-
Notifications
You must be signed in to change notification settings - Fork 2
/
userdata.sh
135 lines (109 loc) · 3.73 KB
/
userdata.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
#! /usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
systemctl start amazon-ssm-agent.service
systemctl enable amazon-ssm-agent.service
# Set Bin directory
BIN_DIR=/usr/local/bin
# Get the Instance ID
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
# Set the Hostname
hostnamectl set-hostname "${ name_prefix }-$INSTANCE_ID"
# Download cfssl
curl -sL https://github.com/cloudflare/cfssl/releases/download/v${ cfssl_version }/cfssl_${ cfssl_version }_linux_amd64 -o $BIN_DIR/cfssl
curl -sL https://github.com/cloudflare/cfssl/releases/download/v${ cfssl_version }/cfssljson_${ cfssl_version }_linux_amd64 -o $BIN_DIR/cfssljson
chmod +x $BIN_DIR/cfssl
chmod +x $BIN_DIR/cfssljson
# Get Metadata
MYIP=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/local-ipv4)
MYDNS=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/local-hostname)
cat <<EOF > ${ vault_config_dir }/config.hcl
cluster_name = "${ name_prefix }"
max_lease_ttl = "${ vault_max_lease_ttl }"
default_lease_ttl = "${ vault_default_lease_ttl }"
ui = "true"
api_addr = "${ vault_api_address }"
cluster_addr = "https://$MYIP:8201"
seal "awskms" {
region = "${ region }"
kms_key_id = "${ vault_kms_seal_key_id }"
}
listener "tcp" {
address = "0.0.0.0:9200"
tls_disable = "true"
}
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_disable = "false"
tls_min_version = "${ tls_min_version }"
tls_client_ca_file = "${ vault_cert_dir }/ca.crt"
tls_cert_file = "${ vault_cert_dir }/cert.pem"
tls_require_and_verify_client_cert = ${ vault_tls_require_and_verify_client_cert }
tls_key_file = "${ vault_cert_dir }/cert-key.pem"
}
storage "dynamodb" {
ha_enabled = "true"
region = "${ region }"
table = "${ dynamodb_table_name }"
}
telemetry {
disable_hostname = true
prometheus_retention_time = "${ prometheus_retention_time }"
}
${ vault_additional_config }
EOF
cat <<EOF > ${ vault_cert_dir }/cfssl-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"default": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth",
"server auth"
],
"expiry": "8760h"
}
}
}
}
EOF
cat <<EOF > ${ vault_cert_dir }/cert.json
{
"CN": "${ vault_dns_domain }",
"key": {
"algo": "ecdsa",
"size": 384
},
"hosts": [
"${ vault_dns_domain }",
"localhost",
"127.0.0.1",
"$MYDNS",
"$MYIP"
]
}
EOF
# Get CA and generate cert
aws --region ${ region } secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:${region}:${account_id}:secret:${name_prefix}/tls/ca_pem --query SecretString --output text > ${ vault_cert_dir }/ca.crt
aws --region ${ region } secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:${region}:${account_id}:secret:${name_prefix}/tls/ca_key --query SecretString --output text > ${ vault_cert_dir }/ca.key
cd ${ vault_cert_dir }
$BIN_DIR/cfssl gencert -ca ca.crt -ca-key ca.key -config cfssl-config.json -profile=default cert.json | $BIN_DIR/cfssljson -bare cert
cat ${ vault_cert_dir }/ca.crt >> ${ vault_cert_dir }/cert.pem
# Ensure correct permissions
chown -R vault:vault ${ vault_config_dir }
chown -R vault:vault ${ vault_cert_dir } && chmod 600 ${ vault_cert_dir }/*
# Remove CA Key from node
rm -f ${ vault_cert_dir }/ca.key
${ vault_additional_userdata }
# Start Vault now and on boot
systemctl enable vault
systemctl start vault