From 6ab8c8783f9d9d3b0456c579dd0af2431276d2ef Mon Sep 17 00:00:00 2001 From: Daniel Hill Date: Tue, 9 Mar 2021 09:48:35 +0000 Subject: [PATCH] pass SSM param names that hold Kong EE creds (#26) --- examples/hybrid_external_database/main.tf | 7 ++++ examples/hybrid_external_database/ssm.tf | 18 ++++++++-- .../hybrid_external_database/variables.tf | 10 ++++-- main.tf | 35 ++++++++++--------- templates/cloud-init.sh | 25 +++++++------ test/integration/libraries/kong_util.rb | 4 +++ variables.tf | 18 +++++++++- 7 files changed, 84 insertions(+), 33 deletions(-) diff --git a/examples/hybrid_external_database/main.tf b/examples/hybrid_external_database/main.tf index 685e03a..033e4c1 100644 --- a/examples/hybrid_external_database/main.tf +++ b/examples/hybrid_external_database/main.tf @@ -169,6 +169,13 @@ module "create_kong_cp" { vpc_cidr_block = aws_vpc.vpc.cidr_block iam_instance_profile_name = aws_iam_instance_profile.kong.name + ee_creds_ssm_param = { + license = aws_ssm_parameter.ee-license.name + bintray_username = aws_ssm_parameter.ee_bintray_username.name + bintray_password = aws_ssm_parameter.ee_bintray_password.name + admin_token = aws_ssm_parameter.ee-admin-token.name + } + asg_desired_capacity = var.asg_desired_capacity asg_max_size = var.asg_max_size asg_min_size = var.asg_min_size diff --git a/examples/hybrid_external_database/ssm.tf b/examples/hybrid_external_database/ssm.tf index 171e6d1..d05f9ec 100644 --- a/examples/hybrid_external_database/ssm.tf +++ b/examples/hybrid_external_database/ssm.tf 
@@ -17,10 +17,22 @@ resource "aws_kms_alias" "kong" { target_key_id = aws_kms_key.kong.key_id } -resource "aws_ssm_parameter" "ee-bintray-auth" { - name = format("/%s/%s/ee/bintray-auth", var.service, local.environment) +resource "aws_ssm_parameter" "ee_bintray_username" { + name = format("/%s/%s/ee/bintray-username", var.service, local.environment) type = "SecureString" - value = var.ee_bintray_auth + value = var.ee_bintray_username + + key_id = aws_kms_alias.kong.target_key_arn + + lifecycle { + ignore_changes = [value] + } +} + +resource "aws_ssm_parameter" "ee_bintray_password" { + name = format("/%s/%s/ee/bintray-password", var.service, local.environment) + type = "SecureString" + value = var.ee_bintray_password key_id = aws_kms_alias.kong.target_key_arn diff --git a/examples/hybrid_external_database/variables.tf b/examples/hybrid_external_database/variables.tf index 6cec7d8..67f5d09 100644 --- a/examples/hybrid_external_database/variables.tf +++ b/examples/hybrid_external_database/variables.tf @@ -38,8 +38,14 @@ variable "description" { default = "Kong API Gateway" } -variable "ee_bintray_auth" { - description = "enterprise repo creds" +variable "ee_bintray_username" { + description = "enterprise repo username" + type = string + default = "placeholder" +} + +variable "ee_bintray_password" { + description = "enterprise repo password" type = string default = "placeholder" } diff --git a/main.tf b/main.tf index 511f2a5..722e4a2 100644 --- a/main.tf +++ b/main.tf 
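Review bot: The new `ee_bintray_password` SecureString is seeded from `var.ee_bintray_password`, whose example default is the literal `placeholder`, and `ignore_changes = [value]` (shown on the username resource; presumably mirrored on the password resource past the end of the hunk) means Terraform will never write a real value afterwards, so a first apply without `-var` provisions a bogus credential that the install script will then present to Bintray. A comment on each resource would make the operating model explicit, e.g. `# value is written once and then ignored: set the real credential with \`aws ssm put-parameter --overwrite\` after the first apply`. Whatever value is supplied on that first apply is also persisted in Terraform state in plaintext (SecureString values are stored in state), so the state backend must be treated as holding this credential. Replacing `ee-bintray-auth` with two resources destroys the old `/…/ee/bintray-auth` parameter on apply; instances still running the previous cloud-init that reads `ee/bintray-auth` will fail to fetch credentials until they are rolled.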
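Review bot: `ee_bintray_password` is a credential but the variable is not marked sensitive, so its value is echoed in `terraform plan`/`apply` output and in any CI log that captures it; add `sensitive = true` next to `type = string` (Terraform 0.14+, which I can't confirm from the visible files). Keeping a non-null `default = "placeholder"` for a password also means a forgotten `-var` silently provisions a bogus value instead of failing at plan time; either drop the default or say in the description that it is only a seed value that must be overwritten in SSM.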
@@ -34,23 +34,24 @@ locals { user_data = templatefile("${path.module}/templates/cloud-init.cfg", {}) user_data_script = templatefile("${path.module}/templates/cloud-init.sh", { - proxy_config = var.proxy_config - db_user = var.kong_database_config.user - db_host = local.db_info.endpoint - db_name = local.db_info.database_name - ce_pkg = var.ce_pkg - ee_pkg = var.ee_pkg - parameter_path = local.ssm_parameter_path - region = var.region - vpc_cidr_block = var.vpc_cidr_block - deck_version = var.deck_version - manager_host = var.manager_host - portal_host = var.portal_host - session_secret = random_string.session_secret.result - kong_config = var.kong_config - kong_ports = var.kong_ports - kong_ssl_uris = var.kong_ssl_uris - kong_hybrid_conf = var.kong_hybrid_conf + proxy_config = var.proxy_config + db_user = var.kong_database_config.user + db_host = local.db_info.endpoint + db_name = local.db_info.database_name + ce_pkg = var.ce_pkg + ee_pkg = var.ee_pkg + ee_creds_ssm_param = var.ee_creds_ssm_param + parameter_path = local.ssm_parameter_path + region = var.region + vpc_cidr_block = var.vpc_cidr_block + deck_version = var.deck_version + manager_host = var.manager_host + portal_host = var.portal_host + session_secret = random_string.session_secret.result + kong_config = var.kong_config + kong_ports = var.kong_ports + kong_ssl_uris = var.kong_ssl_uris + kong_hybrid_conf = var.kong_hybrid_conf }) name = format("%s-%s-%s", var.service, var.environment, random_string.prefix.result) } diff --git a/templates/cloud-init.sh b/templates/cloud-init.sh index 0af2cd1..0ffa62e 100644 --- a/templates/cloud-init.sh +++ b/templates/cloud-init.sh @@ -56,7 +56,7 @@ done # Function to grab SSM parameters aws_get_parameter() { aws ssm --region ${region} get-parameter \ - --name "${parameter_path}/$1" \ + --name $1 \ --with-decryption \ --output text \ --query Parameter.Value 2>/dev/null 
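Review bot: The rewritten `--name $1` drops the quotes the previous line had, so an empty or whitespace-containing argument is word-split before it reaches the AWS CLI; keep it quoted, `--name "$1" \`. Because stderr goes to `/dev/null` on the last line, a malformed or missing name fails silently and the caller's command substitution just yields an empty string, which the EE check later in this file compares against `placeholder` rather than against empty; consider dropping the `2>/dev/null`, or logging on non-zero exit, so failures land in the cloud-init log. Callers are now responsible for the full parameter name, so a comment above the function such as `# $1 is a full SSM parameter name, not a path relative to ${parameter_path}` would keep the next caller from prepending the prefix twice. The function's closing brace is outside the hunk.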
@@ -104,14 +104,19 @@ EOF %{ endif ~} %{ endif ~} # Install Kong -echo "Installing Kong" -EE_LICENSE=$(aws_get_parameter ee/license) -EE_CREDS=$(aws_get_parameter ee/bintray-auth) +%{ if ee_creds_ssm_param.license != null && ee_creds_ssm_param.bintray_username != null && ee_creds_ssm_param.bintray_password != null && ee_creds_ssm_param.admin_token != null ~} +EE_LICENSE=$(aws_get_parameter ${ee_creds_ssm_param.license}) +EE_BINTRAY_USERNAME=$(aws_get_parameter ${ee_creds_ssm_param.bintray_username}) +EE_BINTRAY_PASSWORD=$(aws_get_parameter ${ee_creds_ssm_param.bintray_password}) +ADMIN_TOKEN=$(aws_get_parameter ${ee_creds_ssm_param.admin_token}) +%{ else ~} +EE_LICENSE="placeholder" +%{ endif ~} if [ "$EE_LICENSE" != "placeholder" ]; then + echo "Installing Kong EE" curl -sL https://kong.bintray.com/kong-enterprise-edition-deb/dists/${ee_pkg} \ - -u $EE_CREDS \ - -o ${ee_pkg} - + -u $EE_BINTRAY_USERNAME:$EE_BINTRAY_PASSWORD \ + -o ${ee_pkg} if [ ! -f ${ee_pkg} ]; then echo "Error: Enterprise edition download failed, aborting." exit 1 @@ -125,6 +130,7 @@ EOF chown root:kong /etc/kong/license.json chmod 640 /etc/kong/license.json else + echo "Installing Kong CE" curl -sL "https://bintray.com/kong/kong-deb/download_file?file_path=${ce_pkg}" \ -o ${ce_pkg} dpkg -i ${ce_pkg} @@ -134,8 +140,8 @@ fi %{ if lookup(kong_config, "KONG_ROLE", "embedded") != "data_plane" ~} # Setup database echo "Setting up Kong database" -PGPASSWORD=$(aws_get_parameter "db/password/master") -DB_PASSWORD=$(aws_get_parameter "db/password") +PGPASSWORD=$(aws_get_parameter "${parameter_path}/db/password/master") +DB_PASSWORD=$(aws_get_parameter "${parameter_path}/db/password") DB_HOST=${db_host} DB_NAME=${db_name} @@ -257,7 +263,6 @@ export KONG_PG_PASSWORD="$DB_PASSWORD" export KONG_PG_DATABASE="$DB_NAME" if [ "$EE_LICENSE" != "placeholder" ]; then - ADMIN_TOKEN=$(aws_get_parameter "ee/admin/token") kong KONG_PASSWORD=$ADMIN_TOKEN kong migrations bootstrap else kong migrations bootstrap 
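Review bot: The four `aws_get_parameter` calls in the new EE branch are unchecked: the helper discards stderr and returns an empty string when the read is denied or the name is wrong, and an empty `EE_LICENSE` is `!= "placeholder"`, so the script continues down the EE path with empty Bintray credentials, writes an empty `/etc/kong/license.json` and later runs `KONG_PASSWORD=$ADMIN_TOKEN kong migrations bootstrap` with an empty token (what Kong does with that I can't tell from here). This matters more now that the names are caller-supplied and may sit outside the `${parameter_path}` prefix an instance-profile policy is typically scoped to. Separately, `-u $EE_BINTRAY_USERNAME:$EE_BINTRAY_PASSWORD` places the password on the curl command line, where any local process can read it via `ps` for the duration of the download; a 0600 `mktemp` config passed with `-K` keeps it off the command line (a password containing `"` would need escaping in that file). The proposed guard and download replacement follow; the rest of the hunk is unchanged.
```shell
EE_LICENSE=$(aws_get_parameter "${ee_creds_ssm_param.license}")
EE_BINTRAY_USERNAME=$(aws_get_parameter "${ee_creds_ssm_param.bintray_username}")
EE_BINTRAY_PASSWORD=$(aws_get_parameter "${ee_creds_ssm_param.bintray_password}")
ADMIN_TOKEN=$(aws_get_parameter "${ee_creds_ssm_param.admin_token}")
# Fail closed: a denied or misnamed SSM read yields "" (stderr is discarded in aws_get_parameter),
# and "" would otherwise pass the != "placeholder" test below.
if [ -z "$EE_LICENSE" ] || [ -z "$EE_BINTRAY_USERNAME" ] || [ -z "$EE_BINTRAY_PASSWORD" ] || [ -z "$ADMIN_TOKEN" ]; then
  echo "Error: could not read Kong EE credentials from SSM, aborting."
  exit 1
fi
# … unchanged: else/endif of the template conditional, if [ "$EE_LICENSE" != "placeholder" ] …
  # Keep the Bintray password off the command line (visible in ps); mktemp creates the file 0600.
  CURL_AUTH=$(mktemp)
  printf 'user = "%s:%s"\n' "$EE_BINTRAY_USERNAME" "$EE_BINTRAY_PASSWORD" > "$CURL_AUTH"
  curl -sL https://kong.bintray.com/kong-enterprise-edition-deb/dists/${ee_pkg} \
    -K "$CURL_AUTH" \
    -o ${ee_pkg}
  rm -f "$CURL_AUTH"
# … unchanged: download check, license.json install, CE branch …
```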
diff --git a/test/integration/libraries/kong_util.rb b/test/integration/libraries/kong_util.rb
index e69a0c6..5b6fc20 100644
--- a/test/integration/libraries/kong_util.rb
+++ b/test/integration/libraries/kong_util.rb
@@ -14,6 +14,10 @@ def wait(url, max=500)
 break
 rescue Exception => e
 count += 1
+ if count == max
+ raise 'There was an issue with contancting the Kong control plane, check if the Kong service is running'
+ end
+
 sleep 1
 next
 end
diff --git a/variables.tf b/variables.tf
index ab6c2c3..7e45e6b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -166,7 +166,23 @@ variable "ce_pkg" {
 variable "ee_pkg" {
 description = "Filename of the Enterprise Edition package"
 type = string
- default = "kong-enterprise-eition-2.3.2.0.focal.all.deb"
+ default = "kong-enterprise-edition-2.3.2.0.focal.all.deb"
+}
+
+variable "ee_creds_ssm_param" {
+ description = "(optional) SSM parameter names where customer's Kong enterprise license credentials are stored"
+ type = object({
+ license = string
+ bintray_username = string
+ bintray_password = string
+ admin_token = string
+ })
+ default = {
+ license = null
+ bintray_username = null
+ bintray_password = null
+ admin_token = null
+ }
 }
 
 variable "region" {
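Review bot: The new `raise` on the `count == max` branch discards the rescued exception `e`, so after `max` failed attempts the test reports only the generic message and not whether the last failure was a connection refusal, a TLS error or an HTTP error; include it, e.g. `raise "Kong control plane at #{url} did not respond after #{max} attempts (#{e.class}: #{e.message})"`, which also fixes the `contancting` typo. The raise is safe inside the handler because a `rescue` does not re-catch an exception raised from its own body, but the surrounding `rescue Exception` (pre-existing context) also swallows `Interrupt` and `SystemExit`, so the loop cannot be stopped with Ctrl-C for up to `max` seconds; `rescue StandardError => e` would be the conventional choice. `wait` begins and ends outside the hunk.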
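Review bot: The object type requires all four attributes, but the defaults are all `null` and the cloud-init template only takes the EE path when every one of the four is non-null, so a caller who sets `license` and the Bintray pair but forgets `admin_token` gets a silent Community Edition install rather than an error. A `validation` block rejecting partial configuration at plan time would make that failure visible (needs Terraform 0.13+, which the visible files don't pin). The description should also say that the names are passed verbatim to `ssm get-parameter --with-decryption` from the instance, so the instance profile must be allowed `ssm:GetParameter` and `kms:Decrypt` on them. `variable "region"` continues outside the hunk.
```hcl
variable "ee_creds_ssm_param" {
  description = "(optional) Full SSM parameter names holding the Kong Enterprise license, Bintray username/password and admin token. Set all four or none; the instance profile must be able to read and decrypt them."
  # … unchanged: type = object({ … }) and default = { … } …

  validation {
    condition     = alltrue([for v in values(var.ee_creds_ssm_param) : v != null]) || alltrue([for v in values(var.ee_creds_ssm_param) : v == null])
    error_message = "ee_creds_ssm_param must set all four parameter names or leave all four null."
  }
}
```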