update_puppet_crl.sh

#!/usr/bin/env bash

set -euo pipefail

PUPPET_CRL=$(/opt/puppetlabs/bin/puppet config print hostcrl)
PUPPET_CRL_DIR=$(dirname "$PUPPET_CRL")
PUPPET_CA_CRL=$(/opt/puppetlabs/bin/puppet config print cacrl)
PUPPET_CA_CRL_DIR=$(dirname "$PUPPET_CA_CRL")
if [[ -d $PUPPET_CA_CRL_DIR ]]; then
  SERVER="yes"
  USER="puppet"
  GROUP="puppet"
else
  SERVER="no"
  USER="root"
  GROUP="root"
fi
CA_HASH="MY_CA_HASH"
WORKDIR=$(mktemp -d)

cleanup() {
  if [[ -n "${WORKDIR:-}" && -d "$WORKDIR" ]]; then
    rm -rf "$WORKDIR"
  fi
  popd > /dev/null
}

if [[ -z $PUPPET_CRL ]]; then
  echo "ERROR: Unable to determine location of CRL file" 1>&2
  exit 1
fi

pushd "$WORKDIR" > /dev/null
trap cleanup EXIT

aws s3 cp "s3://MY_S3_BUCKET/crl/${CA_HASH}.crl" raw.crl > /dev/null
openssl crl -inform DER -in raw.crl -outform PEM -out root_crl.pem

csplit -s -z -f crl- "$PUPPET_CRL" '/-----BEGIN X509 CRL-----/' '{*}'
oldroot=$(find . -type f -name 'crl-*' | sort -n | tail -n 1)
if [[ -f "$oldroot" ]]; then
  rm -f "$oldroot"
fi

cat -- crl-* root_crl.pem > "${PUPPET_CRL_DIR}/crl.pem.new"
chown "${USER}:${GROUP}" "${PUPPET_CRL_DIR}/crl.pem.new"
(cd "$PUPPET_CRL_DIR" && mv -bS .old crl.pem.new crl.pem)
if [[ $SERVER == "yes" ]]; then
  ca_crl=$(basename "$PUPPET_CA_CRL")
  cat -- crl-* root_crl.pem > "${PUPPET_CA_CRL_DIR}/${ca_crl}.new"
  chown "${USER}:${GROUP}" "${PUPPET_CA_CRL_DIR}/${ca_crl}.new"
  (cd "$PUPPET_CA_CRL_DIR" && mv -bS .old "${ca_crl}.new" "$ca_crl")
fi