Merge pull request #10583 from hashicorp/f-lightsail-key-pair

provider/aws: Add Lightsail Key Pair resource
2016-12-09 08:26:00 -06:00 · 2016-12-09 08:26:00 -06:00 · 0766074289
parent 510c82c6d7 97ac4bde16
commit 0766074289
7 changed files with 573 additions and 6 deletions
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@ -286,6 +286,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_lambda_permission":                        resourceAwsLambdaPermission(),
 			"aws_launch_configuration":                     resourceAwsLaunchConfiguration(),
 			"aws_lightsail_instance":                       resourceAwsLightsailInstance(),
+			"aws_lightsail_key_pair":                       resourceAwsLightsailKeyPair(),
 			"aws_lb_cookie_stickiness_policy":              resourceAwsLBCookieStickinessPolicy(),
 			"aws_load_balancer_policy":                     resourceAwsLoadBalancerPolicy(),
 			"aws_load_balancer_backend_server_policy":      resourceAwsLoadBalancerBackendServerPolicies(),
--- a/builtin/providers/aws/resource_aws_iam_user_login_profile_test.go
+++ b/builtin/providers/aws/resource_aws_iam_user_login_profile_test.go
@ -6,6 +6,8 @@ import (
 	"testing"
 	"time"

+	"regexp"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/credentials"
@ -15,7 +17,6 @@ import (
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/terraform"
 	"github.com/hashicorp/vault/helper/pgpkeys"
-	"regexp"
 )

 func TestAccAWSUserLoginProfile_basic(t *testing.T) {
--- a/builtin/providers/aws/resource_aws_lightsail_instance.go
+++ b/builtin/providers/aws/resource_aws_lightsail_instance.go
@ -141,7 +141,7 @@ func resourceAwsLightsailInstanceCreate(d *schema.ResourceData, meta interface{}
 	stateConf := &resource.StateChangeConf{
 		Pending:    []string{"Started"},
 		Target:     []string{"Completed", "Succeeded"},
-		Refresh:    resourceAwsLightsailInstanceOperationRefreshFunc(op.Id, meta),
+		Refresh:    resourceAwsLightsailOperationRefreshFunc(op.Id, meta),
 		Timeout:    10 * time.Minute,
 		Delay:      5 * time.Second,
 		MinTimeout: 3 * time.Second,
@ -217,7 +217,7 @@ func resourceAwsLightsailInstanceDelete(d *schema.ResourceData, meta interface{}
 	stateConf := &resource.StateChangeConf{
 		Pending:    []string{"Started"},
 		Target:     []string{"Completed", "Succeeded"},
-		Refresh:    resourceAwsLightsailInstanceOperationRefreshFunc(op.Id, meta),
+		Refresh:    resourceAwsLightsailOperationRefreshFunc(op.Id, meta),
 		Timeout:    10 * time.Minute,
 		Delay:      5 * time.Second,
 		MinTimeout: 3 * time.Second,
@ -242,11 +242,11 @@ func resourceAwsLightsailInstanceDelete(d *schema.ResourceData, meta interface{}
 // - Failed
 // - Completed
 // - Succeeded (not documented?)
