…stem

Previously, the bastion SSH key was written to ~/.ssh/ during `pulumi up` via a local command, which only worked for the engineer who ran the initial deployment. Other engineers would fail to connect because the key wasn't on their machine.

Now the SSH key is exported as a Pulumi stack output and fetched on demand when starting a proxy session. The key is written to a temp file and cleaned up when the proxy stops.

Additional changes:
- Consolidate BastionName/JumpBoxId into single BastionInfo lookup
- Export PTD_ROOT in workon shell for manual pulumi commands
- Remove local.run_output that wrote SSH key to ~/.ssh/
Description
The Azure bastion SSH key was previously written to `~/.ssh/` during `pulumi up` via a `local.run_output` command. This only worked for the engineer who ran the initial deployment — other engineers couldn't connect because the key wasn't on their machine.

This PR exports the SSH key as a Pulumi stack output and fetches it on demand when starting a proxy session.
Code Flow
- `bastion_ssh_private_key`) from the persistent stack via `azure_workload_persistent.py`.
- (`target.go`): `BastionName()` and `JumpBoxId()` are consolidated into a single `BastionInfo()` method that fetches all bastion connection details (name, jumpbox ID, SSH key) from the persistent stack in one lookup.
- (`proxy.go`): When starting a proxy session, the SSH key is written to a temp file via `os.CreateTemp`, used for the SSH SOCKS connection, and cleaned up in `Stop()`.
- (`workon.go`): `PTD_ROOT` is now exported to the `workon` shell environment so that `pulumi` commands work correctly within the shell.

Rollout
The `bastion_ssh_private_key` output must be registered via `pulumi up` on the persistent stack for each Azure workload before deploying the new binary. I will run `ensure` on all Azure workloads so the new stack output is in place for everyone before merging.

Category of change
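The temp-file lifecycle the Code Flow section describes for `proxy.go`, as an added example rather than the project's own code: `bastionSession`, `writeKey` and the placeholder key bytes are assumptions, and the point a reviewer would check is that the key file stays owner-only (0600) and is removed on every exit path, not only in `Stop()`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// bastionSession is a hypothetical stand-in for the proxy session; it owns the
// temp file holding the key fetched from the Pulumi stack output.
type bastionSession struct{ keyPath string }

// writeKey materialises the private key for ssh. os.CreateTemp creates the file
// with mode 0600 (owner-only); that mode is verified rather than assumed, and
// any failure removes the file so no key material is left behind.
func (s *bastionSession) writeKey(key []byte) (string, error) {
	if len(key) == 0 {
		return "", errors.New("bastion SSH key is empty: is the stack output registered?")
	}
	f, err := os.CreateTemp("", "bastion-key-*")
	if err != nil {
		return "", err
	}
	path := f.Name()
	_, werr := f.Write(key)
	info, serr := os.Stat(path)
	if err = errors.Join(werr, f.Close(), serr); err == nil && info.Mode().Perm() != 0o600 {
		err = fmt.Errorf("refusing to use %s: unexpected permissions", path)
	}
	if err != nil {
		os.Remove(path)
		return "", err
	}
	s.keyPath = path
	return path, nil
}

// Stop deletes the key file when the proxy stops; a path that is already gone
// (or was never written) is not an error, so repeated calls are harmless.
func (s *bastionSession) Stop() error {
	err := os.Remove(s.keyPath)
	s.keyPath = ""
	if errors.Is(err, os.ErrNotExist) {
		return nil
	}
	return err
}

func main() {
	s := &bastionSession{}
	fmt.Println(s.writeKey([]byte("PLACEHOLDER KEY BYTES\n"))) // constructed bytes, not a real key
	fmt.Println("cleanup error:", s.Stop())
}
```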