dmacvicar / terraform-provider-libvirt

Terraform provider to provision infrastructure with Linux's KVM using libvirt
Apache License 2.0

Add support for passwords using the SSH URI's #887

Closed jli-cparta closed 2 years ago

jli-cparta commented 2 years ago

While a trivial addition, this allows using secret providers (e.g. Hashicorp Vault) to provide plaintext passwords instead of copying private key files around.

```hcl
provider "vault" {
  address = "https://vault.example.com:8200"
}

data "vault_generic_secret" "admin_auth" {
  path = "op/vaults/servers/items/admin-at-kvm-server"
}

provider "libvirt" {
  uri = "qemu+ssh://admin:${urlencode(data.vault_generic_secret.admin_auth.data["password"])}@kvm-server.example.com/system"
}
```
dmacvicar commented 2 years ago

Thanks for the PR!

libvirt connection URI does not support password auth without an agent, but I think the way you implemented it is clever, because it does not break the spec.

It would still likely expose the password in the logs and output, would it?

jli-cparta commented 2 years ago

> It would still likely expose the password in the logs and output, would it?

Not that I can find. It's in the tfstate files (of course). And if you enable debug-logging from terraform it will show up.

But it's not visible in standard output, nor is it in any log files. Not any that I can find, anyway. Searched everything in /var/log/* and the home directory of the user.

jli-cparta commented 2 years ago

@dmacvicar Are you OK to pull this request?

dmacvicar commented 2 years ago

I am not convinced this is a good idea.

libvirt has support for passwords with ssh, but it is a "password" auth-method (see here), which resolves to looking up the username's password in a libvirt-specific auth file (see here). Therefore, it may be confusing behavior for people used to libvirt that the ssh password resolves to the ssh account password. Given that the standard way of accessing an ssh server is using ssh-keys, I'd prefer to keep things as they were with libvirt.

Now, what we could do is add an "unofficial" auth method ssh-password, and make it explicit in the URL, which would then make the password of the URL behave like this PR describes, which can be useful for Vault ssh otp-passwords and such.

What do you think?

jli-cparta commented 2 years ago

Fine with me. I just need some way to pass a password through, and preferably one that doesn't create files with it in cleartext on disk.

So you'd like to see something like this?

```
qemu+ssh://USER:PASS@kvm-server.example.com/system?sshauth=ssh-password
```
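
The rule discussed above, written out as an added Go example (this is not code from the provider or from either participant): the password in the URI's userinfo part is honored as the SSH account password only when the URI opts in with the unofficial `sshauth=ssh-password` query parameter; without the opt-in, the URI is left untouched so libvirt's own "password" auth-method semantics still apply. When the opt-in is present, the secret and the unofficial parameter are stripped from the URI handed to libvirt, and a redacted form is produced for logs and error messages, which addresses the exposure concern raised earlier in the thread. The `sshCredentials` type and `parseSSHURI` function are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// sshCredentials holds what the provider would need after inspecting a
// qemu+ssh connection URI. Hypothetical type for this example only.
type sshCredentials struct {
	Host           string
	User           string
	Password       string // set only when the URI opts in with sshauth=ssh-password
	UseSSHPassword bool   // true when the opt-in was present
	LibvirtURI     string // URI to hand to libvirt (secret and opt-in removed)
	Redacted       string // safe form for logs and error messages
}

// parseSSHURI implements the opt-in rule proposed in the thread.
func parseSSHURI(raw string) (sshCredentials, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return sshCredentials{}, err
	}
	if u.Scheme != "qemu+ssh" {
		return sshCredentials{}, fmt.Errorf("not an ssh transport: %q", u.Scheme)
	}

	// url.Redacted replaces the password with "xxxxx"; never log the raw URI.
	creds := sshCredentials{Host: u.Hostname(), Redacted: u.Redacted(), LibvirtURI: raw}
	if u.User != nil {
		creds.User = u.User.Username()
	}

	// Without the explicit opt-in, leave the URI exactly as libvirt expects it.
	if u.Query().Get("sshauth") != "ssh-password" {
		return creds, nil
	}

	pw, ok := u.User.Password()
	if !ok || pw == "" {
		return sshCredentials{}, errors.New("sshauth=ssh-password requires a password in the URI")
	}
	creds.UseSSHPassword = true
	creds.Password = pw // already percent-decoded by net/url, matching urlencode() on the Terraform side

	// Hand libvirt a URI with the secret and the unofficial parameter removed,
	// so the plaintext never reaches libvirt's own URI handling or its logging.
	clean := *u
	clean.User = url.User(creds.User)
	q := clean.Query()
	q.Del("sshauth")
	clean.RawQuery = q.Encode()
	creds.LibvirtURI = clean.String()
	return creds, nil
}

func main() {
	// Constructed sample URI; the password is a placeholder.
	c, err := parseSSHURI("qemu+ssh://admin:p%40ss@kvm-server.example.com/system?sshauth=ssh-password")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("user:", c.User, "host:", c.Host, "opt-in:", c.UseSSHPassword)
	fmt.Println("libvirt URI:", c.LibvirtURI)
	fmt.Println("for logs:", c.Redacted)
}
```

Because `net/url` decodes the userinfo part, a Vault-sourced password wrapped in Terraform's `urlencode()` round-trips correctly, including characters such as `@` and `:` that would otherwise break the URI.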

jli-cparta commented 2 years ago

@dmacvicar Anything else you need?

dmacvicar commented 2 years ago

Thanks for the contribution.