Transition off Ansible for Packer builds (#38)

* Fix AMI build due to Packer 1.4 and Ansible 2.8 issues * Cherry pick the ami and url fixes * Revert change that slipped through the cherrypick * Clean up
adhocteam · Jun 26, 2019 · 498665c · 498665c
1 parent 3962e9d
commit 498665c
Show file tree

Hide file tree

Showing 21 changed files with 102 additions and 177 deletions.
diff --git a/ami/base.json b/ami/base.json
@@ -24,6 +24,7 @@
             "ssh_username": "{{user `ssh_username`}}",
             "ami_name": "{{user `ami_name`}}-{{isotime \"2006-01-02T03-04-05\"}}",
             "ami_description": "Ad Hoc Base (based on Amazon Linux 2 AMI)",
+            "encrypt_boot": true,
             "tags": {
                 "app": "base",
                 "docker": "true",
@@ -33,8 +34,18 @@
     ],
     "provisioners": [
         {
-            "type": "ansible",
-            "playbook_file": "playbooks/base.yml"
+            "type": "file",
+            "source": "files",
+            "destination": "/tmp"
+        },
+        {
+            "type": "file",
+            "source": "files/teleport",
+            "destination": "/tmp/files/teleport"
+        },
+        {
+            "type": "shell",
+            "script": "provision.sh"
         }
     ]
-}
+}
diff --git a/...playbooks/files/teleport/teleport-secrets → ami/files/teleport/teleport-secrets b/...playbooks/files/teleport/teleport-secrets → ami/files/teleport/teleport-secrets
diff --git a/...playbooks/files/teleport/teleport.service → ami/files/teleport/teleport.service b/...playbooks/files/teleport/teleport.service → ami/files/teleport/teleport.service
diff --git a/ami/playbooks/files/teleport/teleport.yaml → ami/files/teleport/teleport.yaml b/ami/playbooks/files/teleport/teleport.yaml → ami/files/teleport/teleport.yaml
diff --git a/...ooks/files/teleport/teleport_auth.service → ami/files/teleport/teleport_auth.service b/...ooks/files/teleport/teleport_auth.service → ami/files/teleport/teleport_auth.service
diff --git a/...oks/files/teleport/teleport_proxy.service → ami/files/teleport/teleport_proxy.service b/...oks/files/teleport/teleport_proxy.service → ami/files/teleport/teleport_proxy.service
diff --git a/...ybooks/files/teleport/teleport_proxy.yaml → ami/files/teleport/teleport_proxy.yaml b/...ybooks/files/teleport/teleport_proxy.yaml → ami/files/teleport/teleport_proxy.yaml
diff --git a/ami/playbooks/files/yum-cron.conf → ami/files/yum-cron.conf b/ami/playbooks/files/yum-cron.conf → ami/files/yum-cron.conf
diff --git a/ami/playbooks/base.yml b/ami/playbooks/base.yml
diff --git a/ami/provision.sh b/ami/provision.sh
@@ -0,0 +1,60 @@
+#! /usr/bin/env bash
+set -euo pipefail
+
+echo "--- Install yum packages"
+sudo yum -y -q update
+sudo amazon-linux-extras install docker &> /dev/null
+sudo yum install -y -q curl git jq docker yum-cron
+
+echo "--- Configure yum packages"
+# Allow sudo-less docker commands
+sudo usermod -aG docker ec2-user
+
+# Move yum-cron config into place for automated security updates
+sudo mv /tmp/files/yum-cron.conf /etc/yum/yum-cron.conf
+sudo chmod 0644 /etc/yum/yum-cron.conf
+
+echo "--- Install docker-compose"
+# Install docker-compose
+COMPOSE_URL=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | jq -rc '.assets[] | select(.name == "docker-compose-Linux-x86_64") | .browser_download_url')
+sudo curl -sSfo /usr/local/bin/docker-compose "${COMPOSE_URL}"
+sudo chmod 0755 /usr/local/bin/docker-compose
+sudo chown ec2-user:ec2-user /usr/local/bin/docker-compose
+
+echo "--- Install teleport"
+# Create a system user with a locked password for teleport
+sudo useradd -d "/var/lib/teleport/" -g "adm" -k "/dev/null" -m -r -s "/sbin/nologin" teleport
+sudo passwd -l teleport
+
+# Download info on the teleport release we are targeting
+TELEPORT_VERSION="v4.0.1"
+TELEPORT_INFO=$(curl -sSf https://dashboard.gravitational.com/webapi/releases-oss?product=teleport | jq ".items | map(select(.version == \"${TELEPORT_VERSION}\")) | .[].downloads | map(select(.name == \"teleport-${TELEPORT_VERSION}-linux-amd64-bin.tar.gz\")) | .[]")
+
+# Install teleport binaries
+cd $(mktemp -d)
+curl -sSfo teleport.tar.gz "$(echo ${TELEPORT_INFO} | jq -r .url)"
+echo "$(echo ${TELEPORT_INFO} | jq -r .sha256) teleport.tar.gz" > teleport.tar.gz.sum
+sha256sum -c --status teleport.tar.gz.sum
+tar xzf teleport.tar.gz
+sudo cp teleport/{tctl,teleport} /usr/local/bin/
+sudo chown teleport:adm /usr/local/bin/{tctl,teleport}
+cd -
+
+# Install teleports secrets script
+sudo cp /tmp/files/teleport/teleport-secrets /usr/local/bin
+sudo chown teleport:adm /usr/local/bin/teleport-secrets
+sudo chmod 0755 /usr/local/bin/teleport-secrets
+
+echo "--- Configure teleport"
+# Install teleport configuration
+sudo cp /tmp/files/teleport/teleport.yaml /etc
+sudo chmod 0644 /etc/teleport.yaml
+
+# Install teleport systemd units
+sudo cp /tmp/files/teleport/*.service /etc/systemd/system
+sudo chmod 0644 /etc/systemd/system/teleport*
+
+echo "--- Turn on systemd services"
+sudo systemctl enable --now docker
+sudo systemctl enable --now yum-cron
+sudo systemctl enable --now teleport
diff --git a/utilities/jenkins/main.tf b/utilities/jenkins/main.tf
@@ -4,8 +4,7 @@
 #######
 
