0.11.0
It would be great if we could manage ssh-keys in state, just like postgresql provider.
I am aware of file provisioner, but it's not quite that.
Please advise whether it is a valid/viable request.
Thanks a lot in advance!
Hi @yellowmegaman!
I'm not sure what you mean by managing SSH keys in state, particularly in comparison with the PostgreSQL provider, since that provider doesn't manage keys in state.
If what you're looking for is to generate an SSH private key within Terraform, this can already be done using `tls_private_key`, which (if you choose an SSH-compatible key format) exports an attribute `public_key_openssh` which gives the key in a format that's suitable for writing into `.ssh/authorized_keys`.
@apparentlymart hi! Thanks for the reply, forgot about the FR completely.
Actually I was thinking about this kind of flow:
So I don't need to make any provisioning, don't need to run any automation tool against instances.
That's all.
Hi @yellowmegaman! Thanks for the additional detail here.
Terraform can't manage SSH keys directly on servers because it's aimed at creating objects via APIs rather than managing the configuration on a particular server. However, if you have some other infrastructure already in place for centrally managing your SSH keys then Terraform could potentially be the tool that adds and removes them from that system.
For example, some users who use AWS OpsWorks as a management layer for their servers currently use Terraform to configure the SSH keys registered with OpsWorks. In other cases, SSH keys might be mastered in HashiCorp Consul, written there by Terraform and then installed onto servers by the Consul agent. The important detail is that in both of these cases there is a separate system coordinating the distribution of the keys across all servers and Terraform is used merely to register the keys with that system.
For this reason, Terraform is _complementary_ with a configuration management system for your servers: it can be used to provide data for a configuration management system to use, but the configuration management system manages what is installed and running on your servers.
Thanks for the explanation!

> aimed at creating objects via APIs

is a sufficient response, didn't think of it, and see the reason now!
Actually what I wanted to do was generate a key that I can register to login using the remote-exec.
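
The approach discussed in this thread (generating a key with `tls_private_key` and using it for `remote-exec` login), as an added example that is not code from any participant or from the Terraform project. The AWS resources, the AMI placeholder, the key name and the `ubuntu` login user are assumptions chosen for illustration.

```hcl
# Added example. Assumes the AWS provider is configured elsewhere.

# Terraform generates the key pair. The private key is written to the
# state file in plain text, so the state backend must be access-controlled
# and encrypted at rest, and the key treated as disposable.
resource "tls_private_key" "provision" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Register only the public half with the platform API. The platform, not
# Terraform, places it into authorized_keys when the instance boots.
resource "aws_key_pair" "provision" {
  key_name   = "terraform-provision" # assumed name
  public_key = "${tls_private_key.provision.public_key_openssh}"
}

resource "aws_instance" "example" {
  ami           = "ami-PLACEHOLDER" # placeholder, substitute a real image ID
  instance_type = "t2.micro"
  key_name      = "${aws_key_pair.provision.key_name}"

  # remote-exec logs in with the generated private key.
  provisioner "remote-exec" {
    inline = ["echo connected as $(whoami)"]

    connection {
      type        = "ssh"
      host        = "${self.public_ip}"
      user        = "ubuntu" # assumed login user for the image
      private_key = "${tls_private_key.provision.private_key_pem}"
    }
  }
}

# Expose only the public key. An output of the private key would need
# sensitive = true, which hides it from CLI output but not from state.
output "provision_public_key" {
  value = "${tls_private_key.provision.public_key_openssh}"
}
```

Because the private key lives in state, anyone who can read the state can log in to the instance; rotating the key means replacing the `tls_private_key` resource and re-registering the public half.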
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.