Terraform can't import an Amazon EC2 key pair

Time: 2016-10-19 00:16:19

Tags: amazon-ec2 terraform

Using Terraform 0.7.7.

I have a simple Terraform file containing the following:

provider "aws" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "${var.region}"
}

resource "aws_instance" "personal" {
  ami           = "${lookup(var.amis, var.region)}"
  instance_type = "t2.micro"
}

resource "aws_eip" "ip" {
  instance = "${aws_instance.personal.id}"
}

resource "aws_key_pair" "personal" {
  key_name = "mschuchard-us-east"
  public_key = "${var.public_key}"
}

Terraform apply produces the following error:

aws_key_pair.personal: Creating...
  fingerprint: "" => "<computed>"
  key_name:    "" => "mschuchard-us-east"
  public_key:  "" => "ssh-rsa pubkey hash mschuchard-us-east"
aws_instance.personal: Creating...
  ami:                      "" => "ami-c481fad3"
  availability_zone:        "" => "<computed>"
  ebs_block_device.#:       "" => "<computed>"
  ephemeral_block_device.#: "" => "<computed>"
  instance_state:           "" => "<computed>"
  instance_type:            "" => "t2.micro"
  key_name:                 "" => "<computed>"
  network_interface_id:     "" => "<computed>"
  placement_group:          "" => "<computed>"
  private_dns:              "" => "<computed>"
  private_ip:               "" => "<computed>"
  public_dns:               "" => "<computed>"
  public_ip:                "" => "<computed>"
  root_block_device.#:      "" => "<computed>"
  security_groups.#:        "" => "<computed>"
  source_dest_check:        "" => "true"
  subnet_id:                "" => "<computed>"
  tenancy:                  "" => "<computed>"
  vpc_security_group_ids.#: "" => "<computed>"
aws_instance.personal: Creation complete
aws_eip.ip: Creating...
  allocation_id:     "" => "<computed>"
  association_id:    "" => "<computed>"
  domain:            "" => "<computed>"
  instance:          "" => "i-0ab94b58b0089697d"
  network_interface: "" => "<computed>"
  private_ip:        "" => "<computed>"
  public_ip:         "" => "<computed>"
  vpc:               "" => "<computed>"
aws_eip.ip: Creation complete
Error applying plan:

1 error(s) occurred:

* aws_key_pair.personal: Error import KeyPair: InvalidKeyPair.Duplicate: The keypair 'mschuchard-us-east' already exists.
status code: 400, request id: 51950b9a-55e8-4901-bf35-4d2be234abbf

The only help I could find by Googling was to blow away the *.tfstate files, which I tried, and it did not help. I can launch an EC2 instance with this key pair from the GUI and connect to it without trouble, but Terraform errors out when trying to use the same fully functional key pair.

3 answers:

Answer 0 (score: 11)

The error is telling you that the key pair already exists in your AWS account, but Terraform does not know about it in its state file, so it tries to create the key pair every time.

You have two options. First, you can simply delete it from your AWS account and let Terraform upload it, so that it is managed by Terraform and kept in its state file.

Alternatively, you can use the Terraform import command to bring the pre-existing resource into your state file:

terraform import aws_key_pair.personal mschuchard-us-east
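One way to make that import step safe to run before every apply, as an added example that is not part of the original answer: it looks up the key pair named in the error, compares the fingerprint AWS holds with the fingerprint of the local public key, and only then runs `terraform import`, so state never adopts a key pair whose public key you do not control. It assumes the AWS CLI, terraform, ssh-keygen and openssl are on PATH; `adopt_key_pair`, `remote_fingerprint` and `aws_fingerprint` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: adopt an already-existing EC2 key
# pair into Terraform state before `terraform apply`, but only when the key pair
# in AWS carries the same public key we intend to manage. Function names are ours.
# Assumes the AWS CLI, terraform, ssh-keygen and openssl are on PATH.
set -eu

# AWS reports an *imported* RSA key pair's fingerprint as the MD5 of the
# DER-encoded public key (colon-separated hex); compute the same value from an
# OpenSSH .pub file. AWS-generated key pairs use a SHA-1 over the private key
# instead, so this check applies to uploaded keys, as in the question.
aws_fingerprint() {
  ssh-keygen -e -m PKCS8 -f "$1" \
    | openssl pkey -pubin -outform DER \
    | openssl md5 -c \
    | awk '{print $NF}'
}

# Fingerprint AWS holds for key pair $1; prints nothing if it does not exist.
remote_fingerprint() {
  aws ec2 describe-key-pairs --key-names "$1" \
    --query 'KeyPairs[0].KeyFingerprint' --output text 2>/dev/null || true
}

# $1 = resource address (aws_key_pair.personal), $2 = key_name, $3 = local .pub.
# Prints "create" when apply may create the key pair, "imported" after adopting
# it, and fails without touching state when the fingerprints disagree.
adopt_key_pair() {
  addr=$1; name=$2; pubkey=$3
  remote=$(remote_fingerprint "$name")
  if [ -z "$remote" ]; then
    echo "create"
    return 0
  fi
  want=$(aws_fingerprint "$pubkey")
  if [ "$remote" != "$want" ]; then
    echo "refusing to import $name: AWS fingerprint $remote != local $want" >&2
    return 1
  fi
  terraform import "$addr" "$name" >/dev/null
  echo "imported"
}
```

Run `adopt_key_pair aws_key_pair.personal mschuchard-us-east id_rsa.pub` before `terraform apply`; a mismatch means someone else uploaded a key under that name, which is worth investigating rather than importing.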

Answer 1 (score: 3)

The error says that the key pair already exists in AWS, and it does not say whether it was created using Terraform or using the console.

You should see it in the AWS console under EC2 -> Key Pairs for the correct region. You should delete it using the console before retrying the import with Terraform.

Answer 2 (score: 0)

Use the ${uuid()} function to always get a random ID for the key pair at generation time. The chosen/generated UUID is put into the state file, so you can still delete, but no update is possible. Every time you apply the Terraform file, a new key pair is generated...

While it is true that you cannot generate a key pair from scratch with the AWS provider, you can create a new key pair object in AWS from an RSA private key generated by the TLS provider.

resource "aws_key_pair" "test" {
    key_name   = "${uuid()}"
    public_key = "${tls_private_key.t.public_key_openssh}"
}
provider "tls" {}
resource "tls_private_key" "t" {
    algorithm = "RSA"
}
provider "local" {}
resource "local_file" "key" {
    content  = "${tls_private_key.t.private_key_pem}"
    filename = "id_rsa"
    provisioner "local-exec" {
        command = "chmod 600 id_rsa"
    }
}

Generate the key with the tls provider and import it as a new object each time. Then export the private key so you can reach the server later.

It is worth noting that this breaks one of the paradigms Terraform tries to follow (infrastructure as code), but from a practical development point of view that may be a bit too idealistic... a Terraform build that fails partway through and is then flagged as invalid. A better solution might be for the AWS plugin to auto-import on receiving an "already exists" error, or to offer that as an optional behaviour that can be switched on.