Example State and Pillar Data for Automatic Encryption of EC2 Instance (Ephemeral) Storage for SaltStack
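# Pillar data read by the instanceluks state.
#
# These values are LUKS passphrases. Target this pillar only at the minions
# that need it, and keep it out of version control in plaintext; Salt's GPG
# renderer can hold the values encrypted at rest on the master.
instanceluks:
  # Passphrase used for any ephemeral volume without its own entry below.
  password: global_password
  # Per-volume passphrases, keyed by mapper name ("data" + ephemeral index).
  passwords:
    data0: password1
    data1: password2
    data2: password3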
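{#
  instanceluks: LUKS-encrypt every EC2 ephemeral volume reported in grains,
  open it as /dev/mapper/dataN, create ext4 on it and mount it at /dataN.

  Pillar keys read:
    instanceluks:password          passphrase used when a volume has no own entry
    instanceluks:passwords:dataN   per-volume passphrase

  NOTE(review): 'testing12345' below is a published placeholder. A minion that
  receives no instanceluks pillar data still formats its volumes, with a
  passphrase anyone can look up. Always set the pillar value, and consider
  dropping the fallback so that a missing pillar fails the run instead.

  Jinja tags are kept at column 0 on purpose: leading whitespace before a tag
  is emitted into the rendered YAML unless lstrip_blocks is enabled.
#}
{%- set numbers = ['0', '1', '2', '3', '4', '5', '6', '7', '8'] -%}
{%- set global_password = salt['pillar.get']('instanceluks:password', 'testing12345') -%}

{% if grains['os_family'] == 'Debian' %}
instanceluks_crypto_package:
  pkg:
    - name: cryptsetup
    - order: 5
    - installed

instanceluks_lvm2_package:
  pkg:
    - name: lvm2
    - order: 6
    - installed
{% endif %}

{% for num in numbers %}
{%- set device = salt['grains.get']('ec2_block-device-mapping_ephemeral' + num, false) -%}
{% if device %}
{%- if grains['os_family'] == 'Debian' -%}
{%- set device = device|replace("sd", "xvd") -%}
{%- endif -%}
{%- set name = "data" + num -%}
{%- set password = salt['pillar.get']('instanceluks:passwords:' + name, global_password) -%}
instanceluks_umount_{{ num }}:
  cmd.run:
    # Only unmount when the raw device is currently mounted.
    - name: umount /dev/{{ device }}
    - onlyif: df | grep /dev/{{ device }}
    - order: 10

instanceluks_encrypt_{{ num }}:
  cmd.run:
    # Skip when the device already carries a LUKS header, so a re-run never
    # reformats an initialised volume.
    - unless: cryptsetup luksUUID /dev/{{ device }}
    # The passphrase is fed on stdin rather than through an echo pipeline.
    # A state's name is part of its return ID, so a secret inside the command
    # string ends up in job returns and logs, and shell metacharacters in the
    # passphrase would be expanded by the shell.
    # cryptsetup reads a stdin passphrase up to the first newline or EOF, so
    # the resulting key matches what echo supplied for ordinary passphrases.
    # NOTE(review): confirm cmd.run passes stdin through on your Salt release.
    - name: cryptsetup luksFormat /dev/{{ device }}
    - stdin: {{ password | string | yaml_dquote }}
    - order: 12

instanceluks_open_{{ num }}:
  cmd.run:
    # Skip when the mapping already exists.
    - unless: stat /dev/mapper/{{ name }}
    # Passphrase on stdin for the same reasons as in the luksFormat state.
    - name: cryptsetup luksOpen /dev/{{ device }} {{ name }}
    - stdin: {{ password | string | yaml_dquote }}
    - order: 14

instanceluks_format_{{ num }}:
  cmd.run:
    # Create the filesystem only when the mapping does not already hold ext4.
    - unless: lsblk -f /dev/mapper/{{ name }} | grep ext4
    - name: mkfs.ext4 /dev/mapper/{{ name }}
    - order: 16

instanceluks_mount_{{ num }}:
  mount.mounted:
    - name: /{{ name }}
    - device: /dev/mapper/{{ name }}
    - fstype: ext4
    - mkmnt: True
    # Not written to fstab: the mapping has to be opened by this state first.
    - persist: False
    - order: 18

instanceluks_grain_{{ num }}:
  grains.list_present:
    # Record the mount point so other states can find the encrypted volumes.
    - name: instanceluks_volumes
    - value: /{{ name }}
{% endif %}
{% endfor %}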