From e9b43af7406385e911c5914f4d2c475124c742bb Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 25 Sep 2025 20:34:39 +0100
Subject: [PATCH] Add support for seamless AWS key changes

---
 cookbooks/tilelog/recipes/default.rb            |  6 +++++-
 cookbooks/tilelog/templates/default/tilelog.erb |  4 ++--
 cookbooks/web/recipes/rails.rb                  | 15 +++++++++------
 test/data_bags/tilelog/passwords.json           |  4 +++-
 test/data_bags/web/passwords.json               |  4 +++-
 5 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/cookbooks/tilelog/recipes/default.rb b/cookbooks/tilelog/recipes/default.rb
index 937022515..8f8ac4a8f 100644
--- a/cookbooks/tilelog/recipes/default.rb
+++ b/cookbooks/tilelog/recipes/default.rb
@@ -43,13 +43,17 @@ directory tilelog_output_directory do
   recursive true
 end
 
+aws_access_key_id = "AKIASQUXHPE7JFCFMOUP"
+aws_secret_access_key = passwords["aws_keys"][aws_access_key_id]
+
 template "/usr/local/bin/tilelog" do
   source "tilelog.erb"
   owner "root"
   group "root"
   mode "755"
   variables :output_dir => tilelog_output_directory,
-            :aws_key => passwords["aws_key"]
+            :aws_access_key_id => aws_access_key_id,
+            :aws_secret_access_key => aws_secret_access_key
 end
 
 systemd_service "tilelog" do
diff --git a/cookbooks/tilelog/templates/default/tilelog.erb b/cookbooks/tilelog/templates/default/tilelog.erb
index 978974d89..16d461f65 100644
--- a/cookbooks/tilelog/templates/default/tilelog.erb
+++ b/cookbooks/tilelog/templates/default/tilelog.erb
@@ -12,8 +12,8 @@ TMPDIR=$(mktemp -d -t tilelog.XXXXXXXXX)
 
 cd "$TMPDIR"
 
-export AWS_ACCESS_KEY_ID="AKIASQUXHPE7JFCFMOUP"
-export AWS_SECRET_ACCESS_KEY="<%= @aws_key %>"
+export AWS_ACCESS_KEY_ID="<%= @aws_access_key_id %>"
+export AWS_SECRET_ACCESS_KEY="<%= @aws_secret_access_key %>"
 export AWS_REGION="eu-west-1"
 
 TILEFILE="tiles-${DATE}.txt.xz"
diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb
index e21a988e2..3d9df3f9b 100644
--- a/cookbooks/web/recipes/rails.rb
+++ b/cookbooks/web/recipes/rails.rb
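Review bot: `passwords["aws_keys"][aws_access_key_id]` fails quietly when the data bag has not yet been given an entry for the id set just above it: the lookup returns `nil`, the template renders an empty `AWS_SECRET_ACCESS_KEY` into `/usr/local/bin/tilelog`, and the breakage only surfaces when the job runs rather than at converge time. Looking it up with `aws_secret_access_key = passwords["aws_keys"].fetch(aws_access_key_id)` raises a `KeyError` naming the missing id during the chef run, which is the behaviour you want while rotating ids; the same applies to `web_passwords["aws_keys"][aws_access_key_id]` in cookbooks/web/recipes/rails.rb. Whether `passwords` is a data bag item is not visible in this hunk, but `passwords["aws_keys"]` is the plain hash from the JSON either way, so `fetch` works on it. Separately, and not introduced by this change: the rendered script keeps `mode "755"`, so the embedded secret is readable by every local account on the host; `mode "750"` would confine it to root and its group.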
@@ -45,11 +45,14 @@ rails_directory = "#{node[:web][:base_directory]}/rails"
 
 matomo = data_bag_item("web", "matomo")
 
+aws_access_key_id = "AKIASQUXHPE7AMJQRFOS"
+aws_secret_access_key = web_passwords["aws_keys"][aws_access_key_id]
+
 storage = {
   "avatars" => {
     "service" => "S3",
-    "access_key_id" => "AKIASQUXHPE7AMJQRFOS",
-    "secret_access_key" => web_passwords["aws_key"],
+    "access_key_id" => aws_access_key_id,
+    "secret_access_key" => aws_secret_access_key,
     "region" => "eu-west-1",
     "bucket" => "openstreetmap-user-avatars",
     "public" => true,
@@ -61,8 +64,8 @@ storage = {
   },
   "gps_traces" => {
     "service" => "S3",
-    "access_key_id" => "AKIASQUXHPE7AMJQRFOS",
-    "secret_access_key" => web_passwords["aws_key"],
+    "access_key_id" => aws_access_key_id,
+    "secret_access_key" => aws_secret_access_key,
     "region" => "eu-west-1",
     "bucket" => "openstreetmap-gps-traces",
     "use_dualstack_endpoint" => true,
@@ -74,8 +77,8 @@ storage = {
   },
   "gps_images" => {
     "service" => "S3",
-    "access_key_id" => "AKIASQUXHPE7AMJQRFOS",
-    "secret_access_key" => web_passwords["aws_key"],
+    "access_key_id" => aws_access_key_id,
+    "secret_access_key" => aws_secret_access_key,
     "region" => "eu-west-1",
     "bucket" => "openstreetmap-gps-images",
     "use_dualstack_endpoint" => true,
diff --git a/test/data_bags/tilelog/passwords.json b/test/data_bags/tilelog/passwords.json
index 060602931..ad87bf6c3 100644
--- a/test/data_bags/tilelog/passwords.json
+++ b/test/data_bags/tilelog/passwords.json
@@ -1,4 +1,6 @@
 {
   "id": "passwords",
-  "aws_key": "AWS_KEY_VALUE"
+  "aws_keys": {
+    "AKIASQUXHPE7JFCFMOUP": "AWS_KEY_VALUE"
+  }
 }
diff --git a/test/data_bags/web/passwords.json b/test/data_bags/web/passwords.json
index 172b85cf5..eb1e423a4 100644
--- a/test/data_bags/web/passwords.json
+++ b/test/data_bags/web/passwords.json
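Review bot: The rotation procedure that the new `aws_keys` layout enables is not documented in the recipe: a reader of `aws_access_key_id = "AKIASQUXHPE7AMJQRFOS"` cannot tell from the code why the secret is keyed by access key id, or what the expected steps are when the id changes. The commit subject suggests the data bag is meant to hold the old and new secrets side by side so that only this one line needs to change; if that is the intent, a comment above the assignment such as `# Secrets are keyed by access key id so old and new keys can coexist in the data bag; rotate by adding the new pair to the bag, changing this id, then removing the old pair once every node has converged.` would make it durable. The same comment belongs above the matching assignment in cookbooks/tilelog/recipes/default.rb.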
@@ -21,7 +21,9 @@
   "thunderforest_key": "thunderforest",
   "tracestrack_key": "tracestrack",
   "totp_key": "totp",
-  "aws_key": "aws",
+  "aws_keys": {
+    "AKIASQUXHPE7AMJQRFOS": "aws"
+  }
   "openid_connect_key": [
     "-----BEGIN PRIVATE KEY-----",
     "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC1yJqM4c0bJNVN",
-- 
2.39.5
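Review bot: The added `}` that closes `aws_keys` has no trailing comma, yet `"openid_connect_key"` follows it as the next member, so test/data_bags/web/passwords.json is no longer valid JSON and anything that loads the test data bags will fail to parse it. Change `+  }` to `+  },`. The tilelog fixture in this patch does not have the problem because `aws_keys` is the last member of that object.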