pass SSM param names that hold Kong EE creds (#26)

dwp · Mar 9, 2021 · 6ab8c87 · 6ab8c87
1 parent 0995f61
commit 6ab8c87
Show file tree

Hide file tree

Showing 7 changed files with 84 additions and 33 deletions.
diff --git a/examples/hybrid_external_database/main.tf b/examples/hybrid_external_database/main.tf
@@ -169,6 +169,13 @@ module "create_kong_cp" {
   vpc_cidr_block            = aws_vpc.vpc.cidr_block
   iam_instance_profile_name = aws_iam_instance_profile.kong.name
 
+  ee_creds_ssm_param = {
+    license          = aws_ssm_parameter.ee-license.name
+    bintray_username = aws_ssm_parameter.ee_bintray_username.name
+    bintray_password = aws_ssm_parameter.ee_bintray_password.name
+    admin_token      = aws_ssm_parameter.ee-admin-token.name
+  }
+
   asg_desired_capacity = var.asg_desired_capacity
   asg_max_size         = var.asg_max_size
   asg_min_size         = var.asg_min_size

diff --git a/examples/hybrid_external_database/ssm.tf b/examples/hybrid_external_database/ssm.tf
@@ -17,10 +17,22 @@ resource "aws_kms_alias" "kong" {
   target_key_id = aws_kms_key.kong.key_id
 }
 
-resource "aws_ssm_parameter" "ee-bintray-auth" {
-  name  = format("/%s/%s/ee/bintray-auth", var.service, local.environment)
+resource "aws_ssm_parameter" "ee_bintray_username" {
+  name  = format("/%s/%s/ee/bintray-username", var.service, local.environment)
   type  = "SecureString"
-  value = var.ee_bintray_auth
+  value = var.ee_bintray_username
+
+  key_id = aws_kms_alias.kong.target_key_arn
+
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
+
+resource "aws_ssm_parameter" "ee_bintray_password" {
+  name  = format("/%s/%s/ee/bintray-password", var.service, local.environment)
+  type  = "SecureString"
+  value = var.ee_bintray_password
 
   key_id = aws_kms_alias.kong.target_key_arn
 

diff --git a/examples/hybrid_external_database/variables.tf b/examples/hybrid_external_database/variables.tf
@@ -38,8 +38,14 @@ variable "description" {
   default     = "Kong API Gateway"
 }
 
-variable "ee_bintray_auth" {
-  description = "enterprise repo creds"
+variable "ee_bintray_username" {
+  description = "enterprise repo username"
+  type        = string
+  default     = "placeholder"
+}
+
+variable "ee_bintray_password" {
+  description = "enterprise repo password"
   type        = string
   default     = "placeholder"
 }

diff --git a/main.tf b/main.tf
@@ -34,23 +34,24 @@ locals {
 
   user_data = templatefile("${path.module}/templates/cloud-init.cfg", {})
   user_data_script = templatefile("${path.module}/templates/cloud-init.sh", {
-    proxy_config     = var.proxy_config
-    db_user          = var.kong_database_config.user
-    db_host          = local.db_info.endpoint
-    db_name          = local.db_info.database_name
-    ce_pkg           = var.ce_pkg
-    ee_pkg           = var.ee_pkg
-    parameter_path   = local.ssm_parameter_path
-    region           = var.region
-    vpc_cidr_block   = var.vpc_cidr_block
-    deck_version     = var.deck_version
-    manager_host     = var.manager_host
-    portal_host      = var.portal_host
-    session_secret   = random_string.session_secret.result
-    kong_config      = var.kong_config
-    kong_ports       = var.kong_ports
-    kong_ssl_uris    = var.kong_ssl_uris
-    kong_hybrid_conf = var.kong_hybrid_conf
+    proxy_config       = var.proxy_config
+    db_user            = var.kong_database_config.user
+    db_host            = local.db_info.endpoint
+    db_name            = local.db_info.database_name
+    ce_pkg             = var.ce_pkg
+    ee_pkg             = var.ee_pkg
+    ee_creds_ssm_param = var.ee_creds_ssm_param
+    parameter_path     = local.ssm_parameter_path
+    region             = var.region
+    vpc_cidr_block     = var.vpc_cidr_block
+    deck_version       = var.deck_version
+    manager_host       = var.manager_host
+    portal_host        = var.portal_host
+    session_secret     = random_string.session_secret.result
+    kong_config        = var.kong_config
+    kong_ports         = var.kong_ports
+    kong_ssl_uris      = var.kong_ssl_uris
+    kong_hybrid_conf   = var.kong_hybrid_conf
   })
   name = format("%s-%s-%s", var.service, var.environment, random_string.prefix.result)
 }

