puppetmaster.conf

#cloud-config
apt_sources:
 - source: "deb http://apt.puppetlabs.com trusty main"
   keyid: 1054b7a24bd6ec30
apt_upgrade: true
locale: en_US.UTF-8
packages:
 - puppet
 - git
 - traceroute
 - nmap
 - vim
 - puppetmaster-passenger
 - python-pip
 - ruby-dev
write_files:
-   path: /etc/apache2/ports.conf
    permissions: '0644'
    content: ""
-   path: /etc/apache2/sites-available/000-default.conf
    permissions: '0644'
    content: ""
-   path: /etc/apache2/sites-available/default-ssl.conf
    permissions: '0644'
    content: ""
-   path: /root/config.ru
    permissions: '0644'
    content: |
        $0 = "master"

        ARGV << "--debug"

        require 'puppet/util/command_line'

        class EnvironmentMiddleware
          def initialize(app)
            @app = app
          end

          def call(env)
            ENV['HTTP_REMOTE_ADDR'] = env['REMOTE_ADDR']
            @app.call(env)
          end
        end

        use EnvironmentMiddleware
        run Puppet::Util::CommandLine.new.execute
-   path: /etc/puppet/puppet.conf
    permissions: '0444'
    content: |
        [main]
        logdir=/var/log/puppet
        vardir=/var/lib/puppet
        ssldir=/var/lib/puppet/ssl
        rundir=/var/run/puppet
        factpath=$vardir/lib/facter
        templatedir=$confdir/templates

        [master]
        node_terminus = exec
        external_nodes = /usr/local/bin/ec2_enc.rb
        # These are needed when the puppetmaster is run by passenger
        # and can safely be removed if webrick is used.
        ssl_client_header = SSL_CLIENT_S_DN
        ssl_client_verify_header = SSL_CLIENT_VERIFY
-   path: /etc/cron.d/puppet
    permissions: '0644'
    content: "*/30 * * * * root /usr/bin/puppet agent -t 2>&1 | logger -t puppete\n"
-   path: /etc/cron.d/puppetupdate
    permissions: '0644'
    content: "*/5 * * * * root /usr/local/sbin/puppetupdate 2>&1 | logger -t puppetupdate\n"
-   path: /usr/local/sbin/puppetupdate
    permissions: '0700'
    content: |
        #!/bin/sh
        #
        set -e
        cd /etc/puppet
        /usr/bin/git fetch
        /usr/bin/git reset --hard origin/master
        cd vendor
        /usr/local/bin/r10k puppetfile install
        /usr/local/bin/r10k puppetfile purge
-   path: /root/fixpuppetmaster.sh
    permissions: '0700'
    content: |
        #!/bin/bash
        chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
        /etc/init.d/apache2 stop;
        while [ $(ps aux |grep [P]assenger| grep -v bash | wc -l) -gt 0 ]; do sleep 1; done;
        puppet master &
        sleep 5
        kill $(ps aux | grep '[p]uppet master' | awk '{print $2}')
        sleep 5
        /etc/init.d/apache2 start
-   path: /usr/local/bin/autosign.rb
    permissions: '0755'
    content: |
        #!/usr/bin/ruby

        # Copyright 2014 Jeremy T. Bouse
        #
        # Licensed under the Apache License, Version 2.0 (the "License");
        # you may not use this file except in compliance with the License.
        # You may obtain a copy of the License at
        #
        #     http://www.apache.org/licenses/LICENSE-2.0
        #
        # Unless required by applicable law or agreed to in writing, software
        # distributed under the License is distributed on an "AS IS" BASIS,
        # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
        # See the License for the specific language governing permissions and
        # limitations under the License.
        require 'rubygems'
        require 'aws-sdk'
        require 'puppet'
        require 'puppet/ssl/certificate_request'
        require 'yaml'
        clientcert = ARGV.pop

