Best practice for ssh keys w/ Terraform Provisioners for Atlas?


Adron Hall

Aug 26, 2016, 7:23:13 PM
to Terraform
I've got a Terraform instance I'm trying to create in Google Cloud. However, I have a provisioner set up like this...

  provisioner "file" {
    source = "tf-scripts/create-elastic-yaml.sh"
    destination = "create-elastic-yaml.sh"
    connection {
      type = "ssh"
      user = "root"
      private_key = "${file("~/.ssh/google_compute_engine")}"
    }
  }

Which works great locally because my ssh key is indeed where the file interpolation points to, but how do I get a key uploaded to Atlas for use with Terraform?

Cheers,
Adron

Andrew Hodgson

Aug 27, 2016, 6:43:57 AM
to terrafo...@googlegroups.com

Hi,

This is one thing Atlas does really well. You can put your SSH key into Atlas in a variable which is then stored encrypted:

https://atlas.hashicorp.com/help/terraform/runs/variables-and-configuration

I do this with SSH keys and SSL keys.

Andrew.


Adron Hall

Aug 27, 2016, 1:06:24 PM
to Terraform
Oh, so it doesn't have to be a "file" then, it'll use just the contents? That actually makes sense, and is what I do with the GCP account.json file.

Thanks, will give that a shot.

Adron

Adron Hall

Aug 27, 2016, 1:56:54 PM
to Terraform
I gave it a try. Added the private ssh key to the variable TF_VAR_private_ssh_key.

Then set it in the connection as such:

  provisioner "remote-exec" {
    inline = [
      "echo ${google_compute_instance.testing-elastic-1.network_interface.0.access_config.0.assigned_nat_ip}"]

    connection {
      type = "ssh"
      private_key = "${var.private_ssh_key}"
      timeout = "45s"
    }
  }

Then I get...

Error applying plan:

1 error(s) occurred:

* Failed to read key "-----BEGIN RSA PRIVATE KEY-----": no key found

How should this be stored in the variable? Currently I set this as an environment variable; I'm not sure if I should set it some other way.

Andrew Hodgson

Aug 28, 2016, 6:42:59 AM
to terrafo...@googlegroups.com

You need to set it as a Terraform push variable, not an environment variable.

Thanks.
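
The error earlier in the thread quotes only the PEM header line as the key, which suggests the variable held just that first line rather than the whole multi-line block. The sketch below is an added example, not code from the thread or from Terraform or Atlas: a hypothetical `check_pem_variable` helper that classifies the usual ways a PEM private key gets mangled on its way into a variable, run against a constructed, non-secret sample.

```python
import base64
import binascii
import os
import re

# Added example: hypothetical pre-flight check, not part of Terraform or Atlas.
BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")

# Constructed sample: PEM-shaped text wrapping filler bytes, not a real key.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.encodebytes(b"constructed, not a real key " * 4).decode()
    + "-----END RSA PRIVATE KEY-----\n"
)


def check_pem_variable(value: str) -> str:
    """Return 'ok' or the reason the value is not a well-formed PEM block."""
    text = value.strip()
    m = BEGIN.match(text)
    if not m:
        return "no PEM private key header"
    end = f"-----END {m.group(1)}-----"
    if "\n" not in text:
        if text == m.group(0):
            return "truncated to header line"  # matches the error in the thread
        if "\\n" in text:
            return "literal \\n instead of newlines"
        return "newlines collapsed" if text.endswith(end) else "truncated"
    lines = [ln.strip() for ln in text.splitlines()]
    if lines[0] != m.group(0) or lines[-1] != end:
        return "malformed BEGIN or END line"
    # Skip blank lines and RFC 1421 headers (Proc-Type, DEK-Info) on encrypted keys.
    body = "".join(ln for ln in lines[1:-1] if ln and ":" not in ln)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return "body is not valid base64"
    return "ok" if der else "empty key body"


if __name__ == "__main__":
    # Reports only the verdict; the key material itself is never printed.
    print(check_pem_variable(os.environ.get("TF_VAR_private_ssh_key", "")))
```

This is a structural check only: "ok" means the value has the shape of a PEM block, not that the key inside is valid.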
