Cloudhsm debug (#81)

WIP to get codesigning to work
ooni · Jul 29, 2024 · 58bbaf3 · 58bbaf3
1 parent f91f8b3
commit 58bbaf3
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 28 deletions.
diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,8 @@ override.tf.json
 
 # Ignore generated docs
 /dist
+
+/.vscode
+
+# Macos
+.DS_Store
diff --git a/tf/modules/ansible_controller/main.tf b/tf/modules/ansible_controller/main.tf
@@ -1,7 +1,3 @@
-data "aws_ssm_parameter" "ubuntu_22_ami" {
-  name = "/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id"
-}
-
 resource "aws_security_group" "ansible_ctrl_sg" {
   description = "security group for ansible controller"
   name_prefix = "ooni-ansible-ctrl"
@@ -40,7 +36,8 @@ resource "aws_security_group" "ansible_ctrl_sg" {
 }
 
 resource "aws_instance" "ansible_controller" {
-  ami           = data.aws_ssm_parameter.ubuntu_22_ami.value
+  # Ubuntu 22.04
+  ami           = "ami-07652eda1fbad7432"
   instance_type = var.instance_type
   key_name      = var.key_name
 
@@ -60,7 +57,7 @@ resource "aws_instance" "ansible_controller" {
 
   vpc_security_group_ids = [aws_security_group.ansible_ctrl_sg.id]
 
-  tags = var.tags
+  tags = merge(var.tags, { Name = "ansible-controller" })
 }
 
 resource "aws_route53_record" "oonith_service_alias" {

diff --git a/tf/modules/cloudhsm/main.tf b/tf/modules/cloudhsm/main.tf
@@ -34,29 +34,9 @@ resource "aws_security_group" "hsm" {
   }
 }
 
-data "aws_ami" "amazon_linux" {
-  most_recent = true
-  owners      = ["amazon"]
-
-  filter {
-    name   = "name"
-    values = ["al2023-ami-*"]
-  }
-
-  filter {
-    name   = "architecture"
-    values = ["x86_64"]
-  }
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-}
-
 resource "aws_instance" "codesign_box" {
-  ami = data.aws_ami.amazon_linux.id
+  # Amazon linux
+  ami = "ami-03bb61bfa8e4d149e"
 
   key_name      = var.key_name
   instance_type = "t3.micro"
@@ -85,3 +65,44 @@ resource "aws_instance" "codesign_box" {
     ignore_changes = all
   }
 }
+
+resource "aws_launch_template" "codesign_box_template" {
+  name = "codesign-box"
+  # Ubuntu 22.04
+  image_id = "ami-0a43b9fc420cabb27"
+
+  instance_type = "t3.micro"
+
+  key_name = var.key_name
+
+  network_interfaces {
+    subnet_id                   = var.subnet_ids[0]
+    security_groups             = [aws_security_group.hsm.id]
+    associate_public_ip_address = true
+  }
+
+  user_data = base64encode(<<-EOF
+                #!/bin/bash
+                sudo apt update
+                curl -o cloudhsm-cli.deb https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-cli_latest_u22.04_amd64.deb
+                sudo apt install ./cloudhsm-cli.deb
+
+                curl -o cloudhsm-pkcs11.deb https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-pkcs11_latest_u22.04_amd64.deb
+                sudo apt install ./cloudhsm-pkcs11.deb
+
+                sudo apt install libengine-pkcs11-openssl
+                EOF
+  )
+
+  update_default_version = true
+
+  tag_specifications {
+    resource_type = "instance"
+
+    tags = {
+      Name = "codesign-box"
+    }
+  }
+
+  tags = merge(var.tags, { Name = "codesign-box-template" })
+}