How to get private key from secret manager?

Question

I need to store a Private Key in AWS. Because when I create an ec2 instance from AWS I need to use this primary key to auth in provisioner "remote-exec". I don't want to save in repo AWS.

It's a good idea to save a private key in Secret Manager? And then consume it?

And in the case affirmative, How to save the primary key in Secret Manager and then retrieve in TF aws_secretsmanager_secret_version?

In my case, if I validate from a file(), it's working but if I validate from a string, is failed.

connection {
    host = self.private_ip
    type = "ssh"
    user = "ec2-user"
    #private_key = file("${path.module}/key")   <-- Is working
    private_key = jsondecode(data.aws_secretsmanager_secret_version.secret_terraform.secret_string)["ec2_key"]    <-- not working. Error: Failed to read ssh private key: no key found
}

Answer 1

I think the reason is due to how you store it. I verified using my own sandbox account the use of aws_secretsmanager_secret_version and it works. However, I stored it as a pain text, not json:

Then I successfuly used it as follows for an instance:

resource "aws_instance" "public" {
  ami           =  "ami-02354e95b39ca8dec" 
  instance_type = "t2.micro" 
  key_name      = "key-pair-name"
  security_groups = [aws_security_group.ec2_sg.name]
  
  provisioner "remote-exec" {
  
    connection {
      type     = "ssh"
      user     = "ec2-user"
      private_key = data.aws_secretsmanager_secret_version.example.secret_string
      host     = "${self.public_ip}"
    }
  
    inline = [
      "ls -la"
    ]
  }
  
  depends_on = [aws_key_pair.key]
  
}