backport of commit 6d0ba37

Author: moduli

enos/modules/docker_openssh_server_ca_key/custom-cont-init.d/00-trust-user-ca

@@ -2,13 +2,13 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-cp /ca/ca-key.pub /etc/ssh/ca-key.pub
-chown 1000:1000 /etc/ssh/ca-key.pub
-chmod 644 /etc/ssh/ca-key.pub
-echo TrustedUserCAKeys /etc/ssh/ca-key.pub >> /etc/ssh/sshd_config
-echo PermitTTY yes >> /etc/ssh/sshd_config
-sed -i 's/X11Forwarding no/X11Forwarding yes/' /etc/ssh/sshd_config
-echo "X11UseLocalhost no" >> /etc/ssh/sshd_config
+cp /ca/ca-key.pub /config/sshd/ca-key.pub
+chown 1000:1000 /config/sshd/ca-key.pub
+chmod 644 /config/sshd/ca-key.pub
+echo TrustedUserCAKeys /config/sshd/ca-key.pub >> /config/sshd/sshd_config
+echo PermitTTY yes >> /config/sshd/sshd_config
+sed -i 's/X11Forwarding no/X11Forwarding yes/' /config/sshd/sshd_config
+echo "X11UseLocalhost no" >> /config/sshd/sshd_config
 
 apk update
 apk add xterm util-linux dbus ttf-freefont xauth firefox

enos/modules/docker_openssh_server_ca_key/custom-cont-init.d/01-allow-tcp-forwarding

@@ -0,0 +1,5 @@
+#!/usr/bin/with-contenv bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /config/sshd/sshd_config

enos/modules/docker_openssh_server_ca_key/main.tf

@@ -61,9 +61,14 @@ locals {
   ca_public_key  = data.tls_public_key.ca_key.public_key_openssh
 }
 
+data "docker_registry_image" "openssh" {
+  name = var.image_name
+}
+
 resource "docker_image" "openssh_server" {
-  name         = var.image_name
-  keep_locally = true
+  name          = var.image_name
+  keep_locally  = true
+  pull_triggers = [data.docker_registry_image.openssh.sha256_digest]
 }
 
 resource "docker_container" "openssh_server" {
@@ -75,6 +80,7 @@ resource "docker_container" "openssh_server" {
     "TZ=US/Eastern",
     "USER_NAME=${var.target_user}",
     "PUBLIC_KEY=${local.ssh_public_key}",
+    "SUDO_ACCESS=true",
   ]
   network_mode = "bridge"
   dynamic "networks_advanced" {