terraform: allow nixos-rebuild to use specified private key for deployment

`nixos-rebuild/deploy.sh` script enable ssh authentication with a given private key through the `SSH_KEY` environment variable. Add additional variable for the private key used for the deployment. To encourage the use of ssh-agent and discourage the storage of deployment keys in the terraform state we do not set the install ssh key as the default for the deployment key. Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2024-07-14 19:40:42 +03:00 · 2023-03-21 09:07:13 +01:00 · 2023-03-21 09:07:13 +01:00 · 16143cd8c0
commit 16143cd8c0
parent ad954defb3
4 changed files with 20 additions and 3 deletions
--- a/terraform/all-in-one/main.tf
+++ b/terraform/all-in-one/main.tf
@ -22,7 +22,7 @@ module "install" {
  target_port            = var.target_port
  nixos_partitioner      = module.partitioner-build.result.out
  nixos_system           = module.system-build.result.out
-  ssh_private_key        = var.ssh_private_key
+  ssh_private_key        = var.install_ssh_key
  debug_logging          = var.debug_logging
  instance_id            = var.instance_id
 }
@ -33,6 +33,7 @@ module "nixos-rebuild" {
  ]
  source = "../nixos-rebuild"
  nixos_system = module.system-build.result.out
+  ssh_private_key = var.deployment_ssh_key
  target_host = var.target_host
  target_user = var.target_user
 }
--- a/terraform/all-in-one/variables.tf
+++ b/terraform/all-in-one/variables.tf
@ -51,9 +51,15 @@ variable "instance_id" {
  default     = null
 }

-variable "ssh_private_key" {
+variable "install_ssh_key" {
  type        = string
-  description = "Content of private key used to connect to the target_host"
+  description = "Content of private key used to connect to the target_host during initial installation"
+  default     = null
+}
+
+variable "deployment_ssh_key" {
+  type        = string
+  description = "Content of private key used to deploy to the target_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable"
  default     = null
 }

--- a/terraform/nixos-rebuild/main.tf
+++ b/terraform/nixos-rebuild/main.tf
@ -3,6 +3,10 @@ resource "null_resource" "nixos-rebuild" {
    store_path = var.nixos_system
  }
  provisioner "local-exec" {
+    environment = {
+      SSH_KEY = var.ssh_private_key
+    }
+
    command = "${path.module}/deploy.sh ${var.nixos_system} ${var.target_user}@${var.target_host} ${var.target_port}"
  }
 }
--- a/terraform/nixos-rebuild/variables.tf
+++ b/terraform/nixos-rebuild/variables.tf
@ -19,3 +19,9 @@ variable "target_port" {
  description = "SSH port used to connect to the target_host"
  default     = 22
 }
+
+variable "ssh_private_key" {
+  type        = string
+  description = "Content of private key used to connect to the target_host. If set to - no key is passed to openssh and ssh will back to its own configuration".
+  default     = "-"
+}