zulip/puppet/kandra/manifests/aws_tools.pp

# @summary Installs the AWS CLI
#
class kandra::aws_tools {
  $is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'

  file { '/usr/local/bin/install-aws-cli':
    ensure => file,
    mode   => '0755',
    source => 'puppet:///modules/kandra/install-aws-cli',
  }
  exec { 'install-aws-cli':
    require => File['/usr/local/bin/install-aws-cli'],
    command => '/usr/local/bin/install-aws-cli',
    # When puppet is initially determining which resources need to be
    # applied, it will call the unless -- but install-aws-cli may not
    # exist yet.  Count this as needing to run.
    unless  => '[ -f /usr/local/bin/install-aws-cli ] && /usr/local/bin/install-aws-cli check',
  }

  if ! $is_ec2 {
    if $facts['os']['architecture'] != 'amd64' {
      # We would need to build aws_signing_helper from source
      fail('Only amd64 hosts supported on non-EC2')
    }
    $helper_version = $zulip::common::versions['aws_signing_helper']['version']
    zulip::external_dep { 'aws_signing_helper':
      version => $helper_version,
      url     => "https://rolesanywhere.amazonaws.com/releases/${helper_version}/X86_64/Linux/aws_signing_helper",
      before  => File['/root/.aws/config'],
    }
    file { '/srv/zulip-aws-tools/bin/aws_signing_helper':
      ensure  => link,
      target  => "/srv/zulip-aws_signing_helper-${helper_version}",
      require => [
        File["/srv/zulip-aws_signing_helper-${helper_version}"],
        Exec['install-aws-cli'],
      ],
      before  => Exec['Cleanup aws_signing_helper'],
    }
    package { 'sqlite3': ensure => installed }
    file { '/usr/local/bin/teleport-aws-credentials':
      ensure  => file,
      require => [
        Package['sqlite3'],
        Service['teleport_node'],
      ],
      before  => [
        File['/root/.aws/config'],
      ],
      mode    => '0755',
      owner   => 'root',
      group   => 'root',
      source  => 'puppet:///modules/kandra/teleport-aws-credentials',
    }
  }
  file { '/root/.aws':
    ensure => directory,
    mode   => '0755',
    owner  => 'root',
    group  => 'root',
  }
  $aws_trust_arn = zulipsecret('secrets','aws_trust_arn','')
  $aws_profile_arn = zulipsecret('secrets','aws_profile_arn','')
  $aws_role_arn = zulipsecret('secrets','aws_role_arn','')
  file { '/root/.aws/config':
    ensure  => file,
    mode    => '0644',
    owner   => 'root',
    group   => 'root',
    content => template('kandra/dotfiles/aws_config.erb'),
  }

  # Pull keys and authorized_keys from AWS secretsmanager
  file { '/usr/local/bin/install-ssh-keys':
    ensure  => file,
    require => File['/root/.aws/config'],
    mode    => '0755',
    owner   => 'root',
    group   => 'root',
    source  => 'puppet:///modules/kandra/install-ssh-keys',
  }
  file { '/usr/local/bin/install-ssh-authorized-keys':
    ensure  => file,
    require => File['/root/.aws/config'],
    mode    => '0755',
    owner   => 'root',
    group   => 'root',
    source  => 'puppet:///modules/kandra/install-ssh-authorized-keys',
  }
}
install-aws-cli: Also install and keep up to date using Puppet. We previously only did this install on the developer machine and on initial boot. Also run it from puppet to make sure we keep the binary up-to-date. 2024-01-29 21:34:53 +01:00			`# @summary Installs the AWS CLI`
			`#`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`class kandra::aws_tools {`
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2. 2024-01-31 03:25:40 +01:00			`$is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'`

