user-data.in

#!/bin/bash
#
# Something to increment to force deploys when there are no real changes: 1
#
###
set -euo pipefail

ec2metadata() {
  local base=http://169.254.169.254/latest token
  token=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "$base/api/token")

  if [[ -z "$token" ]]; then
    echo "Unable to get EC2 Metadata Token" >&2
    exit 1
  fi

  curl -H "X-aws-ec2-metadata-token: $token" "$base/meta-data/$1"
}

host=$(ec2metadata public-hostname)

if [[ -z "$host" ]]; then
  echo "Unable to get public-hostname" >&2
  exit 1
fi

INSTANCE_ID=$(ec2metadata instance-id)
export INSTANCE_ID

# TODO: Set these in CFN (like LIFECYCLE_HOOKS_URL, RESTYLER_QUEUE_NAME), so we
# handle SSM there, which is more secure.
get_ssm_parameter_value() {
  aws \
    --region "$REGION" ssm get-parameter \
    --name "/restyled/$ENV/$1" \
    --query 'Parameter.Value' \
    --output text
}

REDIS_URL=$(get_ssm_parameter_value redis-url)
export REDIS_URL

echo "Generating TLS certificates"
mkdir -p certs
docker run --rm \
  --volume "$PWD"/certs:/certs \
  restyled/init-certificates -H "$host" -o /certs

echo "Reconfiguring Docker daemon for TLS"
sudo mkdir -p /etc/docker/ssl
sudo cp certs/{ca,server_cert,server_key}.pem /etc/docker/ssl/
options="--tlsverify"
options+=" --tlscacert=/etc/docker/ssl/ca.pem"
options+=" --tlscert=/etc/docker/ssl/server_cert.pem"
options+=" --tlskey=/etc/docker/ssl/server_key.pem"
options+=" -H tcp://0.0.0.0:2376"
sudo sed -i 's%^\(OPTIONS="[^"]*\)"$%\1 '"$options"'"%' /etc/sysconfig/docker

echo "Restarting Docker daemon"
sudo systemctl restart docker

echo "Testing Docker connection"
mkdir -p client-certs
sudo cp /certs/ca.pem client-certs/ca.pem
sudo cp /certs/client_cert.pem client-certs/cert.pem
sudo cp /certs/client_key.pem client-certs/key.pem
sudo chown -R ec2-user:ec2-user client-certs/
env \
  DOCKER_TLS_VERIFY=1 \
  DOCKER_HOST="tcp://$host:2376" \
  DOCKER_CERT_PATH="$PWD/client-certs" \
  docker version

echo "Adding hourly prune script"
sudo tee /etc/cron.hourly/prune <<'EOM'
#!/bin/sh
set -x
find /tmp -maxdepth 1 \
  -type d -name 'restyler-*' \
  -cmin +$((4 * 60)) \
  -exec rm -r {} +
EOM
sudo chmod +x /etc/cron.hourly/prune

echo "Adding daily prune script"
sudo tee /etc/cron.daily/prune <<'EOM'
#!/bin/sh
set -x
docker system prune --all --force
EOM
sudo chmod +x /etc/cron.daily/prune

echo "Creating user-bridge Docker network"
docker network create user-bridge

if [[ -n "${DD_API_KEY:-""}" ]]; then
  echo "Starting Datadog agent"
  docker run \
    --net user-bridge \
    --detach \
    --name dd-agent \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /proc/:/host/proc/:ro \
    --volume /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    --env DD_API_KEY \
    --env DD_SITE \
    --env DD_DOGSTATSD_NON_LOCAL_TRAFFIC=1 \
    --env DD_PROCESS_AGENT_ENABLED=true \
    "gcr.io/datadoghq/agent:$DD_AGENT_MAJOR_VERSION"
fi

# https://stackoverflow.com/a/71884476
echo "Increasing put-response-hop-limit to 2"
aws --region "$REGION" ec2 modify-instance-metadata-options \
  --instance-id "$INSTANCE_ID" \
  --http-put-response-hop-limit 2 \
  --http-endpoint enabled

echo "Starting build agent"
docker run \
  --net user-bridge \
  --detach \
  --name restyled-agent \
  --log-driver=awslogs \
  --log-opt "awslogs-region=$REGION" \
  --log-opt "awslogs-group=$LOG_GROUP" \
  --env GITHUB_APP_ID \
  --env GITHUB_APP_KEY \
  --env RESTYLED_TOKEN \
  --env INSTANCE_ID \
  --env LIFECYCLE_HOOKS_URL \
  --env LOG_LEVEL=info,restyler:error \
  --env LOG_FORMAT=json \
  --env STATSD_HOST=dd-agent \
  --env REDIS_URL \
  --env RESTYLER_QUEUE_NAME \
  --env RESTYLER_POOL_SIZE \
  --volume "$PWD"/client-certs:/certs \
  --volume /tmp:/tmp \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  AGENT_IMAGE \
  --net user-bridge