terraform: Scan and add SSH host keys

After having deployed the cluster, the first connection to deployed
machines is currently going to fail because of unknown host keys. Let's
improve this situation by scanning deployed hosts and adding their keys
to the known_hosts file automatically.

2 files changed, 14 insertions, 0 deletions

diff --git a/_support/terraform/roles/deploy/handlers/main.yml b/_support/terraform/roles/deploy/handlers/main.yml
new file mode 100644
index 000000000..d2d7522d2
--- /dev/null
+++ b/_support/terraform/roles/deploy/handlers/main.yml
@@ -0,0 +1,12 @@
+- name: scan SSH keys
+  command: "ssh-keyscan {{ item }}"
+  register: ssh_keys
+  with_items: "{{ tfstate.outputs.gitaly_ssh_ip.value.values() | list + tfstate.outputs.praefect_ssh_ip.value.values() | list + [tfstate.outputs.gitlab_external_ip.value] }}"
+  listen: add hostkeys
+
+- name: add SSH keys to known hosts
+  known_hosts:
+    name: "{{ item.item }}"
+    key: "{{ item.stdout }}"
+  with_items: "{{ ssh_keys.results }}"
+  listen: add hostkeys
diff --git a/_support/terraform/roles/deploy/tasks/main.yml b/_support/terraform/roles/deploy/tasks/main.yml
index bb9ac2268..152d844cb 100644
--- a/_support/terraform/roles/deploy/tasks/main.yml
+++ b/_support/terraform/roles/deploy/tasks/main.yml
@@ -18,6 +18,8 @@
     variables_file: terraform.tfvars
     force_init: true
   register: tfstate
+  notify:
+    - add hostkeys
 
 - name: hosts.ini
   template: