From 50322cbf7970cb5a3d2dc910aa16bc5ffbe49481 Mon Sep 17 00:00:00 2001
From: matthieu42morin
Date: Thu, 29 Feb 2024 18:25:21 +0100
Subject: [PATCH] userdate_template port to Debian, apt, aws cli install
---
 files/userdata_template.sh | 92 +++++++++++++++++++++++++++++++-------
 1 file changed, 75 insertions(+), 17 deletions(-)
diff --git a/files/userdata_template.sh b/files/userdata_template.sh
index e0d8854..fb8b9c2 100644
--- a/files/userdata_template.sh
+++ b/files/userdata_template.sh
@@ -18,8 +18,7 @@ set -e
 # Note: dollar-sign curly braces are template values from Terraform.
 # Non curly brace ones are normal bash variables...
-yum update -y
-yum install -y jq
+sudo apt update -y && sudo apt install gpg wget -y
 # Make the user
 useradd --system --shell /sbin/nologin vault
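Review bot: `sudo apt install gpg wget -y` drops `jq`, which the removed `yum install -y jq` line installed; if anything later in the script (outside this hunk) still calls `jq`, it now fails on the Debian image, so either keep `jq` in the package list or confirm it is unused. The `sudo` prefix is also inconsistent with the surrounding context: `useradd --system --shell /sbin/nologin vault` two lines below runs without it, and the `Content-Type: text/x-shellscript` MIME context in the last hunk suggests this runs from cloud-init userdata, which typically already executes as root, so `sudo` adds nothing and fails on images where it is not installed. For an unattended install the scripted form is `DEBIAN_FRONTEND=noninteractive apt-get install -y gpg wget`, since `apt`'s command-line interface is not meant for scripts and may prompt.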
@@ -37,21 +36,80 @@ chmod 755 /opt/vault/bin
 # Change ownership to vault user
 chown -R vault:vault /opt/vault
-# Get the HashiCorp PGP
-curl https://keybase.io/hashicorp/pgp_keys.asc | gpg --import
+# === Install Vault via apt ===
+# Get the keyring
+wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
-# Download vault and signatures
-curl -Os https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
-curl -Os https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS
-curl -Os https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig
+# Verify the keyring
+gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
-# Verify Signatres
-gpg --verify vault_${VAULT_VERSION}_SHA256SUMS.sig vault_${VAULT_VERSION}_SHA256SUMS
-cat vault_${VAULT_VERSION}_SHA256SUMS | grep vault_${VAULT_VERSION}_linux_amd64.zip | sha256sum -c
+# Check the exit status of the last command
+if [ $? -eq 0 ]; then
+ # If the exit status is 0 (which means the previous command was successful), add the repo
+ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-# unzip and move to /opt/vault/bin
-unzip vault_${VAULT_VERSION}_linux_amd64.zip
-mv vault /opt/vault/bin
+ # Install the vault
+ sudo apt update && sudo apt install vault -y
+else
+ # If the exit status is not 0 (which means the previous command failed), print an error message and exit
+ echo "Keyring verification failed. Exiting."
+ exit 1
+fi
+
+# === Install AWS CLI ===
+# Either x86_64 or aarm64
+Architecture=$(uname -m)
+
+printf '%s\n' "Installing / Updating AWS-Cli" "-----------------" "$Architecture"
+
+echo "downloading..."
+curl "https://awscli.amazonaws.com/awscli-exe-linux-$Architecture.zip" -o "awscliv2.zip"
+sleep 1
+
+# create public gpg key
+cat < aws-cli-public.gpg
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG
+ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx
+PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G
+TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz
+gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk
+C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG
+94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO
+lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG
+fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG
+EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX
+XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB
+tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4CGwMF
+CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQT7Xbd/1cEYuAURraimMQrMRnJHXAUC
+ZMKcEgUJCSEf3QAKCRCmMQrMRnJHXCilD/4vior9J5tB+icri5WbDudS3ak/ve4q
+XS6ZLm5S8l+CBxy5aLQUlyFhuaaEHDC11fG78OduxatzeHENASYVo3mmKNwrCBza
+NJaeaWKLGQT0MKwBSP5aa3dva8P/4oUP9GsQn0uWoXwNDWfrMbNI8gn+jC/3MigW
+vD3fu6zCOWWLITNv2SJoQlwILmb/uGfha68o4iTBOvcftVRuao6DyqF+CrHX/0j0
+klEDQFMY9M4tsYT7X8NWfI8Vmc89nzpvL9fwda44WwpKIw1FBZP8S0sgDx2xDsxv
+L8kM2GtOiH0cHqFO+V7xtTKZyloliDbJKhu80Kc+YC/TmozD8oeGU2rEFXfLegwS
+zT9N+jB38+dqaP9pRDsi45iGqyA8yavVBabpL0IQ9jU6eIV+kmcjIjcun/Uo8SjJ
+0xQAsm41rxPaKV6vJUn10wVNuhSkKk8mzNOlSZwu7Hua6rdcCaGeB8uJ44AP3QzW
+BNnrjtoN6AlN0D2wFmfE/YL/rHPxU1XwPntubYB/t3rXFL7ENQOOQH0KVXgRCley
+sHMglg46c+nQLRzVTshjDjmtzvh9rcV9RKRoPetEggzCoD89veDA9jPR2Kw6RYkS
+XzYm2fEv16/HRNYt7hJzneFqRIjHW5qAgSs/bcaRWpAU/QQzzJPVKCQNr4y0weyg
+B8HCtGjfod0p1A==
+=gdMc
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+
+gpg --import aws-cli-public.gpg
+
+curl -o awscliv2.sig https://awscli.amazonaws.com/awscli-exe-linux-$Architecture.zip.sig
+
+gpg --verify awscliv2.sig
awscliv2.zip
+
+# -u for overwrite / update
+unzip -u awscliv2.zip
+
+sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update
+
+aws --version
 # give ownership to the vault user
 chown vault:vault /opt/vault/bin/vault
@@ -63,9 +121,9 @@ ln -s /opt/vault/bin/vault /usr/local/bin/vault
 setcap cap_ipc_lock=+ep /opt/vault/bin/vault
 # cleanup files
-rm vault_${VAULT_VERSION}_linux_amd64.zip
-rm vault_${VAULT_VERSION}_SHA256SUMS
-rm vault_${VAULT_VERSION}_SHA256SUMS.sig
+rm awscliv2.zip
+rm aws-cli-public.gpg
+rm awscliv2.sig
 --==BOUNDARY==
 Content-Type: text/x-shellscript; charset="us-ascii"
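Review bot: The keyring check built around `gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint` verifies nothing: that command only prints the fingerprints in the file and exits 0 whenever the keyring is readable, so `if [ $? -eq 0 ]` always takes the add-repository branch, and under the `set -e` shown in the first hunk's header a real gpg failure would abort the script before the test, leaving the `else` branch unreachable. A comparison against a pinned fingerprint, as below, makes the check meaningful; the expected value has to come from HashiCorp's published key, not from the file just downloaded. The removed lines also pinned `${VAULT_VERSION}` and checked the signed SHA256SUMS, whereas `sudo apt install vault -y` now installs whatever version the repository serves — if Terraform still supplies `VAULT_VERSION`, pin it with `apt install vault=<version>` or drop the variable. Separately, `curl "https://awscli.amazonaws.com/awscli-exe-linux-$Architecture.zip" -o "awscliv2.zip"` lacks `-f`, so an HTTP error page is saved as the archive and the failure only surfaces later at `gpg --verify`; `curl -fsSL` fails at the download instead. The line `cat < aws-cli-public.gpg` as rendered here is not a here-document — if the original reads `cat <<EOF > aws-cli-public.gpg` this is an extraction artifact, otherwise the key file is never written and the `gpg --import` that follows fails.
```shell
# Verify the keyring against the fingerprint published by HashiCorp (pinned here, never fetched)
expected_fpr="<HASHICORP_APT_KEY_FINGERPRINT>"   # placeholder: fill in from HashiCorp's published key
actual_fpr=$(gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --with-colons --fingerprint | awk -F: '$1 == "fpr" { print $10; exit }')
if [ "$actual_fpr" != "$expected_fpr" ]; then
  echo "Keyring verification failed. Exiting." >&2
  exit 1
fi
# … unchanged: repository line via tee, apt update / apt install vault (now unconditional, without the if/else) …
```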
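Review bot: The cleanup removes the three downloaded AWS CLI files but not the `aws/` directory that `unzip -u awscliv2.zip` in the previous hunk extracts into the working directory, so the unpacked installer is left behind after the run; add `rm -rf -- ./aws` next to `rm awscliv2.sig`. These `rm` lines also execute under the `set -e` from the first hunk's header, so a file missing after a partial run aborts the script before the `--==BOUNDARY==` line; `rm -f -- awscliv2.zip aws-cli-public.gpg awscliv2.sig` keeps the cleanup tolerant of that.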