terraform-munki module

This terraform module creates all the necessary resources in AWS for highly scalable munki web setup using AWS S3 for object storage and AWS CloudFront (CDN) for content distribution. You can optionally secure the CDN via signed URLs so only clients that have your signing certificate can download content.

Table of Contents

• High Level Features
• Versions
• Terraform Usage
• CloudFront signing key
• SNS Alerts
• Lambda Notes
• Inputs
• Outputs

NOTE

Currently server side makecatalogs via the s3 Repo Plugin does not function with python3 and munki version 4+. I recommend you keep server_side_makecatalogs set to false.

High Level Features

• Restrictions on the S3 bucket to disallow any direct connections
• Use a custom DNS name for the web server or use a supplied URL from AWS
• Rebuild the catalog files whenever a pkginfo file or icon is updated or modified See Note above
• Only pay for what you use
• Optional SNS Alert when a warning or error happen during makecatalog run
• Custom TTL values for assets
• Baisc Auth and Cert Based ACL controls

Versions

At this time, it is impossible to supply your own lambda payload as such you are stuck on the following versions.

• Munki - v3.2.1
• Munki s3Repo Plugin - 0.4.4

Terraform Usage

module "munki-service" {
  source = "git@github.com:clburlison/terraform-munki.git?ref=v1.1.0"
  s3_bucket_name = "megacorp-munki-repo"

  tags = {
    Environment  = "prod"
    BusinessUnit = "ClientABC"
  }
}

For additional instructions please checkout the [examples](./examples) directory.

CloudFront signing key

The CloudFront signing key can not be automatically created. This key can also only be created by the root account owner, administrator IAM users will not work.

The creation process can be followed in the following Amazon doc:

To create CloudFront key pairs

or via the following graphic:

SNS Alerts

Terraform is unable to create and validate Simple Notification Service (SNS) resources so a topic and subscription must be created manually. The following steps will guide you through an email alert:

1. Log into the AWS Console
2. Go to the Simple Notification Service (SNS) service
3. Create a new topic
4. Click on the created topic ARN to go to the details page
5. Create a subscription
6. Select the protocol and options you want
7. Confirm the subscription (required for the email protocol)
8. Copy the Topic ARN from this page and use in the terraform alarm_arn variable

Lambda Notes

The lambda_makecatalogs.py file runs as a AWS Lambda function. It is triggered from the following s3 events:

• a file under pkginfo/ is modified or uploaded
• a file under icons/ with the extensions of the .png or .jpg is modified or uploaded

If this setup is destroyed and recreated the 'munki-s3-rw' policy will need to be re-applied to the 'munki_s3' user.

Requirements

Name	Version
terraform	>= 0.12

Providers

Name	Version
archive	2.2.0
aws	4.23.0

Modules

No modules.

Resources

Name	Type
aws_cloudfront_distribution.munki	resource
aws_cloudfront_distribution.munki_basic_auth	resource
aws_cloudfront_origin_access_identity.cf-identity	resource
aws_cloudwatch_log_group.munki_makecatalogs	resource
aws_cloudwatch_log_metric_filter.errors	resource
aws_cloudwatch_log_metric_filter.warnings	resource
aws_cloudwatch_metric_alarm.Makecatalogs-Error	resource
aws_cloudwatch_metric_alarm.Makecatalogs-Warning	resource
aws_iam_policy.munki-s3-rw	resource
aws_iam_role.lambda_execution_role	resource
aws_iam_role.makecatalogs_lambda	resource
aws_iam_role_policy.lambda_execution_role_policy	resource
aws_iam_role_policy_attachment.lambda_iam_policy_basic_execution	resource
aws_iam_role_policy_attachment.lambda_munki_s3_rw_policy	resource
aws_lambda_alias.alias	resource
aws_lambda_function.basic_auth_lambda	resource
aws_lambda_function.lambda	resource
aws_lambda_permission.allow_bucket	resource
aws_lambda_permission.allow_cloudwatch	resource
aws_s3_bucket.munki-bucket	resource
aws_s3_bucket_acl.munki-bucket	resource
aws_s3_bucket_notification.bucket_notification	resource
aws_s3_bucket_policy.munki-bucket	resource
aws_s3_bucket_server_side_encryption_configuration.munki-bucket	resource
archive_file.basic_auth_payload	data source
aws_caller_identity.current	data source
aws_iam_policy_document.lambda_execution_role_assume_role_policy_document	data source
aws_iam_policy_document.lambda_execution_role_policy_document	data source
aws_iam_policy_document.munki_s3_policy	data source

