ssh_key Module Does Not Update SSH Key When Public Key Changes #578

Open
cf-sewe opened this issue Oct 30, 2024 · 2 comments

cf-sewe commented Oct 30, 2024

SUMMARY

The hetzner.hcloud.ssh_key Ansible module currently does not support updating the public key when the local SSH key changes. As a result, it is not possible to refresh the key without deleting and recreating it manually. Attempting to pass an updated public_key value does not trigger an update.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

hetzner.hcloud.ssh_key module in the hetzner.hcloud collection.

ANSIBLE VERSION

ansible [core 2.17.5]
  config file = /Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg
  configured module search path = ['/Users/x.x/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/lib/python3.13/site-packages/ansible
  ansible collection location = /Users/x.x/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.13.0 (main, Oct  7 2024, 05:02:14) [Clang 16.0.0 (clang-1600.0.26.3)] (/opt/homebrew/opt/python@3.13/bin/python3.13)
  jinja version = 3.1.4
  libyaml = True

COLLECTION VERSION

Collection        Version
----------------- -------
community.general 8.5.0

CONFIGURATION

ANSIBLE_FORCE_COLOR(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = True
ANSIBLE_NOCOWS(/Users/x.x/x/cplace-ops-cloud/ansible/ansible.cfg) = True
ANSIBLE_PIPELINING(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = True
CONFIG_FILE() = /Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg
DEFAULT_FORKS(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = 20
DEFAULT_LOG_PATH(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = /Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.log
DEFAULT_MANAGED_STR(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = Ansible managed: {file}
DEFAULT_PRIVATE_KEY_FILE(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = /Users/x.x/.ssh/ansible_bootstrap_key
DEFAULT_REMOTE_USER(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = ansible
DEFAULT_ROLES_PATH(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = ['/Users/x.x/vscode/cplace-ops-cloud/ansible/roles']
EDITOR(env: EDITOR) = nano
HOST_KEY_CHECKING(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = False
INJECT_FACTS_AS_VARS(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = True
PAGER(env: PAGER) = less
RETRY_FILES_ENABLED(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = False
TRANSFORM_INVALID_GROUP_CHARS(/Users/x.x/vscode/cplace-ops-cloud/ansible/ansible.cfg) = ignore

OS / ENVIRONMENT

STEPS TO REPRODUCE

- name: "Generate ed25519 SSH key pair for bootstrapping"
  community.crypto.openssh_keypair:
    comment: "Ansible bootstrap key"
    mode: "0400"
    path: "{{ ansible_env.HOME }}/.ssh/ansible_bootstrap_key"
    state: present
    type: ed25519
  register: bootstrap_keypair

- name: "Create a new SSH key with updated fingerprint label"
  hetzner.hcloud.ssh_key:
    api_token: "{{ infra_hcloud_api_token }}"
    name: ansible-bootstrap
    public_key: "{{ bootstrap_keypair.public_key }}"
    state: present

EXPECTED RESULTS

The hetzner.hcloud.ssh_key module should detect a change in the public_key and update the SSH key in Hetzner Cloud to match the new public key provided.

ACTUAL RESULTS

The module does not detect any changes and does not update the SSH key on Hetzner Cloud, even when a new public_key is provided.

jooola (Collaborator) commented Oct 31, 2024

The API docs do not provide a way to update the public key: https://docs.hetzner.cloud/#ssh-keys-update-an-ssh-key

To make this work, we must delete and create a new SSH key. Would that be the behavior that you expect? I am not sure that I like the idea of magically deleting the SSH key without the user knowing.

cf-sewe (Author) commented Oct 31, 2024

Yes, I would have expected that the role would "update" a key if it changes (source of truth in Git / Ansible), even if it means that a key would be deleted / recreated. Maybe a force option could be considered as well. And the behaviour should be documented. I have now implemented the recreation myself, but of course a built-in solution is beneficial generally.
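
An added example, not part of the issue thread or the collection's code: one way to make the delete-and-recreate step explicit in a playbook, reusing `bootstrap_keypair` and `infra_hcloud_api_token` from the reproduction steps. It assumes `hetzner.hcloud.ssh_key_info` returns its matches in `hcloud_ssh_key_info` with a `public_key` field; `registered_key` and `bootstrap_key_drifted` are hypothetical names.

```yaml
# Added example: detect a rotated local key and replace the registered one.
# Assumes bootstrap_keypair and infra_hcloud_api_token exist as in the
# reproduction steps; registered_key / bootstrap_key_drifted are made-up names.
- name: "Look up the key currently registered under this name"
  hetzner.hcloud.ssh_key_info:
    api_token: "{{ infra_hcloud_api_token }}"
    name: ansible-bootstrap
  register: registered_key

# Compare only "<type> <base64 body>"; the trailing comment is not key material
# and may differ between the local file and what the API stored.
- name: "Decide whether the registered key differs from the local one"
  ansible.builtin.set_fact:
    bootstrap_key_drifted: >-
      {{ registered_key.hcloud_ssh_key_info | length > 0 and
         registered_key.hcloud_ssh_key_info[0].public_key.split()[:2]
         != bootstrap_keypair.public_key.split()[:2] }}

# The deletion is its own task, so it shows up as "changed" in the play output
# instead of happening silently inside the module.
- name: "Delete the stale key"
  hetzner.hcloud.ssh_key:
    api_token: "{{ infra_hcloud_api_token }}"
    name: ansible-bootstrap
    state: absent
  when: bootstrap_key_drifted | bool

- name: "Register the current public key"
  hetzner.hcloud.ssh_key:
    api_token: "{{ infra_hcloud_api_token }}"
    name: ansible-bootstrap
    public_key: "{{ bootstrap_keypair.public_key }}"
    state: present
```

Replacing the key in Hetzner Cloud only affects servers created afterwards; servers provisioned with the old key still carry it in `authorized_keys` until it is removed there.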
