
[New Resource]: aws_transfer_host_key #30789

Open
sergei-ivanov opened this issue Apr 18, 2023 · 5 comments
Labels
new-resource Introduces a new resource. service/transfer Issues and PRs that pertain to the transfer service.

Comments

@sergei-ivanov
Contributor

Description

We need a mechanism to import multiple host keys into transfer server, possibly superseding the aws_transfer_server.host_key functionality. This is essential for key rotation requirements, and also to be able to provide keys of multiple types (e.g. both RSA and ED25519).

Requested Resource(s) and/or Data Source(s)

  • aws_transfer_host_key

Potential Terraform Configuration

```hcl
resource "aws_transfer_host_key" "rsa" {
  server_id   = aws_transfer_server.this.id
  private_key = "...."
  description = "RSA 4096, Created 2023-03-15"
  tags = {
    Type = "RSA"
  }
}
```

References

Linked issues:

API:

Would you like to implement a fix?

None

@sergei-ivanov sergei-ivanov added the needs-triage Waiting for first response or review from a maintainer. label Apr 18, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/transfer Issues and PRs that pertain to the transfer service. label Apr 18, 2023
@justinretzolk justinretzolk added new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. labels Apr 19, 2023
@dirk39
Contributor

dirk39 commented Apr 19, 2023

hi @sergei-ivanov, will the aws_transfer_server.host_key conflict with the new resource? Or do we have to maintain both ways to import the key?

@sergei-ivanov
Contributor Author

> hi @sergei-ivanov, will the aws_transfer_server.host_key conflict with the new resource? Or do we have to maintain both ways to import the key?

I guess that we'll have to use ignore_changes for host_key when the keys are attached using the new aws_transfer_host_key resource. We may still want to use host_key for seeding the initial key, because if we leave it unspecified, AWS Transfer will still create its own key pair.

@chadmyers

Also please make it so that it can hook into an AWS Secrets Manager Secret somehow. I can't believe people are OK with having their private host keys as plaintext strings in their terraform files!

@pspot2

pspot2 commented Jul 11, 2023

> Also please make it so that it can hook into an AWS Secrets Manager Secret somehow. I can't believe people are OK with having their private host keys as plaintext strings in their terraform files!

You can use the data "aws_ssm_parameter" resource to fetch the parameter you need and then feed it to the respective input argument of the Transfer server.

As to how you would put secrets / host keys into SSM (in order not to have them in TF files) in the first place - that is a completely different story. If you use Terraform for this (resource "aws_ssm_parameter"), then be aware that at the moment Terraform stores SecureString values in its state in plain text (see #3475).
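A configuration that combines the two suggestions in this thread, seeding `host_key` from an SSM SecureString parameter rather than a literal and ignoring later drift on `host_key`, as an added example that is not from the issue or from the provider's own documentation; the parameter name and the server settings are assumptions.

```hcl
# Added example, not from the issue. Parameter name and server settings are assumed.

# Fetch the decrypted SecureString so the private key never appears in .tf files.
data "aws_ssm_parameter" "transfer_host_key" {
  name            = "/transfer/host-key/rsa" # assumed parameter name
  with_decryption = true
}

resource "aws_transfer_server" "this" {
  identity_provider_type = "SERVICE_MANAGED"
  protocols              = ["SFTP"]

  # Seed the initial host key; if host_key is left unset, AWS Transfer
  # generates its own key pair instead.
  host_key = data.aws_ssm_parameter.transfer_host_key.value

  lifecycle {
    # Once additional keys are attached outside this resource (for rotation or
    # to add another key type), do not let a diff on host_key force a change.
    ignore_changes = [host_key]
  }
}

# The fingerprint is safe to expose; the key material itself is not.
# Note that the decrypted parameter value still lands in Terraform state
# (see #3475 above), so the state backend must be protected accordingly.
output "transfer_host_key_fingerprint" {
  value = aws_transfer_server.this.host_key_fingerprint
}
```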
