salt-formula/salt/cloud.sls
Andrew Vant f0e9c2df87 Enforced root-only permissions on cloud.providers.d.
As mentioned in issue #118, provider files may contain passwords
or API keys and should be restricted. Profiles/maps are probably
OK with the defaults.
2015-04-06 11:24:41 -04:00


{% from "salt/map.jinja" import salt_settings with context %}
# pip from the system package manager; every pip.installed state in this file
# requires it.
python-pip:
  pkg.installed: []
# Python crypto library installed through pip once pip itself is present.
# NOTE(review): no version is pinned, so each run accepts whatever release the
# configured package index serves. Consider pinning, and confirm pycrypto is
# still the right dependency for the Salt release in use (upstream no longer
# publishes releases for it).
pycrypto:
  pip.installed:
    - require:
      - pkg: python-pip
# Additional `crypto` pip package, installed only when os_family is neither
# Debian nor RedHat.
# NOTE(review): `crypto` and `pycrypto` are distinct project names on the
# package index. Confirm this is the intended project and pin a version.
{% if grains['os_family'] not in ['Debian', 'RedHat'] %}
crypto:
  pip.installed:
    - require:
      - pkg: python-pip
{% endif %}
# libcloud installed through pip; the salt-cloud package state requires it.
# NOTE(review): unpinned, like the other pip packages here. Consider fixing a
# version so the installed code does not change between runs.
apache-libcloud:
  pip.installed:
    - require:
      - pkg: python-pip
# Install the salt-cloud package only when salt_settings.install_packages is
# set. The package name comes from salt_settings.salt_cloud.
{% if salt_settings.install_packages %}
salt-cloud:
  pkg.installed:
    - name: {{ salt_settings.salt_cloud }}
    # The pip-installed libraries must be in place before the package.
    - require:
      - pip: apache-libcloud
      - pip: pycrypto
{% if grains['os_family'] not in ['Debian', 'RedHat'] %}
      # Same condition as the one guarding the `crypto` state.
      - pip: crypto
{% endif %}
{% endif %}
# One PEM file under /etc/salt/pki/cloud per entry in the `salt_cloud_certs`
# pillar. The inner loop currently iterates over the single type 'pem'.
{% for cert in pillar.get('salt_cloud_certs', {}) %}
{% for type in ['pem'] %}
cloud-cert-{{ cert }}-pem:
  file.managed:
    - name: /etc/salt/pki/cloud/{{ cert }}.pem
    - source: salt://salt/files/key
    - template: jinja
    # Presumably key material: owned by root, readable and writable by root
    # only.
    - user: root
    - group: root
    - mode: 600
    - makedirs: True
    # Values passed to the template as `key` and `type`.
    - defaults:
        key: {{ cert }}
        type: {{ type }}
{% endfor %}
{% endfor %}
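# Sync /etc/salt/cloud.providers.d, cloud.profiles.d and cloud.maps.d from the
# sources configured in salt_settings.cloud.template_sources.
# NOTE(review): .get() yields None for a missing key, which would render as
# `source: None`. Confirm map.jinja always defines all three sources.
{%- for dir in ['providers', 'profiles', 'maps'] %}
{%- set source = salt_settings.cloud.template_sources.get(dir) %}
salt-cloud-{{ dir }}:
  file.recurse:
    - name: /etc/salt/cloud.{{ dir }}.d
    - source: {{ source }}
    - template: jinja
    - makedirs: True
{%- if dir == 'providers' %}
    # Provider files may hold passwords or API keys. Ownership and modes are
    # set in the state that writes them, so they are not left at default
    # permissions until a later state tightens them.
    - user: root
    - group: root
    - file_mode: '0600'
    - dir_mode: '0700'
{%- endif %}
{%- endfor %}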
# Restrict /etc/salt/cloud.providers.d to root: directories 700, files 600.
# `recurse` applies owner, group and mode to everything already inside the
# directory, not only to files placed there by this formula.
# NOTE(review): no requisite links this state to salt-cloud-providers, so
# running after it presumably relies on definition order. Confirm.
salt-cloud-providers-permissions:
  file.directory:
    - name: /etc/salt/cloud.providers.d
    - user: root
    - group: root
    - file_mode: 600
    - dir_mode: 700
    - recurse:
      - user
      - group
      - mode