avoid ssh-import-ids, cache keys by our own

sorah · sorah · commit 3b0ed121156f · 2025-09-02T08:14:11.000+09:00
it can be flaky, for example non-existent user or users without keys can silently result into incomplete authorized_keys file: https://bugs.launchpad.net/ssh-import-id/+bug/2031332
diff --git a/tf/acme-responder/userdata.jsonnet b/tf/acme-responder/userdata.jsonnet
@@ -1,5 +1,5 @@
 local cloud_config = (import '../cloudconfig.base.libsonnet') + {
-  runcmd: [
+  runcmd+: [
     ['networkctl', 'reload'],
   ],
   write_files: [
diff --git a/tf/bastion/.terraform.lock.hcl b/tf/bastion/.terraform.lock.hcl
diff --git a/tf/bastion/aws.tf b/tf/bastion/aws.tf
@@ -10,3 +10,4 @@ provider "aws" {
 }
 
 data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
diff --git a/tf/bastion/bastion-onpremises.tf b/tf/bastion/bastion-onpremises.tf
@@ -14,6 +14,7 @@ resource "aws_instance" "bastion-onpremises" {
   tags = {
     Name = "bastion-onpremises"
   }
+  depends_on = [null_resource.s3-authorized-keys]
   lifecycle {
     ignore_changes = [ami]
   }
diff --git a/tf/bastion/bastion.tf b/tf/bastion/bastion.tf
@@ -51,6 +51,7 @@ resource "aws_instance" "bastion" {
   tags = {
     Name = "bastion"
   }
+  depends_on = [null_resource.s3-authorized-keys]
   lifecycle {
     ignore_changes = [ami]
   }
diff --git a/tf/bastion/ssh_keys.rb b/tf/bastion/ssh_keys.rb
@@ -0,0 +1,45 @@
+require 'bundler/inline'
+gemfile do
+  source 'https://rubygems.org'
+  gem 'aws-sdk-s3'
+  gem 'rexml'
+end
+require 'open-uri'
+require 'json'
+require 'logger'
+
+ssh_import_id = JSON.parse(File.read(ENV['SSH_IMPORT_ID_FILE']))
+
+all_keys = []
+ssh_import_id.each do |x|
+  next unless x.start_with?('gh:')
+  login = x.sub(/^gh:/,'')
+
+  url = "https://api.github.com/users/#{login}/keys"
+  p url
+  keys = JSON.parse(URI.open(url, "r", &:read))
+
+  nonrsa = keys.map { _1.fetch('key') }.any? { _1.start_with?('ssh-ed25519') || _1.start_with?('ecdsa-') }
+
+  keys.each do |key|
+    kty = {
+      'ssh-rsa' => :rsa,
+      'ecdsa-sha2-nistp256' => :ecdsa,
+      'ecdsa-sha2-nistp384' => :ecdsa,
+      'ecdsa-sha2-nistp521' => :ecdsa,
+      'ssh-ed25519' => :ed25519,
+    }[key.fetch('key').split(' ', 2)[0]]
+    next unless kty
+    next if nonrsa && kty == :rsa
+
+    all_keys << "#{key.fetch('key')} #{login}@github/#{key.fetch('id')}"
+  end
+end
+
+Aws::S3::Client.new(logger: Logger.new($stdout))
+  .put_object(
+    bucket: ENV.fetch('S3_BUCKET'),
+    key: ENV.fetch('S3_KEY'),
+    content_type: 'text/plain',
+    body: all_keys.join("\n") + "\n",
+  )
diff --git a/tf/bastion/ssh_keys.tf b/tf/bastion/ssh_keys.tf
@@ -0,0 +1,21 @@
+data "aws_s3_bucket" "dot-net" {
+  bucket = "rubykaigi-dot-net"
+}
+
+resource "null_resource" "s3-authorized-keys" {
+  triggers = {
+    hash1 = sha512(file("${path.module}/ssh_keys.rb"))
+    hash2 = sha512(file("${path.module}/../../data/ssh_import_ids.json"))
+  }
+  provisioner "local-exec" {
+    command = "ruby ssh_keys.rb"
+    environment = {
+      SSH_IMPORT_ID_FILE = "${path.module}/../../data/ssh_import_ids.json"
+      S3_BUCKET          = data.aws_s3_bucket.dot-net.bucket
+      S3_KEY             = "authorized_keys"
+      AWS_REGION         = data.aws_region.current.name
+    }
+  }
+}
+
+
diff --git a/tf/cloudconfig.base.libsonnet b/tf/cloudconfig.base.libsonnet
@@ -5,9 +5,19 @@
       primary_group: 'rk',
       uid: 3333,
       groups: 'adm,sudo,plugdev,netdev,lxd',
-      ssh_import_id: import '../data/ssh_import_ids.json',
+      ssh_authorized_keys: ['# dummy comment'],
       sudo: 'ALL=(ALL) NOPASSWD: ALL',
       shell: '/bin/bash',
     },
   ],
+
+  runcmd_get_authorized_keys:: [
+    ['curl', '-o', '/home/rk/.ssh/authorized_keys.rknet', 'https://rubykaigi.net/authorized_keys'],  // //tf/bastion/ssh_keys.tf
+    ['bash', '-c', 'cat /home/rk/.ssh/authorized_keys.rknet | tee -a /home/rk/.ssh/authorized_keys'],
+    ['rm', '/home/rk/.ssh/authorized_keys.rknet'],
+    ['ls', '-la', '/home/rk/.ssh'],
+  ],
+
+  runcmd: [] +
+          $.runcmd_get_authorized_keys,
 }
diff --git a/tf/cloudprober/cloudconfig.jsonnet b/tf/cloudprober/cloudconfig.jsonnet
@@ -17,7 +17,7 @@
     },
   ],
 
