From 5f90095e27ed92d74760a04ae869bb6dd2adaf13 Mon Sep 17 00:00:00 2001
From: Jeremy Wood
Date: Fri, 26 Jan 2024 10:28:54 -0500
Subject: [PATCH 1/6] Add LB zone id to outputs.

---
 outputs.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/outputs.tf b/outputs.tf
index 4ee2c7d..2170caf 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,6 +3,11 @@ output "lb_dns" {
 description = "The DNS value of your LB hosting the concourse cluster. Point your FQDN to it."
 }
+output "lb_zone_id" {
+ value = aws_elb.concourse_lb.zone_id
+ description = "The zone ID of your LB hosting the concourse cluster."
+}
+
 output "web_sg" {
 value = aws_security_group.web_sg.id
 description = "ID of the security group for web boxes. Consume this by other modules as necessary--specifically locking down DB access."
From d8b4312cbe64413116dc19f27b4c68c4bce0a796 Mon Sep 17 00:00:00 2001
From: Jeremy Wood
Date: Mon, 5 Feb 2024 15:27:38 -0500
Subject: [PATCH 2/6] Generate TLS keys with terraform.

---
 asg.tf | 10 +++++-----
 keys.tf | 14 ++++++++++++++
 web_variables.tf | 12 ------------
 worker_variables.tf | 10 +---------
 4 files changed, 20 insertions(+), 26 deletions(-)
 create mode 100644 keys.tf

diff --git a/asg.tf b/asg.tf
index 58e18f4..6a11a08 100644
--- a/asg.tf
+++ b/asg.tf
@@ -1,8 +1,8 @@
 locals {
 web_interpolation_vars = {
- "authorized_worker_keys" = file(var.web_authorized_keys_path)
- "session_signing_key" = file(var.web_session_signing_key_path)
- "tsa_host_key" = file(var.web_tsa_host_key_path)
+ "authorized_worker_keys" = tls_private_key.worker_key.public_key_pem
+ "session_signing_key" = tls_private_key.session_signing_key.private_key_pem
+ "tsa_host_key" = tls_private_key.tsa_host_key.private_key_pem
 "conc_version" = var.conc_version
 "concdb_host" = var.concdb_host
 "concdb_port" = var.concdb_port
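Review bot: The three `private_key_pem` values assigned here now flow through `web_interpolation_vars`, which in a file named asg.tf is presumably rendered into launch user data, so the Concourse session signing key and TSA host key become readable by any process on the web instance via the instance metadata service and by any principal allowed `ec2:DescribeInstanceAttribute` or `ec2:DescribeLaunchTemplateVersions`. The old `file(...)` inputs had the same exposure, but `tls_private_key` adds a new one: the generated private keys are written to Terraform state in clear text, which out-of-band key files were not. I would put `# NOTE: these private keys end up in Terraform state and in instance user data; treat state-backend reads and EC2 describe rights as key-material access` above the map, and longer term pass only a secret ARN into the template and fetch the PEMs at boot with the instance role. The enclosing `locals` block continues past the end of the hunk.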
@@ -18,8 +18,8 @@ locals {
 }
 worker_interpolation_vars = {
- "tsa_public_key" = file(var.tsa_public_key_path)
- "worker_key" = file(var.worker_key_path)
+ "tsa_public_key" = tls_private_key.tsa_host_key.public_key_pem
+ "worker_key" = tls_private_key.worker_key.private_key_pem
 "conc_version" = var.conc_version
 "tsa_host" = aws_elb.concourse_lb.dns_name
 "storage_driver" = var.worker_container_storage_driver
diff --git a/keys.tf b/keys.tf
new file mode 100644
index 0000000..c58670a
--- /dev/null
+++ b/keys.tf
@@ -0,0 +1,14 @@
+resource "tls_private_key" "session_signing_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+resource "tls_private_key" "tsa_host_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+resource "tls_private_key" "worker_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
diff --git a/web_variables.tf b/web_variables.tf
index a6c0223..6df9e8b 100644
--- a/web_variables.tf
+++ b/web_variables.tf
@@ -41,18 +41,6 @@ variable "web_ingress_cidr" {
 description = "The CIDR block from whence web traffic may come for web boxes servicing traffic from workers. Defaults to anywhere, but override it as necessary. This is applied to the ELB."
 }
-variable "web_authorized_keys_path" {
- description = "The path to a file containing a list of keys that the web machine authorizes for worker access. This should be one file, similar to how id_rsa works with public keys inside."
-}
-
-variable "web_session_signing_key_path" {
- description = "The path to an OpenSSH or RSA key for signing sessions."
-}
-
-variable "web_tsa_host_key_path" {
- description = "The path to an OpenSSH or RSA key for hosting TSA connections."
-}
-
 variable "conc_fqdn" {
 description = "The FQDN where your cluster will live. Point this via your DNS to the ELB DNS provided in the output of this module otherwise you'll get some wonkiness. Note that we force HTTPS here so do not include the protocol."
 }
diff --git a/worker_variables.tf b/worker_variables.tf
index b2c3d12..f62efea 100644
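Review bot: `worker_key` is one `tls_private_key` whose private half is handed to every worker rendered from `worker_interpolation_vars`, so the whole pool shares a single identity and compromise of any one worker (or of its user data) exposes the key the web side authorizes; nothing in the hunk distinguishes workers from each other. That is a defensible trade-off for an autoscaled pool, but it should be written down, e.g. `# all workers share one key; rotate with terraform apply -replace=tls_private_key.worker_key, which re-renders web and worker user data` above the map. Pinning the TSA through `tsa_public_key` while `tsa_host` is the ELB DNS name is the right shape, since the worker then verifies the host key rather than trusting whatever answers at that name. The enclosing `locals` block extends beyond the hunk.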
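Review bot: keys.tf creates three RSA-4096 keys with no comment on what each one protects or how to rotate it, and the `tls_private_key` resource keeps the private PEM in Terraform state, so anyone who can read the state backend holds the Concourse session signing key. I would add a file header describing the roles (session signing key used by web, TSA host key presented to workers, worker key that web authorizes), stating the state exposure explicitly, and naming `terraform apply -replace=tls_private_key.<name>` as the rotation step, since there is otherwise no documented way to roll a key. RSA is a safe choice here because, as far as I recall, Concourse requires RSA for the session signing key; leave the algorithm alone unless that is verified against the pinned `var.conc_version`.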
--- a/worker_variables.tf
+++ b/worker_variables.tf
@@ -28,14 +28,6 @@ variable "worker_vol_size" {
 description = "We'll assign instance volumes of this size to your workers. Suggested retail size of 40GB."
 }
-variable "worker_key_path" {
- description = "Path to an OpenSSH or RSA key the worker uses to secure communication with."
-}
-
-variable "tsa_public_key_path" {
- description = "Path to an OpenSSH or RSA public key the worker uses to talk to the TSA with."
-}
-
 variable "worker_container_storage_driver" {
 default = "overlay"
 description = "Storage driver to use for the container runtime. Defaults to overlay."
@@ -48,4 +40,4 @@ variable "worker_patch_schedule" {
 variable "worker_dns_servers" {
 default = ["8.8.8.8", "8.8.4.4"]
 description = "Optional DNS servers. Defaults to google."
-}
\ No newline at end of file
+}
From fb43fad7935ab124d55376d66964205a91ef4409 Mon Sep 17 00:00:00 2001
From: Jeremy Wood
Date: Tue, 6 Feb 2024 16:13:16 -0500
Subject: [PATCH 3/6] Store TLS keys in Secrets Manager.

---
 asg.tf | 10 +++++-----
 keys.tf | 25 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/asg.tf b/asg.tf
index 6a11a08..584b0ea 100644
--- a/asg.tf
+++ b/asg.tf
@@ -1,8 +1,8 @@
 locals {
 web_interpolation_vars = {
- "authorized_worker_keys" = tls_private_key.worker_key.public_key_pem
- "session_signing_key" = tls_private_key.session_signing_key.private_key_pem
- "tsa_host_key" = tls_private_key.tsa_host_key.private_key_pem
+ "authorized_worker_keys" = jsondecode(aws_secretsmanager_secret_version.web_keys.secret_string).authorized_worker_keys
+ "session_signing_key" = jsondecode(aws_secretsmanager_secret_version.web_keys.secret_string).session_signing_key
+ "tsa_host_key" = jsondecode(aws_secretsmanager_secret_version.web_keys.secret_string).tsa_host_key
 "conc_version" = var.conc_version
 "concdb_host" = var.concdb_host
 "concdb_port" = var.concdb_port
@@ -18,8 +18,8 @@ locals {
 }
 worker_interpolation_vars = {
- "tsa_public_key" = tls_private_key.tsa_host_key.public_key_pem
- "worker_key" = tls_private_key.worker_key.private_key_pem
+ "tsa_public_key" = jsondecode(aws_secretsmanager_secret_version.worker_keys.secret_string).tsa_public_key
+ "worker_key" = jsondecode(aws_secretsmanager_secret_version.worker_keys.secret_string).worker_key
 "conc_version" = var.conc_version
 "tsa_host" = aws_elb.concourse_lb.dns_name
 "storage_driver" = var.worker_container_storage_driver
diff --git a/keys.tf b/keys.tf
index c58670a..531085a 100644
--- a/keys.tf
+++ b/keys.tf
@@ -12,3 +12,28 @@ resource "tls_private_key" "worker_key" {
 algorithm = "RSA"
 rsa_bits = 4096
 }
+
+resource "aws_secretsmanager_secret" "web_keys" {
+ name = "${var.conc_key_name}-web-keys"
+}
+
+resource "aws_secretsmanager_secret_version" "web_keys" {
+ secret_id = aws_secretsmanager_secret.web_keys.id
+ secret_string = jsonencode({
+ session_signing_key = tls_private_key.session_signing_key.private_key_pem,
+ tsa_host_key = tls_private_key.tsa_host_key.private_key_pem,
+ authorized_worker_keys = tls_private_key.worker_key.public_key_pem,
+ })
+}
+
+resource "aws_secretsmanager_secret" "worker_keys" {
+ name = "${var.conc_key_name}-worker-keys"
+}
+
+resource "aws_secretsmanager_secret_version" "worker_keys" {
+ secret_id = aws_secretsmanager_secret.worker_keys.id
+ secret_string = jsonencode({
+ worker_key = tls_private_key.worker_key.private_key_pem,
+ tsa_public_key = tls_private_key.tsa_host_key.public_key_pem,
+ })
+}
From 66b168420b675728ca6e1043c4aaa0f8903f14d6 Mon Sep 17 00:00:00 2001
From: Jeremy Wood
Date: Tue, 6 Feb 2024 16:52:20 -0500
Subject: [PATCH 4/6] Revert "Store TLS keys in Secrets Manager."

This reverts commit e1c7c1850dcb96a67b8ec3ef8374da1bd92f756c.
---
 asg.tf | 10 +++++-----
 keys.tf | 25 -------------------------
 2 files changed, 5 insertions(+), 30 deletions(-)

diff --git a/asg.tf b/asg.tf
index 584b0ea..6a11a08 100644
--- a/asg.tf
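Review bot: Writing the PEMs into Secrets Manager removes no existing copy of them: the `secret_string` of each `aws_secretsmanager_secret_version` is itself recorded in Terraform state alongside the `tls_private_key` outputs, and the asg.tf hunks in this same patch immediately `jsondecode` it back into the interpolation vars, so the keys still land in user data and the secret is a third copy rather than the only one. To get the benefit, pass only `aws_secretsmanager_secret.web_keys.arn` and `aws_secretsmanager_secret.worker_keys.arn` into the templates, grant each instance profile `secretsmanager:GetSecretValue` on its ARN, and have the boot script fetch and write the key files. Two smaller points on the resources as written: `aws_secretsmanager_secret` keeps a 30-day recovery window by default, so a destroy and re-apply with the same `var.conc_key_name` will fail on the name until the old secret is force-deleted or `recovery_window_in_days` is set, and no `kms_key_id` is given, which is fine for the AWS-managed key but worth a comment if a CMK was intended. Patch 4/6 reverts this commit, so these apply only if the approach is revisited.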
+++ b/asg.tf
@@ -1,8 +1,8 @@
 locals {
 web_interpolation_vars = {
- "authorized_worker_keys" = jsondecode(aws_secretsmanager_secret_version.web_keys.secret_string).authorized_worker_keys
- "session_signing_key" = jsondecode(aws_secretsmanager_secret_version.web_keys.secret_string).session_signing_key
- "tsa_host_key" = jsondecode(aws_secretsmanager_secret_version.web_keys.secret_string).tsa_host_key
+ "authorized_worker_keys" = tls_private_key.worker_key.public_key_pem
+ "session_signing_key" = tls_private_key.session_signing_key.private_key_pem
+ "tsa_host_key" = tls_private_key.tsa_host_key.private_key_pem
 "conc_version" = var.conc_version
 "concdb_host" = var.concdb_host
 "concdb_port" = var.concdb_port
@@ -18,8 +18,8 @@ locals {
 }
 worker_interpolation_vars = {
- "tsa_public_key" = jsondecode(aws_secretsmanager_secret_version.worker_keys.secret_string).tsa_public_key
- "worker_key" = jsondecode(aws_secretsmanager_secret_version.worker_keys.secret_string).worker_key
+ "tsa_public_key" = tls_private_key.tsa_host_key.public_key_pem
+ "worker_key" = tls_private_key.worker_key.private_key_pem
 "conc_version" = var.conc_version
 "tsa_host" = aws_elb.concourse_lb.dns_name
 "storage_driver" = var.worker_container_storage_driver
diff --git a/keys.tf b/keys.tf
index 531085a..c58670a 100644
--- a/keys.tf
+++ b/keys.tf
@@ -12,28 +12,3 @@ resource "tls_private_key" "worker_key" {
 algorithm = "RSA"
 rsa_bits = 4096
 }
-
-resource "aws_secretsmanager_secret" "web_keys" {
- name = "${var.conc_key_name}-web-keys"
-}
-
-resource "aws_secretsmanager_secret_version" "web_keys" {
- secret_id = aws_secretsmanager_secret.web_keys.id
- secret_string = jsonencode({
- session_signing_key = tls_private_key.session_signing_key.private_key_pem,
- tsa_host_key = tls_private_key.tsa_host_key.private_key_pem,
- authorized_worker_keys = tls_private_key.worker_key.public_key_pem,
- })
-}
-
-resource "aws_secretsmanager_secret" "worker_keys" {
- name = "${var.conc_key_name}-worker-keys"
-}
-
-resource "aws_secretsmanager_secret_version" "worker_keys" {
- secret_id = aws_secretsmanager_secret.worker_keys.id
- secret_string = jsonencode({
- worker_key = tls_private_key.worker_key.private_key_pem,
- tsa_public_key = tls_private_key.tsa_host_key.public_key_pem,
- })
-}
From 0f61633d1a98ba788eb436cf9ef884bea09c1427 Mon Sep 17 00:00:00 2001
From: Jeremy Wood
Date: Tue, 6 Feb 2024 16:53:20 -0500
Subject: [PATCH 5/6] Use openssh format for public keys.

---
 asg.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/asg.tf b/asg.tf
index 6a11a08..9eb0281 100644
--- a/asg.tf
+++ b/asg.tf
@@ -1,6 +1,6 @@
 locals {
 web_interpolation_vars = {
- "authorized_worker_keys" = tls_private_key.worker_key.public_key_pem
+ "authorized_worker_keys" = tls_private_key.worker_key.public_key_openssh
 "session_signing_key" = tls_private_key.session_signing_key.private_key_pem
 "tsa_host_key" = tls_private_key.tsa_host_key.private_key_pem
 "conc_version" = var.conc_version
@@ -18,7 +18,7 @@ locals {
 }
 worker_interpolation_vars = {
- "tsa_public_key" = tls_private_key.tsa_host_key.public_key_pem
+ "tsa_public_key" = tls_private_key.tsa_host_key.public_key_openssh
 "worker_key" = tls_private_key.worker_key.private_key_pem
 "conc_version" = var.conc_version
 "tsa_host" = aws_elb.concourse_lb.dns_name
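Review bot: After this hunk the map mixes OpenSSH-format public keys with PEM private keys and nothing says why, and the earlier commits in this series show that the PEM form for `authorized_worker_keys` was tried first, so the next reader is likely to "normalise" it back. A one-line comment above the map would pin the decision: `# Concourse reads the authorized-keys file and the TSA public key in OpenSSH format; private keys stay PEM`; the same comment, or a cross-reference to it, belongs above the `tsa_public_key` change in the following hunk. As far as I recall the provider's `public_key_openssh` value ends with a newline, which is harmless for a single-key authorized_keys file but worth knowing if the template ever concatenates several keys, so verify the rendered file once. The enclosing `locals` block continues outside the hunk.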
From 60c54755a2c7c3f77548641e2076c9e7bd44568b Mon Sep 17 00:00:00 2001
From: Jeremy Wood
Date: Fri, 1 Mar 2024 14:56:34 -0500
Subject: [PATCH 6/6] Revert "Add LB zone id to outputs."

This reverts commit 5f90095e27ed92d74760a04ae869bb6dd2adaf13.
---
 outputs.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/outputs.tf b/outputs.tf
index 2170caf..4ee2c7d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,11 +3,6 @@ output "lb_dns" {
 description = "The DNS value of your LB hosting the concourse cluster. Point your FQDN to it."
 }
-output "lb_zone_id" {
- value = aws_elb.concourse_lb.zone_id
- description = "The zone ID of your LB hosting the concourse cluster."
-}
-
 output "web_sg" {
 value = aws_security_group.web_sg.id
 description = "ID of the security group for web boxes. Consume this by other modules as necessary--specifically locking down DB access."