Config file to add HTTPS to an Elastic Beanstalk instance without a load balancer, using Let's Encrypt (Apache)
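Resources:
  # Open 443 on the environment's instance security group so the Apache
  # TLS vhost (Listen 443 below) is reachable; there is no load balancer
  # in front of the instance in this setup.
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId:
        Fn::GetAtt:
          - AWSEBSecurityGroup
          - GroupId
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      # Public HTTPS is the intent here; narrow the CIDR if only a known
      # set of clients should reach the site.
      CidrIp: 0.0.0.0/0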
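packages:
  yum:
    # An empty version list installs whatever version yum currently offers.
    epel-release: []
    mod24_ssl: []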
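files:
  # Static credentials for the `aws elasticbeanstalk describe-environments`
  # calls in /tmp/getvars.sh. Prefer dropping this file entirely and granting
  # elasticbeanstalk:DescribeEnvironments to the instance profile, so that no
  # long-lived key ships with the application bundle. If it is kept, the two
  # placeholders must be filled in at deploy time, never in source control.
  "/root/.aws/credentials":
    # 0600 rather than 0644: only root (which runs the commands) reads it.
    mode: "000600"
    owner: root
    group: root
    encoding: plain
    content: |
      [default]
      aws_access_key_id = VALID_AWS_ACCESS_KEY
      aws_secret_access_key = VALID_AWS_SECRET

  # Resolves the environment's CNAME at deploy time and writes it to
  # /tmp/envvars, which the certbot command sources afterwards.
  "/tmp/getvars.sh":
    mode: "000555"
    owner: root
    group: root
    encoding: plain
    content: |
      #!/bin/bash
      # get the vars from the env
      # Needed because vars are not set for commands, only container_commands
      #
      # Fail on the first error so an empty CNAME never reaches certbot.
      set -euo pipefail

      logMsg()
      {
        INITPID=$$
        PROG="getvars"
        logger -t "${PROG}[${INITPID}]" "$1"
        echo "$1"
      }

      # Region = availability zone from the instance metadata service minus
      # its trailing letter. This is an IMDSv1 request; an instance that
      # requires IMDSv2 needs a session token on this call instead.
      AVAILABILITY_ZONE=$(wget -qO- http://169.254.169.254/latest/meta-data/placement/availability-zone)
      REGION_ID="${AVAILABILITY_ZONE%?}"

      # Elastic Beanstalk resolves the backtick-wrapped Ref when it writes
      # this file, so the environment name ends up here as a literal.
      BEANSTALKENV=`{ "Ref" : "AWSEBEnvironmentName" }`

      # Let the CLI select the fields instead of scraping the JSON output
      # with grep/cut, which breaks on formatting changes.
      BEANSTALKAPP=$(/usr/bin/aws elasticbeanstalk describe-environments --environment-names "${BEANSTALKENV}" --region "${REGION_ID}" --query 'Environments[0].ApplicationName' --output text)
      ENV_CNAME=$(/usr/bin/aws elasticbeanstalk describe-environments --environment-names "${BEANSTALKENV}" --region "${REGION_ID}" --query 'Environments[0].CNAME' --output text)

      logMsg "Getting vars from env ${BEANSTALKENV} in ${BEANSTALKAPP} (${REGION_ID}) (${ENV_CNAME})"

      # /tmp is world-writable: remove whatever is at the path first and
      # create the new file readable by root only, since it is later
      # sourced as root.
      umask 077
      rm -f /tmp/envvars
      echo "ENV_CNAME=${ENV_CNAME}" > /tmp/envvars

  # Redirect plain-HTTP requests to HTTPS. Without a load balancer the
  # request scheme is known locally, so test mod_rewrite's HTTPS variable
  # rather than X-Forwarded-Proto, which is client-controlled on a direct
  # port-80 request.
  "/etc/httpd/conf.d/ssl_rewrite.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

  # TLS vhost serving the application through mod_wsgi, using the
  # certificate symlinked to /etc/letsencrypt/live/ebcert by the commands
  # section.
  "/etc/httpd/conf.d/ssl.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      LoadModule wsgi_module modules/mod_wsgi.so
      WSGIPythonHome /opt/python/run/baselinenv
      WSGISocketPrefix run/wsgi
      WSGIRestrictEmbedded On
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        SSLEngine on
        SSLCertificateFile "/etc/letsencrypt/live/ebcert/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/ebcert/privkey.pem"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        # TLS 1.0 and 1.1 are disabled alongside SSLv2/v3; TLS 1.2+ remains.
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder On
        SSLSessionTickets Off
        # includeSubdomains and preload commit every subdomain to HTTPS and
        # are hard to revert once submitted to the browser preload lists.
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        RequestHeader set X-Forwarded-Proto "https" early
        Alias /static/ /opt/python/current/app/staticfiles/
        <Directory /opt/python/current/app/staticfiles/>
          Order allow,deny
          Allow from all
        </Directory>
        Alias /static /opt/python/current/app/staticfiles
        <Directory /opt/python/current/app/staticfiles>
          Order allow,deny
          Allow from all
        </Directory>
        WSGIScriptAlias / /opt/python/current/app/ctq/wsgi.py
        <Directory /opt/python/current/app/>
          Require all granted
        </Directory>
        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-home=/opt/python/run/venv/ \
          python-path=/opt/python/current/app user=wsgi group=wsgi \
          home=/opt/python/current/app
        WSGIProcessGroup wsgi-ssl
      </VirtualHost>

  # Adds the certbot log to `eb logs` output. This is a list of paths, not
  # a script, so it does not need to be executable.
  "/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      /var/log/letsencrypt/letsencrypt.log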
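commands:
  # Resolve the environment CNAME, fetch certbot-auto and obtain or renew
  # the certificate in standalone mode, then point the fixed `ebcert` path
  # used by ssl.conf at the issued certificate.
  command block:
    command: |
      # Without this a failed certbot run is masked by the final ln, which
      # succeeds even when the target directory does not exist.
      set -e
      /tmp/getvars.sh
      # Sourced as root; /tmp/envvars is written by /tmp/getvars.sh, but
      # /tmp itself is world-writable, so a root-owned directory would be
      # the safer home for it.
      . /tmp/envvars
      # certbot-auto is downloaded over HTTPS but not otherwise checked
      # before it runs as root; EFF publishes a detached signature at
      # https://dl.eff.org/certbot-auto.asc that should be verified here.
      # certbot-auto has since been retired upstream; the distribution's
      # certbot package is the maintained replacement.
      wget https://dl.eff.org/certbot-auto -O /tmp/certbot-auto
      chmod a+x /tmp/certbot-auto
      logMsg()
      {
        INITPID=$$
        PROG="getvars"
        logger -t "${PROG}[${INITPID}]" "$1"
        echo "$1"
      }
      logMsg "CNAME ${ENV_CNAME}"
      # --standalone binds the ACME listener itself, hence the hooks that
      # stop and start httpd around the challenge (brief downtime).
      /tmp/certbot-auto certonly --debug --non-interactive --email YOUR_EMAIL --agree-tos --standalone --domains "${ENV_CNAME}" --keep-until-expiring --pre-hook "service httpd stop" --post-hook "service httpd start"
      # -n keeps a redeploy from creating the link inside the directory the
      # existing ebcert symlink already points to.
      ln -sfn "/etc/letsencrypt/live/${ENV_CNAME}" /etc/letsencrypt/live/ebcert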