peterpramb/terraform-hcloud-ssh-keys

terraform-hcloud-ssh-keys

Terraform module for managing SSH keys in the Hetzner Cloud, with support for generating new SSH keys and importing existing SSH public keys.

It implements the following provider resources:

⚠️ WARNING: SSH private keys will be stored unencrypted in the Terraform state. Using generated SSH keys in production deployments is therefore not recommended. Instead, create and distribute SSH keys outside of Terraform and just import the SSH public keys into Terraform.

Usage

module "ssh_key" {
  source   = "github.com/peterpramb/terraform-hcloud-ssh-keys?ref=<release>"

  ssh_keys = [
    {
      name       = "ssh-gen-1"
      algorithm  = "ECDSA"
      key_param  = "P256"
      public_key = null
      labels     = {
        "managed"    = "true"
        "managed_by" = "Terraform"
      }
    },
    {
      name       = "ssh-gen-2"
      algorithm  = "RSA"
      key_param  = "4096"
      public_key = null
      labels     = {
        "managed"    = "true"
        "managed_by" = "Terraform"
      }
    },
    {
      name       = "ssh-imp-1"
      algorithm  = null
      key_param  = null
      public_key = "~/.ssh/cloud-infra.pub"
      labels     = {
        "managed"    = "true"
        "managed_by" = "Terraform"
      }
    },
    {
      name       = "ssh-imp-2"
      algorithm  = null
      key_param  = null
      public_key = "ecdsa-sha2-nistp256 AAAAE2VjZH..."
      labels     = {
        "managed"    = "true"
        "managed_by" = "Terraform"
      }
    }
  ]
}

Requirements

| Name | Version |
|------|---------|
| terraform | ≥ 0.13 |

Providers

| Name | Version |
|------|---------|
| hcloud | ≥ 1.20 |
| local | ≥ 2.2 |
| tls | ≥ 2.1 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| ssh_keys | List of SSH key objects to be managed. | list(map(ssh_key)) | See below | yes |
| ssh_key_path | Destination path for generated SSH key files. | string | "~/.ssh" | no |
| ssh_key_path_perms | Permissions for the SSH key destination path. | string | "0700" | no |
| ssh_private_key_perms | Permissions for generated SSH private key files. | string | "0600" | no |
| ssh_public_key_perms | Permissions for generated SSH public key files. | string | "0640" | no |

ssh_key

| Name | Description | Type | Required |
|------|-------------|------|----------|
| name | Unique name of the SSH key. | string | yes |
| algorithm | Key algorithm for generated SSH keys. | string | yes (generate only) |
| key_param | RSA key size or elliptic curve name. | string | no |
| public_key | Absolute path to SSH public key file or SSH public key data. | string | yes (import only) |
| labels | Map of user-defined labels. | map(string) | no |

Defaults

ssh_keys = [
  {
    name       = "ssh-key-1"
    algorithm  = null
    key_param  = null
    public_key = "~/.ssh/id_rsa.pub"
    labels     = {}
  }
]

Outputs

| Name | Description |
|------|-------------|
| ssh_keys | List of all SSH key objects. |
| ssh_key_ids | Map of all SSH key objects indexed by ID. |
| ssh_key_names | Map of all SSH key objects indexed by name. |

Defaults

ssh_keys = [
  {
    "fingerprint" = "32:1e:71:8f:03:34..."
    "id" = "2173651"
    "labels" = {}
    "name" = "ssh-key-1"
    "public_key" = "ssh-rsa AAAAB3NzaC..."
  },
]

ssh_key_ids = {
  "2173651" = {
    "fingerprint" = "32:1e:71:8f:03:34..."
    "id" = "2173651"
    "labels" = {}
    "name" = "ssh-key-1"
    "public_key" = "ssh-rsa AAAAB3NzaC..."
  }
}

ssh_key_names = {
  "ssh-key-1" = {
    "fingerprint" = "32:1e:71:8f:03:34..."
    "id" = "2173651"
    "labels" = {}
    "name" = "ssh-key-1"
    "public_key" = "ssh-rsa AAAAB3NzaC..."
  }
}

License

This module is released under the MIT License.