zulip/puppet/kandra/manifests/aws_tools.pp

# @summary Installs the AWS CLI
#
class kandra::aws_tools {
  $is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'

  file { '/usr/local/bin/install-aws-cli':
    ensure => file,
    mode   => '0755',
    source => 'puppet:///modules/kandra/install-aws-cli',
  }
  exec { 'install-aws-cli':
    require => File['/usr/local/bin/install-aws-cli'],
    command => '/usr/local/bin/install-aws-cli',
    # When puppet is initially determining which resources need to be
    # applied, it will call the unless -- but install-aws-cli may not
    # exist yet.  Count this as needing to run.
    unless  => '[ -f /usr/local/bin/install-aws-cli ] && /usr/local/bin/install-aws-cli check',
  }

  if ! $is_ec2 {
    if $facts['os']['architecture'] != 'amd64' {
      # We would need to build aws_signing_helper from source
      fail('Only amd64 hosts supported on non-EC2')
    }
    $helper_version = $zulip::common::versions['aws_signing_helper']['version']
    zulip::external_dep { 'aws_signing_helper':
      version => $helper_version,
      url     => "https://rolesanywhere.amazonaws.com/releases/${helper_version}/X86_64/Linux/aws_signing_helper",
      before  => File['/root/.aws/config'],
    }
    file { '/srv/zulip-aws-tools/bin/aws_signing_helper':
      ensure  => link,
      target  => "/srv/zulip-aws_signing_helper-${helper_version}",
      require => [
        File["/srv/zulip-aws_signing_helper-${helper_version}"],
        Exec['install-aws-cli'],
      ],
      before  => Exec['Cleanup aws_signing_helper'],
    }
    package { 'sqlite3': ensure => installed }
    file { '/usr/local/bin/teleport-aws-credentials':
      ensure  => file,
      require => [
        Package['sqlite3'],
        Service['teleport_node'],
      ],
      before  => [
        File['/root/.aws/config'],
      ],
      mode    => '0755',
      owner   => 'root',
      group   => 'root',
      source  => 'puppet:///modules/kandra/teleport-aws-credentials',
    }
  }
  file { '/root/.aws':
    ensure => directory,
    mode   => '0755',
    owner  => 'root',
    group  => 'root',
  }
  $aws_trust_arn = zulipsecret('secrets','aws_trust_arn','')
  $aws_profile_arn = zulipsecret('secrets','aws_profile_arn','')
  $aws_role_arn = zulipsecret('secrets','aws_role_arn','')
  file { '/root/.aws/config':
    ensure  => file,
    mode    => '0644',
    owner   => 'root',
    group   => 'root',
    content => template('kandra/dotfiles/aws_config.erb'),
  }

  # Pull keys and authorized_keys from AWS secretsmanager
  file { '/usr/local/bin/install-ssh-keys':
    ensure  => file,
    require => File['/root/.aws/config'],
    mode    => '0755',
    owner   => 'root',
    group   => 'root',
    source  => 'puppet:///modules/kandra/install-ssh-keys',
  }
  file { '/usr/local/bin/install-ssh-authorized-keys':
    ensure  => file,
    require => File['/root/.aws/config'],
    mode    => '0755',
    owner   => 'root',
    group   => 'root',
    source  => 'puppet:///modules/kandra/install-ssh-authorized-keys',
  }
}