Password and SSH bug fixes (#110)

Author: jchancellor-ms

.terraform-docs.yml

@@ -4,7 +4,7 @@
 
 formatter: "markdown document" # this is required
 
-version: "~> 0.17.0"
+version: "~> 0.18.0"
 
 header-from: "_header.md"
 footer-from: "_footer.md"

README.md

@@ -660,7 +660,7 @@ Default: `{}`
 
 ### <a name="input_disable_password_authentication"></a> [disable\_password\_authentication](#input\_disable\_password\_authentication)
 
-Description: If true this value will disallow password authentication on linux vm's. This will require at least one public key to be configured.
+Description: If true this value will disallow password authentication on linux vm's. This will require at least one public key to be configured. If using the option to auto generate passwords and keys, setting this value to `false` will cause a password to be generated an stored instead of an SSH key.
 
 Type: `bool`
 
@@ -849,7 +849,7 @@ Default: `{}`
 
 ### <a name="input_generate_admin_password_or_ssh_key"></a> [generate\_admin\_password\_or\_ssh\_key](#input\_generate\_admin\_password\_or\_ssh\_key)
 
-Description: Set this value to true if the deployment should create a strong password for the admin user.
+Description: Set this value to true if the deployment should create a strong password for the admin user. If `os_type` is Linux, this will generate and store an SSH key as the default. However, setting `disable_password_authentication` to `false` will generate and store a password value instead of an ssh key.
 
 Type: `bool`
 

examples/.terraform-docs.yml

@@ -4,7 +4,7 @@
 
 formatter: "markdown document" # this is required
 
-version: "~> 0.17.0"
+version: "~> 0.18.0"
 
 header-from: "_header.md"
 footer-from: "_footer.md"

examples/basic_windows_w_encryption_at_host/README.md

@@ -177,10 +177,10 @@ module "avm_res_keyvault_vault" {
 }
 
 resource "azurerm_disk_encryption_set" "this" {
-  key_vault_key_id    = module.avm_res_keyvault_vault.keys_resource_ids.des_key.id
   location            = azurerm_resource_group.this_rg.location
   name                = module.naming.disk_encryption_set.name_unique
   resource_group_name = azurerm_resource_group.this_rg.name
+  key_vault_key_id    = module.avm_res_keyvault_vault.keys_resource_ids.des_key.id
   tags                = local.tags
 
   identity {

examples/basic_windows_w_encryption_at_host/main.tf

@@ -155,10 +155,10 @@ module "avm_res_keyvault_vault" {
 }
 
 resource "azurerm_disk_encryption_set" "this" {
-  key_vault_key_id    = module.avm_res_keyvault_vault.keys_resource_ids.des_key.id
   location            = azurerm_resource_group.this_rg.location
   name                = module.naming.disk_encryption_set.name_unique
   resource_group_name = azurerm_resource_group.this_rg.name
+  key_vault_key_id    = module.avm_res_keyvault_vault.keys_resource_ids.des_key.id
   tags                = local.tags
 
   identity {

examples/common_ubuntu_w_ssh_auth/README.md

@@ -86,34 +86,34 @@ resource "azurerm_subnet" "this_subnet_2" {
   virtual_network_name = azurerm_virtual_network.this_vnet.name
 }
 
-/* Uncomment this section if you would like to include a bastion resource with this example.
+#Uncomment this section if you would like to include a bastion resource with this example.
 resource "azurerm_subnet" "bastion_subnet" {
+  address_prefixes     = ["10.0.3.0/24"]
   name                 = "AzureBastionSubnet"
   resource_group_name  = azurerm_resource_group.this_rg.name
   virtual_network_name = azurerm_virtual_network.this_vnet.name
-  address_prefixes     = ["10.0.3.0/24"]
 }
 
 resource "azurerm_public_ip" "bastionpip" {
-  name                = module.naming.public_ip.name_unique
+  allocation_method   = "Static"
   location            = azurerm_resource_group.this_rg.location
+  name                = module.naming.public_ip.name_unique
   resource_group_name = azurerm_resource_group.this_rg.name
-  allocation_method   = "Static"
   sku                 = "Standard"
 }
 
 resource "azurerm_bastion_host" "bastion" {
-  name                = module.naming.bastion_host.name_unique
   location            = azurerm_resource_group.this_rg.location
+  name                = module.naming.bastion_host.name_unique
   resource_group_name = azurerm_resource_group.this_rg.name
 
   ip_configuration {
     name                 = "${module.naming.bastion_host.name_unique}-ipconf"
-    subnet_id            = azurerm_subnet.bastion_subnet.id
     public_ip_address_id = azurerm_public_ip.bastionpip.id
+    subnet_id            = azurerm_subnet.bastion_subnet.id
   }
 }
-*/
+
 
 
 data "azurerm_client_config" "current" {}
@@ -197,11 +197,26 @@ resource "azurerm_key_vault_secret" "admin_ssh_key" {
   ]
 }
 
