Merge pull request #64 from loafoe/feature/61

Support for private key passphprases #61
loafoe · Feb 10, 2023 · d3e8309 · d3e8309
2 parents 9dbafdb + 1e8138f
commit d3e8309
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 8 deletions.
diff --git a/docs/resources/resource.md b/docs/resources/resource.md
@@ -88,6 +88,16 @@ Each `file` block can contain the following fields. Use either `content` or `sou
 * `owner` - (Optional, string) The file owner. Default owner the SSH user
 * `group` - (Optional, string) The file group. Default group is the SSH user's group
 
+### Passphrases on SSH private keys
+
+The provider supports using private keys with a passphrases. However, to prevent passphrases from being stored
+in Terraform state they can only be provided through the environment variables:
+
+| Environment                        | Description                                |
+|------------------------------------|--------------------------------------------|
+| SSH_PRIVATE_KEY_PASSPHRASE         | Passphrase for the host target private key |
+| SSH_BASTION_PRIVATE_KEY_PASSPHRASE | Passphrase for the bastion private key     |
+
 ## Attributes Reference
 
 The following attributes are exported:

diff --git a/ssh/resource_resource.go b/ssh/resource_resource.go
@@ -7,6 +7,7 @@ import (
 	"math/rand"
 	"net/http"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -294,8 +295,10 @@ func mainRun(_ context.Context, d *schema.ResourceData, m interface{}, onUpdate
 	password := d.Get("password").(string)
 	bastionPassword := d.Get("bastion_password").(string)
 	privateKey := d.Get("private_key").(string)
+	privateKeyPassphrase, _ := schema.EnvDefaultFunc("SSH_PRIVATE_KEY_PASSPHRASE", "")()
 	hostPrivateKey := d.Get("host_private_key").(string)
 	bastionPrivateKey := d.Get("bastion_private_key").(string)
+	bastionPrivateKeyPassphrase, _ := schema.EnvDefaultFunc("SSH_BASTION_PRIVATE_KEY_PASSPHRASE", "")()
 	host := d.Get("host").(string)
 	timeout := d.Get("timeout").(string)
 	retryDelay := d.Get("retry_delay").(string)
@@ -331,15 +334,17 @@ func mainRun(_ context.Context, d *schema.ResourceData, m interface{}, onUpdate
 	// Collect SSH details
 	privateIP := host
 	ssh := &easyssh.MakeConfig{
-		User:   hostUser,
-		Server: privateIP,
-		Port:   port,
-		Key:    privateKey,
-		Proxy:  http.ProxyFromEnvironment,
+		User:       hostUser,
+		Server:     privateIP,
+		Port:       port,
+		Key:        privateKey,
+		Passphrase: privateKeyPassphrase.(string),
+		Proxy:      http.ProxyFromEnvironment,
 		Bastion: easyssh.DefaultConfig{
-			User:   user,
-			Server: bastionHost,
-			Port:   bastionPort,
+			User:       user,
+			Server:     bastionHost,
+			Passphrase: bastionPrivateKeyPassphrase.(string),
+			Port:       bastionPort,
 		},
 	}
 	if password != "" {
@@ -442,9 +447,15 @@ func runCommands(ctx context.Context, retryDelay time.Duration, commands []strin
 			if err == nil {
 				break
 			}
+			if strings.Contains(err.Error(), "no supported methods remain") {
+				diags = append(diags, diag.FromErr(err)...)
+				return stdout, diags, err
+			}
+
 			select {
 			case <-time.After(retryDelay * time.Second):
 				// Retry
+
 			case <-ctx.Done():
 				_, _ = config.Debug("error: %v\n", err)
 				diags = append(diags, diag.Diagnostic{