Merge pull request #85 from arnaud-dfns/feat/ssh-key-password

Author: arnaud-dfns

docs/data-sources/ssh.md

@@ -44,6 +44,9 @@ provider "kubernetes" {
 
 ### Optional
 
+- `ssh_key` (String, Sensitive) The path to the private key file or the private key content to use for the SSH connection
+- `ssh_key_passphrase` (String, Sensitive) The passphrase for the private key file
+- `ssh_password` (String, Sensitive) The password to use for the SSH connection
 - `ssh_port` (Number) The port number of the SSH bastion host
 - `ssh_user` (String) The username to use for the SSH connection
 

docs/ephemeral-resources/ssh.md

@@ -44,6 +44,9 @@ provider "kubernetes" {
 
 ### Optional
 
+- `ssh_key` (String, Sensitive) The path to the private key file or the private key content to use for the SSH connection
+- `ssh_key_passphrase` (String, Sensitive) The passphrase for the private key file
+- `ssh_password` (String, Sensitive) The password to use for the SSH connection
 - `ssh_port` (Number) The port number of the SSH bastion host
 - `ssh_user` (String) The username to use for the SSH connection
 

internal/provider/data_source_ssh.go

@@ -24,13 +24,16 @@ type SSHDataSource struct{}
 
 // SSHDataSourceModel describes the data source data model.
 type SSHDataSourceModel struct {
-	LocalHost  types.String `tfsdk:"local_host"`
-	LocalPort  types.Int64  `tfsdk:"local_port"`
-	SSHHost    types.String `tfsdk:"ssh_host"`
-	SSHPort    types.Int64  `tfsdk:"ssh_port"`
-	SSHUser    types.String `tfsdk:"ssh_user"`
-	TargetHost types.String `tfsdk:"target_host"`
-	TargetPort types.Int64  `tfsdk:"target_port"`
+	LocalHost        types.String `tfsdk:"local_host"`
+	LocalPort        types.Int64  `tfsdk:"local_port"`
+	SSHHost          types.String `tfsdk:"ssh_host"`
+	SSHKey           types.String `tfsdk:"ssh_key"`
+	SSHKeyPassphrase types.String `tfsdk:"ssh_key_passphrase"`
+	SSHPassword      types.String `tfsdk:"ssh_password"`
+	SSHPort          types.Int64  `tfsdk:"ssh_port"`
+	SSHUser          types.String `tfsdk:"ssh_user"`
+	TargetHost       types.String `tfsdk:"target_host"`
+	TargetPort       types.Int64  `tfsdk:"target_port"`
 }
 
 func (d *SSHDataSource) Metadata(ctx context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
@@ -65,7 +68,21 @@ func (d *SSHDataSource) Schema(ctx context.Context, req datasource.SchemaRequest
 				Optional:            true,
 				Computed:            true,
 			},
-
+			"ssh_password": schema.StringAttribute{
+				MarkdownDescription: "The password to use for the SSH connection",
+				Optional:            true,
+				Sensitive:           true,
+			},
+			"ssh_key": schema.StringAttribute{
+				MarkdownDescription: "The path to the private key file or the private key content to use for the SSH connection",
+				Optional:            true,
+				Sensitive:           true,
+			},
+			"ssh_key_passphrase": schema.StringAttribute{
+				MarkdownDescription: "The passphrase for the private key file",
+				Optional:            true,
+				Sensitive:           true,
+			},
 			// Computed attributes
 			"local_host": schema.StringAttribute{
 				MarkdownDescription: "The DNS name or IP address of the local host",
@@ -112,12 +129,15 @@ func (d *SSHDataSource) Read(ctx context.Context, req datasource.ReadRequest, re
 	}
 
 	_, err = ssh.ForkRemoteTunnel(ctx, ssh.TunnelConfig{
-		LocalPort:  localPort,
-		SSHHost:    data.SSHHost.ValueString(),
-		SSHPort:    int(data.SSHPort.ValueInt64()),
-		SSHUser:    data.SSHUser.ValueString(),
-		TargetHost: data.TargetHost.ValueString(),
-		TargetPort: int(data.TargetPort.ValueInt64()),
+		LocalPort:        localPort,
+		SSHHost:          data.SSHHost.ValueString(),
+		SSHKey:           data.SSHKey.ValueString(),
+		SSHKeyPassphrase: data.SSHKeyPassphrase.ValueString(),
+		SSHPassword:      data.SSHPassword.ValueString(),
+		SSHPort:          int(data.SSHPort.ValueInt64()),
+		SSHUser:          data.SSHUser.ValueString(),
+		TargetHost:       data.TargetHost.ValueString(),
+		TargetPort:       int(data.TargetPort.ValueInt64()),
 	})
 	if err != nil {
 		resp.Diagnostics.AddError("Failed to fork tunnel process", fmt.Sprintf("Error: %s", err))

internal/provider/ephemeral_ssh.go

@@ -25,13 +25,16 @@ type SSHEphemeral struct{}
 
 // SSHEphemeralModel describes the data source data model.
 type SSHEphemeralModel struct {
-	LocalHost  types.String `tfsdk:"local_host"`
-	LocalPort  types.Int64  `tfsdk:"local_port"`
-	SSHHost    types.String `tfsdk:"ssh_host"`
-	SSHPort    types.Int64  `tfsdk:"ssh_port"`
-	SSHUser    types.String `tfsdk:"ssh_user"`
-	TargetHost types.String `tfsdk:"target_host"`
-	TargetPort types.Int64  `tfsdk:"target_port"`
+	LocalHost        types.String `tfsdk:"local_host"`
+	LocalPort        types.Int64  `tfsdk:"local_port"`
+	SSHHost          types.String `tfsdk:"ssh_host"`
+	SSHKey           types.String `tfsdk:"ssh_key"`
+	SSHKeyPassphrase types.String `tfsdk:"ssh_key_passphrase"`
+	SSHPassword      types.String `tfsdk:"ssh_password"`
+	SSHPort          types.Int64  `tfsdk:"ssh_port"`
+	SSHUser          types.String `tfsdk:"ssh_user"`
+	TargetHost       types.String `tfsdk:"target_host"`
+	TargetPort       types.Int64  `tfsdk:"target_port"`
 }
 
 func (d *SSHEphemeral) Metadata(ctx context.Context, req ephemeral.MetadataRequest, resp *ephemeral.MetadataResponse) {
@@ -66,7 +69,21 @@ func (d *SSHEphemeral) Schema(ctx context.Context, req ephemeral.SchemaRequest,
 				Optional:            true,
 				Computed:            true,
 			},
-
+			"ssh_password": schema.StringAttribute{
+				MarkdownDescription: "The password to use for the SSH connection",
+				Optional:            true,
+				Sensitive:           true,
+			},
+			"ssh_key": schema.StringAttribute{
+				MarkdownDescription: "The path to the private key file or the private key content to use for the SSH connection",
+				Optional:            true,
+				Sensitive:           true,
+			},
+			"ssh_key_passphrase": schema.StringAttribute{
+				MarkdownDescription: "The passphrase for the private key file",
+				Optional:            true,
+				Sensitive:           true,
+			},
 			// Computed attributes
 			"local_host": schema.StringAttribute{
 				MarkdownDescription: "The DNS name or IP address of the local host",
@@ -113,12 +130,15 @@ func (d *SSHEphemeral) Open(ctx context.Context, req ephemeral.OpenRequest, resp
 	}
 
 	cmd, err := ssh.ForkRemoteTunnel(ctx, ssh.TunnelConfig{
-		LocalPort:  localPort,
-		SSHHost:    data.SSHHost.ValueString(),
-		SSHPort:    int(data.SSHPort.ValueInt64()),
-		SSHUser:    data.SSHUser.ValueString(),
-		TargetHost: data.TargetHost.ValueString(),
-		TargetPort: int(data.TargetPort.ValueInt64()),
+		LocalPort:        localPort,
+		SSHHost:          data.SSHHost.ValueString(),
+		SSHKey:           data.SSHKey.ValueString(),
+		SSHKeyPassphrase: data.SSHKeyPassphrase.ValueString(),
+		SSHPassword:      data.SSHPassword.ValueString(),
+		SSHPort:          int(data.SSHPort.ValueInt64()),
+		SSHUser:          data.SSHUser.ValueString(),
+		TargetHost:       data.TargetHost.ValueString(),
+		TargetPort:       int(data.TargetPort.ValueInt64()),
 	})
 	if err != nil {
 		resp.Diagnostics.AddError("Failed to fork tunnel process", fmt.Sprintf("Error: %s", err))

internal/ssh/tunnel.go

@@ -12,6 +12,7 @@ import (
 	"os/signal"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/dfns/terraform-provider-tunnel/internal/libs"
@@ -21,12 +22,15 @@ import (
 var TunnelType string = "ssh"
 
 type TunnelConfig struct {
-	SSHHost    string
-	SSHPort    int
-	SSHUser    string
-	TargetHost string
-	TargetPort int
-	LocalPort  int
+	LocalPort        int
+	SSHHost          string
+	SSHKey           string
+	SSHKeyPassphrase string
+	SSHPassword      string
+	SSHPort          int
+	SSHUser          string
+	TargetHost       string
+	TargetPort       int
 }
 
 func ForkRemoteTunnel(ctx context.Context, cfg TunnelConfig) (*exec.Cmd, error) {
@@ -89,6 +93,26 @@ func StartRemoteTunnel(ctx context.Context, cfgJson string, parentPid int) (err
 	sshTun.SetUser(cfg.SSHUser)
 	sshTun.SetRemoteHost(cfg.TargetHost)
 
+	if cfg.SSHPassword != "" {
+		sshTun.SetPassword(cfg.SSHPassword)
+	}
+
+	if cfg.SSHKey != "" {
+		if _, err := os.Stat(cfg.SSHKey); err == nil {
+			if cfg.SSHKeyPassphrase != "" {
+				sshTun.SetEncryptedKeyFile(cfg.SSHKey, cfg.SSHKeyPassphrase)
+			} else {
+				sshTun.SetKeyFile(cfg.SSHKey)
+			}
+		} else {
+			if cfg.SSHKeyPassphrase != "" {
+				sshTun.SetEncryptedKeyReader(strings.NewReader(cfg.SSHKey), cfg.SSHKeyPassphrase)
+			} else {
+				sshTun.SetKeyReader(strings.NewReader(cfg.SSHKey))
+			}
+		}
+	}
+
 	sshTun.SetTunneledConnState(func(tun *sshtun.SSHTun, state *sshtun.TunneledConnState) {
 		log.Printf("tunnel state: %+v", state)
 	})