From 48bd8f9b1ff6caf35b6c0a7b22d2d16421aa8293 Mon Sep 17 00:00:00 2001
From: Callum Scott
Date: Sun, 19 Aug 2018 17:11:05 +0100
Subject: [PATCH] Ssh key support (#12)

* add support to enable uploading public ssh key to IAM users
* make ssh key uploading an toggalable option
* Add details of ssh key managment to README
---
 modules/iam-user/README.md | 4 ++++
 modules/iam-user/main.tf | 8 ++++++++
 modules/iam-user/outputs.tf | 4 ++++
 modules/iam-user/variables.tf | 13 +++++++++++++
 4 files changed, 29 insertions(+)

diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md
index dda5ce3e..33bf12de 100644
--- a/modules/iam-user/README.md
+++ b/modules/iam-user/README.md
@@ -33,6 +33,9 @@ This module outputs commands and PGP messages which can be decrypted either usin
 | password_reset_required | Whether the user should be forced to reset the generated password on first login. | string | `true` | no |
 | path | Desired path for the IAM user | string | `/` | no |
 | pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `` | no |
+| ssh_key_encoding | Which encoding format the uploaded SSH key is in. `SSH` for ssh-rsa or `PEM` for pem. | string | `SSH` | no |
+| ssh_public_key | Public key that is to be attached to this IAM account | string | - | no |
+| upload_ssh_key | Whether to upload and manage users public SSH key. | string | `false` | no |
 
 ## Outputs
 
@@ -48,6 +51,7 @@ This module outputs commands and PGP messages which can be decrypted either usin
 | this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
 | this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
 | this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
+| this_iam_ssh_public_key_id | The AWS ID for the public key |
 | this_iam_user_arn | The ARN assigned by AWS for this user |
 | this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
 | this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
diff --git a/modules/iam-user/main.tf b/modules/iam-user/main.tf
index cdc7dab4..89163671 100644
--- a/modules/iam-user/main.tf
+++ b/modules/iam-user/main.tf
@@ -21,3 +21,11 @@ resource "aws_iam_access_key" "this" {
 user = "${aws_iam_user.this.name}"
 pgp_key = "${var.pgp_key}"
 }
+
+resource "aws_iam_user_ssh_key" "this" {
+ count = "${var.upload_ssh_key}"
+
+ username = "${aws_iam_user.this.name}"
+ encoding = "${var.ssh_key_encoding}"
+ public_key = "${var.ssh_public_key}"
+}
\ No newline at end of file
diff --git a/modules/iam-user/outputs.tf b/modules/iam-user/outputs.tf
index a6cc529f..818177a3 100644
--- a/modules/iam-user/outputs.tf
+++ b/modules/iam-user/outputs.tf
@@ -86,3 +86,7 @@ ${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}
 -----END PGP MESSAGE-----
 EOF
 }
+
+output "this_iam_ssh_public_key_id" {
+ value = "SSH Key ID: ${element(concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, list("")), 0)}"
+}
\ No newline at end of file
diff --git a/modules/iam-user/variables.tf b/modules/iam-user/variables.tf
index 2fbb8f7e..c8699d6e 100644
--- a/modules/iam-user/variables.tf
+++ b/modules/iam-user/variables.tf
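Review bot: `count = "${var.upload_ssh_key}"` in the new aws_iam_user_ssh_key resource relies on Terraform coercing a boolean into "0"/"1"; the README documents the variable as type string with default `false`, so a caller who passes the literal string "false" would presumably make the count fail to parse rather than disable the resource. A conditional states the intent and accepts either spelling: `count = "${var.upload_ssh_key ? 1 : 0}"`. This file and outputs.tf are also both left without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would add.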
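Review bot: The new `this_iam_ssh_public_key_id` output prefixes its value with the text "SSH Key ID: ", so a consumer that feeds the output into another resource or data source receives a label rather than the bare identifier the README row describes as "The AWS ID for the public key". Unless the prefix is intended to match the human-readable style of the neighbouring PGP message outputs, emit the raw value: `value = "${element(concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, list("")), 0)}"`. A description would also help callers understand the empty-string case produced by the `concat(..., list(""))` fallback: `description = "The AWS ID of the uploaded SSH public key; empty when upload_ssh_key is false"`.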
@@ -41,3 +41,16 @@ variable "password_length" {
 description = "The length of the generated password"
 default = 20
 }
+
+variable "upload_ssh_key" {
+ description = "Whether to upload a public ssh key to the IAM user"
+ default = false
+}
+variable "ssh_key_encoding" {
+ description = "Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM"
+ default = "SSH"
+}
+
+variable "ssh_public_key" {
+ description = "Public SSH key"
+}
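Review bot: `variable "ssh_public_key"` is declared with no default, which turns it into a required input for every caller of this module even when `upload_ssh_key` keeps its default of false, and it contradicts the README row that marks the variable as not required. Adding `default = ""` keeps existing callers working; with the count at 0 the empty value is never sent to AWS. The `ssh_key_encoding` description reads like the wording of the AWS key-retrieval API ("to use in the response ... To retrieve the public key"), which does not describe an upload; something like `description = "Encoding of the supplied public key: SSH for ssh-rsa format, PEM for PEM format"` is clearer, and the `ssh_public_key` description could state the expected format in the same terms. There is also no blank line between the `upload_ssh_key` and `ssh_key_encoding` blocks, unlike the other blocks in the hunk.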