Inputs

Name	Description	Type	Default	Required
alarm_arn	The arn to send alerts to on lambda errors and warnings	string	""	no
basic_auth_password	Password for munki basic auth	string	""	no
basic_auth_user	Username for munki basic auth	string	""	no
catalogs_ordered_cache_behavior_default_ttl	The default amount of time (in seconds) that a catalog object is in a CloudFront cache before CloudFront forwards another request in the absence of an Cache-Control max-age or Expires header.	number	30	no
catalogs_ordered_cache_behavior_max_ttl	The maximum amount of time (in seconds) that a catalog object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated.	number	60	no
catalogs_ordered_cache_behavior_min_ttl	The minimum amount of time (in seconds) that you want catalog objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.	number	0	no
cf_default_certificate	true if you want viewers to use HTTPS to request your objects and you're using the CloudFront domain name for your distribution. Specify this, cf_acm_certificate_arn, or cf_iam_certificate_id	string	"true"	no
cf_dns_aliases	Optionally a list of dns aliases to assign to the CloudFront distribution point	list(string)	[]	no
cf_minimum_protocol_version	The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections. One of SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016 or TLSv1.2_2018	string	"TLSv1.2_2018"	no
cf_price_class	The CloudFront pricing tier. One of PriceClass_All, PriceClass_200, PriceClass_100	string	"PriceClass_All"	no
cf_ssl_cert_arn	The ARN of the AWS Certificate Manager certificate to use. Specify this, cf_cloudfront_default_certificate, or cf_iam_certificate_id. The ACM certificate must be in US-EAST-1	string	""	no
cf_ssl_support_method	Specifies how you want CloudFront to serve HTTPS requests. Required if you specify acm_certificate_arn. One of vip or sni-only. vip is $600 a month don't select that option!	string	""	no
cf_trusted_signers	The AWS accounts, if any, that you want to allow to create signed URLs for private content. Use ['self'] if you want to target the account that owns this CloudFront distribution point	list(string)	[]	no
default_cache_behavior_default_ttl	The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an Cache-Control max-age or Expires header.	number	86400	no
default_cache_behavior_max_ttl	The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated.	number	31536000	no
default_cache_behavior_min_ttl	The minimum amount of time (in seconds) that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.	number	0	no
enable_icons_basic_auth	When set to 'true' the resource will enable basic auth for icons/ subpath	bool	true	no
icons_ordered_cache_behavior_default_ttl	The default amount of time (in seconds) that a icon object is in a CloudFront cache before CloudFront forwards another request in the absence of an Cache-Control max-age or Expires header.	number	30	no
icons_ordered_cache_behavior_max_ttl	The maximum amount of time (in seconds) that a icon object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated.	number	60	no
icons_ordered_cache_behavior_min_ttl	The minimum amount of time (in seconds) that you want icon objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.	number	0	no
manifests_ordered_cache_behavior_default_ttl	The default amount of time (in seconds) that a manifest object is in a CloudFront cache before CloudFront forwards another request in the absence of an Cache-Control max-age or Expires header.	number	30	no
manifests_ordered_cache_behavior_max_ttl	The maximum amount of time (in seconds) that a manifest object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated.	number	60	no
manifests_ordered_cache_behavior_min_ttl	The minimum amount of time (in seconds) that you want manifest objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.	number	0	no
name	Name to be used on all resources as the identifier	string	"munki"	no
s3_bucket_create	Set to true to create a new s3 bucket. If false you can reuse a current bucket	bool	true	no
s3_bucket_name	The s3 bucket name to use	any	n/a	yes
s3_encryption_enabled	When set to 'true' the resource will have aes256 encryption enabled by default	bool	true	no
server_side_makecatalogs	Set to true to enable server side makecatalogs when s3 bucket changes happen	bool	false	no
tags	A map of tags to add to all resources	map(string)	{}	no

Outputs

Name	Description
cf_domain_name	The cloudfront distribution point domain name
cf_hosted_zone_id	The cloudfront distribution point zone id