bootstrap-aws-installer: Pull all keys from secretsmanager.

puppet/zulip_ops/files/install-ssh-keys

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -eu
+
+username="$1"
+ssh_secret_name="$2"
+
+homedir="$(getent passwd "$username" | cut -d: -f6)"
+sshdir="$homedir/.ssh"
+
+umask 077
+workdir=$(mktemp -d)
+chown "$username:$username" "$workdir"
+cleanup() { ls -al "$workdir" && rm -rf "$workdir"; }
+trap cleanup EXIT
+
+umask 033
+
+keydata="$(/srv/zulip-aws-tools/bin/aws --output text \
+    secretsmanager get-secret-value \
+    --secret-id "$ssh_secret_name" \
+    --query SecretString)"
+for keyfile in $(jq -r 'keys[]' <<<"$keydata"); do
+    touch "$workdir/$keyfile"
+    if [[ "$keyfile" != *".pub" ]]; then
+        chmod 600 "$workdir/$keyfile"
+    fi
+    jq -r ".[\"$keyfile\"]" <<<"$keydata" | base64 -d >"$workdir/$keyfile"
+    chown "$username:$username" "$workdir/$keyfile"
+done
+
+if [ "$#" -gt 2 ]; then
+    diff -rN -x config -x authorized_keys -x known_hosts \
+        "$workdir/" "$sshdir/"
+    exit 0
+fi
+
+rsync -rv --delete \
+    --exclude config --exclude authorized_keys --exclude known_hosts \
+    "$workdir/" "$sshdir/"

puppet/zulip_ops/manifests/aws_tools.pp

@@ -68,4 +68,14 @@ class zulip_ops::aws_tools {
     group   => 'root',
     content => template('zulip_ops/dotfiles/aws_config.erb'),
   }
+
+  # Pull keys from AWS secretsmanager
+  file { '/usr/local/bin/install-ssh-keys':
+    ensure  => file,
+    require => File['/root/.aws/config'],
+    mode    => '0755',
+    owner   => 'root',
+    group   => 'root',
+    source  => 'puppet:///modules/zulip_ops/install-ssh-keys',
+  }
 }

puppet/zulip_ops/manifests/profile/base.pp

@@ -61,9 +61,14 @@ class zulip_ops::profile::base {
   }
 
   user { 'root': }
-  zulip_ops::user_dotfiles { 'root': home => '/root' }
+  zulip_ops::user_dotfiles { 'root':
+    home => '/root',
+    keys => 'common',
+  }
 
-  zulip_ops::user_dotfiles { 'zulip': }
+  zulip_ops::user_dotfiles { 'zulip':
+    keys => 'common',
+  }
 
   file { '/etc/pam.d/common-session':
     ensure  => file,

puppet/zulip_ops/manifests/profile/nagios.pp

@@ -2,6 +2,7 @@ class zulip_ops::profile::nagios {
   include zulip_ops::profile::base
   include zulip_ops::apache
 
+  zulip::ssh_keys { 'nagios': }
   $nagios_packages = [# Packages needed for Nagios
                       'nagios4',
                       # For sending outgoing email

puppet/zulip_ops/manifests/ssh_keys.pp

@@ -0,0 +1,15 @@
+define zulip_ops::ssh_keys(
+  $keys = true,
+) {
+  $user = $name
+  if $keys == true {
+    $keypath = "prod/ssh/keys/${user}"
+  } else {
+    $keypath = "prod/ssh/keys/${keys}"
+  }
+  exec { "ssh_keys ${user}":
+    require => File['/usr/local/bin/install-ssh-keys'],
+    command => "/usr/local/bin/install-ssh-keys ${user} ${keypath}",
+    unless  => "[ -f /usr/local/bin/install-ssh-keys ] && /usr/local/bin/install-ssh-keys ${user} ${keypath} check",
+  }
+}

puppet/zulip_ops/manifests/user_dotfiles.pp

@@ -1,5 +1,6 @@
 define zulip_ops::user_dotfiles (
   $home = '',
+  $keys = false,
 ) {
   $user = $name
 
@@ -37,4 +38,11 @@ define zulip_ops::user_dotfiles (
     mode    => '0644',
     content => '',
   }
+
+  if $keys != false {
+    zulip_ops::ssh_keys{ $user:
+      keys    => $keys,
+      require => File["${homedir}/.ssh"],
+    }
+  }
 }