Handling ssh private keys in Terraform
It's important to keep the SSH private key in a secure location, since anyone who holds the key can access your server/VM. Azure Key Vault is a good place to store such keys and fetch them only when they are needed, which reduces the risk of exposing them to others.
Here I will explain the steps for creating an Azure key vault, storing the SSH private key in the key vault and retrieving the key whenever it is required.
- Generate an SSH key pair
- Create an Azure VM image with the public key stored in ~/.ssh/authorized_keys
Here is the Terraform plan for creating the key vault. It is no different from the official documentation, but I am adding it here for completeness.
This code creates an Azure key vault with the required permissions and roles.
Here is the snippet of the same code for importing the SSH private key into the key vault created above. I assume here that the SSH public and private key pair has already been generated and is available on the host where you execute Terraform.
You may have noticed that the key was base64-encoded before being stored in the key vault.
Now you can query the key vault and retrieve the private key within your Terraform plan. The key was base64-encoded when it was imported into the key vault, so it has to be base64-decoded before it can be used again for SSH authentication.
Now you can use this private key to connect to any VM that has been configured with the corresponding public key.
This is especially beneficial if you need to execute an Ansible playbook from within your Terraform code. Besides, it allows you to execute the Terraform plan with Ansible from any host or Docker image you like, because the Ansible host connection is handled by the SSH private/public key pair. Here is the code for retrieving the public key and saving it to a file on your Terraform control host.
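The store, retrieve and decode steps described above, as an added example that is not the post's own code or the complete plan linked below. It assumes the key pair already exists as `./id_rsa` / `./id_rsa.pub` next to the plan, that `azurerm_key_vault.example` is the vault created earlier (a placeholder name), and that the `hashicorp/local` provider is at least version 2.2 (for `local_sensitive_file`).

```hcl
# Added example (not the post's own code). Placeholder names: azurerm_key_vault.example,
# vm-ssh-private-key, ./id_rsa. Assumes the key pair was generated beforehand.

# 1. Import the private key. filebase64() reads the file and base64-encodes it, so the
#    multi-line PEM is stored as a single, unmodified secret value.
resource "azurerm_key_vault_secret" "ssh_private_key" {
  name         = "vm-ssh-private-key"
  value        = filebase64("${path.module}/id_rsa")
  key_vault_id = azurerm_key_vault.example.id
  content_type = "application/x-pem-file;base64"
}

# 2. Retrieve it. This data source can live in a separate plan whose identity only
#    needs "Get" permission on secrets, not write access to the vault.
data "azurerm_key_vault_secret" "ssh_private_key" {
  name         = "vm-ssh-private-key"
  key_vault_id = azurerm_key_vault.example.id
  depends_on   = [azurerm_key_vault_secret.ssh_private_key]
}

locals {
  # 3. Decode before use: ssh and Ansible expect the raw PEM, not base64.
  ssh_private_key = base64decode(data.azurerm_key_vault_secret.ssh_private_key.value)
}

# 4. Write the decoded key to the Terraform control host for Ansible, owner-readable only.
#    local_sensitive_file keeps the content out of plan/apply output (it is still in state).
resource "local_sensitive_file" "ssh_private_key" {
  content         = local.ssh_private_key
  filename        = "${path.module}/.ssh/id_rsa"
  file_permission = "0600"
}

# 5. Run the playbook with that key; inventory.ini is a placeholder you maintain yourself.
resource "null_resource" "ansible" {
  triggers = { key_version = data.azurerm_key_vault_secret.ssh_private_key.version }
  provisioner "local-exec" {
    command = "ansible-playbook -i ${path.module}/inventory.ini --private-key ${local_sensitive_file.ssh_private_key.filename} site.yml"
  }
}
```

The decoded key is written into Terraform state by the data source and the file resource, so restrict access to the state backend and never commit state files to version control.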
You can find the complete TF plan on my GitHub page.