ResiLien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add SSH cert authentication method for connection via Bastion

This commit is contained in:
Mark 2019-07-21 09:32:48 +03:00
parent 4c337cc51d
commit 3031aca971
4 changed files with 27 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
communicator/ssh/communicator.go
View File

@ -155,11 +155,13 @@ func (c *Communicator) Connect(o terraform.UIOutput) (err error) {
" User: %s\n"+ " User: %s\n"+
" Password: %t\n"+ " Password: %t\n"+
" Private key: %t\n"+ " Private key: %t\n"+
" Certificate: %t\n"+
" SSH Agent: %t\n"+ " SSH Agent: %t\n"+
" Checking Host Key: %t", " Checking Host Key: %t",
c.connInfo.BastionHost, c.connInfo.BastionUser, c.connInfo.BastionHost, c.connInfo.BastionUser,
c.connInfo.BastionPassword != "", c.connInfo.BastionPassword != "",
c.connInfo.BastionPrivateKey != "", c.connInfo.BastionPrivateKey != "",
c.connInfo.BastionCertificate != "",
c.connInfo.Agent, c.connInfo.Agent,
c.connInfo.BastionHostKey != "", c.connInfo.BastionHostKey != "",
)) ))

5
communicator/ssh/provisioner.go
View File

@ -56,6 +56,7 @@ type connectionInfo struct {
BastionUser string `mapstructure:"bastion_user"` BastionUser string `mapstructure:"bastion_user"`
BastionPassword string `mapstructure:"bastion_password"` BastionPassword string `mapstructure:"bastion_password"`
BastionPrivateKey string `mapstructure:"bastion_private_key"` BastionPrivateKey string `mapstructure:"bastion_private_key"`
BastionCertificate string `mapstructure:"bastion_certificate"`
BastionHost string `mapstructure:"bastion_host"` BastionHost string `mapstructure:"bastion_host"`
BastionHostKey string `mapstructure:"bastion_host_key"` BastionHostKey string `mapstructure:"bastion_host_key"`
BastionPort int `mapstructure:"bastion_port"` BastionPort int `mapstructure:"bastion_port"`
@ -123,6 +124,9 @@ func parseConnectionInfo(s *terraform.InstanceState) (*connectionInfo, error) {
if connInfo.BastionPrivateKey == "" { if connInfo.BastionPrivateKey == "" {
connInfo.BastionPrivateKey = connInfo.PrivateKey connInfo.BastionPrivateKey = connInfo.PrivateKey
} }
if connInfo.BastionCertificate == "" {
connInfo.BastionCertificate = connInfo.Certificate
}
if connInfo.BastionPort == 0 { if connInfo.BastionPort == 0 {
connInfo.BastionPort = connInfo.Port connInfo.BastionPort = connInfo.Port
} }
@ -176,6 +180,7 @@ func prepareSSHConfig(connInfo *connectionInfo) (*sshConfig, error) {
privateKey: connInfo.BastionPrivateKey, privateKey: connInfo.BastionPrivateKey,
password: connInfo.BastionPassword, password: connInfo.BastionPassword,
hostKey: connInfo.HostKey, hostKey: connInfo.HostKey,
certificate: connInfo.BastionCertificate,
sshAgent: sshAgent, sshAgent: sshAgent,
}) })
if err != nil { if err != nil {

4
terraform/eval_validate.go
View File

@ -291,6 +291,10 @@ var connectionBlockSupersetSchema = &configschema.Block{
Type: cty.String, Type: cty.String,
Optional: true, Optional: true,
}, },
"bastion_certificate": {
Type: cty.String,
Optional: true,
},
// For type=winrm only (enforced in winrm communicator) // For type=winrm only (enforced in winrm communicator)
"https": { "https": {

4
website/docs/provisioners/connection.html.markdown
View File

@ -126,3 +126,7 @@ The `ssh` connection also supports the following fields to facilitate connnectio
host. These can be loaded from a file on disk using host. These can be loaded from a file on disk using
[the `file` function](/docs/configuration/functions/file.html). [the `file` function](/docs/configuration/functions/file.html).
Defaults to the value of the `private_key` field. Defaults to the value of the `private_key` field.
* `bastion_certificate` - The contents of a signed CA Certificate. The certificate argument
must be used in conjunction with a `bastion_private_key`. These can be loaded from
a file on disk using the [the `file` function](/docs/configuration/functions/file.html).