More robust CrateDB password handling

crate · Oct 24, 2023 · f261cf8 · f261cf8
1 parent f1c026e
commit f261cf8
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 24 deletions.
diff --git a/aws/ec2.tf b/aws/ec2.tf
@@ -40,16 +40,18 @@ data "cloudinit_config" "config" {
     content_type = "text/cloud-config"
     content = templatefile("${path.module}/scripts/cloud-init-cratedb-${var.cratedb_tar_download_url == null ? "rpm" : "tar"}.tftpl",
       {
-        crate_download_url    = var.cratedb_tar_download_url
-        crate_user            = local.config.crate_username
-        crate_pass            = local.cratedb_password
-        crate_heap_size       = var.crate.heap_size_gb
-        crate_cluster_name    = var.crate.cluster_name
-        crate_cluster_size    = var.crate.cluster_size
-        crate_nodes_ips       = indent(12, yamlencode(aws_network_interface.interface[*].private_ip))
-        crate_ssl_enable      = var.crate.ssl_enable
-        crate_ssl_certificate = base64encode(tls_self_signed_cert.ssl.cert_pem)
-        crate_ssl_private_key = base64encode(tls_private_key.ssl.private_key_pem)
+        user_provisioning_file = indent(6, file(("${path.module}/scripts/user_provisioning.sh")))
+        crate_download_url     = var.cratedb_tar_download_url
+        crate_user             = local.config.crate_username
+        crate_pass             = local.cratedb_password
+        crate_heap_size        = var.crate.heap_size_gb
+        crate_cluster_name     = var.crate.cluster_name
+        crate_cluster_size     = var.crate.cluster_size
+        crate_nodes_ips        = indent(12, yamlencode(aws_network_interface.interface[*].private_ip))
+        crate_ssl_enable       = var.crate.ssl_enable
+        crate_protocol         = var.crate.ssl_enable ? "https" : "http"
+        crate_ssl_certificate  = base64encode(tls_self_signed_cert.ssl.cert_pem)
+        crate_ssl_private_key  = base64encode(tls_private_key.ssl.private_key_pem)
       }
     )
   }

diff --git a/aws/scripts/cloud-init-cratedb-rpm.tftpl b/aws/scripts/cloud-init-cratedb-rpm.tftpl
@@ -23,6 +23,7 @@ packages:
   - openssl
   - htop
   - node_exporter
+  - jq
 
 bootcmd:
   - test -z "$(blkid /dev/nvme1n1)" && mkfs -t xfs -L data /dev/nvme1n1
@@ -42,13 +43,9 @@ write_files:
     path: /etc/crate/certificate.pem
     permissions: "0660"
   - content: |
-      #!/bin/bash
-
-      sleep 30
-      curl -sS -H 'Content-Type: application/json' -k -X POST 'http${crate_ssl_enable ? "s" : ""}://localhost:4200/_sql' -d '{"stmt": "CREATE USER ${crate_user} WITH (password = '\''${crate_pass}'\'');"}'
-      curl -sS -H 'Content-Type: application/json' -k -X POST 'http${crate_ssl_enable ? "s" : ""}://localhost:4200/_sql' -d '{"stmt": "GRANT ALL PRIVILEGES TO ${crate_user};"}'
+      ${user_provisioning_file}
     owner: root:root
-    path: /opt/deployment/finish.sh
+    path: /opt/deployment/user_provisioning.sh
     permissions: "0755"
   - content: |
         path.data: /opt/data
@@ -112,7 +109,7 @@ runcmd:
   - curl --output-dir /opt/crate -O https://repo1.maven.org/maven2/io/crate/crate-jmx-exporter/1.0.0/crate-jmx-exporter-1.0.0.jar
   - systemctl enable crate
   - systemctl start crate
-  - bash /opt/deployment/finish.sh && rm -f /opt/deployment/finish.sh
+  - bash /opt/deployment/user_provisioning.sh "${crate_protocol}" "${crate_user}" "${crate_pass}" && rm -f /opt/deployment/user_provisioning.sh
   - systemctl enable node_exporter.service
   - systemctl start node_exporter.service
 

diff --git a/aws/scripts/cloud-init-cratedb-tar.tftpl b/aws/scripts/cloud-init-cratedb-tar.tftpl
@@ -35,13 +35,9 @@ write_files:
     path: /opt/crate/config/certificate.pem
     permissions: "0660"
   - content: |
-      #!/bin/bash
-
-      sleep 30
-      curl -sS -H 'Content-Type: application/json' -k -X POST 'http${crate_ssl_enable ? "s" : ""}://localhost:4200/_sql' -d '{"stmt": "CREATE USER ${crate_user} WITH (password = '\''${crate_pass}'\'');"}'
-      curl -sS -H 'Content-Type: application/json' -k -X POST 'http${crate_ssl_enable ? "s" : ""}://localhost:4200/_sql' -d '{"stmt": "GRANT ALL PRIVILEGES TO ${crate_user};"}'
+      ${user_provisioning_file}
     owner: root:root
-    path: /opt/deployment/finish.sh
+    path: /opt/deployment/user_provisioning.sh
     permissions: "0755"
   - content: |
         path.data: /opt/data
@@ -178,7 +174,7 @@ runcmd:
   - systemctl daemon-reload
   - systemctl enable crate
   - systemctl start crate
-  - bash /opt/deployment/finish.sh && rm -f /opt/deployment/finish.sh
+  - bash /opt/deployment/user_provisioning.sh "${crate_protocol}" "${crate_user}" "${crate_pass}" && rm -f /opt/deployment/user_provisioning.sh
   - systemctl enable node_exporter.service
   - systemctl start node_exporter.service
 

diff --git a/aws/scripts/user_provisioning.sh b/aws/scripts/user_provisioning.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+protocol="${1}"
+username="${2}"
+password="${3}"
+
+send_sql() {
+    curl -sS -H 'Content-Type: application/json' -k -X POST "${protocol}://localhost:4200/_sql" -d "$1"
+}
+
+generate_body() {
+    jq -n --arg stmt "$1" '{"stmt": $stmt}'
+}
+
+sleep 30
+
+send_sql "$(generate_body "CREATE USER ${username} WITH (password = \$\$${password}\$\$)")"
+send_sql "$(generate_body "GRANT ALL PRIVILEGES TO ${username}")"
diff --git a/aws/variables.tf b/aws/variables.tf
@@ -39,6 +39,10 @@ variable "cratedb_password" {
   default     = null
   sensitive   = true
   description = "The password to use for the CrateDB database user. If null, a random password will be assigned."
+  validation {
+    condition     = var.cratedb_password == null || (!strcontains(var.cratedb_password, "$$") && !strcontains(var.cratedb_password, "\""))
+    error_message = "The CrateDB password must not contain any of the following character sequences: $$, \""
+  }
 }
 
 variable "cratedb_tar_download_url" {