From fb1d7e8d3b22f6250d635eb48ea2e1765c5f042c Mon Sep 17 00:00:00 2001 From: Andrew Vant Date: Fri, 3 Apr 2015 17:33:25 -0400 Subject: [PATCH 1/6] Added pillar option to redirect profile and map folders. --- pillar.example | 6 ++++++ salt/cloud.sls | 22 ++++++++++------------ 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/pillar.example b/pillar.example index ca41f63..5076166 100644 --- a/pillar.example +++ b/pillar.example @@ -82,6 +82,12 @@ salt: - cloud.providers.d/key - cloud.profiles.d - cloud.maps.d + + # You can take profile and map templates from an alternate location + # if desired. + profiles_src: salt://templates/cloud.profiles.d + maps_src: salt://templates/cloud.maps.d + providers: - ec2 - gce diff --git a/salt/cloud.sls b/salt/cloud.sls index 9d467e7..b95c103 100644 --- a/salt/cloud.sls +++ b/salt/cloud.sls @@ -60,21 +60,19 @@ cloud-cert-{{ cert }}-pem: {% endfor %} {% for providers in salt_settings.cloud.providers %} -salt-cloud-profiles-{{ providers }}: - file.managed: - - name: /etc/salt/cloud.profiles.d/{{ providers }}.conf - - template: jinja - - source: salt://salt/files/cloud.profiles.d/{{ providers }}.conf - salt-cloud-providers-{{ providers }}: file.managed: - name: /etc/salt/cloud.providers.d/{{ providers }}.conf - template: jinja - source: salt://salt/files/cloud.providers.d/{{ providers }}.conf - -salt-cloud-maps-{{ providers }}: - file.managed: - - name: /etc/salt/cloud.maps.d/{{ providers }}.conf - - template: jinja - - source: salt://salt/files/cloud.maps.d/{{ providers }}.conf {% endfor %} + +{%- for dir in ['profiles', 'maps'] %} +{%- set default_src = 'salt://salt/files/cloud.{}.d'.format(dir) %} +{%- set source = salt_settings.cloud.get(dir + "_src", default_src) %} +salt-cloud-{{ dir }}: + file.recurse: + - name: /etc/salt/cloud.{{ dir }}.d + - source: {{ source }} + - template: jinja +{%- endfor %} From 7e074dc37917a9c70a29cfa49eb8fe1b8d21b38b Mon Sep 17 00:00:00 2001 
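Review bot: The new `salt-cloud-{{ dir }}` file.recurse states at the end of this hunk write every rendered profile and map with whatever mode the minion's umask yields, whereas the removed per-provider `file.managed` states at least limited what was written to one `{{ providers }}.conf` per provider. Salt-cloud profiles can carry bootstrap credentials (an SSH or Windows password, for instance), so if that is the case in this tree the profiles state should pin `- user: root`, `- group: root`, `- file_mode: 600` and `- dir_mode: 700` rather than inheriting defaults. It would also help to document, next to the new `profiles_src`/`maps_src` pillar keys, that `template: jinja` is applied to every file under the alternate tree, so only Jinja-renderable files may live there.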
From: Andrew Vant Date: Fri, 3 Apr 2015 18:47:08 -0400 Subject: [PATCH 2/6] Supplied default values for all pillar queries in provider templates. These aren't intended to function; they're here to allow the use of file.recurse on the provider folder, without requiring the user to provide pillar data for templates they're not using. --- salt/files/cloud.providers.d/ec2.conf | 6 +++--- salt/files/cloud.providers.d/gce.conf | 6 +++--- salt/files/cloud.providers.d/rsos.conf | 8 ++++---- salt/files/cloud.providers.d/saltify.conf | 5 ++++- 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/salt/files/cloud.providers.d/ec2.conf b/salt/files/cloud.providers.d/ec2.conf index fddf6b7..9afbcf3 100644 --- a/salt/files/cloud.providers.d/ec2.conf +++ b/salt/files/cloud.providers.d/ec2.conf @@ -2,12 +2,12 @@ {% set cloud = salt['pillar.get']('salt:cloud', {}) -%} ec2_ubuntu_public: minion: - master: {{ cloud['master'] }} + master: {{ cloud.get('master', 'salt') }} grains: test: True ssh_interface: public_ips - id: {{ cloud['aws_key'] }} - key: '{{ cloud['aws_secret'] }}' + id: {{ cloud.get('aws_key', 'DEFAULT') }} + key: '{{ cloud.get('aws_secret', 'DEFAULT') }}' private_key: /etc/salt/cloud.providers.d/key/key.pem keyname: keyname location: eu-west-1 diff --git a/salt/files/cloud.providers.d/gce.conf b/salt/files/cloud.providers.d/gce.conf index 5313dfb..6b90bfb 100644 --- a/salt/files/cloud.providers.d/gce.conf +++ b/salt/files/cloud.providers.d/gce.conf 
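Review bot: Defaulting `aws_key`/`aws_secret` to the literal `DEFAULT` means a missing or misspelled pillar key no longer fails the render; it silently produces a provider file whose credential is the string `DEFAULT`, and any `salt-cloud` invocation against `ec2_ubuntu_public` then authenticates with that value instead of failing at state time. Since the commit message says these defaults are not meant to function, a safer way to keep the "renders without pillar" property is to skip the block when its key is absent: `{%- if 'aws_key' in cloud %}` before `ec2_ubuntu_public:` and `{%- endif %}` after the block, so an unused template renders empty rather than half-configured. The `id:` value is also interpolated unquoted while `key:` is quoted; quoting both keeps a key ID that happens to look like a number or boolean from being retyped by the YAML loader.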
@@ -1,11 +1,11 @@ # This file managed by Salt, do not edit by hand!! {% set cloud = salt['pillar.get']('salt:cloud', {}) -%} gce: - project: "{{ cloud['gce_project'] }}" - service_account_email_address: "{{ cloud['gce_service_account_email_address'] }}" + project: "{{ cloud.get('gce_project', 'DEFAULT') }}" + service_account_email_address: "{{ cloud.get('gce_service_account_email_address', 'DEFAULT') }}" service_account_private_key: "/etc/salt/cloud.providers.d/key.pem" minion: - master: {{ cloud['master'] }} + master: {{ cloud.get('master', 'salt') }} grains: test: True provider: gce diff --git a/salt/files/cloud.providers.d/rsos.conf b/salt/files/cloud.providers.d/rsos.conf index d3d6aa7..4bd41f1 100644 --- a/salt/files/cloud.providers.d/rsos.conf +++ b/salt/files/cloud.providers.d/rsos.conf @@ -6,7 +6,7 @@ rsos_{{ region|lower }}: minion: - master: {{ cloud['master'] }} + master: {{ cloud.get('master', 'salt') }} grains: region: {{ region|lower }} @@ -15,7 +15,7 @@ rsos_{{ region|lower }}: protocol: ipv4 compute_region: {{ region }} provider: openstack - user: {{ cloud['rsos_user'] }} - tenant: {{ cloud['rsos_tenant'] }} - apikey: {{ cloud['rsos_apikey'] }} + user: {{ cloud.get('rsos_user', 'DEFAULT') }} + tenant: {{ cloud.get('rsos_tenant', 'DEFAULT') }} + apikey: {{ cloud.get('rsos_apikey', 'DEFAULT') }} {% endfor %} diff --git a/salt/files/cloud.providers.d/saltify.conf b/salt/files/cloud.providers.d/saltify.conf index 4fcff65..97cc2d5 100644 --- a/salt/files/cloud.providers.d/saltify.conf +++ b/salt/files/cloud.providers.d/saltify.conf @@ -1,5 +1,8 @@ # This file is managed by Salt via {{ source }} + +{% set cloud = salt['pillar.get']('salt:cloud', {}) -%} + saltify: provider: saltify minion: - master: {{ cloud['master'] }} + master: {{ cloud.get('master', 'salt') }} From f3ed6e182895b7632394aae39c079a3dd2d8798d Mon Sep 17 00:00:00 2001 
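Review bot: `apikey:` on the last changed line of the rsos template is written unquoted, so a Rackspace API key that happens to consist only of digits, or to match another YAML implicit type, would be retyped by the loader and the provider would fail to authenticate; the ec2 template in this same commit quotes its secret, so `apikey: '{{ cloud.get('rsos_apikey', 'DEFAULT') }}'` would be consistent. The `DEFAULT` fallbacks also mean every region in the enclosing loop (presumably a `{% for region ... %}` whose header is above this hunk, given the `{% endfor %}` context line) gets a fully formed provider with bogus credentials whenever the rsos pillar keys are absent, rather than a render error. Consider guarding the loop with `{%- if 'rsos_apikey' in cloud %}` so an unused rsos template renders empty.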
From: Andrew Vant Date: Fri, 3 Apr 2015 19:30:26 -0400 Subject: [PATCH 3/6] cloud.providers.d can now be redirected. This obsoletes the salt:cloud:folders and salt:cloud:providers pillar entries. Provider keys have been moved to /etc/salt/pki/cloud. --- pillar.example | 17 ++++++-------- salt/cloud.sls | 32 ++++++++------------------- salt/defaults.yaml | 6 +++++ salt/files/cloud.providers.d/ec2.conf | 2 +- salt/files/cloud.providers.d/gce.conf | 2 +- 5 files changed, 24 insertions(+), 35 deletions(-) diff --git a/pillar.example b/pillar.example index 5076166..e30b978 100644 --- a/pillar.example +++ b/pillar.example @@ -78,19 +78,16 @@ salt: # salt cloud config cloud: master: salt - folders: - - cloud.providers.d/key - - cloud.profiles.d - - cloud.maps.d # You can take profile and map templates from an alternate location - # if desired. - profiles_src: salt://templates/cloud.profiles.d - maps_src: salt://templates/cloud.maps.d + # if you want to write your own. + template_sources: + providers: salt://templates/cloud.providers.d + profiles: salt://templates/cloud.profiles.d + maps: salt://templates/cloud.maps.d - providers: - - ec2 - - gce + # These settings are used by the default provider templates and + # only need to be set for the ones you're using. aws_key: AWSKEYIJSHJAIJS6JSH aws_secret: AWSSECRETYkkDY1iQf9zRtl9+pW+Nm+aZY95 gce_project: test diff --git a/salt/cloud.sls b/salt/cloud.sls index b95c103..6834f2d 100644 --- a/salt/cloud.sls +++ b/salt/cloud.sls 
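Review bot: The new comment `# These settings are used by the default provider templates and only need to be set for the ones you're using.` is only half true once `cloud.providers.d` is populated with file.recurse: every template under `template_sources.providers` is rendered and written to `/etc/salt/cloud.providers.d/`, and the ones without pillar data land there with the `DEFAULT` placeholders introduced earlier in this series. Suggest extending the comment with `# Note: all templates under template_sources.providers are rendered and installed; unused ones get placeholder credentials. Point template_sources.providers at a tree holding only the providers you use to avoid that.` The example `aws_secret` value below is pre-existing context, but since this file gets copied into real pillars, an obviously fake placeholder such as `aws_secret: REPLACE_ME` would make it harder to confuse with a real secret.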
@@ -32,47 +32,33 @@ salt-cloud: {% endif %} {% endif %} -{% for folder in salt_settings.cloud.folders %} -{{ folder }}: - file.directory: - - name: /etc/salt/{{ folder }} - - user: root - - group: root - - file_mode: 744 - - dir_mode: 755 - - makedirs: True -{% endfor %} - {% for cert in pillar.get('salt_cloud_certs', {}) %} {% for type in ['pem'] %} cloud-cert-{{ cert }}-pem: file.managed: - - name: /etc/salt/cloud.providers.d/key/{{ cert }}.pem + - name: /etc/salt/pki/cloud/{{ cert }}.pem - source: salt://salt/files/key - template: jinja - user: root - group: root - mode: 600 + - makedirs: True - defaults: key: {{ cert }} type: {{ type }} {% endfor %} {% endfor %} -{% for providers in salt_settings.cloud.providers %} -salt-cloud-providers-{{ providers }}: - file.managed: - - name: /etc/salt/cloud.providers.d/{{ providers }}.conf - - template: jinja - - source: salt://salt/files/cloud.providers.d/{{ providers }}.conf -{% endfor %} - -{%- for dir in ['profiles', 'maps'] %} -{%- set default_src = 'salt://salt/files/cloud.{}.d'.format(dir) %} -{%- set source = salt_settings.cloud.get(dir + "_src", default_src) %} +{%- for dir in ['providers', 'profiles', 'maps'] %} +{%- set source = salt_settings.cloud.template_sources.get(dir) %} salt-cloud-{{ dir }}: file.recurse: - name: /etc/salt/cloud.{{ dir }}.d - source: {{ source }} - template: jinja + - user: root + - group: root + - dir_mode: 755 + - file_mode: 644 + - makedirs: True {%- endfor %} diff --git a/salt/defaults.yaml b/salt/defaults.yaml index 3457a72..c42f5aa 100644 --- a/salt/defaults.yaml +++ b/salt/defaults.yaml @@ -23,3 +23,9 @@ salt: install_from_source: True gitpython: install_from_source: False + + cloud: + template_sources: + providers: salt://salt/files/cloud.providers.d + profiles: salt://salt/files/cloud.profiles.d + maps: salt://salt/files/cloud.maps.d diff --git a/salt/files/cloud.providers.d/ec2.conf b/salt/files/cloud.providers.d/ec2.conf index 9afbcf3..56dab21 100644 
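Review bot: `cloud-cert-{{ cert }}-pem` now relies on `makedirs: True` to create `/etc/salt/pki/cloud`, but no `dir_mode` is given, so the permissions of the new directory depend on Salt's default for `file.managed` rather than being pinned; the key file itself is `mode: 600`, and the containing directory should be explicit too: add `- dir_mode: 700` next to `- makedirs: True`. In the same hunk the providers directory is rendered with `file_mode: 644` and `dir_mode: 755`, which leaves API keys and secrets world-readable; the later commit in this series tightens that, but it belongs with the change that moved rendering to file.recurse. Note also that `salt_settings.cloud.template_sources.get(dir)` yields `None` if a pillar override replaces `template_sources` with a partial mapping — whether defaults are merged depends on map.jinja, which is outside this diff.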
--- a/salt/files/cloud.providers.d/ec2.conf +++ b/salt/files/cloud.providers.d/ec2.conf @@ -8,7 +8,7 @@ ec2_ubuntu_public: ssh_interface: public_ips id: {{ cloud.get('aws_key', 'DEFAULT') }} key: '{{ cloud.get('aws_secret', 'DEFAULT') }}' - private_key: /etc/salt/cloud.providers.d/key/key.pem + private_key: /etc/salt/pki/cloud/ec2.pem keyname: keyname location: eu-west-1 availability_zone: eu-west-1a diff --git a/salt/files/cloud.providers.d/gce.conf b/salt/files/cloud.providers.d/gce.conf index 6b90bfb..def68f2 100644 --- a/salt/files/cloud.providers.d/gce.conf +++ b/salt/files/cloud.providers.d/gce.conf @@ -3,7 +3,7 @@ gce: project: "{{ cloud.get('gce_project', 'DEFAULT') }}" service_account_email_address: "{{ cloud.get('gce_service_account_email_address', 'DEFAULT') }}" - service_account_private_key: "/etc/salt/cloud.providers.d/key.pem" + service_account_private_key: "/etc/salt/pki/cloud/gce.pem" minion: master: {{ cloud.get('master', 'salt') }} grains: From f0e9c2df87ecca478d8f3b13a8b39678ee69e153 Mon Sep 17 00:00:00 2001 From: Andrew Vant Date: Mon, 6 Apr 2015 11:24:41 -0400 Subject: [PATCH 4/6] Enforced root-only permissions on cloud.providers.d. As mentioned in issue #118, provider files may contain passwords or API keys and should be restricted. Profiles/maps are probably OK with the defaults. --- salt/cloud.sls | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/salt/cloud.sls b/salt/cloud.sls index 6834f2d..f67a147 100644 --- a/salt/cloud.sls +++ b/salt/cloud.sls @@ -56,9 +56,17 @@ salt-cloud-{{ dir }}: - name: /etc/salt/cloud.{{ dir }}.d - source: {{ source }} - template: jinja - - user: root - - group: root - - dir_mode: 755 - - file_mode: 644 - makedirs: True {%- endfor %} + +salt-cloud-providers-permissions: + file.directory: + - name: /etc/salt/cloud.providers.d + - user: root + - group: root + - file_mode: 600 + - dir_mode: 700 + - recurse: + - user + - group + - mode 
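Review bot: `private_key: /etc/salt/pki/cloud/ec2.pem` hard-codes the file name, but the key is only installed under that name if the `salt_cloud_certs` pillar contains an entry literally named `ec2`, since the `cloud-cert-{{ cert }}-pem` state writes `/etc/salt/pki/cloud/{{ cert }}.pem`; the same applies to `gce.pem` in the following hunk. Nothing in pillar.example says so, and a mismatch produces a provider that fails at first use rather than at state time. Suggest a comment above the line, `# must match a key name under salt_cloud_certs in pillar (installed as /etc/salt/pki/cloud/<name>.pem)`, and the corresponding note in pillar.example.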
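Review bot: The new `salt-cloud-providers-permissions` state runs after the `salt-cloud-providers` file.recurse state in file order, so on any run where a provider template changes the file is first written with the minion's default mode and only tightened to 600 afterwards; anything reading the directory between those two states, or a run that fails in between, sees the secrets world-readable. This commit removes `user`/`group`/`file_mode`/`dir_mode` from the recurse loop; restoring them for the providers directory makes the files be created with the restricted mode in the first place, and the file.directory state then only fixes up pre-existing files. The `{%- for dir in [...] %}` header starts above this hunk, so the guard below sits inside the loop.
```yaml
    - template: jinja
    - makedirs: True
{%- if dir == 'providers' %}
    - user: root
    - group: root
    - file_mode: 600
    - dir_mode: 700
{%- endif %}
{%- endfor %}
# … unchanged: salt-cloud-providers-permissions state …
```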
From ba143c18109d9e9efd6ca092b01d1ae25fc7118d Mon Sep 17 00:00:00 2001 From: Andrew Vant Date: Mon, 13 Apr 2015 16:07:03 -0400 Subject: [PATCH 5/6] Updated pillar.example with the correct defaults for template_sources. --- pillar.example | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pillar.example b/pillar.example index e30b978..3f7a8f3 100644 --- a/pillar.example +++ b/pillar.example @@ -82,9 +82,9 @@ salt: # You can take profile and map templates from an alternate location # if you want to write your own. template_sources: - providers: salt://templates/cloud.providers.d - profiles: salt://templates/cloud.profiles.d - maps: salt://templates/cloud.maps.d + providers: salt://salt/files/cloud.providers.d + profiles: salt://salt/files/cloud.profiles.d + maps: salt://salt/files/cloud.maps.d # These settings are used by the default provider templates and # only need to be set for the ones you're using. From e632b8bcb5400df743076803319a2cffd5db930f Mon Sep 17 00:00:00 2001 From: Andrew Vant Date: Mon, 13 Apr 2015 16:08:11 -0400 Subject: [PATCH 6/6] Cloud file.recurse loop no longer hardcodes folder list. --- salt/cloud.sls | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/salt/cloud.sls b/salt/cloud.sls index f67a147..13bd5c0 100644 --- a/salt/cloud.sls +++ b/salt/cloud.sls @@ -49,12 +49,11 @@ cloud-cert-{{ cert }}-pem: {% endfor %} {% endfor %} -{%- for dir in ['providers', 'profiles', 'maps'] %} -{%- set source = salt_settings.cloud.template_sources.get(dir) %} +{%- for dir, templ_path in salt_settings.cloud.template_sources.items() %} salt-cloud-{{ dir }}: file.recurse: - name: /etc/salt/cloud.{{ dir }}.d - - source: {{ source }} + - source: {{ templ_path }} - template: jinja - makedirs: True {%- endfor %}
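Review bot: Iterating `salt_settings.cloud.template_sources.items()` turns every key an operator places under that pillar mapping into a path component of `/etc/salt/cloud.{{ dir }}.d` with no validation, so a typo or an extra key silently creates a new directory under /etc/salt, and only `providers` is covered by the `salt-cloud-providers-permissions` state that follows this hunk. Pillar is trusted input, but external pillar sources make a guard cheap insurance: keep `{%- for dir, templ_path in salt_settings.cloud.template_sources.items() %}` and add `{%- if dir in ['providers', 'profiles', 'maps'] %}` directly under it (with a matching `{%- endif %}` before `{%- endfor %}`) so the target set stays what salt-cloud actually reads. Whether `template_sources` here is the merged default+pillar mapping or the raw pillar value depends on map.jinja, which is not in the diff.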