Jeff Welling

Terraform Lifecycle to ignore SSH-Key in metadata

When you use gcloud to ssh to an instance, it adds that ssh pubkey to the instance's metadata to let you in. Awesome.

Except, now terraform wants to remove that metadata because it's not in the .tf file. I don't care that it's not in the .tf file, I want terraform to ignore the SSH keys, and due to security concerns I can't control I'm not able to use project-wide SSH keys.

I know how to set a lifecycle policy that ignores all metadata, but we still want to be notified if the hostinit script changes, so I'm trying to find a way to only ignore the ssh keys metadata.

As you can imagine this is rather hard to get good Google results for, but I have tried. There are a number of similar questions but they're resolved by enabling project wide SSH keys which I can't do.

Answers (1)

Chris

You can either ignore all metadata

resource "google_compute_instance" "default" {
 
  ...

  lifecycle {
    ignore_changes = [
      metadata
    ]
  }
}

or just specific keys, for example metadata["sshKeys"] (this is the syntax for a single map element in ignore_changes)

  lifecycle {
    ignore_changes = [
      # Only this map element is ignored; every other metadata key
      # (e.g. the startup script) is still compared against the .tf file.
      metadata["sshKeys"]
    ]
  }

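For completeness, here is a full resource that puts the per-key lifecycle rule from the answer in context: the startup ("hostinit") script stays under drift detection while only the SSH-key metadata entry is ignored. This is an added example, not code from the original answer. It assumes Terraform 0.12+ syntax, placeholder names (example-vm, the zone, the image, a hostinit.sh file next to the module), and that the key gcloud compute ssh appends at the instance level is ssh-keys (the answer uses the legacy name sshKeys; use whichever key actually shows up in your plan output).

```hcl
# Added example (not from the original answer). Placeholders: name, zone,
# image, and the local hostinit.sh file are assumptions for illustration.

resource "google_compute_instance" "default" {
  name         = "example-vm"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }

  # The startup ("hostinit") script is stored under the startup-script
  # metadata key, so any edit to hostinit.sh still shows up in `terraform plan`.
  metadata = {
    startup-script = file("${path.module}/hostinit.sh")
  }

  lifecycle {
    # Ignore only the instance-level key that `gcloud compute ssh` appends.
    # Assumption: gcloud writes "ssh-keys" here; "sshKeys" is the legacy name.
    # All other metadata keys remain under normal drift detection.
    ignore_changes = [
      metadata["ssh-keys"],
    ]
  }
}
```

To check that the rule does what you want: run `gcloud compute ssh` into the instance, then `terraform plan` should report no changes; next edit hostinit.sh and `terraform plan` should show a diff on metadata.startup-script only. If the plan still wants to remove a key, the key name in ignore_changes does not match the one gcloud wrote, which is the one to copy into the list.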