 locals {
-  default_url = "jenkins.${var.env}.${var.domain_name}"
-  url         = coalesce(var.jenkins_url, local.default_url)
+  url = "jenkins.${var.domain_name}"
 }
 
 resource "aws_alb" "jenkins" {
@@ -73,33 +72,19 @@ resource "aws_route53_record" "alb" {
   records = [aws_alb.jenkins.dns_name]
 }
 
-module "cert" {
-  source = "../../wildcard_cert"
-
-  env         = var.env
-  root_domain = var.domain_name
-  domain      = local.default_url
-}
-
 resource "aws_alb_listener" "https" {
   load_balancer_arn = aws_alb.jenkins.arn
   port              = "443"
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-2016-08"
-  certificate_arn   = module.cert.arn
+  certificate_arn   = data.aws_acm_certificate.wildcard.arn
 
   default_action {
     target_group_arn = aws_alb_target_group.primary.arn
     type             = "forward"
   }
 }
 
-# Also allow it serve direct subdomains like jenkins.domain_name
-resource "aws_alb_listener_certificate" "domain_name" {
-  listener_arn    = aws_alb_listener.https.arn
-  certificate_arn = data.aws_acm_certificate.wildcard.arn
-}
-
 # Security group
 resource "aws_security_group" "alb" {
   name_prefix = "$jenkins-alb-"
@@ -153,7 +138,7 @@ resource "aws_instance" "jenkins_primary" {
   key_name      = "infrastructure"
 
   associate_public_ip_address = false
-  subnet_id                   = element(data.aws_subnet.application_subnet.*.id, 1)
+  subnet_id                   = data.aws_subnet.application_subnet[1].id
   vpc_security_group_ids      = [aws_security_group.jenkins_primary.id]
 
   iam_instance_profile = aws_iam_instance_profile.primary.name
@@ -317,7 +302,7 @@ resource "aws_instance" "jenkins_worker" {
 
   root_block_device {
     volume_type = "gp2"
-    volume_size = 40
+    volume_size = 120
     delete_on_termination = true
   }
 

diff --git a/utilities/jenkins/variables.tf b/utilities/jenkins/variables.tf
@@ -30,13 +30,9 @@ variable "ssh_proxy_sg" {
   default     = ""
 }
 
