hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[New Resource]: aws_transfer_host_key #30789

Open sergei-ivanov opened 1 year ago

sergei-ivanov commented 1 year ago

Description

We need a mechanism to import multiple host keys into transfer server, possibly superseding the aws_transfer_server.host_key functionality. This is essential for key rotation requirements, and also to be able to provide keys of multiple types (e.g. both RSA and ED25519).

Requested Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "aws_transfer_host_key" "rsa" {
  server_id   = aws_transfer_server.this.id
  private_key = "...."
  description = "RSA 4096, Created 2023-03-15"
  tags = {
    Type = "RSA"
  }
}

References

Linked issues:

API:

Would you like to implement a fix?

None


dirk39 commented 1 year ago

hi @sergei-ivanov, will the aws_transfer_server.host_key conflict with the new resource? Or do we have to maintain both ways to import the key?

sergei-ivanov commented 1 year ago

> hi @sergei-ivanov, will the aws_transfer_server.host_key conflict with the new resource? Or do we have to maintain both ways to import the key?

I guess that we'll have to use ignore_changes for host_key when the keys are attached using the new aws_transfer_host_key resource. We may still want to use host_key for seeding the initial key, because if we leave it unspecified, AWS Transfer will still create its own key pair.

chadmyers commented 1 year ago

Also please make it so that it can hook into an AWS Secrets Manager Secret somehow. I can't believe people are OK with having their private host keys as plaintext strings in their terraform files!

pspot2 commented 1 year ago

> Also please make it so that it can hook into an AWS Secrets Manager Secret somehow. I can't believe people are OK with having their private host keys as plaintext strings in their terraform files!

You can use the data "aws_ssm_parameter" resource to fetch the parameter you need and then feed it to the respective input argument of the Transfer server.

As to how you would put secrets / host keys into SSM (in order not to have them in TF files) in the first place - that is a completely different story. If you use Terraform for this (resource "aws_ssm_parameter"), then be aware that at the moment Terraform stores SecureString values in its state in plain text (see #3475).
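As an added example (not code from the thread or from the provider), this is the pattern pspot2 describes: fetching the host key from an SSM SecureString parameter and feeding it to aws_transfer_server.host_key, together with the ignore_changes approach sergei-ivanov mentions. The parameter name and the server settings are assumptions.

```hcl
# Added example (not from the thread): feed a host key stored as an SSM
# SecureString into aws_transfer_server.host_key, as pspot2 suggests.
# Assumption: the parameter "/sftp/host-key/rsa" (illustrative name) was
# created outside Terraform, e.g. with `aws ssm put-parameter --type SecureString`,
# so the key material never appears in the .tf files.

data "aws_ssm_parameter" "host_key_rsa" {
  name            = "/sftp/host-key/rsa" # assumed parameter name
  with_decryption = true                 # SecureString must be decrypted for use
}

resource "aws_transfer_server" "this" {
  identity_provider_type = "SERVICE_MANAGED" # assumed
  protocols              = ["SFTP"]          # assumed

  # The decrypted private key is handed to the server here. The provider marks
  # host_key as sensitive, but a value read by a data source is still written
  # to the Terraform state file, which is the caveat raised in the thread.
  host_key = data.aws_ssm_parameter.host_key_rsa.value

  lifecycle {
    # Thread suggestion: once host keys are managed by a separate mechanism
    # (rotation, additional key types), ignore drift on host_key so Terraform
    # does not overwrite the key on the next apply.
    ignore_changes = [host_key]
  }
}
```

Protect the state backend (encryption at rest, restricted access) accordingly, since the state, not the configuration, is where the key ends up.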