AWS aws_key_pair: file() vs text


With the following key creation, I can ssh to a box:

resource "aws_key_pair" "vm_key" {
  key_name   = var.key_name
  public_key = "ssh-rsa AAAA .... user@host"
}

With this one, I cannot:

resource "aws_key_pair" "vm_key" {
  key_name   = var.key_name
  public_key = file(var.public_key_file_name)
}


ssh -i ~/.ssh/vm_key  ec2-user@XX.XX.XX.XX
The authenticity of host 'XX.XX.XX.XX (XX.XX.XX.XX)' can't be established.
ED25519 key fingerprint is SHA256:SKHDXXXXXX.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'XX.XX.XX.XX' (ED25519) to the list of known hosts.
ec2-user@XX.XX.XX.XX: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The plan does show a seemingly identical RSA key when file() is used.

The key pair was generated:

ssh-keygen -t rsa -m PEM -f ~/.ssh/vm_key

and is a legitimate RSA key:

file ~/.ssh/vm_key
/home/az/.ssh/vm_key: PEM RSA private key

file ~/.ssh/
/home/az/.ssh/ OpenSSH RSA public key

head /home/az/.ssh/
ssh-rsa AAAA.... user@host

Not sure what to think at this point.

Thank you.

Hi @AndrewZ,

Indeed, there should be no significant difference here if the contents of the file match the string you originally provided.

Can you see the final value for the public_key argument in the plan to create the key pair object? My next step to debug this would be to compare the plan which worked with the plan that didn’t to see if there is any difference in how Terraform or this provider understood the configuration.

@apparentlymart ,
Thank you for looking into this matter.

The keys were different, even though it was not obvious to me late last night.

Here are the details:

resource "aws_key_pair" "vm_key" {
  count      = length(var.public_key_file_name) != 0 ? 1 : 0
  key_name   = var.key_name
  public_key = trimspace(file(var.public_key_file_name))
}

The plan:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:
  # aws_key_pair.vm_key[0] will be created
  + resource "aws_key_pair" "vm_key" {
      + arn             = (known after apply)
      + fingerprint     = (known after apply)
      + id              = (known after apply)
      + key_name        = "vm_dev"
      + key_name_prefix = (known after apply)
      + key_pair_id     = (known after apply)
      + key_type        = (known after apply)
      + public_key      = "sh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC <TRIMMED> mpM= az@dell5000"
      + tags_all        = (known after apply)

Plan: 1 to add, 0 to change, 0 to destroy.

whereas:

more ~/.ssh/
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ  <TRIMMED> Kpwc= az@dell5000

As you can see, the first ~20 or so symbols look identical, and it being late at night, I missed that.
Most likely during my iterations, I didn't copy the new pub key over to the TF code location.

Thank you for your help!
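A check that would have caught the mismatch this thread ends on, added here as an example and not part of the original posts or of the AWS provider. It parses an OpenSSH public key line the way the server does (prefix, base64 blob, comment), rejects a line whose prefix is clipped or whose blob is truncated, computes the SHA256 fingerprint that ssh-keygen -l prints, and compares two lines by key material rather than by eye. Everything is standard library; the two sample keys and their moduli are constructed for the demo and are not real RSA moduli (only the file format and fingerprinting are exercised, never RSA arithmetic).

```python
"""Validate an OpenSSH public key line and fingerprint it the way ssh-keygen -l does.

Added example, not from the thread. Standard library only. The sample keys
below are constructed for the demo: their moduli are not real RSA moduli.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string (RFC 4251): 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: two's-complement big-endian, so a set MSB gets a leading 0x00."""
    if value == 0:
        return _ssh_string(b"")
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    """Read one SSH string at offset `off`; reject truncated blobs."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Assemble 'ssh-rsa <base64 blob> <comment>' (blob layout per RFC 4253 s6.6)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_openssh_pubkey(line: str) -> dict:
    """Parse one authorized_keys-style line; ValueError on anything malformed.

    Leading/trailing whitespace is stripped (what trimspace() does in the
    Terraform config above). A clipped prefix such as 'sh-rsa' is caught
    because the type string embedded in the blob no longer matches it.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64 in key blob: {exc}") from exc
    embedded, off = _read_string(blob, 0)
    if embedded != key_type.encode("ascii", "replace"):
        raise ValueError(f"prefix {key_type!r} does not match embedded type {embedded!r}")
    if key_type != "ssh-rsa":
        raise ValueError(f"unsupported key type {key_type!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA public key")
    return {"type": key_type, "e": int.from_bytes(e_bytes, "big"),
            "n": int.from_bytes(n_bytes, "big"),
            "comment": " ".join(fields[2:]), "blob": blob}


def is_valid_pubkey(line: str) -> bool:
    """True when the line parses; use this before handing a key to a provider."""
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


def fingerprint(line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: base64 of sha256(blob), no padding."""
    digest = hashlib.sha256(parse_openssh_pubkey(line)["blob"]).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def keys_match(line_a: str, line_b: str) -> bool:
    """True when both lines carry the same key, ignoring comment and whitespace."""
    return parse_openssh_pubkey(line_a)["blob"] == parse_openssh_pubkey(line_b)["blob"]


def _constructed_modulus(label: bytes) -> int:
    """Deterministic 2048-bit odd number for the demo. NOT a real RSA modulus."""
    return int.from_bytes(hashlib.sha256(label).digest() * 8, "big") | (1 << 2047) | 1


# Constructed sample keys: the .pub that matches the private key in use, and a
# stale .pub left over from an earlier ssh-keygen run.
KEY_CURRENT = build_rsa_pubkey_line(65537, _constructed_modulus(b"current"), "user@host")
KEY_STALE = build_rsa_pubkey_line(65537, _constructed_modulus(b"stale"), "user@host")


if __name__ == "__main__":
    for label, line in [("current", KEY_CURRENT), ("stale", KEY_STALE),
                        ("clipped", KEY_CURRENT[1:])]:  # 'sh-rsa ...' as in the plan output
        try:
            print(f"{label:8} {fingerprint(line)}")
        except ValueError as exc:
            print(f"{label:8} REJECTED: {exc}")
    print("stale .pub matches current key:", keys_match(KEY_STALE, KEY_CURRENT))
```

On a workstation, feed it the line that `ssh-keygen -y -f ~/.ssh/vm_key` prints from the private key and the line from the .pub file that Terraform reads; if `keys_match` is False, the .pub in the TF code location is not the key you are logging in with, which is exactly the situation described above. The fingerprint it prints should agree with `ssh-keygen -lf` on the same file, so the two can be cross-checked.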