-func resourceAwsLightsailInstanceOperationRefreshFunc(
+func resourceAwsLightsailOperationRefreshFunc(
 	oid *string, meta interface{}) resource.StateRefreshFunc {
 	return func() (interface{}, string, error) {
 		conn := meta.(*AWSClient).lightsailconn
-		log.Printf("[DEBUG] Checking if Lightsail Instance Operation (%s) is Completed", *oid)
+		log.Printf("[DEBUG] Checking if Lightsail Operation (%s) is Completed", *oid)
 		o, err := conn.GetOperation(&lightsail.GetOperationInput{
 			OperationId: oid,
 		})
@ -258,7 +258,7 @@ func resourceAwsLightsailInstanceOperationRefreshFunc(
 			return nil, "Failed", fmt.Errorf("[ERR] Error retrieving Operation info for operation (%s)", *oid)
 		}

-		log.Printf("[DEBUG] Lightsail Instance Operation (%s) is currently %q", *oid, *o.Operation.Status)
+		log.Printf("[DEBUG] Lightsail Operation (%s) is currently %q", *oid, *o.Operation.Status)
 		return o, *o.Operation.Status, nil
 	}
 }
--- a/builtin/providers/aws/resource_aws_lightsail_key_pair.go
+++ b/builtin/providers/aws/resource_aws_lightsail_key_pair.go
@ -0,0 +1,225 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/lightsail"
+	"github.com/hashicorp/terraform/helper/encryption"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsLightsailKeyPair() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsLightsailKeyPairCreate,
+		Read:   resourceAwsLightsailKeyPairRead,
+		Delete: resourceAwsLightsailKeyPairDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				ForceNew:      true,
+				ConflictsWith: []string{"name_prefix"},
+			},
+			"name_prefix": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+			},
+
+			// optional fields
+			"pgp_key": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+			},
+
+			// additional info returned from the API
+			"arn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			// fields returned from CreateKey
+			"fingerprint": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"public_key": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Optional: true,
+				ForceNew: true,
+			},
+			"private_key": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			// encrypted fields if pgp_key is given
+			"encrypted_fingerprint": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"encrypted_private_key": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceAwsLightsailKeyPairCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).lightsailconn
+
+	var kName string
+	if v, ok := d.GetOk("name"); ok {
+		kName = v.(string)
+	} else if v, ok := d.GetOk("name_prefix"); ok {
+		kName = resource.PrefixedUniqueId(v.(string))
+	} else {
+		kName = resource.UniqueId()
+	}
+
+	var pubKey string
+	var op *lightsail.Operation
+	if pubKeyInterface, ok := d.GetOk("public_key"); ok {
+		pubKey = pubKeyInterface.(string)
+	}
+
+	if pubKey == "" {
+		// creating new key
+		resp, err := conn.CreateKeyPair(&lightsail.CreateKeyPairInput{
+			KeyPairName: aws.String(kName),
+		})
+		if err != nil {
+			return err
+		}
+		if resp.Operation == nil {
+			return fmt.Errorf("[ERR] No operation found for CreateKeyPair response")
+		}
+		if resp.KeyPair == nil {
+			return fmt.Errorf("[ERR] No KeyPair information found for CreateKeyPair response")
+		}
+		d.SetId(kName)
+
+		// private_key and public_key are only available in the response from
+		// CreateKey pair. Here we set the public_key, and encrypt the private_key
+		// if a pgp_key is given, else we store the private_key in state
+		d.Set("public_key", resp.PublicKeyBase64)
+
+		// encrypt private key if pgp_key is given
+		pgpKey, err := encryption.RetrieveGPGKey(d.Get("pgp_key").(string))
+		if err != nil {
+			return err
+		}
+		if pgpKey != "" {
+			fingerprint, encrypted, err := encryption.EncryptValue(pgpKey, *resp.PrivateKeyBase64, "Lightsail Private Key")
+			if err != nil {
+				return err
