ComputeCanada · cmd-ntrf · Aug 22, 2024 · Jul 18, 2024 · Jul 18, 2024 · Jul 18, 2024
diff --git a/aws/infrastructure.tf b/aws/infrastructure.tf
@@ -19,7 +19,6 @@ module "configuration" {
   config_git_url        = var.config_git_url
   config_version        = var.config_version
   sudoer_username       = var.sudoer_username
-  generate_ssh_key      = var.generate_ssh_key
   public_keys           = var.public_keys
   domain_name           = module.design.domain_name
   bastion_tag           = module.design.bastion_tag
@@ -42,7 +41,6 @@ module "provision" {
   terraform_facts = module.configuration.terraform_facts
   hieradata       = var.hieradata
   hieradata_dir   = var.hieradata_dir
-  sudoer_username = var.sudoer_username
   eyaml_key       = var.eyaml_key
   puppetfile      = var.puppetfile
   depends_on      = [aws_instance.instances, aws_eip.public_ip]

diff --git a/azure/infrastructure.tf b/azure/infrastructure.tf
@@ -19,7 +19,6 @@ module "configuration" {
   config_git_url        = var.config_git_url
   config_version        = var.config_version
   sudoer_username       = var.sudoer_username
-  generate_ssh_key      = var.generate_ssh_key
   public_keys           = var.public_keys
   domain_name           = module.design.domain_name
   bastion_tag           = module.design.bastion_tag
@@ -42,7 +41,6 @@ module "provision" {
   terraform_facts = module.configuration.terraform_facts
   hieradata       = var.hieradata
   hieradata_dir   = var.hieradata_dir
-  sudoer_username = var.sudoer_username
   eyaml_key       = var.eyaml_key
   puppetfile      = var.puppetfile
   depends_on      = [ azurerm_linux_virtual_machine.instances ]

diff --git a/common/configuration/main.tf b/common/configuration/main.tf
@@ -12,15 +12,13 @@ variable "domain_name" { }
 variable "cluster_name" { }
 variable "guest_passwd" { }
 
-variable "generate_ssh_key" { }
 variable "public_keys" { }
 
 variable "skip_upgrade" { }
 variable "puppetfile" { }
 variable "bastion_tag" { }
 
 resource "tls_private_key" "ssh" {
-  count     = var.generate_ssh_key ? 1 : 0
   algorithm = "ED25519"
 }
 
@@ -56,8 +54,6 @@ locals {
     tag => [for key, values in var.inventory : values.local_ip if contains(values.tags, tag)]
   }
 
-  ssh_authorized_keys = var.generate_ssh_key ? concat(var.public_keys, ["${chomp(tls_private_key.ssh[0].public_key_openssh)} terraform@localhost"]) :  var.public_keys
-
   # add openssh public key to inventory
   inventory = { for host, values in var.inventory:
     host => merge(values, {
@@ -74,7 +70,7 @@ locals {
       tag_ip    = local.tag_ip
       data      = {
         sudoer_username = var.sudoer_username
-        public_keys     = local.ssh_authorized_keys
+        public_keys     = var.public_keys
         cluster_name    = lower(var.cluster_name)
         domain_name     = var.domain_name
         guest_passwd    = local.guest_passwd
@@ -102,7 +98,8 @@ locals {
         puppetservers         = local.puppetservers,
         puppetserver_password = local.puppet_passwd,
         sudoer_username       = var.sudoer_username,
-        ssh_authorized_keys   = local.ssh_authorized_keys
+        ssh_authorized_keys   = var.public_keys
+        tf_ssh_public_key     = tls_private_key.ssh.public_key_openssh
         # If there is no bastion, the terraform data has to be packed with the user_data of the puppetserver.
         # We do not packed it systematically because it increases the user-data size to a value that can be
         # near or exceeds the cloud provider limit - AWS 16KB, Azure and OpenStack 64KB, GCP 256 KB.
@@ -153,8 +150,8 @@ output "inventory" {
 
 output "ssh_key" {
   value = {
-    public  = try("${chomp(tls_private_key.ssh[0].public_key_openssh)} terraform@localhost", null)
-    private = try(tls_private_key.ssh[0].private_key_pem, null)
+    public  = try("${chomp(tls_private_key.ssh.public_key_openssh)} tf@localhost", null)
+    private = try(tls_private_key.ssh.private_key_pem, null)
   }
 }
 

diff --git a/common/configuration/puppet.yaml b/common/configuration/puppet.yaml
@@ -6,6 +6,13 @@ mounts:
  - [ ephemeral0, /mnt/ephemeral0 ]
 
 users:
+  - name: tf
+    no_create_home: true
+    no_create_group: true
+    homedir: /tmp
+%{ if contains(tags, "puppet") }
+    sudo: "ALL = NOPASSWD: /usr/sbin/update_etc_puppetlabs.sh *.zip"
+%{ endif ~}
   - name: ${sudoer_username}
     groups: adm, wheel, systemd-journal
     homedir: /${sudoer_username}
@@ -17,12 +24,9 @@ users:
 %{ endfor ~}
 
