#!/usr/bin/env bash
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
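# This file is rendered by Terraform before bash runs it: every dollar-brace
# reference (vault_version, secrets_manager_arn, region, name,
# leader_tls_servername, kms_key_arn) is a Terraform interpolation. Shell
# variables in this script are therefore written as bare $name so Terraform
# leaves them alone.
#
# Abort on any failed step. Without this, an IMDS or Secrets Manager failure
# went unnoticed and left empty PEM files behind for Vault to start on.
set -euo pipefail

# Instance identity via IMDSv2 with a short-lived session token. -f makes curl
# return non-zero on an HTTP error so a denied/missing IMDS aborts the script.
imds_token=$(curl -fSs -H "X-aws-ec2-metadata-token-ttl-seconds: 30" -X PUT http://169.254.169.254/latest/api/token)
instance_id=$(curl -fSs -H "X-aws-ec2-metadata-token: $imds_token" http://169.254.169.254/latest/meta-data/instance-id)
local_ipv4=$(curl -fSs -H "X-aws-ec2-metadata-token: $imds_token" http://169.254.169.254/latest/meta-data/local-ipv4)

# HashiCorp apt repository.
# NOTE(review): apt-key is deprecated on current Ubuntu releases; the
# keyring file + signed-by= repository form is its replacement.
curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
apt-get update
# Quoted so the version wildcard is handed to apt and never filename-expanded
# by the shell.
apt-get install -y "vault=${vault_version}-*" awscli jq
timedatectl set-timezone UTC

# TLS material: the directory is world-readable, the private key readable by
# root and the vault group only. The key file is created with its final
# owner/mode *before* the secret is written, so the redirect below never
# leaves it world-readable even for an instant.
rm -rf /opt/vault/tls/*
chmod 0755 /opt/vault/tls
touch /opt/vault/tls/vault-key.pem
chown root:vault /opt/vault/tls/vault-key.pem
chmod 0640 /opt/vault/tls/vault-key.pem

# The certificate, CA and private key live in one JSON secret. Refuse to go on
# if nothing came back ("None" is what --output text prints for a null
# SecretString) instead of writing empty PEM files; jq -e additionally fails
# when a key is missing from the JSON.
secret_result=$(aws secretsmanager get-secret-value --secret-id "${secrets_manager_arn}" --region "${region}" --output text --query SecretString)
if [[ -z "$secret_result" || "$secret_result" == "None" ]]; then
  echo "secretsmanager returned no SecretString for the Vault TLS secret" >&2
  exit 1
fi
jq -er .vault_cert <<< "$secret_result" > /opt/vault/tls/vault-cert.pem
jq -er .vault_ca <<< "$secret_result" > /opt/vault/tls/vault-ca.pem
jq -er .vault_pk <<< "$secret_result" > /opt/vault/tls/vault-key.pem

# Server configuration. Unquoted heredoc on purpose: $instance_id and
# $local_ipv4 are expanded by bash here; the remaining placeholders were
# already filled in by Terraform.
cat << EOF > /etc/vault.d/vault.hcl
ui = true
disable_mlock = true
storage "raft" {
  path = "/opt/vault/data"
  node_id = "$instance_id"
  retry_join {
    auto_join = "provider=aws region=${region} tag_key=${name}-vault tag_value=server"
    auto_join_scheme = "https"
    leader_tls_servername = "${leader_tls_servername}"
    leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file = "/opt/vault/tls/vault-key.pem"
  }
}
cluster_addr = "https://$local_ipv4:8201"
api_addr = "https://$local_ipv4:8200"
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = false
  tls_cert_file = "/opt/vault/tls/vault-cert.pem"
  tls_key_file = "/opt/vault/tls/vault-key.pem"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.pem"
}
seal "awskms" {
  region = "${region}"
  kms_key_id = "${kms_key_arn}"
}
EOF

# vault.hcl names the KMS key and the node identity; only root and the vault
# group may read it.
chown root:root /etc/vault.d
chown root:vault /etc/vault.d/vault.hcl
chmod 0640 /etc/vault.d/vault.hcl
systemctl enable vault
systemctl start vault

echo "Vault profile"
# Point interactive shells at the local listener and the cluster CA. The
# script already runs with root privileges (apt-get/systemctl above need
# them), so no sudo is required; the quoted delimiter keeps the content
# literal.
cat <<'PROFILE' > /etc/profile.d/vault.sh
export VAULT_ADDR="https://127.0.0.1:8200"
export VAULT_CACERT="/opt/vault/tls/vault-ca.pem"
PROFILE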