+			}
+
+			d.Set("encrypted_fingerprint", fingerprint)
+			d.Set("encrypted_private_key", encrypted)
+		} else {
+			d.Set("private_key", resp.PrivateKeyBase64)
+		}
+
+		op = resp.Operation
+	} else {
+		// importing key
+		resp, err := conn.ImportKeyPair(&lightsail.ImportKeyPairInput{
+			KeyPairName:     aws.String(kName),
+			PublicKeyBase64: aws.String(pubKey),
+		})
+
+		if err != nil {
+			log.Printf("[ERR] Error importing key: %s", err)
+			return err
+		}
+		d.SetId(kName)
+
+		op = resp.Operation
+	}
+
+	stateConf := &resource.StateChangeConf{
+		Pending:    []string{"Started"},
+		Target:     []string{"Completed", "Succeeded"},
+		Refresh:    resourceAwsLightsailOperationRefreshFunc(op.Id, meta),
+		Timeout:    10 * time.Minute,
+		Delay:      5 * time.Second,
+		MinTimeout: 3 * time.Second,
+	}
+
+	_, err := stateConf.WaitForState()
+	if err != nil {
+		// We don't return an error here because the Create call succeded
+		log.Printf("[ERR] Error waiting for KeyPair (%s) to become ready: %s", d.Id(), err)
+	}
+
+	return resourceAwsLightsailKeyPairRead(d, meta)
+}
+
+func resourceAwsLightsailKeyPairRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).lightsailconn
+
+	resp, err := conn.GetKeyPair(&lightsail.GetKeyPairInput{
+		KeyPairName: aws.String(d.Id()),
+	})
+
+	if err != nil {
+		log.Printf("[WARN] Error getting KeyPair (%s): %s", d.Id(), err)
+		// check for known not found error
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == "NotFoundException" {
+				log.Printf("[WARN] Lightsail KeyPair (%s) not found, removing from state", d.Id())
+				d.SetId("")
+				return nil
+			}
+		}
+		return err
+	}
+
+	d.Set("arn", resp.KeyPair.Arn)
+	d.Set("name", resp.KeyPair.Name)
+	d.Set("fingerprint", resp.KeyPair.Fingerprint)
+
+	return nil
+}
+
+func resourceAwsLightsailKeyPairDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).lightsailconn
+	resp, err := conn.DeleteKeyPair(&lightsail.DeleteKeyPairInput{
+		KeyPairName: aws.String(d.Id()),
+	})
+
+	if err != nil {
+		return err
+	}
+
+	op := resp.Operation
+	stateConf := &resource.StateChangeConf{
+		Pending:    []string{"Started"},
+		Target:     []string{"Completed", "Succeeded"},
+		Refresh:    resourceAwsLightsailOperationRefreshFunc(op.Id, meta),
+		Timeout:    10 * time.Minute,
+		Delay:      5 * time.Second,
+		MinTimeout: 3 * time.Second,
+	}
+
+	_, err = stateConf.WaitForState()
+	if err != nil {
+		return fmt.Errorf(
+			"Error waiting for KeyPair (%s) to become destroyed: %s",
+			d.Id(), err)
+	}
+
+	d.SetId("")
+	return nil
+}
--- a/builtin/providers/aws/resource_aws_lightsail_key_pair_test.go
+++ b/builtin/providers/aws/resource_aws_lightsail_key_pair_test.go
@ -0,0 +1,247 @@
+package aws
+
+import (
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/lightsail"
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSLightsailKeyPair_basic(t *testing.T) {
+	var conf lightsail.KeyPair
+	lightsailName := fmt.Sprintf("tf-test-lightsail-%d", acctest.RandInt())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSLightsailKeyPairDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSLightsailKeyPairConfig_basic(lightsailName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckAWSLightsailKeyPairExists("aws_lightsail_key_pair.lightsail_key_pair_test", &conf),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "arn"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "fingerprint"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "public_key"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "private_key"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSLightsailKeyPair_imported(t *testing.T) {
+	var conf lightsail.KeyPair
