Dogfood - Enable Fleet TLS connectivity to MySQL (#31201)

- Added tls certificate retriever sidecar configuration and dependencies, for dogfood - Added tls certificate retriever sidecar configuration and dependencies, for dogfood (free)
2026-04-21 13:37:30 +00:00 · 2025-07-23 22:01:26 -04:00 · 2025-07-23 22:01:26 -04:00 · d964e124cc
commit d964e124cc
parent 593a4f8156
3 changed files with 140 additions and 1 deletions
--- a/infrastructure/dogfood/terraform/aws-tf-module/free.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/free.tf
@ -11,7 +11,50 @@ locals {
    ELASTIC_APM_SERVER_URL                     = var.elastic_url
    ELASTIC_APM_SECRET_TOKEN                   = var.elastic_token
    ELASTIC_APM_SERVICE_NAME                   = "dogfood-free"
+
+
+    # Load TLS Certificate for RDS Authentication
+    FLEET_MYSQL_TLS_CA              = local.cert_path
+    FLEET_MYSQL_READ_REPLICA_TLS_CA = local.cert_path
  }
+
+  /* 
+    configurations below are necessary for MySQL TLS authentication
+    MySQL TLS Settings to download and store TLS Certificate
+
+    ca_thumbprint is maintained in the infrastructure/cloud/shared/
+    ca_thumbprint is the sha1 thumbprint value of the following certificate: aws rds describe-db-instances --filters='Name=db-cluster-id,Values='${cluster_name}'' | jq '.DBInstances.[0].CACertificateIdentifier' | sed 's/\"//g'
+    You can retrieve the value with the following command: aws rds describe-certificates --certificate-identifier=${ca_cert_val} | jq '.Certificates.[].Thumbprint' | sed 's/\"//g'
+  */
+
+  # load the certificate with a side car into a volume mount
+  sidecars_free = [
+    {
+      name       = "rds-tls-ca-retriever"
+      image      = "public.ecr.aws/docker/library/alpine@sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715"
+      entrypoint = ["/bin/sh", "-c"]
+      command = [templatefile("./templates/mysql_ca_tls_retrieval.sh.tpl", {
+        aws_region         = data.aws_region.current.id
+        container_path     = local.rds_container_path
+        ca_cert_thumbprint = local.ca_cert_thumbprint
+      })]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = local.customer_free
+          "awslogs-region"        = data.aws_region.current.id
+          "awslogs-stream-prefix" = "rds-tls-ca-retriever"
+        }
+      }
+      mountPoints = [
+        {
+          sourceVolume  = "rds-tls-certs",
+          containerPath = local.rds_container_path
+        }
+      ]
+      essential = false
+    }
+  ]
 }

