Merge pull request #91 from Ontotext-AD/GDB-11621

GDB-11621 Run cronjob as root, to make sure that backup rotation works correctly.

Author: vanxa

modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl

@@ -82,7 +82,7 @@ GDB_PROPERTIES=$(aws --cli-connect-timeout 300 ssm get-parameter --region ${regi
 extra_graphdb_java_options="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/graphdb_java_options" --with-decryption 2>/dev/null | jq -r .Parameter.Value || /bin/true )"
 if [[ -n $extra_graphdb_java_options  ]]; then
   if grep GDB_JAVA_OPTS /etc/graphdb/graphdb.env &>/dev/null; then
-    sed -ie "s/GDB_JAVA_OPTS=\"\(.*\)\"/GDB_JAVA_OPTS=\"\1 $extra_graphdb_java_options\"/g" /etc/graphdb/graphdb.env
+    sed -ie "s|GDB_JAVA_OPTS=\"\(.*\)\"|GDB_JAVA_OPTS=\"\1 $extra_graphdb_java_options\"|g" /etc/graphdb/graphdb.env
   else
     echo "GDB_JAVA_OPTS=$extra_graphdb_java_options" > /etc/graphdb/graphdb.env
   fi

modules/graphdb/templates/05_gdb_backup_conf.sh.tpl

@@ -17,12 +17,19 @@ echo "#    Configuring the GraphDB backup cron job    #"
 echo "#################################################"
 
 if [ ${deploy_backup} == "true" ]; then
-  GRAPHDB_ADMIN_PASSWORD="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption | jq -r .Parameter.Value | base64 -d)"
+  # Create the backup user. ID : 1010
+  echo "Creating the backup user"
+  useradd -r -M -s /usr/sbin/nologin gdb-backup
+  # Initialize the log file so that we are safe from potential attacks
+  [[ -f /var/opt/graphdb/node/graphdb_backup.log ]] && rm /var/opt/graphdb/node/graphdb_backup.log
+  touch /var/opt/graphdb/node/graphdb_backup.log
+  chown gdb-backup:gdb-backup /var/opt/graphdb/node/graphdb_backup.log
+  chmod og-rw /var/opt/graphdb/node/graphdb_backup.log
   cat <<-EOF >/usr/bin/graphdb_backup
 #!/bin/bash
 
 set -euo pipefail
-GRAPHDB_ADMIN_PASSWORD="\$1"
+GRAPHDB_ADMIN_PASSWORD="\$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption | jq -r .Parameter.Value | base64 -d)"
 NODE_STATE="\$(curl --silent -u "admin:\$GRAPHDB_ADMIN_PASSWORD" http://localhost:7201/rest/cluster/node/status | jq -r .nodeState)"
 
 function trigger_backup {
@@ -83,9 +90,11 @@ fi
 EOF
 
   chmod +x /usr/bin/graphdb_backup
-  echo "${backup_schedule} graphdb /usr/bin/graphdb_backup $GRAPHDB_ADMIN_PASSWORD" >/etc/cron.d/graphdb_backup
+  echo "${backup_schedule} gdb-backup /usr/bin/graphdb_backup" >/etc/cron.d/graphdb_backup
   chmod og-rwx /etc/cron.d/graphdb_backup
-
+  # Set ownership of aws-cli to backup user
+  chown -R gdb-backup:gdb-backup /usr/local/aws-cli
+  chmod -R og-rwx /usr/local/aws-cli/
   log_with_timestamp "Cron job created"
 else
   log_with_timestamp "Backup module is not deployed, skipping provisioning..."

modules/graphdb/user_data.tf

@@ -72,16 +72,20 @@ data "cloudinit_config" "graphdb_user_data" {
     })
   }
 
-  part {
-    content_type = "text/x-shellscript"
-    content = templatefile("${path.module}/templates/05_gdb_backup_conf.sh.tpl", {
-      name : var.resource_name_prefix
-      region : var.aws_region
-      backup_schedule : var.backup_schedule
-      backup_retention_count : var.backup_retention_count
-      backup_bucket_name : var.backup_bucket_name
-      deploy_backup : var.deploy_backup
-    })
+  dynamic "part" {
+    for_each = var.deploy_backup ? [1] : []
+
+    content {
+      content_type = "text/x-shellscript"
+      content = templatefile("${path.module}/templates/05_gdb_backup_conf.sh.tpl", {
+        name : var.resource_name_prefix
+        region : var.aws_region
+        backup_schedule : var.backup_schedule
+        backup_retention_count : var.backup_retention_count
+        backup_bucket_name : var.backup_bucket_name
+        deploy_backup : var.deploy_backup
+      })
+    }
   }
 
   part {
@@ -154,13 +158,19 @@ data "cloudinit_config" "graphdb_user_data" {
     }
   }
 
-  # 12 Make aws-cli accessible only for root user
-  part {
-    content_type = "text/x-shellscript"
-    content      = <<-EOF
-      #!/bin/bash
+  # 12 Make aws-cli accessible only for root user iff backup is not enabled (otherwise, will be owned by the backup user)
+  dynamic "part" {
+    for_each = var.deploy_backup ? [] : [1]
+
+    content {
+      content_type = "text/x-shellscript"
+      content      = <<-EOF
+            #!/bin/bash
       set -euo pipefail
       chmod -R og-rwx /usr/local/aws-cli/
     EOF
+    }
+
   }
+
 }