HTTPS etcd with cloud-config

cloud-config.yml

#cloud-config

coreos:
  update:
    reboot-strategy: etcd-lock
  etcd:
    discovery: https://discovery.etcd.io/<TOKEN>
    addr: $private_ipv4:4001
    peer-addr: $private_ipv4:7001
    key-file: /etc/etcd-ssl/key.pem
    cert-file: /etc/etcd-ssl/cert.pem
    ca-file: /etc/etcd-ca/cert.pem
    peer-key-file: /etc/etcd-ssl/key.pem
    peer-cert-file: /etc/etcd-ssl/cert.pem
    peer-ca-file: /etc/etcd-ca/cert.pem
  fleet:
    etcd-servers: https://127.0.0.1:4001
    etcd-cafile: /etc/etcd-ca/cert.pem
    etcd-keyfile: /etc/etcd-ssl/key.pem
    etcd-certfile: /etc/etcd-ssl/cert.pem
  units:
    - name: etcd-certificate.service
      command: start
      content: |
        [Unit]
        Description=etcd-certificate
        
        [Service]
        WorkingDirectory=/tmp
        ExecStart=/usr/bin/mkdir -p /opt/bin /etc/etcd-ssl
        ExecStart=/usr/bin/wget -P /opt/bin https://s3.amazonaws.com/newsdev-pub/pkg/generate-cert
        ExecStart=/usr/bin/chmod +x /opt/bin/generate-cert
        ExecStart=/opt/bin/generate-cert -key /etc/etcd-ca/key.pem -cert /etc/etcd-ca/cert.pem -host 127.0.0.1,$private_ipv4 -rsa-bits 4096
        ExecStart=/usr/bin/chown root:etcd cert.pem key.pem
        ExecStart=/usr/bin/chmod 440 cert.pem key.pem
        ExecStart=/usr/bin/mv cert.pem key.pem /etc/etcd-ssl
        RemainAfterExit=yes
        Type=oneshot
    - name: etcd.service
      command: start
    - name: fleet.service
      command: start