Deploy Pykmip With Terraform
This one is just a code snippet: deploying PyKMIP with Terraform.
terraform {
  # Minimum Terraform CLI version this configuration was written against.
  required_version = ">= 1.3"

  # Only the AWS provider is used; "~> 4.0" accepts any 4.x release.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}
# Every resource in this file is created in eu-west-1 (Ireland).
provider "aws" {
  # AMI IDs are region-specific; the AMI referenced below must exist here.
  region = "eu-west-1"
}
# SSH key pair registered with EC2. The public half is read from the working
# directory; the matching private key (./kmipsrv_key) is what the provisioner
# connection on the instance below uses to log in.
resource "aws_key_pair" "kmipsrv_key" {
  key_name   = "kmipsrv_key"
  public_key = file("./kmipsrv_key.pub")
}
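# Single Ubuntu host that is turned into a PyKMIP server over SSH.
# NOTE(review): no vpc_security_group_ids / subnet_id are set, so the instance
# inherits the account's default VPC and default security group. SSH (22, needed
# by the provisioners), KMIP (5696) and the certificate download server (8000,
# started by runme.sh) all need explicit ingress rules limited to the addresses
# that must reach them.
resource "aws_instance" "kmip_srv" {
  ami           = "ami-0333305f9719618c7" # region-specific; must exist in eu-west-1
  instance_type = "t2.micro"
  key_name      = aws_key_pair.kmipsrv_key.key_name

  tags = {
    Name          = "KMIP server",
    script-author = "nitin.katkam"
  }

  # Shared by every provisioner below. The private half of kmipsrv_key has to be
  # present on the machine running terraform; keep it out of version control.
  connection {
    type        = "ssh"
    user        = "ubuntu"
    host        = self.public_ip
    port        = 22
    private_key = file("./kmipsrv_key")
    timeout     = "2m"
    agent       = true
  }

  # Configuration, startup script and certificate helper are uploaded first;
  # the remote-exec steps move them into place and run them.
  provisioner "file" {
    source      = "./server.conf"
    destination = "/home/ubuntu/etc_pykmip_server.conf"
  }

  provisioner "file" {
    source      = "./remote_runme"
    destination = "/home/ubuntu/runme.sh"
  }

  provisioner "file" {
    source      = "./make_certs.sh"
    destination = "/home/ubuntu/make_certs.sh"
  }

  # Installs PyKMIP from source plus the Ruby toolchain used by make_certs.sh.
  provisioner "remote-exec" {
    inline = [
      "cloud-init status --wait",
      # -p keeps the step from aborting the whole provisioner when a directory
      # already exists (e.g. on a re-run after a partial failure).
      "sudo mkdir -p /usr/local/PyKMIP /etc/pykmip /var/log/pykmip /certs",
      "sudo chown ubuntu. /usr/local/PyKMIP /etc/pykmip /var/log/pykmip /certs",
      # presumably a grace period for the apt lock held by cloud-init/unattended-upgrades — confirm
      "sleep 15",
      "sudo apt update",
      "sudo apt install -y python3-dev libffi-dev libssl-dev libsqlite3-dev python3-pip",
      # Clones whatever the default branch points at today; pin a tag or commit
      # (e.g. `git clone --branch <TAG_PLACEHOLDER>`) for a reproducible build.
      "git clone https://github.com/OpenKMIP/PyKMIP /usr/local/PyKMIP",
      # Replaces the upstream requirements with this fixed set.
      "printf 'cryptography>=1.4\nenum-compat\nrequests\nsix>=1.11.0\nsqlalchemy==1.4.45\n' > /usr/local/PyKMIP/requirements.txt",
      # && rather than ; so a failed cd does not run pip against the home directory.
      "cd /usr/local/PyKMIP && python3 -m pip install -r requirements.txt",
      "sudo python3 /usr/local/PyKMIP/setup.py install",
      # RVM is only needed for the certie gem used by make_certs.sh. The
      # installer script is downloaded and piped straight into bash with no
      # checksum; the imported keys presumably let it verify the RVM release it
      # fetches — confirm. Consider vendoring the installer if this matters.
      "curl -sSL https://rvm.io/mpapis.asc | gpg --import -",
      "curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -",
      "curl -sSL https://get.rvm.io | bash -s",
      "sudo chmod a+x /home/ubuntu/make_certs.sh",
      "/home/ubuntu/make_certs.sh"
    ]
  }

  # Puts the server config in place. Starting the server is left to the
  # operator (runme.sh is deliberately not executed here).
  provisioner "remote-exec" {
    inline = [
      "sudo mv /home/ubuntu/etc_pykmip_server.conf /etc/pykmip/server.conf",
      "chmod a+x /home/ubuntu/runme.sh"
      #"/home/ubuntu/runme.sh"
    ]
  }
}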
# Public address of the host: KMIP listens on 5696 and runme.sh serves the
# public certificates on 8000.
output "publicIP" {
  value = aws_instance.kmip_srv.public_ip
}
Server.conf
# PyKMIP server configuration; uploaded by Terraform and moved to
# /etc/pykmip/server.conf by the second remote-exec step.
[server]
database_path=/etc/pykmip/pykmip.database
# 0.0.0.0 binds every interface; who can reach the port is then decided only
# by the instance's security group.
hostname=0.0.0.0
port=5696
# TLS material produced by make_certs.sh under /certs.
certificate_path=/certs/server.cert
key_path=/certs/server.key
ca_path=/certs/ca.cert
auth_suite=TLS1.2
# NOTE(review): this points at the example policies inside the repo clone,
# not a policy written for this deployment — confirm that is intended.
policy_path=/usr/local/PyKMIP/examples/
# NOTE(review): client certificates are not required, so any client that can
# reach port 5696 can open a TLS session; confirm which identity/authorization
# PyKMIP applies in that mode before exposing the port beyond a test network.
enable_tls_client_auth=False
# The TLS_RSA_* suites use static RSA key exchange and provide no forward
# secrecy; only the ECDHE suite does, and it is usable only if server.cert
# carries an EC key — check what certie generated.
tls_cipher_suites= TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
# DEBUG is verbose; lower it once the deployment is working.
logging_level=DEBUG
remote_runme
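#!/bin/bash
# Starts the PyKMIP daemon and a throw-away HTTP server that exposes the
# public certificates in /certs/pub so clients can fetch them.
# Both run detached; their output goes to log files in the home directory.

echo "Starting KMIP server"
nohup python3 /usr/local/PyKMIP/bin/run_server.py > /home/ubuntu/kmip_output.txt 2>&1 &

echo "Starting HTTP server (port 8000; to download certs)"
# Serve only if the cd succeeds. With `cd dir; cmd` a missing /certs/pub would
# silently serve the current directory (the home dir, including the KMIP log).
# http.server listens on all interfaces by default; everything under /certs/pub
# is readable by anyone who can reach port 8000.
if cd /certs/pub; then
  nohup python3 -m http.server > /home/ubuntu/http_output.txt 2>&1 &
else
  echo "/certs/pub not found; not starting HTTP server" >&2
fi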
make_certs.sh
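#!/bin/bash
# Builds the TLS material PyKMIP expects under /certs (server.cert, server.key,
# ca.cert) with the certie gem, then copies the public parts to /certs/pub,
# which runme.sh later serves over HTTP.
# Runs as ubuntu on a host where RVM was installed into ~/.rvm.

# Make rvm available in this non-login shell.
source /home/ubuntu/.rvm/scripts/rvm || exit 1

# Stop if Ruby cannot be installed or selected: without it gem/certie fail and
# the rest of the script would shuffle files that were never created.
rvm install 3.1.3 && rvm use 3.1.3 || exit 1
gem install certie || exit 1

# certie writes <fqdn>.cert / <fqdn>.key into the working directory
# (presumably ca.cert as well — the copy below relies on it; confirm).
# Resolve the host name once and quote it everywhere.
fqdn=$(hostname -f)
cd /certs || exit 1
certie "$fqdn" || exit 1
mv "$fqdn.cert" server.cert
mv "$fqdn.key" server.key

# Only the ubuntu user (which runs the KMIP server) may read the private key.
sudo chown ubuntu. /certs/server.key && sudo chmod 400 /certs/server.key
# NOTE(review): if certie also leaves the CA's private key in /certs, lock its
# permissions the same way or move it off the host — confirm what it produces.

# Public material only; /certs/pub is exposed to anyone who can reach port 8000.
mkdir -p /certs/pub
cp /certs/server.cert /certs/pub
cp /certs/ca.cert /certs/pub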
PS: The apt install hangs with a “Which services should be restarted” dialog box. See my other blog post on how to deal with the error.