Deploy SSH Keypairs with Terraform

An SSH keypair stores an SSH public key and its PEM-encoded private key. SSH keypairs are scoped to your organisation, versioned with rotation history, and can be attached to projects and containers.

Required fields

Read-only fields

Example

resource "bahriya_ssh_keypair" "deploy_key" {
  handle      = "deploy-key"
  name        = "Production Deploy Key"
  public_key  = file("${path.module}/keys/deploy.pub")
  private_key = file("${path.module}/keys/deploy")
}

Attach it to a project so it deploys to the project's regions:

resource "bahriya_project" "production" {
  handle  = "production"
  name    = "Production"
  regions = ["helsinki-1", "falkenstein-1"]
}
 
resource "bahriya_project_ssh_keypair_attachment" "deploy_key" {
  project_id = bahriya_project.production.id
  handle     = bahriya_ssh_keypair.deploy_key.handle
}

Then mount it on a container — the public and private keys land as files in mountpath:

resource "bahriya_container" "deployer" {
  # ... other fields ...
 
  ssh_keypairs = [
    {
      handle    = bahriya_ssh_keypair.deploy_key.handle
      mountpath = "/etc/bahriya/ssh"
    },
  ]
}

Rotation

To rotate key material, update the public_key and private_key fields in your Terraform config and run terraform apply. The Bahriya API creates a new version and marks it current. Previous versions are retained for rollback (default: last 5).

After rotation, file-mounted containers pick up the new keys automatically within about 60 seconds. No manual redeploy is needed for file-mounted keys.

Importing an existing keypair

terraform import bahriya_ssh_keypair.deploy_key <uuid>

Pricing

SSH keypairs are billed at $0.02 per month while they exist in your organisation, plus $0.02 per region per month when attached to a project.