ssh_key_file bootstrap problem #74

Open
@scottbot95

Context

I am attempting to migrate my infrastructure from NixOps to Terraform to be able to use a more mature deployment system. I have been loosely following this tutorial on nix.dev, with the addition of using terranix to generate my terraform config.

Problem

It does not appear to be possible to use ssh_key_file with a file generated by Terraform (i.e. tls_private_key + local_sensitive_file) due to limitations on the file() function. In my attempts, I always get the following:

│ Error: Invalid function argument
│
│   on .terraform/modules/deploy_nixos/main.tf line 91, in locals:
│   91:   ssh_private_key      = local.ssh_private_key_file == "-" ? var.ssh_private_key : file(local.ssh_private_key_file)
│     ├────────────────
│     │ while calling file(path)
│     │ local.ssh_private_key_file is "./id_rsa"
│
│ Invalid value for "path" parameter: no file exists at "./id_rsa"; this function works only with files that are distributed as part
│ of the configuration source code, so if this file will be created by a resource in this configuration you must instead obtain this
│ result from an attribute of that resource.

Workarounds

  1. It is somewhat possible to work around this by doing a terraform apply without the deploy_nixos module to first generate the file, then a second terraform apply. However, doing so is not ideal for CI/CD workflows, as it would require maintaining multiple Terraform config files.
  2. Alternatively, one could simply use ssh_key instead, which does work properly with Terraform's dependency system. However, this is also problematic because it means the output from deploy_nixos gets omitted by default, since it would print the contents of the SSH private key to stdout.

Questions

  1. I seem to be the only one having issues with this; is there a better approach that would allow me to have terraform manage my ssh key used for deployment? If not it seems like workaround (1) is probably my best option.
  2. Should I just not even be attempting to manage the ssh key used for deployment with IaC and use some sort of out-of-band method for distributing ssh keys to my deployer hosts instead?
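For reference, here is an added configuration example that is not part of the issue or of the deploy_nixos module. It places the failing pattern from the error above (feeding a resource-generated file to ssh_key_file, which file() rejects at plan time) next to workaround (2), where the key contents flow to the module through the ssh_key input as a resource attribute so Terraform's dependency graph orders the steps correctly. The module source path is a placeholder, and the input names ssh_key_file / ssh_key are taken from the issue text; any other module inputs are omitted.

```hcl
# Added example (not the issue author's config and not the module's own code).
# Assumptions: module source is a placeholder; variable names follow the issue.

terraform {
  required_providers {
    tls   = { source = "hashicorp/tls" }
    local = { source = "hashicorp/local" }
  }
}

# Terraform-managed deploy key. Note: the private key is stored in Terraform
# state whichever way it reaches the module, so the state backend must be
# access-controlled and encrypted at rest.
resource "tls_private_key" "deploy" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Optional on-disk copy, as in the issue. This resource only exists after
# apply, which is exactly why file() on its path fails during plan.
resource "local_sensitive_file" "deploy_key" {
  content         = tls_private_key.deploy.private_key_pem
  filename        = "${path.module}/id_rsa"
  file_permission = "0600"
}

# Fails with "no file exists at ./id_rsa": file() is evaluated before the
# local_sensitive_file resource has been created.
#
# module "deploy_nixos" {
#   source       = "PLACEHOLDER/deploy_nixos"  # hypothetical source path
#   ssh_key_file = local_sensitive_file.deploy_key.filename
# }

# Works: pass the key material itself. Referencing the resource attribute
# creates an explicit dependency, so the key exists before the module runs.
module "deploy_nixos" {
  source  = "PLACEHOLDER/deploy_nixos"  # hypothetical source path
  ssh_key = tls_private_key.deploy.private_key_pem
  # other module inputs (target host, NixOS configuration, ...) omitted
}

# The public half is safe to expose; keep the private key out of outputs
# (or mark any output that carries it sensitive = true).
output "deploy_public_key" {
  value = tls_private_key.deploy.public_key_openssh
}
```

Because tls_private_key marks its private key attributes sensitive, anything derived from them (including module outputs that echo the key) is redacted from the CLI, which is the omitted-output behaviour described in workaround (2); values that are not secret can be surfaced separately, as with the public key output above.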
