AWS instance metadata token is now valid only for 5 minutes

nxtlytics · Dec 14, 2020 · 45d478d · 45d478d
1 parent 01310bd
commit 45d478d
Show file tree

Hide file tree

Showing 10 changed files with 115 additions and 50 deletions.
diff --git a/providers/amazon/images/ivy-vault/provision.yml b/providers/amazon/images/ivy-vault/provision.yml
@@ -0,0 +1,7 @@
+---
+- name: Provision a machine
+  hosts: 127.0.0.1
+  user: ec2-user
+  connection: local
+  roles:
+    - vault
diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml
@@ -1,9 +1,7 @@
 consul_home: /opt/consul
-vault_home: /opt/vault
 consul_config_dir: /etc/consul.d
 consul_data_dir: "{{ consul_home }}/data"
 consul_user: consul
 consul_group: consul
 
 consul_url: "https://releases.hashicorp.com/consul/1.6.2/consul_1.6.2_linux_amd64.zip"
-vault_url: "https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip"
diff --git a/roles/consul/files/opt/ivy/configure_consul.sh b/roles/consul/files/opt/ivy/configure_consul.sh
@@ -12,13 +12,13 @@ sed -i -e '/^#.*__IVY_TAG__/s/^#//' -e "s/__IVY_TAG__/${TAG}/" /etc/dnsmasq.d/10
 
 CONSUL_MASTERS=""
 if [[ $(get_cloud) -eq "aws" ]]; then
-   MESOS_IPS=($(aws ec2 describe-network-interfaces --region $(get_region) \
-                   --filters Name=tag:"${TAG}:sysenv",Values="${ENV}"    \
-                             Name=tag:"${TAG}:service",Values="Mesos"                 \
-                   --query 'NetworkInterfaces[*].PrivateIpAddress'                \
-                   --output text))
+    MASTERS_IPS=($(aws ec2 describe-network-interfaces --region $(get_region)  \
+                      --filters Name=tag:"${TAG}:sysenv",Values="${ENV}"       \
+                                Name=tag:"${TAG}:service",Values="Mesos,Vault" \
+                      --query 'NetworkInterfaces[*].PrivateIpAddress'          \
+                      --output text))
 
-    for IP in "${MESOS_IPS[@]}"; do
+    for IP in "${MASTERS_IPS[@]}"; do
       CONSUL_MASTERS="${CONSUL_MASTERS} -retry-join=${IP}"
     done
 

diff --git a/roles/consul/tasks/main.yml b/roles/consul/tasks/main.yml
@@ -29,8 +29,5 @@
 
 - include: consul.yml
 
-# skip vault for now
-#- include: vault.yml
-
 - name: copy init files
   copy: src=etc/systemd/system/ dest=/etc/systemd/system/
diff --git a/roles/consul/tasks/vault.yml b/roles/consul/tasks/vault.yml
diff --git a/roles/system-base/files/opt/ivy/bash_lib/aws.sh b/roles/system-base/files/opt/ivy/bash_lib/aws.sh
@@ -22,11 +22,11 @@ function get_mdsv2() {
 }
 
 function get_instance_id() {
-    echo $(curl --retry 3 --silent --fail http://169.254.169.254/latest/meta-data/instance-id)
+    echo $(get_mdsv2 'instance-id')
 }
 
 function get_availability_zone() {
-    echo $(curl --retry 3 --silent --fail http://169.254.169.254/latest/meta-data/placement/availability-zone)
+    echo $(get_mdsv2 'placement/availability-zone')
 }
 
 function get_region() {

diff --git a/roles/system-base/tasks/main.yml b/roles/system-base/tasks/main.yml
@@ -9,12 +9,12 @@
     dest: /etc/security/limits.conf
     mode: 0644
 
-#- name: root authorized_key
-#  authorized_key:
-#    user: root
-#    key: "{{ item }}"
-#  with_file:
-#    - public_keys/infeng
+- name: root authorized_key
+  authorized_key:
+    user: root
+    key: "{{ item }}"
+  with_file:
+    - public_keys/infeng
 
 - name: create ivy user
   user:

diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+# Versions
+vault_version: "1.5.0"
+# Download dirs
+tmp_dir: "/tmp"
+bin_dir: "/usr/local/bin"
+# vault
+vault_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+vault_dest: "{{ tmp_dir }}/vault_{{ vault_version }}_linux_amd64.zip"
diff --git a/roles/vault/files/etc/systemd/system/vault.service b/roles/vault/files/etc/systemd/system/vault.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Vault Agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+Restart=on-failure
+PermissionsStartOnly=true
+ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault
+ExecStart=/usr/local/bin/vault server -config /etc/vault.d
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGTERM
+User=vault
+Group=vault
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+- name: create vault group
+  group:
+    name: vault
+
+- name: create vault user and make vault its primary group
+  user:
+    name: vault
+    group: vault
+    system: yes
+    comment: Hashicorp vault user
+    home: /srv/vault
+    shell: /bin/false
+
+- name: disable core dumps
+  shell: |
+    echo 'ulimit -c 0 > /dev/null 2>&1' > /etc/profile.d/disable-coredumps.sh
+
+- name: Adjusting ulimits for vault user
+  pam_limits:
+    domain: vault
+    limit_type: "{{ item.type }}"
+    limit_item: "{{ item.item }}"
+    value: 65536
+  loop:
+    - { type: "soft", item: "nofile" }
+    - { type: "hard", item: "nofile" }
+    - { type: "soft", item: "nproc" }
+    - { type: "hard", item: "nproc" }
+
+- name: download vault
+  get_url:
+    url: "{{ item.url }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+  loop:
+    - { url: "{{ vault_url }}", dest: "{{ vault_dest }}" }
+
+- name: extract vault and place it on PATH
+  unarchive:
+    src: "{{ vault_dest }}"
+    dest: "{{ bin_dir }}/"
+    remote_src: yes
+
+- name: change vault ownership, group and permissions
+  file:
+    path: "{{ bin_dir }}/vault"
+    owner: vault
+    group: vault
+    mode: 0755
+
+- name: copy vault systemd unit
+  copy:
+    src: etc/systemd/system/vault.service
+    dest: /etc/systemd/system/vault.service
+    mode: 0644
+
+
+- name: create vault config directory
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: vault
+    group: vault
+    mode: 0755
+  loop:
+    - /etc/vault.d
+    - /var/log/vault