From 5c9e0e24b6227746dac9de970c8b67a1a03045f7 Mon Sep 17 00:00:00 2001
From: bbuechler
Date: Tue, 18 Feb 2020 08:45:51 -0900
Subject: [PATCH 1/8] Refactor what gets passed into TF
---
 build/Jenkinsfile | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/build/Jenkinsfile b/build/Jenkinsfile
index b9fd0a04..fca11ad9 100644
--- a/build/Jenkinsfile
+++ b/build/Jenkinsfile
@@ -67,17 +67,13 @@ pipeline {
 sh 'echo "this file ${WORKSPACE}/${DEPENDENCYLAYERFILENAME}" should exist: '
 sh "ls -lah *.zip"
- // Swap in BUILD#
- sh "echo '>> Build Stamping....'"
- sh 'sed -i -e "s//${CODE_DIR}\\/${DEPENDENCYLAYERFILENAME}/" ./cloudformation/thin-egress-app.yaml'
-
+
 }
 }
 // Package code
 stage('Package Code') {
 steps {
- // Zip up the upload.
 sh "echo '>> Building Zipfile....'"
@@ -94,16 +90,22 @@ pipeline {
 sh "cd ${WORKSPACE}"
 sh 'if [ ${APPTAG} != "tea" ]; then sed -i -e "s/asf.public.code/${CODE_BUCKET}/" ./cloudformation/thin-egress-app.yaml; fi'
+
+ // thin-egress-app.yaml
 sh 'sed -i -e "s//${CODE_DIR}\\/${CODE_ARCHIVE_FILENAME}/" ./cloudformation/thin-egress-app.yaml'
- sh 'sed -i -e "s//${BUILDTAG}/" ./cloudformation/thin-egress-app.yaml'
- sh 'sed -i -e "s//${BUILDTAG}/" ./terraform/variables.tf'
+ sh 'sed -i -e "s//${CODE_DIR}\\/${DEPENDENCYLAYERFILENAME}/" ./cloudformation/thin-egress-app.yaml'
+ sh 'sed -i -e "s//${BUILD_ID}/" ./cloudformation/thin-egress-app.yaml'
 sh 'sed -i -e "s;^Description:.*;Description: \\"TEA built by Jenkins job ${JOB_NAME}, ${BUILDTAG}\\";" ./cloudformation/thin-egress-app.yaml'
+
+ // terraform/variables.tf
+ sh 'sed -i -e "s//${CF_TEMPLATE_FILENAME}/" ./terraform/variables.tf'
 // Zip up terraform
 sh "echo '>> Building Terraform Zip....'"
 sh "cp ${WORKSPACE}/${CODE_ARCHIVE_FILENAME} ${WORKSPACE}/terraform/lambda.zip"
 sh "cp ${WORKSPACE}/${DEPENDENCYLAYERFILENAME} ${WORKSPACE}/terraform/dependencylayer.zip"
- sh "cd ${WORKSPACE}/terraform && zip ../${TF_ZIP_FILENAME} *.tf lambda.zip dependencylayer.zip"
+ sh "cp ./cloudformation/thin-egress-app.yaml ${WORKSPACE}/terraform/thin-egress-app.yaml"
+ sh "cd ${WORKSPACE}/terraform && zip ../${TF_ZIP_FILENAME} *.tf thin-egress-app.yaml lambda.zip dependencylayer.zip"
 }
 }
 // Push packages to AWS and deploy new version
From fe1eee8bb049121330951a251347eae59a419647 Mon Sep 17 00:00:00 2001
From: bbuechler
Date: Tue, 18 Feb 2020 08:48:27 -0900
Subject: [PATCH 2/8] Remove template_url
---
 terraform/variables.tf | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 0a6bf8c8..389cc816 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
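Review bot: The new `zip ../${TF_ZIP_FILENAME} *.tf thin-egress-app.yaml lambda.zip dependencylayer.zip` line updates an existing archive rather than replacing it, so if `${TF_ZIP_FILENAME}` survives from an earlier build in the same workspace, stale entries from that build stay in the shipped Terraform artifact; unless a workspace clean happens earlier in the pipeline (outside this hunk), delete it first: `sh "rm -f ${WORKSPACE}/${TF_ZIP_FILENAME} && cd ${WORKSPACE}/terraform && zip ../${TF_ZIP_FILENAME} *.tf thin-egress-app.yaml lambda.zip dependencylayer.zip"`. The new `cp ./cloudformation/thin-egress-app.yaml ${WORKSPACE}/terraform/thin-egress-app.yaml` uses a relative source while the two `cp` lines above it anchor on `${WORKSPACE}`; every `sh` step runs in its own shell, so the standalone `sh "cd ${WORKSPACE}"` context line does not set the working directory for later steps, and `${WORKSPACE}/cloudformation/thin-egress-app.yaml` would make the dependency on Jenkins' default cwd explicit. The `sed` search patterns in this hunk render as empty (`s//…/`); that looks like placeholder tokens lost in rendering rather than the committed text, so they are not reviewed here. The enclosing `steps` block opens before this hunk.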
@@ -163,12 +163,6 @@ variable "tags" {
 default = {}
 }
-variable "template_url" {
- type = string
- default = "https://s3.amazonaws.com/asf.public.code/thin-egress-app/tea-cloudformation-.yaml"
- description = "URL of CloudFormation stack template"
-}
-
 variable "urs_auth_creds_secret_name" {
 type = string
 default = "urs_creds_for_tea"
From e7c7ebc0fd39086993bd9aa7e0bb874e0ef3f19f Mon Sep 17 00:00:00 2001
From: bbuechler
Date: Tue, 18 Feb 2020 09:06:53 -0900
Subject: [PATCH 3/8] Upload CF template to lambda code bucket.
---
 terraform/main.tf | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index 22c9520c..4748f701 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,5 +1,6 @@
 locals {
 vpc_security_group_ids_set = length(var.vpc_security_group_ids) > 0
+ cloudformation_template_filename = "${path.module}/thin-egress-app.yaml"
 lambda_source_filename = "${path.module}/lambda.zip"
 dependency_layer_filename ="${path.module}/dependencylayer.zip"
 }
@@ -35,13 +36,21 @@ resource "aws_s3_bucket_object" "lambda_code_dependency_archive" {
 etag = filemd5(local.dependency_layer_filename)
 }
+resource "aws_s3_bucket_object" "cloudformation_template" {
+ bucket = aws_s3_bucket.lambda_source.bucket
+ key = "${filemd5(local.cloudformation_template_filename)}.yaml"
+ source = local.cloudformation_template_filename
+ etag = filemd5(local.cloudformation_template_filename)
+}
+
 resource "aws_cloudformation_stack" "thin_egress_app" {
 depends_on = [
 aws_s3_bucket_object.lambda_source,
- aws_s3_bucket_object.lambda_code_dependency_archive
+ aws_s3_bucket_object.lambda_code_dependency_archive,
+ aws_s3_bucket_object.cloudformation_template
 ]
 name = var.stack_name
- template_url = var.template_url
+ template_url = "https://s3.amazonaws.com/${aws_s3_bucket_object.lambda_source.bucket}/${aws_s3_bucket_object.cloudformation_template.key}"
 capabilities = ["CAPABILITY_NAMED_IAM"]
 parameters = {
 AuthBaseUrl = var.auth_base_url
From d8e88f8d7f9a2c8e7c2b9a154f290282a510b541 Mon Sep 17 00:00:00 2001
From: bbuechler
Date: Tue, 18 Feb 2020 09:08:55 -0900
Subject: [PATCH 4/8] Remove template_url
---
 NGAP-DEPLOY-README.MD | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/NGAP-DEPLOY-README.MD b/NGAP-DEPLOY-README.MD
index 51624789..cc9234f9 100644
--- a/NGAP-DEPLOY-README.MD
+++ b/NGAP-DEPLOY-README.MD
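Review bot: The `template_url` on the new side uses the path-style form on the global endpoint (`https://s3.amazonaws.com/<bucket>/<key>`), which AWS has deprecated and which depends on a redirect when the `lambda_source` bucket is outside us-east-1, so stack creation may fail depending on where that bucket lives; the virtual-hosted regional form avoids both, e.g. `template_url = "https://${aws_s3_bucket_object.lambda_source.bucket}.s3.${data.aws_region.current.name}.amazonaws.com/${aws_s3_bucket_object.cloudformation_template.key}"` (assumes an `aws_region` data source, not visible in this hunk). Keying the object by `filemd5(...)` is the right call: a changed template yields a new key and hence a new `template_url`, which is what makes `aws_cloudformation_stack` re-read it, and a comment on the `key` line such as `# content-addressed key: a template change changes template_url and triggers a stack update` would stop a later maintainer from "simplifying" it to a fixed name. The added `aws_s3_bucket_object.cloudformation_template` entry in `depends_on` is redundant with the reference inside `template_url`, which already creates that edge; harmless, but say so in a comment if it stays. If `aws_s3_bucket.lambda_source` uses SSE-KMS (defined outside this hunk), `etag = filemd5(...)` will never match the stored ETag and the object will show a perpetual diff; worth confirming against the bucket definition. The `aws_cloudformation_stack` resource continues past the end of this hunk.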
@@ -48,8 +48,7 @@ module "thin_egress_app" {
 * **session_store** (string) - "DB" for storing sessions in DynamoDB, "S3" for storing sessions in S3. Defaults to "DB".
 * **session_ttl** (number) - time to live for auth session, in hours. Defaults to 168.
 * **stage_name** (string) - this value will show up as the base of the url path as so: `https://xxxxxxxx.execute-api.us-east-1.amazonaws.com//and/so/on`. Defaults to "API".
-* **template_url** (string) - URL of CloudFormation stack template. This will be set when the Terraform module is built.
-* ***use_reverse_bucket_map** (bool) - standard bucketmaps are not reverse. Defaults to false.
+* **use_reverse_bucket_map** (bool) - standard bucketmaps are not reverse. Defaults to false.
 * **vpc_security_group_ids** (list(string)) - list of security groups for the Lambda function
 * **vpc_subnet_ids** (list(string)) - list of subnets for the lambda function
From 03add62eea5e9736c1a992c86d4879353bb0a973 Mon Sep 17 00:00:00 2001
From: bbuechler
Date: Tue, 18 Feb 2020 09:12:01 -0900
Subject: [PATCH 5/8] No need to adjust terraform/variables.tf
---
 build/Jenkinsfile | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/build/Jenkinsfile b/build/Jenkinsfile
index fca11ad9..c693551a 100644
--- a/build/Jenkinsfile
+++ b/build/Jenkinsfile
@@ -89,16 +89,13 @@ pipeline {
 sh "echo '>> Build Stamping....'"
 sh "cd ${WORKSPACE}"
- sh 'if [ ${APPTAG} != "tea" ]; then sed -i -e "s/asf.public.code/${CODE_BUCKET}/" ./cloudformation/thin-egress-app.yaml; fi'
-
+ // thin-egress-app.yaml
+ sh 'if [ ${APPTAG} != "tea" ]; then sed -i -e "s/asf.public.code/${CODE_BUCKET}/" ./cloudformation/thin-egress-app.yaml; fi'
 sh 'sed -i -e "s//${CODE_DIR}\\/${CODE_ARCHIVE_FILENAME}/" ./cloudformation/thin-egress-app.yaml'
 sh 'sed -i -e "s//${CODE_DIR}\\/${DEPENDENCYLAYERFILENAME}/" ./cloudformation/thin-egress-app.yaml'
 sh 'sed -i -e "s//${BUILD_ID}/" ./cloudformation/thin-egress-app.yaml'
 sh 'sed -i -e "s;^Description:.*;Description: \\"TEA built by Jenkins job ${JOB_NAME}, ${BUILDTAG}\\";" ./cloudformation/thin-egress-app.yaml'
-
- // terraform/variables.tf
- sh 'sed -i -e "s//${CF_TEMPLATE_FILENAME}/" ./terraform/variables.tf'
 // Zip up terraform
 sh "echo '>> Building Terraform Zip....'"
From b9e1ee275b95a87d47a9746bc822643fddac68ac Mon Sep 17 00:00:00 2001
From: bbuechler
Date: Tue, 18 Feb 2020 11:31:16 -0900
Subject: [PATCH 6/8] Get rid of base64 newlines
---
 README.MD | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.MD b/README.MD
index ecde4923..d286f717 100644
--- a/README.MD
+++ b/README.MD
@@ -168,8 +168,8 @@ aws secretsmanager create-secret --name urs_creds_for_tea \
 Create a key pair and b64 encode them:
 ```bash
 ssh-keygen -t rsa -b 4096 -m PEM -f ./jwtcookie.key
-openssl base64 -in jwtcookie.key -out jwtcookie.key.b64
-openssl base64 -in jwtcookie.key.pub -out jwtcookie.key.pub.b64
+openssl base64 -in jwtcookie.key -out jwtcookie.key.b64 -A
+openssl base64 -in jwtcookie.key.pub -out jwtcookie.key.pub.b64 -A
 ```
 Put the base-64 encoded keys into a json file like so:
 ```json
From 81b36bb9e7528a373a7307b7523cfc3531a02de0 Mon Sep 17 00:00:00 2001
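Review bot: The re-added `sh 'if [ ${APPTAG} != "tea" ]; then ... fi'` line leaves `${APPTAG}` unquoted inside `[ ]`, so when the variable is unset or empty the test becomes `[ != "tea" ]`, a syntax error that under Jenkins' default `sh -xe` aborts the stage instead of evaluating to false; quote it: `sh 'if [ "${APPTAG}" != "tea" ]; then sed -i -e "s/asf\\.public\\.code/${CODE_BUCKET}/" ./cloudformation/thin-egress-app.yaml; fi'` (the `\\.` also stops the unescaped dots in `asf.public.code` from matching any character, harmless today but cheap to state). The same line appears as context at the top of the `@@ -94,16 +90,22 @@` hunk of the first patch in this series, so the fix belongs here where it is re-introduced. The `sh "cd ${WORKSPACE}"` context line is a no-op for the steps that follow, since each `sh` runs in a fresh shell; a comment such as `// each sh step starts in ${WORKSPACE}; the relative ./cloudformation paths below rely on that` would keep someone from "fixing" it later. The enclosing `steps` block opens before this hunk and closes after it.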
From: bbuechler
Date: Tue, 18 Feb 2020 11:32:32 -0900
Subject: [PATCH 7/8] Update setup_jwt_cookie.sh
---
 setup_jwt_cookie.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup_jwt_cookie.sh b/setup_jwt_cookie.sh
index d06bf943..8d4e71ad 100644
--- a/setup_jwt_cookie.sh
+++ b/setup_jwt_cookie.sh
@@ -15,8 +15,8 @@ EOL
 function GENERATE_TEA_CREDS {
 cd /tmp || exit 1
 ssh-keygen -t rsa -b 4096 -m PEM -f ./jwtcookie.key -N ''
- openssl base64 -in jwtcookie.key -out jwtcookie.key.b64
- openssl base64 -in jwtcookie.key.pub -out jwtcookie.key.pub.b64
+ openssl base64 -in jwtcookie.key -out jwtcookie.key.b64 -A
+ openssl base64 -in jwtcookie.key.pub -out jwtcookie.key.pub.b64 -A
 export rsa_priv_key=$(
Date: Tue, 18 Feb 2020 11:38:18 -0900
Subject: [PATCH 8/8] Update setup_jwt_cookie.sh
---
 setup_jwt_cookie.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup_jwt_cookie.sh b/setup_jwt_cookie.sh
index 8d4e71ad..6921925b 100644
--- a/setup_jwt_cookie.sh
+++ b/setup_jwt_cookie.sh
@@ -25,9 +25,9 @@ function GENERATE_TEA_CREDS {
 }
 GENERATE_TEA_CREDS
-aws secretsmanager create-secret --name tt_for_tea --profile ${profile_name:-default} --region ${aws_region:-us-east-1} \
+aws secretsmanager create-secret --name jwt_secret_for_tea --profile ${profile_name:-default} --region ${aws_region:-us-east-1} \
 --description "RS256 keys for TEA app JWT cookies" \
- --secret-string file:/tmp/jwtkeys.json
+ --secret-string file:///tmp/jwtkeys.json
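Review bot: After `create-secret` returns, the RSA private key and its base64 copies written by `GENERATE_TEA_CREDS` (`/tmp/jwtcookie.key`, `/tmp/jwtcookie.key.pub`, `/tmp/jwtcookie.key.b64`, `/tmp/jwtcookie.key.pub.b64`) and the assembled `/tmp/jwtkeys.json` are left behind in a shared, world-traversable directory; unless a cleanup exists elsewhere in the script (not visible here), remove them once the secret is stored, e.g. `rm -f /tmp/jwtcookie.key /tmp/jwtcookie.key.pub /tmp/jwtcookie.key.b64 /tmp/jwtcookie.key.pub.b64 /tmp/jwtkeys.json`, preferably from a `trap ... EXIT` so a failed upload does not leave them either. `ssh-keygen` creates the private key 0600, but the `openssl base64 -out` copies and the JSON are created under the default umask and are likely group/world readable, so a `umask 077` at the top of `GENERATE_TEA_CREDS` (defined before this hunk) closes that window. `create-secret` fails when `jwt_secret_for_tea` already exists, so a re-run generates a fresh key pair on disk while the old secret stays in place; either document that the script is one-shot or fall back to `put-secret-value` on that error so the stored key and the files on disk never diverge silently.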