Add an ED25519 key pair resource

Author: daveadams

docs/index.md

@@ -7,8 +7,8 @@ description: |-
 
 # Provider: sshkey
 
-The `sshkey` Terraform provider generates SSH key pairs. Only RSA-type keys are
-currently supported.
+The `sshkey` Terraform provider generates SSH key pairs. Only RSA and ED25519
+keys are currently supported.
 
 ## Example Usage
 

docs/resources/ed25519_key_pair.md

@@ -0,0 +1,26 @@
+---
+page_title: "ed25519_key_pair Resource - terraform-provider-sshkey"
+subcategory: ""
+description: |-
+  The ed25519_key_pair resource generates an ED25519 key pair.
+---
+
+# Resource: sshkey_ed25519_key_pair
+
+The `sshkey_ed25519_key_pair` resource generates an ED25519 key pair.
+
+## Example Usage
+
+```terraform
+resource "sshkey_ed25519_key_pair" "example" {}
+```
+
+## Attributes Reference
+
+The following attributes are exported.
+
+- `private_key_pem` - (Sensitive) The RSA private key in PEM format.
+- `public_key` - The public key value in SSH2/`authorized_keys` format.
+- `fingerprint_sha256` - SHA256 fingerprint of the key.
+- `fingerprint_md5` - Legacy MD5 fingerprint of the key.
+- `id` - The SHA256 fingerprint of the key.

examples/sshkey_ed25519_key_pair/main.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    sshkey = {
+      source = "daveadams/sshkey"
+    }
+  }
+}
+
+resource "sshkey_ed25519_key_pair" "example" {
+  count = 2
+}
+
+output "example_public_keys" {
+  value = sshkey_ed25519_key_pair.example[*].public_key
+}
+
+output "example_fingerprints_md5" {
+  value = sshkey_ed25519_key_pair.example[*].fingerprint_md5
+}
+
+output "example_fingerprints_sha256" {
+  value = sshkey_ed25519_key_pair.example[*].fingerprint_sha256
+}

examples/sshkey_rsa_key_pair/main.tf

@@ -1,8 +1,7 @@
 terraform {
   required_providers {
     sshkey = {
-      version = "0.1.1"
-      source  = "daveadams/sshkey"
+      source = "daveadams/sshkey"
     }
   }
 }

go.mod

@@ -4,7 +4,7 @@ go 1.17
 
 require (
 	github.com/hashicorp/terraform-plugin-framework v0.5.0
-	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
+	golang.org/x/crypto v0.0.0-20220214200702-86341886e292
 )
 
 require (
@@ -26,9 +26,9 @@ require (
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/stretchr/testify v1.7.0 // indirect
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
-	golang.org/x/net v0.0.0-20210326060303-6b1517762897 // indirect
+	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
 	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
-	golang.org/x/text v0.3.5 // indirect
+	golang.org/x/text v0.3.6 // indirect
 	google.golang.org/appengine v1.6.6 // indirect
 	google.golang.org/genproto v0.0.0-20200711021454-869866162049 // indirect
 	google.golang.org/grpc v1.32.0 // indirect

go.sum

@@ -99,8 +99,9 @@ github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6Ac
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -116,8 +117,8 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20191009170851-d66e71096ffb/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210326060303-6b1517762897 h1:KrsHThm5nFk34YtATK1LsThyGhGbGe1olrte/HInHvs=
-golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -129,15 +130,16 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=

sshkey/ed25519_key_pair.go

@@ -0,0 +1,58 @@
+package sshkey
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"golang.org/x/crypto/ssh"
+)
+
+type ed25519KeyPair struct {
+	privateKey ed25519.PrivateKey
+	publicKey  ssh.PublicKey
+}
+
+func generateED25519KeyPair() (*ed25519KeyPair, error) {
+	rawPubKey, key, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+
+	pub, err := ssh.NewPublicKey(rawPubKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ed25519KeyPair{
+		privateKey: key,
+		publicKey:  pub,
+	}, nil
+}
+
+func (k *ed25519KeyPair) PrivateKeyPEM() (string, error) {
+	keyBytes, err := x509.MarshalPKCS8PrivateKey(k.privateKey)
+	if err != nil {
+		return "", err
+	}
+
+	return string(pem.EncodeToMemory(
+		&pem.Block{
+			Type:    "OPENSSH PRIVATE KEY",
+			Headers: nil,
+			Bytes:   keyBytes,
+		}),
+	), nil
+}
+
+func (k *ed25519KeyPair) PublicKey() string {
+	return string(ssh.MarshalAuthorizedKey(k.publicKey))
+}
+
+func (k *ed25519KeyPair) FingerprintMD5() string {
+	return ssh.FingerprintLegacyMD5(k.publicKey)
+}
+
+func (k *ed25519KeyPair) FingerprintSHA256() string {
+	return ssh.FingerprintSHA256(k.publicKey)
+}