+	lightsailName := fmt.Sprintf("tf-test-lightsail-%d", acctest.RandInt())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSLightsailKeyPairDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSLightsailKeyPairConfig_imported(lightsailName, testLightsailKeyPairPubKey1),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckAWSLightsailKeyPairExists("aws_lightsail_key_pair.lightsail_key_pair_test", &conf),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "arn"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "fingerprint"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "public_key"),
+					resource.TestCheckResourceAttr("aws_lightsail_key_pair.lightsail_key_pair_test", "encrypted_fingerprint", ""),
+					resource.TestCheckResourceAttr("aws_lightsail_key_pair.lightsail_key_pair_test", "encrypted_private_key", ""),
+					resource.TestCheckResourceAttr("aws_lightsail_key_pair.lightsail_key_pair_test", "private_key", ""),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSLightsailKeyPair_encrypted(t *testing.T) {
+	var conf lightsail.KeyPair
+	lightsailName := fmt.Sprintf("tf-test-lightsail-%d", acctest.RandInt())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSLightsailKeyPairDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSLightsailKeyPairConfig_encrypted(lightsailName, testLightsailKeyPairPubKey1),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckAWSLightsailKeyPairExists("aws_lightsail_key_pair.lightsail_key_pair_test", &conf),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "arn"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "fingerprint"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "encrypted_fingerprint"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "encrypted_private_key"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test", "public_key"),
+					resource.TestCheckResourceAttr("aws_lightsail_key_pair.lightsail_key_pair_test", "private_key", ""),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSLightsailKeyPair_nameprefix(t *testing.T) {
+	var conf1, conf2 lightsail.KeyPair
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSLightsailKeyPairDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSLightsailKeyPairConfig_prefixed(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckAWSLightsailKeyPairExists("aws_lightsail_key_pair.lightsail_key_pair_test_omit", &conf1),
+					testAccCheckAWSLightsailKeyPairExists("aws_lightsail_key_pair.lightsail_key_pair_test_prefixed", &conf2),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test_omit", "name"),
+					resource.TestCheckResourceAttrSet("aws_lightsail_key_pair.lightsail_key_pair_test_prefixed", "name"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSLightsailKeyPairExists(n string, res *lightsail.KeyPair) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return errors.New("No LightsailKeyPair set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).lightsailconn
+
+		respKeyPair, err := conn.GetKeyPair(&lightsail.GetKeyPairInput{
+			KeyPairName: aws.String(rs.Primary.Attributes["name"]),
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if respKeyPair == nil || respKeyPair.KeyPair == nil {
+			return fmt.Errorf("KeyPair (%s) not found", rs.Primary.Attributes["name"])
+		}
+		*res = *respKeyPair.KeyPair
+		return nil
+	}
+}
+
+func testAccCheckAWSLightsailKeyPairDestroy(s *terraform.State) error {
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_lightsail_key_pair" {
+			continue
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).lightsailconn
+
+		respKeyPair, err := conn.GetKeyPair(&lightsail.GetKeyPairInput{
+			KeyPairName: aws.String(rs.Primary.Attributes["name"]),
+		})
+
+		if err == nil {
+			if respKeyPair.KeyPair != nil {
+				return fmt.Errorf("LightsailKeyPair %q still exists", rs.Primary.ID)
+			}
+		}
+
+		// Verify the error
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == "NotFoundException" {
+				return nil
+			}
+		}
+		return err
+	}
+
+	return nil
+}
+
