Closed SuperCoolAlan closed 9 months ago
It seems you're inputting the key in the wrong format. This is what I did to have this working:
tf code:
provider "aws" {
  profile = "..."
  region  = "eu-central-1"
}

locals {
  # gpg_public.raw is a binary (non-armored) export; filebase64 produces the
  # base64 string the pgp_key attribute expects
  client_pgp_pubkey = filebase64("${path.module}/gpg_public.raw")
}

module "iam_user" {
  source = "terraform-aws-modules/iam/aws//modules/iam-user"

  name                    = "issue.430"
  force_destroy           = true
  create_iam_access_key   = true
  password_reset_required = false
  pgp_key                 = local.client_pgp_pubkey
}
Key creation:
$ export PGP_PUBKEY_DIR=`pwd`
$ gpg --gen-key
... (fill in name, email, ...)
$ gpg --export -o gpg_public.raw   # no --armor: binary export, which filebase64 then encodes
TF output
➜ terraform apply
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.iam_user.aws_iam_access_key.this[0] will be created
+ resource "aws_iam_access_key" "this" {
+ create_date = (known after apply)
+ encrypted_secret = (known after apply)
+ encrypted_ses_smtp_password_v4 = (known after apply)
+ id = (known after apply)
+ key_fingerprint = (known after apply)
+ pgp_key = "mDMEZVR6DBY...[REDACTED]...qHAQ=="
+ secret = (sensitive value)
+ ses_smtp_password_v4 = (sensitive value)
+ status = "Active"
+ user = "issue.430"
}
# module.iam_user.aws_iam_user.this[0] will be created
+ resource "aws_iam_user" "this" {
+ arn = (known after apply)
+ force_destroy = true
+ id = (known after apply)
+ name = "issue.430"
+ path = "/"
+ tags_all = (known after apply)
+ unique_id = (known after apply)
}
# module.iam_user.aws_iam_user_login_profile.this[0] will be created
+ resource "aws_iam_user_login_profile" "this" {
+ encrypted_password = (known after apply)
+ id = (known after apply)
+ key_fingerprint = (known after apply)
+ password = (known after apply)
+ password_length = 20
+ password_reset_required = false
+ pgp_key = "mDMEZVR6DBY...[REDACTED]...qHAQ=="
+ user = "issue.430"
}
Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
module.iam_user.aws_iam_user.this[0]: Creating...
module.iam_user.aws_iam_user.this[0]: Creation complete after 1s [id=issue.430]
module.iam_user.aws_iam_access_key.this[0]: Creating...
module.iam_user.aws_iam_user_login_profile.this[0]: Creating...
module.iam_user.aws_iam_user_login_profile.this[0]: Creation complete after 0s [id=issue.430]
module.iam_user.aws_iam_access_key.this[0]: Creation complete after 0s [id=AKIAYK6MP27KUKOV4VMJ]
The whole jumbling of the key through a JSON format and back seems unneeded. filebase64
is exactly what you need. The documentation for iam_access_key
(which is used in the module) at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key#pgp_key also reflects the format you need to feed to the pgp_key attribute.
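A way to check a pgp_key value before handing it to the provider, as an added example that is not code from the issue thread or from the terraform-aws-iam module. It assumes the attribute wants base64 of a binary OpenPGP export whose first packet is a Public-Key packet (tag 6), and it distinguishes that from the shapes that do not work (the armored text itself, base64 of the armored text, or a JSON wrapper). The sample key is constructed from dummy bytes and is not a real key; its creation-time bytes are chosen so the base64 begins with the same "mDMEZVR6DBY" prefix as the pgp_key value in the plan output above.

```python
"""Sanity-check a Terraform pgp_key value for aws_iam_access_key / aws_iam_user_login_profile.

Added example, not code from the issue or the terraform-aws-iam module. Assumes the provider
wants base64 of a *binary* OpenPGP export (gpg --export without --armor) whose first packet is
a Public-Key packet (tag 6, RFC 4880 sec. 5.5.1.1). The sample key below is dummy bytes.
"""
import base64
import binascii

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"
TAG_PUBLIC_KEY = 6


def packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet in `data` (RFC 4880 sec. 4.2 packet headers)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if data[0] & 0x40:                # new-format header: tag in the low 6 bits
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F      # old-format header: tag in bits 2..5


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, '=CRC24' trailer) and decode."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("missing armor BEGIN/END lines")
    body = lines[1:-1]
    if "" in body:                    # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    body = [line for line in body if not line.startswith("=")]   # drop the CRC24 line
    return base64.b64decode("".join(body), validate=True)


def classify_pgp_key(value: str) -> str:
    """Say whether `value` is in the shape pgp_key expects, and if not, what it is instead."""
    stripped = value.strip()
    if stripped.startswith(ARMOR_BEGIN):
        return "armored: pass base64 of the binary key, not the armor text"
    if stripped.startswith("{"):
        return "json: the attribute takes a bare base64 string, not a JSON document"
    try:
        raw = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64"
    if raw.startswith(ARMOR_BEGIN.encode()):
        return "base64 of armored text: base64-encode the binary export instead"
    try:
        tag = packet_tag(raw)
    except ValueError:
        return "decoded bytes are not an OpenPGP packet"
    if tag != TAG_PUBLIC_KEY:
        return f"first packet is tag {tag}, expected a Public-Key packet (tag 6)"
    return "ok: base64 of a binary OpenPGP public key"


def to_terraform_pgp_key(key_material) -> str:
    """Take an armored export (str) or a binary export (bytes); return the pgp_key value."""
    if isinstance(key_material, str):
        key_material = dearmor(key_material)
    return base64.b64encode(key_material).decode()


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 sec. 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(binary: bytes) -> str:
    """Wrap a binary export the way `gpg --export --armor` lays it out."""
    b64 = base64.b64encode(binary).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    trailer = "=" + base64.b64encode(crc24(binary).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, ""] + chunks + [trailer, ARMOR_END]) + "\n"


def sample_ed25519_public_key_packet(creation_time=0x65547A0C, seed=b"\x01" * 32) -> bytes:
    """Constructed v4 Ed25519 Public-Key packet laid out like a gpg export (dummy key bytes).

    body = version 4 (1) | creation time (4) | algo 22 EdDSA (1) | OID len + OID (10) | MPI (2 + 33).
    Old-format header byte 0x98 (tag 6, one-byte length) makes the base64 start with "mDME".
    """
    oid = bytes.fromhex("2b06010401da470f01")               # Ed25519 OID 1.3.6.1.4.1.11591.15.1
    point = b"\x40" + seed                                   # 0x40 prefix + 32-byte compressed point
    mpi = (8 * len(point) - 1).to_bytes(2, "big") + point    # MPI bit length 263 (leading bit of 0x40)
    body = b"\x04" + creation_time.to_bytes(4, "big") + b"\x16" + bytes([len(oid)]) + oid + mpi
    return b"\x98" + bytes([len(body)]) + body
```

Run classify_pgp_key on whatever string you are about to put in pgp_key; to_terraform_pgp_key turns either form of gpg export into the accepted value. Once the apply succeeds, the encrypted_secret and encrypted_password outputs are base64 of a PGP message, so they are recovered by base64-decoding them and piping the result into gpg --decrypt with the matching private key.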
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
Thanks for the fix! You are right - my redirection to JSON was incorrect.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
When using the iam-user module, importing a base64-encoded pgp_key generated with gpg gives the following error:
I have attempted to remove gpg's --armor flag, attempted to add the --no-default-keyring flag to gpg, attempted to base64 encode only the contents between the PGP key's labels (like "-----BEGIN PGP PUBLIC KEY BLOCK-----"), and attempted to encode the entire key including the labels. I receive parsing errors when not using the --armor flag and labels.
Versions
Module version: 5.30.0 (master)
Terraform version: Terraform v1.6.1
Provider version(s):
Reproduction Code
Create your own PGP key with gpg
client_keys.tf
outputs.tf
Steps to reproduce the behavior:
terraform apply
data and output
Expected behavior
When importing a self-generated PGP key, do not return an error and encrypt secrets like when using keybase.
Actual behavior
PGP format is missing data
Terminal Output Screenshot(s)
Additional context