ansible-collections / hetzner.hcloud

A collection to manage resources on Hetzner Cloud
https://galaxy.ansible.com/ui/repo/published/hetzner/hcloud
GNU General Public License v3.0
110 stars 39 forks

ssh_key Module Does Not Update SSH Key When Public Key Changes #578

Open cf-sewe opened 3 weeks ago

cf-sewe commented 3 weeks ago
SUMMARY

The hetzner.hcloud.ssh_key Ansible module currently does not support updating the public key when the local SSH key changes. As a result, it is not possible to refresh the key without deleting and recreating it manually. Attempting to pass an updated public_key value does not trigger an update.

ISSUE TYPE
COMPONENT NAME

hetzner.hcloud.ssh_key module in the hetzner.hcloud collection.

ANSIBLE VERSION
ansible [core 2.17.5]
  config file = /Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg
  configured module search path = ['/Users/x.x/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/lib/python3.13/site-packages/ansible
  ansible collection location = /Users/x.x/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.13.0 (main, Oct  7 2024, 05:02:14) [Clang 16.0.0 (clang-1600.0.26.3)] (/opt/homebrew/opt/python@3.13/bin/python3.13)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
Collection        Version
----------------- -------
community.general 8.5.0
CONFIGURATION
ANSIBLE_FORCE_COLOR(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = True
ANSIBLE_NOCOWS(/Users/x.x/x/cplace-ops-cloud/ansible/ansible.cfg) = True
ANSIBLE_PIPELINING(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = True
CONFIG_FILE() = /Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg
DEFAULT_FORKS(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = 20
DEFAULT_LOG_PATH(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = /Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.log
DEFAULT_MANAGED_STR(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = Ansible managed: {file}
DEFAULT_PRIVATE_KEY_FILE(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = /Users/x.x/.ssh/ansible_bootstrap_key
DEFAULT_REMOTE_USER(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = ansible
DEFAULT_ROLES_PATH(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = ['/Users/x.x/vscode/cplace-ops-cloud/ansible/roles']
EDITOR(env: EDITOR) = nano
HOST_KEY_CHECKING(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = False
INJECT_FACTS_AS_VARS(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = True
PAGER(env: PAGER) = less
RETRY_FILES_ENABLED(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = False
TRANSFORM_INVALID_GROUP_CHARS(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = ignore
OS / ENVIRONMENT
STEPS TO REPRODUCE
- name: "Generate ed25519 SSH key pair for bootstrapping"
  community.crypto.openssh_keypair:
    comment: "Ansible bootstrap key"
    mode: "0400"
    path: "{{ ansible_env.HOME }}/.ssh/ansible_bootstrap_key"
    state: present
    type: ed25519
  register: bootstrap_keypair

- name: "Create a new SSH key with updated fingerprint label"
  hetzner.hcloud.ssh_key:
    api_token: "{{ infra_hcloud_api_token }}"
    name: ansible-bootstrap
    public_key: "{{ bootstrap_keypair.public_key }}"
    state: present
EXPECTED RESULTS

The hetzner.hcloud.ssh_key module should detect a change in the public_key and update the SSH key in Hetzner Cloud to match the new public key provided.

ACTUAL RESULTS

The module does not detect any changes and does not update the SSH key on Hetzner Cloud, even when a new public_key is provided.

jooola commented 3 weeks ago

The API docs do not provide a way to update the public key: https://docs.hetzner.cloud/#ssh-keys-update-an-ssh-key

To make this work, we must delete and create a new ssh key. Would that be the behavior that you expect? I am not sure that I like the idea of magically deleting the ssh key without the user knowing.

cf-sewe commented 3 weeks ago

Yes, I would have expected that the role would "update" a key if it changes (source of truth in GIT / ansible), even if it means that a key would be deleted / recreated. Maybe a force option could be considered as well, and the behaviour should be documented. I have now implemented the recreation myself, but of course a built-in solution is generally beneficial.
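One way to implement the delete-and-recreate workaround discussed above in a playbook, added here as an example and not code from the collection or from the issue author. It reuses the `bootstrap_keypair` register and the `infra_hcloud_api_token` variable from the reproduction steps, and assumes `hetzner.hcloud.ssh_key_info` returns an empty `hcloud_ssh_key_info` list when no key named `ansible-bootstrap` exists.

```yaml
- name: "Look up the existing bootstrap key in Hetzner Cloud"
  hetzner.hcloud.ssh_key_info:
    api_token: "{{ infra_hcloud_api_token }}"
    name: ansible-bootstrap
  register: existing_key

- name: "Compare the stored public key with the local one"
  ansible.builtin.set_fact:
    # Compare only the key type and base64 blob (first two fields);
    # the trailing comment may legitimately differ between local and remote.
    local_key_body: "{{ bootstrap_keypair.public_key.split()[:2] | join(' ') }}"
    remote_key_body: >-
      {{ (existing_key.hcloud_ssh_key_info[0].public_key.split()[:2] | join(' '))
         if existing_key.hcloud_ssh_key_info | length > 0 else '' }}

- name: "Delete the stale key object so it can be recreated with the new public key"
  hetzner.hcloud.ssh_key:
    api_token: "{{ infra_hcloud_api_token }}"
    name: ansible-bootstrap
    state: absent
  when:
    - remote_key_body != ''
    - remote_key_body != local_key_body

- name: "Create (or keep) the key with the current public key"
  hetzner.hcloud.ssh_key:
    api_token: "{{ infra_hcloud_api_token }}"
    name: ansible-bootstrap
    public_key: "{{ bootstrap_keypair.public_key }}"
    state: present
```

Deleting the key object only changes which key Hetzner injects into servers created afterwards; servers already provisioned with the old key keep it in their authorized_keys and must be rotated separately.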