Random password e README

2023-09-07 12:40:40 +02:00 · 2023-09-07 12:40:40 +02:00 · eef407b5b8
commit eef407b5b8
parent e5473e8df1
5 changed files with 95 additions and 16 deletions
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -20,6 +20,25 @@ provider "registry.terraform.io/hashicorp/external" {
  ]
 }

+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+  ]
+}
+
 provider "registry.terraform.io/telmate/proxmox" {
  version     = "2.9.14"
  constraints = "2.9.14"
--- a/.terraform/providers/registry.terraform.io/hashicorp/random/3.5.1/linux_amd64/terraform-provider-random_v3.5.1_x5
+++ b/.terraform/providers/registry.terraform.io/hashicorp/random/3.5.1/linux_amd64/terraform-provider-random_v3.5.1_x5
--- a/README.md
+++ b/README.md
@ -0,0 +1,16 @@
+# Terraform Alpine VMs en Proxmox
+
+Configuración para desplegar máquinas virtuales usando [Terraform](https://www.terraform.io/)
+a partir de un template de proxmox con soporte de cloud-init basado en Alpine Linux
+e creado como se explica [neste artigo](https://tr4ck.net/~sergio/artigos/alpine-cloud-init.html).
+
+## Configuración no Proxmox
+É necesario no Proxmox crear un usuario e unhas «apikeys» para que o Terraform
+se poida conectar como se explica na [doc do provider](https://registry.terraform.io/providers/Telmate/proxmox/latest/docs).
+Logo copia env.sh.example a env.sh e configurao coas keys obtidas do Proxmox.
+
+## Configuración para o Terraform
+No arquivo vars.tf configura as variables como sigue:
+- proxmox_host: o nome do host Proxmox
+- template_name: o nome do template con cloud-init de Alpine a usar como base
+- ssh_key: a clave pública a usar para facer login por ssh nas VMs creadas
--- a/main.tf
+++ b/main.tf
@ -26,13 +26,19 @@ provider "proxmox" {
    pm_tls_insecure = true
 }

-# resource é o que queremos
-# unha entidade co nome "hashi" de tipo "proxmox_vm_qemu"
+# random passwords, we only want to allow access by ssh with keys
+resource "random_password" "password" {
+  length           = 16
+  special          = true
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+# servers definition
 resource "proxmox_vm_qemu" "hashi_server" {
-    count = 1  # cantidade de instancias, 0 para destruir todas
-    name = "hashi-${count.index + 1}"  # autonumera
-    target_node = var.proxmox_host  # definese no vars.tf
-    clone = var.template_name  #definese no vars.tf
+    count = 1  # num of instances, 0 to destroy all
+    name = "hashi-${count.index + 1}"  # autonum
+    target_node = var.proxmox_host  # defined in vars.tf
+    clone = var.template_name  # defined in vars.tf
    full_clone = true

    # basic VM settings here. agent refers to guest agent
@ -74,7 +80,8 @@ resource "proxmox_vm_qemu" "hashi_server" {

    # username by cloud-init
    ciuser = "alpine"
-    ssh_user = "alpine"
+    cipassword = random_password.password.result # needed for ssh access, without password cant login
+                                                 # even though user has authorized_keys configured

    # sshkeys set using variables. the variable contains the text of the key.
    sshkeys = <<EOF
--- a/terraform.tfstate
+++ b/terraform.tfstate
@ -1,7 +1,7 @@
 {
  "version": 4,
  "terraform_version": "1.5.6",
-  "serial": 26,
+  "serial": 84,
  "lineage": "9d9b0d60-7a22-799c-7440-c01afa77a9fb",
  "outputs": {},
  "resources": [
@ -50,7 +50,7 @@
            "bridge": null,
            "ci_wait": null,
            "cicustom": "",
-            "cipassword": "",
+            "cipassword": "7=+LNuFPaXFJWWi-",
            "ciuser": "alpine",
            "clone": "alpine-gold",
            "clone_wait": 10,
@ -66,7 +66,7 @@
                "backup": true,
                "cache": "none",
                "discard": "",
-                "file": "vm-104-disk-0",
+                "file": "vm-103-disk-0",
                "format": "raw",
                "iops": 0,
                "iops_max": 0,
@ -91,7 +91,7 @@
                "storage": "local-lvm",
                "storage_type": "lvmthin",
                "type": "scsi",
-                "volume": "local-lvm:vm-104-disk-0"
+                "volume": "local-lvm:vm-103-disk-0"
              }
            ],
            "disk_gb": null,
@ -103,7 +103,7 @@
            "hastate": "",
            "hostpci": [],
            "hotplug": "network,disk,usb",
-            "id": "pve/qemu/104",
+            "id": "pve/qemu/103",
            "ipconfig0": "ip=192.168.1.71/24,gw=192.168.1.1",
            "ipconfig1": "",
            "ipconfig10": "",
@ -132,7 +132,7 @@
                "bridge": "vmbr0",
                "firewall": false,
                "link_down": false,
-                "macaddr": "A6:34:10:6D:83:97",
+                "macaddr": "0A:FE:8F:84:55:C3",
                "model": "virtio",
                "mtu": 0,
                "queues": 0,
@ -159,7 +159,7 @@
            "ssh_host": null,
            "ssh_port": null,
            "ssh_private_key": null,
-            "ssh_user": "alpine",
+            "ssh_user": null,
            "sshkeys": "    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPiMj6yG62yNiju2H3FQicX76AsBRZfxpMMfVeCEXEsF sergio@nas\n\n",
            "startup": "",
            "storage": null,
@ -175,13 +175,50 @@
            "vlan": -1,
            "vmid": null
          },
-          "sensitive_attributes": [],
+          "sensitive_attributes": [
+            [
+              {
+                "type": "get_attr",
+                "value": "cipassword"
+              }
+            ]
+          ],
          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWZhdWx0IjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjEyMDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19",
          "dependencies": [
-            "data.external.env"
+            "data.external.env",
+            "random_password.password"
          ]
        }
      ]
+    },
+    {
+      "mode": "managed",
+      "type": "random_password",
+      "name": "password",
+      "provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
+      "instances": [
+        {
+          "schema_version": 3,
+          "attributes": {
+            "bcrypt_hash": "$2a$10$oYJ7Dy9JjkZw64Z3qrLk6.pTP41wEzi2e892x0RFVMrYgUgS2CO6K",
+            "id": "none",
+            "keepers": null,
+            "length": 16,
+            "lower": true,
+            "min_lower": 0,
+            "min_numeric": 0,
+            "min_special": 0,
+            "min_upper": 0,
+            "number": true,
+            "numeric": true,
+            "override_special": "!#$%\u0026*()-_=+[]{}\u003c\u003e:?",
+            "result": "7=+LNuFPaXFJWWi-",
+            "special": true,
+            "upper": true
+          },
+          "sensitive_attributes": []
+        }
+      ]
    }
  ],
  "check_results": null