From 221e18c4957ddbec69e2bb549800368fa9aa4527 Mon Sep 17 00:00:00 2001 From: Vaughn Dice Date: Mon, 27 Jun 2022 18:23:29 -0600 Subject: [PATCH] feat(aws): configure basic auth for bindle Signed-off-by: Vaughn Dice --- aws/terraform/ec2_assets/job/bindle.nomad | 12 +++++++++++- aws/terraform/ec2_assets/job/hippo.nomad | 13 ++++++++++++- aws/terraform/ec2_assets/run_servers.sh | 3 +++ aws/terraform/main.tf | 12 ++++++++++++ aws/terraform/outputs.tf | 13 +++++++++++++ aws/terraform/scripts/user-data.sh | 4 ++++ aws/terraform/variables.tf | 6 ++++++ 7 files changed, 61 insertions(+), 2 deletions(-) diff --git a/aws/terraform/ec2_assets/job/bindle.nomad b/aws/terraform/ec2_assets/job/bindle.nomad index 0409f53..53cdc71 100644 --- a/aws/terraform/ec2_assets/job/bindle.nomad +++ b/aws/terraform/ec2_assets/job/bindle.nomad @@ -10,6 +10,11 @@ variable "enable_letsencrypt" { description = "Enable cert provisioning via Let's Encrypt" } +variable "basic_auth_string" { + type = string + description = "Basic auth string (e.g. :) for Bindle" +} + job "bindle" { datacenters = ["dc1"] type = "service" @@ -53,10 +58,15 @@ job "bindle" { RUST_LOG = "error,bindle=debug" } + template { + data = var.basic_auth_string + destination = "${NOMAD_TASK_DIR}/htpasswd" + } + config { command = "bindle-server" args = [ - "--unauthenticated", + "--htpasswd-file", "${NOMAD_TASK_DIR}/htpasswd", "--address", "${NOMAD_ADDR_http}", # PRO TIP: set to an absolute directory to persist bindles when job # is restarted diff --git a/aws/terraform/ec2_assets/job/hippo.nomad b/aws/terraform/ec2_assets/job/hippo.nomad index 9f849c1..d706b87 100644 --- a/aws/terraform/ec2_assets/job/hippo.nomad +++ b/aws/terraform/ec2_assets/job/hippo.nomad 
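Review bot: In `aws/terraform/ec2_assets/job/bindle.nomad`, the description of the new `basic_auth_string` variable gives an empty example (`e.g. :`), so it does not say whether the value is a plaintext `user:password` pair or an htpasswd entry. The caller in `run_servers.sh` passes the output of `htpasswd -bBn`, and the job writes the value verbatim to the file given to `--htpasswd-file`, so it is a username plus bcrypt hash. I would spell that out, e.g. `description = "htpasswd entry for Bindle (<username>:<bcrypt-hash>), never the plaintext password"`.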
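Review bot: In the second `bindle.nomad` hunk, replacing `--unauthenticated` with `--htpasswd-file` means clients now send the Bindle password on every request, yet nothing ties that to TLS. `run_servers.sh` builds the URL from `${PLATFORM_PROTOCOL}` and `outputs.tf` falls back to `http` when `enable_letsencrypt` is false, so in that configuration the Basic credentials would cross the network in cleartext. At minimum add a comment above the `template` block such as `# Basic auth is only confidential behind TLS; set enable_letsencrypt = true outside throwaway demos`, and consider rejecting the combination in Terraform. The `template` block also relies on Nomad's default file permissions for the htpasswd file; whether they should be tightened depends on the task driver, which is outside this hunk.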
@@ -39,6 +39,17 @@ variable "admin_password" { default = null } +variable "bindle_auth_username" { + type = string + description = "Basic auth username for Bindle" +} + +variable "bindle_auth_password" { + type = string + description = "Basic auth password for Bindle" +} + + job "hippo" { datacenters = ["dc1"] type = "service" @@ -104,7 +115,7 @@ job "hippo" { # Database__Driver = "postgresql" # ConnectionStrings__Database = "Host=localhost;Username=postgres;Password=postgres;Database=hippo" - ConnectionStrings__Bindle = "server=${var.bindle_url}" + ConnectionStrings__Bindle = "server=${var.bindle_url};username=${var.bindle_auth_username};password=${var.bindle_auth_password}" Nomad__Traefik__Entrypoint = var.enable_letsencrypt ? "websecure" : "web" Nomad__Traefik__CertResolver = var.enable_letsencrypt ? "letsencrypt-tls" : "" diff --git a/aws/terraform/ec2_assets/run_servers.sh b/aws/terraform/ec2_assets/run_servers.sh index d36eaeb..574a948 100755 --- a/aws/terraform/ec2_assets/run_servers.sh +++ b/aws/terraform/ec2_assets/run_servers.sh @@ -95,6 +95,7 @@ echo "Starting bindle job..." nomad run \ -var domain="bindle.${DNS_ZONE}" \ -var enable_letsencrypt="${ENABLE_LETSENCRYPT}" \ + -var basic_auth_string="$(htpasswd -bBn ${BINDLE_AUTH_USERNAME} ${BINDLE_AUTH_PASSWORD} | tr -d '\n')" \ job/bindle.nomad echo "Starting hippo job..." @@ -104,6 +105,8 @@ nomad run \ -var admin_username="${HIPPO_ADMIN_USERNAME}" \ -var admin_password="${HIPPO_ADMIN_PASSWORD}" \ -var bindle_url="${PLATFORM_PROTOCOL}://bindle.${DNS_ZONE}/v1" \ + -var bindle_auth_username="${BINDLE_AUTH_USERNAME}" \ + -var bindle_auth_password="${BINDLE_AUTH_PASSWORD}" \ -var enable_letsencrypt="${ENABLE_LETSENCRYPT}" \ job/hippo.nomad diff --git a/aws/terraform/main.tf b/aws/terraform/main.tf index f225522..710c57e 100644 --- a/aws/terraform/main.tf +++ b/aws/terraform/main.tf 
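Review bot: In the `ConnectionStrings__Bindle` line of `hippo.nomad`, the username and password are interpolated unescaped into a `;`/`=`-delimited connection string, while `random_password.bindle_auth_password` in `main.tf` allows `=` among its special characters. Whether Hippo's parser accepts a value containing `=` is not visible here, so some generated passwords could fail to authenticate; the simplest guard is to generate this one with `special = false` and a longer `length`. Separately, the plaintext password now sits in the job's `env`, where anyone able to inspect the job through the Nomad API can read it; a comment recording that, or sourcing the value from a secret store, would make the exposure explicit.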
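Review bot: In the `nomad run` call for `job/bindle.nomad` in `run_servers.sh`, `${BINDLE_AUTH_USERNAME}` and `${BINDLE_AUTH_PASSWORD}` are expanded unquoted inside `$(...)`. A generated password containing `*` or `?` (both are in `override_special`) is therefore subject to pathname expansion, and the stored hash may not match the password Hippo sends. `htpasswd -b` also puts the plaintext password on the command line, where it shows up in the process list; reading it from stdin avoids both: `-var basic_auth_string="$(printf '%s\n' "${BINDLE_AUTH_PASSWORD}" | htpasswd -iBn "${BINDLE_AUTH_USERNAME}" | tr -d '\n')" \`. The hippo hunk below has the same argv exposure with `-var bindle_auth_password=...`; Nomad also reads HCL2 variables from `NOMAD_VAR_<name>` environment variables, which keeps the value off the command line.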
@@ -124,6 +124,8 @@ resource "aws_instance" "ec2" { bindle_version = local.bindle_version, bindle_checksum = local.bindle_checksum, + bindle_auth_username = var.bindle_auth_username, + bindle_auth_password = random_password.bindle_auth_password.result spin_version = local.spin_version, spin_checksum = local.spin_checksum, @@ -259,3 +261,13 @@ resource "random_password" "hippo_admin_password" { special = true override_special = "!#%&*-_=+<>:?" } + +# ----------------------------------------------------------------------------- +# Bindle auth password +# ----------------------------------------------------------------------------- + +resource "random_password" "bindle_auth_password" { + length = 22 + special = true + override_special = "!#%&*-_=+<>:?" +} diff --git a/aws/terraform/outputs.tf b/aws/terraform/outputs.tf index d21c58f..07b524d 100644 --- a/aws/terraform/outputs.tf +++ b/aws/terraform/outputs.tf @@ -40,6 +40,17 @@ output "hippo_admin_password" { sensitive = true } +output "bindle_auth_username" { + description = "Basic auth username for Bindle" + value = var.bindle_auth_username +} + +output "bindle_auth_password" { + description = "Basic auth password for Bindle" + value = random_password.bindle_auth_password.result + sensitive = true +} + output "common_tags" { description = "All applicable AWS resources are tagged with these values" value = local.common_tags @@ -54,6 +65,8 @@ export HIPPO_URL=${var.enable_letsencrypt ? "https" : "http"}://hippo.${var.dns_ export HIPPO_USERNAME=${var.hippo_admin_username} export HIPPO_PASSWORD=${random_password.hippo_admin_password.result} export BINDLE_URL=${var.enable_letsencrypt ? "https" : "http"}://bindle.${var.dns_host == "sslip.io" ? "${aws_eip.lb.public_ip}.${var.dns_host}" : var.dns_host}/v1 +export BINDLE_USERNAME=${var.bindle_auth_username} +export BINDLE_PASSWORD=${random_password.bindle_auth_password.result} EOM } 
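Review bot: In the first `main.tf` hunk, `random_password.bindle_auth_password.result` is added to what appears to be the template variables for the instance's user data (the enclosing call starts outside the hunk; `scripts/user-data.sh` consumes `${bindle_auth_password}`). If so, the plaintext password becomes part of EC2 user data, which stays readable from the instance metadata service by local processes and by any principal allowed to read the instance's `userData` attribute. The existing Hippo admin password seems to follow the same path, so this may be an accepted trade-off for a demo deployment, but a comment saying so, or fetching the secret at boot from SSM Parameter Store or Secrets Manager, would make it explicit. Minor: the new `bindle_auth_password` line lacks the trailing comma its neighbours have.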
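Review bot: In the environment heredoc of `outputs.tf`, `export BINDLE_PASSWORD=${random_password.bindle_auth_password.result}` emits the generated password unquoted, and the allowed special characters include `&`, `<`, `>`, `*` and `?`. A user who evals or sources this output would have the line split, redirected or globbed by the shell instead of getting the variable set. Single quotes are safe here because `'` is not in `override_special`: `export BINDLE_PASSWORD='${random_password.bindle_auth_password.result}'`. The neighbouring `HIPPO_PASSWORD` line has the same problem, and the output's definition (including whether it is marked `sensitive`) starts outside this hunk.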
diff --git a/aws/terraform/scripts/user-data.sh b/aws/terraform/scripts/user-data.sh index 06c020a..9a068dc 100644 --- a/aws/terraform/scripts/user-data.sh +++ b/aws/terraform/scripts/user-data.sh @@ -28,6 +28,7 @@ cd /tmp ## Install misc utilities sudo apt-get update && sudo apt-get install -y \ + apache2-utils \ curl \ unzip @@ -112,6 +113,9 @@ export HIPPO_ADMIN_USERNAME='${hippo_admin_username}' export HIPPO_ADMIN_PASSWORD='${hippo_admin_password}' export HIPPO_REGISTRATION_MODE='${hippo_registration_mode}' +export BINDLE_AUTH_USERNAME='${bindle_auth_username}' +export BINDLE_AUTH_PASSWORD='${bindle_auth_password}' + export DNS_ZONE='${dns_zone}' export ENABLE_LETSENCRYPT='${enable_letsencrypt}' diff --git a/aws/terraform/variables.tf b/aws/terraform/variables.tf index c9d83e6..e772109 100644 --- a/aws/terraform/variables.tf +++ b/aws/terraform/variables.tf @@ -68,3 +68,9 @@ variable "hippo_registration_mode" { error_message = "The Hippo registration mode must be 'Open', 'Closed' or 'AdministratorOnly'." } } + +variable "bindle_auth_username" { + description = "Basic auth username for Bindle" + type = string + default = "admin" +} \ No newline at end of file
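Review bot: The new `bindle_auth_username` variable in `variables.tf` is accepted without validation, although its value becomes the user field of an htpasswd entry (`user:hash`), part of Hippo's `;`-delimited connection string, and the content of shell `export` lines. A `validation` block like the one this file already has for `hippo_registration_mode` would reject values that break those formats, e.g. `condition = can(regex("^[A-Za-z0-9_.-]+$", var.bindle_auth_username))`. The file also now ends without a trailing newline.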