Merge pull request #414 from ComputeCanada/fix_authorized_keys

Limit where user tf is defined

Author: cmd-ntrf

common/configuration/main.tf

@@ -99,6 +99,7 @@ locals {
         cloud_provider        = var.cloud_provider
         cloud_region          = var.cloud_region
         tags                  = values.tags
+        bastion_tags          = var.bastion_tags
         node_name             = key,
         node_prefix           = values.prefix,
         domain_name           = var.domain_name
@@ -108,7 +109,7 @@ locals {
         puppetserver_password = local.puppet_passwd,
         sudoer_username       = var.sudoer_username,
         ssh_authorized_keys   = local.public_keys
-        tf_ssh_public_key     = tls_private_key.ssh.public_key_openssh
+        tf_ssh_public_key     = chomp(tls_private_key.ssh.public_key_openssh)
         terraform_facts       = local.terraform_facts
         skip_upgrade          = var.skip_upgrade
         puppetfile            = var.puppetfile
@@ -141,7 +142,7 @@ output "terraform_facts" {
 }
 
 output "puppetservers" {
-  value = { for host, values in local.final_inventory : host => values.local_ip if contains(values.tags, "puppet") }
+  value = { for host, values in local.final_inventory : host => { local_ip = values.local_ip, public_ip = values.public_ip } if contains(values.tags, "puppet") }
 }
 
 output "guest_passwd" {

common/configuration/puppet.yaml.tftpl

@@ -6,13 +6,15 @@ mounts:
  - [ ephemeral0, /mnt/ephemeral0 ]
 
 users:
+%{ if contains(tags, "puppet") || length(setintersection(tags, bastion_tags)) > 0 ~}
   - name: tf
     system: true
     passwd: '*'
     no_user_group: true
     homedir: /tmp
 %{ if contains(tags, "puppet") }
     sudo: "ALL = NOPASSWD: /usr/sbin/update_etc_puppetlabs.sh *.zip"
+%{ endif ~}
 %{ endif ~}
   - name: ${sudoer_username}
     groups: adm, wheel, systemd-journal
@@ -164,16 +166,26 @@ runcmd:
   - test -f /run/cloud-init-failed && echo 'WARNING - some steps cloud-init runcmd failed, listed in /run/cloud-init-failed. Manual fixing and rebooting required. ' | tee /etc/motd || true
 
 write_files:
-  # If the ip addresses of the puppet servers are not known in advance, we cannot restrict the ssh connection to them.
-  - content: restrict,%{ if contains(tags, "puppet") }pty%{ else }%{if length(compact(values(puppetservers))) == length(keys(puppetservers)) }%{ for host, ip in puppetservers }permitopen="${ip}:22"%{ endfor }%{ else }pty%{ endif },port-forwarding,command="/sbin/nologin"%{ endif } ${tf_ssh_public_key}
-    path: /etc/ssh/authorized_keys.tf
-    permissions: "0644"
+%{ if contains(tags, "puppet") || length(setintersection(tags, bastion_tags)) > 0 ~}
   - content: |
       Match User tf
         AuthorizedKeysFile /etc/ssh/authorized_keys.%u
         AuthenticationMethods publickey
     path: /etc/ssh/sshd_config.d/50-authenticationmethods.conf
     permissions: "0600"
+%{ endif ~}
+%{ if contains(tags, "puppet") ~}
+  - content: restrict,pty ${tf_ssh_public_key}
+    path: /etc/ssh/authorized_keys.tf
+    permissions: "0644"
+%{ else ~}
+%{ if length(setintersection(tags, bastion_tags)) > 0 ~}
+  # If the ip addresses of the puppet servers are not known in advance, we cannot restrict the ssh connection to them.
+  - content: restrict,%{if length(compact(values(puppetservers))) == length(keys(puppetservers)) }%{ for host, ip in puppetservers }permitopen="${ip}:22"%{ endfor }%{ else }pty%{ endif },port-forwarding,command="/sbin/nologin" ${tf_ssh_public_key}
+    path: /etc/ssh/authorized_keys.tf
+    permissions: "0644"
+%{ endif ~}
+%{ endif ~}
   - content: |
       facts : {
         blocklist : [

common/provision/main.tf

@@ -60,7 +60,8 @@ data "archive_file" "puppetserver_files" {
 }
 
 locals {
-  bastion_host = length(var.configuration.bastions) > 0 ? var.configuration.bastions[keys(var.configuration.bastions)[0]] : null
+  puppetservers_are_bastion = length(setintersection(keys(var.configuration.bastions), keys(var.configuration.puppetservers))) == length(var.configuration.puppetservers)
+  bastion_host              = length(var.configuration.bastions) > 0 ? var.configuration.bastions[keys(var.configuration.bastions)[0]] : null
 }
 
 resource "terraform_data" "deploy_puppetserver_files" {
@@ -69,11 +70,11 @@ resource "terraform_data" "deploy_puppetserver_files" {
   connection {
     type                = "ssh"
     agent               = false
-    bastion_host        = contains(local.bastion_host.tags, "public") ? local.bastion_host.public_ip : local.bastion_host.local_ip
+    bastion_host        = local.puppetservers_are_bastion ? null : (contains(local.bastion_host.tags, "public") ? local.bastion_host.public_ip : local.bastion_host.local_ip)
     bastion_user        = "tf"
     bastion_private_key = var.configuration.ssh_key.private
     user                = "tf"
-    host                = each.value
+    host                = local.puppetservers_are_bastion && each.value.public_ip != "" ? each.value.public_ip : each.value.local_ip
     private_key         = var.configuration.ssh_key.private
   }