-  runcmd: [
+  runcmd+: [
     ['systemctl', 'daemon-reload'],
     ['systemctl', 'enable', '--now', 'cloudprober.service'],
   ],
diff --git a/tf/tftp/default.jsonnet b/tf/tftp/default.jsonnet
@@ -6,14 +6,6 @@ local user_data = (import '../cloudconfig.base.libsonnet') + {
     'iperf3',
     'mtr',
   ],
-  users+: [
-    super.users[0] {
-      // FIXME: ssh_import_id is flaky...
-      ssh_authorized_keys: [
-        'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACG1cKNR8SS4Dkm2wcia74RRmy9d7h62114MQd0H9zb1+1LxVa55Qqd8O232BH1i/fF/1o+eE3L5U7RCR8KUCuAXgFrF429BETaiiBnSErv5yrHJS5RTTjEhA1d9Ygk0o3Und6+90waBXAk2oPVP+OBNtYq1CraZQsXuqvlUtMrBnSTsQ== sorah-mulberry-ecdsa',
-      ],
-    },
-  ],
 };
 local autoinstall = {
   autoinstall: {

Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,4 @@ provider "aws" {`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`data "aws_caller_identity" "current" {}`
	`13`	`+data "aws_region" "current" {}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ resource "aws_instance" "bastion-onpremises" {`
`14`	`14`	`tags = {`
`15`	`15`	`Name = "bastion-onpremises"`
`16`	`16`	`}`
	`17`	`+ depends_on = [null_resource.s3-authorized-keys]`
`17`	`18`	`lifecycle {`
`18`	`19`	`ignore_changes = [ami]`
`19`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ resource "aws_instance" "bastion" {`
`51`	`51`	`tags = {`
`52`	`52`	`Name = "bastion"`
`53`	`53`	`}`
	`54`	`+ depends_on = [null_resource.s3-authorized-keys]`
`54`	`55`	`lifecycle {`
`55`	`56`	`ignore_changes = [ami]`
`56`	`57`	`}`