 runcmd:
-  # Verify ${sudoer_username} was created with the right homedir. If it wasn't
-  # the user with the corresponding username is entirely removed, cloud-init is
-  # cleaned and the system is rebooted. This happens when configuring from images
-  # that were customized.
   - test ! -d /${sudoer_username} && userdel -f -r ${sudoer_username} && cloud-init clean -r
   - restorecon -R /${sudoer_username}
+  - echo -e "match User tf\n\tAuthorizedKeysFile /etc/ssh/authorized_keys.%u\n\tAuthenticationMethods publickey" >> /etc/ssh/sshd_config
   - sed -i '/HostKey \/etc\/ssh\/ssh_host_ecdsa_key/ s/^#*/#/' /etc/ssh/sshd_config
   - chmod 644 /etc/ssh/ssh_host_*_key.pub
   - chgrp ssh_keys /etc/ssh/ssh_host_*_key.pub
@@ -126,6 +130,9 @@ runcmd:
   - test -f /etc/magic-castle-release && systemctl start puppet || true
 
 write_files:
+  - content: restrict%{ if contains(tags, "puppet") },pty%{ else }%{ for host, ip in puppetservers },permitopen="${ip}:22"%{ endfor },port-forwarding,command="/sbin/nologin"%{ endif } ${tf_ssh_public_key}
+    path: /etc/ssh/authorized_keys.tf
+    permissions: "0644"
   - content: |
       facts : {
         blocklist : [
@@ -144,6 +151,31 @@ write_files:
     path: /etc/puppetlabs/facter/facts.d/prefix.yaml
     permissions: "0644"
 %{ if contains(tags, "puppet") ~}
+  - content: |
+      #!/bin/bash
+      ZIP_FILE=$${1}
+      ZIP_DIR=$${ZIP_FILE%.zip}
+
+      # unzip is not necessarily installed when connecting, but python is.
+      /usr/libexec/platform-python -c "import zipfile; zipfile.ZipFile('$${ZIP_FILE}').extractall()"
+
+      chmod g-w,o-rwx $(find $${ZIP_DIR}/ -type f ! -path $${ZIP_DIR}/code/*)
+      chown -R root:52 $${ZIP_DIR}
+      mkdir -p -m 755 /etc/puppetlabs/
+      rsync -avh --no-t --exclude 'data' $${ZIP_DIR}/ /etc/puppetlabs/
+      rsync -avh --no-t --del $${ZIP_DIR}/data/ /etc/puppetlabs/data/
+      rm -rf $${ZIP_DIR}/
+
+      if [ -f /opt/puppetlabs/puppet/bin/r10k ] && [ /etc/puppetlabs/code/Puppetfile -nt /etc/puppetlabs/code/modules ]; then
+          /opt/puppetlabs/puppet/bin/r10k puppetfile install --moduledir=/etc/puppetlabs/code/modules --puppetfile=/etc/puppetlabs/code/Puppetfile
+          touch /etc/puppetlabs/code/modules
+      fi
+
+      if [ -f /usr/local/bin/consul ] && [ -f /usr/bin/jq ]; then
+          /usr/local/bin/consul event -token=$(jq -r .acl.tokens.agent /etc/consul/config.json) -name=puppet $(date +%s)
+      fi
+    permissions: 0755
+    path: /usr/sbin/update_etc_puppetlabs.sh
   - content: |
       ---
       general:

diff --git a/common/outputs.tf b/common/outputs.tf
@@ -37,8 +37,3 @@ output "accounts" {
     }
   }
 }
-
-output "ssh_private_key" {
-  value     = module.configuration.ssh_key.private
-  sensitive = true
-}
diff --git a/common/provision/main.tf b/common/provision/main.tf
@@ -4,7 +4,6 @@ variable "terraform_data" { }
 variable "terraform_facts" { }
 variable "hieradata" { }
 variable "hieradata_dir" { }
-variable "sudoer_username" { }
 variable "tf_ssh_key" { }
 variable "eyaml_key" { }
 variable "puppetfile" { }
@@ -65,9 +64,9 @@ resource "terraform_data" "deploy_puppetserver_files" {
   connection {
     type                = "ssh"
     bastion_host        = var.bastions[keys(var.bastions)[0]].public_ip
-    bastion_user        = var.sudoer_username
+    bastion_user        = "tf"
     bastion_private_key = var.tf_ssh_key.private
-    user                = var.sudoer_username
+    user                = "tf"
     host                = each.value
     private_key         = var.tf_ssh_key.private
   }
@@ -81,15 +80,10 @@ resource "terraform_data" "deploy_puppetserver_files" {
     destination = "${local.provision_folder}.zip"
   }
 
-  provisioner "file" {
-    content     = file("${path.module}/update_etc_puppetlabs.sh")
-    destination = "update_etc_puppetlabs.sh"
-  }
-
   provisioner "remote-exec" {
     inline = [
-      "sudo bash update_etc_puppetlabs.sh ${local.provision_folder}.zip",
-      "rm ${local.provision_folder}.zip update_etc_puppetlabs.sh"
+      "sudo /usr/sbin/update_etc_puppetlabs.sh ${local.provision_folder}.zip",
+      "rm ${local.provision_folder}.zip"
     ]
   }
 }
diff --git a/common/provision/update_etc_puppetlabs.sh b/common/provision/update_etc_puppetlabs.sh
diff --git a/common/variables.tf b/common/variables.tf
@@ -133,12 +133,6 @@ variable "firewall_rules" {
   description = "Map of ingress firewall rules. Rules are defined as object({from_port, to_port, tag, cidr, ethertype, protocol})."
 }
 
-variable "generate_ssh_key" {
-  type        = bool
-  default     = false
-  description = "If set to true, Terraform will generate an ssh key pair to connect to the cluster. Default: false"
-}
-
 variable "software_stack" {
   type        = string
   default     = "alliance"

diff --git a/dns/acme/main.tf b/dns/acme/main.tf
diff --git a/dns/acme/versions.tf b/dns/acme/versions.tf