install-aws-cli: Also install and keep up to date using Puppet. We previously only did this install on the developer machine and on initial boot. Also run it from puppet to make sure we keep the binary up-to-date. 2024-01-29 21:34:53 +01:00			`file { '/usr/local/bin/install-aws-cli':`
			`ensure => file,`
			`mode => '0755',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/install-aws-cli',`
install-aws-cli: Also install and keep up to date using Puppet. We previously only did this install on the developer machine and on initial boot. Also run it from puppet to make sure we keep the binary up-to-date. 2024-01-29 21:34:53 +01:00			`}`
			`exec { 'install-aws-cli':`
			`require => File['/usr/local/bin/install-aws-cli'],`
			`command => '/usr/local/bin/install-aws-cli',`
			`# When puppet is initially determining which resources need to be`
			`# applied, it will call the unless -- but install-aws-cli may not`
			`# exist yet. Count this as needing to run.`
			`unless => '[ -f /usr/local/bin/install-aws-cli ] && /usr/local/bin/install-aws-cli check',`
			`}`
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2. 2024-01-31 03:25:40 +01:00
			`if ! $is_ec2 {`
puppet: Switch from top-level fact variables to facts dict, again. These were somehow missed in 57f8b48ff989. 2024-03-25 20:16:16 +01:00			`if $facts['os']['architecture'] != 'amd64' {`
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2. 2024-01-31 03:25:40 +01:00			`# We would need to build aws_signing_helper from source`
			`fail('Only amd64 hosts supported on non-EC2')`
			`}`
			`$helper_version = $zulip::common::versions['aws_signing_helper']['version']`
			`zulip::external_dep { 'aws_signing_helper':`
			`version => $helper_version,`
			`url => "https://rolesanywhere.amazonaws.com/releases/${helper_version}/X86_64/Linux/aws_signing_helper",`
			`before => File['/root/.aws/config'],`
			`}`
			`file { '/srv/zulip-aws-tools/bin/aws_signing_helper':`
			`ensure => link,`
			`target => "/srv/zulip-aws_signing_helper-${helper_version}",`
			`require => [`
puppet: Stop relying on "tidy" ordering, which ignores metaparams. The `tidy` parameter is buggy, and ignores all ordering metaparameters. This is fixed in Puppet 7[^1], but it's helpful to resolve it now. Specifically, this fixes bugs with tidy running too early, and deleting the old version of a package before its new version is installed or symlinked, leaving a race condition if anything tries to run the binary in this window. This is mostly not a problem for Supervisor-managed processes, since the binary is already running, and can continue to run if it is tidied out from under the running process. For stand-alone tools like wal-g, which are run frequently by PostgreSQL, this may cause issues if PostgreSQL tries to call them during a puppet run. Remove all complicated uses of tidy, and replace them with an `exec` which does the equivalent. We also generate `file` resources for binaries, making them easier (and clearer) to specify as dependencies. [^1]: https://puppet.atlassian.net/browse/PUP-10688 2024-04-15 20:11:08 +02:00			`File["/srv/zulip-aws_signing_helper-${helper_version}"],`
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2. 2024-01-31 03:25:40 +01:00			`Exec['install-aws-cli'],`
			`],`
puppet: Stop relying on "tidy" ordering, which ignores metaparams. The `tidy` parameter is buggy, and ignores all ordering metaparameters. This is fixed in Puppet 7[^1], but it's helpful to resolve it now. Specifically, this fixes bugs with tidy running too early, and deleting the old version of a package before its new version is installed or symlinked, leaving a race condition if anything tries to run the binary in this window. This is mostly not a problem for Supervisor-managed processes, since the binary is already running, and can continue to run if it is tidied out from under the running process. For stand-alone tools like wal-g, which are run frequently by PostgreSQL, this may cause issues if PostgreSQL tries to call them during a puppet run. Remove all complicated uses of tidy, and replace them with an `exec` which does the equivalent. We also generate `file` resources for binaries, making them easier (and clearer) to specify as dependencies. [^1]: https://puppet.atlassian.net/browse/PUP-10688 2024-04-15 20:11:08 +02:00			`before => Exec['Cleanup aws_signing_helper'],`
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2. 2024-01-31 03:25:40 +01:00			`}`
			`package { 'sqlite3': ensure => installed }`
			`file { '/usr/local/bin/teleport-aws-credentials':`
			`ensure => file,`
			`require => [`
			`Package['sqlite3'],`
			`Service['teleport_node'],`
			`],`
			`before => [`
			`File['/root/.aws/config'],`
			`],`
			`mode => '0755',`
			`owner => 'root',`
			`group => 'root',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/teleport-aws-credentials',`
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2. 2024-01-31 03:25:40 +01:00			`}`
			`}`
			`file { '/root/.aws':`
			`ensure => directory,`
			`mode => '0755',`
			`owner => 'root',`
			`group => 'root',`
			`}`
			`$aws_trust_arn = zulipsecret('secrets','aws_trust_arn','')`
			`$aws_profile_arn = zulipsecret('secrets','aws_profile_arn','')`
			`$aws_role_arn = zulipsecret('secrets','aws_role_arn','')`
			`file { '/root/.aws/config':`
			`ensure => file,`
			`mode => '0644',`
			`owner => 'root',`
			`group => 'root',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`content => template('kandra/dotfiles/aws_config.erb'),`
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2. 2024-01-31 03:25:40 +01:00			`}`
bootstrap-aws-installer: Pull all keys from secretsmanager. 2024-01-30 20:58:17 +01:00
puppet: Pull authorized_keys from AWS secretsmanager. 2024-01-31 19:25:39 +01:00			`# Pull keys and authorized_keys from AWS secretsmanager`
bootstrap-aws-installer: Pull all keys from secretsmanager. 2024-01-30 20:58:17 +01:00			`file { '/usr/local/bin/install-ssh-keys':`
			`ensure => file,`
			`require => File['/root/.aws/config'],`
			`mode => '0755',`
			`owner => 'root',`
			`group => 'root',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/install-ssh-keys',`
bootstrap-aws-installer: Pull all keys from secretsmanager. 2024-01-30 20:58:17 +01:00			`}`
puppet: Pull authorized_keys from AWS secretsmanager. 2024-01-31 19:25:39 +01:00			`file { '/usr/local/bin/install-ssh-authorized-keys':`
			`ensure => file,`
			`require => File['/root/.aws/config'],`
			`mode => '0755',`
			`owner => 'root',`
			`group => 'root',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/install-ssh-authorized-keys',`
puppet: Pull authorized_keys from AWS secretsmanager. 2024-01-31 19:25:39 +01:00			`}`
install-aws-cli: Also install and keep up to date using Puppet. We previously only did this install on the developer machine and on initial boot. Also run it from puppet to make sure we keep the binary up-to-date. 2024-01-29 21:34:53 +01:00			`}`