dmacvicar / terraform-provider-libvirt

Terraform provider to provision infrastructure with Linux's KVM using libvirt
Apache License 2.0

SSH Key Auth not working on Terraform Cloud #1011

Open jseparovic opened 1 year ago

jseparovic commented 1 year ago

System Information

Terraform Cloud

Description of Issue/Question

When trying to configure SSH Key authentication using Terraform Cloud, plan fails with the following error:

Error: failed to dial libvirt: could not configure SSH authentication methods

When using ssh password authentication the plan works no problem.

Are there any examples of how to use SSH keys with Terraform Cloud?

Setup

https://github.com/jseparovic/terraform-cloud-test/blob/main/main.tf

terraform {
  required_providers {
    libvirt = {
      source = "dmacvicar/libvirt"
      version = "0.7.1"
    }
  }
}

variable "private_key" {
  description = "Private Key to use in SSH Connection"
  type        = string
}

variable "password" {
  description = "Password to use in SSH Connection"
  type        = string
}

variable "target_host" {
  description = "The target host"
  type        = string
}

variable "key_file" {
  description = "The private key file"
  type        = string
  default     = "terraform_id_rsa"
}

resource "local_sensitive_file" "private_key" {
  content = var.private_key
  filename = var.key_file
  file_permission = "0600"
}

provider "libvirt" {
  #uri   = "qemu+ssh://root:${var.password}@${var.target_host}/system?sshauth=ssh-password&no_verify=1"
  uri   = "qemu+ssh://root@${var.target_host}/system?sshauth=privkey&keyfile=${var.key_file}&no_verify=1"
}

resource "libvirt_volume" "vm-image" {
  name   = "vm-image"
  source = "/images/vm-image.qcow2"
}

resource "libvirt_volume" "remotehost-qcow2" {
  name     = "remotehost-qcow2"
  format   = "qcow2"
  size     = 17179869184
  base_volume_id = libvirt_volume.vm-image.id
}

resource "libvirt_domain" "remotehost-domain" {
  provider = libvirt
  name     = "vm-a"
  memory   = "8192"
  vcpu     = 4

  disk {
    volume_id = libvirt_volume.remotehost-qcow2.id
  }
}

Steps to Reproduce Issue

jseparovic commented 1 year ago

After adding DEBUG logs to Terraform Cloud I can see that the key file is not found:

[ERROR] Failed to read ssh key: open terraform_id_rsa: no such file or directory

So it looks like the plan fails because it is validating a file that does not yet exist. Is there some way to prevent this check, as the file will be created in the run?

jseparovic commented 1 year ago

Looks like the only way to make this work is to put the private key in the git repo linked to the Terraform Cloud workspace. Not ideal, I would much rather use a sensitive variable directly in Terraform Cloud.

This does work now after adding the key to .ssh/id_rsa in my git repo

provider "libvirt" {
  uri   = "qemu+ssh://root@${var.target_host}/system?sshauth=privkey&keyfile=${path.module}/.ssh/id_rsa&no_verify=1"
}

There has to be a better way... I'd probably choose a long root password over this.
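
The failure reported in this thread comes down to the `keyfile` named in the provider URI not being on disk when the plan runs. A pre-flight check for that, which also flags the `no_verify=1` and password-in-URI settings shown above, follows as an added example that is not from the thread or the provider's own code; `CheckLibvirtURI` and the host `kvm.example` are hypothetical, and treating `sshauth` as a comma-separated list is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// CheckLibvirtURI (hypothetical helper) lists problems in a qemu+ssh URI
// before `terraform plan` runs. exists is injected so tests avoid the disk.
func CheckLibvirtURI(raw string, exists func(string) bool) ([]string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	var findings []string
	if !strings.HasSuffix(u.Scheme, "+ssh") {
		return findings, nil // no SSH transport, nothing to check
	}
	q := u.Query()
	if _, ok := u.User.Password(); ok {
		findings = append(findings, "password embedded in URI")
	}
	if q.Get("no_verify") == "1" {
		findings = append(findings, "no_verify=1 disables host key verification")
	}
	// Assumption: sshauth may hold several comma-separated methods.
	for _, m := range strings.Split(q.Get("sshauth"), ",") {
		if m != "privkey" {
			continue
		}
		if kf := q.Get("keyfile"); kf == "" {
			findings = append(findings, "sshauth=privkey without keyfile")
		} else if !exists(kf) {
			findings = append(findings, "keyfile not on disk at plan time: "+kf)
		}
	}
	return findings, nil
}

func main() {
	onDisk := func(p string) bool { _, err := os.Stat(p); return err == nil }
	// Constructed URI in the shape used in this thread; kvm.example is a placeholder.
	uri := "qemu+ssh://root@kvm.example/system?sshauth=privkey&keyfile=terraform_id_rsa&no_verify=1"
	findings, err := CheckLibvirtURI(uri, onDisk)
	fmt.Println(findings, err)
}
```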