Merge pull request #46 from 7Factor/jwood/terraform_ssh_keys

Terraform the SSH keys instead of manually generating them.
7Factor · Mar 1, 2024 · 8f91b4f · 8f91b4f
2 parents 514e160 + 60c5475
commit 8f91b4f
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 25 deletions.
diff --git a/asg.tf b/asg.tf
@@ -1,8 +1,8 @@
 locals {
   web_interpolation_vars = {
-    "authorized_worker_keys"       = file(var.web_authorized_keys_path)
-    "session_signing_key"          = file(var.web_session_signing_key_path)
-    "tsa_host_key"                 = file(var.web_tsa_host_key_path)
+    "authorized_worker_keys"       = tls_private_key.worker_key.public_key_openssh
+    "session_signing_key"          = tls_private_key.session_signing_key.private_key_pem
+    "tsa_host_key"                 = tls_private_key.tsa_host_key.private_key_pem
     "conc_version"                 = var.conc_version
     "concdb_host"                  = var.concdb_host
     "concdb_port"                  = var.concdb_port
@@ -18,8 +18,8 @@ locals {
   }
 
   worker_interpolation_vars = {
-    "tsa_public_key" = file(var.tsa_public_key_path)
-    "worker_key"     = file(var.worker_key_path)
+    "tsa_public_key" = tls_private_key.tsa_host_key.public_key_openssh
+    "worker_key"     = tls_private_key.worker_key.private_key_pem
     "conc_version"   = var.conc_version
     "tsa_host"       = aws_elb.concourse_lb.dns_name
     "storage_driver" = var.worker_container_storage_driver

diff --git a/keys.tf b/keys.tf
@@ -0,0 +1,14 @@
+resource "tls_private_key" "session_signing_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "tls_private_key" "tsa_host_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "tls_private_key" "worker_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
diff --git a/web_variables.tf b/web_variables.tf
@@ -41,18 +41,6 @@ variable "web_ingress_cidr" {
   description = "The CIDR block from whence web traffic may come for web boxes servicing traffic from workers. Defaults to anywhere, but override it as necessary. This is applied to the ELB."
 }
 
-variable "web_authorized_keys_path" {
-  description = "The path to a file containing a list of keys that the web machine authorizes for worker access. This should be one file, similar to how id_rsa works with public keys inside."
-}
-
-variable "web_session_signing_key_path" {
-  description = "The path to an OpenSSH or RSA key for signing sessions."
-}
-
-variable "web_tsa_host_key_path" {
-  description = "The path to an OpenSSH or RSA key for hosting TSA connections."
-}
-
 variable "conc_fqdn" {
   description = "The FQDN where your cluster will live. Point this via your DNS to the ELB DNS provided in the output of this module otherwise you'll get some wonkiness. Note that we force HTTPS here so do not include the protocol."
 }

diff --git a/worker_variables.tf b/worker_variables.tf
@@ -28,14 +28,6 @@ variable "worker_vol_size" {
   description = "We'll assign instance volumes of this size to your workers. Suggested retail size of 40GB."
 }
 
-variable "worker_key_path" {
-  description = "Path to an OpenSSH or RSA key the worker uses to secure communication with."
-}
-
-variable "tsa_public_key_path" {
-  description = "Path to an OpenSSH or RSA public key the worker uses to talk to the TSA with."
-}
-
 variable "worker_container_storage_driver" {
   default     = "overlay"
   description = "Storage driver to use for the container runtime. Defaults to overlay."