added private ssh key as variable (#378)

* added private ssh key as variable

Signed-off-by: Ali Mukadam <[email protected]>

* typo in terraform.tfvars.example

Signed-off-by: Ali Mukadam <[email protected]>

* updated changelog

Signed-off-by: Ali Mukadam <[email protected]>

* duplicate entry for api_key in terraform.tfvars.example

Signed-off-by: Ali Mukadam <[email protected]>

Author: hyder

CHANGELOG.adoc

@@ -9,13 +9,12 @@ The format is based on {uri-changelog}[Keep a Changelog].
 
 === Unreleased
 # Breaking changes
+* Set minimum version to Terraform 1.0.0
 * Removed base module and use vcn, bastion and operator modules directly
 * Renamed and standardized all control variables
 * Removed deprecated template provider dependencies
 * Made bastion and operator modules conditional
-* Added LPGs for hub and spoke deployment model
-* Set minimum version to Terraform 1.0.0
-* Removed identity parameters in between modules
+* Removed identity parameters in between modules to improve reusability
 * Renamed okenetwork submodule to network
 * Created a new submodule (extensions) and moved all scripts and extra things there
 * Moved dynamic group and policy for kms into oke module
@@ -24,20 +23,22 @@ The format is based on {uri-changelog}[Keep a Changelog].
 
 # Changes
 * Changed default Kubernetes version to v1.20.8 and removed v1.16.8, v1.17.9 from docs.
-* Added support for reserved public IP address for NAT gateway
 * Bug fix: Use correct calico file to install calico for networking policy only (#307)
 * Added support for GPU and ARM shapes (#302)
-* VCN module upgraded to VCN 3.0.0. This allows supporting multiple cidr blocks (#360 )
-* kubeconfig on operator always uses PRIVATE_ENDPOINT (#358 )
-* Documented providers in quickstart (#355 )
-* Renamed tags to freeform_tags in line with other modules
-* Added validation on some variables
+* VCN module upgraded to VCN 3.0.0. This allows supporting multiple cidr blocks (#360)
+* kubeconfig on operator always uses PRIVATE_ENDPOINT (#358)
+* Documented providers in quickstart (#355)
+* Renamed tags to freeform_tags in line with other modules (#364)
+* Added validation on some variables (#370)
 
 # New Features
-
+* Added OCI Bastion Service as option to access operator or control plane
+* Added support for reserved public IP address for NAT gateway (#311)
+* Added LPGs for hub and spoke deployment model (#295)
 * Allow access to operator via OCI Bastion service (#352)
 * Added support for using NSGs for cluster endpoint (#343 )
-* Added option to disable worker node access to Internet. Users can only pull images from OCIR (#331 )
+* Added option to disable worker node access to Internet. Users can only pull images from OCIR (#331)
+* Added ability to specify api and private ssh keys using heredoc format with a variable (#375) 
 
 # Bug fixes
 * Added home region to update dynamic group script for cases when actual region is different from tenancy home region (#347)

docs/terraformoptions.adoc

@@ -43,8 +43,12 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |none
 
 |api_private_key
-|The contents of the private key file to use with OCI API. This takes precedence over private_key_path if both are specified in the provider. *Maybe required depending on your authentication method.*
-|
+|The contents of the private key file to use with OCI API. This takes precedence over private_key_path if both are specified in the provider. *Maybe required depending on your authentication method.* Use the heredoc format if you are specifying the key with this variable.
+|<<EOT
+-----BEGIN RSA PRIVATE KEY-----
+content+of+api+key
+-----END RSA PRIVATE KEY-----
+EOT
 |none
 
 |api_private_key_password
@@ -104,6 +108,16 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |Values
 |Default
 
+|ssh_private_key
+|The contents of the private ssh key file. Use the heredoc format if you are specifying the private key.
+|
+<<EOT
+-----BEGIN RSA PRIVATE KEY-----
+content+of+api+key
+-----END RSA PRIVATE KEY-----
+EOT
+|
+
 |ssh_private_key_path
 |path to ssh private key. The same key will be used to access worker nodes using SSH. *Required* if bastion is enabled.
 

