hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for ssh-ecdsa keys in azurerm_storage_account_local_user #21562

Open indispeq opened 1 year ago

indispeq commented 1 year ago

Is there an existing issue for this?

Community Note

Description

Dear team behind this provider. Thank you for your excellent work. I would like to ask for the support of ecdsa keys in the azurerm_storage_account_local_user resource type. At the moment, when we receive such a key from a client who wants to use SFTP and sends us a key looking like ssh-ed25519 AAAA... the provider gives this error:

 Error: - the provided ssh-ed25519 SSH key is not supported. Only RSA SSH keys are supported by Azure 

However, I can manually go into the Azure portal and add this very same key to the user. This leads me to believe that this is a limitation of the module and since the Azure API supports it, it would be worth implementing, since it is a more secure algorithm.

Thank you!

New or Affected Resource(s)/Data Source(s)

azurerm_storage_account_local_user

Potential Terraform Configuration

resource "azurerm_storage_account_local_user" "example" {
  name                 = "user1"
  storage_account_id   = azurerm_storage_account.example.id
  ssh_key_enabled      = true
  ssh_password_enabled = true
  home_directory       = "example_path"
  ssh_authorized_key {
    description = "key1"
    key         = "ssh-ed25519 AAAA..."
  }

  permission_scope {
    permissions {
      read   = true
      create = true
    }
    service       = "blob"
    resource_name = azurerm_storage_container.example.name
  }
}


References

_No response_

kfollesdal commented 1 year ago

Same for azurerm_linux_virtual_machine

tomasr commented 4 months ago

Any updates here? Running into this issue as well.

AndrewBarrowAusport commented 3 months ago

I am having the same problem with an ecdsa-sha2-nistp256 public key.

Doesn't look like it should be too hard to change: https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/compute/validate/ssh_key.go Line 38: if pubKey.Type() != ssh.KeyAlgoRSA {

I'd create a PR but I have zero experience with providers.
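The check quoted in the comment above accepts only keys whose parsed type is RSA. As an added example (not code from the provider or from anyone in this thread), the following standard-library Go program generalizes that kind of check to an allowlist and reads the algorithm name from the key blob instead of trusting the text prefix. The names `checkKey`, `sampleKey` and `allowed`, and the contents of the allowlist, are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// Assumed allowlist, for illustration only; check the service's documentation.
var allowed = map[string]bool{"ssh-rsa": true, "ecdsa-sha2-nistp256": true,
	"ecdsa-sha2-nistp384": true, "ssh-ed25519": true}

// checkKey validates a "<type> <base64-blob> [comment]" public key line and
// returns the algorithm name read from the blob itself.
func checkKey(line string, allowed map[string]bool) (string, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", fmt.Errorf("expected \"<type> <base64-blob> [comment]\"")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", fmt.Errorf("key blob is not valid base64: %w", err)
	}
	// Wire format: uint32 big-endian length, then the algorithm name.
	if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob)) > uint64(len(blob)-4) {
		return "", fmt.Errorf("truncated key blob")
	}
	inner := string(blob[4 : 4+binary.BigEndian.Uint32(blob)])
	if inner != f[0] { // the text prefix is only a label; the blob decides
		return "", fmt.Errorf("declared type %q but blob says %q", f[0], inner)
	}
	if !allowed[inner] {
		return "", fmt.Errorf("key type %q is not in the allowlist", inner)
	}
	return inner, nil
}

// sampleKey builds a constructed, non-functional key line for the demo.
// The name length fits in one byte for every algorithm name used here.
func sampleKey(declared, inner string) string {
	blob := []byte{0, 0, 0, byte(len(inner))}
	blob = append(append(blob, inner...), "constructed-not-a-real-key"...)
	return declared + " " + base64.StdEncoding.EncodeToString(blob) + " demo"
}

func main() {
	fmt.Println(checkKey(sampleKey("ssh-ed25519", "ssh-ed25519"), allowed))
	fmt.Println(checkKey(sampleKey("ssh-rsa", "ssh-dss"), allowed))
}
```

Passing a map that contains only `ssh-rsa` reproduces the RSA-only behaviour described in the issue.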

mich4xD commented 2 months ago

Hey guys! Seems that the Azure documentation states that SFTP storage accounts should be supporting ECDSA keys. Furthermore, with current CVEs for RSA, ECDSA should be the standard for connecting to SFTP. https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support#supported-algorithms

gilbahat commented 1 month ago

bumping this up, ssh ecdsa ed25519 keys are supported

gilbahat commented 1 month ago

https://github.com/gilbahat/terraform-provider-azurerm - fixed, but I am unsure how to test a local provider build - if anyone feels like taking it.