-variable "jenkins_url" {
-  description = "OPTIONAL: the URL at which jenkins will be served. Default is jenkins.{var.env}.{var.domain_name}"
-  default     = ""
-}
-
 variable "jenkins_image" {
-  description = "OPTIONAL: the image name for the container to use for the jenkins primary"
-  default     = "adhocteam/jenkins:latest"
+  type        = string
+  description = "OPTIONAL: the image tag for the adhocteam/jenkins container to use for the primary"
+  default     = "latest"
 }
 
diff --git a/utilities/main.tf b/utilities/main.tf
@@ -1,3 +1,7 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
 module "jumpbox" {
   source      = "./jumpbox"
   env         = var.env
@@ -20,7 +24,6 @@ module "jenkins" {
   domain_name   = var.domain_name
   ssh_proxy_sg  = module.teleport.security_group
   workers       = var.jenkins_workers
-  jenkins_url   = var.jenkins_url
   jenkins_image = var.jenkins_image
   github_user   = var.jenkins_github_user
 }

diff --git a/utilities/teleport/auth-user-data.tmpl b/utilities/teleport/auth-user-data.tmpl
@@ -69,7 +69,7 @@ systemctl enable --now teleport_auth
 echo "Create GitHub authenticator"
 
 # Sleep to allow time for the authentication service to start up and then retry a few times
-sleep 15
-for i in {1..5}; do sudo -u teleport /usr/local/bin/tctl create /var/lib/teleport/github.yaml && break || sleep 15; done
+sleep 60 
+for i in {1..5}; do sudo -u teleport /usr/local/bin/tctl create /var/lib/teleport/github.yaml && break || sleep 30; done
 
 echo "Teleport install complete"
diff --git a/utilities/teleport/data.tf b/utilities/teleport/data.tf
@@ -31,6 +31,11 @@ data "aws_subnet" "public_subnet" {
   }
 }
 
+data "aws_acm_certificate" "wildcard" {
+  domain      = "${var.domain_name}"
+  most_recent = true
+}
+
 data "aws_route53_zone" "external" {
   name         = var.domain_name
   private_zone = false

diff --git a/utilities/teleport/main.tf b/utilities/teleport/main.tf
@@ -6,22 +6,13 @@
 # Public DNS name for client use to connect to proxies
 resource "aws_route53_record" "public" {
   zone_id = data.aws_route53_zone.external.id
-  name    = "teleport.${var.env}"
+  name    = "teleport"
   type    = "CNAME"
   ttl     = 30
 
   records = [aws_elb.proxy.dns_name]
 }
 
-module "cert" {
-  source      = "../../wildcard_cert"
-  env         = var.env
-  root_domain = var.domain_name
-
-  # Can't use aws_route53_record.public.fqdn here to prevent cycle with ELB
-  domain = "teleport.${var.env}.${var.domain_name}"
-}
-
 # Private DNS name inside VPC for auth nodes as light-weight service discovery
 resource "aws_route53_zone" "teleport" {
   name    = "teleport.local"

diff --git a/utilities/teleport/proxy.tf b/utilities/teleport/proxy.tf
@@ -36,15 +36,15 @@ resource "aws_elb" "proxy" {
     instance_protocol  = "tcp"
     lb_port            = 443
     lb_protocol        = "ssl"
-    ssl_certificate_id = module.cert.arn
+    ssl_certificate_id = data.aws_acm_certificate.wildcard.arn
   }
 
   listener {
     instance_port      = 3080
     instance_protocol  = "tcp"
     lb_port            = 3080
     lb_protocol        = "ssl"
-    ssl_certificate_id = module.cert.arn
+    ssl_certificate_id = data.aws_acm_certificate.wildcard.arn
   }
 
   health_check {

diff --git a/utilities/teleport_subcluster/auth-user-data.tmpl b/utilities/teleport_subcluster/auth-user-data.tmpl
@@ -63,7 +63,7 @@ spec:
 EOF
 
 # Sleep to allow time for the authentication service to start up and then retry a few times
-sleep 30
-for i in {1..5}; do sudo -u teleport /usr/local/bin/tctl create /var/lib/teleport/cluster.yaml && break || sleep 30; done
+sleep 60
+for i in {1..5}; do sudo -u teleport /usr/local/bin/tctl create /var/lib/teleport/cluster.yaml && break || sleep 60; done
 
 echo "Teleport install complete"
diff --git a/utilities/teleport_subcluster/auth.tf b/utilities/teleport_subcluster/auth.tf
@@ -72,7 +72,7 @@ data "template_file" "auth_user_data" {
     cluster_name             = var.env
     main_cluster             = var.main_cluster
     main_cluster_token       = data.aws_secretsmanager_secret_version.main_cluster_token.secret_string
-    main_cluster_url         = "teleport.${var.main_cluster}.${var.domain_name}"
+    main_cluster_url         = "teleport.${var.domain_name}"
   }
 }