main.tf

@@ -254,6 +254,7 @@ module "extensions" {
   region = var.region
 
   # ssh keys
+  ssh_private_key      = var.ssh_private_key
   ssh_private_key_path = var.ssh_private_key_path
   ssh_public_key       = var.ssh_public_key
   ssh_public_key_path  = var.ssh_public_key_path

modules/extensions/activeworker.tf

@@ -8,14 +8,14 @@ resource "null_resource" "check_worker_active" {
 
   connection {
     host        = var.operator_private_ip
-    private_key = file(var.ssh_private_key_path)
+    private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
     user        = "opc"
 
     bastion_host        = var.bastion_public_ip
     bastion_user        = "opc"
-    bastion_private_key = file(var.ssh_private_key_path)
+    bastion_private_key = local.ssh_private_key
   }
 
   depends_on = [null_resource.write_kubeconfig_on_operator]

modules/extensions/calico.tf

@@ -4,14 +4,14 @@
 resource "null_resource" "install_calico" {
   connection {
     host        = var.operator_private_ip
-    private_key = file(var.ssh_private_key_path)
+    private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
     user        = "opc"
 
     bastion_host        = var.bastion_public_ip
     bastion_user        = "opc"
-    bastion_private_key = file(var.ssh_private_key_path)
+    bastion_private_key = local.ssh_private_key
   }
 
   depends_on = [null_resource.install_kubectl_operator, null_resource.write_kubeconfig_on_operator]

modules/extensions/drain.tf

@@ -4,14 +4,14 @@
 resource "null_resource" "drain_nodes" {
   connection {
     host        = var.operator_private_ip
-    private_key = file(var.ssh_private_key_path)
+    private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
     user        = "opc"
 
     bastion_host        = var.bastion_public_ip
     bastion_user        = "opc"
-    bastion_private_key = file(var.ssh_private_key_path)
+    bastion_private_key = local.ssh_private_key
   }
 
   provisioner "file" {

modules/extensions/iam.tf

@@ -32,14 +32,14 @@ resource "null_resource" "update_dynamic_group" {
 
   connection {
     host        = var.operator_private_ip
-    private_key = file(var.ssh_private_key_path)
+    private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
     user        = "opc"
 
     bastion_host        = var.bastion_public_ip
     bastion_user        = "opc"
-    bastion_private_key = file(var.ssh_private_key_path)
+    bastion_private_key = local.ssh_private_key
   }
 
   depends_on = [time_sleep.wait_30_seconds]

modules/extensions/k8stools.tf

@@ -4,14 +4,14 @@
 resource "null_resource" "install_kubectl_operator" {
   connection {
     host        = var.operator_private_ip
-    private_key = file(var.ssh_private_key_path)
+    private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
     user        = "opc"
 
     bastion_host        = var.bastion_public_ip
     bastion_user        = "opc"
-    bastion_private_key = file(var.ssh_private_key_path)
+    bastion_private_key = local.ssh_private_key
   }
 
   provisioner "file" {
@@ -34,14 +34,14 @@ resource "null_resource" "install_kubectl_operator" {
 resource "null_resource" "install_helm_operator" {
   connection {
     host        = var.operator_private_ip
-    private_key = file(var.ssh_private_key_path)
+    private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
     user        = "opc"
 
     bastion_host        = var.bastion_public_ip
     bastion_user        = "opc"
-    bastion_private_key = file(var.ssh_private_key_path)
+    bastion_private_key = local.ssh_private_key
   }
 
   depends_on = [null_resource.install_kubectl_operator, null_resource.write_kubeconfig_on_operator]

modules/extensions/kubeconfig.tf

@@ -53,14 +53,14 @@ resource "local_file" "kube_config_file" {
 resource "null_resource" "write_kubeconfig_on_operator" {
   connection {
     host        = var.operator_private_ip
-    private_key = file(var.ssh_private_key_path)
+    private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
     user        = "opc"
 
     bastion_host        = var.bastion_public_ip
     bastion_user        = "opc"
-    bastion_private_key = file(var.ssh_private_key_path)
+    bastion_private_key = local.ssh_private_key
   }
 
   depends_on = [null_resource.install_kubectl_operator]

modules/extensions/locals.tf

@@ -2,7 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 locals {
-
+  ssh_private_key = var.ssh_private_key != "" ? var.ssh_private_key : var.ssh_private_key_path != "none" ? file(var.ssh_private_key_path) : null
   node_pools_size_list = [
     for node_pool in data.oci_containerengine_node_pools.all_node_pools.node_pools :
     node_pool.node_config_details[0].size