Upload public SSH key for git user

In order to access the codecommit repository via SSH, we must upload a SSH key. We add a required variable for the concourse terraform: `git_rsa_id_pub`, which must have the public SSH key to add, and a new output `git_ssh_key_id` which is the key id of the ssh key and the user that must be used when connecting to the codecommit git repo. We use the resource `aws_iam_user_ssh_key` which has been added in this issue and PR: hashicorp/terraform#5744 hashicorp/terraform#5774
alphagov · Mar 23, 2016 · d5bc654 · d5bc654
1 parent d9fab0f
commit d5bc654
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 1 deletion.
diff --git a/terraform/concourse/aws-get-aws-key-id.sh b/terraform/concourse/aws-get-aws-key-id.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+username="$1"
+id_rsa_pub=$(echo $2 | awk '{print $2}')
+
+for key_id in $(aws iam list-ssh-public-keys --user-name "${username}" --query 'SSHPublicKeys[*].SSHPublicKeyId' | sed -n 's/.*\(AP.*\)".*/\1/p'); do
+    key=$(aws iam get-ssh-public-key --encoding SSH --user-name "${username}" --ssh-public-key-id "${key_id}" --query 'SSHPublicKey.SSHPublicKeyBody')
+    if echo "${key}" | grep -q "${id_rsa_pub}"; then
+        echo $key_id
+        exit 0
+    fi
+done
+echo "Not found"
+exit 1
diff --git a/terraform/concourse/aws-upload-aws-key.sh b/terraform/concourse/aws-upload-aws-key.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+output=$(mktemp)
+trap 'rm -f "${output}"' EXIT
+
+aws iam upload-ssh-public-key --user-name $1 --ssh-public-key-body "$2" > "${output}" 2>&1
+RET="$?"
+cat "${output}"
+
+if [ "${RET}" != "0" ]; then
+    if grep -q "Duplicate SSH public key uploaded" "${output}"; then
+        echo "Key is already uploaded."
+        # Try to find out the key id
+        exit 0
+    else
+        echo "Error uploading key"
+        exit "${RET}"
+    fi
+fi
+
diff --git a/terraform/concourse/codecommit.tf b/terraform/concourse/codecommit.tf
@@ -30,3 +30,9 @@ resource "aws_iam_user" "git" {
 #    ]
 #    append = true
 #}
+
+resource "aws_iam_user_ssh_key" "user" {
+  username = "${aws_iam_user.user.name}"
+  encoding = "PEM"
+  public_key = "${var.git_rsa_id_pub}"
+}
diff --git a/terraform/concourse/git_ssh_key_id b/terraform/concourse/git_ssh_key_id
@@ -0,0 +1 @@
+Empty file git_ssh_key_id to avoid terraform fail during the first run.
diff --git a/terraform/concourse/outputs.tf b/terraform/concourse/outputs.tf
@@ -28,5 +28,10 @@ output "git_concourse_pool_clone_url_http" {
 }
 
 output "git_user_name" {
-  value = "${aws_iam_user.git.name}"
+  # value = "${aws_iam_user.git.name}"
+  value = "git"
+}
+
+output "git_ssh_key_id" {
+  value = "${template_file.git_ssh_key_id.rendered}"
 }
diff --git a/terraform/concourse/variables.tf b/terraform/concourse/variables.tf
@@ -10,3 +10,7 @@ variable "concourse_pool_git_rw_groupname" {
   description = "Group with permissions to write in concourse pool git repositories"
   default     = "concourse-pool-git-rw"
 }
+
+variable "git_rsa_id_pub" {
+  description = "Public SSH key for the git user"
+}