        csr = Puppet::SSL::CertificateRequest.from_s(STDIN.read)
        l = File.open('/var/log/puppet/autosign.log', 'a')
        remote_ip = ENV['HTTP_REMOTE_ADDR']
        retcode = 0
        Aws.config.update({region: Facter['ec2_placement_availability_zone'].value[0..-2], credentials: Aws::InstanceProfileCredentials.new})
        pp_instance_id = csr.request_extensions.find { |a| a['oid'] == 'pp_instance_id' }
        if !pp_instance_id
          l.puts "#{Time.now.utc.iso8601} Remote IP: #{remote_ip} asked for a clientcert #{clientcert} to be signed without a pp_instance_id extension"
          exit 1
        end
        cert_instance_id = pp_instance_id['value']
        ec2 = Aws::EC2::Client.new
        server = begin
          ec2.describe_instances( filters: [{name: 'private-ip-address', values: [remote_ip]}]).data['reservations'][0]['instances'][0]
        rescue Exception => e
          l.puts "#{Time.now.utc.iso8601} Could not find host #{cert_instance_id} (#{remote_ip}) #{clientcert}: #{e}"
          exit 2
        end

        if csr.name != clientcert
          l.puts "#{Time.now.utc.iso8601} clientcert value (#{clientcert}) doesn't match the name on the CSR (#{csr.name}) - #{cert_instance_id} (#{remote_ip})"
          exit 3
        elsif server.state.name != 'running'
          l.puts "#{Time.now.utc.iso8601} Server status (#{server.state.name}) is != running for #{cert_instance_id} (#{remote_ip}) #{clientcert}"
          exit 3
        elsif server.instance_id != cert_instance_id
          l.puts "#{Time.now.utc.iso8601} Server's instance_id (#{server.instance_id}) from IP lookup in the API is different to the instance_id in the cert (#{cert_instance_id}) for #{remote_ip}"
          exit 4
        end
        # Shouldn't ever reach here.
        l.puts "#{Time.now.utc.iso8601} OK: Sign clientcert #{clientcert} - #{cert_instance_id} (#{remote_ip})"
        exit 0
-   path: /usr/local/bin/ec2_enc.rb
    permissions: '0755'
    content: |
        #!/usr/bin/ruby
        require 'rubygems'
        require 'puppet'
        require 'logger'
        require 'aws-sdk'
        require 'yaml'

        def find_instance(host_name)

          if (not host_name)
            puts 'Usage: ec2_enc.rb <host_name>'
            puts 'The parameter host_name must not be empty'
            exit 1
          end

          Aws.config.update({region: Facter['ec2_placement_availability_zone'].value[0..-2], credentials: Aws::InstanceProfileCredentials.new})
          ec2 = Aws::EC2::Client.new

          environment = 'production'
          role = 'unknown'
          params = {}
          instance = begin
            ec2.describe_instances( filters: [{name: 'private-dns-name', values: [host_name]}]).data['reservations'][0]['instances'][0]
          rescue Exception => e
            puts "Could not find host #{host_name}: #{e}"
            exit 1
          end
          tags = {}
          instance['tags'].each { |tag| tags[tag['key']] = tag['value'] }
          enc = Hash.new
          tags.each do |key, value|
            if key == 'puppet_role'
              role = value
            end
            if key == 'puppet_role_params'
              params = params.merge(params, JSON.parse(value))
            end
            if key == 'puppet_environment'
              environment = value
            end
          end

          return {
            'classes' => { "role::#{role}" => params },
            'environment' => environment
          }.to_yaml

          puts "Unknown host with name #{host_name}."
          exit 1
        end
        puts find_instance(ARGV[0])

runcmd:
 - [ /etc/init.d/apache2, stop ]
 - [ /bin/cp, /root/config.ru, /usr/share/puppet/rack/puppetmasterd/config.ru ]
 - [ /bin/ln, -fs, /usr/share/puppet/rack/puppetmasterd/config.ru, /usr/share/puppet/ext/rack/config.ru ]
 - [ /bin/dd, if=/dev/zero, of=/swap, bs=1M, count=2048 ]
 - [ /sbin/mkswap, /swap ]
 - [ /bin/bash, -c, "echo /swap none swap sw 0 0 >> /etc/fstab" ]
 - [ /sbin/swapon, -a ]
 - [ /usr/bin/gem, install, aws-sdk ]
 - [ /usr/bin/gem, install, r10k ]
 - [ /usr/bin/gem, install, unicorn ]
 - [ /usr/bin/pip, install, awscli ]
 - [ /bin/bash, -c, "/usr/bin/puppet resource host puppet ensure=present ip=$(facter ipaddress_eth0)" ]
 - [ rm, -rf, /etc/puppet ]
 - [ git, clone, "__REPOSITORY__", /etc/puppet ]
 - [ /usr/local/sbin/puppetupdate ]
 - [ /root/fixpuppetmaster.sh ]
 - [ /usr/bin/puppet, agent, -t ]