Terraform TLS SSH key pair to SSM initial implementation #2

joshmyers · 2019-01-10T13:25:46Z

what

This PR is an initial implementation for writing SSH keys to AWS SSM parameter store. It supports both RSA and ECDSA key algos and enforces a convention on how these keys should be written to SSM, name /foo/bar or /foo/bar_badger. If no key name is given for public/private SSH keys, the label module is used, but the delimiter is forced to be underscore for consistency e.g. /ssh_keys/cpco_testing_$app_public_key. This can be useful for namespacing SSM IAM permissions when for multiple keys in the same account.

why

Rather than mounting an s3 based file system using goofys for secrets, we should write them into SSM, to be fetched by chamber.

notes

Fixes #1

aknysh · 2019-01-10T14:55:46Z

LICENSE

@@ -186,7 +186,7 @@
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2018 Cloud Posse, LLC


Suggested change

Copyright 2018 Cloud Posse, LLC

Copyright 2019 Cloud Posse, LLC

README.yaml

examples/complete/main.tf

examples/complete/output.tf

examples/complete/variables.tf

main.tf

aknysh · 2019-01-10T15:15:23Z

main.tf

+  name        = "${local.ssh_private_key_ssm_path}"
+  description = "TLS Private Key"
+  type        = "SecureString"
+  value       = "${tls_private_key.default_rsa.private_key_pem}"


Suggested change

value = "${tls_private_key.default_rsa.private_key_pem}"

value = "${join("", tls_private_key.default_rsa.*.private_key_pem)}"

aknysh · 2019-01-10T15:16:33Z

main.tf

+  name        = "${local.ssh_public_key_ssm_path}"
+  description = "TLS Public Key (OpenSSH - ${var.ssh_key_algorithm})"
+  type        = "String"
+  value       = "${tls_private_key.default_rsa.public_key_openssh}"


Suggested change

value = "${tls_private_key.default_rsa.public_key_openssh}"

value = "${join("", tls_private_key.default_rsa.*.public_key_openssh)}"

aknysh · 2019-01-10T15:17:14Z

main.tf

+  name        = "${local.ssh_private_key_ssm_path}"
+  description = "TLS Private Key (${var.ssh_key_algorithm})"
+  type        = "SecureString"
+  value       = "${tls_private_key.default_ecdsa.private_key_pem}"


Suggested change

value = "${tls_private_key.default_ecdsa.private_key_pem}"

value = "${join("", tls_private_key.default_ecdsa.*.private_key_pem)}"

aknysh · 2019-01-10T15:17:43Z

main.tf

+  name        = "${local.ssh_public_key_ssm_path}"
+  description = "TLS Public Key (${var.ssh_key_algorithm})"
+  type        = "String"
+  value       = "${tls_private_key.default_ecdsa.public_key_openssh}"


Suggested change

value = "${tls_private_key.default_ecdsa.public_key_openssh}"

value = "${join("", tls_private_key.default_ecdsa.*.public_key_openssh)}"

aknysh · 2019-01-10T15:18:18Z

variables.tf

@@ -0,0 +1,73 @@
+variable "namespace" {
+  type        = "string"
+  description = "Namespace (e.g. `cp` or `cloudposse`)"


Suggested change

description = "Namespace (e.g. `cp` or `cloudposse`)"

description = "Namespace (e.g. `eg` or `cp`)"

aknysh

see comments

joshmyers · 2019-01-10T16:05:04Z

@aknysh Have rebased and pushed requested changes, thanks!

joshmyers · 2019-01-10T18:02:01Z

@osterman KMS key added and rebased

This commit adds some default variables and locals for naming of SSM params. We expect SSM params to be written in the form `/foo/bar` or `/foo/bar_badger` where foo is var.ssm_path_prefix and bar is passed in explicitly, or else we default to label.id where we replace the delimiter with underscores to maintain consistency. Both RSA + ECDSA key algo’s are supported.

Initial implementation

fba3430

joshmyers force-pushed the init_v2 branch from 877305c to fc0d5b8 Compare January 10, 2019 13:50