Skip to content

Commit

Permalink
Merge pull request #22156 from binlab/feature/bastion-ca-ssh
Browse files Browse the repository at this point in the history
Add SSH certificate authentication method for connection via Bastion
  • Loading branch information
Pam Selle authored Aug 15, 2019
2 parents 0d19465 + 3031aca commit 901ec99
Show file tree
Hide file tree
Showing 4 changed files with 27 additions and 12 deletions.
2 changes: 2 additions & 0 deletions communicator/ssh/communicator.go
Original file line number Diff line number Diff line change
Expand Up @@ -155,11 +155,13 @@ func (c *Communicator) Connect(o terraform.UIOutput) (err error) {
" User: %s\n"+
" Password: %t\n"+
" Private key: %t\n"+
" Certificate: %t\n"+
" SSH Agent: %t\n"+
" Checking Host Key: %t",
c.connInfo.BastionHost, c.connInfo.BastionUser,
c.connInfo.BastionPassword != "",
c.connInfo.BastionPrivateKey != "",
c.connInfo.BastionCertificate != "",
c.connInfo.Agent,
c.connInfo.BastionHostKey != "",
))
Expand Down
29 changes: 17 additions & 12 deletions communicator/ssh/provisioner.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,12 +53,13 @@ type connectionInfo struct {
ScriptPath string `mapstructure:"script_path"`
TimeoutVal time.Duration `mapstructure:"-"`

BastionUser string `mapstructure:"bastion_user"`
BastionPassword string `mapstructure:"bastion_password"`
BastionPrivateKey string `mapstructure:"bastion_private_key"`
BastionHost string `mapstructure:"bastion_host"`
BastionHostKey string `mapstructure:"bastion_host_key"`
BastionPort int `mapstructure:"bastion_port"`
BastionUser string `mapstructure:"bastion_user"`
BastionPassword string `mapstructure:"bastion_password"`
BastionPrivateKey string `mapstructure:"bastion_private_key"`
BastionCertificate string `mapstructure:"bastion_certificate"`
BastionHost string `mapstructure:"bastion_host"`
BastionHostKey string `mapstructure:"bastion_host_key"`
BastionPort int `mapstructure:"bastion_port"`

AgentIdentity string `mapstructure:"agent_identity"`
}
Expand Down Expand Up @@ -123,6 +124,9 @@ func parseConnectionInfo(s *terraform.InstanceState) (*connectionInfo, error) {
if connInfo.BastionPrivateKey == "" {
connInfo.BastionPrivateKey = connInfo.PrivateKey
}
if connInfo.BastionCertificate == "" {
connInfo.BastionCertificate = connInfo.Certificate
}
if connInfo.BastionPort == 0 {
connInfo.BastionPort = connInfo.Port
}
Expand Down Expand Up @@ -171,12 +175,13 @@ func prepareSSHConfig(connInfo *connectionInfo) (*sshConfig, error) {
bastionHost := fmt.Sprintf("%s:%d", connInfo.BastionHost, connInfo.BastionPort)

bastionConf, err = buildSSHClientConfig(sshClientConfigOpts{
user: connInfo.BastionUser,
host: bastionHost,
privateKey: connInfo.BastionPrivateKey,
password: connInfo.BastionPassword,
hostKey: connInfo.HostKey,
sshAgent: sshAgent,
user: connInfo.BastionUser,
host: bastionHost,
privateKey: connInfo.BastionPrivateKey,
password: connInfo.BastionPassword,
hostKey: connInfo.HostKey,
certificate: connInfo.BastionCertificate,
sshAgent: sshAgent,
})
if err != nil {
return nil, err
Expand Down
4 changes: 4 additions & 0 deletions terraform/eval_validate.go
Original file line number Diff line number Diff line change
Expand Up @@ -305,6 +305,10 @@ var connectionBlockSupersetSchema = &configschema.Block{
Type: cty.String,
Optional: true,
},
"bastion_certificate": {
Type: cty.String,
Optional: true,
},

// For type=winrm only (enforced in winrm communicator)
"https": {
Expand Down
4 changes: 4 additions & 0 deletions website/docs/provisioners/connection.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -126,3 +126,7 @@ The `ssh` connection also supports the following fields to facilitate connnectio
host. These can be loaded from a file on disk using
[the `file` function](/docs/configuration/functions/file.html).
Defaults to the value of the `private_key` field.

* `bastion_certificate` - The contents of a signed CA Certificate. The certificate argument
must be used in conjunction with a `bastion_private_key`. These can be loaded from
a file on disk using the [the `file` function](/docs/configuration/functions/file.html).

0 comments on commit 901ec99

Please sign in to comment.