
This project forked from aaronburchfield/cloudfront-middleware


Securely access a munki repo with Amazon CloudFront


What is CloudFront Middleware?

CloudFront Middleware enables managed clients to securely access a munki repo from Amazon's CloudFront Global Content Delivery Network. CloudFront has lower transit costs than using S3 directly and can offer better performance to managed clients that are outside of an S3 bucket's region.

CloudFront Middleware uses a CloudFront private key to create and sign requests for private CloudFront resources. Each signed request includes an expiration date after which the request is no longer valid.

CloudFront key pairs are available from the AWS Security Credentials dashboard. Each AWS account can have a maximum of two CloudFront key pairs (active or inactive) at a time, allowing for periodic rotation of the private key. It is possible to grant an AWS account other than the CloudFront distribution owner the ability to sign CloudFront requests.

Requirements

  • Amazon S3 bucket with your munki repo inside.
  • CloudFront distribution serving this origin with restricted access to your S3 content.
  • CloudFront private key of an AWS account that is a trusted signer of this CloudFront distribution.

Configure a managed client to access the CloudFront munki repo.

  1. Install middleware_cloudfront.py to /usr/local/munki/.

  2. Set the munki preference SoftwareRepoURL to your CloudFront Distribution URL.

  3. Set the CloudFront Middleware preferences for your Access Key ID and the resource expiration timeout in minutes. If unset, the expiration defaults to 60 minutes.

    sudo defaults write com.github.aaronburchfield.cloudfront access_id -string "YOURACCESSKEYID"
    sudo defaults write com.github.aaronburchfield.cloudfront expire_after -int 30
    
  4. If you are using an Alternate Domain Name, set the preference for your domain name.

    sudo defaults write com.github.aaronburchfield.cloudfront domain_name -string "munki.megacorp.com"
    
  5. Install a trusted signer's CloudFront private key and set strict permissions.

    sudo cp pk-YOURACCESSKEYID.pem /usr/local/munki/munkiaccess.pem
    sudo chown root:wheel /usr/local/munki/munkiaccess.pem
    sudo chmod 400 /usr/local/munki/munkiaccess.pem
    
  6. Run munki and verify that signed CloudFront requests are being made.

    sudo managedsoftwareupdate --checkonly -vvv
    
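The signing described above, as an added example that is not the middleware's own code: it builds the canned policy CloudFront expects for one resource URL, signs it RSA-SHA1 with the private key installed at /usr/local/munki/munkiaccess.pem in step 5, appends the Expires, Signature and Key-Pair-Id parameters, and includes the check CloudFront itself performs so that expired or altered URLs can be tested locally. It assumes the cryptography package is available; the URL and key pair ID shown are placeholders, and the expire_after argument mirrors the preference of the same name.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding

KEY_PATH = "/usr/local/munki/munkiaccess.pem"  # key installed in step 5 above
B64_TO_CF = str.maketrans("+=/", "-_~")        # CloudFront's URL-safe base64 alphabet


def load_private_key(path=KEY_PATH):
    """Read the PEM private key kept at mode 0400, owned by root:wheel."""
    with open(path, "rb") as fh:
        return serialization.load_pem_private_key(fh.read(), password=None)


def canned_policy(url, expires):
    """Canned policy granting exactly this resource until epoch time `expires`."""
    policy = {"Statement": [{"Resource": url, "Condition": {
        "DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def sign_url(url, key_pair_id, private_key, expire_after=60, now=None):
    """Append Expires, Signature and Key-Pair-Id to a query-less resource URL.
    expire_after is in minutes; the signature is RSA-SHA1 with PKCS#1 v1.5."""
    expires = (int(time.time()) if now is None else now) + expire_after * 60
    sig = private_key.sign(canned_policy(url, expires), padding.PKCS1v15(), hashes.SHA1())
    sig_b64 = base64.b64encode(sig).decode("ascii").translate(B64_TO_CF)
    return f"{url}?Expires={expires}&Signature={sig_b64}&Key-Pair-Id={key_pair_id}"


def verify_signed_url(signed_url, public_key, now=None):
    """What CloudFront checks before serving: a valid signature over the canned
    policy for this exact resource, and an Expires time still in the future."""
    parts = urlsplit(signed_url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["Expires"][0])
        sig = base64.b64decode(qs["Signature"][0].translate(str.maketrans("-_~", "+=/")))
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if (int(time.time()) if now is None else now) >= expires:
        return False  # expired URL
    resource = parts._replace(query="").geturl()  # the URL that was signed
    try:
        public_key.verify(sig, canned_policy(resource, expires), padding.PKCS1v15(), hashes.SHA1())
    except InvalidSignature:
        return False  # resource or expiry altered, or wrong key pair
    return True
```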

Build a luggage package to install CloudFront Middleware

The included luggage makefile can be used to create an installer package for CloudFront Middleware.

  1. With an AWS root account, generate a CloudFront key pair, saving the private key as munkiaccess.pem in the root of this repo.
  2. Replace the Access Key ID on line 4 of the postinstall script with the ID of your CloudFront key pair.
  3. Run make pkg and install the resulting package.
  4. Set your SoftwareRepoURL to your CloudFront Distribution address and run munki.
