AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
							#!/bin/bash

SUDO=""
LOG_FILE=/var/log/cloud-init-provision-salt-master-output.log
exec > >(tee ${LOG_FILE}) 2>&1

echo "Started provision_salt_master.sh" 

#Install dependencies. The virtual env was used to reduce the python module conflicts between rpm and pip.
echo "Install dependencies" 
yum install GitPython --enablerepo=epel -y
yum install python-virtualenv -y
virtualenv ~/awscli

#check if proxy settings are ready
if [ -s "/etc/pip.conf" ]; then
    ~/awscli/bin/pip install awscli
else
    echo "pip proxy not ready"
fi

chmod +x ~/awscli/bin/aws

#we need to refresh our bash session to pick up the proxy settings. 
if [ -s "/etc/profile.d/proxy.sh" ]; then
    source /etc/profile.d/proxy.sh
else
    echo "System proxy not ready"
fi

~/awscli/bin/aws secretsmanager get-secret-value --region us-gov-east-1  --secret-id saltmaster/ssh_key --query SecretString --output text > ~root/.ssh/github_read_only
chmod 0600 ~root/.ssh/github_read_only

#GPG Keys
echo "GPG Keys" 
mkdir -p /etc/salt/gpgkeys
chmod 0700 /etc/salt/gpgkeys
~/awscli/bin/aws secretsmanager get-secret-value --region us-gov-east-1  --secret-id saltmaster/gpg/private --query SecretString --output text > /etc/salt/gpgkeys/private
~/awscli/bin/aws secretsmanager get-secret-value --region us-gov-east-1  --secret-id saltmaster/gpg/ownertrust --query SecretString --output text > /etc/salt/gpgkeys/ownertrust
chmod 0600 /etc/salt/gpgkeys/private
chmod 0600 /etc/salt/gpgkeys/ownertrust
gpg --import --yes --batch -q --homedir /etc/salt/gpgkeys/ /etc/salt/gpgkeys/private
gpg --import-ownertrust --homedir /etc/salt/gpgkeys/ /etc/salt/gpgkeys/ownertrust

#Salt Master Pub/Private
~/awscli/bin/aws secretsmanager get-secret-value --region us-gov-east-1  --secret-id saltmaster/master.pem --query SecretString --output text > /etc/salt/pki/master/master.pem
~/awscli/bin/aws secretsmanager get-secret-value --region us-gov-east-1  --secret-id saltmaster/master.pub --query SecretString --output text > /etc/salt/pki/master/master.pub
chmod 0400 /etc/salt/pki/master/master.pem

#clean up. These are not needed after initial bootstrapping. 
yum remove python-virtualenv -y
rm -rf ~/awscli

cat > ~/.ssh/config << 'EOF'

Host github.mdr.defpoint.com
  IdentityFile ~/.ssh/github_read_only

EOF
chmod 0400 ~/.ssh/config

cat - > ~/.ssh/known_hosts << 'EOF'
github.mdr.defpoint.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBObDNqJCB+iXyR2hm0GRERmfEl33E7Kiu+UGmSHHC878NQjsvOtLxoRAPIU07bCzKutFNZCi+8bRkQWXtOT2InA=
EOF

cat > /etc/salt/master.d/gpg_pillar.conf << 'EOF'

decrypt_pillar:
  - 'secrets' : gpg

EOF

#For both Test and Prod start out pointing to the Master branch. After inital startup, it is expected that a highstate will be run which will change the branch in Test to develop.  
cat - > /etc/salt/master.d/gitfs.conf << 'EOF'

fileserver_backend:
  - gitfs
  - roots

gitfs_saltenv_whitelist:
  - base
  - master
  - develop

# File roots via Git
gitfs_provider: gitpython
gitfs_update_interval: 600
gitfs_base: master
gitfs_remotes:
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-infrastructure.git:
    - name: gitfs-base-msoc
    - base: master
    - root: salt/fileroots
  # File roots for the CM's
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-moose-cm.git:
    - name: msoc-moose-cm
    - base: master
    - mountpoint: salt://customer_repos/msoc-moose-cm
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-afs-cm.git:
    - name: msoc-afs-cm
    - base: master
    - mountpoint: salt://customer_repos/msoc-afs-cm
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-nga-cm.git:
    - name: msoc-nga-cm
    - base: master
    - mountpoint: salt://customer_repos/msoc-nga-cm
  # File roots for the deployment servers
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-nga-pop.git:
    - name: msoc-nga-pop
    - base: master
    - mountpoint: salt://deployment_servers/msoc-nga-pop
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-afs-pop.git:
    - name: msoc-afs-pop
    - base: master
    - mountpoint: salt://deployment_servers/msoc-afs-pop


# Pillar via Git configs
git_pillar_provider: gitpython
git_pillar_root:    salt/pillar
git_pillar_base:    master
git_pillar_branch: master
ext_pillar:
  - git:
    - git@github.mdr.defpoint.com:mdr-engineering/msoc-infrastructure.git:
      - name: salt-piller-base
      - env: base

EOF

systemctl restart salt-master
systemctl enable salt-master

#This attempts to help out with accepting the minion key.
sleep 60
salt-key -A -y

salt-call state.highstate

echo "Ending provision_salt_master.sh"