diff --git a/templates/cloud-init.sh b/templates/cloud-init.sh
@@ -56,7 +56,7 @@ done
 # Function to grab SSM parameters
 aws_get_parameter() {
     aws ssm --region ${region} get-parameter \
-        --name "${parameter_path}/$1" \
+        --name $1 \
         --with-decryption \
         --output text \
         --query Parameter.Value 2>/dev/null
@@ -104,14 +104,19 @@ EOF
 %{ endif ~}
 %{ endif ~}
 # Install Kong
-echo "Installing Kong"
-EE_LICENSE=$(aws_get_parameter ee/license)
-EE_CREDS=$(aws_get_parameter ee/bintray-auth)
+%{ if ee_creds_ssm_param.license != null && ee_creds_ssm_param.bintray_username != null && ee_creds_ssm_param.bintray_password != null && ee_creds_ssm_param.admin_token != null ~}
+EE_LICENSE=$(aws_get_parameter ${ee_creds_ssm_param.license})
+EE_BINTRAY_USERNAME=$(aws_get_parameter ${ee_creds_ssm_param.bintray_username})
+EE_BINTRAY_PASSWORD=$(aws_get_parameter ${ee_creds_ssm_param.bintray_password})
+ADMIN_TOKEN=$(aws_get_parameter ${ee_creds_ssm_param.admin_token})
+%{ else ~}
+EE_LICENSE="placeholder"
+%{ endif ~}
 if [ "$EE_LICENSE" != "placeholder" ]; then
+    echo "Installing Kong EE"
     curl -sL https://kong.bintray.com/kong-enterprise-edition-deb/dists/${ee_pkg} \
-        -u $EE_CREDS \
-        -o ${ee_pkg}
-
+        -u $EE_BINTRAY_USERNAME:$EE_BINTRAY_PASSWORD \
+        -o ${ee_pkg} 
     if [ ! -f ${ee_pkg} ]; then
         echo "Error: Enterprise edition download failed, aborting."
         exit 1
@@ -125,6 +130,7 @@ EOF
     chown root:kong /etc/kong/license.json
     chmod 640 /etc/kong/license.json
 else
+    echo "Installing Kong CE"
     curl -sL "https://bintray.com/kong/kong-deb/download_file?file_path=${ce_pkg}" \
         -o ${ce_pkg}
     dpkg -i ${ce_pkg}
@@ -134,8 +140,8 @@ fi
 %{ if lookup(kong_config, "KONG_ROLE", "embedded") != "data_plane" ~}
 # Setup database
 echo "Setting up Kong database"
-PGPASSWORD=$(aws_get_parameter "db/password/master")
-DB_PASSWORD=$(aws_get_parameter "db/password")
+PGPASSWORD=$(aws_get_parameter "${parameter_path}/db/password/master")
+DB_PASSWORD=$(aws_get_parameter "${parameter_path}/db/password")
 
 DB_HOST=${db_host}
 DB_NAME=${db_name}
@@ -257,7 +263,6 @@ export KONG_PG_PASSWORD="$DB_PASSWORD"
 export KONG_PG_DATABASE="$DB_NAME"
 
 if [ "$EE_LICENSE" != "placeholder" ]; then
-    ADMIN_TOKEN=$(aws_get_parameter "ee/admin/token")
     kong KONG_PASSWORD=$ADMIN_TOKEN kong migrations bootstrap
 else
     kong migrations bootstrap

diff --git a/test/integration/libraries/kong_util.rb b/test/integration/libraries/kong_util.rb
@@ -14,6 +14,10 @@ def wait(url, max=500)
       break
     rescue Exception => e
       count += 1
+      if count == max
+        raise 'There was an issue with contancting the Kong control plane, check if the Kong service is running'
+      end
+
       sleep 1
       next
     end

diff --git a/variables.tf b/variables.tf
@@ -166,7 +166,23 @@ variable "ce_pkg" {
 variable "ee_pkg" {
   description = "Filename of the Enterprise Edition package"
   type        = string
-  default     = "kong-enterprise-eition-2.3.2.0.focal.all.deb"
+  default     = "kong-enterprise-edition-2.3.2.0.focal.all.deb"
+}
+
+variable "ee_creds_ssm_param" {
+  description = "(optional) SSM parameter names where customer's Kong enterprise license credentials are stored"
+  type = object({
+    license          = string
+    bintray_username = string
+    bintray_password = string
+    admin_token      = string
+  })
+  default = {
+    license          = null
+    bintray_username = null
+    bintray_password = null
+    admin_token      = null
+  }
 }
 
 variable "region" {