 module "free" {
@ -83,6 +126,24 @@ module "free" {
    extra_iam_policies          = module.ses-free.fleet_extra_iam_policies
    extra_environment_variables = merge(module.ses-free.fleet_extra_environment_variables, local.extra_environment_variables_free, module.geolite2.extra_environment_variables)
    private_key_secret_name     = "${local.customer_free}-fleet-server-private-key"
+    volumes = [
+      {
+        name = "rds-tls-certs"
+      }
+    ]
+    mount_points = [
+      {
+        sourceVolume  = "rds-tls-certs",
+        containerPath = local.rds_container_path
+      }
+    ]
+    depends_on = [
+      {
+        containerName = "rds-tls-ca-retriever"
+        condition     = "SUCCESS"
+      }
+    ]
+    sidecars = local.sidecars_free
  }
  alb_config = {
    name            = local.customer_free
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@ -72,6 +72,11 @@ locals {
    FLEET_WEBHOOK_STATUS_URL        = var.webhook_url
    FLEET_WEBHOOK_RESULT_URL        = var.webhook_url
    FLEET_OSQUERY_RESULT_LOG_PLUGIN = var.webhook_url != "" ? "webhook" : ""
+
+
+    # Load TLS Certificate for RDS Authentication
+    FLEET_MYSQL_TLS_CA              = local.cert_path
+    FLEET_MYSQL_READ_REPLICA_TLS_CA = local.cert_path
  }
  entra_conditional_access_secrets = {
    # Entra Conditional Access Proxy API Key
@ -81,6 +86,47 @@ locals {
    FLEET_SENTRY_DSN = "${aws_secretsmanager_secret.sentry.arn}:FLEET_SENTRY_DSN::"
  }
  # idp_metadata_file = "${path.module}/files/idp-metadata.xml"
+
+  /* 
+    configurations below are necessary for MySQL TLS authentication
+    MySQL TLS Settings to download and store TLS Certificate
+
+    ca_thumbprint is maintained in the infrastructure/cloud/shared/
+    ca_thumbprint is the sha1 thumbprint value of the following certificate: aws rds describe-db-instances --filters='Name=db-cluster-id,Values='${cluster_name}'' | jq '.DBInstances.[0].CACertificateIdentifier' | sed 's/\"//g'
+    You can retrieve the value with the following command: aws rds describe-certificates --certificate-identifier=${ca_cert_val} | jq '.Certificates.[].Thumbprint' | sed 's/\"//g'
+  */
+  ca_cert_thumbprint = "8cf85e3e2bdbcbe2c4a34c1e85828fb29833e87f"
+  rds_container_path = "/tmp/rds-tls"
+  cert_path          = "${local.rds_container_path}/${data.aws_region.current.id}.pem"
+
+  # load the certificate with a side car into a volume mount
+  sidecars = [
+    {
+      name       = "rds-tls-ca-retriever"
+      image      = "public.ecr.aws/docker/library/alpine@sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715"
+      entrypoint = ["/bin/sh", "-c"]
+      command = [templatefile("./templates/mysql_ca_tls_retrieval.sh.tpl", {
+        aws_region         = data.aws_region.current.id
+        container_path     = local.rds_container_path
+        ca_cert_thumbprint = local.ca_cert_thumbprint
+      })]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = local.customer
+          "awslogs-region"        = data.aws_region.current.id
+          "awslogs-stream-prefix" = "rds-tls-ca-retriever"
+        }
+      }
+      mountPoints = [
+        {
+          sourceVolume  = "rds-tls-certs",
+          containerPath = local.rds_container_path
+        }
+      ]
+      essential = false
+    }
+  ]
 }

 module "main" {
@ -179,6 +225,24 @@ module "main" {
        backup = "true"
      }
    }
+    volumes = [
+      {
+        name = "rds-tls-certs"
+      }
+    ]
+    mount_points = [
+      {
+        sourceVolume  = "rds-tls-certs",
+        containerPath = local.rds_container_path
+      }
+    ]
+    depends_on = [
+      {
+        containerName = "rds-tls-ca-retriever"
+        condition     = "SUCCESS"
+      }
+    ]
+    sidecars = local.sidecars
    # sidecars = [
    #   {
    #     name        = "osquery"
@ -590,7 +654,7 @@ module "geolite2" {
 }

 module "vuln-processing" {
-  source                              = "github.com/fleetdm/fleet-terraform//addons/external-vuln-scans?ref=tf-mod-addon-external-vuln-scans-v2.2.0"
+  source                              = "github.com/fleetdm/fleet-terraform//addons/external-vuln-scans?ref=tf-mod-addon-external-vuln-scans-v2.2.1"
  ecs_cluster                         = module.main.byo-vpc.byo-db.byo-ecs.service.cluster
  execution_iam_role_arn              = module.main.byo-vpc.byo-db.byo-ecs.execution_iam_role_arn
  subnets                             = module.main.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].subnets
--- a/infrastructure/dogfood/terraform/aws-tf-module/templates/mysql_ca_tls_retrieval.sh.tpl
+++ b/infrastructure/dogfood/terraform/aws-tf-module/templates/mysql_ca_tls_retrieval.sh.tpl
@ -0,0 +1,14 @@
+#!/bin/bash
+apk add coreutils openssl
+        
+wget --quiet  https://truststore.pki.rds.amazonaws.com/${aws_region}/${aws_region}-bundle.pem -O ${aws_region}-bundle.dl.pem
+csplit -k -f cert. -b '%02d.pem' ${aws_region}-bundle.dl.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+for filename in cert.*;
+do 
+  thumbprint=$(openssl x509 -in $${filename} -noout -fingerprint | cut -c 18- | sed 's/\://g' | awk '{print tolower($0)}')
+  if [[ "${ca_cert_thumbprint}" = "$${thumbprint}" ]];
+  then
+    mv $${filename} ${container_path}/${aws_region}.pem
+  fi 
+done