SSH Keys Management

Terraform code in the example projects provided in this pattern creates, modifies and destroys the SSH key. However, you may want to use your own SSH key or create, modify and destroy it using a different method. Having a SSH key shared between projects is also good practice to follow. This chapter describes how to manage a SSH key outside of the example project Terraform code.

Before creating the SSH key in IBM Cloud you need to have a SSH key pair in your system. You can create the key pair using the ssh-keygen command. If you use the default parameters it generates the SSH Key Pairs in the files ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa. Read create the SSH key pair to know more about the command ssh-keygen and the different parameters you can use.

You can create the SSH Key on IBM Cloud on different ways, here we’ll explain two: Using the IBM Cloud CLI and using Terraform.

Make sure you have installed ibmcloud and the infrastructure-service plugin targeting it to Gen 2. Then login to your account using the ibmcloud login command. The Setup Environment page explain how to get this ready.

List the existing SSH Keys using the following command to not use one of the used key names:

To create your SSH Key execute the command ibmcloud is key-create KEY_NAME (KEY | @KEY_FILE). Assuming you’ll take the public SSH key from ~/.ssh/id_rsa.pub and name the key schematics-test-key, the command would be like this:

If something went wrong with the creation you can update the key name or delete the SSH key with the following commands respectively. The key ID 00000000-0000-0000-0000-000000000000 is fake, get the correct Key ID using the ibmcloud is keys command.

A pre-requisite for using Terraform is to complete the environment setup. For the steps below, it’s required to have Terraform installed, the IBM Cloud Provider installed and the variable IC_API_KEY exported with the API Key to access your IBM Cloud account.

In the Getting Started with Terraform we made Terraform code to create a SSH Key for our simple instance. We can reuse that code. Create a directory named ssh-key for the following Terraform code:

Execute terraform init, then execute the following commands to create or update the key (you will be prompted for the key name because there is no default set for ssh_key_name variable in the code):

To destroy the key just execute terraform destroy

To make the Terraform code in all the examples of the IaC pattern use the recently created SSH Key we need to add the following code the files variables.tf and main.tf like so:

All the variables related to the SSH Key were replaced by just one ssh_key_name which is going to store the name of the recently created SSH Key.

In the main.tf remove all the code to create the SSH Key and insert the data source ibm_is_ssh_key to get the information from the shared SSH Key. The data source requires the SSH Key name which is stored in the variable ssh_key_name. Also, remove any SSH key variable in the variables.tf file.

The ibm_is_instance.iac_instance instance use a similar code to get the SSH Key ID, but instead it uses the data source ibm_is_ssh_key.shared_ssh_key, notice the prefix data..

If you’d like to destroy the shared SSH Key just need to execute the command:

If the SSH key is being used by other resources IBM Cloud will complain and won’t let you delete the key. Make sure no resource is using the key in order to delete it.