Store user_data scripts in S3.

7Factor · Mar 1, 2024 · 4901a8f · 4901a8f
1 parent b330b28
commit 4901a8f
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 5 deletions.
diff --git a/asg.tf b/asg.tf
@@ -52,7 +52,21 @@ resource "aws_launch_template" "web_template" {
     var.utility_accessible_sg,
   ]
 
-  user_data = base64encode(templatefile("${path.module}/templates/web_user_data.sh", local.web_interpolation_vars))
+  user_data = <<EOF
+#-------------------------------------------#
+#-----> COPY THE CONFIG FILES FROM S3 <-----#
+#-------------------------------------------#
+
+sudo aws s3 cp s3://${var.user_data_bucket_name}/web_user_data.sh ./
+sudo chmod +x web_user_data.sh
+
+#-------------------------------------------#
+#---------> RUN THE CONFIG FILES  <---------#
+#-------------------------------------------#
+
+./web_user_data.sh
+
+EOF
 
   iam_instance_profile {
     name = aws_iam_instance_profile.concourse_profile.name
@@ -123,7 +137,21 @@ resource "aws_launch_template" "worker_template" {
     aws_security_group.worker_sg.id,
   ]
 
-  user_data = base64encode(templatefile("${path.module}/templates/worker_user_data.sh", local.worker_interpolation_vars))
+  user_data = <<EOF
+#-------------------------------------------#
+#-----> COPY THE CONFIG FILES FROM S3 <-----#
+#-------------------------------------------#
+
+sudo aws s3 cp s3://${var.user_data_bucket_name}/worker_user_data.sh ./
+sudo chmod +x worker_user_data.sh
+
+#-------------------------------------------#
+#---------> RUN THE CONFIG FILES  <---------#
+#-------------------------------------------#
+
+./worker_user_data.sh
+
+EOF
 
   iam_instance_profile {
     name = aws_iam_instance_profile.concourse_profile.name

diff --git a/iam.tf b/iam.tf
@@ -48,15 +48,16 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_policies" {
   policy_arn = data.aws_iam_policy.cloudwatch_agent_policy.arn
 }
 
-resource "aws_iam_role_policy" "ssm_get_parameters" {
-  name = "ConcourseCI-SSM-GetParameters"
+resource "aws_iam_role_policy" "s3_get_user_data" {
+  name = "ConcourseCI-S3-Retrieve-UserData"
   role = aws_iam_role.concourse_role.id
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
       {
         Action = [
-          "ssm:GetParameter"
+          "s3:ListBucket",
+          "s3:GetObject"
         ]
         Effect   = "Allow"
         Resource = "*"

diff --git a/s3.tf b/s3.tf
@@ -0,0 +1,20 @@
+resource "aws_s3_bucket" "user_data" {
+  bucket = var.user_data_bucket_name
+}
+
+resource "aws_s3_bucket_acl" "user_data_acl" {
+  bucket = aws_s3_bucket.user_data.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "web_user_data" {
+  bucket  = aws_s3_bucket.user_data.id
+  key     = "web_user_data.sh"
+  content = templatefile("${path.module}/templates/web_user_data.sh", local.web_interpolation_vars)
+}
+
+resource "aws_s3_bucket_object" "worker_user_data" {
+  bucket  = aws_s3_bucket.user_data.id
+  key     = "worker_user_data.sh"
+  content = templatefile("${path.module}/templates/worker_user_data.sh", local.worker_interpolation_vars)
+}
diff --git a/variables.tf b/variables.tf
@@ -72,3 +72,8 @@ variable "cloudwatch_namespace" {
   default     = "Concourse"
   description = "The namespace to use for CloudWatch metrics."
 }
+
+variable "user_data_bucket_name" {
+  default     = "concourse-user-data"
+  description = "The name of the S3 bucket to store user data (init scripts) in."
+}