From e549787e90ad2cfec8e95412c4d4da3dece6d38f Mon Sep 17 00:00:00 2001 From: J Cole Morrison Date: Wed, 29 Apr 2020 17:52:40 -0700 Subject: [PATCH] generate and trust certificate --- files/userdata_template.sh | 45 ++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/files/userdata_template.sh b/files/userdata_template.sh index 3ca4acf..6827c6b 100644 --- a/files/userdata_template.sh +++ b/files/userdata_template.sh @@ -5,6 +5,7 @@ MIME-Version: 1.0 Content-Type: text/x-shellscript; charset="us-ascii" #!/bin/bash +set -e # Run Order: 1 # Run Frequency: only once, on first boot @@ -24,17 +25,17 @@ yum install -y jq useradd --system --shell /sbin/nologin vault # Make the directories -mkdir -p "/opt/vault" -mkdir -p "/opt/vault/bin" -mkdir -p "/opt/vault/config" -mkdir -p "/opt/vault/tls" +mkdir -p /opt/vault +mkdir -p /opt/vault/bin +mkdir -p /opt/vault/config +mkdir -p /opt/vault/tls # Give corret permissions -chmod 755 "/opt/vault" -chmod 755 "/opt/vault/bin" +chmod 755 /opt/vault +chmod 755 /opt/vault/bin # Change ownership to vault user -chown -R "vault:vault" "/opt/vault" +chown -R vault:vault /opt/vault # Download the vault bin curl -o /tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip @@ -46,7 +47,7 @@ unzip -d /tmp /tmp/vault.zip mv /tmp/vault /opt/vault/bin # give ownership to the vault user -chown vault:vault /opt/vault/bin +chown vault:vault /opt/vault/bin/vault # create a symlink ln -s /opt/vault/bin/vault /usr/local/bin/vault @@ -58,6 +59,7 @@ setcap cap_ipc_lock=+ep /opt/vault/bin/vault Content-Type: text/x-shellscript; charset="us-ascii" #!/bin/bash +set -e # Run Order: 2 # Run Frequency: only once, on first boot @@ -75,15 +77,25 @@ INSTANCE_DNS_NAME=$(curl http://169.254.169.254/latest/meta-data/local-hostname) # ...or paying $400/month base for the ACM private CA. openssl req -x509 -sha256 -nodes \ -newkey rsa:4096 -days 3650 \ - -keyout /opt/vault/tls/vault.pem -out /opt/vault/tls/vault.crt \ + -keyout /opt/vault/tls/vault.key -out /opt/vault/tls/vault.crt \ -subj "/CN=$INSTANCE_DNS_NAME" \ -extensions san \ -config <(cat /etc/pki/tls/openssl.cnf <(echo -e "\n[san]\nsubjectAltName=DNS:$INSTANCE_DNS_NAME,IP:$INSTANCE_IP_ADDR")) +chown vault:vault /opt/vault/tls/vault.key +chown vault:vault /opt/vault/tls/vault.crt + +chmod 640 /opt/vault/tls/vault.key +chmod 644 /opt/vault/tls/vault.crt + +# Trust the certificate +cp /opt/vault/tls/vault.crt /etc/pki/tls/certs/vault.crt + --==BOUNDARY== Content-Type: text/x-shellscript; charset="us-ascii" #!/bin/bash +set -e # Run Order: 3 # Run Frequency: only once, on first boot @@ -114,7 +126,7 @@ seal "awskms" { # Listener for loopback listener "tcp" { - address = "127.0.0.1:8200" + address = "127.0.0.1:8199" tls_disable = "true" } @@ -135,7 +147,7 @@ storage "dynamodb" { } EOF -chwon vault:vault /opt/vault/config/server.hcl +chown vault:vault /opt/vault/config/server.hcl # The systemd service file cat > /etc/systemd/system/vault.service <<- EOF @@ -175,8 +187,9 @@ EOF Content-Type: text/x-shellscript; charset="us-ascii" #!/bin/bash +set -e -# Run Order: 3 +# Run Order: 4 # Run Frequency: only once, on first boot # Tasks: @@ -194,8 +207,9 @@ systemctl restart vault Content-Type: text/x-shellscript; charset="us-ascii" #!/bin/bash +set -e -# Run Order: 4 +# Run Order: 5 # Run Frequency: only once, on first boot # Tasks: @@ -209,10 +223,9 @@ Content-Type: text/x-shellscript; charset="us-ascii" # Workaround to make sure the vault service is fully initialized. sleep 10 -export VAULT_ADDR="http://127.0.0.1:8200" +export VAULT_ADDR="http://127.0.0.1:8199" export AWS_DEFAULT_REGION="${VAULT_CLUSTER_REGION}" - -VAULT_INITIALIZED=$(vault operator init -status) +export VAULT_INITIALIZED=$(vault operator init -status) # avoid non-zero exit status function initialize_vault { # initialize and pipe to file