2024-01-29 21:34:53 +01:00
|
|
|
# @summary Installs the AWS CLI
|
|
|
|
#
|
2024-02-06 21:40:19 +01:00
|
|
|
class kandra::aws_tools {
|
2024-01-31 03:25:40 +01:00
|
|
|
$is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'
|
|
|
|
|
2024-01-29 21:34:53 +01:00
|
|
|
file { '/usr/local/bin/install-aws-cli':
|
|
|
|
ensure => file,
|
|
|
|
mode => '0755',
|
2024-02-06 21:40:19 +01:00
|
|
|
source => 'puppet:///modules/kandra/install-aws-cli',
|
2024-01-29 21:34:53 +01:00
|
|
|
}
|
|
|
|
exec { 'install-aws-cli':
|
|
|
|
require => File['/usr/local/bin/install-aws-cli'],
|
|
|
|
command => '/usr/local/bin/install-aws-cli',
|
|
|
|
# When puppet is initially determining which resources need to be
|
|
|
|
# applied, it will call the unless -- but install-aws-cli may not
|
|
|
|
# exist yet. Count this as needing to run.
|
|
|
|
unless => '[ -f /usr/local/bin/install-aws-cli ] && /usr/local/bin/install-aws-cli check',
|
|
|
|
}
|
2024-01-31 03:25:40 +01:00
|
|
|
|
|
|
|
if ! $is_ec2 {
|
|
|
|
if $::os['architecture'] != 'amd64' {
|
|
|
|
# We would need to build aws_signing_helper from source
|
|
|
|
fail('Only amd64 hosts supported on non-EC2')
|
|
|
|
}
|
|
|
|
$helper_version = $zulip::common::versions['aws_signing_helper']['version']
|
|
|
|
zulip::external_dep { 'aws_signing_helper':
|
|
|
|
version => $helper_version,
|
|
|
|
url => "https://rolesanywhere.amazonaws.com/releases/${helper_version}/X86_64/Linux/aws_signing_helper",
|
|
|
|
before => File['/root/.aws/config'],
|
|
|
|
}
|
|
|
|
file { '/srv/zulip-aws-tools/bin/aws_signing_helper':
|
|
|
|
ensure => link,
|
|
|
|
target => "/srv/zulip-aws_signing_helper-${helper_version}",
|
|
|
|
require => [
|
|
|
|
Zulip::External_Dep['aws_signing_helper'],
|
|
|
|
Exec['install-aws-cli'],
|
|
|
|
],
|
|
|
|
}
|
|
|
|
package { 'sqlite3': ensure => installed }
|
|
|
|
file { '/usr/local/bin/teleport-aws-credentials':
|
|
|
|
ensure => file,
|
|
|
|
require => [
|
|
|
|
Package['sqlite3'],
|
|
|
|
Service['teleport_node'],
|
|
|
|
],
|
|
|
|
before => [
|
|
|
|
File['/root/.aws/config'],
|
|
|
|
],
|
|
|
|
mode => '0755',
|
|
|
|
owner => 'root',
|
|
|
|
group => 'root',
|
2024-02-06 21:40:19 +01:00
|
|
|
source => 'puppet:///modules/kandra/teleport-aws-credentials',
|
2024-01-31 03:25:40 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
file { '/root/.aws':
|
|
|
|
ensure => directory,
|
|
|
|
mode => '0755',
|
|
|
|
owner => 'root',
|
|
|
|
group => 'root',
|
|
|
|
}
|
|
|
|
$aws_trust_arn = zulipsecret('secrets','aws_trust_arn','')
|
|
|
|
$aws_profile_arn = zulipsecret('secrets','aws_profile_arn','')
|
|
|
|
$aws_role_arn = zulipsecret('secrets','aws_role_arn','')
|
|
|
|
file { '/root/.aws/config':
|
|
|
|
ensure => file,
|
|
|
|
mode => '0644',
|
|
|
|
owner => 'root',
|
|
|
|
group => 'root',
|
2024-02-06 21:40:19 +01:00
|
|
|
content => template('kandra/dotfiles/aws_config.erb'),
|
2024-01-31 03:25:40 +01:00
|
|
|
}
|
2024-01-30 20:58:17 +01:00
|
|
|
|
2024-01-31 19:25:39 +01:00
|
|
|
# Pull keys and authorized_keys from AWS secretsmanager
|
2024-01-30 20:58:17 +01:00
|
|
|
file { '/usr/local/bin/install-ssh-keys':
|
|
|
|
ensure => file,
|
|
|
|
require => File['/root/.aws/config'],
|
|
|
|
mode => '0755',
|
|
|
|
owner => 'root',
|
|
|
|
group => 'root',
|
2024-02-06 21:40:19 +01:00
|
|
|
source => 'puppet:///modules/kandra/install-ssh-keys',
|
2024-01-30 20:58:17 +01:00
|
|
|
}
|
2024-01-31 19:25:39 +01:00
|
|
|
file { '/usr/local/bin/install-ssh-authorized-keys':
|
|
|
|
ensure => file,
|
|
|
|
require => File['/root/.aws/config'],
|
|
|
|
mode => '0755',
|
|
|
|
owner => 'root',
|
|
|
|
group => 'root',
|
2024-02-06 21:40:19 +01:00
|
|
|
source => 'puppet:///modules/kandra/install-ssh-authorized-keys',
|
2024-01-31 19:25:39 +01:00
|
|
|
}
|
2024-01-29 21:34:53 +01:00
|
|
|
}
|