
Commit d804bdc

authored
Merge pull request #60 from repping/master
updated vault aws_health.sh script
2 parents d4393a2 + ded31db commit d804bdc


2 files changed

+35
-38
lines changed


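--- a/iam.tf
+++ b/iam.tf
@@ -254,39 +254,41 @@ resource "aws_iam_role_policy" "lambda" {
 role = aws_iam_role.lambda[0].id
 }
 
+data "aws_partition" "current" {}
+
+data "aws_caller_identity" "current" {}
+
 data "aws_iam_policy_document" "lambda" {
 count = var.vault_enable_cloudwatch ? 1 : 0
 statement {
 effect = "Allow"
 actions = [
-"logs:CreateLogGroup",
-"logs:CreateLogStream",
-"logs:PutLogEvents",
-"logs:DescribeLogGroups"
+"cloudwatch:PutMetricData"
 ]
 resources = [
-# TODO should be --> Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
-"*"
+"*"
 ]
 }
 statement {
 effect = "Allow"
 actions = [
-"logs:PutLogEvents"
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents",
+"logs:DescribeLogGroups"
 ]
 resources = [
-# TODO should be --> Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:log-stream:*"
-"*"
+"arn:${data.aws_partition.current.partition}:logs:${data.aws_region.default.name}:${data.aws_caller_identity.current.id}:log-group:*",
+"arn:${data.aws_partition.current.partition}:logs:${data.aws_region.default.name}:${data.aws_caller_identity.current.id}:log-group:*:log-stream:*"
 ]
 }
 statement {
 effect = "Allow"
 actions = [
-"ec2:DescribeInstances",
-"ec2:DescribeImages"
+"logs:PutLogEvents"
 ]
 resources = [
-"*"
+"arn:${data.aws_partition.current.partition}:logs:${data.aws_region.default.name}:${data.aws_caller_identity.current.id}:log-group:*:log-stream:*",
 ]
 }
 statement {
@@ -296,7 +298,6 @@ data "aws_iam_policy_document" "lambda" {
 "ec2:DescribeImages"
 ]
 resources = [
-# TODO should be --> Resource: !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
 "*"
 ]
 }
@@ -308,8 +309,7 @@ data "aws_iam_policy_document" "lambda" {
 "cloudwatch:PutMetricAlarm"
 ]
 resources = [
-# TODO should be --> Resource: !Sub "arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:AutoAlarm-*"
-"*"
+"arn:${data.aws_partition.current.partition}:cloudwatch:${data.aws_region.default.name}:${data.aws_caller_identity.current.id}:alarm:AutoAlarm-*"
 ]
 }
 statement {
@@ -318,7 +318,7 @@ data "aws_iam_policy_document" "lambda" {
 "cloudwatch:DescribeAlarms"
 ]
 resources = [
-"*"
+"*"
 ]
 }
 statement {
@@ -327,8 +327,7 @@ data "aws_iam_policy_document" "lambda" {
 "ec2:CreateTags"
 ]
 resources = [
-# TODO should be --> Resource: !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
-"*"
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.default.name}:${data.aws_caller_identity.current.id}:instance/*"
 ]
 }
 }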
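Review bot: The second statement (new lines 275–283) puts `logs:DescribeLogGroups` behind resources scoped to `log-group:*` and `log-group:*:log-stream:*`, and as far as I recall the CloudWatch Logs authorization reference lists DescribeLogGroups among the actions that do not support resource-level permissions, so that call would be denied unless granted with `resources = ["*"]` — please confirm against the current reference and, if so, give it its own statement. The third statement (new 285–293) grants `logs:PutLogEvents` on `log-group:*:log-stream:*`, which the second statement already covers, so it looks redundant and can be dropped. `log-group:*` still matches every log group in the account; if the Lambda's name is known from an `aws_lambda_function` resource elsewhere in the module, narrowing to `log-group:/aws/lambda/<function>:*` would complete the tightening this commit starts. `data.aws_region.default` is referenced on the new lines but not declared in this diff, so I assume it exists elsewhere in the module. The `aws_iam_policy_document.lambda` block spans all five hunks with its unchanged context elided between them.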

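--- a/user_data_vault.sh.tpl
+++ b/user_data_vault.sh.tpl
@@ -200,26 +200,24 @@ usermod -G vault ec2-user
 
 # Place an AWS EC2 health check script.
 cat << EOF >> /usr/local/bin/aws_health.sh
-#!/bin/sh
-
-# This script checks that status of Vault and reports that status to the ASG.
-# If Vault fails, the instance is replaced.
-
-# Tell Vault how to connect.
-export VAULT_ADDR=https://$${my_ipaddress}:8200
-export VAULT_CACERT="${vault_data_path}/tls/vault_ca.crt"
-
-# Get the status of Vault and report to AWS ASG.
-# TODO: This check is not sufficient; 0 is returned in many cases.
-if vault status > /dev/null 2>&1 ; then
-aws --region $${my_region} autoscaling set-instance-health --instance-id $${my_instance_id} --health-status Healthy
-else
-# Randominze the moment when to set the instance to unhealthy. This helps gradually replacing unhealthy instances.
-# For example; a cluster that is configured as a replication secondary has all followers set to unhealthy, risking
-# loosing quorum.
-sleep $((RANDOM % 60))
-aws --region $${my_region} autoscaling set-instance-health --instance-id $${my_instance_id} --health-status Unhealthy
-fi
+!/bin/bash
+
+# Set variables
+VAULT_STATUS_URL="https://$${my_ipaddress}:8200/v1/sys/health"
+TIMEOUT=5
+
+# Perform the health check
+response=\$(curl -k -m \$TIMEOUT -s -o /dev/null -w "%%{http_code}" \$VAULT_STATUS_URL)
+
+# Check the response code
+case \$response in
+200|429|472|473)
+aws --region $${my_region} autoscaling set-instance-health --instance-id $${my_instance_id} --health-status Healthy
+;;
+*)
+aws --region $${my_region} autoscaling set-instance-health --instance-id $${my_instance_id} --health-status Unhealthy
+;;
+esac
 EOF
 
 # Make the AWS EC2 health check script executable.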
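Review bot: The new first line of the generated script (new line 203) is `!/bin/bash` with the leading `#` missing, so the file has no shebang and that line is executed as a command (`!` negating a bare `/bin/bash`) every time the health check runs; it should read `#!/bin/bash`, which is safe inside the unquoted heredoc because `#!` is not an expansion. The `curl -k` on new line 210 also drops the CA verification the old script had through `VAULT_CACERT`; the template still knows the CA path, so `response=\$(curl --cacert "${vault_data_path}/tls/vault_ca.crt" -m \$TIMEOUT -s -o /dev/null -w "%%{http_code}" \$VAULT_STATUS_URL)` keeps the check honest, assuming the server certificate covers the instance IP as the old `VAULT_ADDR` setup implies. The randomized delay before reporting Unhealthy is gone as well: treating 472/473 as healthy handles the replication-secondary case the removed comment described, but a cluster whose nodes all come up sealed (503) would still be reported Unhealthy in the same cycle, so consider whether a randomized `sleep` before the Unhealthy branch is still wanted. The enclosing user-data script continues outside this hunk.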
