a
-
tls_private_key
でキーペアを生成することができる
- ssh-keygen 相当のことを Terraform で管理してくれる
- なのでローカルでキーペアを管理する必要はなくなる
- 秘密鍵は AWS Secrets Manager に追加される
- ただし秘密鍵は Terraform の state にも平文で保存される（`terraform state show` では (sensitive value) と表示されるだけ）ので、state の保存先は暗号化し、アクセス権を絞る必要がある
内容
# AWS provider: every resource below is created in Tokyo (ap-northeast-1)
# using the credentials of the local "vamdemic" CLI profile.
provider "aws" {
region = "ap-northeast-1"
profile = "vamdemic"
}
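# Generates the SSH key pair inside Terraform instead of running ssh-keygen
# locally.
# NOTE(security): the private key lives in plaintext in the Terraform state
# (the "(sensitive value)" shown by `terraform state show` only masks the
# display), so the state backend must be encrypted and access-restricted.
resource "tls_private_key" "instance" {
  algorithm = "RSA"
  # Pin the key size explicitly instead of relying on the provider default
  # (the captured state below shows 2048 bits for the default).
  rsa_bits  = 4096
}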
# Registers only the PUBLIC half of the generated key with EC2; the private
# key never leaves Terraform/Secrets Manager through this resource.
resource "aws_key_pair" "instance" {
key_name = "test-keypair"
public_key = tls_private_key.instance.public_key_openssh
tags = {
Name = "test-keypair"
}
}
# Minimal VPC for the test instance. No internet gateway or route table is
# defined in this file, so how the instance is reached over SSH is not shown here.
resource "aws_vpc" "my_vpc" {
cidr_block = "172.16.0.0/16"
}
# Single subnet in one AZ; the AZ is hard-coded to match the provider region.
resource "aws_subnet" "my_subnet" {
vpc_id = aws_vpc.my_vpc.id
cidr_block = "172.16.10.0/24"
availability_zone = "ap-northeast-1a"
}
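# EC2 instance that logs in with the generated key pair.
# The AMI ID is region-specific and pinned; it must be changed if the
# provider region changes. No vpc_security_group_ids is set, so the VPC
# default security group applies (review it before exposing the host).
resource "aws_instance" "instance" {
  ami           = "ami-08a8688fb7eacb171"
  instance_type = "t2.small"
  key_name      = aws_key_pair.instance.key_name
  subnet_id     = aws_subnet.my_subnet.id

  # Require IMDSv2 session tokens so an SSRF on the instance cannot read
  # instance-role credentials from the metadata service with a plain GET.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}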
# Creates the Secrets Manager secret that will hold the SSH private key
# used to log in to the EC2 instance.
# NOTE(review): no kms_key_id is set, so the secret is presumably encrypted
# with the AWS-managed Secrets Manager key, and the default recovery window
# applies on destroy; both may need tightening outside a test setup.
resource "aws_secretsmanager_secret" "example" {
name = "example"
}
# Writes the PEM-encoded private key as the secret's value.
# The same key is also present in the Terraform state (as the tls_private_key
# attribute and again as this secret_string), so the state must be protected
# as strictly as the secret itself.
resource "aws_secretsmanager_secret_version" "example" {
secret_id = aws_secretsmanager_secret.example.id
secret_string = tls_private_key.instance.private_key_pem
}
# Outputs: only identifiers are exposed. Do not add an output for
# tls_private_key.instance.private_key_pem — outputs are printed to the
# console and stored in state.
output "instance_id" {
value = aws_instance.instance.id
}
# ARN/ID of the secret, to be passed to `aws secretsmanager get-secret-value`.
output "secretsmanager_secret" {
value = aws_secretsmanager_secret.example.id
}
output "secretsmanager_secret_version" {
value = aws_secretsmanager_secret_version.example.id
}
tls_private_key
の中身
yuta ~ terraform-pubkey terraform state show tls_private_key.instance
# tls_private_key.instance:
resource "tls_private_key" "instance" {
algorithm = "RSA"
ecdsa_curve = "P224"
id = "20962f556a6a2636a2a0eec3151ad3240db631c2"
private_key_pem = (sensitive value)
public_key_fingerprint_md5 = "df:ea:d6:72:ea:64:30:a2:1e:b1:e1:92:a8:7e:f4:ed"
public_key_openssh = <<-EOT
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5j67w5IdIpGLaqHIcrKPFw/MSBScVaqdgQLA5yHAzK1igjx5ULqElY7LwVSJ4zwlyCZFGYctKX7me3CZVu2IPpj9DsxDLGJKESguvwMH7k1EphHIBDDDqwNxVk/3iB8n5I9IVrWr+X2kuqb1eMCHNEq8Yr1cBlU+N6mayAG8L5HVpak11q/mEm3wGPiKd6qv5oM/4dU4oK92gsOmlLxB5dcUx6bi2czEprt1kwF1coXDnrxsF5vVlAvD24+4ghqdyxAVLyJtYFM/0/7fIe9w0dQ7mNsTuXIvG5MJ+BzucUoUlas1u7s17kbMkK87OpONojKfFh9bIP2sJuy01ljaV
EOT
public_key_pem = <<-EOT
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuY+u8OSHSKRi2qhyHKyj
xcPzEgUnFWqnYECwOchwMytYoI8eVC6hJWOy8FUieM8JcgmRRmHLSl+5ntwmVbti
D6Y/Q7MQyxiShEoLr8DB+5NRKYRyAQww6sDcVZP94gfJ+SPSFa1q/l9pLqm9XjAh
zRKvGK9XAZVPjepmsgBvC+R1aWpNdav5hJt8Bj4ineqr+aDP+HVOKCvdoLDppS8Q
eXXFMem4tnMxKa7dZMBdXKFw568bBeb1ZQLw9uPuIIancsQFS8ibWBTP9P+3yHvc
NHUO5jbE7lyLxuTCfgc7nFKFJWrNbu7Ne5GzJCvOzqTjaIynxYfWyD9rCbstNZY2
lQIDAQAB
-----END PUBLIC KEY-----
EOT
rsa_bits = 2048
}
秘密鍵の取得
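# Fetch the private key from Secrets Manager and write it with owner-only
# permissions. Under the usual default umask the redirect would create a
# group/world-readable file, and ssh refuses such keys anyway.
umask 077
aws secretsmanager get-secret-value --secret-id example | jq -r .SecretString > secret.pem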
参考