Our Terraform code is stored in Git. The SSH private host keys are stored there too. Terraform pushes these keys each time the VMs are (re)created.

For Ansible we store private data in an Ansible Vault. AFAIK Terraform doesn't have such an encrypted vault.

How to store sensitive data in Terraform project like the SSH host private keys?

This is how I currently load the keys:

# instance.tf

data "template_file" "cloud_config" {
  template = file("../cloud-config.yml.tpl")
  vars = {
    ssh_rsa_private = indent(4, file("host-keys/${var.name}-ssh_host_rsa_key"))
                                              #   ^- This file is stored in plaintext
                                              #      But should be encrypted somehow
  }
}

resource "aws_instance" "generator" {
  user_data            = data.template_file.cloud_config.rendered
  # ...
}

# cloud-config.yml.tpl

ssh_keys:
  rsa_private: |
    ${ssh_rsa_private}
# ...
Michael
  • Use AWS Secrets Manager for storing the keys. – Marcin Aug 29 '23 at 07:54
  • You could use some Vault or GitHub Encrypted secret that you already have (https://docs.github.com/en/actions/security-guides/encrypted-secrets). Afterwards, in Terraform you can use the github provider to dynamically recover your secret (https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/codespaces_secrets). Likewise, you can use AWS Parameter Store (with Secure String) and Secrets Manager. Just store the secret manually and recover it in Terraform – Danilo Cacace Aug 29 '23 at 07:55
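One way to do what the comments suggest, written here as an added example that is not part of the question or of any answer: the private host key is created once in AWS Secrets Manager (or SSM Parameter Store as a SecureString) outside of Git, and Terraform reads it at plan time instead of from a plaintext file. The secret name, the parameter name, the S3 bucket, the region and the `name` variable are assumptions; the template file and the `generator` instance are taken from the question. `templatefile()` is used in place of the deprecated `template_file` data source, and `sensitive()` keeps the key out of plan and apply output.

```hcl
# instance.tf (added example, not the asker's code)

terraform {
  # The rendered user_data, and therefore the private key, is written to state.
  # Keep state out of Git and encrypted at rest; bucket/region are assumed names.
  backend "s3" {
    bucket  = "example-tfstate-bucket"
    key     = "generator/terraform.tfstate"
    region  = "eu-west-1"
    encrypt = true
  }
}

variable "name" {
  type = string
}

# Option A: AWS Secrets Manager. The secret is created out of band, once, e.g.
#   aws secretsmanager create-secret \
#     --name "host-keys/<name>/ssh_host_rsa_key" \
#     --secret-string file://host-keys/<name>-ssh_host_rsa_key
# so the key file itself never needs to be committed. Secret name is assumed.
data "aws_secretsmanager_secret_version" "ssh_host_rsa_key" {
  secret_id = "host-keys/${var.name}/ssh_host_rsa_key"
}

# Option B (alternative to A): SSM Parameter Store SecureString.
# with_decryption requires kms:Decrypt on the parameter's KMS key.
# data "aws_ssm_parameter" "ssh_host_rsa_key" {
#   name            = "/host-keys/${var.name}/ssh_host_rsa_key"   # assumed name
#   with_decryption = true
# }

locals {
  # Mark the key sensitive so it is redacted in plan/apply output.
  # sensitivity propagates through indent() and templatefile() below.
  ssh_rsa_private = sensitive(
    data.aws_secretsmanager_secret_version.ssh_host_rsa_key.secret_string
  )

  # Same template as in the question; indent(4, ...) matches the
  # four-space block scalar under "rsa_private: |".
  cloud_config = templatefile("${path.module}/../cloud-config.yml.tpl", {
    ssh_rsa_private = indent(4, local.ssh_rsa_private)
  })
}

resource "aws_instance" "generator" {
  user_data = local.cloud_config
  # ...
}
```

Two caveats a reviewer would raise on this layout regardless of where the key is stored: whatever is rendered into `user_data` stays readable from inside the instance via the metadata service and from the EC2 API by any principal allowed to describe the instance's attributes, so restrict `ec2:DescribeInstanceAttribute` and IMDS access accordingly; and the plaintext value still lands in Terraform state, so state access needs the same protection as the secret itself.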

0 Answers