+func testAccAWSLightsailKeyPairConfig_basic(lightsailName string) string {
+	return fmt.Sprintf(`
+provider "aws" {
+  region = "us-east-1"
+}
+resource "aws_lightsail_key_pair" "lightsail_key_pair_test" {
+  name = "%s"
+}
+`, lightsailName)
+}
+
+func testAccAWSLightsailKeyPairConfig_imported(lightsailName, key string) string {
+	return fmt.Sprintf(`
+provider "aws" {
+  region = "us-east-1"
+}
+resource "aws_lightsail_key_pair" "lightsail_key_pair_test" {
+  name = "%s"
+	
+	public_key = "%s"
+}
+`, lightsailName, lightsailPubKey)
+}
+
+func testAccAWSLightsailKeyPairConfig_encrypted(lightsailName, key string) string {
+	return fmt.Sprintf(`
+provider "aws" {
+  region = "us-east-1"
+}
+resource "aws_lightsail_key_pair" "lightsail_key_pair_test" {
+  name = "%s"
+	
+	pgp_key = <<EOF
+%s
+EOF
+}
+`, lightsailName, key)
+}
+
+func testAccAWSLightsailKeyPairConfig_prefixed() string {
+	return fmt.Sprintf(`
+provider "aws" {
+  region = "us-east-1"
+}
+resource "aws_lightsail_key_pair" "lightsail_key_pair_test_omit" {}
+resource "aws_lightsail_key_pair" "lightsail_key_pair_test_prefixed" {
+	name_prefix = "cts"
+}
+`)
+}
+
+const lightsailPubKey = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 phodgson@thoughtworks.com`
+const testLightsailKeyPairPubKey1 = `mQENBFXbjPUBCADjNjCUQwfxKL+RR2GA6pv/1K+zJZ8UWIF9S0lk7cVIEfJiprzzwiMwBS5cD0da
+rGin1FHvIWOZxujA7oW0O2TUuatqI3aAYDTfRYurh6iKLC+VS+F7H+/mhfFvKmgr0Y5kDCF1j0T/
+063QZ84IRGucR/X43IY7kAtmxGXH0dYOCzOe5UBX1fTn3mXGe2ImCDWBH7gOViynXmb6XNvXkP0f
+sF5St9jhO7mbZU9EFkv9O3t3EaURfHopsCVDOlCkFCw5ArY+DUORHRzoMX0PnkyQb5OzibkChzpg
+8hQssKeVGpuskTdz5Q7PtdW71jXd4fFVzoNH8fYwRpziD2xNvi6HABEBAAG0EFZhdWx0IFRlc3Qg
+S2V5IDGJATgEEwECACIFAlXbjPUCGy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOfLr44B
+HbeTo+sH/i7bapIgPnZsJ81hmxPj4W12uvunksGJiC7d4hIHsG7kmJRTJfjECi+AuTGeDwBy84TD
+cRaOB6e79fj65Fg6HgSahDUtKJbGxj/lWzmaBuTzlN3CEe8cMwIPqPT2kajJVdOyrvkyuFOdPFOE
+A7bdCH0MqgIdM2SdF8t40k/ATfuD2K1ZmumJ508I3gF39jgTnPzD4C8quswrMQ3bzfvKC3klXRlB
+C0yoArn+0QA3cf2B9T4zJ2qnvgotVbeK/b1OJRNj6Poeo+SsWNc/A5mw7lGScnDgL3yfwCm1gQXa
+QKfOt5x+7GqhWDw10q+bJpJlI10FfzAnhMF9etSqSeURBRW5AQ0EVduM9QEIAL53hJ5bZJ7oEDCn
+aY+SCzt9QsAfnFTAnZJQrvkvusJzrTQ088eUQmAjvxkfRqnv981fFwGnh2+I1Ktm698UAZS9Jt8y
+jak9wWUICKQO5QUt5k8cHwldQXNXVXFa+TpQWQR5yW1a9okjh5o/3d4cBt1yZPUJJyLKY43Wvptb
+6EuEsScO2DnRkh5wSMDQ7dTooddJCmaq3LTjOleRFQbu9ij386Do6jzK69mJU56TfdcydkxkWF5N
+ZLGnED3lq+hQNbe+8UI5tD2oP/3r5tXKgMy1R/XPvR/zbfwvx4FAKFOP01awLq4P3d/2xOkMu4Lu
+9p315E87DOleYwxk+FoTqXEAEQEAAYkCPgQYAQIACQUCVduM9QIbLgEpCRDny6+OAR23k8BdIAQZ
+AQIABgUCVduM9QAKCRAID0JGyHtSGmqYB/4m4rJbbWa7dBJ8VqRU7ZKnNRDR9CVhEGipBmpDGRYu
+lEimOPzLUX/ZXZmTZzgemeXLBaJJlWnopVUWuAsyjQuZAfdd8nHkGRHG0/DGum0l4sKTta3OPGHN
+C1z1dAcQ1RCr9bTD3PxjLBczdGqhzw71trkQRBRdtPiUchltPMIyjUHqVJ0xmg0hPqFic0fICsr0
+YwKoz3h9+QEcZHvsjSZjgydKvfLYcm+4DDMCCqcHuJrbXJKUWmJcXR0y/+HQONGrGJ5xWdO+6eJi
+oPn2jVMnXCm4EKc7fcLFrz/LKmJ8seXhxjM3EdFtylBGCrx3xdK0f+JDNQaC/rhUb5V2XuX6VwoH
+/AtY+XsKVYRfNIupLOUcf/srsm3IXT4SXWVomOc9hjGQiJ3rraIbADsc+6bCAr4XNZS7moViAAcI
+PXFv3m3WfUlnG/om78UjQqyVACRZqqAGmuPq+TSkRUCpt9h+A39LQWkojHqyob3cyLgy6z9Q557O
+9uK3lQozbw2gH9zC0RqnePl+rsWIUU/ga16fH6pWc1uJiEBt8UZGypQ/E56/343epmYAe0a87sHx
+8iDV+dNtDVKfPRENiLOOc19MmS+phmUyrbHqI91c0pmysYcJZCD3a502X1gpjFbPZcRtiTmGnUKd
+OIu60YPNE4+h7u2CfYyFPu3AlUaGNMBlvy6PEpU=`
--- a/website/source/docs/providers/aws/r/lightsail_key_pair.html.markdown
+++ b/website/source/docs/providers/aws/r/lightsail_key_pair.html.markdown
@ -0,0 +1,78 @@
+---
+layout: "aws"
+page_title: "AWS: aws_lightsail_key_pair"
+sidebar_current: "docs-aws-resource-lightsail-key-pair"
+description: |-
+  Provides an Lightsail Key Pair 
+---
+
+# aws\_lightsail\_key\_pair
+
+Provides a Lightsail Key Pair, for use with Lightsail Instances. These key pairs
+are seperate from EC2 Key Pairs, and must be created or imported for use with
+Lightsail.
