Merge pull request #22156 from binlab/feature/bastion-ca-ssh

Add SSH certificate authentication method for connection via Bastion
2019-08-15 16:01:54 -04:00 · 2019-08-15 16:01:54 -04:00 · 901ec990ed
parent 0d19465ada 3031aca971
commit 901ec990ed
4 changed files with 27 additions and 12 deletions
--- a/communicator/ssh/communicator.go
+++ b/communicator/ssh/communicator.go
@ -155,11 +155,13 @@ func (c *Communicator) Connect(o terraform.UIOutput) (err error) {
 					"  User: %s\n"+
 					"  Password: %t\n"+
 					"  Private key: %t\n"+
+					"  Certificate: %t\n"+
 					"  SSH Agent: %t\n"+
 					"  Checking Host Key: %t",
 				c.connInfo.BastionHost, c.connInfo.BastionUser,
 				c.connInfo.BastionPassword != "",
 				c.connInfo.BastionPrivateKey != "",
+				c.connInfo.BastionCertificate != "",
 				c.connInfo.Agent,
 				c.connInfo.BastionHostKey != "",
 			))
--- a/communicator/ssh/provisioner.go
+++ b/communicator/ssh/provisioner.go
@ -53,12 +53,13 @@ type connectionInfo struct {
 	ScriptPath  string        `mapstructure:"script_path"`
 	TimeoutVal  time.Duration `mapstructure:"-"`

-	BastionUser       string `mapstructure:"bastion_user"`
-	BastionPassword   string `mapstructure:"bastion_password"`
-	BastionPrivateKey string `mapstructure:"bastion_private_key"`
-	BastionHost       string `mapstructure:"bastion_host"`
-	BastionHostKey    string `mapstructure:"bastion_host_key"`
-	BastionPort       int    `mapstructure:"bastion_port"`
+	BastionUser        string `mapstructure:"bastion_user"`
+	BastionPassword    string `mapstructure:"bastion_password"`
+	BastionPrivateKey  string `mapstructure:"bastion_private_key"`
+	BastionCertificate string `mapstructure:"bastion_certificate"`
+	BastionHost        string `mapstructure:"bastion_host"`
+	BastionHostKey     string `mapstructure:"bastion_host_key"`
+	BastionPort        int    `mapstructure:"bastion_port"`

 	AgentIdentity string `mapstructure:"agent_identity"`
 }
@ -123,6 +124,9 @@ func parseConnectionInfo(s *terraform.InstanceState) (*connectionInfo, error) {
 		if connInfo.BastionPrivateKey == "" {
 			connInfo.BastionPrivateKey = connInfo.PrivateKey
 		}
+		if connInfo.BastionCertificate == "" {
+			connInfo.BastionCertificate = connInfo.Certificate
+		}
 		if connInfo.BastionPort == 0 {
 			connInfo.BastionPort = connInfo.Port
 		}
@ -171,12 +175,13 @@ func prepareSSHConfig(connInfo *connectionInfo) (*sshConfig, error) {
 		bastionHost := fmt.Sprintf("%s:%d", connInfo.BastionHost, connInfo.BastionPort)

 		bastionConf, err = buildSSHClientConfig(sshClientConfigOpts{
-			user:       connInfo.BastionUser,
-			host:       bastionHost,
-			privateKey: connInfo.BastionPrivateKey,
-			password:   connInfo.BastionPassword,
-			hostKey:    connInfo.HostKey,
-			sshAgent:   sshAgent,
+			user:        connInfo.BastionUser,
+			host:        bastionHost,
+			privateKey:  connInfo.BastionPrivateKey,
+			password:    connInfo.BastionPassword,
+			hostKey:     connInfo.HostKey,
+			certificate: connInfo.BastionCertificate,
+			sshAgent:    sshAgent,
 		})
 		if err != nil {
 			return nil, err
--- a/terraform/eval_validate.go
+++ b/terraform/eval_validate.go
@ -305,6 +305,10 @@ var connectionBlockSupersetSchema = &configschema.Block{
 			Type:     cty.String,
 			Optional: true,
 		},
+		"bastion_certificate": {
+			Type:     cty.String,
+			Optional: true,
+		},

 		// For type=winrm only (enforced in winrm communicator)
 		"https": {
--- a/website/docs/provisioners/connection.html.markdown
+++ b/website/docs/provisioners/connection.html.markdown
@ -126,3 +126,7 @@ The `ssh` connection also supports the following fields to facilitate connnectio
  host. These can be loaded from a file on disk using
  [the `file` function](/docs/configuration/functions/file.html).
  Defaults to the value of the `private_key` field.
+
+* `bastion_certificate` - The contents of a signed CA Certificate. The certificate argument
+  must be used in conjunction with a `bastion_private_key`. These can be loaded from
+  a file on disk using the [the `file` function](/docs/configuration/functions/file.html).