From 45d478de7ff7439da0511901cbb0c57ab21bdc90 Mon Sep 17 00:00:00 2001
From: Ricardo Rosales
Date: Mon, 14 Dec 2020 14:50:50 -0600
Subject: [PATCH] AWS instance metadata token is now valid only for 5 minutes
---
 .../amazon/images/ivy-vault/provision.yml | 7 ++
 roles/consul/defaults/main.yml | 2 -
 .../consul/files/opt/ivy/configure_consul.sh | 12 ++--
 roles/consul/tasks/main.yml | 3 -
 roles/consul/tasks/vault.yml | 31 ---------
 .../system-base/files/opt/ivy/bash_lib/aws.sh | 4 +-
 roles/system-base/tasks/main.yml | 12 ++--
 roles/vault/defaults/main.yml | 9 +++
 .../files/etc/systemd/system/vault.service | 17 +++++
 roles/vault/tasks/main.yml | 68 +++++++++++++++++++
 10 files changed, 115 insertions(+), 50 deletions(-)
 create mode 100644 providers/amazon/images/ivy-vault/provision.yml
 delete mode 100644 roles/consul/tasks/vault.yml
 create mode 100644 roles/vault/defaults/main.yml
 create mode 100644 roles/vault/files/etc/systemd/system/vault.service
 create mode 100644 roles/vault/tasks/main.yml
diff --git a/providers/amazon/images/ivy-vault/provision.yml b/providers/amazon/images/ivy-vault/provision.yml
new file mode 100644
index 0000000..3b2deb1
--- /dev/null
+++ b/providers/amazon/images/ivy-vault/provision.yml
@@ -0,0 +1,7 @@
+---
+- name: Provision a machine
+ hosts: 127.0.0.1
+ user: ec2-user
+ connection: local
+ roles:
+ - vault
diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml
index 16d9777..1eb1c93 100644
--- a/roles/consul/defaults/main.yml
+++ b/roles/consul/defaults/main.yml
@@ -1,9 +1,7 @@
 consul_home: /opt/consul
-vault_home: /opt/vault
 consul_config_dir: /etc/consul.d
 consul_data_dir: "{{ consul_home }}/data"
 consul_user: consul
 consul_group: consul
 consul_url: "https://releases.hashicorp.com/consul/1.6.2/consul_1.6.2_linux_amd64.zip"
-vault_url: "https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip"
diff --git a/roles/consul/files/opt/ivy/configure_consul.sh b/roles/consul/files/opt/ivy/configure_consul.sh
index 26b512a..64929e3 100755
--- a/roles/consul/files/opt/ivy/configure_consul.sh
+++ b/roles/consul/files/opt/ivy/configure_consul.sh
@@ -12,13 +12,13 @@ sed -i -e '/^#.*__IVY_TAG__/s/^#//' -e "s/__IVY_TAG__/${TAG}/" /etc/dnsmasq.d/10
 CONSUL_MASTERS=""
 if [[ $(get_cloud) -eq "aws" ]]; then
- MESOS_IPS=($(aws ec2 describe-network-interfaces --region $(get_region) \
- --filters Name=tag:"${TAG}:sysenv",Values="${ENV}" \
- Name=tag:"${TAG}:service",Values="Mesos" \
- --query 'NetworkInterfaces[*].PrivateIpAddress' \
- --output text))
+ MASTERS_IPS=($(aws ec2 describe-network-interfaces --region $(get_region) \
+ --filters Name=tag:"${TAG}:sysenv",Values="${ENV}" \
+ Name=tag:"${TAG}:service",Values="Mesos,Vault" \
+ --query 'NetworkInterfaces[*].PrivateIpAddress' \
+ --output text))
- for IP in "${MESOS_IPS[@]}"; do
+ for IP in "${MASTERS_IPS[@]}"; do
 CONSUL_MASTERS="${CONSUL_MASTERS} -retry-join=${IP}"
 done
diff --git a/roles/consul/tasks/main.yml b/roles/consul/tasks/main.yml
index 0911b94..463597d 100644
--- a/roles/consul/tasks/main.yml
+++ b/roles/consul/tasks/main.yml
@@ -29,8 +29,5 @@
 - include: consul.yml
-# skip vault for now
-#- include: vault.yml
-
 - name: copy init files
 copy: src=etc/systemd/system/ dest=/etc/systemd/system/
diff --git a/roles/consul/tasks/vault.yml b/roles/consul/tasks/vault.yml
deleted file mode 100644
index ed47342..0000000
--- a/roles/consul/tasks/vault.yml
+++ /dev/null
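Review bot: The widened filter `Name=tag:"${TAG}:service",Values="Mesos,Vault"` turns every ENI tagged as the Vault service into a Consul `-retry-join` target, which only works if the Vault image also runs a Consul server; that assumption deserves a comment above the `MASTERS_IPS=(` line, e.g. `# Vault nodes run a consul server too, so they are valid join targets`. It also means anyone able to set the `${TAG}:service` tag on an ENI in this account can steer which hosts this agent joins, so tag-write permissions on ENIs are now part of the cluster's trust boundary and should be reviewed with this change. The surrounding `if [[ $(get_cloud) -eq "aws" ]]` guard (context, predating this commit) compares strings with the arithmetic `-eq`, which evaluates both sides to 0 and is therefore always true; `==` is the intended operator. The `if` block continues below the hunk.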
@@ -1,31 +0,0 @@
-- name: create vault directories
- file: >
- state=directory
- path={{ item }}
- owner={{ consul_user }}
- group={{ consul_group }}
- with_items:
- - "{{ vault_home }}"
- - "{{ vault_home }}/bin"
- - "/etc/vault"
-
-- name: install vault
- # Skip lint for this, ansible does not have an easy way to download and extract file to location in a succinct manner
- # noqa 303
- shell: >
- curl -L {{ vault_url }} -o /tmp/vault.zip &&
- unzip /tmp/vault.zip -d "{{ vault_home }}/bin/" &&
- rm -rf /tmp/vault*
- args:
- creates: "{{ vault_home }}/bin/vault"
-
-- name: set ownership
- file: >
- state=directory
- path={{ vault_home }}
- owner={{ consul_user }}
- group={{ consul_group }}
- recurse=yes
-
-- name: vault symlink to /usr/local/bin
- file: src={{ vault_home }}/bin/vault dest=/usr/local/bin/vault owner=root group=root state=link
diff --git a/roles/system-base/files/opt/ivy/bash_lib/aws.sh b/roles/system-base/files/opt/ivy/bash_lib/aws.sh
index 4138f14..87ffd2c 100644
--- a/roles/system-base/files/opt/ivy/bash_lib/aws.sh
+++ b/roles/system-base/files/opt/ivy/bash_lib/aws.sh
@@ -22,11 +22,11 @@ function get_mdsv2() {
 }
 function get_instance_id() {
- echo $(curl --retry 3 --silent --fail http://169.254.169.254/latest/meta-data/instance-id)
+ echo $(get_mdsv2 'instance-id')
 }
 function get_availability_zone() {
- echo $(curl --retry 3 --silent --fail http://169.254.169.254/latest/meta-data/placement/availability-zone)
+ echo $(get_mdsv2 'placement/availability-zone')
 }
 function get_region() {
diff --git a/roles/system-base/tasks/main.yml b/roles/system-base/tasks/main.yml
index 372ab80..c66c5c7 100644
--- a/roles/system-base/tasks/main.yml
+++ b/roles/system-base/tasks/main.yml
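Review bot: The commit subject says the IMDSv2 token is now valid for only 5 minutes, but the only change to aws.sh is that `get_instance_id` and `get_availability_zone` now call `get_mdsv2`; the token TTL would be set inside `get_mdsv2`, whose body sits above this hunk and is not touched by the patch, so either that change is missing from the patch or the subject describes something else. Moving these helpers onto the token-based path is the right direction (unauthenticated IMDSv1 reads are the exposure IMDSv2 exists to close), but `echo $(get_mdsv2 'instance-id')` word-splits and globs the result for no benefit; `get_mdsv2 'instance-id'` alone gives the same output. If `get_mdsv2` prints nothing when the token request fails, `get_region` (below the hunk) derives an empty region and downstream `aws` calls silently lose their `--region`; confirm that `get_mdsv2` returns non-zero in that case so callers can fail loudly.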
@@ -9,12 +9,12 @@
 dest: /etc/security/limits.conf
 mode: 0644
-#- name: root authorized_key
-# authorized_key:
-# user: root
-# key: "{{ item }}"
-# with_file:
-# - public_keys/infeng
+- name: root authorized_key
+ authorized_key:
+ user: root
+ key: "{{ item }}"
+ with_file:
+ - public_keys/infeng
 - name: create ivy user
 user:
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
new file mode 100644
index 0000000..46e87c8
--- /dev/null
+++ b/roles/vault/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+# Versions
+vault_version: "1.5.0"
+# Download dirs
+tmp_dir: "/tmp"
+bin_dir: "/usr/local/bin"
+# vault
+vault_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+vault_dest: "{{ tmp_dir }}/vault_{{ vault_version }}_linux_amd64.zip"
diff --git a/roles/vault/files/etc/systemd/system/vault.service b/roles/vault/files/etc/systemd/system/vault.service
new file mode 100644
index 0000000..2242c61
--- /dev/null
+++ b/roles/vault/files/etc/systemd/system/vault.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Vault Agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+Restart=on-failure
+PermissionsStartOnly=true
+ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault
+ExecStart=/usr/local/bin/vault server -config /etc/vault.d
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGTERM
+User=vault
+Group=vault
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml
new file mode 100644
index 0000000..91318ec
--- /dev/null
+++ b/roles/vault/tasks/main.yml
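Review bot: Un-commenting this task installs `public_keys/infeng` into root's `authorized_keys` on every host built with the system-base role, a root-access change that the commit subject (metadata token TTL) does not mention and that every image consuming this role now inherits. It should be called out in the commit message and gated so images can opt out, e.g. `when: system_base_root_keys | default(false)` (variable name constructed here; add it to the role defaults). Whether root login over SSH is actually reachable depends on `PermitRootLogin` in the sshd configuration, which is outside this patch; if it is permitted, this key becomes a standing root credential across the fleet and needs the rotation and audit treatment of one.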
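Review bot: `tmp_dir: "/tmp"` stages the Vault archive under a predictable name in a world-writable directory, and the download task in roles/vault/tasks/main.yml calls `get_url` without `force`, which skips the download whenever the destination already exists; a file already sitting at `{{ vault_dest }}` would therefore be unpacked onto `bin_dir` unchecked. Prefer a root-owned staging directory such as `tmp_dir: "/var/lib/vault-install"` (constructed) created with mode `"0700"` before the download, and remove the archive afterwards. Quoting `vault_version: "1.5.0"` is right (an unquoted `1.5` would parse as a float); a companion `vault_checksum` default holding the sha256 from HashiCorp's published SHA256SUMS for that version (value not on this page) would give the download task something to verify against.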
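Review bot: `Description=Vault Agent` contradicts `ExecStart=/usr/local/bin/vault server -config /etc/vault.d`, which starts a Vault server; the description should say so, since operators find units by it. The mlock capability is granted by an `ExecStartPre` `setcap` run as root on every start (via the deprecated `PermissionsStartOnly=true`), which re-applies file capabilities to whatever currently sits at that path and makes the binary's ownership security-relevant; `AmbientCapabilities=CAP_IPC_LOCK` with a matching bounding set grants the same capability without touching the file and without any root step in the unit. The `[Service]` section carries no sandboxing while this process holds unseal key material in memory, so the ProtectSystem/PrivateTmp/PrivateDevices/NoNewPrivileges directives from HashiCorp's reference unit are worth adopting — note `NoNewPrivileges` blocks gaining capabilities from file caps, so it must go together with dropping the `setcap` line. No configuration file is written under /etc/vault.d anywhere in this patch, so `vault server` exits at start unless another role supplies one; a `ConditionFileNotEmpty=` on the expected config path would make that failure explicit.
```ini
[Unit]
Description=Vault server
# … unchanged: Requires, After …

[Service]
# … unchanged: Restart, ExecStart, ExecReload, KillSignal, User, Group …
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
```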
@@ -0,0 +1,68 @@
+---
+- name: create vault group
+ group:
+ name: vault
+
+- name: create vault user and make vault its primary group
+ user:
+ name: vault
+ group: vault
+ system: yes
+ comment: Hashicorp vault user
+ home: /srv/vault
+ shell: /bin/false
+
+- name: disable core dumps
+ shell: |
+ echo 'ulimit -c 0 > /dev/null 2>&1' > /etc/profile.d/disable-coredumps.sh
+
+- name: Adjusting ulimits for vault user
+ pam_limits:
+ domain: vault
+ limit_type: "{{ item.type }}"
+ limit_item: "{{ item.item }}"
+ value: 65536
+ loop:
+ - { type: "soft", item: "nofile" }
+ - { type: "hard", item: "nofile" }
+ - { type: "soft", item: "nproc" }
+ - { type: "hard", item: "nproc" }
+
+- name: download vault
+ get_url:
+ url: "{{ item.url }}"
+ dest: "{{ item.dest }}"
+ mode: 0755
+ loop:
+ - { url: "{{ vault_url }}", dest: "{{ vault_dest }}" }
+
+- name: extract vault and place it on PATH
+ unarchive:
+ src: "{{ vault_dest }}"
+ dest: "{{ bin_dir }}/"
+ remote_src: yes
+
+- name: change vault ownership, group and permissions
+ file:
+ path: "{{ bin_dir }}/vault"
+ owner: vault
+ group: vault
+ mode: 0755
+
+- name: copy vault systemd unit
+ copy:
+ src: etc/systemd/system/vault.service
+ dest: /etc/systemd/system/vault.service
+ mode: 0644
+
+
+- name: create vault config directory
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: vault
+ group: vault
+ mode: 0755
+ loop:
+ - /etc/vault.d
+ - /var/log/vault
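Review bot: The `download vault` task fetches the release zip but passes no `checksum:` to `get_url`, so the binary that is unpacked onto `{{ bin_dir }}` and later run as a system service is never integrity-checked; HashiCorp publishes a SHA256SUMS file per release, so pin the digest as a role default next to `vault_version` and pass it as `checksum: "sha256:{{ vault_checksum }}"` (variable constructed here, value not on this page). The `change vault ownership` task then makes the vault user the owner of its own executable (`owner: vault`, `group: vault`), so a compromise of the service process can rewrite the binary that the unit file re-`setcap`s as root on the next start; `root:root` with `0755` is the correct state for a binary the service only needs to execute. The `disable core dumps` task shells out to `echo ... > /etc/profile.d/...`, which reports "changed" on every run and is never checked — `copy:` with `content:` does the same declaratively — and the bare `system: yes` / `remote_src: yes` should be `true` (ansible-lint truthy). Finally, the unit is copied but nothing runs `daemon_reload` or enables it, and no config file is placed in `/etc/vault.d`, so the service does not come up from this role alone; a `systemd:` task with `enabled: true` and `daemon_reload: true` belongs after the copy.
```yaml
- name: disable core dumps
  copy:
    dest: /etc/profile.d/disable-coredumps.sh
    content: "ulimit -c 0 > /dev/null 2>&1\n"
    mode: "0644"

# … unchanged: ulimits task …

- name: download vault
  get_url:
    url: "{{ vault_url }}"
    dest: "{{ vault_dest }}"
    checksum: "sha256:{{ vault_checksum }}"  # vault_checksum: role default, sha256 from the release SHA256SUMS
    mode: "0755"

# … unchanged: extract task …

- name: change vault ownership, group and permissions
  file:
    path: "{{ bin_dir }}/vault"
    owner: root
    group: root
    mode: "0755"
```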