Handling SSH auth in Terraform Cloud

Dear all,

I’m fairly new to Terraform et al, please excuse any gap in knowledge and experience. I’m working on setting up a Nomad cluster on AWS, with a separate instance serving as a Vault CA. I’m using Terraform Cloud and want to have SSH access to all instances. As for the generated key pair:

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "generated_key" {
  key_name   = "tf-key"
  public_key = tls_private_key.private_key.public_key_openssh
}

I’m wondering if there is a way to store the private key somewhere in Terraform Cloud so that I can download it and use it for logging into the AWS instances. The only way I’ve found is grabbing it from the state file. Alternatively, I tried using a pre-generated key pair and saving the public and private keys as environment variables, but that didn’t work for me either.

Thanks for your thoughts and guidance on this matter.

Cheers
Philipp

Hi @nasenblick,

The output values from your root module are the only channel for directly exporting data from your Terraform configuration.

If that’s not sufficient then you’ll need to write your Terraform configuration to publish this information to some other location outside of Terraform, and then retrieve it directly from that location.

For example, since you are using AWS you might choose to use AWS Secrets Manager to store the key:

resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  # PEM-encoded private key exported by the tls_private_key resource above
  secret_string = tls_private_key.private_key.private_key_pem
}

Any service which has Terraform provider support and can securely store a sensitive value would probably be suitable here, though of course you may be subject to compliance requirements that constrain your choices.

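The retrieval side of this approach, as an added example that is not from the thread: a small POSIX shell helper that pulls the stored PEM from Secrets Manager with the AWS CLI and installs it with owner-only permissions, refusing anything that does not look like a private key (for example an error message captured instead of the secret). The secret name, key path and instance host are placeholders; bear in mind the key also remains in the Terraform state, as noted above.

```shell
#!/usr/bin/env sh
# Fetch an SSH private key stored in AWS Secrets Manager and install it
# for ssh. Secret id, destination path and host below are placeholders.
set -eu

# Return the raw SecretString for a secret id (needs authenticated AWS CLI).
fetch_private_key() {
  aws secretsmanager get-secret-value \
    --secret-id "$1" \
    --query SecretString \
    --output text
}

# Sanity check: value must contain a PEM private key block, so a CLI error
# or an empty string is never written out as if it were a key.
looks_like_pem() {
  case "$1" in
    *"-----BEGIN "*"PRIVATE KEY-----"*"-----END "*"PRIVATE KEY-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the key to $2 with mode 0600. Refuses non-PEM input and refuses to
# overwrite an existing file, so a stale key is never silently replaced.
install_private_key() {
  pem="$1"
  dest="$2"
  looks_like_pem "$pem" || { echo "refusing to write: not a PEM private key" >&2; return 1; }
  [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; return 1; }
  # umask in a subshell so the file is never group/world readable, even briefly.
  ( umask 077 && printf '%s\n' "$pem" > "$dest" )
  chmod 600 "$dest"
}

# Typical use: fetch, install, connect. Names here are placeholders.
main() {
  key="$(fetch_private_key tf-key-private)"
  install_private_key "$key" "$HOME/.ssh/tf-key.pem"
  ssh -i "$HOME/.ssh/tf-key.pem" ec2-user@EXAMPLE_INSTANCE_HOST
}

if [ "${1:-}" = "run" ]; then
  main
fi
```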

Thanks @apparentlymart, this makes perfect sense and is very helpful!