feat(aws): configure basic auth for bindle

aws/terraform/ec2_assets/job/bindle.nomad

@@ -10,6 +10,11 @@ variable "enable_letsencrypt" {
   description = "Enable cert provisioning via Let's Encrypt"
 }
 
+variable "basic_auth_string" {
+  type        = string
+  description = "Basic auth string (e.g. <username>:<bcrypt hash of password>) for Bindle"
+}
+
 job "bindle" {
   datacenters = ["dc1"]
   type        = "service"
@@ -53,10 +58,15 @@ job "bindle" {
         RUST_LOG = "error,bindle=debug"
       }
 
+      template {
+        data = var.basic_auth_string
+        destination = "${NOMAD_TASK_DIR}/htpasswd"
+      }
+
       config {
         command = "bindle-server"
         args = [
-          "--unauthenticated",
+          "--htpasswd-file", "${NOMAD_TASK_DIR}/htpasswd",
           "--address", "${NOMAD_ADDR_http}",
           # PRO TIP: set to an absolute directory to persist bindles when job
           # is restarted

aws/terraform/ec2_assets/job/hippo.nomad

@@ -39,6 +39,17 @@ variable "admin_password" {
   default     = null
 }
 
+variable "bindle_auth_username" {
+  type        = string
+  description = "Basic auth username for Bindle"
+}
+
+variable "bindle_auth_password" {
+  type        = string
+  description = "Basic auth password for Bindle"
+}
+
+
 job "hippo" {
   datacenters = ["dc1"]
   type        = "service"
@@ -104,7 +115,7 @@ job "hippo" {
         # Database__Driver            = "postgresql"
         # ConnectionStrings__Database = "Host=localhost;Username=postgres;Password=postgres;Database=hippo"
 
-        ConnectionStrings__Bindle     = "server=${var.bindle_url}"
+        ConnectionStrings__Bindle    = "server=${var.bindle_url};username=${var.bindle_auth_username};password=${var.bindle_auth_password}"
 
         Nomad__Traefik__Entrypoint   = var.enable_letsencrypt ? "websecure" : "web"
         Nomad__Traefik__CertResolver = var.enable_letsencrypt ? "letsencrypt-tls" : ""

aws/terraform/ec2_assets/run_servers.sh

@@ -95,6 +95,7 @@ echo "Starting bindle job..."
 nomad run \
   -var domain="bindle.${DNS_ZONE}" \
   -var enable_letsencrypt="${ENABLE_LETSENCRYPT}" \
+  -var basic_auth_string="$(htpasswd -bBn ${BINDLE_AUTH_USERNAME} ${BINDLE_AUTH_PASSWORD} | tr -d '\n')" \
   job/bindle.nomad
 
 echo "Starting hippo job..."
@@ -104,6 +105,8 @@ nomad run \
   -var admin_username="${HIPPO_ADMIN_USERNAME}" \
   -var admin_password="${HIPPO_ADMIN_PASSWORD}" \
   -var bindle_url="${PLATFORM_PROTOCOL}://bindle.${DNS_ZONE}/v1" \
+  -var bindle_auth_username="${BINDLE_AUTH_USERNAME}" \
+  -var bindle_auth_password="${BINDLE_AUTH_PASSWORD}" \
   -var enable_letsencrypt="${ENABLE_LETSENCRYPT}" \
   job/hippo.nomad
 

aws/terraform/main.tf

@@ -124,6 +124,8 @@ resource "aws_instance" "ec2" {
 
       bindle_version          = local.bindle_version,
       bindle_checksum         = local.bindle_checksum,
+      bindle_auth_username    = var.bindle_auth_username,
+      bindle_auth_password    = random_password.bindle_auth_password.result
 
       spin_version            = local.spin_version,
       spin_checksum           = local.spin_checksum,
@@ -259,3 +261,13 @@ resource "random_password" "hippo_admin_password" {
   special          = true
   override_special = "!#%&*-_=+<>:?"
 }
+
+# -----------------------------------------------------------------------------
+# Bindle auth password
+# -----------------------------------------------------------------------------
+
+resource "random_password" "bindle_auth_password" {
+  length           = 22
+  special          = true
+  override_special = "!#%&*-_=+<>:?"
+}

aws/terraform/outputs.tf

@@ -40,6 +40,17 @@ output "hippo_admin_password" {
   sensitive   = true
 }
 
+output "bindle_auth_username" {
+  description = "Basic auth username for Bindle"
+  value       = var.bindle_auth_username
+}
+
+output "bindle_auth_password" {
+  description = "Basic auth password for Bindle"
+  value       = random_password.bindle_auth_password.result
+  sensitive   = true
+}
+
 output "common_tags" {
   description = "All applicable AWS resources are tagged with these values"
   value       = local.common_tags
@@ -54,6 +65,8 @@ export HIPPO_URL=${var.enable_letsencrypt ? "https" : "http"}://hippo.${var.dns_
 export HIPPO_USERNAME=${var.hippo_admin_username}
 export HIPPO_PASSWORD=${random_password.hippo_admin_password.result}
 export BINDLE_URL=${var.enable_letsencrypt ? "https" : "http"}://bindle.${var.dns_host == "sslip.io" ? "${aws_eip.lb.public_ip}.${var.dns_host}" : var.dns_host}/v1
+export BINDLE_USERNAME=${var.bindle_auth_username}
+export BINDLE_PASSWORD=${random_password.bindle_auth_password.result}
 
 EOM
 }

aws/terraform/scripts/user-data.sh

@@ -28,6 +28,7 @@ cd /tmp
 
 ## Install misc utilities
 sudo apt-get update && sudo apt-get install -y \
+  apache2-utils \
   curl \
   unzip
 
@@ -112,6 +113,9 @@ export HIPPO_ADMIN_USERNAME='${hippo_admin_username}'
 export HIPPO_ADMIN_PASSWORD='${hippo_admin_password}'
 export HIPPO_REGISTRATION_MODE='${hippo_registration_mode}'
 
+export BINDLE_AUTH_USERNAME='${bindle_auth_username}'
+export BINDLE_AUTH_PASSWORD='${bindle_auth_password}'
+
 export DNS_ZONE='${dns_zone}'
 export ENABLE_LETSENCRYPT='${enable_letsencrypt}'
 

aws/terraform/variables.tf

@@ -68,3 +68,9 @@ variable "hippo_registration_mode" {
     error_message = "The Hippo registration mode must be 'Open', 'Closed' or 'AdministratorOnly'."
   }
 }
+
+variable "bindle_auth_username" {
+  description = "Basic auth username for Bindle"
+  type        = string
+  default     = "admin"
+}