Closed danjoneslf closed 3 years ago
Would there be a risk that a private key could be copied?
Would the module need to check that a file hasn't been copied over that contains -----BEGIN OPENSSH PRIVATE KEY-----, for example?
What are you imagining? This is replicating what we do in concourse at present. It's explicitly for copying a private key into codebuild.
What's happening here is we need terraform to check out a private repo to get a module (typically from cyber-security-terraform). For that to work terraform needs an SSH key. The SSH key is in SSM. We get the SSH key from SSM and stick it in a .ssh folder along with a .ssh/config for github.com. That ends up in an output artifact in code pipeline and this just copies it from the output artifact to the home directory for the codebuild job.
I thought that was the case, cheers 👍
For things like the ssh config we want to copy in both the deploy key and the ssh config from the build_ssh_config module. You could do this with multiple entries in the copy_artifacts list, but with this you can just do.. and copy the whole .ssh directory. Then you just have to ensure that $HOME=/root/ or wherever you've set the target to.
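
An added example, not part of the original thread or the module's own code: a shell sketch of the copy step discussed above, which installs the artifact's .ssh directory into the target home with strict permissions and then reports any private key header found outside a .ssh directory. The function names `install_ssh_dir` and `find_stray_keys` and the artifact layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and directory layout are hypothetical.

# Copy <artifact_dir>/.ssh into <target_home>/.ssh.
# Directory ends up 0700, every file 0600; symlinks and
# sub-directories are refused so the artifact cannot redirect the copy.
install_ssh_dir() {
    src="$1/.ssh"
    dest="$2/.ssh"
    if [ ! -d "$src" ]; then
        echo "no .ssh directory in artifact: $1" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1
    for f in "$src"/* "$src"/.[!.]*; do
        # Skip glob patterns that matched nothing.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "refusing non-regular file: $f" >&2
            return 1
        fi
        # install sets the mode at creation time, so the key is
        # never briefly readable by other users.
        install -m 600 "$f" "$dest/" || return 1
    done
    return 0
}

# Print every file under <dir> that contains a private key header
# but does not live inside a .ssh directory. Prints nothing if clean.
find_stray_keys() {
    grep -rlE -e '-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----' "$1" 2>/dev/null |
        grep -v '/\.ssh/' || true
}

# Usage in a build step (paths are placeholders):
#   install_ssh_dir /path/to/output-artifact "$HOME" || exit 1
#   stray=$(find_stray_keys /path/to/output-artifact)
#   [ -z "$stray" ] || { echo "key material outside .ssh: $stray" >&2; exit 1; }
```

The target passed as the second argument has to match the home directory the build job actually uses, as noted above for $HOME.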