bootstrap-aws-installer: Pull all keys from secretsmanager.

tools/setup/bootstrap-aws-installer

@@ -6,7 +6,6 @@
 #FULL_ROLES=
 #REPO_URL=
 #BRANCH=
-#SSH_SECRET_ID=
 
 export RUNNING_IN_CLOUD_INIT=1
 if ! curl -fLs -m 5 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 10" >/dev/null; then
@@ -45,7 +44,6 @@ AWS_INSTALLER="inline!puppet/zulip_ops/files/install-aws-cli"
 
 # We then call it, to install the AWS CLI
 "$AWS_INSTALLER"
-AWS=/srv/zulip-aws-tools/bin/aws
 
 # Set up a bare-bones AWS configuration
 mkdir -p /root/.aws
@@ -56,25 +54,11 @@ output = text
 # Credentials are from the IAM role attached to the EC2 instance
 EOF
 
-# Set up public keys for root, so we can fetch the repo; this is a
-# function so we do can it again later with the zulip user
-function install_keys() {
-    USERNAME="$1"
-    SSHDIR="$(getent passwd "$USERNAME" | cut -d: -f6)/.ssh"
-    KEYDATA="$($AWS --output text \
-        secretsmanager get-secret-value \
-        --secret-id "$SSH_SECRET_ID" \
-        --query SecretString)"
-    mkdir -p "$SSHDIR"
-    for KEYFILE in $(echo "$KEYDATA" | jq -r 'keys[]'); do
-        echo "$KEYDATA" | jq -r ".[\"$KEYFILE\"]" | base64 -d >"$SSHDIR/$KEYFILE"
-        if [[ "$KEYFILE" != *".pub" ]]; then
-            chmod 600 "$SSHDIR/$KEYFILE"
-        fi
-    done
-    chown -R "$USERNAME:$USERNAME" "$SSHDIR"
-}
-install_keys root
+# The following line gets replaced by pack-local-script output, which
+# smuggles the install-ssh-keys binary into this one.
+# install-ssh-keys, in turn, pulls key data from AWS' secret manager.
+INSTALL_SSH_KEYS="inline!puppet/zulip_ops/files/install-ssh-keys"
+"$INSTALL_SSH_KEYS" root prod/ssh/keys/common
 
 # Provide GitHub known_hosts setup; you can verify against fingerprints at
 # https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
@@ -98,8 +82,6 @@ git -C zulip checkout "$BRANCH"
         --no-init-db
 )
 
-install_keys zulip
-
 # Delete the ubuntu user
 userdel ubuntu