sshkey/models.go

@@ -12,3 +12,11 @@ type RSAKeyPair struct {
 	FingerprintMD5    types.String `tfsdk:"fingerprint_md5"`
 	FingerprintSHA256 types.String `tfsdk:"fingerprint_sha256"`
 }
+
+type ED25519KeyPair struct {
+	ID                types.String `tfsdk:"id"`
+	PrivateKeyPEM     types.String `tfsdk:"private_key_pem"`
+	PublicKey         types.String `tfsdk:"public_key"`
+	FingerprintMD5    types.String `tfsdk:"fingerprint_md5"`
+	FingerprintSHA256 types.String `tfsdk:"fingerprint_sha256"`
+}

sshkey/provider.go

@@ -37,7 +37,8 @@ func (p *sshkeyProvider) Configure(ctx context.Context, req tfsdk.ConfigureProvi
 
 func (p *sshkeyProvider) GetResources(_ context.Context) (map[string]tfsdk.ResourceType, diag.Diagnostics) {
 	return map[string]tfsdk.ResourceType{
-		"sshkey_rsa_key_pair": resourceRSAKeyPairType{},
+		"sshkey_rsa_key_pair":     resourceRSAKeyPairType{},
+		"sshkey_ed25519_key_pair": resourceED25519KeyPairType{},
 	}, nil
 }
 

sshkey/resource_ed25519_key_pair.go

@@ -0,0 +1,105 @@
+package sshkey
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/tfsdk"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+type resourceED25519KeyPairType struct{}
+
+func (r resourceED25519KeyPairType) GetSchema(ctx context.Context) (tfsdk.Schema, diag.Diagnostics) {
+	return tfsdk.Schema{
+		Attributes: map[string]tfsdk.Attribute{
+			"id": {
+				Type:     types.StringType,
+				Computed: true,
+			},
+			"private_key_pem": {
+				Type:      types.StringType,
+				Computed:  true,
+				Sensitive: true,
+			},
+			"public_key": {
+				Type:     types.StringType,
+				Computed: true,
+			},
+			"fingerprint_md5": {
+				Type:     types.StringType,
+				Computed: true,
+			},
+			"fingerprint_sha256": {
+				Type:     types.StringType,
+				Computed: true,
+			},
+		},
+	}, nil
+}
+
+func (r resourceED25519KeyPairType) NewResource(ctx context.Context, p tfsdk.Provider) (tfsdk.Resource, diag.Diagnostics) {
+	return resourceED25519KeyPair{}, nil
+}
+
+type resourceED25519KeyPair struct{}
+
+func (r resourceED25519KeyPair) Create(ctx context.Context, req tfsdk.CreateResourceRequest, resp *tfsdk.CreateResourceResponse) {
+	var plan ED25519KeyPair
+	diags := req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	key, err := generateED25519KeyPair()
+	if err != nil {
+		resp.Diagnostics.AddError("Unable to generate a new ED25519 key", err.Error())
+		return
+	}
+
+	privateKeyPEM, err := key.PrivateKeyPEM()
+	if err != nil {
+		resp.Diagnostics.AddError("Unable to render private key to PEM format", err.Error())
+		return
+	}
+
+	result := ED25519KeyPair{
+		ID:                types.String{Value: key.FingerprintSHA256()},
+		PrivateKeyPEM:     types.String{Value: privateKeyPEM},
+		PublicKey:         types.String{Value: key.PublicKey()},
+		FingerprintMD5:    types.String{Value: key.FingerprintMD5()},
+		FingerprintSHA256: types.String{Value: key.FingerprintSHA256()},
+	}
+
+	diags = resp.State.Set(ctx, result)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+}
+
+func (r resourceED25519KeyPair) Read(ctx context.Context, req tfsdk.ReadResourceRequest, resp *tfsdk.ReadResourceResponse) {
+	// no need to support Read at the moment since the resource is fully within state
+	// NOTE: if we support sourcing from files on disk in the future, this will have to be implemented
+}
+
+func (r resourceED25519KeyPair) Update(ctx context.Context, req tfsdk.UpdateResourceRequest, resp *tfsdk.UpdateResourceResponse) {
+	// no need to support Update at the moment, since the only possible changes require replacement
+	// NOTE: if we need to support changes later for comments, etc, this will need to be implemented
+}
+
+func (r resourceED25519KeyPair) Delete(ctx context.Context, req tfsdk.DeleteResourceRequest, resp *tfsdk.DeleteResourceResponse) {
+	var state ED25519KeyPair
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	resp.State.RemoveResource(ctx)
+}
+
+func (r resourceED25519KeyPair) ImportState(ctx context.Context, req tfsdk.ImportResourceStateRequest, resp *tfsdk.ImportResourceStateResponse) {
+	tfsdk.ResourceImportStateNotImplemented(ctx, "", resp)
+}

sshkey/rsa_key_pair.go

@@ -38,7 +38,7 @@ func generateRSAKeyPair(bits int) (*rsaKeyPair, error) {
 func (k *rsaKeyPair) PrivateKeyPEM() string {
 	return string(pem.EncodeToMemory(
 		&pem.Block{
-			Type:    "RSA PRIVATE KEY",
+			Type:    "OPENSSH PRIVATE KEY",
 			Headers: nil,
 			Bytes:   x509.MarshalPKCS1PrivateKey(k.privateKey),
 		}),