From f91f8b3ad0565c24300743350e8bc4218f8aa044 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Thu, 25 Jul 2024 17:10:23 +0100 Subject: [PATCH 1/5] Openvpn (#80) This bootstraps the OpenVPN host for @ainghazal to setup a openvpn server on it. He can potentially use this galaxy module to bootstrap the openvpn server: https://github.com/robertdebock/ansible-role-openvpn --- ansible/host_vars/openvpn-server1.ooni.io | 29 +++++++++++++++++++++++ ansible/inventory | 1 + ansible/playbook.yml | 7 ++++++ ansible/roles/ssh_users/tasks/main.yml | 5 ++++ tf/environments/prod/dns_records.tf | 8 +++++++ 5 files changed, 50 insertions(+) create mode 100644 ansible/host_vars/openvpn-server1.ooni.io diff --git a/ansible/host_vars/openvpn-server1.ooni.io b/ansible/host_vars/openvpn-server1.ooni.io new file mode 100644 index 00000000..9cbcc68c --- /dev/null +++ b/ansible/host_vars/openvpn-server1.ooni.io 
@@ -0,0 +1,29 @@ +ssh_users: + agrabeli: + login: agrabeli + comment: Maria Xynou + keys: ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD0JSwM+t3Uz9lS3Mjoz9oo4vOToWyzboZhYQbP8JY5HvFtAvWanWHnUBO91t6hkgKIMiUqhdCJn26fqkhSGe/bRBaFUocOmuyfcmZoRdi0qzAskmycJsj/w6vWR4x6MYkmJvSeI/MGxjEFt4s2MfOG1tP8CBLUYft9qUleeJa7Jln8c+xbnqB7YngaI190icQHE9NuIB2CXvzbmo3tLtHNMagEwI7VoBDj6mxzTxBd9JhuhF4w5uGxxm0Gp1hzk+15obNnaBS+Anr7jXz8FPwwxCH+XhBZxB1PPpcIayKrf9iLyGtwmhkdDoWCqYAr1mue3LxFso+TZF4bwE4Cjt1 agrabelh@agrabelh"] + art: + login: art + comment: Arturo Filasto + keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsibU0nsQFFIdolD1POzXOws4VetV0ZNByINRzY8Hx0 arturo@ooni.org"] + majakomel: + login: majakomel + comment: Maja Komel + keys: + - "ssh-rsa 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" + mehul: + login: mehul + comment: Mehul Gulati + keys: + - "ssh-rsa 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" + norbel: + login: norbel + comment: Norbel Ambanumben + keys: + - "ssh-rsa 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 aanorbel@gmail.com" + ain: + login: ain + comment: Ain + keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6Js4xtJq7AoYA8mFraQg8vYgKz/glil9AaPq4lDwtg ain@intertubes"] +admin_usernames: [ art, majakomel, mehul, norbel, ain ] diff --git a/ansible/inventory b/ansible/inventory index 8ce07dd8..b93daabf 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -1,2 +1,3 @@ [all] monitoring.ooni.org +openvpn-server1.ooni.io diff --git a/ansible/playbook.yml b/ansible/playbook.yml index a8a65237..a7253e16 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -20,3 +20,10 @@ - prometheus - prometheus_blackbox_exporter - prometheus_alertmanager + +- name: Setup OpenVPN server + hosts: openvpn-server1.ooni.io + become: true + remote_user: root + roles: + - ssh_users diff --git a/ansible/roles/ssh_users/tasks/main.yml b/ansible/roles/ssh_users/tasks/main.yml index b0e11eaf..fc0db3fc 100644 --- a/ansible/roles/ssh_users/tasks/main.yml 
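Review bot: `admin_usernames: [ art, majakomel, mehul, norbel, ain ]` at the end of the hunk omits `agrabeli`, the first entry of `ssh_users`, and the file defines no `non_admin_usernames` although the ssh_users role iterates `admin_usernames | union(non_admin_usernames)` when it writes authorized_keys. If the role's defaults (not shown in this series) leave `non_admin_usernames` undefined, the authorized_keys task fails on this host; if they define it as empty, the `agrabeli` entry is dead configuration. Add `non_admin_usernames: [ agrabeli ]` if an unprivileged account is intended, or drop the entry and say so in a comment, e.g. `# agrabeli intentionally has no account on this host`.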
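Review bot: The `Setup OpenVPN server` play at the end of the hunk combines `remote_user: root` with `become: true`, which is a no-op when already root and ties the play to root SSH login staying enabled on the new host. Since the only role it applies, `ssh_users`, is what creates the admin accounts, the dependence on root login is presumably a bootstrap step; a comment such as `# bootstrap: connects as root until ssh_users has created the admin accounts` would record that, and a follow-up could switch `remote_user` to one of `admin_usernames`. The monitoring play above is outside the hunk, so I cannot tell whether it follows the same convention.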
+++ b/ansible/roles/ssh_users/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: ensure admin group exists + group: + name: "{{ admin_group_name }}" + state: present + - name: create admin users tags: ssh_users user: diff --git a/tf/environments/prod/dns_records.tf b/tf/environments/prod/dns_records.tf index 7ee1278c..2129b5c3 100644 --- a/tf/environments/prod/dns_records.tf +++ b/tf/environments/prod/dns_records.tf @@ -997,3 +997,11 @@ resource "aws_route53_record" "test-ooni-nu-_NS_" { type = "NS" zone_id = local.dns_root_zone_ooni_nu } + +resource "aws_route53_record" "openvpn-server1-ooni-io-_A_" { + name = "openvpn-server1.ooni.io" + records = ["37.218.243.98"] + ttl = "60" + type = "A" + zone_id = local.dns_root_zone_ooni_io +} From 58bbaf3032d9225cf6dd0a772b90d8a1c54d946b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Mon, 29 Jul 2024 08:51:53 +0200 Subject: [PATCH 2/5] Cloudhsm debug (#81) WIP to get codesigning to work --- .gitignore | 5 +++ tf/modules/ansible_controller/main.tf | 9 ++-- tf/modules/cloudhsm/main.tf | 65 ++++++++++++++++++--------- 3 files changed, 51 insertions(+), 28 deletions(-) diff --git a/.gitignore b/.gitignore index 5d15b939..f20814c1 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,8 @@ override.tf.json # Ignore generated docs /dist + +/.vscode + +# Macos +.DS_Store diff --git a/tf/modules/ansible_controller/main.tf b/tf/modules/ansible_controller/main.tf index 7cc22aad..ae109d45 100644 --- a/tf/modules/ansible_controller/main.tf +++ b/tf/modules/ansible_controller/main.tf @@ -1,7 +1,3 @@ -data "aws_ssm_parameter" "ubuntu_22_ami" { - name = "/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id" -} - resource "aws_security_group" "ansible_ctrl_sg" { description = "security group for ansible controller" name_prefix = "ooni-ansible-ctrl" 
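Review bot: The new `ensure admin group exists` task carries no `tags:` while the `create admin users` task right after it is tagged `ssh_users`, so a run limited with `--tags ssh_users` skips group creation and any later task that relies on `{{ admin_group_name }}` existing would hit a missing group. Add `tags: ssh_users` to the new task so the two stay in step. The task also uses the short module name `group:`, whereas the codesign_box role introduced later in this series uses fully-qualified names; `ansible.builtin.group:` would match. The rest of the task list, including where the group is consumed, is outside the hunk.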
@@ -40,7 +36,8 @@ resource "aws_security_group" "ansible_ctrl_sg" { } resource "aws_instance" "ansible_controller" { - ami = data.aws_ssm_parameter.ubuntu_22_ami.value + # Ubuntu 22.04 + ami = "ami-07652eda1fbad7432" instance_type = var.instance_type key_name = var.key_name @@ -60,7 +57,7 @@ resource "aws_instance" "ansible_controller" { vpc_security_group_ids = [aws_security_group.ansible_ctrl_sg.id] - tags = var.tags + tags = merge(var.tags, { Name = "ansible-controller" }) } resource "aws_route53_record" "oonith_service_alias" { diff --git a/tf/modules/cloudhsm/main.tf b/tf/modules/cloudhsm/main.tf index 97f71822..a9d951f0 100644 --- a/tf/modules/cloudhsm/main.tf +++ b/tf/modules/cloudhsm/main.tf @@ -34,29 +34,9 @@ resource "aws_security_group" "hsm" { } } -data "aws_ami" "amazon_linux" { - most_recent = true - owners = ["amazon"] - - filter { - name = "name" - values = ["al2023-ami-*"] - } - - filter { - name = "architecture" - values = ["x86_64"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } - -} - resource "aws_instance" "codesign_box" { - ami = data.aws_ami.amazon_linux.id + # Amazon linux + ami = "ami-03bb61bfa8e4d149e" key_name = var.key_name instance_type = "t3.micro" 
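Review bot: `ami = "ami-07652eda1fbad7432"` replaces the SSM-parameter lookup with a bare AMI id whose only provenance is the comment `# Ubuntu 22.04`; the same pattern appears in the `codesign_box` hunk of `tf/modules/cloudhsm/main.tf` (`ami-03bb61bfa8e4d149e`) and in the launch template added in the next hunk (`ami-0a43b9fc420cabb27`). A hardcoded id is region-specific and gives a reviewer no way to confirm the publisher or patch level, so either keep a `data "aws_ami"` lookup with `owners` pinned to the publisher account and an exact `name` filter, or record the AMI name and owner next to the id, e.g. `# Ubuntu 22.04 — <AMI_NAME>, owner <OWNER_ACCOUNT_ID>, region <REGION>` (placeholders). If the SSM lookup was dropped for a concrete reason (IAM permissions, unwanted drift on apply), neither the commit message nor a comment says so, and it should.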
@@ -85,3 +65,44 @@ resource "aws_instance" "codesign_box" { ignore_changes = all } } + +resource "aws_launch_template" "codesign_box_template" { + name = "codesign-box" + # Ubuntu 22.04 + image_id = "ami-0a43b9fc420cabb27" + + instance_type = "t3.micro" + + key_name = var.key_name + + network_interfaces { + subnet_id = var.subnet_ids[0] + security_groups = [aws_security_group.hsm.id] + associate_public_ip_address = true + } + + user_data = base64encode(<<-EOF + #!/bin/bash + sudo apt update + curl -o cloudhsm-cli.deb https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-cli_latest_u22.04_amd64.deb + sudo apt install ./cloudhsm-cli.deb + + curl -o cloudhsm-pkcs11.deb https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-pkcs11_latest_u22.04_amd64.deb + sudo apt install ./cloudhsm-pkcs11.deb + + sudo apt install libengine-pkcs11-openssl + EOF + ) + + update_default_version = true + + tag_specifications { + resource_type = "instance" + + tags = { + Name = "codesign-box" + } + } + + tags = merge(var.tags, { Name = "codesign-box-template" }) +} From a55e678edf380880b579df7b009238ada8cc90ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Mon, 29 Jul 2024 10:11:32 +0200 Subject: [PATCH 3/5] Fix bug in setup of authorized keys --- ansible/roles/ssh_users/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/ssh_users/tasks/main.yml b/ansible/roles/ssh_users/tasks/main.yml index fc0db3fc..a4a701a2 100644 --- a/ansible/roles/ssh_users/tasks/main.yml +++ b/ansible/roles/ssh_users/tasks/main.yml @@ -47,6 +47,7 @@ template: src: authorized_keys dest: "/home/{{item}}/.ssh/authorized_keys" + owner: "{{item}}" mode: 0400 with_items: "{{ admin_usernames | union(non_admin_usernames) }}" From 572719c1b07fa6926ca1fd3d4be6290eb11badf8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Mon, 29 Jul 2024 17:52:08 +0200 Subject: [PATCH 4/5] Code sign box (#83) This sets up all the needed config to initialize the code signing box. Changes: * Removes the user_data from the terraform setup since we do it in ansible * The ansible blocks are commented out since manual .ssh/config is needed to bootstrap the host This fixes: https://github.com/ooni/devops/issues/55 --- ansible/inventory | 3 + ansible/playbook.yml | 8 ++ ansible/roles/codesign_box/defaults/main.yml | 4 + ansible/roles/codesign_box/tasks/main.yml | 72 +++++++++++ .../codesign_box/templates/Cert_bundle.pem | 107 +++++++++++++++++ .../codesign_box/templates/authorized_keys | 8 ++ .../codesign_box/templates/create-hsms.sh | 112 ++++++++++++++++++ .../codesign_box/templates/customerCA.crt | 24 ++++ .../codesign_box/templates/delete-hsms.sh | 30 +++++ .../templates/sign-windows-exe.sh | 22 ++++ tf/modules/cloudhsm/main.tf | 13 -- 11 files changed, 390 insertions(+), 13 deletions(-) create mode 100644 ansible/roles/codesign_box/defaults/main.yml create mode 100644 ansible/roles/codesign_box/tasks/main.yml create mode 100644 ansible/roles/codesign_box/templates/Cert_bundle.pem create mode 100644 ansible/roles/codesign_box/templates/authorized_keys create mode 100644 ansible/roles/codesign_box/templates/create-hsms.sh create mode 100644 ansible/roles/codesign_box/templates/customerCA.crt create mode 100644 ansible/roles/codesign_box/templates/delete-hsms.sh create mode 100644 ansible/roles/codesign_box/templates/sign-windows-exe.sh diff --git a/ansible/inventory b/ansible/inventory index b93daabf..54bbdf2e 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -1,3 +1,6 @@ [all] monitoring.ooni.org openvpn-server1.ooni.io + +# This requires manual setup of ~/.ssh/config +#codesign-box diff --git a/ansible/playbook.yml b/ansible/playbook.yml index a7253e16..c5079cb1 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml 
@@ -27,3 +27,11 @@ remote_user: root roles: - ssh_users + +# commented out due to the fact it requires manual config of ~/.ssh/config +#- name: Setup codesign box +# hosts: codesign-box +# become: true +# remote_user: ubuntu +# roles: +# - codesign_box diff --git a/ansible/roles/codesign_box/defaults/main.yml b/ansible/roles/codesign_box/defaults/main.yml new file mode 100644 index 00000000..985d214f --- /dev/null +++ b/ansible/roles/codesign_box/defaults/main.yml @@ -0,0 +1,4 @@ +--- +cluster_id: cluster-qsvghm4oqok +hsm_token_name: OONI_2024-04-26_1 +codesign_usernames: [ art, majakomel, mehul ] diff --git a/ansible/roles/codesign_box/tasks/main.yml b/ansible/roles/codesign_box/tasks/main.yml new file mode 100644 index 00000000..aa12e810 --- /dev/null +++ b/ansible/roles/codesign_box/tasks/main.yml 
@@ -0,0 +1,72 @@ +--- +- name: Create .ssh/authorized_keys in ubuntu home + ansible.builtin.template: + src: authorized_keys + dest: "/home/ubuntu/.ssh/authorized_keys" + owner: "ubuntu" + mode: "0400" + +- name: Install cloudhsm-cli + ansible.builtin.apt: + deb: https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-cli_latest_u22.04_amd64.deb + update_cache: true + +- name: Install cloudhsm-pkcs11 + ansible.builtin.apt: + deb: https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-pkcs11_latest_u22.04_amd64.deb + +- name: Install cloudhsm-pkcs11 + ansible.builtin.apt: + name: + - libengine-pkcs11-openssl + - awscli + +- name: Write customerCA.crt + ansible.builtin.template: + src: customerCA.crt + dest: /opt/cloudhsm/etc/customerCA.crt + owner: root + group: adm + mode: "u=rwx,g=rx" + +- name: Write Cert_bundle.pem + ansible.builtin.template: + src: Cert_bundle.pem + dest: /opt/cloudhsm/etc/Cert_bundle.pem + owner: root + group: adm + mode: "u=rwx,g=rx" + +- name: Write delete-hsms.sh command + ansible.builtin.template: + src: delete-hsms.sh + dest: /usr/bin/delete-hsms.sh + owner: root + group: adm + mode: "u=rwx,g=rx" + +- name: Write create-hsms.sh command + ansible.builtin.template: + src: create-hsms.sh + dest: /usr/bin/create-hsms.sh + owner: root + group: adm + mode: "u=rwx,g=rx" + +- name: Ensure .hsmcredentials file exists + ansible.builtin.copy: + dest: /home/ubuntu/.hsmcredentials + content: | + HSM_PASSWORD= + owner: ubuntu + group: adm + mode: "u=rw,g=,o=" + force: false + +- name: Write sign-windows-exe.sh command + ansible.builtin.template: + src: sign-windows-exe.sh + dest: /usr/bin/sign-windows-exe.sh + owner: root + group: adm + mode: "u=rwx,g=rx" diff --git a/ansible/roles/codesign_box/templates/Cert_bundle.pem b/ansible/roles/codesign_box/templates/Cert_bundle.pem new file mode 100644 index 00000000..074bee46 --- /dev/null +++ b/ansible/roles/codesign_box/templates/Cert_bundle.pem 
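Review bot: The two `ansible.builtin.apt` tasks with `deb: https://s3.amazonaws.com/cloudhsmv2-software/...` install the CloudHSM client packages straight from a URL with no integrity check, and the seeded `/home/ubuntu/.hsmcredentials` content `HSM_PASSWORD=` names a different variable from the `HSM_CREDENTIALS` that `sign-windows-exe.sh` (later in this patch) sources and tests, so the placeholder does not lead the operator to the right key. Download each .deb with `ansible.builtin.get_url` and `checksum: sha256:<DEB_SHA256>` (placeholder for the vendor-published digest), then point `apt: deb:` at the local path, and change the seeded line to `HSM_CREDENTIALS=` (or rename it in the script) so the two agree. `Write customerCA.crt` and `Write Cert_bundle.pem` give certificate files `mode: "u=rwx,g=rx"`; they are data, so `mode: "u=rw,g=r"` is enough, while the `*.sh` commands legitimately keep the executable bit. The third apt task reuses the name `Install cloudhsm-pkcs11` from the task above it; `Install pkcs11 engine and awscli` would distinguish the two in run output.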
@@ -0,0 +1,107 @@ +subject=jurisdictionCountryName=IT, businessCategory=Business Entity, CN=Open Observatory of Network Interference (OONI), SERIALNUMBER=96568220584, O=Open Observatory of Network Interference (OONI), L=Rome, C=IT +issuer=CN=HARICA EV Code Signing RSA SubCA R1, O=Hellenic Academic and Research Institutions CA, L=Athens, C=GR +-----BEGIN CERTIFICATE----- +MIIHeDCCBWCgAwIBAgIQeP20SJFLrwNNrScDbdnSeDANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UE +BhMCR1IxDzANBgNVBAcMBkF0aGVuczE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl +c2VhcmNoIEluc3RpdHV0aW9ucyBDQTEsMCoGA1UEAwwjSEFSSUNBIEVWIENvZGUgU2lnbmluZyBS +U0EgU3ViQ0EgUjEwHhcNMjQwNDI5MTEwNjU2WhcNMjYwNDI5MTEwNjU2WjCB1TELMAkGA1UEBhMC +SVQxDTALBgNVBAcMBFJvbWUxODA2BgNVBAoML09wZW4gT2JzZXJ2YXRvcnkgb2YgTmV0d29yayBJ +bnRlcmZlcmVuY2UgKE9PTkkpMRQwEgYDVQQFEws5NjU2ODIyMDU4NDE4MDYGA1UEAwwvT3BlbiBP +YnNlcnZhdG9yeSBvZiBOZXR3b3JrIEludGVyZmVyZW5jZSAoT09OSSkxGDAWBgNVBA8MD0J1c2lu +ZXNzIEVudGl0eTETMBEGCysGAQQBgjc8AgEDEwJJVDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC +AgoCggIBALs3gSrsYiuFwdffvSPMKI/yGYk6R2cX2nAsFB8fHFElGdsUbHNoBOdBsRUe2yCSHLwA +kMyuNsGvOxbykiNaCGnNjEg3bI7rE7YyKwSH6aR5B/TTpI9CESnFROxltWEfbBSr+SY/MlF+5bA2 +JWs9SMzl0BXMBoOVbLBczoAN38cX4Wwe7hsXpXwhbub8FIwSLMbMUcrqhLIsJQL7ywz/8cnxZqKD +Y9MsM+sIstCKrK2w6b8B9AAY0lmPpR+p4ZaBHzU1vsTX8wPoYA/QDz+TwlczuosNdyaWZcgAUZag +eMhjUOuT7Z92Yzu4PoWIPCOCu6LvYaC+M2mIRCZV476E+KlvSjqElDhYEBkkKueP+1/paiq4ibf3 +MUILTGg+/bhGF+5GVLGEhdimNYGVzzoqPh8ngPo37g+mKjMN8oguejN6/W5Ts/nedvNog4txeaYL +2M8PG5Jv0pyXf82lOaHpXVQ8qfHqWJr4RvI02kcNHGFrNvOCBao4DdLrehOCwFsxlcb7FG2lzjua +Zxg5TfBTNHDby8RGPDo6iq9zlEK2ciSN1lI1viGFRmM9ZYo75jj7OgFsSq9TwLj30WXLqxZdm7CN +f8OPFRc2NWNMTXhjCU9nAYYo8e8ZCnJ5bNVUMHpgx8eW9zrHVdQBKet3irOhDTdcl8DCj2/51S2z +wt69AB3HAgMBAAGjggGQMIIBjDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFJTvT2NZT7wQp8iHqRdp +AhJiR+F1MHIGCCsGAQUFBwEBBGYwZDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC5oYXJpY2EuZ3Iv +SGFyaWNhRVZDb2RlU2lnbmluZ1N1YkNBUjEuY2VyMCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5o 
+YXJpY2EuZ3IwYAYDVR0gBFkwVzAHBgVngQwBAzAIBgYEAI96AQIwQgYMKwYBBAGBzxEBAQMDMDIw +MAYIKwYBBQUHAgEWJGh0dHBzOi8vcmVwby5oYXJpY2EuZ3IvZG9jdW1lbnRzL0NQUzATBgNVHSUE +DDAKBggrBgEFBQcDAzBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8vY3JsLmhhcmljYS5nci9IYXJp +Y2FFVkNvZGVTaWduaW5nU3ViQ0FSMS5jcmwwHQYDVR0OBBYEFMA9FXuU36eaZpHrxlphS5vn/I9v +MA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAlEj7BT3SRaAL0uZWs4VJ3zKxMQKL +JOMR5fl7DKO5N/ynRDH8ktjLJZyt4wfNXBR71l0hvTeE+ZqnWXn0Pz0tEVR4qdjzf/JuO2G0GXfb +ATnZrUsTgm8utogtzb3BwDQVRgh5X6/BN8Ip/5C80zAGg2pGdySho2D4kJVeoNu/Gr0xYodFZirV +fcT6zT82eh+MEM2I19gONJ9soJsM9qNxeV94nA8Rct9ZVtv6/CuEg2zPz+JYjmAttp1cEqUchUsg +yUuwLzA4Bk7xnO8giTVFs71z8GET9WeQnohYO2PE/+ytA8wyjELctVOBj1MHVcTcQb/pc+CKenTP +sbeq29RG2WYOsdvAQlhRLJDFB6UoHlqtvQCMfda9HEemI/wHRMD7zKYYc3F1ik6VgGQ8ekEyjuzJ +V6xnELvWpbpm/GvdeXTUqrQpfA4ZowQaQr3ZdNGmpuxaWXByfAzcN9tVYHlcPnh4lTd5j40Sy2OL +Az0MxeukIvBTZEQaYxjxqSHglrVs9c9Gc7DJdpNy48zAefRUK2CfpoY1396DmKmpmYFTWkBvSESm +oQt2IPMnskBgrrNKMvas+W6Grybp9Y0k7c0m4VlW7IkvNR3D3dh+cwdMVxXHmwktIzAE2QdoWlNM +PiaCEKcXPYdBJ9Q2LrxyH2QaqbppvZ/n36y4SCQ//ZvZOUM= +-----END CERTIFICATE----- +subject=CN=HARICA EV Code Signing RSA SubCA R1, O=Hellenic Academic and Research Institutions CA, L=Athens, C=GR +issuer=CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. 
Authority, L=Athens, C=GR +-----BEGIN CERTIFICATE----- +MIIG9jCCBN6gAwIBAgIQRBc8w77BDn0wQDhwYp8kwDANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UE +BhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl +c2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMTN0hlbGxlbmljIEFj +YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIwMTUwHhcNMjAwMjI3MTIw +NTIyWhcNMzUwMjIzMTIwNTIyWjCBhTELMAkGA1UEBhMCR1IxDzANBgNVBAcMBkF0aGVuczE3MDUG +A1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDQTEsMCoG +A1UEAwwjSEFSSUNBIEVWIENvZGUgU2lnbmluZyBSU0EgU3ViQ0EgUjEwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCYS0S4Qp3qUC9OZ6t2FGCQBPTWXTEg081FblEgW/x41zwNJtFtQg3U +s+eKDgL0fB0lu64q2/A3uT8PzXr5YKgRcXswYztRFGbvd4zVKcOmNn1QXYB20RE7hHMSzFCc0LVz +CAnJE5+l+s60P+7HqIA/5aX/bKfI76xL2CiuTCZkgpXQFDdBIneIBMRXzpjQ2MM3qJg90yN6lt5S +ZH2+H+zV3OCLBYsAxsfuK4x1dH4EBD/6gF0DA8J38SU5g3nitEVlGMdl50Fvkuv0la5YUemSi+s/ +fE5QlRV39y3csRG5/L/irbZr39jTHDUK9mSli5KQvlzAvZ+Mw3byNKmlAeYrR+TYc0Tl8tVHWqoY +4e+shW4FTJlzpRWT550TD1QG8NqL+M4P7ZQD+X7W2bDedLBLDV1Oh1qVLcfPi7uzhqKFRG9Qv48b +CNXmiPkRlsUB3417sHaupqhNV487vxLKJSeu885SyehgFVv7ajJAxUSeIaguuxJ70ooCrXQDprN3 +a3qNhq/tNBzBByw2OMFj06tazhI66hrBhSnGHqwheT41mU3kz2fgwEyxe+9ZHbTgoSSGdPNp7Sga +ZBl4HXpIg8ofFFbBFGfmwoj12Nt75wGbY3gGec95VLqVqmF/fNZOqhj0V5kizzbtx4aEmiTG4ozn +zXfFrIqw27e7TRKTYzkRGwIDAQABo4IBPTCCATkwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNVHSME +GDAWgBRxFWfIyMm9dV1y0DgYap3zcSRUCzBvBggrBgEFBQcBAQRjMGEwPAYIKwYBBQUHMAKGMGh0 +dHA6Ly9yZXBvLmhhcmljYS5nci9jZXJ0cy9IYXJpY2FSb290Q0EyMDE1LmNydDAhBggrBgEFBQcw +AYYVaHR0cDovL29jc3AuaGFyaWNhLmdyMBEGA1UdIAQKMAgwBgYEVR0gADATBgNVHSUEDDAKBggr +BgEFBQcDAzA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmhhcmljYS5nci9IYXJpY2FSb290 +Q0EyMDE1LmNybDAdBgNVHQ4EFgQUlO9PY1lPvBCnyIepF2kCEmJH4XUwDgYDVR0PAQH/BAQDAgGG +MA0GCSqGSIb3DQEBCwUAA4ICAQByG18cPy5oLuAXImw5+BVlID7Y4Y3C3lNVVW15V12YV/OOLrPS +8N1L+66RyzkBAxC15Fn2xfrwHNRZEIQy/DqAfxO2nUn9BN1cXDgv2aje4LP7dqSOojupvkkWfCvg 
+JMuV3/Jpc3TFb8LdWN6+qreMJEU7FU+Xz0Sshm63ujzf8ta43FF9l4cooklUXrIjFrKPKYq38h8n +STrbPFDeZqjc9WwQ7tGm8Vt38PzQTmzAs6uZ5tZUyWJWYdtWa7AwwOoCRfE3L4i3ZzqYh/OL4z0m +qsiswn8PHn4yzirFXYs/jBY9pHZfbB81CV3Ad/xMxDMtmqSTVz9fP7o5Mpf+Z3aQlSsG4wFxQANA +w6EOQjt77ZTnLiGO8kjV2uxRBzXWDUATipNW8W4fMvIe6Pcb7pEU27piFTwxtsyq4KKfoKcnr7DZ +qZSfDVX2HBzndJu55aYZprU+AkB12aH0QDBjU/jeWu4dylJ8Soqn53bgWT3aAIXGB/mfE6XsjV+h +kc9GVDVAFYhe6qh6QXiUyZSt3nX9JU/UieAGnIck0YUQnjKlhpwgg1GjWQxc0YscDa9p/PtnPHSL +1/5DMkpv4sZnqeymAiGiOOofNrxpxtHCvEB4RTp4hGd3B3FxyVkkfVvwQQ6OyB2WvBVn7qht6/9Y +H64e3atPXIjYx+Lq6jGUQpci2w== +-----END CERTIFICATE----- +subject=CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR +issuer=CN=Hellenic Academic and Research Institutions RootCA 2011, O=Hellenic Academic and Research Institutions Cert. Authority, C=GR +-----BEGIN CERTIFICATE----- +MIIGcTCCBVmgAwIBAgIIGn48dflJd1IwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkdSMUQw +QgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENlcnQu +IEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3Rp +dHV0aW9ucyBSb290Q0EgMjAxMTAeFw0xNjA3MTkxMDMwNDZaFw0yNDA3MTcxMDMwNDZaMIGmMQsw +CQYDVQQGEwJHUjEPMA0GA1UEBxMGQXRoZW5zMUQwQgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBh +bmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENlcnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVu +aWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxNTCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAML4qT8bifw8PARdPZA2sJE6eTxmWu9tOQFJGrS3z39N +I1O3kADjEyoopjHxkQDjKOyuIUHOH9r9fRJbAYMPubBfmeHyEoOATQY+36yv56GIazGv8IvQGDO4 +20VqNPQCgCQoCgIVlV52Kg2ZOhRb9svLU7wTTQGIN5QlG0K8ItiOo5ZeOtky2z7o8BBl7XThL6d8 +ryc0uyl9m7bPCcjl0wr8iGVldArccxxczUCxHNS2hIxMUM9ojqhZrsInToKiNd0U9B//snfVhy+q +bn0kJ+fGyybm5f5nB2PYRQ3dOlllOVh6kplyPZyEXoghuNX0LPzZcFJPeLi9PCuLlZj1s9FozyAU +fkxcX+eL5fU1gRk31xEIt2a+00rOg1cAOsOB+BfLkjZd0aPYdRvhiyfqekhB/UUZBq0nmU7BcEfd 
+tZ+BUxLlsYxIXTFDF+OMxnpjlkspME6ETmIZXjzOl5ClfwHrneD4i4ndJZg9krZ+79nxUVF9LSbI +aVlh4KxquCo2EQR6UL0yhL4v3HLV1x0WR+RHZiA/9JbFr44BeqUPemT1DRiH2a6I1fqEwTrAaSgt +8g1oUarjpXfGpJAOoTeLMSNHwQkI6273eJvXgvyEIJlJGbYSRrH7RVUWqaNlrJwHD+pr3B8uBnLs +hogS5C3bXwUv5PAD0yYz54DCzUKhFzQLAgMBAAGjggGwMIIBrDAPBgNVHRMBAf8EBTADAQH/MA4G +A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVdctA4GGqd83EkVAswRgYDVR0fBD8wPTA7 +oDmgN4Y1aHR0cDovL2NybHYxLmhhcmljYS5nci9IYXJpY2FSb290Q0EyMDExL2NybHYxLmRlci5j +cmwwHwYDVR0jBBgwFoAUppFC/RNhSiOeCKQp5dgTBCPuQSUwbgYIKwYBBQUHAQEEYjBgMCEGCCsG +AQUFBzABhhVodHRwOi8vb2NzcC5oYXJpY2EuZ3IwOwYIKwYBBQUHMAKGL2h0dHA6Ly93d3cuaGFy +aWNhLmdyL2NlcnRzL0hhcmljYVJvb3RDQTIwMTEuY3J0MIGQBgNVHSAEgYgwgYUwgYIGBFUdIAAw +ejAyBggrBgEFBQcCARYmaHR0cDovL3d3dy5oYXJpY2EuZ3IvZG9jdW1lbnRzL0NQUy5waHAwRAYI +KwYBBQUHAgIwOAw2VGhpcyBjZXJ0aWZpY2F0ZSBpcyBzdWJqZWN0IHRvIEdyZWVrIGxhd3MgYW5k +IG91ciBDUFMuMA0GCSqGSIb3DQEBCwUAA4IBAQCI1QWSZXa9rZJOYCTxBoag7VU8vZfaaegtz2s+ +24HjERi5837T/Fn4wf8oU+tyDCXpnU3hyxsAPGSim/qeRFW3MhyMXUspGC+vW6gaoY0fQ5zxVH/6 +10dPl91uM3ItnnslMQZnHO79WFc+0qI3FWw6pRtE9qxVkr3Ed38ay2sQhEtnsgxlv83JPtPXVTBS +L7YtbvlQPf9eu85xaBtBCM2hc8SoH34vEpnaX70o1WvVsMRLyH2SEhQO1POBKf9+WMddJKi8/eVz +EBRMXOR/XzsofGT7hpZuK3nSJR6FOeEU+AaOUveNZEJY2kTA2vqjqUvPLeO9R45736xh/jWnHi51 +-----END CERTIFICATE----- diff --git a/ansible/roles/codesign_box/templates/authorized_keys b/ansible/roles/codesign_box/templates/authorized_keys new file mode 100644 index 00000000..d8d52847 --- /dev/null +++ b/ansible/roles/codesign_box/templates/authorized_keys @@ -0,0 +1,8 @@ +# managed by ansible +# see roles/ssh_users/templates/authorized_keys +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6QK3Q5Hxtnf0o0wqMS47W/ewlHf5ZhQrn4vOR5HaUO oonidevops +{% for user in codesign_usernames %} +{% for k in ssh_users[user]['keys'] %} +{{ k }} +{% endfor %} +{% endfor %} diff --git a/ansible/roles/codesign_box/templates/create-hsms.sh b/ansible/roles/codesign_box/templates/create-hsms.sh new file mode 100644 index 00000000..b5192060 --- /dev/null 
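Review bot: The template hardcodes an extra `ssh-ed25519 ... oonidevops` key ahead of the per-user loop, so that key is not governed by `ssh_users`/`codesign_usernames` in host_vars and will not be rotated or removed together with them. Either move it into `ssh_users` under a named entry and list that entry in `codesign_usernames`, or add a comment recording what the key is for and who holds it, e.g. `# oonidevops: <purpose>, held by <owner>` (placeholders). The comment `# see roles/ssh_users/templates/authorized_keys` points at a file this series does not show, so I cannot confirm the two templates agree.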
+++ b/ansible/roles/codesign_box/templates/create-hsms.sh 
@@ -0,0 +1,112 @@ +#!/bin/bash + +CLUSTER_ID="{{ cluster_id }}" + +create_hsm_token() { + if [ -z $1 ]; then + echo "AVAILABILITY ZONE PARAMETER UNSET!" + exit 1 + fi + AVAILABILITY_ZONE=$1 + aws cloudhsmv2 create-hsm --cluster-id $CLUSTER_ID --availability-zone $AVAILABILITY_ZONE + echo "Creating HSM Token in $AVAILABILITY_ZONE..." + sleep 5 + +} + + +wait_for_hsm_tokens() { + + while true; do + STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)") + if [ "$STATE" -ge 2 ]; then + echo "HSM Tokens created and active." + break + fi + echo "Waiting for HSM Token $TOKEN_NAME to become active..." + sleep 10 + done + +} + +CURRENT_TOKEN_COUNT=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)") +if [ "$CURRENT_TOKEN_COUNT" -ge 2 ]; then + echo "Enough HSMs already exist, skipping creation" +else + create_hsm_token eu-central-1a + create_hsm_token eu-central-1b + wait_for_hsm_tokens +fi + +echo "Extracting IP addresses of created HSM tokens..." 
+IP_ADDRESSES=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].EniIp" --output text) +echo "IP Addresses of created HSM tokens: $IP_ADDRESSES" + +IP_ADDRESS_1=$(echo $IP_ADDRESSES | cut -d ' ' -f1) +IP_ADDRESS_2=$(echo $IP_ADDRESSES | cut -d ' ' -f2) + +echo "[+] writing cloudhsm-cli.cfg" +cat < /tmp/cloudhsm-cli.cfg +{ + "clusters" : [{ + "type": "hsm1", + "cluster":{ + "hsm_ca_file": "/opt/cloudhsm/etc/customerCA.crt", + "servers":[ + { + "hostname": "$IP_ADDRESS_1", + "port": 2223, + "enable": true + }, + { + "hostname": "$IP_ADDRESS_2", + "port": 2223, + "enable": true + } + ] + } + }], + "logging": { + "log_type": "file", + "log_file": "/opt/cloudhsm/run/cloudhsm-cli.log", + "log_level": "info", + "log_interval": "daily" + } +} +EOF + +sudo mv /tmp/cloudhsm-cli.cfg /opt/cloudhsm/etc/cloudhsm-cli.cfg +sudo chown root:root /opt/cloudhsm/etc/cloudhsm-cli.cfg + + +echo "[+] writing cloudhsm-pkcs11.cfg" +cat < /tmp/cloudhsm-pkcs11.cfg +{ + "clusters" : [{ + "type": "hsm1", + "cluster":{ + "hsm_ca_file": "/opt/cloudhsm/etc/customerCA.crt", + "servers":[ + { + "hostname": "$IP_ADDRESS_1", + "port": 2223, + "enable": true + }, + { + "hostname": "$IP_ADDRESS_2", + "port": 2223, + "enable": true + } + ] + } + }], + "logging": { + "log_type": "file", + "log_file": "/opt/cloudhsm/run/cloudhsm-pkcs11.log", + "log_level": "info", + "log_interval": "daily" + } +} +EOF +sudo mv /tmp/cloudhsm-pkcs11.cfg /opt/cloudhsm/etc/cloudhsm-pkcs11.cfg +sudo chown root:root /opt/cloudhsm/etc/cloudhsm-pkcs11.cfg \ No newline at end of file diff --git a/ansible/roles/codesign_box/templates/customerCA.crt b/ansible/roles/codesign_box/templates/customerCA.crt new file mode 100644 index 00000000..09845437 --- /dev/null +++ b/ansible/roles/codesign_box/templates/customerCA.crt 
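Review bot: As the hunk reads, `cat < /tmp/cloudhsm-cli.cfg` and the matching `cat < /tmp/cloudhsm-pkcs11.cfg` are input redirections, not here-docs: `cat` fails on a file that does not exist yet, the JSON lines that follow are then executed as shell commands, and `EOF` is run as a command, so neither config file is ever written. The intended form is `cat > /tmp/cloudhsm-cli.cfg <<EOF` (and likewise for the pkcs11 file), and because the script then does `sudo mv` from a fixed name in world-writable `/tmp`, the staging file should come from `tmp=$(mktemp)` so another local user cannot pre-create or symlink the path. Separately, `wait_for_hsm_tokens` echoes `$TOKEN_NAME`, which nothing in the script sets, `if [ -z $1 ]` is unquoted and does not detect an empty argument, and there is no `set -euo pipefail`, so a failed `aws` call does not stop the later writes. `IP_ADDRESS_1`/`IP_ADDRESS_2` are derived from `echo $IP_ADDRESSES | cut -d ' '`, which relies on the unquoted expansion collapsing the tab-separated `--output text` into spaces; `read -r IP_ADDRESS_1 IP_ADDRESS_2 <<<"$IP_ADDRESSES"` says what is meant.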
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGTCCAwGgAwIBAgIUW998tXwtbnAJWCYzxpJoY1CIkbAwDQYJKoZIhvcNAQEL +BQAwgZsxCzAJBgNVBAYTAklUMQ0wCwYDVQQIDARSb21hMQ0wCwYDVQQHDARSb21h +MTwwOgYDVQQKDDNPcGVuIE9ic2VydmF0b3J5IG9mIE5ldHdvcmsgSW50ZXJmZXJl +bmNlIChPT05JKSBFVFMxETAPBgNVBAMMCG9vbmkub3JnMR0wGwYJKoZIhvcNAQkB +Fg5hZG1pbkBvb25pLm9yZzAeFw0yNDA0MjQxMDQ1MDlaFw0zNDA0MjQxMDQ1MDla +MIGbMQswCQYDVQQGEwJJVDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTE8 +MDoGA1UECgwzT3BlbiBPYnNlcnZhdG9yeSBvZiBOZXR3b3JrIEludGVyZmVyZW5j +ZSAoT09OSSkgRVRTMREwDwYDVQQDDAhvb25pLm9yZzEdMBsGCSqGSIb3DQEJARYO +YWRtaW5Ab29uaS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM +xiZOH0dkYKnFNpkRSuyFbsV+1wDygQLO7xry5Hf/JVetEAfLCVQJtR4V+gT+Q1kv +BJKTgh8iXNA4Js5AhPKOwgw+G6OUvaP1IZtnKfce67modAXSQaxY5/a0Rump4lCD +jtkg4a+WXXAf0AkM/3QulDkCEmpOw9AzCUMc70My0iMdF/7N5HdzIjlXMe9mEb1H +167EzmwOBq03L00tg55xfnJGZv7PNvQV3ftyexUxzY943zRXU9bS1iBO9BnltlvL +agQXGLcOlY/WxEPkVll3K+Mf3eXeeYDQYT7J4otGzyPsU1ZGNfcOA6aLbFbQjjHn +5clFr/3r2D12brqkkZ6LAgMBAAGjUzBRMB0GA1UdDgQWBBQTfMoy+GpdWLOnG3cX +e+qwDQ33aTAfBgNVHSMEGDAWgBQTfMoy+GpdWLOnG3cXe+qwDQ33aTAPBgNVHRMB +Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDDePxklTMHa8/uTyNMQq3o2pBg +3y/2f8XpaQHVxH/KIlQXBC5xi3ZCOHoBN/fa9UX94cxkmDncOfZVwnsMDhT7igDz +WU+jdWsrnAaBWEWsmPxiKz3JNewcgI+SS6jjEgoyy9rDe0wkL60LJ6N0yeVJV07C +GUo/rBPyYLZ1etVMk+WeRUnqOf9dd1yVJrp4gyb9fnBnPSV+Ey4DjViHIFhY839u +b2fw/62/NSTQDJXaamHXH38ViSIAMcUIcMMNVDmy1llqRq41nHYcB/nOF4AwffaO +qxphfAMEku7qj/EYWYahJmbqBJSQbm/kknJIOc997IwQkWVS3sGlHqzHR3tf +-----END CERTIFICATE----- diff --git a/ansible/roles/codesign_box/templates/delete-hsms.sh b/ansible/roles/codesign_box/templates/delete-hsms.sh new file mode 100644 index 00000000..109e7f32 --- /dev/null +++ b/ansible/roles/codesign_box/templates/delete-hsms.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash +CLUSTER_ID="{{ cluster_id }}" + +# List all HSM tokens +echo "Listing all HSM tokens in the cluster..." +aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].HsmId" + +# Function to delete an HSM token and wait for its deletion +delete_hsm_token() { + HSM_ID=$1 + aws cloudhsmv2 delete-hsm --cluster-id $CLUSTER_ID --hsm-id $HSM_ID + echo "Deleting HSM Token with ID: $HSM_ID..." + while true; do + STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?HsmId=='$HSM_ID'] | length(@)") + if [ "$STATE" -eq 0 ]; then + echo "HSM Token with ID $HSM_ID deleted." + break + fi + echo "Waiting for HSM Token with ID $HSM_ID to be deleted..." + sleep 10 + done +} + +# Delete all HSM tokens +HSM_IDS=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].HsmId" --output text) +for HSM_ID in $HSM_IDS; do + delete_hsm_token $HSM_ID +done + +echo "All HSM tokens have been deleted." diff --git a/ansible/roles/codesign_box/templates/sign-windows-exe.sh b/ansible/roles/codesign_box/templates/sign-windows-exe.sh new file mode 100644 index 00000000..197ffed3 --- /dev/null +++ b/ansible/roles/codesign_box/templates/sign-windows-exe.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +source ~/.hsmcredentials + +if [ -z $HSM_CREDENTIALS ];then + echo "please configure HSM_CREDENTIALS inside ~/.hsmcredentials" + exit 1 +fi + +if [ "$#" -ne 2 ];then + echo "Usage: $0 [in.exe] [out.exe]" + exit 1 +fi + +osslsigncode sign \ + -pass $HSM_CREDENTIALS \ + -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so \ + -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \ + -certs Cert_bundle.pem \ + -key "pkcs11:token=hsm1;object={{ hsm_token_name }}" \ + -in $1 \ + -out $2 diff --git a/tf/modules/cloudhsm/main.tf b/tf/modules/cloudhsm/main.tf index a9d951f0..a69c94b1 100644 --- a/tf/modules/cloudhsm/main.tf +++ b/tf/modules/cloudhsm/main.tf 
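Review bot: `aws cloudhsmv2 delete-hsm --cluster-id $CLUSTER_ID --hsm-id $HSM_ID` in `delete_hsm_token` is not checked, and the `while true` poll that follows only exits when the HSM disappears, so a rejected delete (wrong credentials, cluster in the wrong state) leaves the script printing "Waiting" forever; the `wait_for_them_to_die` loop that PATCH 5 splits out of this function has the same property. Guard the call with `aws cloudhsmv2 delete-hsm --cluster-id "$CLUSTER_ID" --hsm-id "$HSM_ID" || { echo "delete-hsm failed for $HSM_ID" >&2; exit 1; }` and give the loop a bounded retry count. The script is installed as `/usr/bin/delete-hsms.sh` for the `adm` group and tears down every HSM in the cluster the moment it is invoked; a `--yes` flag or an interactive confirmation before the loop would stop a mistyped command from doing so. `set -euo pipefail` under the shebang would also catch a failed `describe-clusters`, which otherwise leaves `HSM_IDS` empty and the script reporting "All HSM tokens have been deleted." without having done anything.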
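Review bot: `-certs Cert_bundle.pem` is a path relative to the caller's working directory, while the role writes the bundle to `/opt/cloudhsm/etc/Cert_bundle.pem`, so the command fails unless run from that directory; use the absolute path. `-pass $HSM_CREDENTIALS` puts the HSM password on the `osslsigncode` command line where any local user can read it from the process list (and the expansion is unquoted); osslsigncode accepts `-readpass <file>`, so pointing it at a `u=rw,g=,o=` file avoids the exposure. The guard `if [ -z $HSM_CREDENTIALS ]` should be `if [ -z "$HSM_CREDENTIALS" ]`, and `-in $1 -out $2` should be quoted as well so paths with spaces work. A `set -euo pipefail` line would turn a missing or unreadable `~/.hsmcredentials`, which `source` currently only warns about, into a clear failure.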
@@ -81,19 +81,6 @@ resource "aws_launch_template" "codesign_box_template" { associate_public_ip_address = true } - user_data = base64encode(<<-EOF - #!/bin/bash - sudo apt update - curl -o cloudhsm-cli.deb https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-cli_latest_u22.04_amd64.deb - sudo apt install ./cloudhsm-cli.deb - - curl -o cloudhsm-pkcs11.deb https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-pkcs11_latest_u22.04_amd64.deb - sudo apt install ./cloudhsm-pkcs11.deb - - sudo apt install libengine-pkcs11-openssl - EOF - ) - update_default_version = true tag_specifications { From 748e26fb1123985f2038edf27732babd316d1657 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Mon, 29 Jul 2024 17:58:19 +0200 Subject: [PATCH 5/5] Make the death be faster --- .../roles/codesign_box/templates/delete-hsms.sh | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/ansible/roles/codesign_box/templates/delete-hsms.sh b/ansible/roles/codesign_box/templates/delete-hsms.sh index 109e7f32..099a104f 100644 --- a/ansible/roles/codesign_box/templates/delete-hsms.sh +++ b/ansible/roles/codesign_box/templates/delete-hsms.sh @@ -10,15 +10,21 @@ delete_hsm_token() { HSM_ID=$1 aws cloudhsmv2 delete-hsm --cluster-id $CLUSTER_ID --hsm-id $HSM_ID echo "Deleting HSM Token with ID: $HSM_ID..." + +} + +wait_for_them_to_die() { + while true; do - STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?HsmId=='$HSM_ID'] | length(@)") + STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*] | length(@)") if [ "$STATE" -eq 0 ]; then - echo "HSM Token with ID $HSM_ID deleted." + echo "All HSM tokens are dead. RIP." break fi - echo "Waiting for HSM Token with ID $HSM_ID to be deleted..." + echo "Waiting for HSM tokens to die." sleep 10 done + } # Delete all HSM tokens 
@@ -27,4 +33,6 @@ for HSM_ID in $HSM_IDS; do delete_hsm_token $HSM_ID done +wait_for_them_to_die + echo "All HSM tokens have been deleted."