From e18c841dbac00802b8a92a8311e1608206aa98cc Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Wed, 24 Dec 2025 10:14:21 -0800
Subject: [PATCH 1/4] terraform/azure: create an ssh key if not provided one closes #46
---
 terraform/azure/azure-linux-vm/main.tf | 15 ++++++++++-----
 terraform/azure/azure-linux-vm/variables.tf | 4 +++-
 terraform/azure/azure-linux-vm/versions.tf | 4 ++++
 .../azure/internal-modules/azure-linux-vm/main.tf | 2 +-
 .../internal-modules/azure-linux-vm/variables.tf | 4 ++--
 5 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/terraform/azure/azure-linux-vm/main.tf b/terraform/azure/azure-linux-vm/main.tf
index 90a5663..2a12d57 100644
--- a/terraform/azure/azure-linux-vm/main.tf
+++ b/terraform/azure/azure-linux-vm/main.tf
@@ -30,7 +30,7 @@ locals {
 subnet_id = module.vpc.public_subnet_id
 network_security_group_id = azurerm_network_security_group.tailscale_ingress.id
 instance_type = "Standard_D2as_v6"
- admin_public_key_path = var.admin_public_key_path
+ admin_public_key = var.admin_public_key_path == "" ? tls_private_key.ssh[0].public_key_pem : file(var.admin_public_key_path)
 }
 resource "azurerm_resource_group" "main" {
@@ -53,6 +53,11 @@ module "vpc" {
 subnet_name_private_dns_resolver = "dns-inbound"
 }
+resource "tls_private_key" "ssh" {
+ count = var.admin_public_key_path == "" ? 1 : 0
+ algorithm = "ED25519"
+}
+
 #
 # Tailscale instance resources
 #
@@ -87,10 +92,10 @@ module "tailscale_azure_linux_virtual_machine" {
 network_security_group_id = local.network_security_group_id
 public_ip_address_id = azurerm_public_ip.vm.id
- machine_name = local.name
- machine_size = local.instance_type
- admin_public_key_path = local.admin_public_key_path
- resource_tags = local.azure_tags
+ machine_name = local.name
+ machine_size = local.instance_type
+ admin_public_key = local.admin_public_key
+ resource_tags = local.azure_tags
 # Variables for Tailscale resources
 tailscale_hostname = local.name
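Review bot: The `tls_private_key.ssh` resource added in terraform/azure/azure-linux-vm/main.tf (hunk `@@ -53,6 +53,11 @@`) keeps the generated private key unencrypted in Terraform state, which the hashicorp/tls provider documentation warns about, and nothing in the patch records that. Anyone who can read the state backend can then log in to the VM as the admin user; PATCH 3/4 also exposes the same key as the `ssh_private_key_openssh` output, where `sensitive = true` only redacts CLI display. I would add a comment above the resource, for example `# NOTE: the generated private key is stored unencrypted in state; for long-lived VMs pass admin_public_key_path instead and restrict access to the state backend`, and say the same in the `admin_public_key_path` description.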
diff --git a/terraform/azure/azure-linux-vm/variables.tf b/terraform/azure/azure-linux-vm/variables.tf
index 8d7c73a..bc45d48 100644
--- a/terraform/azure/azure-linux-vm/variables.tf
+++ b/terraform/azure/azure-linux-vm/variables.tf
@@ -2,5 +2,7 @@
 # Variables for Azure resources
 #
 variable "admin_public_key_path" {
- type = string
+ type = string
+ description = "Path to the SSH public key to assign to the virtual machine - if omitted, a key will be created"
+ default = ""
 }
diff --git a/terraform/azure/azure-linux-vm/versions.tf b/terraform/azure/azure-linux-vm/versions.tf
index d5e75c5..e2e3409 100644
--- a/terraform/azure/azure-linux-vm/versions.tf
+++ b/terraform/azure/azure-linux-vm/versions.tf
@@ -4,6 +4,10 @@ terraform {
 source = "hashicorp/azurerm"
 version = ">= 4.0, < 5.0"
 }
+ tls = {
+ source = "hashicorp/tls"
+ version = ">= 4.0, < 5.0"
+ }
 tailscale = {
 source = "tailscale/tailscale"
 version = ">= 0.24"
diff --git a/terraform/azure/internal-modules/azure-linux-vm/main.tf b/terraform/azure/internal-modules/azure-linux-vm/main.tf
index 98a2257..dfce3b5 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/main.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/main.tf
@@ -43,7 +43,7 @@ resource "azurerm_linux_virtual_machine" "tailscale_instance" {
 admin_username = var.admin_username
 admin_ssh_key {
 username = var.admin_username
- public_key = file(var.admin_public_key_path)
+ public_key = var.admin_public_key
 }
 os_disk {
diff --git a/terraform/azure/internal-modules/azure-linux-vm/variables.tf b/terraform/azure/internal-modules/azure-linux-vm/variables.tf
index 82652bb..456cbba 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/variables.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/variables.tf
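Review bot: `default = ""` in terraform/azure/azure-linux-vm/variables.tf makes the empty string the "no key supplied" marker, and the test `var.admin_public_key_path == ""` is then written out separately in the `locals` block, in the `tls_private_key` count and in the output added by PATCH 3/4. A single local such as `generate_ssh_key = var.admin_public_key_path == ""` referenced from all three places would keep the conditions from drifting apart. If the module's supported Terraform versions allow it, `default = null` with a `== null` test is the more conventional way to express an omitted value.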
@@ -38,8 +38,8 @@ variable "admin_username" {
 type = string
 default = "ubuntu"
 }
-variable "admin_public_key_path" {
- description = "The filepath of the SSH public key to assign to the virtual machine"
+variable "admin_public_key" {
+ description = "The SSH public key to assign to the virtual machine"
 type = string
 }
 variable "public_ip_address_id" {
From e4b6473bd9f220241aab078b6487fc41d7ca763f Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Wed, 24 Dec 2025 10:19:46 -0800
Subject: [PATCH 2/4] fix ssh key usage
---
 terraform/azure/azure-linux-vm/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/azure/azure-linux-vm/main.tf b/terraform/azure/azure-linux-vm/main.tf
index 2a12d57..a35b44f 100644
--- a/terraform/azure/azure-linux-vm/main.tf
+++ b/terraform/azure/azure-linux-vm/main.tf
@@ -30,7 +30,7 @@ locals {
 subnet_id = module.vpc.public_subnet_id
 network_security_group_id = azurerm_network_security_group.tailscale_ingress.id
 instance_type = "Standard_D2as_v6"
- admin_public_key = var.admin_public_key_path == "" ? tls_private_key.ssh[0].public_key_pem : file(var.admin_public_key_path)
+ admin_public_key = var.admin_public_key_path == "" ? tls_private_key.ssh[0].public_key_openssh : file(var.admin_public_key_path)
 }
 resource "azurerm_resource_group" "main" {
From 3040e08432d5c421c5ff6f0ca9dd2210909c0d30 Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Wed, 24 Dec 2025 10:25:28 -0800
Subject: [PATCH 3/4] Update outputs.tf
---
 terraform/azure/azure-linux-vm/outputs.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/terraform/azure/azure-linux-vm/outputs.tf b/terraform/azure/azure-linux-vm/outputs.tf
index 9a84535..c27982d 100644
--- a/terraform/azure/azure-linux-vm/outputs.tf
+++ b/terraform/azure/azure-linux-vm/outputs.tf
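Review bot: `admin_public_key` in terraform/azure/internal-modules/azure-linux-vm/variables.tf now carries key material instead of a path, but nothing checks its format; PATCH 1/4 passed `public_key_pem` into it and PATCH 2/4 had to correct that. A `validation` block with `condition = can(regex("^ssh-", var.admin_public_key))` and a matching `error_message` would reject a PEM blob or a leftover file path before the value reaches `azurerm_linux_virtual_machine`; the exact prefix list should follow the key types Azure accepts. The rename from `admin_public_key_path` also breaks any other caller of this internal module that still passes a path, and such callers are not visible in this series.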
@@ -32,6 +32,11 @@ output "instance_id" {
 value = module.tailscale_azure_linux_virtual_machine.instance_id
 }
+output "ssh_private_key_openssh" {
+ value = var.admin_public_key_path == "" ? tls_private_key.ssh[0].private_key_openssh : null
+ sensitive = true
+}
+
 output "user_data_md5" {
 description = "MD5 hash of the VM user_data script - for detecting changes"
 value = module.tailscale_azure_linux_virtual_machine.user_data_md5
From fb76c7fb453bac218fc62791cc9a58a2cc9a3a04 Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Wed, 24 Dec 2025 10:26:34 -0800
Subject: [PATCH 4/4] terraform fmt
---
 terraform/azure/azure-linux-vm/outputs.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/azure/azure-linux-vm/outputs.tf b/terraform/azure/azure-linux-vm/outputs.tf
index c27982d..97ad700 100644
--- a/terraform/azure/azure-linux-vm/outputs.tf
+++ b/terraform/azure/azure-linux-vm/outputs.tf
@@ -33,8 +33,8 @@ output "instance_id" {
 }
 output "ssh_private_key_openssh" {
- value = var.admin_public_key_path == "" ? tls_private_key.ssh[0].private_key_openssh : null
- sensitive = true
+ value = var.admin_public_key_path == "" ? tls_private_key.ssh[0].private_key_openssh : null
+ sensitive = true
 }
 output "user_data_md5" {
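Review bot: The `ssh_private_key_openssh` output added in terraform/azure/azure-linux-vm/outputs.tf (PATCH 3/4) has no `description`, unlike the neighbouring `user_data_md5` output, and it is the output whose handling matters most. I would add `description = "Generated SSH private key in OpenSSH format; null when admin_public_key_path is set. Also present in Terraform state - treat state as a secret."`. `sensitive = true` redacts the value in plan and apply output, but `terraform output -raw ssh_private_key_openssh` and the state file still return it, so the description is where a user of the module learns how to treat it.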