iSchluff / terraform-provider-keepass

Terraform provider for reading secrets from keepass databases
Apache License 2.0

Feature: Add keepass-entries as resources #27

Open Eusebius1920 opened 4 months ago

Eusebius1920 commented 4 months ago

I need to add resources in the keepass database via terraform.

To do this I created a resource "keepass_entry" that allows adding keepass entries through this provider. This allows VMs to be provisioned by cloud-init, generating an ssh-key inside terraform and finally exporting the ssh-keys to keepass, where you can use keepassXC's feature to connect to your local ssh-agent to seamlessly use those keys for the provisioned machines.

The change is a quite large commit in a fork of your repository:

https://github.com/Eusebius1920/terraform-provider-keepass/commit/2f4bbc0e6a8fdb870f6158514bd6f1ebdf89a63e

I wanted to hear your opinion if you would be willing to accept this as a contribution to your provider? It is quite a big change to the existing code-base. If so, I would then create a Pull-Request to get that going.

The following things would need to be adjusted by me (I am currently using it only for myself, so I skipped these parts):

I would like to hear your thoughts about this!

Eusebius1920 commented 4 months ago

Example resource:

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "keepass_entry" "example1" {
  group_uuid = "a3fe9a6931b34ab1a480286d6a6aa111"
  title      = "example1"
  username   = "hehehe"
  password   = "123"
  notes      = "Yes\nmultiline\nnotes"
  url        = "https://example.com"

  ssh_key {
    private_key                                   = tls_private_key.private_key.private_key_openssh
    ssh_agent_lifetime_constraint_duration        = 3600
    ssh_agent_use_lifetime_constraint_when_adding = true
    ssh_agent_use_confirm_constraint_when_adding  = true
    ssh_agent_add_at_database_open                = true
    ssh_agent_remove_at_database_close            = false
  }
}
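The workflow described in the issue (generate a key pair in Terraform, hand the public key to cloud-init, store the private key in KeePass) written out end to end. This is an added example, not code from the issue author or from the provider; it assumes the `keepass_entry` schema exactly as shown in the example above, assumes the provider source address `iSchluff/keepass`, and uses a placeholder `group_uuid` and a commented-out placeholder VM resource that you would replace with your own.

```hcl
terraform {
  required_providers {
    tls     = { source = "hashicorp/tls" }
    keepass = { source = "iSchluff/keepass" } # assumption: source address of a build with the keepass_entry resource
  }
}

# Generate the key pair inside Terraform. ED25519 is supported by the tls
# provider and sidesteps the RSA key-size question entirely.
resource "tls_private_key" "vm" {
  algorithm = "ED25519"
}

# Cloud-init user data for the VM: only the PUBLIC key is handed out here.
locals {
  cloud_config = <<-EOT
    #cloud-config
    users:
      - name: deploy
        ssh_authorized_keys:
          - ${chomp(tls_private_key.vm.public_key_openssh)}
  EOT
}

# Pass the rendered user data to whatever VM resource you provision with
# (placeholder name; every cloud provider exposes some user_data attribute).
# resource "some_cloud_instance" "vm" {
#   user_data = local.cloud_config
# }

# Store the PRIVATE key in KeePass with the proposed keepass_entry resource.
# Attribute names are taken from the example in the issue above.
resource "keepass_entry" "vm" {
  group_uuid = "00000000000000000000000000000000" # placeholder: UUID of the target KeePass group
  title      = "vm deploy key"
  username   = "deploy"
  password   = "" # assumption: a key-only entry needs no password; set one if the schema requires it
  notes      = "Deploy key generated by Terraform"
  url        = "ssh://vm.example.internal"

  ssh_key {
    private_key                                   = tls_private_key.vm.private_key_openssh
    ssh_agent_add_at_database_open                = true
    ssh_agent_remove_at_database_close            = true
    ssh_agent_use_confirm_constraint_when_adding  = true
    ssh_agent_use_lifetime_constraint_when_adding = true
    ssh_agent_lifetime_constraint_duration        = 3600
  }
}
```

Two points worth keeping in mind with this pattern. First, exporting the private key to KeePass does not remove it from Terraform state: `tls_private_key` keeps the key material in state, so the state backend still needs encryption at rest and tight access control. Second, the confirm and lifetime constraints shown here mean the agent asks before each use and forgets the key after an hour, which limits the blast radius of an unlocked database on a shared workstation.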

iSchluff commented 2 months ago

Hi, I think adding a resource for creating entries is reasonable, but the ssh-agent integration is in my opinion out of scope of this provider. I think ssh-agent management would be better suited to a separate provider.

Eusebius1920 commented 1 week ago

> Hi, I think adding a resource for creating entries is reasonable, but the ssh-agent integration is in my opinion out of scope of this provider. I think ssh-agent management would be better suited to a separate provider.

Just to be sure we are on the same page: The ssh-agent management is just about providing an xml-file as an attachment to a keepass entry, which is then used by other applications (like keepassxc or keeagent) to automatically supply ssh-keys that are stored inside the keepass entry (again as an attachment) to ssh-agent. It is not about managing or running ssh-agent itself from the provider. It is just an XML-File used as a configuration file attached to a keepass entry (as a simple attachment).