-
-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for multiple keypairs #26
Comments
I just had the same idea with the s3 scheme you described. I think it would be better than using user_data since it would re-create the instance every times keys changes... if I'm correct. |
Yep, that's my understanding. Though in theory, the EC2s made from this module should be able to be recreated all the time unless you're manually installing deps on the bastion host. Truth be told, I have a module in my company where I did go with the S3 route, and it's worked well overall. I made this issue because I'm hoping to migrate from our private module to this one. But there are a few reasons why I haven't loved the experience with the S3 bucket, and why I like the pure terraform approach:
|
Thanks for the feedback very interesting.
|
So if you don't want to have to update known_hosts, I think an EIP is a good idea. So we could add something like: variable use_eip {
type = bool
description = "When true, an elastic IP address will be set on the instance"
default = false
}
variable existing_eip_id {
description = "If set, and var.use_eip is true, this existing EIP will be used for the EC2 instance. If not set, an EIP will be allocated within this module"
default = null
}
variable authorized_keys {
type = list(string)
default = []
description = "Public keys that are authorized to ssh onto the instance"
} |
Bit of a necro, but just found this module after using several other cloudposse modules and wanted to drop a link to https://github.com/Guimove/terraform-aws-bastion in here. We're using it to automate the generation of users using keys from an S3 bucket, and it'll log everything users do to the same S3 bucket for auditing purposes. Allows our users to provision access to the bastion by creating a PR with their public key to a repo, and on merge TF will upload the key to S3 and then this module will set everything else up. Might be some inspiration for adding similar functionality here! |
It would be great if this module could make EC2s that multiple different users could ssh onto.
One way to do this would be to create an s3 bucket that IAM Users could upload public keys to, and then a cronjob could be setup in the user_data that would read in those keys.
Another way would be to have a var take in a list of public keys, and then the user_data could iterate over those keys and add them all as authorized keys.
I would be down to do either of these options if there is interest
The text was updated successfully, but these errors were encountered: