Use new SSL certificates with CA, install agents through OpsManager

Author: exAspArk

mongodb/mongodb/mongodb.tf

@@ -6,8 +6,9 @@ variable "mongodb_conf_engine"      {}
 variable "mongodb_conf_replsetname" {}
 variable "mongodb_conf_oplogsizemb" {}
 variable "mongodb_key_s3_object"    {}
-variable "mongodb_ssl_server_key_s3_object" {}
-variable "mongodb_ssl_client_key_s3_object" {}
+variable "ssl_ca_key_s3_object"     {}
+variable "ssl_agent_key_s3_object"  {}
+variable "ssl_mongod_key_s3_object" {}
 variable "opsmanager_key_s3_object" {}
 variable "mongodb_iam_name"         {}
 variable "mongodb_sg_id"            {}
@@ -36,12 +37,6 @@ variable "config_ebs" {
 variable "role_node" {
   default = "false"
 }
-variable "role_monitoring_agent" {
-  default = "false"
-}
-variable "role_backup_agent" {
-  default = "false"
-}
 variable "role_opsmanager" {
   default = "false"
 }
@@ -71,17 +66,16 @@ data "template_file" "user_data" {
     mongodb_conf_replsetname = "${var.mongodb_conf_replsetname}"
     mongodb_conf_oplogsizemb = "${var.mongodb_conf_oplogsizemb}"
     mongodb_key_s3_object    = "${var.mongodb_key_s3_object}"
-    mongodb_ssl_server_key_s3_object = "${var.mongodb_ssl_server_key_s3_object}"
-    mongodb_ssl_client_key_s3_object = "${var.mongodb_ssl_client_key_s3_object}"
+    ssl_ca_key_s3_object     = "${var.ssl_ca_key_s3_object}"
+    ssl_mongod_key_s3_object = "${var.ssl_mongod_key_s3_object}"
+    ssl_agent_key_s3_object  = "${var.ssl_agent_key_s3_object}"
     opsmanager_key_s3_object = "${var.opsmanager_key_s3_object}"
     opsmanager_subdomain     = "${var.opsmanager_subdomain}"
     hostname                 = "${var.route53_hostname}"
     aws_region               = "${var.aws_region}"
     config_ephemeral         = "${var.config_ephemeral}"
     config_ebs               = "${var.config_ebs}"
     role_node                = "${var.role_node}"
-    role_monitoring_agent    = "${var.role_monitoring_agent}"
-    role_backup_agent        = "${var.role_backup_agent}"
     role_opsmanager          = "${var.role_opsmanager}"
     role_backup              = "${var.role_backup}"
     mms_group_id             = "${var.mms_group_id}"

mongodb/mongodb/templates/user-data.sh

@@ -204,74 +204,16 @@ if [ "${role_node}" == "true" ]; then
   # setup ssl certificates for mongodb
   SSL_PATH=/etc/mongodb/ssl
   mkdir -p $SSL_PATH
-  aws s3 --region=${aws_region} cp ${mongodb_ssl_server_key_s3_object} $SSL_PATH/mongodb_ssl_server.pem
-  aws s3 --region=${aws_region} cp ${mongodb_ssl_client_key_s3_object} $SSL_PATH/mongodb_ssl_client.pem
+  aws s3 --region=${aws_region} cp ${ssl_ca_key_s3_object} $SSL_PATH/CAroot.pem
+  aws s3 --region=${aws_region} cp ${ssl_mongod_key_s3_object} $SSL_PATH/mongod.pem
+  aws s3 --region=${aws_region} cp ${ssl_agent_key_s3_object} $SSL_PATH/agent.pem
   chmod 700 -R $SSL_PATH
   chown -R mongodb:mongodb $SSL_PATH
 
   service mongodb-mms-automation-agent stop
   service mongodb-mms-automation-agent start
 fi
 
-#
-# Monitoring Agent (connects to OpsManager)
-#
-if [ "${role_monitoring_agent}" == "true" ] ; then
-  # install
-  curl -k -OL http://${opsmanager_subdomain}:8080/download/agent/monitoring/mongodb-mms-monitoring-agent_5.4.5.370-1_amd64.deb
-  DEBIAN_FRONTEND=noninteractive dpkg --install mongodb-mms-monitoring-agent_5.4.5.370-1_amd64.deb
-
-  # setup for opsmanager
-  MONITORING_AGENT_CONFIG_FILE=/etc/mongodb-mms/monitoring-agent.config
-  ESCAPED_OPSMANAGER_URL=`echo http://${opsmanager_subdomain}:8080 | awk '{gsub("/", "\\\/");print}'`
-  sed -i "s/mmsBaseUrl=.*/mmsBaseUrl=$ESCAPED_OPSMANAGER_URL/"        $MONITORING_AGENT_CONFIG_FILE
-  sed -i "s/mmsApiKey=.*/mmsApiKey=${mms_api_key}/"                   $MONITORING_AGENT_CONFIG_FILE
-
-  # setup ssl certificates for monitoring agents
-  SSL_PATH=/etc/mongodb-mms/ssl
-  mkdir -p $SSL_PATH
-  aws s3 --region=${aws_region} cp ${mongodb_ssl_server_key_s3_object} $SSL_PATH/mongodb_ssl_server.pem
-  aws s3 --region=${aws_region} cp ${mongodb_ssl_client_key_s3_object} $SSL_PATH/mongodb_ssl_client.pem
-  chmod 700 -R $SSL_PATH
-  chown -R mongodb-mms-agent:mongodb-mms-agent $SSL_PATH
-  echo "sslTrustedServerCertificates=$SSL_PATH/mongodb_ssl_server.pem" >> $MONITORING_AGENT_CONFIG_FILE
-  echo "sslClientCertificate=$SSL_PATH/mongodb_ssl_client.pem"         >> $MONITORING_AGENT_CONFIG_FILE
-  echo "sslRequireValidServerCertificates=true"                        >> $MONITORING_AGENT_CONFIG_FILE
-
-  stop mongodb-mms-monitoring-agent
-  start mongodb-mms-monitoring-agent
-fi
-
-#
-# Backup Agent (connects to OpsManager)
-#
-if [ "${role_backup_agent}" == "true" ] ; then
-  # install
-  curl -k -OL http://${opsmanager_subdomain}:8080/download/agent/backup/mongodb-mms-backup-agent_5.0.7.494-1_amd64.deb
-  DEBIAN_FRONTEND=noninteractive dpkg --install mongodb-mms-backup-agent_5.0.7.494-1_amd64.deb
-
-  # setup for opsmanager
-  BACKUP_AGENT_CONFIG_FILE=/etc/mongodb-mms/backup-agent.config
-  chmod 644 $BACKUP_AGENT_CONFIG_FILE
-  chown mongodb:mongodb $BACKUP_AGENT_CONFIG_FILE
-  sed -i "s/mmsApiKey=.*/mmsApiKey=${mms_api_key}/"                 $BACKUP_AGENT_CONFIG_FILE
-  sed -i "s/mothership=.*/mothership=${opsmanager_subdomain}:8080/" $BACKUP_AGENT_CONFIG_FILE
-
-  # setup ssl certificates for monitoring agents
-  SSL_PATH=/etc/mongodb-mms/ssl
-  mkdir -p $SSL_PATH
-  aws s3 --region=${aws_region} cp ${mongodb_ssl_server_key_s3_object} $SSL_PATH/mongodb_ssl_server.pem
-  aws s3 --region=${aws_region} cp ${mongodb_ssl_client_key_s3_object} $SSL_PATH/mongodb_ssl_client.pem
-  chmod 700 -R $SSL_PATH
-  chown -R mongodb-mms-agent:mongodb-mms-agent $SSL_PATH
-  echo "sslTrustedServerCertificates=$SSL_PATH/mongodb_ssl_server.pem" >> $BACKUP_AGENT_CONFIG_FILE
-  echo "sslClientCertificate=$SSL_PATH/mongodb_ssl_client.pem"         >> $BACKUP_AGENT_CONFIG_FILE
-  echo "sslRequireValidServerCertificates=true"                        >> $BACKUP_AGENT_CONFIG_FILE
-
-  stop mongodb-mms-backup-agent
-  start mongodb-mms-backup-agent
-fi
-
 #
 # Backup Node (connects to OpsManager)
 #