20035: Adds pillars & states to retrieve the password from AWS secrets manager.
[arvados.git] / tools / salt-install / config_examples / multi_host / aws / states / ssl_key_encrypted.sls
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
new file mode 100644 (file)
index 0000000..5bc08f0
--- /dev/null
@@ -0,0 +1,70 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set ssl_key_encrypted = pillar.get('ssl_key_encrypted', {'enabled': False}) %}
+
+{%- if ssl_key_encrypted.enabled %}
+
+extra_ssl_key_encrypted_password_fifo_file:
+  file.mknod:
+    - ntype: p
+    - name: {{ ssl_key_encrypted.ssl_password_file }}
+    - user: root
+    - group: root
+    - mode: '0600'
+
+extra_ssl_key_encrypted_required_pkgs:
+  pkg.installed:
+    - name: jq
+
+extra_ssl_key_encrypted_password_retrieval_script:
+  file.managed:
+    - name: {{ ssl_key_encrypted.ssl_password_connector_script }}
+    - user: root
+    - group: root
+    - mode: '0750'
+    - require:
+      - pkg: extra_ssl_key_encrypted_required_pkgs
+      - file: extra_ssl_key_encrypted_password_fifo_file
+    - contents: |
+        #!/bin/bash
+
+        while [ true ]; do
+          # AWS_SHARED_CREDENTIALS_FILE is set to an non-existant path to avoid awscli
+          # loading invalid credentials on nodes who use ~/.aws/credentials for other
+          # purposes (e.g.: the dispatcher credentials)
+          # Access to the secrets manager is given by using an instance profile.
+          AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id {{ ssl_key_encrypted.aws_secret_name }} --region us-east-1 | jq -r .SecretString > {{ ssl_key_encrypted.ssl_password_file }}
+          sleep 1
+        done
+
+extra_ssl_key_encrypted_password_retrieval_service_unit:
+  file.managed:
+    - name: /etc/systemd/system/password_secret_connector.service
+    - user: root
+    - group: root
+    - mode: '0644'
+    - require:
+      - file: extra_ssl_key_encrypted_password_retrieval_script
+    - contents: |
+        [Unit]
+        Description=Arvados SSL private key password retrieval service
+        After=network.target
+        AssertPathExists={{ ssl_key_encrypted.ssl_password_file }}
+        [Service]
+        ExecStart=/bin/bash {{ ssl_key_encrypted.ssl_password_connector_script }}
+        [Install]
+        WantedBy=multi-user.target
+
+extra_ssl_key_encrypted_password_retrieval_service:
+  service.running:
+    - name: password_secret_connector
+    - enable: true
+    - require:
+      - file: extra_ssl_key_encrypted_password_retrieval_service_unit
+    - watch:
+      - file: extra_ssl_key_encrypted_password_retrieval_service_unit
+      - file: extra_ssl_key_encrypted_password_retrieval_script
+
+{%- endif %}
\ No newline at end of file
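Review bot: The retrieval loop in the script's `contents:` block has no failure handling: when the `aws` call or `jq` fails (no instance profile, API throttling, wrong secret name) the `>` redirect on the last pipeline stage still opens and then closes the FIFO, so whatever reads `ssl_password_file` gets an empty password instead of waiting for a good one. Capture the output and retry until it is non-empty (and not jq's `null`) before writing, holding the FIFO open so the on-demand property of the current code — the write blocks until a reader opens the file — is kept; since the write then comes from a shell builtin, a reader that gives up would SIGPIPE the script itself, so the unit should also carry `Restart=always`, which it lacks today. The region is hard-coded as `--region us-east-1` while the secret name comes from the pillar; it should come from the pillar as well so the secret can live in the cluster's own region. `while [ true ]` is a non-empty-string test that happens to succeed; `while true` says what is meant.
```yaml
    - contents: |
        #!/bin/bash
        set -o pipefail

        while true; do
          # Opening the FIFO for writing blocks until a reader opens it,
          # so the secret is only fetched on demand, as before.
          exec 3> {{ ssl_key_encrypted.ssl_password_file }}
          # … unchanged: AWS_SHARED_CREDENTIALS_FILE / instance profile comments …
          until password="$(AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id {{ ssl_key_encrypted.aws_secret_name }} --region us-east-1 | jq -r .SecretString)" \
                && [ -n "${password}" ] && [ "${password}" != "null" ]; do
            # retry rather than hand the reader an empty password
            sleep 1
          done
          printf '%s\n' "${password}" >&3
          exec 3>&-
          sleep 1
        done
```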