Open sergei-ivanov opened 1 year ago
Hi @sergei-ivanov, will the aws_transfer_server.host_key conflict with the new resource? Or do we have to maintain both ways to import the key?
I guess that we'll have to use ignore_changes for host_key when the keys are attached using the new aws_transfer_host_key resource. We may still want to use host_key for seeding the initial key, because if we leave it unspecified, AWS Transfer will still create its own key pair.
Also please make it so that it can hook into an AWS Secrets Manager Secret somehow. I can't believe people are OK with having their private host keys as plaintext strings in their terraform files!
You can use the data "aws_ssm_parameter" resource to fetch the parameter you need and then feed it to the respective input argument of the Transfer server.
As to how you would put secrets / host keys into SSM (in order not to have them in TF files) in the first place - that is a completely different story. If you use Terraform for this (resource "aws_ssm_parameter"), then be aware that at the moment Terraform stores SecureString values in its state in plain text (see #3475).
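The approach described in the two replies above (seeding host_key from an SSM parameter and then ignoring later changes to it), as an added example that is not part of the original thread or the provider's own code. The resource names and the parameter path /sftp/host_key are assumptions, and the parameter is assumed to have been created outside this Terraform configuration.

```hcl
# Added example; resource names and the parameter path are assumptions.

# Form the thread objects to: the private key as a literal in the .tf file.
# resource "aws_transfer_server" "sftp" {
#   host_key = "-----BEGIN OPENSSH PRIVATE KEY-----\n..."
# }

# The SecureString parameter is assumed to be created outside Terraform,
# so no "aws_ssm_parameter" resource in this configuration holds the key.
data "aws_ssm_parameter" "sftp_host_key" {
  name            = "/sftp/host_key" # assumed parameter path
  with_decryption = true
}

resource "aws_transfer_server" "sftp" {
  identity_provider_type = "SERVICE_MANAGED"
  protocols              = ["SFTP"]

  # Seeds the initial key so AWS Transfer does not generate its own key pair.
  host_key = data.aws_ssm_parameter.sftp_host_key.value

  lifecycle {
    # Once the server exists, changes to host_key are no longer planned,
    # leaving room for keys managed through another mechanism.
    ignore_changes = [host_key]
  }
}

# The decrypted value is still recorded in Terraform state (as the data
# source result and as the host_key argument), so the state backend needs
# encryption at rest and restricted read access.
```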
Description
We need a mechanism to import multiple host keys into a transfer server, possibly superseding the aws_transfer_server.host_key functionality. This is essential for key rotation requirements, and also to be able to provide keys of multiple types (e.g. both RSA and ED25519).
Requested Resource(s) and/or Data Source(s)
aws_transfer_host_key
Potential Terraform Configuration
References
Linked issues:
API:
Would you like to implement a fix?
None