User Story 60501: 101-aks-cluster #218
Conversation
Thanks @TomArcherMsft for opening this PR, could we use the tls_private_key resource to generate the SSH key?
quickstart/101-aks-cluster/main.tf
Outdated
parent_id = azurerm_resource_group.rg.id | ||
} | ||
|
||
resource "azapi_resource_action" "ssh_public_key_gen" { |
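Review bot: the key pair that `azapi_resource_action.ssh_public_key_gen` generates comes back in the action's output, which Terraform persists in state, so add a comment here that the state backend now holds a private key and must be protected accordingly. Referencing the sshPublicKeys resource created under `parent_id = azurerm_resource_group.rg.id` via the action's `resource_id` keeps the ordering explicit so the action only runs once that resource exists.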
I would recommend the tls_private_key resource:

```hcl
# RSA key of size 4096 bits
resource "tls_private_key" "rsa_4096" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
```
Hi, @lonegunmanb. I used the AzAPI as that is something @grayzu recommended in an email thread with all of us. Maybe we need to reengage on the email thread or figure it out here?
Although the tls provider will do the trick, I think making use of the Azure functionality which will provide SSH certificates that can be used in production environments is a better way to show this functionality. According to the docs, the tls provider is not recommended for prod use.
admin_username = var.linux_admin_username | ||
|
||
ssh_key { | ||
key_data = jsondecode(azapi_resource_action.ssh_public_key_gen.output)["publicKey"] |
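Review bot: `key_data` decodes the entire action output and indexes `publicKey`; the decoded output holds the private half of the pair as well, so it must never be fed to a non-sensitive output, and the `sensitive = true` treatment proposed for the tls variant in this thread applies equally here. `jsondecode(...)["publicKey"]` also fails at plan time if the field is absent, so keep this index in step with what the action actually returns.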
If we use the tls_private_key resource, then the key_data could be:

```hcl
key_data = tls_private_key.rsa_4096.public_key_openssh
```
value = azurerm_resource_group.rg.name | ||
} | ||
|
||
output "ssh_key_name" { |
We can export the private key:

```hcl
output "ssh_private_key_openssh" {
  sensitive = true
  value     = tls_private_key.rsa_4096.private_key_openssh
}

output "ssh_private_key_pem" {
  sensitive = true
  value     = tls_private_key.rsa_4096.private_key_pem
}
```
terraform { | ||
required_version = ">=1.0" | ||
required_providers { | ||
azapi = { |
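Review bot: the `azapi = {` entry is cut off at the end of this hunk; confirm it carries a `source` and a `version` constraint like the `tls` block suggested in this thread, because an unpinned provider lets a future major release change the shape of the `output` that the `jsondecode(...)["publicKey"]` lookup depends on.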
We can use the tls provider here:

```hcl
tls = {
  source  = "hashicorp/tls"
  version = "~>4.0"
}
```
LGTM! @grayzu WDYT?
I responded to lonegunmanb's suggestion to use tls provider. Everything else looks great.
In a more recent PR, I put the SSH-creation code in a separate file (ssh.tf). I like doing that as it isolates the SSH creation & AzAPI usage and reduces code in main.tf. Should we use that pattern as the standard? If so, I'll make the change to this PR.
As long as we've agreed on a working pattern I think it's ok to apply the pattern on this repo.
@stemaMSFT @lonegunmanb This PR is ready to review.
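The tls_private_key suggestion from this thread wired together as one working configuration (an added example, not the PR's code): it assumes azurerm_resource_group.rg and var.linux_admin_username from main.tf, a var.cluster_name_prefix variable and an azurerm provider configured elsewhere; the resource names and the fingerprint output are assumptions of this example.

```hcl
# Added example: SSH key generation with the tls provider, the AKS
# linux_profile wiring, and outputs that expose only what is safe.
terraform {
  required_version = ">=1.0"
  required_providers {
    tls = {
      source  = "hashicorp/tls"
      version = "~>4.0"
    }
  }
}

resource "tls_private_key" "rsa_4096" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "azurerm_kubernetes_cluster" "k8s" {
  name                = "${var.cluster_name_prefix}-aks"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "${var.cluster_name_prefix}-dns"

  identity {
    type = "SystemAssigned"
  }

  default_node_pool {
    name       = "agentpool"
    vm_size    = "Standard_D2_v2"
    node_count = 1
  }

  linux_profile {
    admin_username = var.linux_admin_username
    ssh_key {
      # Only the public half of the pair is sent to Azure.
      key_data = tls_private_key.rsa_4096.public_key_openssh
    }
  }
}

# sensitive = true makes Terraform redact the value in plan/apply output;
# it is still stored in state, so the state backend must be protected.
output "ssh_private_key_openssh" {
  sensitive = true
  value     = tls_private_key.rsa_4096.private_key_openssh
}

# Non-sensitive fingerprint lets operators confirm which key was deployed.
output "ssh_public_key_fingerprint_sha256" {
  value = tls_private_key.rsa_4096.public_key_fingerprint_sha256
}
```

Read the private key with `terraform output -raw ssh_private_key_openssh` when needed; the fingerprint output is safe to show in CI logs.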
LGTM~
Hi @TomArcherMsft, thanks for the update. It looks like this PR's base commit is too old, so the changed-files scope that the pipeline calculated was wrong. Would you please rebase your branch onto the latest master branch and try again? Thanks!
Part of POC to test generating sample code and articles using OpenAI.