+
+~> **Note:** Lightsail is currently only supported in `us-east-1` region.
+
+## Example Usage, creating a new Key Pair
+
+```
+# Create a new Lightsail Key Pair
+resource "aws_lightsail_key_pair" "lg_key_pair" {
+  name = "lg_key_pair"
+}
+```
+
+## Create new Key Pair, encrypting the private key with a PGP Key
+
+```
+resource "aws_lightsail_key_pair" "lg_key_pair" {
+  name    = "lg_key_pair"
+  pgp_key = "keybase:keybaseusername"
+}
+```
+
+## Import an existing public key
+
+```
+resource "aws_lightsail_key_pair" "lg_key_pair" {
+  name       = "importing"
+  public_key = "${file("~/.ssh/id_rsa.pub")}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Optional) The name of the Lightsail Key Pair. If omitted, a unique
+name will be generated by Terraform
+* `pgp_key` – (Optional) An optional PGP key to encrypt the resulting private
+key material. Only used when creating a new key pair
+* `public_key` - (Required) The public key material. This public key will be
+imported into Lightsail 
+
+~> **NOTE:** a PGP key is not required, however it is strongly encouraged. 
+Without a PGP key, the private key material will be stored in state unencrypted. 
+`pgp_key` is ignored if `public_key` is supplied.
+
+## Attributes Reference
+
+The following attributes are exported in addition to the arguments listed above:
+
+* `id` - The name used for this key pair
+* `arn` - The ARN of the Lightsail key pair
+* `fingerprint` - The MD5 public key fingerprint as specified in section 4 of RFC 4716.
+* `public_key` - the public key, base64 encoded
+* `private_key` - the private key, base64 encoded. This is only populated
+when creating a new key, and when no `pgp_key` is provided
+* `encrypted_private_key` – the private key material, base 64 encoded and
+encrypted with the given `pgp_key`. This is only populated when creating a new
+key and `pgp_key` is supplied
+* `encrypted_fingerprint` - The MD5 public key fingerprint for the encrypted
+private key
+
+## Import
+
+Lightsail Key Pairs cannot be imported, because the private and public key are
+only available on initial creation. 
--- a/website/source/layouts/aws.erb
+++ b/website/source/layouts/aws.erb
@ -689,6 +689,21 @@
                  </ul>
              </li>

+                <li<%= sidebar_current(/^docs-aws-resource-lightsail/) %>>
+                    <a href="#">Lightsail Resources</a>
+                    <ul class="nav nav-visible">
+
+                        <li<%= sidebar_current("docs-aws-resource-lightsail-instance") %>>
+                            <a href="/docs/providers/aws/r/lightsail_instance.html">aws_lightsail_instance</a>
+                        </li>
+
+                        <li<%= sidebar_current("docs-aws-resource-lightsail-key-pair") %>>
+                            <a href="/docs/providers/aws/r/lightsail_key_pair.html">aws_lightsail_key_pair</a>
+                        </li>
+
+                    </ul>
+                </li>
+
                <li<%= sidebar_current(/^docs-aws-resource-opsworks/) %>>
                    <a href="#">OpsWorks Resources</a>
                    <ul class="nav nav-visible">