From d7159bc6784b7d86f7d093886a9e8d9226fc8a63 Mon Sep 17 00:00:00 2001 From: Daniel Mikula Date: Mon, 22 May 2023 13:21:02 +0200 Subject: [PATCH] added private key encryption --- README.md | 4 +++- ec2.tf | 8 ++++++++ setup_scripts/encrypt_private_key.sh | 6 ++++++ variables.tf | 5 +++++ 4 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 setup_scripts/encrypt_private_key.sh diff --git a/README.md b/README.md index af975b2..7a5dae0 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,9 @@ Launches EC2 instance, creates private key, and saves it on the machine. Usage: ``` -terraform apply -var="instance_type=t2.nano" -var="instance_name=k3s-box" -var="instance_ami=ami-0889a44b331db0194" -var="availability_zone=us-east-1a" -var="create_ebs_block_device=false" - var="enable_ingress_http=false" -var="duckdns_domain=" -var="duckdns_token=" -auto-approve +terraform apply -var="instance_type=t2.nano" -var="instance_name=k3s-box" -var="instance_ami=ami-0889a44b331db0194" -var="availability_zone=us-east-1a" -var="create_ebs_block_device=false" - var="enable_ingress_http=false" -var="duckdns_domain=" -var="duckdns_token=" -var="private_key_password=" -auto-approve ``` +Or create a tfvars file. + Defaults of vars are set to the ones provided in "Usage" \ No newline at end of file diff --git a/ec2.tf b/ec2.tf index e149a55..37d57eb 100644 --- a/ec2.tf +++ b/ec2.tf @@ -33,6 +33,14 @@ resource "aws_instance" "k3s_box" { ] } + provisioner "local-exec" { + inline = [ + "chmod +x ./setup_scripts/encrypt_private_key.sh", + "./setup_scripts/encrypt_private_key.sh ${var.private_key_password} ${local_file.k3s_box_private_key.filename}" + ] + } + + tags = { Name = var.instance_name } diff --git a/setup_scripts/encrypt_private_key.sh b/setup_scripts/encrypt_private_key.sh new file mode 100644 index 0000000..4e8cb91 --- /dev/null +++ b/setup_scripts/encrypt_private_key.sh 
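Review bot: In ec2.tf the added provisioner uses `inline`, which is a `remote-exec` argument; `local-exec` requires `command`, so this block should fail validation as written. The second entry also interpolates `${var.private_key_password}` unquoted into a shell line, so a passphrase containing spaces or shell metacharacters is split or interpreted by the local shell, and the value ends up in the process arguments and in Terraform's echo of the command. Passing it through the provisioner's `environment` map keeps it out of the command string; the script then has to read `KEY_PASSPHRASE` instead of `$1` and take the file name as its only argument. The `aws_instance` block starts and ends outside the hunk.

```hcl
  provisioner "local-exec" {
    command = "bash ./setup_scripts/encrypt_private_key.sh \"$KEY_FILE\""
    environment = {
      KEY_PASSPHRASE = var.private_key_password
      KEY_FILE       = local_file.k3s_box_private_key.filename
    }
  }
```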
@@ -0,0 +1,6 @@
+#! /bin/bash
+
+# assuming gpg is installed
+password="$1"
+filename="$2"
+gpg --symmetric --cipher-algo AES256 --passphrase "$password" "$filename"
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 18057c9..44c11a0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -36,4 +36,9 @@ variable "duckdns_domain" {
 variable "duckdns_token" {
 type = string
 default = "None"
+}
+
+variable "private_key_password" {
+ type = string
+ default = "password"
 }
\ No newline at end of file
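Review bot: In setup_scripts/encrypt_private_key.sh the passphrase reaches gpg as `--passphrase "$password"`, so it sits in the argument list of both the script and gpg, where other local users can read it from the process table. The gpg manual also notes that since 2.1 `--passphrase` is only honoured together with `--batch` and `--pinentry-mode loopback`, so on a current GnuPG this call may stop at a pinentry prompt during `terraform apply`. Reading the passphrase from a descriptor addresses both: `printf '%s' "$KEY_PASSPHRASE" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --symmetric --cipher-algo AES256 -- "$filename"`. gpg writes `$filename.gpg` and leaves the plaintext key where it was, so if only the encrypted copy is meant to stay on disk, the original has to be removed after a successful run. A `set -euo pipefail` line and a check that both inputs are non-empty would make a failed or skipped encryption visible to Terraform.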
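Review bot: In variables.tf the new `private_key_password` variable defaults to the literal `"password"`, so an apply that does not set it encrypts the key with a passphrase anyone reading this repository knows. Removing the `default = "password"` line makes Terraform require a value, and adding `sensitive = true` keeps it out of plan and apply output. The README example passes `-var="private_key_password="`, i.e. an empty passphrase; a `validation` block that rejects an empty string would catch that, and supplying the value through `TF_VAR_private_key_password` keeps it out of shell history.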