
TerraformでEC2のSSHキーペアをローカルで管理しないようにする方法

Last updated at Posted at 2022-03-11


  • tls_private_keyでキーペアを生成することができる
    • ssh-keygen相当のことをterraformで管理してくれる
    • なのでローカルでキーペアを管理する必要はなくなる
  • 秘密鍵はAWS Secrets Managerに追加される

内容

# AWS provider: credentials are read from the local CLI profile,
# the region is pinned explicitly rather than taken from the profile.
provider "aws" {
  profile = "vamdemic"
  region  = "ap-northeast-1"
}

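# Generates the SSH key pair inside Terraform (the ssh-keygen step), so no
# key file has to be created or kept on the operator's machine.
#
# NOTE: the private key is still persisted in the Terraform state;
# "(sensitive value)" only redacts it in CLI output. Keep the state in a
# remote backend that is encrypted and access-restricted, and treat state
# access as equivalent to holding the key.
resource "tls_private_key" "instance" {
  algorithm = "RSA"
  # Pin the key size instead of relying on the provider default (2048 bits).
  # On recent tls provider versions, algorithm = "ED25519" is a smaller
  # alternative if the target AMI's sshd supports it.
  rsa_bits = 4096
}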

# Registers only the public half of the generated key with EC2; the private
# key is not passed through this resource.
resource "aws_key_pair" "instance" {
  public_key = tls_private_key.instance.public_key_openssh
  key_name   = "test-keypair"

  tags = {
    Name = "test-keypair"
  }
}

# Dedicated VPC for the test instance.
resource "aws_vpc" "my_vpc" {
  cidr_block = "172.16.0.0/16" # /16 carved into /24 subnets below
}

# Single subnet in one AZ; no public-IP mapping is enabled here, so
# reachability of the instance is left to whatever is configured elsewhere.
resource "aws_subnet" "my_subnet" {
  availability_zone = "ap-northeast-1a"
  cidr_block        = "172.16.10.0/24"
  vpc_id            = aws_vpc.my_vpc.id
}

# Test instance that boots with the Terraform-generated key pair.
# No security group, public IP, or metadata_options (IMDSv2) are set in
# this block, so those fall back to defaults; settle them before using this
# layout outside a throwaway test.
resource "aws_instance" "instance" {
  # AMI ids are region-specific; this one only resolves in ap-northeast-1.
  ami           = "ami-08a8688fb7eacb171"
  instance_type = "t2.small"

  subnet_id = aws_subnet.my_subnet.id
  key_name  = aws_key_pair.instance.key_name
}

# Secrets Manager entry that will hold the instance's SSH private key.
# kms_key_id is not set, so the AWS-managed key is used; a customer-managed
# KMS key gives separately scoped, auditable access to the private key.
resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

# Writes the PEM-encoded private key as the current secret value.
# The same PEM is also present in the Terraform state, so both need
# equivalent access control.
resource "aws_secretsmanager_secret_version" "example" {
  secret_string = tls_private_key.instance.private_key_pem
  secret_id     = aws_secretsmanager_secret.example.id
}

# Outputs: identifiers only. The private key is deliberately not exported
# as an output, since outputs are printed and stored unredacted.

output "instance_id" {
  value = aws_instance.instance.id
}

output "secretsmanager_secret" {
  value = aws_secretsmanager_secret.example.id
}

output "secretsmanager_secret_version" {
  value = aws_secretsmanager_secret_version.example.id
}

tls_private_keyの中身

 yuta  ~  terraform-pubkey  terraform state show tls_private_key.instance
# tls_private_key.instance:
resource "tls_private_key" "instance" {
    algorithm                  = "RSA"
    ecdsa_curve                = "P224"
    id                         = "20962f556a6a2636a2a0eec3151ad3240db631c2"
    # Redacted in this display only: the state file holds the PEM in clear.
    private_key_pem            = (sensitive value)
    public_key_fingerprint_md5 = "df:ea:d6:72:ea:64:30:a2:1e:b1:e1:92:a8:7e:f4:ed"
    public_key_openssh         = <<-EOT
        ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5j67w5IdIpGLaqHIcrKPFw/MSBScVaqdgQLA5yHAzK1igjx5ULqElY7LwVSJ4zwlyCZFGYctKX7me3CZVu2IPpj9DsxDLGJKESguvwMH7k1EphHIBDDDqwNxVk/3iB8n5I9IVrWr+X2kuqb1eMCHNEq8Yr1cBlU+N6mayAG8L5HVpak11q/mEm3wGPiKd6qv5oM/4dU4oK92gsOmlLxB5dcUx6bi2czEprt1kwF1coXDnrxsF5vVlAvD24+4ghqdyxAVLyJtYFM/0/7fIe9w0dQ7mNsTuXIvG5MJ+BzucUoUlas1u7s17kbMkK87OpONojKfFh9bIP2sJuy01ljaV
    EOT
    public_key_pem             = <<-EOT
        -----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuY+u8OSHSKRi2qhyHKyj
        xcPzEgUnFWqnYECwOchwMytYoI8eVC6hJWOy8FUieM8JcgmRRmHLSl+5ntwmVbti
        D6Y/Q7MQyxiShEoLr8DB+5NRKYRyAQww6sDcVZP94gfJ+SPSFa1q/l9pLqm9XjAh
        zRKvGK9XAZVPjepmsgBvC+R1aWpNdav5hJt8Bj4ineqr+aDP+HVOKCvdoLDppS8Q
        eXXFMem4tnMxKa7dZMBdXKFw568bBeb1ZQLw9uPuIIancsQFS8ibWBTP9P+3yHvc
        NHUO5jbE7lyLxuTCfgc7nFKFJWrNbu7Ne5GzJCvOzqTjaIynxYfWyD9rCbstNZY2
        lQIDAQAB
        -----END PUBLIC KEY-----
    EOT
    # Provider default: rsa_bits was not set in the configuration above.
    rsa_bits                   = 2048
}

秘密鍵の取得

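# Fetch the private key into a file that only the current user can read.
# Without the umask, secret.pem is created with the default (typically
# world-readable) mode, which leaks the key and is rejected by ssh anyway.
(umask 077; aws secretsmanager get-secret-value --secret-id example | jq -r .SecretString > secret.pem)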

参考