+resource "tls_private_key" "this_2" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "azurerm_key_vault_secret" "admin_ssh_key_2" {
+  key_vault_id = module.avm_res_keyvault_vault.resource_id
+  name         = "azureuser-ssh-private-key-2"
+  value        = tls_private_key.this_2.private_key_pem
+
+  depends_on = [
+    module.avm_res_keyvault_vault
+  ]
+}
+
 resource "azurerm_disk_encryption_set" "this" {
-  key_vault_key_id    = module.avm_res_keyvault_vault.keys_resource_ids.des_key.id
   location            = azurerm_resource_group.this_rg.location
   name                = module.naming.disk_encryption_set.name_unique
   resource_group_name = azurerm_resource_group.this_rg.name
+  key_vault_key_id    = module.avm_res_keyvault_vault.keys_resource_ids.des_key.id
   tags                = local.tags
 
   identity {
@@ -230,6 +245,10 @@ module "testvm" {
     {
       public_key = tls_private_key.this.public_key_openssh
       username   = "azureuser" #the username must match the admin_username currently.
+    },
+    {
+      public_key = tls_private_key.this_2.public_key_openssh
+      username   = "azureuser" #the username must match the admin_username currently.
     }
   ]
 
@@ -339,17 +358,22 @@ The following requirements are needed by this module:
 
 The following resources are used by this module:
 
+- [azurerm_bastion_host.bastion](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/bastion_host) (resource)
 - [azurerm_disk_encryption_set.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/disk_encryption_set) (resource)
 - [azurerm_key_vault_secret.admin_ssh_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) (resource)
+- [azurerm_key_vault_secret.admin_ssh_key_2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) (resource)
+- [azurerm_public_ip.bastionpip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) (resource)
 - [azurerm_resource_group.this_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
 - [azurerm_resource_group.this_rg_secondary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
+- [azurerm_subnet.bastion_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) (resource)
 - [azurerm_subnet.this_subnet_1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) (resource)
 - [azurerm_subnet.this_subnet_2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) (resource)
 - [azurerm_user_assigned_identity.example_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) (resource)
 - [azurerm_virtual_network.this_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) (resource)
 - [random_integer.region_index](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)
 - [random_integer.zone_index](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)
 - [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) (resource)
+- [tls_private_key.this_2](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) (resource)
 - [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
 
 <!-- markdownlint-disable MD013 -->

examples/common_ubuntu_w_ssh_auth/main.tf

@@ -64,34 +64,34 @@ resource "azurerm_subnet" "this_subnet_2" {
   virtual_network_name = azurerm_virtual_network.this_vnet.name
 }
 
-/* Uncomment this section if you would like to include a bastion resource with this example.
+#Uncomment this section if you would like to include a bastion resource with this example.
 resource "azurerm_subnet" "bastion_subnet" {
+  address_prefixes     = ["10.0.3.0/24"]
   name                 = "AzureBastionSubnet"
   resource_group_name  = azurerm_resource_group.this_rg.name
   virtual_network_name = azurerm_virtual_network.this_vnet.name
-  address_prefixes     = ["10.0.3.0/24"]
 }
 
 resource "azurerm_public_ip" "bastionpip" {
-  name                = module.naming.public_ip.name_unique
+  allocation_method   = "Static"
   location            = azurerm_resource_group.this_rg.location
+  name                = module.naming.public_ip.name_unique
   resource_group_name = azurerm_resource_group.this_rg.name
-  allocation_method   = "Static"
   sku                 = "Standard"
 }
 
 resource "azurerm_bastion_host" "bastion" {
-  name                = module.naming.bastion_host.name_unique
   location            = azurerm_resource_group.this_rg.location
+  name                = module.naming.bastion_host.name_unique
   resource_group_name = azurerm_resource_group.this_rg.name
 
   ip_configuration {
     name                 = "${module.naming.bastion_host.name_unique}-ipconf"
-    subnet_id            = azurerm_subnet.bastion_subnet.id
     public_ip_address_id = azurerm_public_ip.bastionpip.id
+    subnet_id            = azurerm_subnet.bastion_subnet.id
   }
 }
-*/
+
 
 
 data "azurerm_client_config" "current" {}
@@ -175,11 +175,26 @@ resource "azurerm_key_vault_secret" "admin_ssh_key" {
   ]
 }
 
+resource "tls_private_key" "this_2" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "azurerm_key_vault_secret" "admin_ssh_key_2" {
+  key_vault_id = module.avm_res_keyvault_vault.resource_id
+  name         = "azureuser-ssh-private-key-2"
+  value        = tls_private_key.this_2.private_key_pem
+
+  depends_on = [
+    module.avm_res_keyvault_vault
+  ]
+}
+
 resource "azurerm_disk_encryption_set" "this" {
-  key_vault_key_id    = module.avm_res_keyvault_vault.keys_resource_ids.des_key.id
   location            = azurerm_resource_group.this_rg.location
   name                = module.naming.disk_encryption_set.name_unique
   resource_group_name = azurerm_resource_group.this_rg.name
+  key_vault_key_id    = module.avm_res_keyvault_vault.keys_resource_ids.des_key.id
   tags                = local.tags
 
   identity {
@@ -208,6 +223,10 @@ module "testvm" {
     {
       public_key = tls_private_key.this.public_key_openssh
       username   = "azureuser" #the username must match the admin_username currently.
+    },
+    {
+      public_key = tls_private_key.this_2.public_key_openssh
+      username   = "azureuser" #the username must match the admin_username currently.
     }
   ]