问题描述
我需要为不同的用户启动一堆EC2盒.每个用户都应该与其他所有用户沙盒化,因此每个EC2盒都需要自己的SSH密钥.
I need to spin up a bunch of EC2 boxes for different users. Each user should be sandboxed from all the others, so each EC2 box needs its own SSH key.
在Terraform中实现此目标的最佳方法是什么?
What's the best way to accomplish this in Terraform?
我发现的几乎所有说明都希望我手动创建SSH密钥并将其粘贴到terraform脚本中.
Almost all of the instructions I've found want me to manually create an SSH key and paste it into a terraform script.
(错误)示例:
- https://github.com/hashicorp/terraform/issues/1243 ,
- http://2ninjas1blog .com/terraform-assigning-aws-key-pair-to-your-ec2-instance-resource/
- Terraform无法使用Amazon EC2导入密钥对)
- https://github.com/hashicorp/terraform/issues/1243,
- http://2ninjas1blog.com/terraform-assigning-an-aws-key-pair-to-your-ec2-instance-resource/
- Terraform fails to import key pair with Amazon EC2)
由于我需要以编程方式为许多用户生成唯一密钥,所以这是不切实际的.
Since I need to programmatically generate unique keys for many users, this is impractical.
这似乎不是一个困难的用例,但是我在任何地方都找不到它的文档.
This doesn't seem like a difficult use case, but I can't find docs on it anywhere.
在紧要关头,我可以使用Bash生成Terraform脚本并即时注入SSH密钥.但这似乎完全是Terraform应该要做的事情.
At a pinch, I could generate Terraform scripts and inject SSH keys on the fly using Bash. But that seems like exactly the kind of thing that Terraform is supposed to do in the first place.
推荐答案
Terraform可以使用 tls_private_key资源.
Terraform can generate SSL/SSH private keys using the tls_private_key resource.
因此,如果您想即时生成SSH密钥,可以执行以下操作:
So if you wanted to generate SSH keys on the fly you could do something like this:
variable "key_name" {}
resource "tls_private_key" "example" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "aws_key_pair" "generated_key" {
key_name = "${var.key_name}"
public_key = "${tls_private_key.example.public_key_openssh}"
}
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_instance" "web" {
ami = "${data.aws_ami.ubuntu.id}"
instance_type = "t2.micro"
key_name = "${aws_key_pair.generated_key.key_name}"
tags {
Name = "HelloWorld"
}
}
这将创建一个处于Terraform状态的SSH密钥对(未将其写入磁盘中的文件,而不是在不使用远程状态时可能对Terraform状态本身进行的操作),并基于以下条件创建一个AWS密钥对:公钥,然后创建一个Ubuntu 14.04实例,其中可以使用生成的私钥访问ubuntu用户.
This will create an SSH key pair that lives in the Terraform state (it is not written to disk in files other than what might be done for the Terraform state itself when not using remote state), creates an AWS key pair based on the public key and then creates an Ubuntu 14.04 instance where the ubuntu user is accessible with the private key that was generated.
然后,您将不得不从状态文件中提取私钥并将其提供给用户.您可以使用 output 将其直接吐出到标准输出已应用Terraform.
You would then have to extract the private key from the state file and provide that to the users. You could use an output to spit this straight out to stdout when Terraform is applied.
在这里我应该指出,传递私钥通常不是一个好主意,最好让开发人员创建自己的密钥对并为您(或他们)提供可用于生成密钥的公钥. AWS密钥对(可能使用的 aws_key_pair资源在上面的示例中),可以在创建实例时指定.
I should point out here that passing private keys around is generally a bad idea and you'd be much better having developers create their own key pairs and provide you with the public key that you (or them) can use to generate an AWS key pair (potentially using the aws_key_pair resource as used in the above example) that can then be specified when creating instances.
通常,我只会使用类似上面的方法来为您控制的非常临时的开发环境生成SSH密钥,因此您无需将私钥传递给任何人.如果确实需要将私钥传递给其他人,则需要确保在安全通道中进行此操作,并确保Terraform状态(包含纯文本私钥)也得到了适当的保护.
In general I would only use something like the above way of generating SSH keys for very temporary dev environments that you are controlling so you don't need to pass private keys to anyone. If you do need to pass private keys to people you will need to make sure that you do this in a secure channel and that you make sure the Terraform state (which contains the private key in plain text) is also secured appropriately.
这篇关于如何在Terraform中创建SSH密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!