diff --git a/.drone.yml b/.drone.yml index a32dc6453bc38..d8bdc9d1a6bda 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -1607,78 +1607,6 @@ image_pull_secrets: # Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ -kind: pipeline -type: kubernetes -name: build-legacy-amis -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- build-linux-amd64 -- build-linux-amd64-fips -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow release-teleport-legacy-amis.yaml -workflow-ref=${DRONE_TAG} - -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -- name: Send Slack notification - image: plugins/slack:1.4.1 - settings: - template: |- - *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> - Author: Repo: Branch: Commit: - webhook: - from_secret: SLACK_WEBHOOK_DEV_TELEPORT - when: - status: - - failure -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - 
---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - kind: pipeline type: kubernetes name: build-oci @@ -12048,6 +11976,6 @@ image_pull_secrets: - DOCKERHUB_CREDENTIALS --- kind: signature -hmac: 4ebe6803bd4211a77094240d8e91c2cc9ac7e9b97956e277fbfa3b5e52962fdd +hmac: 759cdb197a5962b5bbd5f2e21bffb709d04429e28e18f07e0894d78d12073450 ... diff --git a/CHANGELOG.md b/CHANGELOG.md index fa4167087bef0..9417e06593786 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -150,6 +150,15 @@ naming scheme for these AMIs has been changed to include the architecture. - Previous naming scheme: `teleport-oss-14.0.0-$TIMESTAMP` - New naming scheme: `teleport-oss-15.0.0-x86_64-$TIMESTAMP` +##### Legacy Amazon Linux 2 AMIs + +Teleport-provided Amazon Linux 2 AMIs were deprecated, and Teleport 14 is the +last version to produce such legacy AMIs. With Teleport 15's release, only +the newer hardened Amazon Linux 2023 AMIs will be produced. + +The legacy AMIs will continue to be published for Teleport 13 and 14 throughout +the remainder of these releases' lifecycle. + ## 14.0.0 (09/20/23) Teleport 14 brings the following new major features and improvements: diff --git a/assets/aws/Makefile b/assets/aws/Makefile index 1631fa928bc4e..13908c4ee38d6 100644 --- a/assets/aws/Makefile +++ b/assets/aws/Makefile 
@@ -1,112 +1,26 @@ -# VPC ID used for builds -BUILD_VPC_ID ?= - -# VPC subnet used for builds -BUILD_SUBNET_ID ?= - -# Public AMI name -PUBLIC_AMI_NAME ?= - -# Default build region -AWS_REGION ?= us-west-2 - # Teleport version # This must be a _released_ version of Teleport, i.e. one which has binaries -# available for download on https://gravitational.com/teleport/download +# available for download on https://goteleport.com/download # Unreleased versions will fail to build. TELEPORT_VERSION ?= 14.3.0 # Teleport UID is the UID of a non-privileged 'teleport' user TELEPORT_UID ?= 1007 -# Instance type to build the AMI on -INSTANCE_TYPE ?= t2.medium - # Use comma-separated values without spaces for multiple regions # For now, limit AMI publishing to non opt-in regions # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html # You can get this with $(AWS_DEFAULT_REGION=us-west-2 aws ec2 describe-regions | jq -r '.Regions | map(.RegionName) | join(",")') -DESTINATION_REGIONS ?= eu-north-1,ap-south-1,eu-west-3,eu-west-2,eu-west-1,ap-northeast-3,ap-northeast-2,ap-northeast-1,sa-east-1,ca-central-1,ap-southeast-1,ap-southeast-2,eu-central-1,us-east-1,us-east-2,us-west-1,us-west-2 +DESTINATION_REGIONS ?= ap-northeast-1,ap-northeast-2,ap-northeast-3,ap-south-1,ap-southeast-1,ap-southeast-2,ca-central-1,eu-central-1,eu-north-1,eu-west-1,eu-west-2,eu-west-3,sa-east-1,us-east-1,us-east-2,us-west-1,us-west-2 # Generate timestamp for builds BUILD_TIMESTAMP := $(shell TZ=UTC /bin/date "+%Y%m%d-%H%M%S%Z") -# Telegraf version -TELEGRAF_VERSION ?= 1.9.3 - -# InfluxDB version -INFLUXDB_VERSION ?= 1.8.5 - -# Grafana version -GRAFANA_VERSION ?= 9.0.7 - # AWS account ID which hosts the public Teleport AMIs -AWS_ACCOUNT_ID ?= 126027368216 +AWS_ACCOUNT_ID ?= 146628656107 export -# Build local 'debug' AMI -.PHONY: oss -oss: TELEPORT_TYPE=oss -oss: check-vars -oss: - @echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE)" - @echo 
"BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)" - mkdir -p files/build - packer build -force -var build_timestamp=$(BUILD_TIMESTAMP) -only teleport-aws-linux -var destination_regions=$(AWS_REGION) single-ami.json - @echo "$(BUILD_TIMESTAMP)" > files/build/oss_build_timestamp.txt - -# Build named 'production' AMI and marketplace version -.PHONY: oss-ci-build -oss-ci-build: TELEPORT_TYPE=oss -oss-ci-build: check-vars -oss-ci-build: - @echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE) via CI" - @echo "Public AMI name: $(PUBLIC_AMI_NAME)" - @echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)" - mkdir -p files/build - packer build -force -var ami_name=$(PUBLIC_AMI_NAME) -var build_timestamp=$(BUILD_TIMESTAMP) -except teleport-aws-linux-fips single-ami.json - @echo "$(BUILD_TIMESTAMP)" > files/build/oss_build_timestamp.txt - -.PHONY: change-amis-to-public-oss -change-amis-to-public-oss: - @echo "Making OSS AMIs public" - bash files/make-amis-public.sh oss $(DESTINATION_REGIONS) - -# Build local 'debug' AMI -.PHONY: ent -ent: TELEPORT_TYPE=ent -ent: check-vars - @echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE)" - @echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)" - mkdir -p files/build - packer build -force -var build_timestamp=$(BUILD_TIMESTAMP) -only teleport-aws-linux -var destination_regions=$(AWS_REGION) single-ami.json - @echo "$(BUILD_TIMESTAMP)" > files/build/ent_build_timestamp.txt - -# Build named 'production' AMI and marketplace version -.PHONY: ent-ci-build -ent-ci-build: TELEPORT_TYPE=ent -ent-ci-build: check-vars -ent-ci-build: - @echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE) via CI" - @echo "Public AMI name: $(PUBLIC_AMI_NAME)" - @echo "FIPS AMI name: $(FIPS_AMI_NAME)" - @echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)" - mkdir -p files/build - packer build -force -var ami_name=$(PUBLIC_AMI_NAME) -var fips_ami_name=$(FIPS_AMI_NAME) -var build_timestamp=$(BUILD_TIMESTAMP) single-ami.json - @echo "$(BUILD_TIMESTAMP)" > files/build/ent_build_timestamp.txt - -.PHONY: 
change-amis-to-public-ent -change-amis-to-public-ent: - @echo "Making Enterprise AMIs public" - bash files/make-amis-public.sh ent $(DESTINATION_REGIONS) - -.PHONY: change-amis-to-public-ent-fips -change-amis-to-public-ent-fips: - @echo "Making FIPS Enterprise AMIs public" - bash files/make-amis-public.sh ent-fips $(DESTINATION_REGIONS) - - # Other helpers .PHONY: check-vars check-vars: @@ -123,7 +37,7 @@ update-ami-ids-terraform: @echo -e "\nUpdating Enterprise FIPS Terraform image IDs" go run ./cmd/update-ami-id --aws-account $(AWS_ACCOUNT_ID) --regions $(DESTINATION_REGIONS) --version $(TELEPORT_VERSION) --type ent-fips -# you will need the Github 'gh' CLI installed and working to be able to use this target +# you will need the GitHub 'gh' CLI installed and working to be able to use this target # https://github.com/cli/cli/releases/latest AUTO_BRANCH_NAME := "ami-auto-branch-$(shell date +%s)" MAKEFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST))) diff --git a/assets/aws/README.md b/assets/aws/README.md index c974a8484afac..cf852f4d75dff 100644 --- a/assets/aws/README.md +++ b/assets/aws/README.md @@ -8,8 +8,8 @@ Instructions for building Teleport AWS AMIs. AWS CLI and Packer are required to build Teleport AMIs. -Minimum versions: -awscli == 1.14 +Minimum versions: +awscli == 1.14 packer == v1.4.0 On macOS: 
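Review bot: The trust anchor for AMI lookups changes at `AWS_ACCOUNT_ID ?= 146628656107` with no comment on why, and this value is what `update-ami-ids-terraform` passes as `--aws-account` to `update-ami-id`, which uses it as the `Owners` filter next to a name-only `teleport-*` match, so a wrong account here would make the tool pick up whatever public `teleport-*` AMIs that account exposes. Suggest documenting the switch above the variable, e.g. `# Account that publishes the hardened Amazon Linux 2023 AMIs (the legacy AL2 AMIs were published from 126027368216)` — the AL2023 attribution is inferred from the CHANGELOG in this commit, so confirm before committing the comment. The body of `check-vars` is outside this hunk; if it still validates `BUILD_VPC_ID`/`BUILD_SUBNET_ID`, those variables no longer exist after this change and the target should be trimmed accordingly. The README hunk in this same commit still instructs users to run `make oss`, but the `oss` target is deleted here, so either the README step needs updating or a replacement target is missing.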
@@ -35,11 +35,7 @@ Follow instructions at: https://www.packer.io/docs/install/index.html | Param | Description | |---------------------|-------------------------------------------------------------------------------------------------------------| -| BUILD_VPC_ID | With the region you selected in step 3, create or use an existing VPC. ex. `vpc-xxxxxxxx`. | -| BUILD_SUBNET_ID | Within the VPC above, select a subnet. ex. `subnet-xxxxxxxx` | -| AWS_REGION | Region you selected in step 3. ex. `us-east-1` | | TELEPORT_VERSION | Teleport version. See [Teleport releases](https://github.com/gravitational/teleport/releases). ex. `4.2.10` | -| INSTANCE_TYPE | The instance type used for the build. ex. `t2.micro` | | DESTINATION_REGIONS | The regions the AMI will be replicated to. ex. `us-east-1,us-east-2` | 5. Run @@ -47,7 +43,7 @@ Follow instructions at: https://www.packer.io/docs/install/index.html make oss ``` -6. Once complete, your AMI should be available, in the regions you specified, with the name `teleport-debug-ami--`. (e.g. teleport-debug-ami-oss-4.2.10) +6. Once complete, your AMI should be available, in the regions you specified, with the name `teleport---`. (e.g. teleport-oss-4.2.10-arm64) ## Usage instructions diff --git a/assets/aws/cmd/update-ami-id/main.go b/assets/aws/cmd/update-ami-id/main.go index c9cc86891aa01..55707d45cf2cc 100644 --- a/assets/aws/cmd/update-ami-id/main.go +++ b/assets/aws/cmd/update-ami-id/main.go 
@@ -43,40 +43,56 @@ func main() { ctx := context.Background() - imageIDs := make(map[string]string) + imageIDs := make(map[string]map[string]string) for _, region := range strings.Split(*regions, ",") { - stub := fmt.Sprintf("gravitational-teleport-ami-%v-%v", *amiType, *version) - if *amiType == "ent-fips" { - stub = fmt.Sprintf("gravitational-teleport-ami-ent-%v-fips", *version) + for _, arch := range []string{"x86_64", "arm64"} { + edition := *amiType + fips := "false" + if *amiType == "ent-fips" { + edition = "ent" + fips = "true" + } + + cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(region)) + if err != nil { + log.Fatalf("could not load AWS config for %q: %v", region, err) + } + + client := ec2.NewFromConfig(cfg) + resp, err := client.DescribeImages(ctx, &ec2.DescribeImagesInput{ + Filters: []types.Filter{ + {Name: aws.String("name"), Values: []string{"teleport-*"}}, + {Name: aws.String("is-public"), Values: []string{"true"}}, + {Name: aws.String("tag:Architecture"), Values: []string{arch}}, + {Name: aws.String("tag:TeleportVersion"), Values: []string{*version}}, + {Name: aws.String("tag:TeleportEdition"), Values: []string{edition}}, + {Name: aws.String("tag:TeleportFipsEnabled"), Values: []string{fips}}, + {Name: aws.String("tag:BuildType"), Values: []string{"production"}}, + }, + Owners: []string{*account}, + }) + if err != nil { + log.Fatalf("describe images in %q: %v", region, err) + } + + if l := len(resp.Images); l != 1 { + if l == 0 { + log.Printf("missing image for region %q type %q ver %q arch %q", region, *amiType, *version, arch) + continue + } + log.Fatalf("expected 1 image for region %q type %q ver %q arch %q, got %v", region, *amiType, *version, arch, l) + } + + id := resp.Images[0].ImageId + if id == nil { + log.Fatalf("image for region %q type %q ver %q arch %q is missing ID", region, *amiType, *version, arch) + } + if _, ok := imageIDs[region]; !ok { + imageIDs[region] = make(map[string]string) + } + imageIDs[region][arch] = *id 
} - - cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(region)) - if err != nil { - log.Fatalf("could not load AWS config: %v", err) - } - - client := ec2.NewFromConfig(cfg) - resp, err := client.DescribeImages(ctx, &ec2.DescribeImagesInput{ - Filters: []types.Filter{ - {Name: aws.String("name"), Values: []string{stub}}, - {Name: aws.String("is-public"), Values: []string{"true"}}, - }, - Owners: []string{*account}, - }) - if err != nil { - log.Fatalf("describe images: %v", err) - } - - if l := len(resp.Images); l != 1 { - log.Fatalf("expected 1 image for %v, got %v", stub, l) - } - - id := resp.Images[0].ImageId - if id == nil { - log.Fatalf("image %v is missing ID", stub) - } - imageIDs[region] = *id } tfDir := filepath.Join("..", "..", "examples", "aws", "terraform") @@ -96,7 +112,7 @@ func main() { // change version in TF_VAR_ami_name strings for _, tfMode := range tfModes { log.Printf("Updating version in README for %v", tfMode) - re, err := regexp.Compile(fmt.Sprintf(`gravitational-teleport-ami-%s-([0-9.]+)`, *amiType)) + re, err := regexp.Compile(fmt.Sprintf(`teleport-%s-([0-9.]+)`, *amiType)) if err != nil { log.Fatalf("invalid regexp for type %q: %v", *amiType, err) } @@ -107,7 +123,7 @@ func main() { log.Fatalf("could not find README.md for terraform mode %q: %v", tfMode, err) } - replaced := re.ReplaceAll(b, []byte(fmt.Sprintf("gravitational-teleport-ami-%s-%s", *amiType, *version))) + replaced := re.ReplaceAll(b, []byte(fmt.Sprintf("teleport-%s-%s", *amiType, *version))) if err := os.WriteFile(readme, replaced, 0644); err != nil { log.Fatalf("could not update %v: %v", readme, err) } 
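Review bot: A missing image is now only reported with `log.Printf("missing image for region %q ...")` followed by `continue`, where the old code called `log.Fatalf`, so a partially replicated release will rewrite the terraform README with a mix of new and stale AMI IDs and still exit 0; the same path also masks an unrecognised `*amiType`, which matches no `TeleportEdition` tag in any region and degrades to a wall of "missing image" lines. Collect the misses instead and fail once after the region loop: `var missing []string` before the loop, `missing = append(missing, fmt.Sprintf("%s/%s", region, arch)); continue` in place of the bare `continue`, and `if len(missing) > 0 { log.Fatalf("no production image for: %v", missing) }` after the closing brace of the region loop. Separately, `config.LoadDefaultConfig` and the `edition`/`fips` derivation now sit inside the `arch` loop although they depend only on `region` and `*amiType`, so hoisting them above `for _, arch` avoids resolving credentials twice per region.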
@@ -120,18 +136,23 @@ func main() { } for _, region := range strings.Split(*regions, ",") { - newAMI := imageIDs[region] - - ts := AMIType(*amiType) - re, err := regexp.Compile(fmt.Sprintf(`(?m)^# %s v(.*) %s: (ami-.*)$`, region, ts.FriendlyType())) - if err != nil { - log.Fatalf("invalid regexp for region %q type %q: %v", region, *amiType, err) + for _, arch := range []string{"x86_64", "arm64"} { + newAMI := imageIDs[region][arch] + if newAMI == "" { + continue + } + + ts := AMIType(*amiType) + re, err := regexp.Compile(fmt.Sprintf(`(?m)^# %s v(.*) %s %s: (ami-.*)$`, region, arch, ts.FriendlyType())) + if err != nil { + log.Fatalf("invalid regexp for region %q type %q arch %q: %v", region, *amiType, arch, err) + } + + repl := fmt.Sprintf(`# %s v%s %s %s: %s`, region, *version, arch, ts.FriendlyType(), newAMI) + md = re.ReplaceAll(md, []byte(repl)) + + log.Printf("[%v %v: %v] -> %v", *amiType, arch, region, newAMI) } - - repl := fmt.Sprintf(`# %s v%s %s: %s`, region, *version, ts.FriendlyType(), newAMI) - md = re.ReplaceAll(md, []byte(repl)) - - log.Printf("[%v: %v] -> %v", *amiType, region, newAMI) } if err := os.WriteFile(tfPath, md, 0644); err != nil { log.Fatalf("could not update %v: %v", tfPath, err) diff --git a/assets/aws/files/install.sh b/assets/aws/files/install.sh deleted file mode 100644 index e809ae890d48c..0000000000000 --- a/assets/aws/files/install.sh +++ /dev/null 
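Review bot: When the terraform file has no `# <region> v… <arch> <type>: ami-…` line for a region/arch pair, `re.ReplaceAll(md, []byte(repl))` is a silent no-op, yet the following `log.Printf("[%v %v: %v] -> %v", ...)` still reports the AMI as updated, so a missing arm64 entry (a new line shape introduced by this commit) would go unnoticed. Guard the replacement with `if !re.Match(md) { log.Fatalf("no AMI line for region %q arch %q (%s) in %v", region, arch, ts.FriendlyType(), tfPath) }` before calling `ReplaceAll`. The pattern also interpolates `region`, `arch` and `ts.FriendlyType()` unescaped; they contain only letters, digits, `-` and `_` as far as this diff shows, but wrapping them in `regexp.QuoteMeta` is cheap insurance against a future type name with regex metacharacters. The `newAMI == ""` branch quietly skips regions that had no image in the lookup above, which is consistent with that hunk but worth a one-line comment such as `// skipped: no production image found for this region/arch`.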
@@ -1,124 +0,0 @@ -#!/bin/bash -if [[ "${DEBUG:-false}" == "true" ]]; then - set -x -fi - -# Update packages -yum -y update - -# Install uuid used for random token generation, nginx for grafana frontend -yum install -y uuid libffi-devel gcc openssl-devel adduser libfontconfig - -# Install nginx -amazon-linux-extras install nginx1 - -# Set some curl options so that temporary failures get retried -# More info: https://ec.haxx.se/usingcurl-timeouts.html -CURL_OPTS="-L --retry 100 --retry-delay 0 --connect-timeout 10 --max-time 300" - -# Install telegraf to collect stats from influx -curl ${CURL_OPTS} -o /tmp/telegraf.rpm "https://dl.influxdata.com/telegraf/releases/telegraf-${TELEGRAF_VERSION}-1.x86_64.rpm" -yum install -y /tmp/telegraf.rpm -rm -f /tmp/telegraf.rpm - -# Install grafana -curl ${CURL_OPTS} -o /tmp/grafana.rpm "https://dl.grafana.com/oss/release/grafana-${GRAFANA_VERSION}-1.x86_64.rpm" -yum install -y /tmp/grafana.rpm -rm -f /tmp/grafana.rpm - -# Install InfluxDB -curl $CURL_OPTS -o /tmp/influxdb.rpm "https://dl.influxdata.com/influxdb/releases/influxdb-${INFLUXDB_VERSION}.x86_64.rpm" -yum install -y /tmp/influxdb.rpm -rm -f /tmp/influxdb.rpm - -# Install certbot to rotate certificates -# Certbot is a tool to request letsencrypt certificates, -# remove it if you don't need letsencrypt. -yum -y install python3 python3-pip -# pip needs to be upgraded to work around issues with the 'cryptography' package -pip3 install --upgrade pip -# add new pip3 install location to PATH temporarily -export PATH=/usr/local/bin:$PATH -pip3 install -I awscli requests -pip3 install certbot certbot-dns-route53 - -# Create teleport user. It is helpful to share the same UID -# to have the same permissions on shared NFS volumes across auth servers and for consistency. 
-useradd -r teleport -u ${TELEPORT_UID} -d /var/lib/teleport -# Add teleport to adm group to read and write logs -usermod -a -G adm teleport - -# Setup teleport run dir for pid files -mkdir -p /run/teleport/ /var/lib/teleport /etc/teleport.d -chmod 0700 /var/lib/teleport -chown -R teleport:adm /run/teleport /var/lib/teleport /etc/teleport.d/ - -# Download and install teleport binaries -pushd /tmp || exit -# Install the FIPS version of Teleport if /tmp/teleport-fips is present -if [ -f /tmp/teleport-fips ]; then - TARBALL_FILENAME="/tmp/files/teleport-ent-v${TELEPORT_VERSION}-linux-amd64-fips-bin.tar.gz" - # Use a Teleport artifact uploaded from the build machine, if present - if [ -f ${TARBALL_FILENAME} ]; then - echo "Found locally uploaded Enterprise FIPS tarball ${TARBALL_FILENAME}, moving to /tmp/teleport.tar.gz" - mv ${TARBALL_FILENAME} /tmp/teleport.tar.gz - else - echo "Installing Enterprise Teleport version ${TELEPORT_VERSION} with FIPS support" - curl ${CURL_OPTS} -o teleport.tar.gz https://cdn.teleport.dev/teleport-ent-v${TELEPORT_VERSION}-linux-amd64-fips-bin.tar.gz - fi - tar -xzf teleport.tar.gz - cp teleport-ent/tctl teleport-ent/tsh teleport-ent/teleport teleport-ent/tbot /usr/local/bin - rm -rf /tmp/teleport.tar.gz /tmp/teleport-ent - # add --fips to 'teleport start' commands in FIPS mode - sed -i -E "s_ExecStart=/usr/local/bin/teleport start(.*)_ExecStart=/usr/local/bin/teleport start --fips\1_g" /etc/systemd/system/teleport*.service - # https://aws.amazon.com/blogs/publicsector/enabling-fips-mode-amazon-linux-2/ - yum install -y dracut-fips - dracut -f - /sbin/grubby --update-kernel=ALL --args="fips=1" -else - if [[ "${TELEPORT_TYPE}" == "oss" ]]; then - TARBALL_FILENAME="/tmp/files/teleport-v${TELEPORT_VERSION}-linux-amd64-bin.tar.gz" - # Use a Teleport artifact uploaded from the build machine, if present - if [ -f ${TARBALL_FILENAME} ]; then - echo "Found locally uploaded OSS tarball ${TARBALL_FILENAME}, moving to /tmp/teleport.tar.gz" - mv 
${TARBALL_FILENAME} /tmp/teleport.tar.gz - else - echo "Installing OSS Teleport version ${TELEPORT_VERSION}" - curl ${CURL_OPTS} -o teleport.tar.gz https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION}-linux-amd64-bin.tar.gz - fi - tar -xzf teleport.tar.gz - cp teleport/tctl teleport/tsh teleport/teleport teleport/tbot /usr/local/bin - rm -rf /tmp/teleport.tar.gz /tmp/teleport - else - TARBALL_FILENAME="/tmp/files/teleport-ent-v${TELEPORT_VERSION}-linux-amd64-bin.tar.gz" - # Use a Teleport artifact uploaded from the build machine, if present - if [ -f ${TARBALL_FILENAME} ]; then - echo "Found locally uploaded Enterprise tarball ${TARBALL_FILENAME}, moving to /tmp/teleport.tar.gz" - mv ${TARBALL_FILENAME} /tmp/teleport.tar.gz - else - echo "Installing Enterprise Teleport version ${TELEPORT_VERSION}" - curl ${CURL_OPTS} -o teleport.tar.gz https://cdn.teleport.dev/teleport-ent-v${TELEPORT_VERSION}-linux-amd64-bin.tar.gz - fi - tar -xzf teleport.tar.gz - cp teleport-ent/tctl teleport-ent/tsh teleport-ent/teleport teleport-ent/tbot /usr/local/bin - rm -rf /tmp/teleport.tar.gz /tmp/teleport-ent - fi -fi -popd || exit - -# Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs) -echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path - -# Clean up the authorized keys not used -rm -f /root/.ssh/authorized_keys -rm -f /home/ec2-user/.ssh/authorized_keys - -# Clean up copied temp files -rm -rf /tmp/files - -# Clean up all packages -yum -y clean all - -# Enable Teleport services to start on boot -systemctl enable teleport-generate-config.service -systemctl enable teleport.service diff --git a/assets/aws/files/make-amis-public.sh b/assets/aws/files/make-amis-public.sh deleted file mode 100755 index 9a79dd79020c7..0000000000000 --- a/assets/aws/files/make-amis-public.sh +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/usr/bin/env bash -set -e - -# Exit if required parameters not provided -if [[ "$1" == "" ]] || [[ "$2" == "" ]]; then - echo "Usage: $(basename $0) [oss/ent/ent-fips] [comma-separated-destination-region-list]" - exit 1 -else - RUN_MODE="$1" - REGION_LIST="$2" -fi - -# Note: to run this script on MacOS you will need to install coreutils (using Brew), then edit the PATH in your shell's -# RC file to use coreutils versions first (something like "export PATH=/usr/local/opt/coreutils/libexec/gnubin:$PATH") -ABSPATH=$(readlink -f "$0") -SCRIPT_DIR=$(dirname "${ABSPATH}") -BUILD_DIR=$(readlink -f "${SCRIPT_DIR}/build") - -AMI_TAG="production" -OUTFILE="amis.txt" -BUILD_TIMESTAMP_FILENAME="${RUN_MODE}_build_timestamp.txt" -NAME_FILTER="*${RUN_MODE}*" -# Conditionally set variables for FIPS -if [[ "${RUN_MODE}" == "ent-fips" ]]; then - AMI_TAG="production-fips" - OUTFILE="amis-fips.txt" - BUILD_TIMESTAMP_FILENAME="ent_build_timestamp.txt" - NAME_FILTER="*-fips" -fi - -# Remove existing AMI ID file if present -if [ -f "${BUILD_DIR}/${OUTFILE}.txt" ]; then - rm -f "${BUILD_DIR}/${OUTFILE}.txt" -fi - -# Read build timestamp from file -TIMESTAMP_FILE="${BUILD_DIR}/${BUILD_TIMESTAMP_FILENAME}" -if [ ! 
-f "${TIMESTAMP_FILE}" ]; then - echo "Cannot find \"${TIMESTAMP_FILE}\"" - exit 1 -fi -BUILD_TIMESTAMP=$(<"${TIMESTAMP_FILE}") - -# Iterate through AMIs -IFS="," -for REGION in ${REGION_LIST}; do - AMI_ID=$(aws ec2 describe-images --region ${REGION} --filters "Name=name,Values=${NAME_FILTER}" "Name=tag:BuildTimestamp,Values=${BUILD_TIMESTAMP}" "Name=tag:BuildType,Values=${AMI_TAG}"| jq -r '.Images[0].ImageId') - if [[ "${AMI_ID}" == "" || "${AMI_ID}" == "null" ]]; then - echo "Error: cannot get AMI ID for ${REGION}" - exit 2 - fi - # Make each AMI public (set launchPermission to 'all') - aws ec2 modify-image-attribute --region ${REGION} --image-id ${AMI_ID} --launch-permission "Add=[{Group=all}]" - # Check that the AMI was successfully made public by listing it again - # The output will be "true" if the AMI is public and "" if it doesn't exist or is private - PUBLIC_CHECK=$(aws ec2 describe-images --region ${REGION} --filters "Name=image-id,Values=${AMI_ID}" "Name=is-public,Values=true" | jq -r '.Images[].Public') - if [[ "${PUBLIC_CHECK}" == "true" ]]; then - echo "AMI ID ${AMI_ID} for ${REGION} set to public" - else - echo "WARNING: There was an error making ${AMI_ID} in ${REGION} public!" - fi -done diff --git a/assets/aws/monitor-files/bin/teleport-monitor-setup b/assets/aws/monitor-files/bin/teleport-monitor-setup deleted file mode 100755 index 2e71b02e1d302..0000000000000 --- a/assets/aws/monitor-files/bin/teleport-monitor-setup +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/bash - -# Source variables from user-data -. /etc/teleport.d/conf - -# Enable/start grafana -systemctl enable grafana-server -systemctl start grafana-server - -# Enable/start influxdb -systemctl enable influxdb.service -systemctl restart influxdb.service - -# Import dashboard and data source -until curl --output /dev/null --silent --head --fail http://localhost:3000; do - echo "waiting for grafana to respond" - sleep 5 -done - -echo "Grafana is up setting up dashboards and data sources" - -GRAFANA_PASS="$(aws ssm get-parameter --with-decryption --name /teleport/${TELEPORT_CLUSTER_NAME}/grafana_pass --region ${EC2_REGION} --query 'Parameter.Value' --output text)" - -# if the password hasn't been changed from the default, set it to a random value (for security) and then also write that -# parameter back to SSM so the user can find out what it is -if [[ "${GRAFANA_PASS}" == "CHANGE_THIS_VALUE" ]]; then - GRAFANA_PASS=$(hexdump -n 16 -e '4/4 "%08X" 1 "\n"' /dev/urandom) - aws ssm put-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/grafana_pass --region ${EC2_REGION} --value "${GRAFANA_PASS}" --type SecureString --overwrite - echo "Grafana password has been set to ${GRAFANA_PASS} as it wasn't changed from the default CHANGE_THIS_VALUE" -fi - -# Change grafana password -curl -X PUT -u admin:admin -H 'Content-Type: application/json' -d "{ - \"oldPassword\": \"admin\", - \"newPassword\": \"${GRAFANA_PASS}\", - \"confirmNew\": \"${GRAFANA_PASS}\" -}" http://127.0.0.1:3000/api/user/password - -# Set up default input -curl -s -H "Content-Type: application/json" \ - -XPOST -u admin:${GRAFANA_PASS} http://127.0.0.1:3000/api/datasources \ - -d @- </lib/systemd/system/nginx.service <