Merge pull request #2712 from cgolubi1/224_lets_encrypt

Support SSL on AWS-based buttonmen sites
buttonmen-dev · Apr 7, 2021 · 8d7fdbf · 8d7fdbf
2 parents e1b6544 + cbc6847
commit 8d7fdbf
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 0 deletions.
diff --git a/deploy/vagrant/manifests/init.pp b/deploy/vagrant/manifests/init.pp
@@ -53,6 +53,7 @@
   include "postfix::base"
   include "user::buttonmen-devs"
   include "sudo::buttonmen-devs"
+  include "fqdn::base"
 
   # Node configuration needed for the buttonmen server
   include "apache::server::vagrant"

diff --git a/deploy/vagrant/modules/apache/manifests/init.pp b/deploy/vagrant/modules/apache/manifests/init.pp
@@ -16,6 +16,13 @@
 
   # Monitor the error log
   include "apache::server::feature::monitor-logs"
+
+  # Install and configure letsencrypt (SSL/certbot) for AWS instances 
+  case "${ec2_services_partition}" {
+    "aws": {
+      include "apache::server::feature::letsencrypt"
+    }
+  }
 }
 
 class apache::server::vagrant {
@@ -70,3 +77,21 @@
       minute => 5;
   }
 }
+
+class apache::server::feature::letsencrypt {
+
+  # Install the certbot package
+  package {
+    "python-certbot-apache": ensure => installed;
+  }
+
+  exec {
+    # Run certbot to configure LetsEncrypt
+    # If the site has the special FQDN indicating it's a non-networked sandbox, don't run certbot
+    "apache_certbot_setup":
+      command => "/usr/bin/certbot --apache -d $(/bin/cat /usr/local/etc/bmsite_fqdn) -n --email help@buttonweavers.com --agree-tos",
+      require => [ Exec["fqdn_populate_etc_file"], Package["python-certbot-apache"] ],
+      creates => "/etc/letsencrypt/live",
+      unless => "/bin/grep -q sandbox.buttonweavers.com /usr/local/etc/bmsite_fqdn";
+  }
+}
diff --git a/deploy/vagrant/modules/fqdn/manifests/init.pp b/deploy/vagrant/modules/fqdn/manifests/init.pp
@@ -0,0 +1,23 @@
+#####
+# This provides information about the FQDN used for an EC2 site,
+# so that consumers like letsencrypt or cloudwatch can access that
+# information if it exists.
+#
+# This module does not change /etc/hosts or /etc/hostname
+
+class fqdn::base {
+  file {
+    # The script that queries EC2 instance tags to get an FQDN 
+    "/usr/local/bin/fqdn_from_ec2_tags":
+      ensure => file,
+      content => template("fqdn/from_ec2_tags.erb"),
+      mode => 555;
+  }
+
+  # Use fqdn_from_ec2_tags to populate or update a site file
+  exec {
+    "fqdn_populate_etc_file":
+      command => "/usr/local/bin/fqdn_from_ec2_tags /usr/local/etc/bmsite_fqdn",
+      require => [ File["/usr/local/bin/fqdn_from_ec2_tags"] ];
+  }
+}
diff --git a/deploy/vagrant/modules/fqdn/templates/from_ec2_tags.erb b/deploy/vagrant/modules/fqdn/templates/from_ec2_tags.erb
@@ -0,0 +1,22 @@
+#!/bin/bash
+##### fqdn_from_ec2_tags
+# Get the FQDN from EC2 instance tags
+
+# Optionally put the FQDN in a file, otherwise just print it to STDOUT
+OUTPUT_FILE=$1
+
+FQDN=""
+<% if @ec2_services_partition == "aws" -%>
+FQDN=$(aws ec2 describe-tags --region <%= ec2_placement_region %> --filters "Name=resource-id,Values=<%= ec2_instance_id %>" "Name=key,Values=fqdn" | grep Value | awk -F\" '{print $4}')
+<% end -%>
+
+# Use a static fake site name for both non-AWS instances and instances that failed the above check
+if [ "${FQDN}" = "" ]; then
+  FQDN="sandbox.buttonweavers.com"
+fi
+
+if [ "${OUTPUT_FILE}" = "" ]; then
+  echo $FQDN
+else
+  echo "${FQDN}" > ${OUTPUT_FILE}
+fi