Test/verify OS PR to Elastic Stack - clearing SSH keys (#1316)

123sarahj123 · patrobinson · web-flow · commit 2a120e863618 · 2024-05-01T17:39:35.000+12:00
Fix SSH key clearance in buildkite-ami.pkr.hcl

Co-authored-by: Patrick Robinson &lt;therealpatrobinson@gmail.com&gt;
Co-authored-by: GH user Gezi-lzq
diff --git a/.buildkite/pipeline.yaml b/.buildkite/pipeline.yaml
@@ -102,7 +102,7 @@ steps:
     name: ":cloudformation: :linux: AMD64 Test"
     command:
       - git --version
-      - goss validate --format documentation
+      - sudo goss validate --format documentation
     timeout_in_minutes: 5
     agents:
       stack: "buildkite-aws-stack-test-linux-amd64-${BUILDKITE_BUILD_NUMBER}"
@@ -145,7 +145,7 @@ steps:
     name: ":cloudformation: :linux: ARM64 Test"
     command:
       - git --version
-      - goss validate --format documentation
+      - sudo goss validate --format documentation
     timeout_in_minutes: 5
     agents:
       stack: "buildkite-aws-stack-test-linux-arm64-${BUILDKITE_BUILD_NUMBER}"
diff --git a/.buildkite/steps/launch.sh b/.buildkite/steps/launch.sh
@@ -100,6 +100,10 @@ cat <<EOF >config.json
   {
     "ParameterKey": "EnableInstanceStorage",
     "ParameterValue": "${enable_instance_storage:-false}"
+  },
+  {
+    "ParameterKey": "BuildkiteAdditionalSudoPermissions",
+    "ParameterValue": "/usr/local/bin/goss"
   }
 ]
 EOF
diff --git a/goss.yaml b/goss.yaml
@@ -14,6 +14,14 @@ file:
   /etc/systemd/system/refresh_authorized_keys.timer:
     exists: true
 
+  /home/ec2-user/.ssh/authorized_keys:
+    exists: true
+    contains: ["!packer"]
+
+  /root/.ssh/authorized_keys:
+    exists: true
+    contains: ["!packer"]
+
   /var/lib/buildkite-agent/builds:
     filetype: directory
     exists: true
diff --git a/packer/linux/buildkite-ami.pkr.hcl b/packer/linux/buildkite-ami.pkr.hcl
@@ -56,6 +56,7 @@ source "amazon-ebs" "elastic-ci-stack-ami" {
   region                                    = var.region
   source_ami                                = data.amazon-ami.al2023.id
   ssh_username                              = "ec2-user"
+  ssh_clear_authorized_keys = true
   temporary_security_group_source_public_ip = true
 
   run_tags = {
@@ -110,8 +111,4 @@ build {
   provisioner "shell" {
     script = "scripts/install-buildkite-utils.sh"
   }
-
-  provisioner "shell" {
-    inline = ["rm /home/ec2-user/.ssh/authorized_keys"]
-  }
 }

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,10 @@ cat <<EOF >config.json`
`100`	`100`	`{`
`101`	`101`	`"ParameterKey": "EnableInstanceStorage",`
`102`	`102`	`"ParameterValue": "${enable_instance_storage:-false}"`
	`103`	`+ },`
	`104`	`+ {`
	`105`	`+ "ParameterKey": "BuildkiteAdditionalSudoPermissions",`
	`106`	`+ "ParameterValue": "/usr/local/bin/goss"`
`103`	`107`	`}`
`104`	`108`	`]`
`105`	`109`	`EOF`