├── .github
│   ├── pull_request_template.md
│   └── workflows
│       └── security-considerations.yml
├── .gitignore
├── CODEOWNERS
├── CONTRIBUTING.md
├── LICENSE.md
├── README.md
├── SECURITY.md
├── bosh-create-env.sh
├── bosh-create-env.yml
├── ci
│   ├── pipeline.yml
│   ├── terraform-secrets.sh
│   ├── terraform-secrets.yml
│   ├── update-cloud-config-tooling-development.yml
│   ├── update-cloud-config-tooling.sh
│   ├── update-cloud-config-tooling.yml
│   ├── update-cloud-config.sh
│   ├── update-cloud-config.yml
│   ├── update-runtime-config.sh
│   └── update-runtime-config.yml
├── cloud-config
│   ├── base.yml
│   ├── bosh.yml
│   ├── cf.yml
│   ├── development.yml
│   ├── hub-tooling.yml
│   ├── isolation-segment.yml
│   ├── main.yml
│   ├── master.yml
│   ├── protobosh.yml
│   ├── root-disk.yml
│   ├── staging.yml
│   └── tooling.yml
├── empty-vm.yml
├── generate-instance-config.sh
├── generate-master-bosh-certs.sh
├── operations
│   ├── add-cloud-gov-root-certificate.yml
│   ├── add-nessus-agent.yml
│   ├── add-new-saml-key.yml
│   ├── ca.yml
│   ├── cloud-config.yml
│   ├── cpi-protobosh.yml
│   ├── cpi.yml
│   ├── cron.yml
│   ├── dns-aliases.yml
│   ├── dns.yml
│   ├── encryption.yml
│   ├── external-db-bosh-rds.yml
│   ├── external-db-protobosh.yml
│   ├── external-db.yml
│   ├── masterbosh-metadatav2.yml
│   ├── masterbosh-ntp.yml
│   ├── max-tasks.yml
│   ├── name.yml
│   ├── nats-payload.yml
│   ├── nist-ntp.yml
│   ├── remove-new-saml-key.yml
│   ├── rotate-new-saml-key.yml
│   ├── s3-blobstore-protobosh.yml
│   ├── s3-blobstore.yml
│   ├── uaa-clients.yml
│   ├── update.yml
│   ├── use-c5-large.yml
│   ├── use-trusty.yml
│   └── use-z3.yml
├── releases
│   ├── generate.rb
│   ├── generate.sh
│   ├── pipeline.yml.erb
│   └── releases.yml
├── runtime-config
│   └── runtime.yml
└── variables
    ├── development.yml
    ├── master.yml
    ├── production.yml
    ├── staging.yml
    ├── terraform-master.yml
    ├── terraform-westa-hub.yml
    ├── terraform.yml
    ├── tooling.yml
    └── westa-hub-tooling.yml

--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
1 | ## Changes proposed in this pull request:
2 | -
3 | -
4 | -
5 | 
6 | ## security considerations
7 | [Note any security considerations here, or make note of why there are none]
8 | 
--------------------------------------------------------------------------------
/.github/workflows/security-considerations.yml:
--------------------------------------------------------------------------------
1 | name: Security Considerations
2 | 
3 | on:
4 |   pull_request:
5 |     types: [opened, edited, reopened]
6 |     branches: [main, master, develop]
7 | 
8 | jobs:
9 |   security-considerations:
10 |     runs-on: ubuntu-latest
11 |     steps:
12 |       - uses: cloud-gov/security-considerations-action@main
13 | 
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | tmp/
2 | certs
3 | *secrets.yml
4 | *.pem
5 | credentials.yml
6 | 
--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
1 | * @cloud-gov/platform-ops
2 | 
3 | 
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | ## Public domain
2 | 
3 | This project is in the public domain within the United States, and
4 | copyright and related rights in the work worldwide are waived through
5 | the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
6 | 
7 | All contributions to this project will be released under the CC0
8 | dedication. By submitting a pull request, you are agreeing to comply
9 | with this waiver of copyright interest.
10 | 
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | As a work of the United States Government, this project is in the
2 | public domain within the United States.
3 | 
4 | Additionally, we waive copyright and related rights in the work
5 | worldwide through the CC0 1.0 Universal public domain dedication.
6 | 
7 | ## CC0 1.0 Universal Summary
8 | 
9 | This is a human-readable summary of the
10 | [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
11 | 
12 | ### No Copyright
13 | 
14 | The person who associated a work with this deed has dedicated the work to
15 | the public domain by waiving all of his or her rights to the work worldwide
16 | under copyright law, including all related and neighboring rights, to the
17 | extent allowed by law.
18 | 
19 | You can copy, modify, distribute and perform the work, even for commercial
20 | purposes, all without asking permission.
21 | 
22 | ### Other Information
23 | 
24 | In no way are the patent or trademark rights of any person affected by CC0,
25 | nor are the rights that other persons may have in the work or in how the
26 | work is used, such as publicity or privacy rights.
27 | 
28 | Unless expressly stated otherwise, the person who associated a work with
29 | this deed makes no warranties about the work, and disclaims liability for
30 | all uses of the work, to the fullest extent permitted by applicable law.
31 | When using or citing the work, you should not imply endorsement by the
32 | author or the affirmer.
33 | 
34 | 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## cloud.gov bosh configuration
2 | 
3 | This repo contains the Concourse pipeline and BOSH manifests for deploying BOSH via [bosh-deployment](https://github.com/cloudfoundry/bosh-deployment).
4 | 
5 | ## Updating the instance types
6 | 
7 | Every once in a while AWS adds new or deprecates old instance types, which means the cloud config will need to be updated. The easiest way to do this is by running the `generate-instance-config.sh` script and copying the output into the `vm_types` section of the [`base.yml`](./cloud-config/base.yml) file.
8 | 
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 | 
2 | **Reporting Security Issues**
3 | 
4 | Please refrain from reporting security vulnerabilities through public GitHub issues.
5 | 
6 | Instead, kindly report them via the information provided in [cloud.gov's security.txt](https://cloud.gov/.well-known/security.txt).
7 | 
8 | When reporting, include the following details (as much as possible) to help us understand the nature and extent of the potential issue:
9 | 
10 | - Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
11 | - Full paths of related source file(s)
12 | - Location of affected source code (tag/branch/commit or direct URL)
13 | - Any special configuration required to reproduce the issue
14 | - Step-by-step instructions to reproduce the issue
15 | - Proof-of-concept or exploit code (if available)
16 | - Impact of the issue, including potential exploitation by attackers
17 | 
18 | Providing this information will facilitate a quicker triage of your report.
19 | 
--------------------------------------------------------------------------------
/bosh-create-env.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | set -eux
4 | 
5 | bosh interpolate "${COMMON_FILE}" --path "/default_ca/private_key" > ./ca.key
6 | AGENT_VER=$(cat nessus-agent-release/version)
7 | sed -i "s/NESSUS_VER/$AGENT_VER/" bosh-config/operations/add-nessus-agent.yml
8 | # todo (mxplusb): there needs to be interpolation at some point before the deployment.
9 | # and deploy it!
10 | set +e
11 | bosh create-env \
12 |   bosh-deployment/bosh.yml \
13 |   --state bosh-state/*.json \
14 |   --ops-file bosh-deployment/aws/cpi.yml \
15 |   --ops-file bosh-deployment/aws/iam-instance-profile.yml \
16 |   --ops-file bosh-deployment/aws/cli-iam-instance-profile.yml \
17 |   --ops-file bosh-deployment/uaa.yml \
18 |   --ops-file bosh-deployment/credhub.yml \
19 |   --ops-file bosh-deployment/jumpbox-user.yml \
20 |   --ops-file bosh-config/operations/cpi.yml \
21 |   --ops-file bosh-config/operations/masterbosh-metadatav2.yml \
22 |   --ops-file bosh-config/operations/encryption.yml \
23 |   --ops-file bosh-config/operations/add-cloud-gov-root-certificate.yml \
24 |   --ops-file bosh-config/operations/masterbosh-ntp.yml \
25 |   --ops-file bosh-config/operations/add-nessus-agent.yml \
26 |   --vars-file "bosh-config/variables/${BOSH_NAME}.yml" \
27 |   --vars-file terraform-yaml/state.yml \
28 |   --vars-file terraform-secrets/terraform.yml \
29 |   --vars-file "${COMMON_FILE}" \
30 |   --vars-store ./creds.yml
31 | code=$?
32 | set -e
33 | 
34 | # ensure state gets copied to output, even when create-env failed
35 | cp bosh-state/*.json updated-bosh-state
36 | 
37 | # ensure we copy out creds.yml so we don't miss out on any new bosh-deployment variables
38 | cp creds.yml updated-bosh-creds/master-bosh-creds.yml
39 | 
40 | # only now report the create-env result, so a failed create-env fails the task
41 | exit "${code}"
42 | 
--------------------------------------------------------------------------------
/bosh-create-env.yml:
--------------------------------------------------------------------------------
1 | ---
2 | platform: linux
3 | 
4 | inputs:
5 |   - name: bosh-deployment
6 |   - name: common
7 |   - name: terraform-yaml
8 |   - name: bosh-config
9 |   - name: bosh-state
10 |   - name: bosh-creds
11 |   - name: terraform-secrets
12 |   - name: nessus-agent-release
13 | 
14 | outputs:
15 |   - name: updated-bosh-state
16 |   - name: updated-bosh-creds
17 | 
18 | run:
19 |   path: bosh-config/bosh-create-env.sh
20 | 
21 | params:
22 |   COMMON_FILE:
23 |   BOSH_NAME:
24 | 
--------------------------------------------------------------------------------
/ci/terraform-secrets.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | # fail the task instead of silently writing an empty or partial secrets file
4 | set -eu -o pipefail
5 | 
6 | bosh interpolate \
7 |   "bosh-config/variables/${VARS_FILE:-terraform.yml}" \
8 |   -l terraform-yaml/state.yml \
9 |   > terraform-secrets/terraform.yml
10 | 
--------------------------------------------------------------------------------
/ci/terraform-secrets.yml:
--------------------------------------------------------------------------------
1 | ---
2 | platform: linux
3 | 
4 | inputs:
5 |   - name: bosh-config
6 |   - name: terraform-yaml
7 | outputs:
8 |   - name: terraform-secrets
9 | 
10 | run:
11 |   path: bosh-config/ci/terraform-secrets.sh
12 | 
--------------------------------------------------------------------------------
/ci/update-cloud-config-tooling-development.yml:
--------------------------------------------------------------------------------
1 | ---
2 | platform: linux
3 | 
4 | image_resource:
5 |   type: registry-image
6 |   source:
7 |     aws_access_key_id: ((ecr_aws_key))
8 |     aws_secret_access_key: ((ecr_aws_secret))
9 |     repository: general-task
10 |     aws_region: us-gov-west-1
11 |     tag: latest
12 | 
13 | inputs:
14 |   - {name: bosh-config}
15 |   - {name: ca-cert-store}
16 |   - {name: terraform-yaml}
17 |   - {name: terraform-yaml-development}
18 | 
19 | run:
20 |   path: bosh-config/ci/update-cloud-config-tooling.sh
21 | 
22 | params:
23 |   OPS_PATHS:
24 |   BOSH_CA_CERT:
25 |   BOSH_ENVIRONMENT:
26 |   BOSH_CLIENT:
27 |   BOSH_CLIENT_SECRET:
28 | 
--------------------------------------------------------------------------------
/ci/update-cloud-config-tooling.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | set -eux
4 | 
5 | args=("--vars-file" "terraform-yaml/state.yml")
6 | for ops in ${OPS_PATHS:-}; do
7 |   args+=("--ops-file" "${ops}")
8 | done
9 | 
10 | # every environment whose terraform state is present gets its bosh network and profile appended
11 | for environment in "development" "staging" "production"; do
12 |   if [ -s "terraform-yaml-${environment}/state.yml" ]; then
13 |     cloud_config_environment=${environment} bosh interpolate \
14 |       bosh-config/cloud-config/bosh.yml \
15 |       --vars-file "terraform-yaml-${environment}/state.yml" \
16 |       --vars-env cloud_config \
17 |       > "${environment}-bosh.yml"
18 |     args+=("--ops-file" "${environment}-bosh.yml")
19 |   fi
20 | done
21 | 
22 | bosh -n update-cloud-config bosh-config/cloud-config/base.yml "${args[@]}"
23 | 
--------------------------------------------------------------------------------
/ci/update-cloud-config-tooling.yml:
--------------------------------------------------------------------------------
1 | ---
2 | platform: linux
3 | 
4 | inputs:
5 |   - {name: bosh-config}
6 |   - {name: ca-cert-store}
7 |   - {name: terraform-yaml}
8 |   - {name: terraform-yaml-development}
9 |   - {name: terraform-yaml-staging}
10 |   - {name: terraform-yaml-production}
11 | 
12 | 
13 | run:
14 |   path: bosh-config/ci/update-cloud-config-tooling.sh
15 | 
--------------------------------------------------------------------------------
/ci/update-cloud-config.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | set -eux
4 | 
5 | args=("--vars-file" "terraform-yaml/state.yml")
6 | for ops in ${OPS_PATHS:-}; do
7 |   args+=("--ops-file" "${ops}")
8 | done
9 | 
10 | # Collect isolation segment configs
11 | for segment in terraform-yaml-isolation-segment-*; do
12 |   if [ -d "${segment}" ]; then
13 |     outname="${segment/terraform-yaml-/}.yml"
14 |     cloud_config_segment="${segment/terraform-yaml-isolation-segment-/}" bosh interpolate \
15 |       bosh-config/cloud-config/isolation-segment.yml \
16 |       --vars-file "${segment}/state.yml" \
17 |       --vars-env cloud_config \
18 |       > "${outname}"
19 |     args+=("--ops-file" "${outname}")
20 |   fi
21 | done
22 | 
23 | bosh -n update-cloud-config bosh-config/cloud-config/base.yml "${args[@]}"
24 | 
--------------------------------------------------------------------------------
/ci/update-cloud-config.yml:
--------------------------------------------------------------------------------
1 | ---
2 | platform: linux
3 | 
4 | inputs:
5 |   - {name: bosh-config}
6 |   - {name: ca-cert-store}
7 |   - {name: terraform-yaml}
8 | 
9 | run:
10 |   path: bosh-config/ci/update-cloud-config.sh
11 | 
12 | params:
13 |   OPS_PATHS:
14 |   BOSH_CA_CERT:
15 |   BOSH_ENVIRONMENT:
16 |   BOSH_CLIENT:
17 |   BOSH_CLIENT_SECRET:
18 | 
--------------------------------------------------------------------------------
/ci/update-runtime-config.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | set -eu
4 | 
5 | releases=$(ls releases)
6 | 
7 | pushd releases
8 | for release in ${releases}; do
9 |   pushd "${release}"
10 |   tar xf *.tgz
11 |   name=$(grep "^name" release.MF | awk '{print $2}')
12 |   version=$(grep "^version" release.MF | awk '{print $2}' | sed -e "s/['\"']//g")
13 |   declare -x "runtime_release_${name//-/_}"=${version}   # read back via --vars-env runtime
14 |   popd
15 | done
16 | popd
17 | 
18 | bosh -n update-runtime-config \
bosh-config/runtime-config/runtime.yml \ 20 | --vars-env runtime \ 21 | --var=bosh_environment=${BOSH_ENV_NAME} \ 22 | --vars-file terraform-yaml/state.yml 23 | 24 | 25 | bosh -n update-runtime-config --name dns \ 26 | bosh-deployment/runtime-configs/dns.yml \ 27 | --ops-file bosh-config/operations/dns-aliases.yml 28 | -------------------------------------------------------------------------------- /ci/update-runtime-config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - { name: bosh-config } 6 | - { name: bosh-deployment } 7 | - { name: certificate } 8 | - { name: terraform-yaml } 9 | - { name: cg-s3-fisma-jammy-release, path: releases/fisma-jammy } 10 | - { name: aide-release, path: releases/aide } 11 | - { name: cg-s3-awslogs-jammy-release, path: releases/awslogs-jammy } 12 | - { name: cg-s3-nessus-agent-release, path: releases/nessus-agent } 13 | - { name: cg-s3-clamav-release, path: releases/clamav } 14 | - { name: cg-s3-jammy-snort-release, path: releases/jammy-snort } 15 | - { name: node-exporter-release, path: releases/node-exporter } 16 | - { name: syslog-release, path: releases/syslog } 17 | 18 | run: 19 | path: bosh-config/ci/update-runtime-config.sh 20 | 21 | params: 22 | BOSH_CA_CERT: 23 | BOSH_ENVIRONMENT: 24 | BOSH_CLIENT: 25 | BOSH_CLIENT_SECRET: 26 | BOSH_ENV_NAME: 27 | -------------------------------------------------------------------------------- /cloud-config/base.yml: -------------------------------------------------------------------------------- 1 | azs: 2 | - name: z1 3 | cloud_properties: 4 | availability_zone: ((terraform_outputs.az1)) 5 | - name: z2 6 | cloud_properties: 7 | availability_zone: ((terraform_outputs.az2)) 8 | 9 | vm_types: 10 | - cloud_properties: 11 | instance_type: c4.2xlarge 12 | name: c4.2xlarge 13 | - cloud_properties: 14 | instance_type: c4.4xlarge 15 | name: c4.4xlarge 16 | - cloud_properties: 17 | instance_type: c4.8xlarge 18 | 
name: c4.8xlarge 19 | - cloud_properties: 20 | instance_type: c4.large 21 | name: c4.large 22 | - cloud_properties: 23 | instance_type: c4.xlarge 24 | name: c4.xlarge 25 | - cloud_properties: 26 | instance_type: c5.12xlarge 27 | name: c5.12xlarge 28 | - cloud_properties: 29 | instance_type: c5.18xlarge 30 | name: c5.18xlarge 31 | - cloud_properties: 32 | instance_type: c5.24xlarge 33 | name: c5.24xlarge 34 | - cloud_properties: 35 | instance_type: c5.2xlarge 36 | name: c5.2xlarge 37 | - cloud_properties: 38 | instance_type: c5.4xlarge 39 | name: c5.4xlarge 40 | - cloud_properties: 41 | instance_type: c5.9xlarge 42 | name: c5.9xlarge 43 | - cloud_properties: 44 | instance_type: c5.large 45 | name: c5.large 46 | - cloud_properties: 47 | instance_type: c5.metal 48 | name: c5.metal 49 | - cloud_properties: 50 | instance_type: c5.xlarge 51 | name: c5.xlarge 52 | - cloud_properties: 53 | instance_type: c5d.12xlarge 54 | name: c5d.12xlarge 55 | - cloud_properties: 56 | instance_type: c5d.18xlarge 57 | name: c5d.18xlarge 58 | - cloud_properties: 59 | instance_type: c5d.24xlarge 60 | name: c5d.24xlarge 61 | - cloud_properties: 62 | instance_type: c5d.2xlarge 63 | name: c5d.2xlarge 64 | - cloud_properties: 65 | instance_type: c5d.4xlarge 66 | name: c5d.4xlarge 67 | - cloud_properties: 68 | instance_type: c5d.9xlarge 69 | name: c5d.9xlarge 70 | - cloud_properties: 71 | instance_type: c5d.large 72 | name: c5d.large 73 | - cloud_properties: 74 | instance_type: c5.xlarge 75 | iam_instance_profile: ((terraform_outputs.bosh_compilation_profile)) 76 | ephemeral_disk: 77 | size: 30000 78 | name: c5.xlarge.compilation 79 | - cloud_properties: 80 | instance_type: c5d.metal 81 | name: c5d.metal 82 | - cloud_properties: 83 | instance_type: c5d.xlarge 84 | name: c5d.xlarge 85 | - cloud_properties: 86 | instance_type: c5n.18xlarge 87 | name: c5n.18xlarge 88 | - cloud_properties: 89 | instance_type: c5n.2xlarge 90 | name: c5n.2xlarge 91 | - cloud_properties: 92 | instance_type: c5n.4xlarge 
93 | name: c5n.4xlarge 94 | - cloud_properties: 95 | instance_type: c5n.9xlarge 96 | name: c5n.9xlarge 97 | - cloud_properties: 98 | instance_type: c5n.large 99 | name: c5n.large 100 | - cloud_properties: 101 | instance_type: c5n.metal 102 | name: c5n.metal 103 | - cloud_properties: 104 | instance_type: c5n.xlarge 105 | name: c5n.xlarge 106 | - cloud_properties: 107 | instance_type: c6i.2xlarge 108 | name: c6i.2xlarge 109 | - cloud_properties: 110 | instance_type: c6i.large 111 | name: c6i.large 112 | - cloud_properties: 113 | instance_type: c6i.xlarge 114 | name: c6i.xlarge 115 | - cloud_properties: 116 | instance_type: c6id.2xlarge 117 | name: c6id.2xlarge 118 | - cloud_properties: 119 | instance_type: c6id.large 120 | name: c6id.large 121 | - cloud_properties: 122 | instance_type: c6id.xlarge 123 | name: c6id.xlarge 124 | - cloud_properties: 125 | instance_type: m4.10xlarge 126 | name: m4.10xlarge 127 | - cloud_properties: 128 | instance_type: m4.16xlarge 129 | name: m4.16xlarge 130 | - cloud_properties: 131 | instance_type: m4.2xlarge 132 | name: m4.2xlarge 133 | - cloud_properties: 134 | instance_type: m4.4xlarge 135 | name: m4.4xlarge 136 | - cloud_properties: 137 | instance_type: m4.large 138 | name: m4.large 139 | - cloud_properties: 140 | instance_type: m4.xlarge 141 | name: m4.xlarge 142 | - cloud_properties: 143 | instance_type: m5.12xlarge 144 | name: m5.12xlarge 145 | - cloud_properties: 146 | instance_type: m5.16xlarge 147 | name: m5.16xlarge 148 | - cloud_properties: 149 | instance_type: m5.24xlarge 150 | name: m5.24xlarge 151 | - cloud_properties: 152 | instance_type: m5.2xlarge 153 | name: m5.2xlarge 154 | - cloud_properties: 155 | instance_type: m5.4xlarge 156 | name: m5.4xlarge 157 | - cloud_properties: 158 | instance_type: m5.8xlarge 159 | name: m5.8xlarge 160 | - cloud_properties: 161 | instance_type: m5.large 162 | name: m5.large 163 | - cloud_properties: 164 | instance_type: m5.large 165 | ephemeral_disk: 166 | size: 45000 167 | name: 
m5.large.concourse.web 168 | - cloud_properties: 169 | instance_type: m5.metal 170 | name: m5.metal 171 | - cloud_properties: 172 | instance_type: m5.xlarge 173 | name: m5.xlarge 174 | - cloud_properties: 175 | instance_type: m5.xlarge 176 | ephemeral_disk: 177 | size: 300000 178 | name: m5.xlarge.concourse.worker 179 | - cloud_properties: 180 | instance_type: m5.xlarge 181 | ephemeral_disk: 182 | size: 20000 183 | name: m5.xlarge.opsuaa 184 | - cloud_properties: 185 | instance_type: m5.xlarge 186 | ephemeral_disk: 187 | size: 20000 188 | name: m5.xlarge.bosh.director 189 | - cloud_properties: 190 | instance_type: m5a.12xlarge 191 | name: m5a.12xlarge 192 | - cloud_properties: 193 | instance_type: m5a.16xlarge 194 | name: m5a.16xlarge 195 | - cloud_properties: 196 | instance_type: m5a.24xlarge 197 | name: m5a.24xlarge 198 | - cloud_properties: 199 | instance_type: m5a.2xlarge 200 | name: m5a.2xlarge 201 | - cloud_properties: 202 | instance_type: m5a.4xlarge 203 | name: m5a.4xlarge 204 | - cloud_properties: 205 | instance_type: m5a.8xlarge 206 | name: m5a.8xlarge 207 | - cloud_properties: 208 | instance_type: m5a.large 209 | name: m5a.large 210 | - cloud_properties: 211 | instance_type: m5a.xlarge 212 | name: m5a.xlarge 213 | - cloud_properties: 214 | instance_type: m5ad.12xlarge 215 | name: m5ad.12xlarge 216 | - cloud_properties: 217 | instance_type: m5ad.16xlarge 218 | name: m5ad.16xlarge 219 | - cloud_properties: 220 | instance_type: m5ad.24xlarge 221 | name: m5ad.24xlarge 222 | - cloud_properties: 223 | instance_type: m5ad.2xlarge 224 | name: m5ad.2xlarge 225 | - cloud_properties: 226 | instance_type: m5ad.4xlarge 227 | name: m5ad.4xlarge 228 | - cloud_properties: 229 | instance_type: m5ad.8xlarge 230 | name: m5ad.8xlarge 231 | - cloud_properties: 232 | instance_type: m5ad.large 233 | name: m5ad.large 234 | - cloud_properties: 235 | instance_type: m5ad.xlarge 236 | name: m5ad.xlarge 237 | - cloud_properties: 238 | instance_type: m5d.12xlarge 239 | name: 
m5d.12xlarge 240 | - cloud_properties: 241 | instance_type: m5d.16xlarge 242 | name: m5d.16xlarge 243 | - cloud_properties: 244 | instance_type: m5d.24xlarge 245 | name: m5d.24xlarge 246 | - cloud_properties: 247 | instance_type: m5d.2xlarge 248 | name: m5d.2xlarge 249 | - cloud_properties: 250 | instance_type: m5d.4xlarge 251 | name: m5d.4xlarge 252 | - cloud_properties: 253 | instance_type: m5d.8xlarge 254 | name: m5d.8xlarge 255 | - cloud_properties: 256 | instance_type: m5d.large 257 | name: m5d.large 258 | - cloud_properties: 259 | instance_type: m5d.metal 260 | name: m5d.metal 261 | - cloud_properties: 262 | instance_type: m5d.xlarge 263 | name: m5d.xlarge 264 | - cloud_properties: 265 | instance_type: m6i.2xlarge 266 | name: m6i.2xlarge 267 | - cloud_properties: 268 | instance_type: m6i.large 269 | name: m6i.large 270 | - cloud_properties: 271 | ephemeral_disk: 272 | size: 45000 273 | instance_type: m6i.large 274 | name: m6i.large.concourse.web 275 | - cloud_properties: 276 | instance_type: m6i.xlarge 277 | name: m6i.xlarge 278 | - cloud_properties: 279 | instance_type: m6i.xlarge 280 | ephemeral_disk: 281 | size: 20000 282 | name: m6i.xlarge.bosh.director 283 | - cloud_properties: 284 | instance_type: m6i.xlarge 285 | ephemeral_disk: 286 | size: 300000 287 | name: m6i.xlarge.concourse.worker 288 | - cloud_properties: 289 | instance_type: m6i.xlarge 290 | name: m6i.xlarge.opsuaa 291 | - cloud_properties: 292 | instance_type: r4.16xlarge 293 | name: r4.16xlarge 294 | - cloud_properties: 295 | instance_type: r4.2xlarge 296 | name: r4.2xlarge 297 | - cloud_properties: 298 | instance_type: r4.4xlarge 299 | name: r4.4xlarge 300 | - cloud_properties: 301 | instance_type: r4.8xlarge 302 | name: r4.8xlarge 303 | - cloud_properties: 304 | instance_type: r4.large 305 | name: r4.large 306 | - cloud_properties: 307 | instance_type: r4.xlarge 308 | name: r4.xlarge 309 | - cloud_properties: 310 | instance_type: r5.12xlarge 311 | name: r5.12xlarge 312 | - cloud_properties: 
313 | instance_type: r5.16xlarge 314 | name: r5.16xlarge 315 | - cloud_properties: 316 | instance_type: r5.24xlarge 317 | name: r5.24xlarge 318 | - cloud_properties: 319 | instance_type: r5.2xlarge 320 | name: r5.2xlarge 321 | - cloud_properties: 322 | instance_type: r5.4xlarge 323 | name: r5.4xlarge 324 | - cloud_properties: 325 | instance_type: r5.8xlarge 326 | name: r5.8xlarge 327 | - cloud_properties: 328 | instance_type: r5.large 329 | ephemeral_disk: 330 | size: 10000 331 | name: r5.large 332 | - cloud_properties: 333 | instance_type: r5.metal 334 | name: r5.metal 335 | - cloud_properties: 336 | instance_type: r5.xlarge 337 | name: r5.xlarge 338 | - cloud_properties: 339 | instance_type: r5.xlarge 340 | ephemeral_disk: 341 | size: 30000 342 | name: r5.xlarge.logsearch.ingestor 343 | - cloud_properties: 344 | instance_type: r5.xlarge 345 | ephemeral_disk: 346 | size: 30000 347 | name: r5.xlarge.logs_opensearch.ingestor 348 | - cloud_properties: 349 | instance_type: r5a.12xlarge 350 | name: r5a.12xlarge 351 | - cloud_properties: 352 | instance_type: r5a.16xlarge 353 | name: r5a.16xlarge 354 | - cloud_properties: 355 | instance_type: r5a.24xlarge 356 | name: r5a.24xlarge 357 | - cloud_properties: 358 | instance_type: r5a.2xlarge 359 | name: r5a.2xlarge 360 | - cloud_properties: 361 | instance_type: r5a.4xlarge 362 | name: r5a.4xlarge 363 | - cloud_properties: 364 | instance_type: r5a.8xlarge 365 | name: r5a.8xlarge 366 | - cloud_properties: 367 | instance_type: r5a.large 368 | name: r5a.large 369 | - cloud_properties: 370 | instance_type: r5a.xlarge 371 | name: r5a.xlarge 372 | - cloud_properties: 373 | instance_type: r5ad.12xlarge 374 | name: r5ad.12xlarge 375 | - cloud_properties: 376 | instance_type: r5ad.16xlarge 377 | name: r5ad.16xlarge 378 | - cloud_properties: 379 | instance_type: r5ad.24xlarge 380 | name: r5ad.24xlarge 381 | - cloud_properties: 382 | instance_type: r5ad.2xlarge 383 | name: r5ad.2xlarge 384 | - cloud_properties: 385 | instance_type: 
r5ad.4xlarge 386 | name: r5ad.4xlarge 387 | - cloud_properties: 388 | instance_type: r5ad.8xlarge 389 | name: r5ad.8xlarge 390 | - cloud_properties: 391 | instance_type: r5ad.large 392 | name: r5ad.large 393 | - cloud_properties: 394 | instance_type: r5ad.xlarge 395 | name: r5ad.xlarge 396 | - cloud_properties: 397 | instance_type: r5d.12xlarge 398 | name: r5d.12xlarge 399 | - cloud_properties: 400 | instance_type: r5d.16xlarge 401 | name: r5d.16xlarge 402 | - cloud_properties: 403 | instance_type: r5d.24xlarge 404 | name: r5d.24xlarge 405 | - cloud_properties: 406 | instance_type: r5d.2xlarge 407 | name: r5d.2xlarge 408 | - cloud_properties: 409 | instance_type: r5d.4xlarge 410 | name: r5d.4xlarge 411 | - cloud_properties: 412 | instance_type: r5d.8xlarge 413 | name: r5d.8xlarge 414 | - cloud_properties: 415 | instance_type: r5d.large 416 | name: r5d.large 417 | - cloud_properties: 418 | instance_type: r5d.metal 419 | name: r5d.metal 420 | - cloud_properties: 421 | instance_type: r5d.xlarge 422 | name: r5d.xlarge 423 | - cloud_properties: 424 | instance_type: r6i.2xlarge 425 | name: r6i.2xlarge 426 | - cloud_properties: 427 | instance_type: r6i.4xlarge 428 | name: r6i.4xlarge 429 | - cloud_properties: 430 | instance_type: r6i.8xlarge 431 | name: r6i.8xlarge 432 | - cloud_properties: 433 | instance_type: r6i.large 434 | ephemeral_disk: 435 | size: 10000 436 | name: r6i.large 437 | - cloud_properties: 438 | instance_type: r6i.xlarge 439 | name: r6i.xlarge 440 | - cloud_properties: 441 | instance_type: r6i.xlarge 442 | ephemeral_disk: 443 | size: 30000 444 | name: r6i.xlarge.logsearch.ingestor 445 | - cloud_properties: 446 | instance_type: t3.2xlarge 447 | name: t3.2xlarge 448 | - cloud_properties: 449 | instance_type: t3.large 450 | name: t3.large 451 | - cloud_properties: 452 | instance_type: t3.medium 453 | name: t3.medium 454 | - cloud_properties: 455 | instance_type: t3.medium 456 | ephemeral_disk: 457 | size: 45000 458 | name: t3.medium.concourse.web 459 | - 
cloud_properties: 460 | instance_type: t3.medium 461 | ephemeral_disk: 462 | size: 30000 463 | name: t3.medium.nessus.manager 464 | - cloud_properties: 465 | instance_type: t3.micro 466 | name: t3.micro 467 | - cloud_properties: 468 | instance_type: t3.nano 469 | name: t3.nano 470 | - cloud_properties: 471 | instance_type: t3.small 472 | name: t3.small 473 | - cloud_properties: 474 | instance_type: t3.xlarge 475 | name: t3.xlarge 476 | - cloud_properties: 477 | instance_type: t3a.2xlarge 478 | name: t3a.2xlarge 479 | - cloud_properties: 480 | instance_type: t3a.large 481 | name: t3a.large 482 | - cloud_properties: 483 | instance_type: t3a.medium 484 | name: t3a.medium 485 | - cloud_properties: 486 | instance_type: t3a.micro 487 | name: t3a.micro 488 | - cloud_properties: 489 | instance_type: t3a.nano 490 | name: t3a.nano 491 | - cloud_properties: 492 | instance_type: t3a.small 493 | name: t3a.small 494 | - cloud_properties: 495 | instance_type: t3a.xlarge 496 | name: t3a.xlarge 497 | - cloud_properties: 498 | instance_type: x1.16xlarge 499 | name: x1.16xlarge 500 | - cloud_properties: 501 | instance_type: x1.32xlarge 502 | name: x1.32xlarge 503 | - cloud_properties: 504 | instance_type: x1e.16xlarge 505 | name: x1e.16xlarge 506 | - cloud_properties: 507 | instance_type: x1e.2xlarge 508 | name: x1e.2xlarge 509 | - cloud_properties: 510 | instance_type: x1e.32xlarge 511 | name: x1e.32xlarge 512 | - cloud_properties: 513 | instance_type: x1e.4xlarge 514 | name: x1e.4xlarge 515 | - cloud_properties: 516 | instance_type: x1e.8xlarge 517 | name: x1e.8xlarge 518 | - cloud_properties: 519 | instance_type: x1e.xlarge 520 | name: x1e.xlarge 521 | 522 | vm_extensions: 523 | - name: errand-profile 524 | cloud_properties: 525 | iam_instance_profile: ((terraform_outputs.bosh_compilation_profile)) 526 | 527 | networks: [] 528 | disk_types: [] 529 | 530 | compilation: 531 | workers: 5 532 | reuse_compilation_vms: true 533 | vm_type: c5.xlarge.compilation 534 | az: z1 535 | 
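The `ci/update-cloud-config*.sh` scripts render `cloud-config/bosh.yml` and `isolation-segment.yml` with `--vars-file terraform-yaml-*/state.yml` and `--vars-env cloud_config`, so `cloud_config_environment=staging` in the task environment is what fills `((environment))`, while a placeholder such as `((terraform_outputs.az1))` in `base.yml` is a dotted lookup into the terraform state. None of those calls pass `--var-errs`, so a placeholder with no value is written out unchanged, reaches the director inside the cloud config, and only surfaces at the next deploy when the director cannot resolve it. The Python below is an added example, not bosh-cli code: it reproduces the two lookup rules on the parsed YAML and adds the check a pipeline should run before `update-cloud-config` so that leftovers fail closed. The terraform outputs in `STATE` are constructed values; the network template is the `value` from `cloud-config/bosh.yml`; vars-file values are merged over vars-env values, the order the CLI documents.

```python
import re
from typing import Any, Dict, List

# ((name)) or ((outer.inner)); CredHub-style names with `/` or `!` are out of scope here
PLACEHOLDER = re.compile(r"\(\(([A-Za-z0-9_.-]+)\)\)")


class UnresolvedVariable(KeyError):
    """Raised where `bosh interpolate --var-errs` would refuse to render."""


def vars_from_env(prefix: str, environ: Dict[str, str]) -> Dict[str, str]:
    """`--vars-env cloud_config`: each cloud_config_<name> env var supplies ((name))."""
    marker = prefix + "_"
    return {k[len(marker):]: v for k, v in environ.items() if k.startswith(marker)}


def lookup(variables: Dict[str, Any], dotted: str) -> Any:
    """((terraform_outputs.az1)) descends into nested mappings one dot at a time."""
    current: Any = variables
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            raise UnresolvedVariable(dotted)
        current = current[part]
    return current


def interpolate(node: Any, variables: Dict[str, Any]) -> Any:
    """Resolve placeholders in a parsed YAML tree. A string that is exactly one
    placeholder takes the variable's own type (a list of static IPs stays a list);
    a placeholder embedded in text, like ((environment))-bosh, is stringified."""
    if isinstance(node, dict):
        return {k: interpolate(v, variables) for k, v in node.items()}
    if isinstance(node, list):
        return [interpolate(v, variables) for v in node]
    if isinstance(node, str):
        whole = PLACEHOLDER.fullmatch(node)
        if whole:
            return lookup(variables, whole.group(1))
        return PLACEHOLDER.sub(lambda m: str(lookup(variables, m.group(1))), node)
    return node


def unresolved_names(node: Any, variables: Dict[str, Any]) -> List[str]:
    """Placeholders `bosh interpolate` would pass through unchanged without
    --var-errs; run this before update-cloud-config and stop if it is non-empty."""
    missing: List[str] = []

    def walk(n: Any) -> None:
        if isinstance(n, dict):
            for v in n.values():
                walk(v)
        elif isinstance(n, list):
            for v in n:
                walk(v)
        elif isinstance(n, str):
            for name in PLACEHOLDER.findall(n):
                try:
                    lookup(variables, name)
                except UnresolvedVariable:
                    if name not in missing:
                        missing.append(name)

    walk(node)
    return missing


# Constructed stand-in for terraform-yaml/state.yml; every value below is made up.
STATE: Dict[str, Any] = {"terraform_outputs": {
    "private_subnet_cidr_az1": "10.0.10.0/24",
    "private_subnet_gateway_az1": "10.0.10.1",
    "bosh_network_static_ips": ["10.0.10.10", "10.0.10.11"],
    "private_subnet_reserved_az1": "10.0.10.2-10.0.10.9",
    "vpc_cidr_dns": "10.0.0.2",
    "private_subnet_az1": "subnet-0123456789abcdef0",
    "bosh_security_group": "sg-0123456789abcdef0",
}}

# The network `value` from cloud-config/bosh.yml, as parsed YAML.
NETWORK_TEMPLATE: Dict[str, Any] = {
    "name": "((environment))-bosh",
    "subnets": [{
        "az": "z1",
        "range": "((terraform_outputs.private_subnet_cidr_az1))",
        "gateway": "((terraform_outputs.private_subnet_gateway_az1))",
        "static": "((terraform_outputs.bosh_network_static_ips))",
        "reserved": ["((terraform_outputs.private_subnet_reserved_az1))"],
        "dns": ["((terraform_outputs.vpc_cidr_dns))"],
        "cloud_properties": {
            "subnet": "((terraform_outputs.private_subnet_az1))",
            "security_groups": ["((terraform_outputs.bosh_security_group))"],
        },
    }],
}


def render_bosh_network(state: Dict[str, Any], environ: Dict[str, str]) -> Dict[str, Any]:
    """What `cloud_config_environment=staging bosh interpolate bosh.yml --vars-file
    state.yml --vars-env cloud_config` yields for the network, but failing closed."""
    variables = {**vars_from_env("cloud_config", environ), **state}  # vars-file wins
    missing = unresolved_names(NETWORK_TEMPLATE, variables)
    if missing:
        raise UnresolvedVariable("unresolved: " + ", ".join(missing))
    return interpolate(NETWORK_TEMPLATE, variables)
```

Run `render_bosh_network(STATE, {"cloud_config_environment": "staging"})` to see the rendered `staging-bosh` network; drop the environment variable and `unresolved_names` reports `environment`, which is the case the scripts currently let through.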
--------------------------------------------------------------------------------
/cloud-config/bosh.yml:
--------------------------------------------------------------------------------
1 | - type: replace
2 |   path: /networks/-
3 |   value:
4 |     name: ((environment))-bosh
5 |     subnets:
6 |     - az: z1
7 |       range: ((terraform_outputs.private_subnet_cidr_az1))
8 |       gateway: ((terraform_outputs.private_subnet_gateway_az1))
9 |       static: ((terraform_outputs.bosh_network_static_ips))
10 |       reserved: [((terraform_outputs.private_subnet_reserved_az1))]
11 |       dns: [((terraform_outputs.vpc_cidr_dns))]
12 |       cloud_properties:
13 |         subnet: ((terraform_outputs.private_subnet_az1))
14 |         security_groups: [((terraform_outputs.bosh_security_group))]
15 | 
16 | - type: replace
17 |   path: /vm_extensions/-
18 |   value:
19 |     name: ((environment))-bosh-profile
20 |     cloud_properties:
21 |       iam_instance_profile: ((terraform_outputs.bosh_profile))
22 | 
--------------------------------------------------------------------------------
/cloud-config/cf.yml:
--------------------------------------------------------------------------------
1 | # Persistent disk types (disk_types); the ephemeral disk sizes are the vm_extensions that follow
2 | - type: replace
3 |   path: /disk_types/-
4 |   value:
5 |     name: default
6 |     disk_size: 1024
7 | - type: replace
8 |   path: /disk_types/-
9 |   value:
10 |     name: 1GB
11 |     disk_size: 1024
12 | - type: replace
13 |   path: /disk_types/-
14 |   value:
15 |     name: 5GB
16 |     disk_size: 5120
17 | - type: replace
18 |   path: /disk_types/-
19 |   value:
20 |     name: 10GB
21 |     disk_size: 10240
22 | - type: replace
23 |   path: /disk_types/-
24 |   value:
25 |     name: 50GB
26 |     disk_size: 51200
27 | - type: replace
28 |   path: /disk_types/-
29 |   value:
30 |     name: 100GB
31 |     disk_size: 102400
32 | - type: replace
33 |   path: /disk_types/-
34 |   value:
35 |     name: 500GB
36 |     disk_size: 512000
37 | - type: replace
38 |   path: /disk_types/-
39 |   value:
40 |     name: 1TB
41 |     disk_size: 1048576
42 | 
43 | - type: replace
44 |   path: /vm_extensions/-
45 |   value:
46 |     name: 1GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 1024
- type: replace
  path: /vm_extensions/-
  value:
    name: 5GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 5120
- type: replace
  path: /vm_extensions/-
  value:
    name: 10GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 10240
- type: replace
  path: /vm_extensions/-
  value:
    name: 15GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 15360
- type: replace
  path: /vm_extensions/-
  value:
    name: 50GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 51200
- type: replace
  path: /vm_extensions/-
  value:
    name: 100GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 102400
- type: replace
  path: /vm_extensions/-
  value:
    name: 200GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 204800
- type: replace
  path: /vm_extensions/-
  value:
    name: 300GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 307200
- type: replace
  path: /vm_extensions/-
  value:
    name: 500GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 512000
- type: replace
  path: /vm_extensions/-
  value:
    name: 1TB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 1048576

# Load balancers
- type: replace
  path: /vm_extensions/-
  value:
    name: cf-router-network-properties
    cloud_properties:
      lb_target_groups: ((terraform_outputs.cf_router_target_groups))
- type: replace
  path: /vm_extensions/-
  value:
    name: cf-router-main-network-properties
    cloud_properties:
      lb_target_groups: ((terraform_outputs.cf_router_main_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name:
      cf-router-logstash-network-properties
    cloud_properties:
      lb_target_groups: ((terraform_outputs.cf_logstash_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: diego-ssh-proxy-network-properties
    cloud_properties:
      elbs: [((terraform_outputs.diego_elb_name))]
- type: replace
  path: /vm_extensions/-
  value:
    name: cf-tcp-router-network-properties
    cloud_properties:
      lb_target_groups: ((terraform_outputs.tcp_lb_target_groups))
      security_groups: ((terraform_outputs.tcp_lb_security_groups))

# Instance profiles
- type: replace
  path: /vm_extensions/-
  value:
    name: blobstore-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.cf_blobstore_profile))
- type: replace
  path: /vm_extensions/-
  value:
    name: diego-platform-cell-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.platform_profile))

--------------------------------------------------------------------------------
/cloud-config/development.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /disk_types/name=logsearch_es_data/disk_size
  value: 400_000
- type: replace
  path: /disk_types/name=logsearch_es_platform_data/disk_size
  value: 200_000
- type: replace
  path: /disk_types/name=logs_opensearch_os_data/disk_size
  value: 400_000
- type: replace
  path: /disk_types/name=logs_opensearch_os_platform_data/disk_size
  value: 200_000

--------------------------------------------------------------------------------
/cloud-config/hub-tooling.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /vm_types/-
  value:
    name: bosh
    cloud_properties:
      instance_type: m4.xlarge
      ephemeral_disk:
        size: 20_000
- type: replace
  path:
    /networks/-
  value:
    name: opsuaa
    type: manual
    subnets:
      - range: ((terraform_outputs.private_subnet_az1_cidr))
        reserved: ((terraform_outputs.private_subnet_reserved_az1))
        gateway: ((terraform_outputs.private_subnet_az1_gateway))
        static: ((terraform_outputs.bosh_uaa_static_ips_az1))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.bosh_uaa_security_group))
          subnet: ((terraform_outputs.private_subnet_az1))
      - range: ((terraform_outputs.private_subnet_az2_cidr))
        reserved: ((terraform_outputs.private_subnet_reserved_az2))
        gateway: ((terraform_outputs.private_subnet_az2_gateway))
        static: ((terraform_outputs.bosh_uaa_static_ips_az2))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.bosh_uaa_security_group))
          subnet: ((terraform_outputs.private_subnet_az2))
      - range: ((terraform_outputs.private_subnet_az3_cidr))
        reserved: ((terraform_outputs.private_subnet_reserved_az3))
        gateway: ((terraform_outputs.private_subnet_az3_gateway))
        static: ((terraform_outputs.bosh_uaa_static_ips_az3))
        az: z3
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.bosh_uaa_security_group))
          subnet: ((terraform_outputs.private_subnet_az3))

- type: replace
  path: /networks/-
  value:
    name: nessus-manager
    type: manual
    subnets:
      - range: ((terraform_outputs.private_subnet_az3_cidr))
        reserved: ((terraform_outputs.private_subnet_reserved_az3))
        gateway: ((terraform_outputs.private_subnet_az3_gateway))
        static:
          - ((terraform_outputs.nessus_static_ip))
        az: z3
        dns:
          [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.nessus_security_group))
          subnet: ((terraform_outputs.private_subnet_az3))

- type: replace
  path: /networks/-
  value:
    name: staging-concourse
    type: manual
    subnets:
      - range: ((terraform_outputs.staging_concourse_subnet_cidr_az1))
        gateway: ((terraform_outputs.staging_concourse_subnet_gateway_az1))
        reserved:
          - ((terraform_outputs.staging_concourse_subnet_reserved_az1))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_concourse_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))
      - range: ((terraform_outputs.staging_concourse_subnet_cidr_az2))
        gateway: ((terraform_outputs.staging_concourse_subnet_gateway_az2))
        reserved:
          - ((terraform_outputs.staging_concourse_subnet_reserved_az2))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_concourse_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))
      - range: ((terraform_outputs.staging_concourse_subnet_cidr_az3))
        gateway: ((terraform_outputs.staging_concourse_subnet_gateway_az3))
        reserved:
          - ((terraform_outputs.staging_concourse_subnet_reserved_az3))
        az: z3
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_concourse_subnet_az3))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))

- type: replace
  path: /networks/-
  value:
    name: production-concourse
    type: manual
    subnets:
      - range: ((terraform_outputs.production_concourse_subnet_cidr_az1))
        gateway: ((terraform_outputs.production_concourse_subnet_gateway_az1))
        reserved:
          - ((terraform_outputs.production_concourse_subnet_reserved_az1))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_concourse_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))
      - range: ((terraform_outputs.production_concourse_subnet_cidr_az2))
        gateway: ((terraform_outputs.production_concourse_subnet_gateway_az2))
        reserved:
          - ((terraform_outputs.production_concourse_subnet_reserved_az2))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_concourse_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))
      - range: ((terraform_outputs.production_concourse_subnet_cidr_az3))
        gateway: ((terraform_outputs.production_concourse_subnet_gateway_az3))
        reserved:
          - ((terraform_outputs.production_concourse_subnet_reserved_az3))
        az: z3
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_concourse_subnet_az3))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))

- type:
    replace
  path: /networks/-
  value:
    name: staging-monitoring
    type: dynamic
    subnets:
      - range: ((terraform_outputs.staging_monitoring_subnet_cidr_az1))
        gateway: ((terraform_outputs.staging_monitoring_subnet_gateway_az1))
        reserved:
          - ((terraform_outputs.staging_monitoring_subnet_reserved_az1))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_monitoring_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_monitoring_security_group))
      - range: ((terraform_outputs.staging_monitoring_subnet_cidr_az2))
        gateway: ((terraform_outputs.staging_monitoring_subnet_gateway_az2))
        reserved:
          - ((terraform_outputs.staging_monitoring_subnet_reserved_az2))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_monitoring_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_monitoring_security_group))
      - range: ((terraform_outputs.staging_monitoring_subnet_cidr_az3))
        gateway: ((terraform_outputs.staging_monitoring_subnet_gateway_az3))
        reserved:
          - ((terraform_outputs.staging_monitoring_subnet_reserved_az3))
        az: z3
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_monitoring_subnet_az3))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_monitoring_security_group))


- type: replace
  path: /networks/-
  value:
    name: staging-credhub
    type: dynamic
    subnets:
      - range: ((terraform_outputs.staging_credhub_subnet_cidr_az1))
        gateway: ((terraform_outputs.staging_credhub_subnet_gateway_az1))
        reserved:
          -
            ((terraform_outputs.staging_credhub_subnet_reserved_az1))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_credhub_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))
      - range: ((terraform_outputs.staging_credhub_subnet_cidr_az2))
        gateway: ((terraform_outputs.staging_credhub_subnet_gateway_az2))
        reserved:
          - ((terraform_outputs.staging_credhub_subnet_reserved_az2))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_credhub_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))
      - range: ((terraform_outputs.staging_credhub_subnet_cidr_az3))
        gateway: ((terraform_outputs.staging_credhub_subnet_gateway_az3))
        reserved:
          - ((terraform_outputs.staging_credhub_subnet_reserved_az3))
        az: z3
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_credhub_subnet_az3))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))

- type: replace
  path: /networks/-
  value:
    name: production-credhub
    type: dynamic
    subnets:
      - range: ((terraform_outputs.production_credhub_subnet_cidr_az1))
        gateway: ((terraform_outputs.production_credhub_subnet_gateway_az1))
        reserved:
          - ((terraform_outputs.production_credhub_subnet_reserved_az1))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_credhub_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))
      - range: ((terraform_outputs.production_credhub_subnet_cidr_az2))
        gateway: ((terraform_outputs.production_credhub_subnet_gateway_az2))
        reserved:
          - ((terraform_outputs.production_credhub_subnet_reserved_az2))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_credhub_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))
      - range: ((terraform_outputs.production_credhub_subnet_cidr_az3))
        gateway: ((terraform_outputs.production_credhub_subnet_gateway_az3))
        reserved:
          - ((terraform_outputs.production_credhub_subnet_reserved_az3))
        az: z3
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_credhub_subnet_az3))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))
- type: replace
  path: /networks/-
  value:
    name: production-monitoring
    type: dynamic
    subnets:
      - range: ((terraform_outputs.production_monitoring_subnet_cidr_az1))
        gateway: ((terraform_outputs.production_monitoring_subnet_gateway_az1))
        reserved:
          - ((terraform_outputs.production_monitoring_subnet_reserved_az1))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_monitoring_subnet_az1))
          security_groups:
            -
              ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_monitoring_security_group))
      - range: ((terraform_outputs.production_monitoring_subnet_cidr_az2))
        gateway: ((terraform_outputs.production_monitoring_subnet_gateway_az2))
        reserved:
          - ((terraform_outputs.production_monitoring_subnet_reserved_az2))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_monitoring_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_monitoring_security_group))
      - range: ((terraform_outputs.production_monitoring_subnet_cidr_az3))
        gateway: ((terraform_outputs.production_monitoring_subnet_gateway_az3))
        reserved:
          - ((terraform_outputs.production_monitoring_subnet_reserved_az3))
        az: z3
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_monitoring_subnet_az3))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_monitoring_security_group))


- type: replace
  path: /networks/-
  value:
    name: dns-public
    type: dynamic
    subnets:
      - az: z1
        cloud_properties:
          subnet: ((terraform_outputs.public_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.dns_axfr_security_group))
            - ((terraform_outputs.dns_public_security_group))
      - az: z2
        cloud_properties:
          subnet: ((terraform_outputs.public_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.dns_axfr_security_group))
            - ((terraform_outputs.dns_public_security_group))
      - az: z3
        cloud_properties:
          subnet: ((terraform_outputs.public_subnet_az3))
          security_groups:
            -
              ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.dns_axfr_security_group))
            - ((terraform_outputs.dns_public_security_group))
- type: replace
  path: /networks/-
  value:
    name: dns-public-vip
    type: vip
- type: replace
  path: /networks/-
  value:
    name: smtp-private
    type: manual
    subnets:
      - az: z1
        range: ((terraform_outputs.private_subnet_az1_cidr))
        reserved: ((terraform_outputs.private_subnet_reserved_az1))
        gateway: ((terraform_outputs.private_subnet_az1_gateway))
        static: ((terraform_outputs.production_smtp_private_ip))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.smtp_security_group))

# todo (mxplusb): remove this.
- type: replace
  path: /vm_types/-
  value:
    name: staging-concourse-web
    cloud_properties:
      instance_type: t3.medium
      ephemeral_disk:
        size: 45_000
- type: replace
  path: /vm_types/-
  value:
    name: staging-concourse-worker
    cloud_properties:
      instance_type: m5.large
      ephemeral_disk:
        size: 50_000
- type: replace
  path: /vm_types/-
  value: &concourse-iaas-worker-vm
    name: staging-concourse-iaas-worker
    cloud_properties:
      instance_type: m5.large
      ephemeral_disk:
        size: 300_000
- type: replace
  path: /vm_types/-
  value:
    name: production-concourse-web
    cloud_properties:
      instance_type: t3.xlarge
      ephemeral_disk:
        size: 45_000
- type: replace
  path: /vm_types/-
  value:
    name: production-concourse-worker
    cloud_properties:
      instance_type: m5.xlarge
      ephemeral_disk:
        size: 300_000
- type: replace
  path: /vm_types/-
  value:
    <<:
      *concourse-iaas-worker-vm
    name: production-concourse-iaas-worker

- type: replace
  path: /vm_extensions/-
  value:
    name: opsuaa-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.opsuaa_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: nessus-manager-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.nessus_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-prometheus-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_monitoring_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: production-prometheus-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_monitoring_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-doomsday-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_doomsday_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: production-doomsday-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_doomsday_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-concourse-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_concourse_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value: &concourse-profile
    name: staging-concourse-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.concourse_worker_profile))
- type: replace
  path: /vm_extensions/-
  value: &concourse-iaas-profile
    name: staging-concourse-iaas-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.concourse_iaas_worker_profile))
- type: replace
  path:
    /vm_extensions/-
  value:
    name: production-concourse-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_concourse_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    <<: *concourse-profile
    name: production-concourse-profile
- type: replace
  path: /vm_extensions/-
  value:
    <<: *concourse-iaas-profile
    name: production-concourse-iaas-profile
- type: replace
  path: /vm_extensions/-
  value:
    name: production-credhub-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_credhub_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-credhub-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_credhub_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: 5GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 5120
- type: replace
  path: /vm_extensions/-
  value:
    name: 10GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 10240

- type: replace
  path: /disk_types/-
  value:
    name: bosh
    disk_size: 92_000
- type: replace
  path: /disk_types/-
  value:
    name: 5GB
    disk_size: 5120
- type: replace
  path: /disk_types/-
  value:
    name: nessus-manager
    disk_size: 200_000
- type: replace
  path: /disk_types/-
  value: &prometheus-small-disk
    name: staging-prometheus-small
    disk_size: 8192
- type: replace
  path: /disk_types/-
  value: &prometheus-large-disk
    name: staging-prometheus-large
    disk_size: 200_000
- type: replace
  path: /disk_types/-
  value:
    <<: *prometheus-small-disk
    name: production-prometheus-small
- type: replace
  path: /disk_types/-
  value:
    <<: *prometheus-large-disk
    name: production-prometheus-large
    disk_size: 3_000_000
    cloud_properties:
      type: io1
      iops: 14_000

- type: replace
  path: /compilation/network?
  value: production-concourse

- type: replace
  path: /azs/-
  value:
    name: z3
    cloud_properties:
      availability_zone: ((terraform_outputs.az3))

--------------------------------------------------------------------------------
/cloud-config/isolation-segment.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /networks/-
  value:
    name: ((segment))-default
    type: manual
    subnets:
      - az: z1
        range: ((terraform_outputs.private_subnet_cidr_az1))
        gateway: ((terraform_outputs.private_subnet_gateway_az1))
        reserved: ((terraform_outputs.private_subnet_reserved_az1))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az1))
          security_groups: [((terraform_outputs.bosh_security_group))]
      - az: z2
        range: ((terraform_outputs.private_subnet_cidr_az2))
        gateway: ((terraform_outputs.private_subnet_gateway_az2))
        reserved: [((terraform_outputs.private_subnet_reserved_az2))]
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az2))
          security_groups: [((terraform_outputs.bosh_security_group))]

--------------------------------------------------------------------------------
/cloud-config/main.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /networks/-
  value:
    name: default
    type: manual
    subnets:
      - az: z1
        range: ((terraform_outputs.private_subnet_cidr_az1))
        gateway: ((terraform_outputs.private_subnet_gateway_az1))
        reserved:
          - ((terraform_outputs.private_subnet_reserved_az1))
          - ((terraform_outputs.bosh_static_ip))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
      - az: z2
        range: ((terraform_outputs.private_subnet_cidr_az2))
        gateway: ((terraform_outputs.private_subnet_gateway_az2))
        reserved:
          - ((terraform_outputs.private_subnet_reserved_az2))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
- type: replace
  path: /networks/-
  value:
    - name: services
      type: manual
      subnets:
        - az: z1
          range: ((terraform_outputs.services_subnet_cidr_az1))
          gateway: ((terraform_outputs.services_subnet_gateway_az1))
          reserved:
            - ((terraform_outputs.services_subnet_reserved_az1))
            - ((terraform_outputs.domains-internal-ip-az1))
          dns: [((terraform_outputs.vpc_cidr_dns))]
          cloud_properties:
            subnet: ((terraform_outputs.services_subnet_az1))
            security_groups:
              - ((terraform_outputs.bosh_security_group))

- type: replace
  path: /disk_types/-
  value:
    name: shibboleth
    disk_size: 4096
- type: replace
  path: /disk_types/-
  value:
    name: logsearch_es_master
    disk_size: 102400
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: logsearch_es_data
    disk_size: 16_500_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: logsearch_es_platform_data
    disk_size: 10_000_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: logsearch_ingestor
    disk_size: 64_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name:
      logsearch_redis
    disk_size: 4096
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: logs_opensearch_os_master
    disk_size: 102400
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: logs_opensearch_os_data
    disk_size: 12_000_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: logs_opensearch_os_platform_data
    disk_size: 3_500_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: logs_opensearch_ingestor
    disk_size: 64_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: logs_opensearch_redis
    disk_size: 4096
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: kubernetes
    disk_size: 35_000
- type: replace
  path: /disk_types/-
  value:
    name: nfs-volume
    disk_size: 64_000
- type: replace
  path: /vm_extensions/-
  value:
    name: shibboleth-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.shibboleth_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: logsearch-lb
    cloud_properties:
      elbs:
        - ((terraform_outputs.logsearch_elb_name))
- type: replace
  path: /vm_extensions/-
  value:
    name: platform-syslog-lb
    cloud_properties:
      elbs:
        - ((terraform_outputs.platform_syslog_elb_name))
- type: replace
  path: /vm_extensions/-
  value:
    name: platform-kibana-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.platform_kibana_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: elasticache-broker-lb
    cloud_properties:
      elbs:
        -
          ((terraform_outputs.elasticache_broker_elb_name))
- type: replace
  path: /vm_extensions/-
  value:
    name: domains-broker-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.domains_broker_internal_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: logsearch-ingestor-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.logsearch_ingestor_profile))
- type: replace
  path: /vm_extensions/-
  value:
    name: logs-opensearch-ingestor-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.logs_opensearch_ingestor_profile))
- type: replace
  path: /vm_extensions/-
  value:
    name: elasticache-broker-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.elasticache_broker_profile))
- type: replace
  path: /vm_extensions/-
  value:
    name: domains-broker-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.domains_broker_profile))

- type: replace
  path: /compilation/network?
  value: default

--------------------------------------------------------------------------------
/cloud-config/master.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /vm_types/-
  value:
    name: bosh
    cloud_properties:
      instance_type: m5.large

- type: replace
  path: /networks/-
  value:
    name: bosh
    type: manual
    subnets:
      - az: z1
        range: ((terraform_outputs.private_subnet_az1_cidr))
        gateway: ((terraform_outputs.private_subnet_az1_gateway))
        static: [((terraform_outputs.tooling_bosh_static_ip))]
        reserved: ((terraform_outputs.master_bosh_reserved))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az1))
          security_groups: [((terraform_outputs.bosh_security_group))]

- type: replace
  path: /vm_extensions/-
  value:
    name: bosh-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.bosh_profile))

- type: replace
  path: /disk_types/-
  value:
    name: bosh
    disk_size: 300000
    cloud_properties:
      type: gp3

- type: replace
  path: /compilation/network?
  value: bosh
--------------------------------------------------------------------------------
/cloud-config/protobosh.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /vm_types/-
  value:
    name: bosh
    cloud_properties:
      instance_type: m5.large

- type: replace
  path: /networks/-
  value:
    name: bosh
    type: manual
    subnets:
      - az: z1
        range: ((terraform_outputs.private_subnet_az1_cidr))
        gateway: ((terraform_outputs.private_subnet_az1_gateway))
        reserved: ((terraform_outputs.protobosh_reserved_az1))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az1))
          security_groups: [((terraform_outputs.bosh_security_group))]

      - az: z2
        range: ((terraform_outputs.private_subnet_az2_cidr))
        gateway: ((terraform_outputs.private_subnet_az2_gateway))
        reserved: ((terraform_outputs.protobosh_reserved_az2))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az2))
          security_groups: [((terraform_outputs.bosh_security_group))]

      - az: z3
        range: ((terraform_outputs.private_subnet_az3_cidr))
        gateway: ((terraform_outputs.private_subnet_az3_gateway))
        static: [((terraform_outputs.tooling_bosh_static_ip))]
        reserved: ((terraform_outputs.protobosh_reserved_az3))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az3))
          security_groups: [((terraform_outputs.bosh_security_group))]

- type: replace
  path: /vm_extensions/-
  value:
    name: ((terraform_outputs.bosh_profile))
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.bosh_profile))

- type: replace
  path: /disk_types/-
  value:
    name: bosh
    disk_size: 300000

- type: replace
  path: /compilation/network?
  value: bosh

- type: replace
  path: /azs/-
  value:
    name: z3
    cloud_properties:
      availability_zone: ((terraform_outputs.az3))

- type: remove
  path: /vm_types/name=c5.xlarge.compilation

- type: replace
  path: /vm_types/-
  value:
    name: c5.xlarge.compilation
    cloud_properties:
      ephemeral_disk:
        size: 30000
      iam_instance_profile: ((terraform_outputs.protobosh_compilation_profile))
      instance_type: c5.xlarge
--------------------------------------------------------------------------------
/cloud-config/root-disk.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /vm_extensions/-
  value:
    cloud_properties:
      root_disk:
        size: 10240
    name: 10GB_root_disk

- type: replace
  path: /vm_extensions/-
  value:
    cloud_properties:
      root_disk:
        size: 15360
    name: 15GB_root_disk

- type: replace
  path: /vm_extensions/-
  value:
    cloud_properties:
      root_disk:
        size: 20480
    name: 20GB_root_disk

- type: replace
  path: /vm_extensions/-
  value:
    cloud_properties:
      root_disk:
        size: 30720
    name: 30GB_root_disk

- type: replace
  path: /vm_extensions/-
  value:
    cloud_properties:
      root_disk:
        size: 40960
    name: 40GB_root_disk

- type: replace
  path: /vm_extensions/-
  value:
    cloud_properties:
      root_disk:
        size: 51200
    name: 50GB_root_disk

- type: replace
  path: /vm_extensions/-
  value:
    cloud_properties:
      root_disk:
        size: 102400
    name: 100GB_root_disk

- type: replace
  path: /vm_extensions/-
  value:
    cloud_properties:
      root_disk:
        size: 204800
    name: 200GB_root_disk
--------------------------------------------------------------------------------
/cloud-config/staging.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /disk_types/name=logsearch_es_data/disk_size
  value: 900_000
- type: replace
  path: /disk_types/name=logs_opensearch_os_data/disk_size
  value: 900_000
--------------------------------------------------------------------------------
/cloud-config/tooling.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /vm_types/-
  value:
    name: bosh
    cloud_properties:
      instance_type: m4.xlarge
      ephemeral_disk:
        size: 20_000
- type: replace
  path: /networks/-
  value:
    name: opsuaa
    type: manual
    subnets:
      - range: ((terraform_outputs.private_subnet_az1_cidr))
        reserved: ((terraform_outputs.private_subnet_az1_reserved))
        gateway: ((terraform_outputs.private_subnet_az1_gateway))
        static: ((terraform_outputs.bosh_uaa_static_ips))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.bosh_uaa_security_group))
          subnet: ((terraform_outputs.private_subnet_az1))
- type: replace
  path: /networks/-
  value:
    name: nessus-manager
    type: manual
    subnets:
      - range: ((terraform_outputs.private_subnet_az1_cidr))
        reserved: ((terraform_outputs.private_subnet_az1_reserved))
        gateway: ((terraform_outputs.private_subnet_az1_gateway))
        static:
          - ((terraform_outputs.nessus_static_ip))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.nessus_security_group))
          subnet: ((terraform_outputs.private_subnet_az1))
- type: replace
  path: /networks/-
  value:
    name: staging-concourse
    type: manual
    subnets:
      - range: ((terraform_outputs.staging_concourse_subnet_cidr))
        gateway: ((terraform_outputs.staging_concourse_subnet_gateway))
        reserved:
          - ((terraform_outputs.staging_concourse_subnet_reserved))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_concourse_subnet))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))
- type: replace
  path: /networks/-
  value:
    name: production-concourse
    type: manual
    subnets:
      - range: ((terraform_outputs.production_concourse_subnet_cidr))
        gateway: ((terraform_outputs.production_concourse_subnet_gateway))
        reserved:
          - ((terraform_outputs.production_concourse_subnet_reserved))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_concourse_subnet))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))

- type: replace
  path: /networks/-
  value:
    name: staging-monitoring
    type: dynamic
    subnets:
      - range: ((terraform_outputs.staging_monitoring_subnet_cidr))
        gateway: ((terraform_outputs.staging_monitoring_subnet_gateway))
        reserved:
          - ((terraform_outputs.staging_monitoring_subnet_reserved))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_monitoring_subnet))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_monitoring_security_group))
- type: replace
  path: /networks/-
  value:
    name: staging-credhub
    type: dynamic
    subnets:
      - range: ((terraform_outputs.staging_credhub_subnet_cidr_az1))
        gateway: ((terraform_outputs.staging_credhub_subnet_az1_gateway))
        reserved:
          - ((terraform_outputs.staging_credhub_subnet_az1_reserved))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_credhub_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))
      - range: ((terraform_outputs.staging_credhub_subnet_cidr_az2))
        gateway: ((terraform_outputs.staging_credhub_subnet_az2_gateway))
        reserved:
          - ((terraform_outputs.staging_credhub_subnet_az2_reserved))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_credhub_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_concourse_security_group))
            - ((terraform_outputs.staging_credhub_security_group))

- type: replace
  path: /networks/-
  value:
    name: development-defectdojo
    type: dynamic
    subnets:
      - range: ((terraform_outputs.development_defectdojo_subnet_cidr_az1))
        gateway: ((terraform_outputs.development_defectdojo_subnet_az1_gateway))
        reserved:
          - ((terraform_outputs.development_defectdojo_subnet_az1_reserved))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.development_defectdojo_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.development_defectdojo_security_group))
      - range: ((terraform_outputs.development_defectdojo_subnet_cidr_az2))
        gateway: ((terraform_outputs.development_defectdojo_subnet_az2_gateway))
        reserved:
          - ((terraform_outputs.development_defectdojo_subnet_az2_reserved))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.development_defectdojo_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.development_defectdojo_security_group))

- type: replace
  path: /networks/-
  value:
    name: staging-defectdojo
    type: dynamic
    subnets:
      - range: ((terraform_outputs.staging_defectdojo_subnet_cidr_az1))
        gateway: ((terraform_outputs.staging_defectdojo_subnet_az1_gateway))
        reserved:
          - ((terraform_outputs.staging_defectdojo_subnet_az1_reserved))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_defectdojo_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_defectdojo_security_group))
      - range: ((terraform_outputs.staging_defectdojo_subnet_cidr_az2))
        gateway: ((terraform_outputs.staging_defectdojo_subnet_az2_gateway))
        reserved:
          - ((terraform_outputs.staging_defectdojo_subnet_az2_reserved))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.staging_defectdojo_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.staging_defectdojo_security_group))

- type: replace
  path: /networks/-
  value:
    name: production-defectdojo
    type: dynamic
    subnets:
      - range: ((terraform_outputs.production_defectdojo_subnet_cidr_az1))
        gateway: ((terraform_outputs.production_defectdojo_subnet_az1_gateway))
        reserved:
          - ((terraform_outputs.production_defectdojo_subnet_az1_reserved))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_defectdojo_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_defectdojo_security_group))
      - range: ((terraform_outputs.production_defectdojo_subnet_cidr_az2))
        gateway: ((terraform_outputs.production_defectdojo_subnet_az2_gateway))
        reserved:
          - ((terraform_outputs.production_defectdojo_subnet_az2_reserved))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_defectdojo_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_defectdojo_security_group))

- type: replace
  path: /networks/-
  value:
    name: production-credhub
    type: dynamic
    subnets:
      - range: ((terraform_outputs.production_credhub_subnet_cidr_az1))
        gateway: ((terraform_outputs.production_credhub_subnet_az1_gateway))
        reserved:
          - ((terraform_outputs.production_credhub_subnet_az1_reserved))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_credhub_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))
      - range: ((terraform_outputs.production_credhub_subnet_cidr_az2))
        gateway: ((terraform_outputs.production_credhub_subnet_az2_gateway))
        reserved:
          - ((terraform_outputs.production_credhub_subnet_az2_reserved))
        az: z2
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_credhub_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_concourse_security_group))
            - ((terraform_outputs.production_credhub_security_group))
- type: replace
  path: /networks/-
  value:
    name: production-monitoring
    type: dynamic
    subnets:
      - range: ((terraform_outputs.production_monitoring_subnet_cidr))
        gateway: ((terraform_outputs.production_monitoring_subnet_gateway))
        reserved:
          - ((terraform_outputs.production_monitoring_subnet_reserved))
        az: z1
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.production_monitoring_subnet))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.production_monitoring_security_group))
- type: replace
  path: /networks/-
  value:
    name: dns-private
    type: manual
    subnets:
      - az: z1
        range: ((terraform_outputs.private_subnet_az1_cidr))
        reserved: ((terraform_outputs.private_subnet_az1_reserved))
        gateway: ((terraform_outputs.private_subnet_az1_gateway))
        static: ((terraform_outputs.dns_private_ips))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.dns_axfr_security_group))
- type: replace
  path: /networks/-
  value:
    name: dns-public
    type: dynamic
    subnets:
      - az: z1
        cloud_properties:
          subnet: ((terraform_outputs.public_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.dns_axfr_security_group))
            - ((terraform_outputs.dns_public_security_group))
      - az: z2
        cloud_properties:
          subnet: ((terraform_outputs.public_subnet_az2))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.dns_axfr_security_group))
            - ((terraform_outputs.dns_public_security_group))
- type: replace
  path: /networks/-
  value:
    name: dns-public-vip
    type: vip
- type: replace
  path: /networks/-
  value:
    name: smtp-private
    type: manual
    subnets:
      - az: z1
        range: ((terraform_outputs.private_subnet_az1_cidr))
        reserved: ((terraform_outputs.private_subnet_az1_reserved))
        gateway: ((terraform_outputs.private_subnet_az1_gateway))
        static: ((terraform_outputs.production_smtp_private_ip))
        dns: [((terraform_outputs.vpc_cidr_dns))]
        cloud_properties:
          subnet: ((terraform_outputs.private_subnet_az1))
          security_groups:
            - ((terraform_outputs.bosh_security_group))
            - ((terraform_outputs.smtp_security_group))

# todo (mxplusb): remove this.
- type: replace
  path: /vm_types/-
  value:
    name: staging-concourse-web
    cloud_properties:
      instance_type: t3.medium
      ephemeral_disk:
        size: 45_000
- type: replace
  path: /vm_types/-
  value:
    name: staging-concourse-worker
    cloud_properties:
      instance_type: m5.large
      ephemeral_disk:
        size: 50_000
- type: replace
  path: /vm_types/-
  value: &concourse-iaas-worker-vm
    name: staging-concourse-iaas-worker
    cloud_properties:
      instance_type: m5.large
      ephemeral_disk:
        size: 300_000
- type: replace
  path: /vm_types/-
  value:
    name: production-concourse-web
    cloud_properties:
      instance_type: t3.xlarge
      ephemeral_disk:
        size: 45_000
- type: replace
  path: /vm_types/-
  value:
    name: production-concourse-worker
    cloud_properties:
      instance_type: m5.xlarge
      ephemeral_disk:
        size: 300_000
- type: replace
  path: /vm_types/-
  value:
    name: m6i.large.nessus.manager
    cloud_properties:
      instance_type: m6i.large
      ephemeral_disk:
        size: 30_000
- type: replace
  path: /vm_types/-
  value:
    <<: *concourse-iaas-worker-vm
    name: production-concourse-iaas-worker

- type: replace
  path: /vm_extensions/-
  value:
    name: opsuaa-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.opsuaa_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: nessus-manager-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.nessus_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-prometheus-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_monitoring_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: production-prometheus-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_monitoring_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-doomsday-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_doomsday_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: production-doomsday-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_doomsday_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: development-defectdojo-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.development_defectdojo_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-defectdojo-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_defectdojo_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: production-defectdojo-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_defectdojo_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-concourse-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_concourse_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value: &concourse-profile
    name: staging-concourse-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.concourse_worker_profile))
- type: replace
  path: /vm_extensions/-
  value: &concourse-iaas-profile
    name: staging-concourse-iaas-profile
    cloud_properties:
      iam_instance_profile: ((terraform_outputs.concourse_iaas_worker_profile))
- type: replace
  path: /vm_extensions/-
  value:
    name: production-concourse-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_concourse_lb_target_group))

- type: replace
  path: /vm_extensions/-
  value:
    <<: *concourse-profile
    name: production-concourse-profile
- type: replace
  path: /vm_extensions/-
  value:
    <<: *concourse-iaas-profile
    name: production-concourse-iaas-profile
- type: replace
  path: /vm_extensions/-
  value:
    name: production-credhub-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.production_credhub_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: staging-credhub-lb
    cloud_properties:
      lb_target_groups:
        - ((terraform_outputs.staging_credhub_lb_target_group))
- type: replace
  path: /vm_extensions/-
  value:
    name: 5GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 5120
- type: replace
  path: /vm_extensions/-
  value:
    name: 10GB_ephemeral_disk
    cloud_properties:
      ephemeral_disk:
        size: 10240

- type: replace
  path: /disk_types/-
  value:
    name: bosh
    disk_size: 92_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    name: 5GB
    disk_size: 5120
- type: replace
  path: /disk_types/-
  value:
    name: nessus-manager
    disk_size: 200_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value: &prometheus-small-disk
    name: staging-prometheus-small
    disk_size: 8192
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value: &prometheus-large-disk
    name: staging-prometheus-large
    disk_size: 200_000
    cloud_properties:
      type: gp3
- type: replace
  path: /disk_types/-
  value:
    <<: *prometheus-small-disk
    name: production-prometheus-small
- type: replace
  path: /disk_types/-
  value:
    <<: *prometheus-large-disk
    name: production-prometheus-large
    disk_size: 3_000_000
    cloud_properties:
      type: io1
      iops: 14_000

- type: replace
  path: /compilation/network?
  value: production-concourse
--------------------------------------------------------------------------------
/empty-vm.yml:
--------------------------------------------------------------------------------
instance_groups:
- azs:
  - z1
  instances: 1
  jobs:
  - name: clamav
    properties:
      clamav:
        alert_on_stale_defs: ((/clamav_alert_on_stale_defs))
        cron:
          schedule: ((/clamav_cron_schedule))
        dbMirror1: ((/clamav_mirror))
        exclude_directories: ((/clamav_exclude_directories))
        include_directories: ((/clamav_include_directories))
        on_access_enabled: ((/clamav_onaccess_enabled))
        schedule_enabled: ((/clamav_schedule_enabled))
    release: clamav
  name: empty-vm
  networks:
  - name: default
  persistent_disk: 10240
  stemcell: default
  vm_type: t3.medium
name: empty-jammy-test
releases:
- name: clamav
  version: 37
stemcells:
- alias: default
  os: ubuntu-jammy
  version: latest
update:
  canaries: 2
  canary_watch_time: 5000-60000
  max_in_flight: 1
  update_watch_time: 5000-60000
--------------------------------------------------------------------------------
/generate-instance-config.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Page through every instance type the region offers, one JSON file per page.
i=$(aws ec2 describe-instance-types --region us-gov-west-1)
nextToken=$(echo "$i" | jq -r '.NextToken')
counter=0
echo "$i" > temp-instance-$counter.json

while [[ ${nextToken} != "null" && -n "${nextToken}" ]]; do
  i=$(aws ec2 describe-instance-types --region us-gov-west-1 --next-token "$nextToken")
  nextToken=$(echo "$i" | jq -r '.NextToken')
  counter=$((counter + 1))
  echo "$i" > temp-instance-$counter.json
done

# Merge the pages, then emit one cloud-config vm_type entry per instance type.
jq -r 'reduce inputs as $i (.; .InstanceTypes += $i.InstanceTypes)' temp-instance-*.json | \
  jq -r '[.InstanceTypes[] | {"name":.InstanceType,"cloud_properties":{"instance_type":.InstanceType}}]' | \
  yq read -

rm temp-instance-*.json
--------------------------------------------------------------------------------
/generate-master-bosh-certs.sh:
--------------------------------------------------------------------------------
#!/bin/bash

if [ "$#" -lt 1 ]; then
  echo "USAGE: $0 <master-bosh-ip>"
  exit 99;
fi

export MASTER_BOSH_IP=$1
export TARGET="out"

# generate master-bosh.pem / root CA
certstrap --depot-path ${TARGET} init -o 'GSA / TTS / 18F' -ou 'cloud.gov' --cn 'master-bosh' --passphrase ''

# extract the public key
TMPKEY=$(mktemp)
cp ${TARGET}/master-bosh.key ${TMPKEY}
chmod 600 ${TMPKEY}
ssh-keygen -y -f ${TMPKEY} > ${TARGET}/master-bosh.pub
rm ${TMPKEY}

# upload it to AWS. Use this as the default_key_name in all bosh manifests
key_name="masterbosh-$(date +'%Y%m%d%H%M%S')"
aws ec2 import-key-pair --key-name "${key_name}" --public-key-material "$(cat ${TARGET}/master-bosh.pub)"
echo "${key_name}" > ./key-name
--------------------------------------------------------------------------------
/operations/add-cloud-gov-root-certificate.yml:
--------------------------------------------------------------------------------
---
- type: replace
  path: /instance_groups/name=bosh/properties/director/trusted_certs?
  value: |
    # master-bosh root certificate.
--------------------------------------------------------------------------------
/operations/add-nessus-agent.yml:
--------------------------------------------------------------------------------
# This adds the nessus agent to master-bosh

- path: /releases/name=nessus-agent?
  release: nessus-agent
  type: replace
  value:
    name: nessus-agent
    url: 'file://../nessus-agent-release/nessus-agent-NESSUS_VER.tgz'

- path: /instance_groups/name=bosh/jobs/-
  type: replace
  value:
    name: nessus-agent
    properties:
      nessus-agent:
        key: ((nessus_agent_key))
        group: ((nessus_agent_group))
        server: ((nessus_agent_server))
        port: 8834
    release: nessus-agent
--------------------------------------------------------------------------------
/operations/add-new-saml-key.yml:
--------------------------------------------------------------------------------
- path: /variables/-
  type: replace
  value:
    name: uaa_service_provider_ssl_key_2
    options:
      alternative_names:
        - ((internal_ip))
      ca: default_ca
      common_name: ((internal_ip))
    type: certificate
# To add file, just increment integer here first
- path: /instance_groups/name=bosh/jobs/name=uaa/properties/login/saml/keys/uaa-saml-key-2?
  type: replace
  value:
    certificate: ((uaa_service_provider_ssl_key_2.certificate))
    key: ((uaa_service_provider_ssl_key_2.private_key))
    passphrase: ""

- path: /instance_groups/name=bosh/jobs/name=uaa/properties/login/saml/activeKeyId
  type: replace
  value: uaa-saml-key-2

- path: /instance_groups/name=bosh/jobs/name=uaa/properties/login/saml/keys/uaa-saml-key-1
  type: remove
--------------------------------------------------------------------------------
/operations/ca.yml:
--------------------------------------------------------------------------------
- path: /variables/name=default_ca?
  type: replace
  value:
    name: default_ca
    options:
      common_name: ca
      is_ca: true
      duration: 3650
    type: certificate

- path: /variables/name=nats_ca?
  type: replace
  value:
    name: nats_ca
    options:
      common_name: default.nats-ca.bosh-internal
      is_ca: true
      duration: 3650
    type: certificate

- path: /variables/name=blobstore_ca?
  type: replace
  value:
    name: blobstore_ca
    options:
      common_name: default.blobstore-ca.bosh-internal
      is_ca: true
      duration: 3650
    type: certificate

- path: /variables/name=credhub_ca?
  type: replace
  value:
    name: credhub_ca
    options:
      common_name: CredHub CA
      is_ca: true
      duration: 3650
    type: certificate

- type: replace
  path: /instance_groups/name=bosh/properties/director/trusted_certs?
  value: ((default_ca.ca))
--------------------------------------------------------------------------------
/operations/cloud-config.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /update?
  value:
    canaries: 1
    canary_watch_time: 3000-180000
    update_watch_time: 3000-180000
    max_in_flight: 4

- type: remove
  path: /cloud_provider

- type: remove
  path: /resource_pools

- type: remove
  path: /disk_pools

- type: remove
  path: /networks

- type: remove
  path: /instance_groups/name=bosh/resource_pool

- type: remove
  path: /instance_groups/name=bosh/persistent_disk_pool

- type: replace
  path: /instance_groups/name=bosh/vm_type?
  value: bosh

- type: replace
  path: /instance_groups/name=bosh/vm_extensions?
  value: [((instance_profile))]

- type: replace
  path: /instance_groups/name=bosh/persistent_disk_type?
  value: bosh

- type: replace
  path: /instance_groups/name=bosh/networks
  value:
    - name: ((network))
      static_ips: [((internal_ip))]

- type: replace
  path: /stemcells?
  value:
    - alias: default
      os: ubuntu-jammy
      version: latest

- type: replace
  path: /instance_groups/name=bosh/stemcell?
  value: default

- type: replace
  path: /instance_groups/name=bosh/azs?
  value: [z1]

- type: remove
  path: /variables/name=mbus_bootstrap_password

- type: remove
  path: /variables/name=mbus_bootstrap_ssl
--------------------------------------------------------------------------------
/operations/cpi-protobosh.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /instance_groups/name=bosh/properties/aws/default_iam_instance_profile?
3 | value: ((terraform_outputs.protobosh_profile)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=bosh/properties/aws/default_security_groups 7 | value: [((terraform_outputs.bosh_security_group))] 8 | 9 | - type: replace 10 | path: /instance_groups/name=bosh/properties/aws/region 11 | value: ((terraform_outputs.vpc_region)) 12 | 13 | - type: replace 14 | path: /instance_groups/name=bosh/properties/aws/encrypted? 15 | value: true 16 | 17 | - type: replace 18 | path: /instance_groups/name=bosh/properties/director/enable_cpi_resize_disk? 19 | value: true -------------------------------------------------------------------------------- /operations/cpi.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=bosh/properties/aws/default_iam_instance_profile? 3 | value: ((terraform_outputs.default_profile)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=bosh/properties/aws/default_security_groups 7 | value: [((terraform_outputs.bosh_security_group))] 8 | 9 | - type: replace 10 | path: /instance_groups/name=bosh/properties/aws/region 11 | value: ((terraform_outputs.vpc_region)) 12 | 13 | - type: replace 14 | path: /instance_groups/name=bosh/properties/aws/encrypted? 15 | value: true 16 | 17 | - type: replace 18 | path: /instance_groups/name=bosh/properties/director/enable_cpi_resize_disk? 19 | value: true 20 | 21 | - type: replace 22 | path: /tags?/environment? 23 | value: ((environment)) 24 | 25 | # Forces IMDSv2 26 | - type: replace 27 | path: /instance_groups/name=bosh/properties/aws/metadata_options?/http_tokens? 28 | value: required 29 | 30 | - type: replace 31 | path: /instance_groups/name=bosh/properties/aws/metadata_options?/http_put_response_hop_limit? 
32 | value: 2 -------------------------------------------------------------------------------- /operations/cron.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/- 3 | value: 4 | name: cron 5 | version: latest 6 | 7 | 8 | - type: replace 9 | path: /instance_groups/name=bosh/jobs/- 10 | value: 11 | name: cron 12 | release: cron 13 | properties: 14 | cron: 15 | variables: 16 | TOOLING_BOSH: ((terraform_outputs.tooling_bosh_static_ip)) 17 | AWS_DEFAULT_REGION: ((terraform_outputs.vpc_region)) 18 | PGHOST: ((terraform_outputs.bosh_rds_host_curr)) 19 | PGUSERNAME: ((terraform_outputs.bosh_rds_username)) 20 | PGPASSWORD: ((terraform_outputs.bosh_rds_password)) 21 | PGDBNAME: bosh 22 | VPC_NAME: ((terraform_outputs.stack_description)) 23 | BOSH_DIRECTOR: ((terraform_outputs.bosh_static_ip)) 24 | GATEWAY_HOST: ((gateway_host)) 25 | GATEWAY_DEPLOYMENT: ((gateway_deployment)) 26 | INSTANCE_WHITELIST: ((terraform_outputs.master_bosh_static_ip)) ((terraform_outputs.bosh_static_ip)) 27 | entries: 28 | - minute: '*' 29 | hour: '*' 30 | day: '*' 31 | month: '*' 32 | wday: '*' 33 | user: root 34 | script: 35 | name: unknown-vms.sh 36 | contents: |- 37 | #!/bin/bash 38 | 39 | set -exu 40 | 41 | export PGPASSWORD=${PGPASSWORD} 42 | 43 | # apps from other packages on this host we need 44 | PSQL=/var/vcap/packages/postgres-client/bin/psql 45 | 46 | AWSCLI=/var/vcap/packages/awslogs-jammy/venv/bin/aws 47 | export LD_LIBRARY_PATH=/var/vcap/packages/awslogs-jammy/venv/lib 48 | 49 | # Hack: look up push gateway address in database if gateway is managed by the current director 50 | if [ -n "${GATEWAY_DEPLOYMENT}" ]; then 51 | GATEWAY_HOST=$($PSQL -h ${PGHOST} -U ${PGUSERNAME} -d ${PGDBNAME} -tA -c \ 52 | "select ip from local_dns_records where deployment = '${GATEWAY_DEPLOYMENT}' and instance_group = 'prometheus' limit 1") 53 | fi 54 | 55 | # build JMESpath filter to exclude a list of instances based on their 
PrivateIpAddress 56 | query_filter() { 57 | local IFS 58 | unset IFS 59 | local FILTER="" 60 | 61 | for ip in ${1}; do 62 | if [ -z "$FILTER" ]; then 63 | FILTER="?PrivateIpAddress != " 64 | else 65 | FILTER="${FILTER} && PrivateIpAddress != " 66 | fi 67 | FILTER="${FILTER}\`$ip\`" 68 | done 69 | 70 | echo ${FILTER} 71 | } 72 | 73 | 74 | # find the AWS VPC ID we want to enumerate 75 | VPC_ID=$(${AWSCLI} ec2 describe-vpcs --filter Name=tag:Name,Values=${VPC_NAME} --output text --query 'Vpcs[].VpcId') 76 | 77 | IFS=$'\n' 78 | VMS=$( 79 | ${AWSCLI} ec2 describe-instances --max-items 1000 --output text --filter Name=vpc-id,Values=${VPC_ID} --query " 80 | Reservations[].Instances[$(query_filter "${BOSH_DIRECTOR} ${INSTANCE_WHITELIST}")] 81 | | [].{\"iaas_id\": InstanceId, \"bosh_id\": Tags[?Key==\`id\`].Value | [0]} 82 | | [].[iaas_id, bosh_id]" 83 | ) 84 | metrics=$(mktemp metrics-XXXX.prom) 85 | # 86 | # get a list of all the instances bosh has created 87 | KNOWN_INSTANCES=$($PSQL -h ${PGHOST} -U ${PGUSERNAME} -d ${PGDBNAME} -t -c "select uuid from instances") 88 | 89 | # emit a metric for all instances in that VPC 90 | for vminfo in ${VMS} 91 | do 92 | 93 | iaas_id=$(echo ${vminfo} | cut -f1) 94 | bosh_id=$(echo ${vminfo} | cut -f2) 95 | 96 | # check to see if bosh director knows about this instance pulled from the iaas 97 | unknown_instance=0 98 | if [[ $KNOWN_INSTANCES != *${bosh_id}* ]]; then 99 | unknown_instance=1 100 | fi 101 | 102 | # append one Prometheus sample per instance (heredoc terminated by PUSH) 103 | cat <<PUSH >> "${metrics}" 104 | bosh_unknown_iaas_instance {iaas_id="${iaas_id}",bosh_id="${bosh_id}"} ${unknown_instance} 105 | PUSH 106 | 107 | done 108 | 109 | curl -X PUT --data-binary "@${metrics}" "${GATEWAY_HOST}:${GATEWAY_PORT:-9091}/metrics/job/bosh_unknown_instance/vpc_name/${VPC_NAME}" 110 | rm "${metrics}" 111 | -------------------------------------------------------------------------------- /operations/dns-aliases.yml: -------------------------------------------------------------------------------- 1 | # Allow tooling
services to resolve the prometheus push gateway 2 | - type: replace 3 | path: /addons/name=bosh-dns/jobs/name=bosh-dns/properties/aliases? 4 | value: 5 | prometheus-staging.service.cf.internal: ["*.prometheus.staging-monitoring.prometheus-staging.bosh"] 6 | prometheus-production.service.cf.internal: ["*.prometheus.production-monitoring.prometheus-production.bosh"] 7 | prometheus-tooling.service.cf.internal: ["*.prometheus-tooling.production-monitoring.prometheus-production.bosh"] 8 | alertmanager-staging.service.cf.internal: ["*.alertmanager.staging-monitoring.prometheus-staging.bosh"] 9 | alertmanager-production.service.cf.internal: ["*.alertmanager.production-monitoring.prometheus-production.bosh"] 10 | 11 | - type: replace 12 | path: /addons/name=bosh-dns/jobs/name=bosh-dns/properties/log_level? 13 | value: WARN 14 | -------------------------------------------------------------------------------- /operations/dns.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=bosh/properties/director/local_dns/include_index? 3 | value: true 4 | -------------------------------------------------------------------------------- /operations/encryption.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /cloud_provider/properties/aws/encrypted? 3 | value: true 4 | -------------------------------------------------------------------------------- /operations/external-db-bosh-rds.yml: -------------------------------------------------------------------------------- 1 | - type: remove 2 | path: /instance_groups/name=bosh/jobs/name=postgres-9.4? 3 | 4 | - type: remove 5 | path: /instance_groups/name=bosh/jobs/name=postgres-10? 6 | 7 | - type: remove 8 | path: /instance_groups/name=bosh/jobs/name=postgres? 
9 | 10 | - type: remove 11 | path: /instance_groups/name=bosh/properties/postgres 12 | 13 | - type: replace 14 | path: /instance_groups/name=bosh/jobs/- 15 | value: 16 | name: toolbelt-psql 17 | release: toolbelt 18 | 19 | - type: replace 20 | path: /releases/- 21 | value: 22 | name: toolbelt 23 | version: latest 24 | 25 | - type: replace 26 | path: /instance_groups/name=bosh/properties/director/db 27 | value: 28 | host: ((terraform_outputs.bosh_rds_host_curr)) 29 | port: ((terraform_outputs.bosh_rds_port)) 30 | user: ((terraform_outputs.bosh_rds_username)) 31 | password: ((terraform_outputs.bosh_rds_password)) 32 | database: bosh 33 | 34 | - type: replace 35 | path: /instance_groups/name=bosh/properties/registry?/db 36 | value: 37 | host: ((terraform_outputs.bosh_rds_host_curr)) 38 | port: ((terraform_outputs.bosh_rds_port)) 39 | user: ((terraform_outputs.bosh_rds_username)) 40 | password: ((terraform_outputs.bosh_rds_password)) 41 | database: bosh 42 | 43 | - type: replace 44 | path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaadb 45 | value: 46 | address: ((terraform_outputs.bosh_rds_host_curr)) 47 | port: ((terraform_outputs.bosh_rds_port)) 48 | user: ((terraform_outputs.bosh_rds_username)) 49 | password: ((terraform_outputs.bosh_rds_password)) 50 | db_scheme: postgresql 51 | roles: 52 | - name: bosh 53 | password: ((terraform_outputs.bosh_rds_password)) 54 | tag: admin 55 | databases: 56 | - name: bosh_uaadb 57 | tag: uaa 58 | 59 | - type: replace 60 | path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/ca_certs? 
61 | value: 62 | - |+ 63 | # UAA requires each cert as an array object 64 | # RDS US-GOV-WEST-1-BUNDLE.PEM UPDATED APRIL 2022 65 | # Amazon RDS GovCloud Root CA expires May22 66 | -----BEGIN CERTIFICATE----- 67 | MIIEDjCCAvagAwIBAgIJAMM61RQn3/kdMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD 68 | VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi 69 | MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h 70 | em9uIFJEUzEkMCIGA1UEAwwbQW1hem9uIFJEUyBHb3ZDbG91ZCBSb290IENBMB4X 71 | DTE3MDUxOTIyMjkxMVoXDTIyMDUxODIyMjkxMVowgZMxCzAJBgNVBAYTAlVTMRAw 72 | DgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQKDBlB 73 | bWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMSQw 74 | IgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwggEiMA0GCSqGSIb3 75 | DQEBAQUAA4IBDwAwggEKAoIBAQDGS9bh1FGiJPT+GRb3C5aKypJVDC1H2gbh6n3u 76 | j8cUiyMXfmm+ak402zdLpSYMaxiQ7oL/B3wEmumIpRDAsQrSp3B/qEeY7ipQGOfh 77 | q2TXjXGIUjiJ/FaoGqkymHRLG+XkNNBtb7MRItsjlMVNELXECwSiMa3nJL2/YyHW 78 | nTr1+11/weeZEKgVbCUrOugFkMXnfZIBSn40j6EnRlO2u/NFU5ksK5ak2+j8raZ7 79 | xW7VXp9S1Tgf1IsWHjGZZZguwCkkh1tHOlHC9gVA3p63WecjrIzcrR/V27atul4m 80 | tn56s5NwFvYPUIx1dbC8IajLUrepVm6XOwdQCfd02DmOyjWJAgMBAAGjYzBhMA4G 81 | A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRJEM+kuDUu 82 | ZTmCnA4wUrgnFaXc4zAfBgNVHSMEGDAWgBRJEM+kuDUuZTmCnA4wUrgnFaXc4zAN 83 | BgkqhkiG9w0BAQsFAAOCAQEAcfA7uirXsNZyI2j4AJFVtOTKOZlQwqbyNducnmlg 84 | /5nug9fAkwM4AgvF5bBOD1Hw6khdsccMwIj+1S7wpL+EYb/nSc8G0qe1p/9lZ/mZ 85 | ff5g4JOa26lLuCrZDqAk4TzYnt6sQKfa5ZXVUUn0BK3okhiXS0i+NloMyaBCL7vk 86 | kDwkHwEqflRKfZ9/oFTcCfoiHPA7AdBtaPVr0/Kj9L7k+ouz122huqG5KqX0Zpo8 87 | S0IGvcd2FZjNSNPttNAK7YuBVsZ0m2nIH1SLp//00v7yAHIgytQwwB17PBcp4NXD 88 | pCfTa27ng9mMMC2YLqWQpW4TkqjDin2ZC+5X/mbrjzTvVg== 89 | -----END CERTIFICATE----- 90 | - |+ 91 | # Amazon RDS us-gov-west-1 CA expires May22 92 | -----BEGIN CERTIFICATE----- 93 | MIIECjCCAvKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVT 94 | MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK 95 | 
DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT 96 | MSQwIgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwHhcNMTcwNTE5 97 | MjIzMTE5WhcNMjIwNTE4MTIwMDAwWjCBkzELMAkGA1UEBhMCVVMxEzARBgNVBAgM 98 | Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoMGUFtYXpvbiBX 99 | ZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxJDAiBgNVBAMM 100 | G0FtYXpvbiBSRFMgdXMtZ292LXdlc3QtMSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD 101 | ggEPADCCAQoCggEBAM8YZLKAzzOdNnoi7Klih26Zkj+OCpDfwx4ZYB6f8L8UoQi5 102 | 8z9ZtIwMjiJ/kO08P1yl4gfc7YZcNFvhGruQZNat3YNpxwUpQcr4mszjuffbL4uz 103 | +/8FBxALdqCVOJ5Q0EVSfz3d9Bd1pUPL7ARtSpy7bn/tUPyQeI+lODYO906C0TQ3 104 | b9bjOsgAdBKkHfjLdsknsOZYYIzYWOJyFJJa0B11XjDUNBy/3IuC0KvDl6At0V5b 105 | 8M6cWcKhte2hgjwTYepV+/GTadeube1z5z6mWsN5arOAQUtYDLH6Aztq9mCJzLHm 106 | RccBugnGl3fRLJ2VjioN8PoGoN9l9hFBy5fnFgsCAwEAAaNmMGQwDgYDVR0PAQH/ 107 | BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFEG7+br8KkvwPd5g 108 | 71Rvh2stclJbMB8GA1UdIwQYMBaAFEkQz6S4NS5lOYKcDjBSuCcVpdzjMA0GCSqG 109 | SIb3DQEBCwUAA4IBAQBMA327u5ABmhX+aPxljoIbxnydmAFWxW6wNp5+rZrvPig8 110 | zDRqGQWWr7wWOIjfcWugSElYtf/m9KZHG/Z6+NG7nAoUrdcd1h/IQhb+lFQ2b5g9 111 | sVzQv/H2JNkfZA8fL/Ko/Tm/f9tcqe0zrGCtT+5u0Nvz35Wl8CEUKLloS5xEb3k5 112 | 7D9IhG3fsE3vHWlWrGCk1cKry3j12wdPG5cUsug0vt34u6rdhP+FsM0tHI15Kjch 113 | RuUCvyQecy2ZFNAa3jmd5ycNdL63RWe8oayRBpQBxPPCbHfILxGZEdJbCH9aJ2D/ 114 | l8oHIDnvOLdv7/cBjyYuvmprgPtu3QEkbre5Hln/ 115 | -----END CERTIFICATE----- 116 | - |+ 117 | # Amazon RDS us-gov-west-1 Root CA RSA2048 G1 expires April2162 118 | -----BEGIN CERTIFICATE----- 119 | MIIEBzCCAu+gAwIBAgIRAMSbo6rMlQ+TZDCb7zg40qUwDQYJKoZIhvcNAQEMBQAw 120 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 121 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 122 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 123 | A1UEBwwHU2VhdHRsZTAgFw0yMjA0MTUyMjM1MjFaGA8yMDYyMDQxNTIzMzUyMVow 124 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 125 | 
bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 126 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 127 | A1UEBwwHU2VhdHRsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM3U 128 | XJp6XLyNdOmyuj19ZKNmbJTGoRbsnrdxYLxbhQRCykOga7Hh/D5qKPMR/B80OsoK 129 | uWpxWmQCaCP4Z9Aa9N68L0TRJXZoArZjV8q5nfjsYWQqOPx+cKtIxqvyotov5WE2 130 | RKaujqpKBAyI49542NNmOEROUshunxYh/7s3Z8oPxOX8kp6hLBtckqUzFbAb7/vM 131 | X0YpgNUpJ2G1Q9MLKfxEmw2p0WE1FEW35gMvUN4jFtTaKjsXtqGu6iF4YqEASwrv 132 | vPmLhBHuyKC9ZfEvYzFjw2+l5SMENvhAde10WUpBuJnK+ZoKgFxLOUcdyZO9fR1Y 133 | wVG5twjPnOhHUOLpAP0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E 134 | FgQUsjcnO96t1VCa/JBZSqY1asXWaZ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3 135 | DQEBDAUAA4IBAQCYx0FHyvrX1CeuKd4CEi50QUZzY1HjGoySz+by6rY1+jZ1v2cp 136 | JIBrhQ8VUiJ8EqCDKzzv1mBOA1lx+5jpWB2yKP2hq3YJ93BNK+KO7BgasCkUYLGk 137 | v3c2jo4J5qbWsNsqa/dog+qQbLAcqCx4MeZIadpdLv++ejGPjA0+zjXWwWmQ4RKe 138 | ILiR1wO52uKF90tiDTNi3C5oMaEYbW+Kbsfsx5NpybEU7DkrVKb4MTVgtFuAELrF 139 | 8Zmdbpv8xnUA+oo/QdLLX+eJP/+8tdeDdB6rYFKpJmC2B3EnaKS4X4UpxZJFAgig 140 | oB6q5jNJ5onkWIfx8luNdbagKSFZXHhSO8KP 141 | -----END CERTIFICATE----- 142 | - |+ 143 | # Amazon RDS us-gov-west-1 Root CA RSA4096 G1 expires May2121 144 | -----BEGIN CERTIFICATE----- 145 | MIIGBzCCA++gAwIBAgIRAOzQCoOR21YG2noWOfFcuNIwDQYJKoZIhvcNAQEMBQAw 146 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 147 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 148 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 149 | A1UEBwwHU2VhdHRsZTAgFw0yMTA1MjYyMTQ0MzlaGA8yMTIxMDUyNjIyNDQzOVow 150 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 151 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 152 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 153 | A1UEBwwHU2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwY 154 | M2iZdnnlMutI9nfn2fWBICAQHWmMmpPmtSka/ziBFyaCxkHDF8RLmooW+GLe+FEF 155 | 
9CQKSVqRa7X5AFiqRFF1KvgxWvazawyScuw88JW6Eqhaw0Rlm2p1Iow3TE8FSCDo 156 | Is1vEV3Brbf26CMiXbqI+aCuTOy0fjRzjl5igViTgZxt2ZXOwyKkF+2T8LQp4b4F 157 | Mh85Ctw1An1DhAemsc3SmcYnPKyFUP90DxGuTjFtfNR01GbBtVYwVvOBgIJe59Zs 158 | OWcEFOO2mU53Ik6oKcLYu4+PmE5aDvQewb6bkQZchClb7Eg0BPYekWwTPsKUTS3H 159 | bgdwVxgzjdAdU9fvaaoQmS9xdHWlonKq8CubJdLUduV3WVmDAg7MQgiT3p8JF9W2 160 | KbQpUbYxqd7j9OIe3IS3rVPwYA8PVh1hUJ+OBLw61sbGRAuN3H+B1DlJh1smg6bR 161 | g9W+oLRzfjZa32EzFmaQIxtgRfiyjxB/vqAHdl5zPou30X1CyRYquS870O02bvTN 162 | zzWSOfRY4KPmS1YFVsN+m+R4+hSUOAE//bJ25ACP9oDO5w9NWkAux4e0UUAuWCra 163 | jRROYN2J0KCogdru5G7lOQerD12zi3C2iibty6ou4tQX+MIKMMUVq8cfUH7oKv/R 164 | 8mL5PV/NUsgO248llo0lr9QBwQKdiw17wCxFR+8vAgMBAAGjQjBAMA8GA1UdEwEB 165 | /wQFMAMBAf8wHQYDVR0OBBYEFPDYnx2xYIPDDAEjb6UcF29I6DgKMA4GA1UdDwEB 166 | /wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANTrAGs/GpXCADAwMGlrjXTdohp+p 167 | CIp3gbnryVYZBXvO+f8hjJ8bHk0D/DiBrkjE8o0IpNaAadOZa+WvTNMsanPmGf1A 168 | kD0vA9nm4gwEhBbzj9HRYX+dIhZhVWny9Kugm80s0h0hvbwTakUPOdMqkz6wn+xx 169 | Owh7AIwaC5TTCsQyKlv5rjVblvU1XFgBf3Pf3wvMAfjDoAEPTXER/9mLVbXe+EmW 170 | osP1JmgyDd+0WQFVK/LEDW81L5hsV5JvthAAFhGVtRw9ko5Ep28+EQUJE1wmLTdL 171 | PyjB/KfJrTMDq94WolzFv4JpUStHbclkKlXtigjKeiYZ5Yvo+vLMSkXemccSfYn7 172 | vdaUFD5vqWXvM4xhiYRq/tigw2E1bjmyd9L3XD7XalufZtMGWn7zT8HMPP+/Lch1 173 | JjZ9LL2Y99VIqhoHcuSa95FtLpYDRQ28K03uwqxqFnOQLyPVmYwsaHKnmmwaZDjF 174 | K1XxLVRLGRWvKEuSoWrsGcs3ehoxX4Knz/BaJzr/ioU1VnItj53tmOSJO0eMA6k+ 175 | egaVEb0FTa2F5xeLCKjgfDDWMz3v0TdL+kt+9z0THMlPWfOzd1C35ZzSIcTcRj22 176 | SAzsL0t5ZTI4XvoPFF8dga78/KsBRolqdPjs0UzdlKhwh1ADOkTRgLOaaidMEgsT 177 | JS/rbzD4FPbvc/g= 178 | -----END CERTIFICATE----- 179 | - |+ 180 | # Amazon RDS us-gov-west-1 Root CA ECC384 G1 expires May2121 181 | -----BEGIN CERTIFICATE----- 182 | MIICtDCCAjugAwIBAgIQPyg+edjKVnM2PB4KZVu66jAKBggqhkjOPQQDAzCBmjEL 183 | MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x 184 | EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6 185 | 
b24gUkRTIHVzLWdvdi13ZXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM 186 | B1NlYXR0bGUwIBcNMjEwNTI2MjE1MzI3WhgPMjEyMTA1MjYyMjUzMjdaMIGaMQsw 187 | CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET 188 | MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv 189 | biBSRFMgdXMtZ292LXdlc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH 190 | U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABFaqyIYrbpPfhiKzLEkmzp1j 191 | 3OYO/e1VE3vCf5c62bN5xYKFKH/MnKgsUFNsFpJ1t0p9cexi+607aiYOo1sOWvOj 192 | q3PUu+ltklQdvunU/Se5++qqsh7lylL5OF/F19uqfqNCMEAwDwYDVR0TAQH/BAUw 193 | AwEB/zAdBgNVHQ4EFgQUJHPtPhijPquZxTz2UGh4YV1npYMwDgYDVR0PAQH/BAQD 194 | AgGGMAoGCCqGSM49BAMDA2cAMGQCMHWDFuIZ9LZgysbL4vx/Ox9z8fbegb3352bM 195 | BFr6JV1x8VLbePblHd0V1MwDdRWeAwIwarWfOVdB1ijrwzjROzCwE0uBkHYUPr0Z 196 | vgwdtlsnwDw9TnjsBrTJkQ0aS8c0Ahl1 197 | -----END CERTIFICATE----- 198 | - |+ 199 | # rds-ca-2015-root.pem 200 | -----BEGIN CERTIFICATE----- 201 | MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx 202 | EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoM 203 | GUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMx 204 | GzAZBgNVBAMMEkFtYXpvbiBSRFMgUm9vdCBDQTAeFw0xNTAyMDUwOTExMzFaFw0y 205 | MDAzMDUwOTExMzFaMIGKMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv 206 | bjEQMA4GA1UEBwwHU2VhdHRsZTEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNl 207 | cywgSW5jLjETMBEGA1UECwwKQW1hem9uIFJEUzEbMBkGA1UEAwwSQW1hem9uIFJE 208 | UyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD8nrZ8V 209 | u+VA8yVlUipCZIKPTDcOILYpUe8Tct0YeQQr0uyl018StdBsa3CjBgvwpDRq1HgF 210 | Ji2N3+39+shCNspQeE6aYU+BHXhKhIIStt3r7gl/4NqYiDDMWKHxHq0nsGDFfArf 211 | AOcjZdJagOMqb3fF46flc8k2E7THTm9Sz4L7RY1WdABMuurpICLFE3oHcGdapOb9 212 | T53pQR+xpHW9atkcf3pf7gbO0rlKVSIoUenBlZipUlp1VZl/OD/E+TtRhDDNdI2J 213 | P/DSMM3aEsq6ZQkfbz/Ilml+Lx3tJYXUDmp+ZjzMPLk/+3beT8EhrwtcG3VPpvwp 214 | BIOqsqVVTvw/CwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw 215 | AwEB/zAdBgNVHQ4EFgQUTgLurD72FchM7Sz1BcGPnIQISYMwHwYDVR0jBBgwFoAU 216 | 
TgLurD72FchM7Sz1BcGPnIQISYMwDQYJKoZIhvcNAQEFBQADggEBAHZcgIio8pAm 217 | MjHD5cl6wKjXxScXKtXygWH2BoDMYBJF9yfyKO2jEFxYKbHePpnXB1R04zJSWAw5 218 | 2EUuDI1pSBh9BA82/5PkuNlNeSTB3dXDD2PEPdzVWbSKvUB8ZdooV+2vngL0Zm4r 219 | 47QPyd18yPHrRIbtBtHR/6CwKevLZ394zgExqhnekYKIqqEX41xsUV0Gm6x4vpjf 220 | 2u6O/+YE2U+qyyxHE5Wd5oqde0oo9UUpFETJPVb6Q2cEeQib8PBAyi0i6KnF+kIV 221 | A9dY7IHSubtCK/i8wxMVqfd5GtbA8mmpeJFwnDvm9rBEsHybl08qlax9syEwsUYr 222 | /40NawZfTUU= 223 | -----END CERTIFICATE----- 224 | - |+ 225 | # rds-ca-2012-us-gov-west-1.pem 226 | -----BEGIN CERTIFICATE----- 227 | MIIDQzCCAqygAwIBAgIJAMGs6m/j+u8sMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV 228 | BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw 229 | EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h 230 | bWF6b24uY29tL3Jkcy8wHhcNMTIwODE2MDY0MjAwWhcNMTcwODE1MDY0MjAwWjB1 231 | MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh 232 | dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD 233 | ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 234 | gQCnTB7AkRR4xuhfAuOt5foNeCRBPeUujkzmJu1yfnTbtFi+g7zmovQ9BJcRoPYL 235 | 45McnXyaT/7UjhJhCI5gnYlTIyBTRFh7lXFJryypFx8AIh6q3D/ht8b6cVro3sJ2 236 | k4x1w/c7akKKsZJtf0ZyhbMvNnBz3K3TWVB6c9DChbfyUQIDAQABo4HaMIHXMB0G 237 | A1UdDgQWBBS/OwyfNJHDnAmnZBbq9ACiXz7O1jCBpwYDVR0jBIGfMIGcgBS/Owyf 238 | NJHDnAmnZBbq9ACiXz7O1qF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh 239 | c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x 240 | DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAMGs 241 | 6m/j+u8sMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACR37LqHlzjSH 242 | 9gHCaiVJgCb0CCxSg3PHaQuv8h4ugAqQpGxpX3Zo97VgHnjEve21gXA74kzGUUAo 243 | 7YNTZWbF2VkHUDqekXimvL3q1JEvHDKPkLJrxEic1zTU1uazb9uJeb1aVWTq6N8R 244 | bx56xd/e3o7RYcPfLD45y7RRXKz3AmE= 245 | -----END CERTIFICATE----- 246 | 247 | 248 | - type: replace 249 | path: /instance_groups/name=bosh/jobs/name=credhub/properties/credhub/data_storage 250 | value: 251 | type: postgres 252 | 
host: ((terraform_outputs.bosh_rds_host_curr)) 253 | port: ((terraform_outputs.bosh_rds_port)) 254 | username: ((terraform_outputs.bosh_rds_username)) 255 | password: ((terraform_outputs.bosh_rds_password)) 256 | database: credhub 257 | require_tls: true 258 | tls_ca: |- 259 | # Credhub requires all CA certs to be one single bundle 260 | # RDS US-GOV-WEST-1-BUNDLE.PEM UPDATED APRIL 2022 261 | # Amazon RDS GovCloud Root CA expires May22 262 | -----BEGIN CERTIFICATE----- 263 | MIIEDjCCAvagAwIBAgIJAMM61RQn3/kdMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD 264 | VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi 265 | MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h 266 | em9uIFJEUzEkMCIGA1UEAwwbQW1hem9uIFJEUyBHb3ZDbG91ZCBSb290IENBMB4X 267 | DTE3MDUxOTIyMjkxMVoXDTIyMDUxODIyMjkxMVowgZMxCzAJBgNVBAYTAlVTMRAw 268 | DgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQKDBlB 269 | bWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMSQw 270 | IgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwggEiMA0GCSqGSIb3 271 | DQEBAQUAA4IBDwAwggEKAoIBAQDGS9bh1FGiJPT+GRb3C5aKypJVDC1H2gbh6n3u 272 | j8cUiyMXfmm+ak402zdLpSYMaxiQ7oL/B3wEmumIpRDAsQrSp3B/qEeY7ipQGOfh 273 | q2TXjXGIUjiJ/FaoGqkymHRLG+XkNNBtb7MRItsjlMVNELXECwSiMa3nJL2/YyHW 274 | nTr1+11/weeZEKgVbCUrOugFkMXnfZIBSn40j6EnRlO2u/NFU5ksK5ak2+j8raZ7 275 | xW7VXp9S1Tgf1IsWHjGZZZguwCkkh1tHOlHC9gVA3p63WecjrIzcrR/V27atul4m 276 | tn56s5NwFvYPUIx1dbC8IajLUrepVm6XOwdQCfd02DmOyjWJAgMBAAGjYzBhMA4G 277 | A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRJEM+kuDUu 278 | ZTmCnA4wUrgnFaXc4zAfBgNVHSMEGDAWgBRJEM+kuDUuZTmCnA4wUrgnFaXc4zAN 279 | BgkqhkiG9w0BAQsFAAOCAQEAcfA7uirXsNZyI2j4AJFVtOTKOZlQwqbyNducnmlg 280 | /5nug9fAkwM4AgvF5bBOD1Hw6khdsccMwIj+1S7wpL+EYb/nSc8G0qe1p/9lZ/mZ 281 | ff5g4JOa26lLuCrZDqAk4TzYnt6sQKfa5ZXVUUn0BK3okhiXS0i+NloMyaBCL7vk 282 | kDwkHwEqflRKfZ9/oFTcCfoiHPA7AdBtaPVr0/Kj9L7k+ouz122huqG5KqX0Zpo8 283 | S0IGvcd2FZjNSNPttNAK7YuBVsZ0m2nIH1SLp//00v7yAHIgytQwwB17PBcp4NXD 284 | 
pCfTa27ng9mMMC2YLqWQpW4TkqjDin2ZC+5X/mbrjzTvVg== 285 | -----END CERTIFICATE----- 286 | # Amazon RDS us-gov-west-1 CA expires May22 287 | -----BEGIN CERTIFICATE----- 288 | MIIECjCCAvKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVT 289 | MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK 290 | DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT 291 | MSQwIgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwHhcNMTcwNTE5 292 | MjIzMTE5WhcNMjIwNTE4MTIwMDAwWjCBkzELMAkGA1UEBhMCVVMxEzARBgNVBAgM 293 | Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoMGUFtYXpvbiBX 294 | ZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxJDAiBgNVBAMM 295 | G0FtYXpvbiBSRFMgdXMtZ292LXdlc3QtMSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD 296 | ggEPADCCAQoCggEBAM8YZLKAzzOdNnoi7Klih26Zkj+OCpDfwx4ZYB6f8L8UoQi5 297 | 8z9ZtIwMjiJ/kO08P1yl4gfc7YZcNFvhGruQZNat3YNpxwUpQcr4mszjuffbL4uz 298 | +/8FBxALdqCVOJ5Q0EVSfz3d9Bd1pUPL7ARtSpy7bn/tUPyQeI+lODYO906C0TQ3 299 | b9bjOsgAdBKkHfjLdsknsOZYYIzYWOJyFJJa0B11XjDUNBy/3IuC0KvDl6At0V5b 300 | 8M6cWcKhte2hgjwTYepV+/GTadeube1z5z6mWsN5arOAQUtYDLH6Aztq9mCJzLHm 301 | RccBugnGl3fRLJ2VjioN8PoGoN9l9hFBy5fnFgsCAwEAAaNmMGQwDgYDVR0PAQH/ 302 | BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFEG7+br8KkvwPd5g 303 | 71Rvh2stclJbMB8GA1UdIwQYMBaAFEkQz6S4NS5lOYKcDjBSuCcVpdzjMA0GCSqG 304 | SIb3DQEBCwUAA4IBAQBMA327u5ABmhX+aPxljoIbxnydmAFWxW6wNp5+rZrvPig8 305 | zDRqGQWWr7wWOIjfcWugSElYtf/m9KZHG/Z6+NG7nAoUrdcd1h/IQhb+lFQ2b5g9 306 | sVzQv/H2JNkfZA8fL/Ko/Tm/f9tcqe0zrGCtT+5u0Nvz35Wl8CEUKLloS5xEb3k5 307 | 7D9IhG3fsE3vHWlWrGCk1cKry3j12wdPG5cUsug0vt34u6rdhP+FsM0tHI15Kjch 308 | RuUCvyQecy2ZFNAa3jmd5ycNdL63RWe8oayRBpQBxPPCbHfILxGZEdJbCH9aJ2D/ 309 | l8oHIDnvOLdv7/cBjyYuvmprgPtu3QEkbre5Hln/ 310 | -----END CERTIFICATE----- 311 | # Amazon RDS us-gov-west-1 Root CA RSA2048 G1 expires April2162 312 | -----BEGIN CERTIFICATE----- 313 | MIIEBzCCAu+gAwIBAgIRAMSbo6rMlQ+TZDCb7zg40qUwDQYJKoZIhvcNAQEMBQAw 314 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 315 | 
bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 316 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 317 | A1UEBwwHU2VhdHRsZTAgFw0yMjA0MTUyMjM1MjFaGA8yMDYyMDQxNTIzMzUyMVow 318 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 319 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 320 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 321 | A1UEBwwHU2VhdHRsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM3U 322 | XJp6XLyNdOmyuj19ZKNmbJTGoRbsnrdxYLxbhQRCykOga7Hh/D5qKPMR/B80OsoK 323 | uWpxWmQCaCP4Z9Aa9N68L0TRJXZoArZjV8q5nfjsYWQqOPx+cKtIxqvyotov5WE2 324 | RKaujqpKBAyI49542NNmOEROUshunxYh/7s3Z8oPxOX8kp6hLBtckqUzFbAb7/vM 325 | X0YpgNUpJ2G1Q9MLKfxEmw2p0WE1FEW35gMvUN4jFtTaKjsXtqGu6iF4YqEASwrv 326 | vPmLhBHuyKC9ZfEvYzFjw2+l5SMENvhAde10WUpBuJnK+ZoKgFxLOUcdyZO9fR1Y 327 | wVG5twjPnOhHUOLpAP0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E 328 | FgQUsjcnO96t1VCa/JBZSqY1asXWaZ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3 329 | DQEBDAUAA4IBAQCYx0FHyvrX1CeuKd4CEi50QUZzY1HjGoySz+by6rY1+jZ1v2cp 330 | JIBrhQ8VUiJ8EqCDKzzv1mBOA1lx+5jpWB2yKP2hq3YJ93BNK+KO7BgasCkUYLGk 331 | v3c2jo4J5qbWsNsqa/dog+qQbLAcqCx4MeZIadpdLv++ejGPjA0+zjXWwWmQ4RKe 332 | ILiR1wO52uKF90tiDTNi3C5oMaEYbW+Kbsfsx5NpybEU7DkrVKb4MTVgtFuAELrF 333 | 8Zmdbpv8xnUA+oo/QdLLX+eJP/+8tdeDdB6rYFKpJmC2B3EnaKS4X4UpxZJFAgig 334 | oB6q5jNJ5onkWIfx8luNdbagKSFZXHhSO8KP 335 | -----END CERTIFICATE----- 336 | # Amazon RDS us-gov-west-1 Root CA RSA4096 G1 expires May2121 337 | -----BEGIN CERTIFICATE----- 338 | MIIGBzCCA++gAwIBAgIRAOzQCoOR21YG2noWOfFcuNIwDQYJKoZIhvcNAQEMBQAw 339 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 340 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 341 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 342 | A1UEBwwHU2VhdHRsZTAgFw0yMTA1MjYyMTQ0MzlaGA8yMTIxMDUyNjIyNDQzOVow 343 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 344 | 
bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 345 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 346 | A1UEBwwHU2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwY 347 | M2iZdnnlMutI9nfn2fWBICAQHWmMmpPmtSka/ziBFyaCxkHDF8RLmooW+GLe+FEF 348 | 9CQKSVqRa7X5AFiqRFF1KvgxWvazawyScuw88JW6Eqhaw0Rlm2p1Iow3TE8FSCDo 349 | Is1vEV3Brbf26CMiXbqI+aCuTOy0fjRzjl5igViTgZxt2ZXOwyKkF+2T8LQp4b4F 350 | Mh85Ctw1An1DhAemsc3SmcYnPKyFUP90DxGuTjFtfNR01GbBtVYwVvOBgIJe59Zs 351 | OWcEFOO2mU53Ik6oKcLYu4+PmE5aDvQewb6bkQZchClb7Eg0BPYekWwTPsKUTS3H 352 | bgdwVxgzjdAdU9fvaaoQmS9xdHWlonKq8CubJdLUduV3WVmDAg7MQgiT3p8JF9W2 353 | KbQpUbYxqd7j9OIe3IS3rVPwYA8PVh1hUJ+OBLw61sbGRAuN3H+B1DlJh1smg6bR 354 | g9W+oLRzfjZa32EzFmaQIxtgRfiyjxB/vqAHdl5zPou30X1CyRYquS870O02bvTN 355 | zzWSOfRY4KPmS1YFVsN+m+R4+hSUOAE//bJ25ACP9oDO5w9NWkAux4e0UUAuWCra 356 | jRROYN2J0KCogdru5G7lOQerD12zi3C2iibty6ou4tQX+MIKMMUVq8cfUH7oKv/R 357 | 8mL5PV/NUsgO248llo0lr9QBwQKdiw17wCxFR+8vAgMBAAGjQjBAMA8GA1UdEwEB 358 | /wQFMAMBAf8wHQYDVR0OBBYEFPDYnx2xYIPDDAEjb6UcF29I6DgKMA4GA1UdDwEB 359 | /wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANTrAGs/GpXCADAwMGlrjXTdohp+p 360 | CIp3gbnryVYZBXvO+f8hjJ8bHk0D/DiBrkjE8o0IpNaAadOZa+WvTNMsanPmGf1A 361 | kD0vA9nm4gwEhBbzj9HRYX+dIhZhVWny9Kugm80s0h0hvbwTakUPOdMqkz6wn+xx 362 | Owh7AIwaC5TTCsQyKlv5rjVblvU1XFgBf3Pf3wvMAfjDoAEPTXER/9mLVbXe+EmW 363 | osP1JmgyDd+0WQFVK/LEDW81L5hsV5JvthAAFhGVtRw9ko5Ep28+EQUJE1wmLTdL 364 | PyjB/KfJrTMDq94WolzFv4JpUStHbclkKlXtigjKeiYZ5Yvo+vLMSkXemccSfYn7 365 | vdaUFD5vqWXvM4xhiYRq/tigw2E1bjmyd9L3XD7XalufZtMGWn7zT8HMPP+/Lch1 366 | JjZ9LL2Y99VIqhoHcuSa95FtLpYDRQ28K03uwqxqFnOQLyPVmYwsaHKnmmwaZDjF 367 | K1XxLVRLGRWvKEuSoWrsGcs3ehoxX4Knz/BaJzr/ioU1VnItj53tmOSJO0eMA6k+ 368 | egaVEb0FTa2F5xeLCKjgfDDWMz3v0TdL+kt+9z0THMlPWfOzd1C35ZzSIcTcRj22 369 | SAzsL0t5ZTI4XvoPFF8dga78/KsBRolqdPjs0UzdlKhwh1ADOkTRgLOaaidMEgsT 370 | JS/rbzD4FPbvc/g= 371 | -----END CERTIFICATE----- 372 | # Amazon RDS us-gov-west-1 Root CA ECC384 G1 expires May2121 373 | -----BEGIN CERTIFICATE----- 374 
| MIICtDCCAjugAwIBAgIQPyg+edjKVnM2PB4KZVu66jAKBggqhkjOPQQDAzCBmjEL 375 | MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x 376 | EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6 377 | b24gUkRTIHVzLWdvdi13ZXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM 378 | B1NlYXR0bGUwIBcNMjEwNTI2MjE1MzI3WhgPMjEyMTA1MjYyMjUzMjdaMIGaMQsw 379 | CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET 380 | MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv 381 | biBSRFMgdXMtZ292LXdlc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH 382 | U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABFaqyIYrbpPfhiKzLEkmzp1j 383 | 3OYO/e1VE3vCf5c62bN5xYKFKH/MnKgsUFNsFpJ1t0p9cexi+607aiYOo1sOWvOj 384 | q3PUu+ltklQdvunU/Se5++qqsh7lylL5OF/F19uqfqNCMEAwDwYDVR0TAQH/BAUw 385 | AwEB/zAdBgNVHQ4EFgQUJHPtPhijPquZxTz2UGh4YV1npYMwDgYDVR0PAQH/BAQD 386 | AgGGMAoGCCqGSM49BAMDA2cAMGQCMHWDFuIZ9LZgysbL4vx/Ox9z8fbegb3352bM 387 | BFr6JV1x8VLbePblHd0V1MwDdRWeAwIwarWfOVdB1ijrwzjROzCwE0uBkHYUPr0Z 388 | vgwdtlsnwDw9TnjsBrTJkQ0aS8c0Ahl1 389 | -----END CERTIFICATE----- 390 | # rds-ca-2015-root.pem 391 | -----BEGIN CERTIFICATE----- 392 | MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx 393 | EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoM 394 | GUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMx 395 | GzAZBgNVBAMMEkFtYXpvbiBSRFMgUm9vdCBDQTAeFw0xNTAyMDUwOTExMzFaFw0y 396 | MDAzMDUwOTExMzFaMIGKMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv 397 | bjEQMA4GA1UEBwwHU2VhdHRsZTEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNl 398 | cywgSW5jLjETMBEGA1UECwwKQW1hem9uIFJEUzEbMBkGA1UEAwwSQW1hem9uIFJE 399 | UyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD8nrZ8V 400 | u+VA8yVlUipCZIKPTDcOILYpUe8Tct0YeQQr0uyl018StdBsa3CjBgvwpDRq1HgF 401 | Ji2N3+39+shCNspQeE6aYU+BHXhKhIIStt3r7gl/4NqYiDDMWKHxHq0nsGDFfArf 402 | AOcjZdJagOMqb3fF46flc8k2E7THTm9Sz4L7RY1WdABMuurpICLFE3oHcGdapOb9 403 | T53pQR+xpHW9atkcf3pf7gbO0rlKVSIoUenBlZipUlp1VZl/OD/E+TtRhDDNdI2J 404 | 
P/DSMM3aEsq6ZQkfbz/Ilml+Lx3tJYXUDmp+ZjzMPLk/+3beT8EhrwtcG3VPpvwp 405 | BIOqsqVVTvw/CwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw 406 | AwEB/zAdBgNVHQ4EFgQUTgLurD72FchM7Sz1BcGPnIQISYMwHwYDVR0jBBgwFoAU 407 | TgLurD72FchM7Sz1BcGPnIQISYMwDQYJKoZIhvcNAQEFBQADggEBAHZcgIio8pAm 408 | MjHD5cl6wKjXxScXKtXygWH2BoDMYBJF9yfyKO2jEFxYKbHePpnXB1R04zJSWAw5 409 | 2EUuDI1pSBh9BA82/5PkuNlNeSTB3dXDD2PEPdzVWbSKvUB8ZdooV+2vngL0Zm4r 410 | 47QPyd18yPHrRIbtBtHR/6CwKevLZ394zgExqhnekYKIqqEX41xsUV0Gm6x4vpjf 411 | 2u6O/+YE2U+qyyxHE5Wd5oqde0oo9UUpFETJPVb6Q2cEeQib8PBAyi0i6KnF+kIV 412 | A9dY7IHSubtCK/i8wxMVqfd5GtbA8mmpeJFwnDvm9rBEsHybl08qlax9syEwsUYr 413 | /40NawZfTUU= 414 | -----END CERTIFICATE----- 415 | # rds-ca-2012-us-gov-west-1.pem 416 | -----BEGIN CERTIFICATE----- 417 | MIIDQzCCAqygAwIBAgIJAMGs6m/j+u8sMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV 418 | BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw 419 | EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h 420 | bWF6b24uY29tL3Jkcy8wHhcNMTIwODE2MDY0MjAwWhcNMTcwODE1MDY0MjAwWjB1 421 | MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh 422 | dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD 423 | ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 424 | gQCnTB7AkRR4xuhfAuOt5foNeCRBPeUujkzmJu1yfnTbtFi+g7zmovQ9BJcRoPYL 425 | 45McnXyaT/7UjhJhCI5gnYlTIyBTRFh7lXFJryypFx8AIh6q3D/ht8b6cVro3sJ2 426 | k4x1w/c7akKKsZJtf0ZyhbMvNnBz3K3TWVB6c9DChbfyUQIDAQABo4HaMIHXMB0G 427 | A1UdDgQWBBS/OwyfNJHDnAmnZBbq9ACiXz7O1jCBpwYDVR0jBIGfMIGcgBS/Owyf 428 | NJHDnAmnZBbq9ACiXz7O1qF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh 429 | c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x 430 | DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAMGs 431 | 6m/j+u8sMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACR37LqHlzjSH 432 | 9gHCaiVJgCb0CCxSg3PHaQuv8h4ugAqQpGxpX3Zo97VgHnjEve21gXA74kzGUUAo 433 | 7YNTZWbF2VkHUDqekXimvL3q1JEvHDKPkLJrxEic1zTU1uazb9uJeb1aVWTq6N8R 434 | 
      bx56xd/e3o7RYcPfLD45y7RRXKz3AmE=
      -----END CERTIFICATE-----

- type: remove
  path: /variables/name=postgres_password

- type: remove
  path: /instance_groups/name=bosh/jobs/name=bbr-uaadb?

- type: remove
  path: /instance_groups/name=bosh/jobs/name=bbr-credhubdb?
--------------------------------------------------------------------------------
/operations/external-db-protobosh.yml:
--------------------------------------------------------------------------------
- type: remove
  path: /instance_groups/name=bosh/jobs/name=postgres-9.4?

- type: remove
  path: /instance_groups/name=bosh/jobs/name=postgres-10?

- type: remove
  path: /instance_groups/name=bosh/jobs/name=postgres?

- type: remove
  path: /instance_groups/name=bosh/properties/postgres

- type: replace
  path: /instance_groups/name=bosh/jobs/-
  value:
    name: toolbelt-psql
    release: toolbelt

- type: replace
  path: /releases/-
  value:
    name: "toolbelt"
    version: "3.7.0"
    url: "https://bosh.io/d/github.com/cloudfoundry-community/toolbelt-boshrelease?v=3.7.0"
    sha1: "377b390b7f5d358a2dae463109350250a769eb3f"

- type: replace
  path: /instance_groups/name=bosh/properties/director/db
  value:
    host: ((terraform_outputs.protobosh_rds_host))
    port: ((terraform_outputs.protobosh_rds_port))
    user: ((terraform_outputs.protobosh_rds_username))
    password: ((terraform_outputs.protobosh_rds_password))
    database: bosh

- type: replace
  path: /instance_groups/name=bosh/properties/registry?/db
  value:
    host: ((terraform_outputs.protobosh_rds_host))
    port: ((terraform_outputs.protobosh_rds_port))
    user: ((terraform_outputs.protobosh_rds_username))
    password: ((terraform_outputs.protobosh_rds_password))
    database: bosh

- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaadb
47 | value: 48 | address: ((terraform_outputs.protobosh_rds_host)) 49 | port: ((terraform_outputs.protobosh_rds_port)) 50 | user: ((terraform_outputs.protobosh_rds_username)) 51 | password: ((terraform_outputs.protobosh_rds_password)) 52 | db_scheme: postgresql 53 | roles: 54 | - name: bosh 55 | password: ((terraform_outputs.protobosh_rds_password)) 56 | tag: admin 57 | databases: 58 | - name: bosh_uaadb 59 | tag: uaa 60 | 61 | - type: replace 62 | path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/ca_certs? 63 | value: 64 | - |+ 65 | # UAA requires each cert as an array object 66 | # RDS US-GOV-WEST-1-BUNDLE.PEM UPDATED APRIL 2022 67 | # Amazon RDS GovCloud Root CA expires May22 68 | -----BEGIN CERTIFICATE----- 69 | MIIEDjCCAvagAwIBAgIJAMM61RQn3/kdMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD 70 | VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi 71 | MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h 72 | em9uIFJEUzEkMCIGA1UEAwwbQW1hem9uIFJEUyBHb3ZDbG91ZCBSb290IENBMB4X 73 | DTE3MDUxOTIyMjkxMVoXDTIyMDUxODIyMjkxMVowgZMxCzAJBgNVBAYTAlVTMRAw 74 | DgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQKDBlB 75 | bWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMSQw 76 | IgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwggEiMA0GCSqGSIb3 77 | DQEBAQUAA4IBDwAwggEKAoIBAQDGS9bh1FGiJPT+GRb3C5aKypJVDC1H2gbh6n3u 78 | j8cUiyMXfmm+ak402zdLpSYMaxiQ7oL/B3wEmumIpRDAsQrSp3B/qEeY7ipQGOfh 79 | q2TXjXGIUjiJ/FaoGqkymHRLG+XkNNBtb7MRItsjlMVNELXECwSiMa3nJL2/YyHW 80 | nTr1+11/weeZEKgVbCUrOugFkMXnfZIBSn40j6EnRlO2u/NFU5ksK5ak2+j8raZ7 81 | xW7VXp9S1Tgf1IsWHjGZZZguwCkkh1tHOlHC9gVA3p63WecjrIzcrR/V27atul4m 82 | tn56s5NwFvYPUIx1dbC8IajLUrepVm6XOwdQCfd02DmOyjWJAgMBAAGjYzBhMA4G 83 | A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRJEM+kuDUu 84 | ZTmCnA4wUrgnFaXc4zAfBgNVHSMEGDAWgBRJEM+kuDUuZTmCnA4wUrgnFaXc4zAN 85 | BgkqhkiG9w0BAQsFAAOCAQEAcfA7uirXsNZyI2j4AJFVtOTKOZlQwqbyNducnmlg 86 | /5nug9fAkwM4AgvF5bBOD1Hw6khdsccMwIj+1S7wpL+EYb/nSc8G0qe1p/9lZ/mZ 87 | 
ff5g4JOa26lLuCrZDqAk4TzYnt6sQKfa5ZXVUUn0BK3okhiXS0i+NloMyaBCL7vk 88 | kDwkHwEqflRKfZ9/oFTcCfoiHPA7AdBtaPVr0/Kj9L7k+ouz122huqG5KqX0Zpo8 89 | S0IGvcd2FZjNSNPttNAK7YuBVsZ0m2nIH1SLp//00v7yAHIgytQwwB17PBcp4NXD 90 | pCfTa27ng9mMMC2YLqWQpW4TkqjDin2ZC+5X/mbrjzTvVg== 91 | -----END CERTIFICATE----- 92 | - |+ 93 | # Amazon RDS us-gov-west-1 CA expires May22 94 | -----BEGIN CERTIFICATE----- 95 | MIIECjCCAvKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVT 96 | MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK 97 | DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT 98 | MSQwIgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwHhcNMTcwNTE5 99 | MjIzMTE5WhcNMjIwNTE4MTIwMDAwWjCBkzELMAkGA1UEBhMCVVMxEzARBgNVBAgM 100 | Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoMGUFtYXpvbiBX 101 | ZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxJDAiBgNVBAMM 102 | G0FtYXpvbiBSRFMgdXMtZ292LXdlc3QtMSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD 103 | ggEPADCCAQoCggEBAM8YZLKAzzOdNnoi7Klih26Zkj+OCpDfwx4ZYB6f8L8UoQi5 104 | 8z9ZtIwMjiJ/kO08P1yl4gfc7YZcNFvhGruQZNat3YNpxwUpQcr4mszjuffbL4uz 105 | +/8FBxALdqCVOJ5Q0EVSfz3d9Bd1pUPL7ARtSpy7bn/tUPyQeI+lODYO906C0TQ3 106 | b9bjOsgAdBKkHfjLdsknsOZYYIzYWOJyFJJa0B11XjDUNBy/3IuC0KvDl6At0V5b 107 | 8M6cWcKhte2hgjwTYepV+/GTadeube1z5z6mWsN5arOAQUtYDLH6Aztq9mCJzLHm 108 | RccBugnGl3fRLJ2VjioN8PoGoN9l9hFBy5fnFgsCAwEAAaNmMGQwDgYDVR0PAQH/ 109 | BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFEG7+br8KkvwPd5g 110 | 71Rvh2stclJbMB8GA1UdIwQYMBaAFEkQz6S4NS5lOYKcDjBSuCcVpdzjMA0GCSqG 111 | SIb3DQEBCwUAA4IBAQBMA327u5ABmhX+aPxljoIbxnydmAFWxW6wNp5+rZrvPig8 112 | zDRqGQWWr7wWOIjfcWugSElYtf/m9KZHG/Z6+NG7nAoUrdcd1h/IQhb+lFQ2b5g9 113 | sVzQv/H2JNkfZA8fL/Ko/Tm/f9tcqe0zrGCtT+5u0Nvz35Wl8CEUKLloS5xEb3k5 114 | 7D9IhG3fsE3vHWlWrGCk1cKry3j12wdPG5cUsug0vt34u6rdhP+FsM0tHI15Kjch 115 | RuUCvyQecy2ZFNAa3jmd5ycNdL63RWe8oayRBpQBxPPCbHfILxGZEdJbCH9aJ2D/ 116 | l8oHIDnvOLdv7/cBjyYuvmprgPtu3QEkbre5Hln/ 117 | -----END CERTIFICATE----- 118 | - |+ 119 | # Amazon RDS us-gov-west-1 Root CA 
RSA2048 G1 expires April2162 120 | -----BEGIN CERTIFICATE----- 121 | MIIEBzCCAu+gAwIBAgIRAMSbo6rMlQ+TZDCb7zg40qUwDQYJKoZIhvcNAQEMBQAw 122 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 123 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 124 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 125 | A1UEBwwHU2VhdHRsZTAgFw0yMjA0MTUyMjM1MjFaGA8yMDYyMDQxNTIzMzUyMVow 126 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 127 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 128 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 129 | A1UEBwwHU2VhdHRsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM3U 130 | XJp6XLyNdOmyuj19ZKNmbJTGoRbsnrdxYLxbhQRCykOga7Hh/D5qKPMR/B80OsoK 131 | uWpxWmQCaCP4Z9Aa9N68L0TRJXZoArZjV8q5nfjsYWQqOPx+cKtIxqvyotov5WE2 132 | RKaujqpKBAyI49542NNmOEROUshunxYh/7s3Z8oPxOX8kp6hLBtckqUzFbAb7/vM 133 | X0YpgNUpJ2G1Q9MLKfxEmw2p0WE1FEW35gMvUN4jFtTaKjsXtqGu6iF4YqEASwrv 134 | vPmLhBHuyKC9ZfEvYzFjw2+l5SMENvhAde10WUpBuJnK+ZoKgFxLOUcdyZO9fR1Y 135 | wVG5twjPnOhHUOLpAP0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E 136 | FgQUsjcnO96t1VCa/JBZSqY1asXWaZ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3 137 | DQEBDAUAA4IBAQCYx0FHyvrX1CeuKd4CEi50QUZzY1HjGoySz+by6rY1+jZ1v2cp 138 | JIBrhQ8VUiJ8EqCDKzzv1mBOA1lx+5jpWB2yKP2hq3YJ93BNK+KO7BgasCkUYLGk 139 | v3c2jo4J5qbWsNsqa/dog+qQbLAcqCx4MeZIadpdLv++ejGPjA0+zjXWwWmQ4RKe 140 | ILiR1wO52uKF90tiDTNi3C5oMaEYbW+Kbsfsx5NpybEU7DkrVKb4MTVgtFuAELrF 141 | 8Zmdbpv8xnUA+oo/QdLLX+eJP/+8tdeDdB6rYFKpJmC2B3EnaKS4X4UpxZJFAgig 142 | oB6q5jNJ5onkWIfx8luNdbagKSFZXHhSO8KP 143 | -----END CERTIFICATE----- 144 | - |+ 145 | # Amazon RDS us-gov-west-1 Root CA RSA4096 G1 expires May2121 146 | -----BEGIN CERTIFICATE----- 147 | MIIGBzCCA++gAwIBAgIRAOzQCoOR21YG2noWOfFcuNIwDQYJKoZIhvcNAQEMBQAw 148 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 149 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 150 | 
QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 151 | A1UEBwwHU2VhdHRsZTAgFw0yMTA1MjYyMTQ0MzlaGA8yMTIxMDUyNjIyNDQzOVow 152 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 153 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 154 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 155 | A1UEBwwHU2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwY 156 | M2iZdnnlMutI9nfn2fWBICAQHWmMmpPmtSka/ziBFyaCxkHDF8RLmooW+GLe+FEF 157 | 9CQKSVqRa7X5AFiqRFF1KvgxWvazawyScuw88JW6Eqhaw0Rlm2p1Iow3TE8FSCDo 158 | Is1vEV3Brbf26CMiXbqI+aCuTOy0fjRzjl5igViTgZxt2ZXOwyKkF+2T8LQp4b4F 159 | Mh85Ctw1An1DhAemsc3SmcYnPKyFUP90DxGuTjFtfNR01GbBtVYwVvOBgIJe59Zs 160 | OWcEFOO2mU53Ik6oKcLYu4+PmE5aDvQewb6bkQZchClb7Eg0BPYekWwTPsKUTS3H 161 | bgdwVxgzjdAdU9fvaaoQmS9xdHWlonKq8CubJdLUduV3WVmDAg7MQgiT3p8JF9W2 162 | KbQpUbYxqd7j9OIe3IS3rVPwYA8PVh1hUJ+OBLw61sbGRAuN3H+B1DlJh1smg6bR 163 | g9W+oLRzfjZa32EzFmaQIxtgRfiyjxB/vqAHdl5zPou30X1CyRYquS870O02bvTN 164 | zzWSOfRY4KPmS1YFVsN+m+R4+hSUOAE//bJ25ACP9oDO5w9NWkAux4e0UUAuWCra 165 | jRROYN2J0KCogdru5G7lOQerD12zi3C2iibty6ou4tQX+MIKMMUVq8cfUH7oKv/R 166 | 8mL5PV/NUsgO248llo0lr9QBwQKdiw17wCxFR+8vAgMBAAGjQjBAMA8GA1UdEwEB 167 | /wQFMAMBAf8wHQYDVR0OBBYEFPDYnx2xYIPDDAEjb6UcF29I6DgKMA4GA1UdDwEB 168 | /wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANTrAGs/GpXCADAwMGlrjXTdohp+p 169 | CIp3gbnryVYZBXvO+f8hjJ8bHk0D/DiBrkjE8o0IpNaAadOZa+WvTNMsanPmGf1A 170 | kD0vA9nm4gwEhBbzj9HRYX+dIhZhVWny9Kugm80s0h0hvbwTakUPOdMqkz6wn+xx 171 | Owh7AIwaC5TTCsQyKlv5rjVblvU1XFgBf3Pf3wvMAfjDoAEPTXER/9mLVbXe+EmW 172 | osP1JmgyDd+0WQFVK/LEDW81L5hsV5JvthAAFhGVtRw9ko5Ep28+EQUJE1wmLTdL 173 | PyjB/KfJrTMDq94WolzFv4JpUStHbclkKlXtigjKeiYZ5Yvo+vLMSkXemccSfYn7 174 | vdaUFD5vqWXvM4xhiYRq/tigw2E1bjmyd9L3XD7XalufZtMGWn7zT8HMPP+/Lch1 175 | JjZ9LL2Y99VIqhoHcuSa95FtLpYDRQ28K03uwqxqFnOQLyPVmYwsaHKnmmwaZDjF 176 | K1XxLVRLGRWvKEuSoWrsGcs3ehoxX4Knz/BaJzr/ioU1VnItj53tmOSJO0eMA6k+ 177 | egaVEb0FTa2F5xeLCKjgfDDWMz3v0TdL+kt+9z0THMlPWfOzd1C35ZzSIcTcRj22 178 | 
SAzsL0t5ZTI4XvoPFF8dga78/KsBRolqdPjs0UzdlKhwh1ADOkTRgLOaaidMEgsT 179 | JS/rbzD4FPbvc/g= 180 | -----END CERTIFICATE----- 181 | - |+ 182 | # Amazon RDS us-gov-west-1 Root CA ECC384 G1 expires May2121 183 | -----BEGIN CERTIFICATE----- 184 | MIICtDCCAjugAwIBAgIQPyg+edjKVnM2PB4KZVu66jAKBggqhkjOPQQDAzCBmjEL 185 | MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x 186 | EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6 187 | b24gUkRTIHVzLWdvdi13ZXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM 188 | B1NlYXR0bGUwIBcNMjEwNTI2MjE1MzI3WhgPMjEyMTA1MjYyMjUzMjdaMIGaMQsw 189 | CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET 190 | MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv 191 | biBSRFMgdXMtZ292LXdlc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH 192 | U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABFaqyIYrbpPfhiKzLEkmzp1j 193 | 3OYO/e1VE3vCf5c62bN5xYKFKH/MnKgsUFNsFpJ1t0p9cexi+607aiYOo1sOWvOj 194 | q3PUu+ltklQdvunU/Se5++qqsh7lylL5OF/F19uqfqNCMEAwDwYDVR0TAQH/BAUw 195 | AwEB/zAdBgNVHQ4EFgQUJHPtPhijPquZxTz2UGh4YV1npYMwDgYDVR0PAQH/BAQD 196 | AgGGMAoGCCqGSM49BAMDA2cAMGQCMHWDFuIZ9LZgysbL4vx/Ox9z8fbegb3352bM 197 | BFr6JV1x8VLbePblHd0V1MwDdRWeAwIwarWfOVdB1ijrwzjROzCwE0uBkHYUPr0Z 198 | vgwdtlsnwDw9TnjsBrTJkQ0aS8c0Ahl1 199 | -----END CERTIFICATE----- 200 | - |+ 201 | # rds-ca-2015-root.pem 202 | -----BEGIN CERTIFICATE----- 203 | MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx 204 | EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoM 205 | GUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMx 206 | GzAZBgNVBAMMEkFtYXpvbiBSRFMgUm9vdCBDQTAeFw0xNTAyMDUwOTExMzFaFw0y 207 | MDAzMDUwOTExMzFaMIGKMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv 208 | bjEQMA4GA1UEBwwHU2VhdHRsZTEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNl 209 | cywgSW5jLjETMBEGA1UECwwKQW1hem9uIFJEUzEbMBkGA1UEAwwSQW1hem9uIFJE 210 | UyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD8nrZ8V 211 | 
u+VA8yVlUipCZIKPTDcOILYpUe8Tct0YeQQr0uyl018StdBsa3CjBgvwpDRq1HgF 212 | Ji2N3+39+shCNspQeE6aYU+BHXhKhIIStt3r7gl/4NqYiDDMWKHxHq0nsGDFfArf 213 | AOcjZdJagOMqb3fF46flc8k2E7THTm9Sz4L7RY1WdABMuurpICLFE3oHcGdapOb9 214 | T53pQR+xpHW9atkcf3pf7gbO0rlKVSIoUenBlZipUlp1VZl/OD/E+TtRhDDNdI2J 215 | P/DSMM3aEsq6ZQkfbz/Ilml+Lx3tJYXUDmp+ZjzMPLk/+3beT8EhrwtcG3VPpvwp 216 | BIOqsqVVTvw/CwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw 217 | AwEB/zAdBgNVHQ4EFgQUTgLurD72FchM7Sz1BcGPnIQISYMwHwYDVR0jBBgwFoAU 218 | TgLurD72FchM7Sz1BcGPnIQISYMwDQYJKoZIhvcNAQEFBQADggEBAHZcgIio8pAm 219 | MjHD5cl6wKjXxScXKtXygWH2BoDMYBJF9yfyKO2jEFxYKbHePpnXB1R04zJSWAw5 220 | 2EUuDI1pSBh9BA82/5PkuNlNeSTB3dXDD2PEPdzVWbSKvUB8ZdooV+2vngL0Zm4r 221 | 47QPyd18yPHrRIbtBtHR/6CwKevLZ394zgExqhnekYKIqqEX41xsUV0Gm6x4vpjf 222 | 2u6O/+YE2U+qyyxHE5Wd5oqde0oo9UUpFETJPVb6Q2cEeQib8PBAyi0i6KnF+kIV 223 | A9dY7IHSubtCK/i8wxMVqfd5GtbA8mmpeJFwnDvm9rBEsHybl08qlax9syEwsUYr 224 | /40NawZfTUU= 225 | -----END CERTIFICATE----- 226 | - |+ 227 | # rds-ca-2012-us-gov-west-1.pem 228 | -----BEGIN CERTIFICATE----- 229 | MIIDQzCCAqygAwIBAgIJAMGs6m/j+u8sMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV 230 | BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw 231 | EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h 232 | bWF6b24uY29tL3Jkcy8wHhcNMTIwODE2MDY0MjAwWhcNMTcwODE1MDY0MjAwWjB1 233 | MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh 234 | dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD 235 | ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 236 | gQCnTB7AkRR4xuhfAuOt5foNeCRBPeUujkzmJu1yfnTbtFi+g7zmovQ9BJcRoPYL 237 | 45McnXyaT/7UjhJhCI5gnYlTIyBTRFh7lXFJryypFx8AIh6q3D/ht8b6cVro3sJ2 238 | k4x1w/c7akKKsZJtf0ZyhbMvNnBz3K3TWVB6c9DChbfyUQIDAQABo4HaMIHXMB0G 239 | A1UdDgQWBBS/OwyfNJHDnAmnZBbq9ACiXz7O1jCBpwYDVR0jBIGfMIGcgBS/Owyf 240 | NJHDnAmnZBbq9ACiXz7O1qF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh 241 | c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x 242 | 
DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAMGs 243 | 6m/j+u8sMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACR37LqHlzjSH 244 | 9gHCaiVJgCb0CCxSg3PHaQuv8h4ugAqQpGxpX3Zo97VgHnjEve21gXA74kzGUUAo 245 | 7YNTZWbF2VkHUDqekXimvL3q1JEvHDKPkLJrxEic1zTU1uazb9uJeb1aVWTq6N8R 246 | bx56xd/e3o7RYcPfLD45y7RRXKz3AmE= 247 | -----END CERTIFICATE----- 248 | 249 | - type: replace 250 | path: /instance_groups/name=bosh/jobs/name=credhub/properties/credhub/data_storage 251 | value: 252 | type: postgres 253 | host: ((terraform_outputs.protobosh_rds_host)) 254 | port: ((terraform_outputs.protobosh_rds_port)) 255 | username: ((terraform_outputs.protobosh_rds_username)) 256 | password: ((terraform_outputs.protobosh_rds_password)) 257 | database: credhub 258 | require_tls: true 259 | tls_ca: |- 260 | # Credhub requires all CA certs to be one single bundle 261 | # RDS US-GOV-WEST-1-BUNDLE.PEM UPDATED APRIL 2022 262 | # Amazon RDS GovCloud Root CA expires May22 263 | -----BEGIN CERTIFICATE----- 264 | MIIEDjCCAvagAwIBAgIJAMM61RQn3/kdMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD 265 | VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi 266 | MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h 267 | em9uIFJEUzEkMCIGA1UEAwwbQW1hem9uIFJEUyBHb3ZDbG91ZCBSb290IENBMB4X 268 | DTE3MDUxOTIyMjkxMVoXDTIyMDUxODIyMjkxMVowgZMxCzAJBgNVBAYTAlVTMRAw 269 | DgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQKDBlB 270 | bWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMSQw 271 | IgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwggEiMA0GCSqGSIb3 272 | DQEBAQUAA4IBDwAwggEKAoIBAQDGS9bh1FGiJPT+GRb3C5aKypJVDC1H2gbh6n3u 273 | j8cUiyMXfmm+ak402zdLpSYMaxiQ7oL/B3wEmumIpRDAsQrSp3B/qEeY7ipQGOfh 274 | q2TXjXGIUjiJ/FaoGqkymHRLG+XkNNBtb7MRItsjlMVNELXECwSiMa3nJL2/YyHW 275 | nTr1+11/weeZEKgVbCUrOugFkMXnfZIBSn40j6EnRlO2u/NFU5ksK5ak2+j8raZ7 276 | xW7VXp9S1Tgf1IsWHjGZZZguwCkkh1tHOlHC9gVA3p63WecjrIzcrR/V27atul4m 277 | tn56s5NwFvYPUIx1dbC8IajLUrepVm6XOwdQCfd02DmOyjWJAgMBAAGjYzBhMA4G 278 | 
A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRJEM+kuDUu 279 | ZTmCnA4wUrgnFaXc4zAfBgNVHSMEGDAWgBRJEM+kuDUuZTmCnA4wUrgnFaXc4zAN 280 | BgkqhkiG9w0BAQsFAAOCAQEAcfA7uirXsNZyI2j4AJFVtOTKOZlQwqbyNducnmlg 281 | /5nug9fAkwM4AgvF5bBOD1Hw6khdsccMwIj+1S7wpL+EYb/nSc8G0qe1p/9lZ/mZ 282 | ff5g4JOa26lLuCrZDqAk4TzYnt6sQKfa5ZXVUUn0BK3okhiXS0i+NloMyaBCL7vk 283 | kDwkHwEqflRKfZ9/oFTcCfoiHPA7AdBtaPVr0/Kj9L7k+ouz122huqG5KqX0Zpo8 284 | S0IGvcd2FZjNSNPttNAK7YuBVsZ0m2nIH1SLp//00v7yAHIgytQwwB17PBcp4NXD 285 | pCfTa27ng9mMMC2YLqWQpW4TkqjDin2ZC+5X/mbrjzTvVg== 286 | -----END CERTIFICATE----- 287 | # Amazon RDS us-gov-west-1 CA expires May22 288 | -----BEGIN CERTIFICATE----- 289 | MIIECjCCAvKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVT 290 | MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK 291 | DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT 292 | MSQwIgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwHhcNMTcwNTE5 293 | MjIzMTE5WhcNMjIwNTE4MTIwMDAwWjCBkzELMAkGA1UEBhMCVVMxEzARBgNVBAgM 294 | Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoMGUFtYXpvbiBX 295 | ZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxJDAiBgNVBAMM 296 | G0FtYXpvbiBSRFMgdXMtZ292LXdlc3QtMSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD 297 | ggEPADCCAQoCggEBAM8YZLKAzzOdNnoi7Klih26Zkj+OCpDfwx4ZYB6f8L8UoQi5 298 | 8z9ZtIwMjiJ/kO08P1yl4gfc7YZcNFvhGruQZNat3YNpxwUpQcr4mszjuffbL4uz 299 | +/8FBxALdqCVOJ5Q0EVSfz3d9Bd1pUPL7ARtSpy7bn/tUPyQeI+lODYO906C0TQ3 300 | b9bjOsgAdBKkHfjLdsknsOZYYIzYWOJyFJJa0B11XjDUNBy/3IuC0KvDl6At0V5b 301 | 8M6cWcKhte2hgjwTYepV+/GTadeube1z5z6mWsN5arOAQUtYDLH6Aztq9mCJzLHm 302 | RccBugnGl3fRLJ2VjioN8PoGoN9l9hFBy5fnFgsCAwEAAaNmMGQwDgYDVR0PAQH/ 303 | BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFEG7+br8KkvwPd5g 304 | 71Rvh2stclJbMB8GA1UdIwQYMBaAFEkQz6S4NS5lOYKcDjBSuCcVpdzjMA0GCSqG 305 | SIb3DQEBCwUAA4IBAQBMA327u5ABmhX+aPxljoIbxnydmAFWxW6wNp5+rZrvPig8 306 | zDRqGQWWr7wWOIjfcWugSElYtf/m9KZHG/Z6+NG7nAoUrdcd1h/IQhb+lFQ2b5g9 307 | 
sVzQv/H2JNkfZA8fL/Ko/Tm/f9tcqe0zrGCtT+5u0Nvz35Wl8CEUKLloS5xEb3k5 308 | 7D9IhG3fsE3vHWlWrGCk1cKry3j12wdPG5cUsug0vt34u6rdhP+FsM0tHI15Kjch 309 | RuUCvyQecy2ZFNAa3jmd5ycNdL63RWe8oayRBpQBxPPCbHfILxGZEdJbCH9aJ2D/ 310 | l8oHIDnvOLdv7/cBjyYuvmprgPtu3QEkbre5Hln/ 311 | -----END CERTIFICATE----- 312 | # Amazon RDS us-gov-west-1 Root CA RSA2048 G1 expires April2162 313 | -----BEGIN CERTIFICATE----- 314 | MIIEBzCCAu+gAwIBAgIRAMSbo6rMlQ+TZDCb7zg40qUwDQYJKoZIhvcNAQEMBQAw 315 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 316 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 317 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 318 | A1UEBwwHU2VhdHRsZTAgFw0yMjA0MTUyMjM1MjFaGA8yMDYyMDQxNTIzMzUyMVow 319 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 320 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 321 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 322 | A1UEBwwHU2VhdHRsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM3U 323 | XJp6XLyNdOmyuj19ZKNmbJTGoRbsnrdxYLxbhQRCykOga7Hh/D5qKPMR/B80OsoK 324 | uWpxWmQCaCP4Z9Aa9N68L0TRJXZoArZjV8q5nfjsYWQqOPx+cKtIxqvyotov5WE2 325 | RKaujqpKBAyI49542NNmOEROUshunxYh/7s3Z8oPxOX8kp6hLBtckqUzFbAb7/vM 326 | X0YpgNUpJ2G1Q9MLKfxEmw2p0WE1FEW35gMvUN4jFtTaKjsXtqGu6iF4YqEASwrv 327 | vPmLhBHuyKC9ZfEvYzFjw2+l5SMENvhAde10WUpBuJnK+ZoKgFxLOUcdyZO9fR1Y 328 | wVG5twjPnOhHUOLpAP0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E 329 | FgQUsjcnO96t1VCa/JBZSqY1asXWaZ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3 330 | DQEBDAUAA4IBAQCYx0FHyvrX1CeuKd4CEi50QUZzY1HjGoySz+by6rY1+jZ1v2cp 331 | JIBrhQ8VUiJ8EqCDKzzv1mBOA1lx+5jpWB2yKP2hq3YJ93BNK+KO7BgasCkUYLGk 332 | v3c2jo4J5qbWsNsqa/dog+qQbLAcqCx4MeZIadpdLv++ejGPjA0+zjXWwWmQ4RKe 333 | ILiR1wO52uKF90tiDTNi3C5oMaEYbW+Kbsfsx5NpybEU7DkrVKb4MTVgtFuAELrF 334 | 8Zmdbpv8xnUA+oo/QdLLX+eJP/+8tdeDdB6rYFKpJmC2B3EnaKS4X4UpxZJFAgig 335 | oB6q5jNJ5onkWIfx8luNdbagKSFZXHhSO8KP 336 | -----END CERTIFICATE----- 337 | # Amazon RDS us-gov-west-1 Root CA 
RSA4096 G1 expires May2121 338 | -----BEGIN CERTIFICATE----- 339 | MIIGBzCCA++gAwIBAgIRAOzQCoOR21YG2noWOfFcuNIwDQYJKoZIhvcNAQEMBQAw 340 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 341 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 342 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 343 | A1UEBwwHU2VhdHRsZTAgFw0yMTA1MjYyMTQ0MzlaGA8yMTIxMDUyNjIyNDQzOVow 344 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 345 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 346 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 347 | A1UEBwwHU2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwY 348 | M2iZdnnlMutI9nfn2fWBICAQHWmMmpPmtSka/ziBFyaCxkHDF8RLmooW+GLe+FEF 349 | 9CQKSVqRa7X5AFiqRFF1KvgxWvazawyScuw88JW6Eqhaw0Rlm2p1Iow3TE8FSCDo 350 | Is1vEV3Brbf26CMiXbqI+aCuTOy0fjRzjl5igViTgZxt2ZXOwyKkF+2T8LQp4b4F 351 | Mh85Ctw1An1DhAemsc3SmcYnPKyFUP90DxGuTjFtfNR01GbBtVYwVvOBgIJe59Zs 352 | OWcEFOO2mU53Ik6oKcLYu4+PmE5aDvQewb6bkQZchClb7Eg0BPYekWwTPsKUTS3H 353 | bgdwVxgzjdAdU9fvaaoQmS9xdHWlonKq8CubJdLUduV3WVmDAg7MQgiT3p8JF9W2 354 | KbQpUbYxqd7j9OIe3IS3rVPwYA8PVh1hUJ+OBLw61sbGRAuN3H+B1DlJh1smg6bR 355 | g9W+oLRzfjZa32EzFmaQIxtgRfiyjxB/vqAHdl5zPou30X1CyRYquS870O02bvTN 356 | zzWSOfRY4KPmS1YFVsN+m+R4+hSUOAE//bJ25ACP9oDO5w9NWkAux4e0UUAuWCra 357 | jRROYN2J0KCogdru5G7lOQerD12zi3C2iibty6ou4tQX+MIKMMUVq8cfUH7oKv/R 358 | 8mL5PV/NUsgO248llo0lr9QBwQKdiw17wCxFR+8vAgMBAAGjQjBAMA8GA1UdEwEB 359 | /wQFMAMBAf8wHQYDVR0OBBYEFPDYnx2xYIPDDAEjb6UcF29I6DgKMA4GA1UdDwEB 360 | /wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANTrAGs/GpXCADAwMGlrjXTdohp+p 361 | CIp3gbnryVYZBXvO+f8hjJ8bHk0D/DiBrkjE8o0IpNaAadOZa+WvTNMsanPmGf1A 362 | kD0vA9nm4gwEhBbzj9HRYX+dIhZhVWny9Kugm80s0h0hvbwTakUPOdMqkz6wn+xx 363 | Owh7AIwaC5TTCsQyKlv5rjVblvU1XFgBf3Pf3wvMAfjDoAEPTXER/9mLVbXe+EmW 364 | osP1JmgyDd+0WQFVK/LEDW81L5hsV5JvthAAFhGVtRw9ko5Ep28+EQUJE1wmLTdL 365 | PyjB/KfJrTMDq94WolzFv4JpUStHbclkKlXtigjKeiYZ5Yvo+vLMSkXemccSfYn7 366 | 
vdaUFD5vqWXvM4xhiYRq/tigw2E1bjmyd9L3XD7XalufZtMGWn7zT8HMPP+/Lch1 367 | JjZ9LL2Y99VIqhoHcuSa95FtLpYDRQ28K03uwqxqFnOQLyPVmYwsaHKnmmwaZDjF 368 | K1XxLVRLGRWvKEuSoWrsGcs3ehoxX4Knz/BaJzr/ioU1VnItj53tmOSJO0eMA6k+ 369 | egaVEb0FTa2F5xeLCKjgfDDWMz3v0TdL+kt+9z0THMlPWfOzd1C35ZzSIcTcRj22 370 | SAzsL0t5ZTI4XvoPFF8dga78/KsBRolqdPjs0UzdlKhwh1ADOkTRgLOaaidMEgsT 371 | JS/rbzD4FPbvc/g= 372 | -----END CERTIFICATE----- 373 | # Amazon RDS us-gov-west-1 Root CA ECC384 G1 expires May2121 374 | -----BEGIN CERTIFICATE----- 375 | MIICtDCCAjugAwIBAgIQPyg+edjKVnM2PB4KZVu66jAKBggqhkjOPQQDAzCBmjEL 376 | MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x 377 | EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6 378 | b24gUkRTIHVzLWdvdi13ZXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM 379 | B1NlYXR0bGUwIBcNMjEwNTI2MjE1MzI3WhgPMjEyMTA1MjYyMjUzMjdaMIGaMQsw 380 | CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET 381 | MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv 382 | biBSRFMgdXMtZ292LXdlc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH 383 | U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABFaqyIYrbpPfhiKzLEkmzp1j 384 | 3OYO/e1VE3vCf5c62bN5xYKFKH/MnKgsUFNsFpJ1t0p9cexi+607aiYOo1sOWvOj 385 | q3PUu+ltklQdvunU/Se5++qqsh7lylL5OF/F19uqfqNCMEAwDwYDVR0TAQH/BAUw 386 | AwEB/zAdBgNVHQ4EFgQUJHPtPhijPquZxTz2UGh4YV1npYMwDgYDVR0PAQH/BAQD 387 | AgGGMAoGCCqGSM49BAMDA2cAMGQCMHWDFuIZ9LZgysbL4vx/Ox9z8fbegb3352bM 388 | BFr6JV1x8VLbePblHd0V1MwDdRWeAwIwarWfOVdB1ijrwzjROzCwE0uBkHYUPr0Z 389 | vgwdtlsnwDw9TnjsBrTJkQ0aS8c0Ahl1 390 | -----END CERTIFICATE----- 391 | # rds-ca-2015-root.pem 392 | -----BEGIN CERTIFICATE----- 393 | MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx 394 | EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoM 395 | GUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMx 396 | GzAZBgNVBAMMEkFtYXpvbiBSRFMgUm9vdCBDQTAeFw0xNTAyMDUwOTExMzFaFw0y 397 | MDAzMDUwOTExMzFaMIGKMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv 398 | 
bjEQMA4GA1UEBwwHU2VhdHRsZTEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNl 399 | cywgSW5jLjETMBEGA1UECwwKQW1hem9uIFJEUzEbMBkGA1UEAwwSQW1hem9uIFJE 400 | UyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD8nrZ8V 401 | u+VA8yVlUipCZIKPTDcOILYpUe8Tct0YeQQr0uyl018StdBsa3CjBgvwpDRq1HgF 402 | Ji2N3+39+shCNspQeE6aYU+BHXhKhIIStt3r7gl/4NqYiDDMWKHxHq0nsGDFfArf 403 | AOcjZdJagOMqb3fF46flc8k2E7THTm9Sz4L7RY1WdABMuurpICLFE3oHcGdapOb9 404 | T53pQR+xpHW9atkcf3pf7gbO0rlKVSIoUenBlZipUlp1VZl/OD/E+TtRhDDNdI2J 405 | P/DSMM3aEsq6ZQkfbz/Ilml+Lx3tJYXUDmp+ZjzMPLk/+3beT8EhrwtcG3VPpvwp 406 | BIOqsqVVTvw/CwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw 407 | AwEB/zAdBgNVHQ4EFgQUTgLurD72FchM7Sz1BcGPnIQISYMwHwYDVR0jBBgwFoAU 408 | TgLurD72FchM7Sz1BcGPnIQISYMwDQYJKoZIhvcNAQEFBQADggEBAHZcgIio8pAm 409 | MjHD5cl6wKjXxScXKtXygWH2BoDMYBJF9yfyKO2jEFxYKbHePpnXB1R04zJSWAw5 410 | 2EUuDI1pSBh9BA82/5PkuNlNeSTB3dXDD2PEPdzVWbSKvUB8ZdooV+2vngL0Zm4r 411 | 47QPyd18yPHrRIbtBtHR/6CwKevLZ394zgExqhnekYKIqqEX41xsUV0Gm6x4vpjf 412 | 2u6O/+YE2U+qyyxHE5Wd5oqde0oo9UUpFETJPVb6Q2cEeQib8PBAyi0i6KnF+kIV 413 | A9dY7IHSubtCK/i8wxMVqfd5GtbA8mmpeJFwnDvm9rBEsHybl08qlax9syEwsUYr 414 | /40NawZfTUU= 415 | -----END CERTIFICATE----- 416 | # rds-ca-2012-us-gov-west-1.pem 417 | -----BEGIN CERTIFICATE----- 418 | MIIDQzCCAqygAwIBAgIJAMGs6m/j+u8sMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV 419 | BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw 420 | EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h 421 | bWF6b24uY29tL3Jkcy8wHhcNMTIwODE2MDY0MjAwWhcNMTcwODE1MDY0MjAwWjB1 422 | MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh 423 | dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD 424 | ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 425 | gQCnTB7AkRR4xuhfAuOt5foNeCRBPeUujkzmJu1yfnTbtFi+g7zmovQ9BJcRoPYL 426 | 45McnXyaT/7UjhJhCI5gnYlTIyBTRFh7lXFJryypFx8AIh6q3D/ht8b6cVro3sJ2 427 | k4x1w/c7akKKsZJtf0ZyhbMvNnBz3K3TWVB6c9DChbfyUQIDAQABo4HaMIHXMB0G 428 | 
      A1UdDgQWBBS/OwyfNJHDnAmnZBbq9ACiXz7O1jCBpwYDVR0jBIGfMIGcgBS/Owyf
      NJHDnAmnZBbq9ACiXz7O1qF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh
      c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x
      DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAMGs
      6m/j+u8sMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACR37LqHlzjSH
      9gHCaiVJgCb0CCxSg3PHaQuv8h4ugAqQpGxpX3Zo97VgHnjEve21gXA74kzGUUAo
      7YNTZWbF2VkHUDqekXimvL3q1JEvHDKPkLJrxEic1zTU1uazb9uJeb1aVWTq6N8R
      bx56xd/e3o7RYcPfLD45y7RRXKz3AmE=
      -----END CERTIFICATE-----

- type: remove
  path: /variables/name=postgres_password

- type: remove
  path: /instance_groups/name=bosh/jobs/name=bbr-uaadb?

- type: remove
  path: /instance_groups/name=bosh/jobs/name=bbr-credhubdb?
--------------------------------------------------------------------------------
/operations/external-db.yml:
--------------------------------------------------------------------------------
- type: remove
  path: /instance_groups/name=bosh/jobs/name=postgres-9.4?

- type: remove
  path: /instance_groups/name=bosh/jobs/name=postgres-10?

- type: remove
  path: /instance_groups/name=bosh/jobs/name=postgres?
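The two ops files above carry the same RDS CA list twice, once as UAA's `ca_certs` array ("UAA requires each cert as an array object") and once as credhub's single `tls_ca` string ("Credhub requires all CA certs to be one single bundle"). Their own comments mark two anchors as expiring in May 2022, and the older `rds-ca-2012-us-gov-west-1.pem` and `rds-ca-2015-root.pem` entries (validity ended 2017 and 2020) are still in the list. The script below is an added example for this page, not code from the cloud-gov repo: it parses a bundle with a small standard-library DER walker (enough to read serial, validity and subject CN; it does not verify signatures), flags anchors that are expired as of a chosen date, and re-emits the list in both shapes. The function names are mine; the sample input is the ECC384 G1 root copied from the protobosh ops file, preceded by a comment line in that file's style.

```python
"""Audit an RDS CA bundle the way the UAA and credhub ops above consume it.
Added example for this page, not code from the cloud-gov repo; standard
library only.  A minimal DER walker reads serial, validity and subject CN so
anchors can be flagged as expired, then the list is re-emitted in the UAA
shape (one PEM per ca_certs element) and the credhub shape (one tls_ca string).
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def _tlv(der, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low seven bits count the length octets that follow
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _asn1_time(tag, raw):
    """UTCTime (0x17, two-digit year, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _common_name(der, start, end):
    """Walk a Name (SEQUENCE OF SET OF AttributeTypeAndValue) and return its CN."""
    pos = start
    while pos < end:
        _, set_s, set_e = _tlv(der, pos)    # RelativeDistinguishedName
        _, seq_s, _ = _tlv(der, set_s)      # AttributeTypeAndValue
        _, oid_s, oid_e = _tlv(der, seq_s)  # type
        _, val_s, val_e = _tlv(der, oid_e)  # value
        if der[oid_s:oid_e] == CN_OID:
            return der[val_s:val_e].decode("utf-8")
        pos = set_e
    return None

def cert_info(pem):
    """Parse one PEM certificate into cn, serial, not_before and not_after."""
    der = base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))
    _, pos, _ = _tlv(der, 0)                # Certificate
    _, pos, _ = _tlv(der, pos)              # tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version, absent in v1 certs
        pos = end
    _, s, pos = _tlv(der, pos)              # serialNumber
    serial = int.from_bytes(der[s:pos], "big")
    _, _, pos = _tlv(der, pos)              # signature AlgorithmIdentifier
    _, _, pos = _tlv(der, pos)              # issuer Name
    _, v_s, pos = _tlv(der, pos)            # validity
    t_nb, nb_s, nb_e = _tlv(der, v_s)       # notBefore
    t_na, na_s, na_e = _tlv(der, nb_e)      # notAfter
    _, sub_s, sub_e = _tlv(der, pos)        # subject Name
    return {"cn": _common_name(der, sub_s, sub_e), "serial": serial,
            "not_before": _asn1_time(t_nb, der[nb_s:nb_e]),
            "not_after": _asn1_time(t_na, der[na_s:na_e])}

def split_pems(text):
    """Every PEM block in a bundle, re-wrapped at 64 columns; comment lines are dropped."""
    pems = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pems.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return pems

def audit_bundle(text, as_of=None):
    """One record per certificate, flagged expired relative to as_of (YYYY-MM-DD, default now)."""
    now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc) if as_of else datetime.now(timezone.utc)
    records = []
    for pem in split_pems(text):
        info = cert_info(pem)
        info["expired"] = info["not_after"] < now
        records.append(info)
    return records

def uaa_ca_certs(text):    # UAA: one certificate per ca_certs array element
    return split_pems(text)

def credhub_tls_ca(text):  # credhub: the whole chain as a single tls_ca string
    return "".join(split_pems(text))

# Constructed input: one entry copied from the tls_ca bundle in external-db-protobosh.yml,
# preceded by a comment line in that file's style (which the parser must ignore).
SAMPLE_BUNDLE = """\
# Amazon RDS us-gov-west-1 Root CA ECC384 G1 expires May2121
-----BEGIN CERTIFICATE-----
MIICtDCCAjugAwIBAgIQPyg+edjKVnM2PB4KZVu66jAKBggqhkjOPQQDAzCBmjEL
MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x
EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6
b24gUkRTIHVzLWdvdi13ZXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM
B1NlYXR0bGUwIBcNMjEwNTI2MjE1MzI3WhgPMjEyMTA1MjYyMjUzMjdaMIGaMQsw
CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET
MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv
biBSRFMgdXMtZ292LXdlc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH
U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABFaqyIYrbpPfhiKzLEkmzp1j
3OYO/e1VE3vCf5c62bN5xYKFKH/MnKgsUFNsFpJ1t0p9cexi+607aiYOo1sOWvOj
q3PUu+ltklQdvunU/Se5++qqsh7lylL5OF/F19uqfqNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUJHPtPhijPquZxTz2UGh4YV1npYMwDgYDVR0PAQH/BAQD
AgGGMAoGCCqGSM49BAMDA2cAMGQCMHWDFuIZ9LZgysbL4vx/Ox9z8fbegb3352bM
BFr6JV1x8VLbePblHd0V1MwDdRWeAwIwarWfOVdB1ijrwzjROzCwE0uBkHYUPr0Z
vgwdtlsnwDw9TnjsBrTJkQ0aS8c0Ahl1
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for rec in audit_bundle(SAMPLE_BUNDLE):
        print("EXPIRED" if rec["expired"] else "valid  ", f"until {rec['not_after']:%Y-%m-%d}", rec["cn"])
    print(len(uaa_ca_certs(SAMPLE_BUNDLE)), "UAA element(s);", len(credhub_tls_ca(SAMPLE_BUNDLE)), "bytes for credhub")
```

Run as a script it prints one line per anchor; to check a real ops file, pass the whole `tls_ca` literal (or the joined `ca_certs` elements) to `audit_bundle`. Because `split_pems` strips all whitespace before re-wrapping, the YAML indentation and the `#` comment lines inside the literal blocks do not need to be removed first.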

- type: remove
  path: /instance_groups/name=bosh/properties/postgres

- type: replace
  path: /instance_groups/name=bosh/jobs/-
  value:
    name: postgres-client
    release: postgres-client

- type: replace
  path: /releases/-
  value:
    name: postgres-client
    # Unpinned: "latest" resolves to whichever postgres-client release version has
    # been uploaded to the director, and no url/sha1 is given to check it against.
    # Compare the toolbelt release in external-db-protobosh.yml, which pins version,
    # url and sha1.
    version: latest

- type: replace
  path: /instance_groups/name=bosh/properties/director/db
  value:
    host: ((terraform_outputs.bosh_rds_host_curr))
    port: ((terraform_outputs.bosh_rds_port))
    user: ((terraform_outputs.bosh_rds_username))
    password: ((terraform_outputs.bosh_rds_password))
    database: bosh

- type: replace
  path: /instance_groups/name=bosh/properties/registry?/db
  value:
    host: ((terraform_outputs.bosh_rds_host_curr))
    port: ((terraform_outputs.bosh_rds_port))
    user: ((terraform_outputs.bosh_rds_username))
    password: ((terraform_outputs.bosh_rds_password))
    database: bosh

- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaadb
  value:
    address: ((terraform_outputs.bosh_rds_host_curr))
    port: ((terraform_outputs.bosh_rds_port))
    user: ((terraform_outputs.bosh_rds_username))
    password: ((terraform_outputs.bosh_rds_password))
    db_scheme: postgresql
    roles:
    - name: bosh
      password: ((terraform_outputs.bosh_rds_password))
      tag: admin
    databases:
    - name: bosh_uaadb
      tag: uaa

- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/ca_certs?
  value:
  - |+
    # UAA requires each cert as an array object
    # RDS US-GOV-WEST-1-BUNDLE.PEM UPDATED APRIL 2022
    # Amazon RDS GovCloud Root CA expires May22
  - |+
    # Amazon RDS us-gov-west-1 CA expires May22
  - |+
    # Amazon RDS us-gov-west-1 Root CA RSA2048 G1 expires April2162
  - |+
    # Amazon RDS us-gov-west-1 Root CA RSA4096 G1 expires May2121
  - |+
    # Amazon RDS us-gov-west-1 Root CA ECC384 G1 expires May2121
  - |+
    # rds-ca-2015-root.pem
  - |+
    # rds-ca-2012-us-gov-west-1.pem

- type: replace
  path: /instance_groups/name=bosh/jobs/name=credhub/properties/credhub/data_storage
  value:
    type: postgres
    host: ((terraform_outputs.credhub_rds_host))
    port: ((terraform_outputs.credhub_rds_port))
    username: ((terraform_outputs.credhub_rds_username))
    password: ((terraform_outputs.credhub_rds_password))
    database: credhub
    require_tls: true
    tls_ca: |-
      # Credhub requires all CA certs to be one single bundle
      # RDS US-GOV-WEST-1-BUNDLE.PEM UPDATED APRIL 2022
      # Amazon RDS GovCloud Root CA expires May22
      # Amazon RDS us-gov-west-1 CA expires May22
      # Amazon RDS us-gov-west-1 Root CA RSA2048 G1 expires April2162
      # Amazon RDS us-gov-west-1 Root CA RSA4096 G1 expires May2121
      # Amazon RDS us-gov-west-1 Root CA ECC384 G1 expires May2121
      # rds-ca-2015-root.pem
      # rds-ca-2012-us-gov-west-1.pem

- type: remove
  path: /variables/name=postgres_password
--------------------------------------------------------------------------------
/operations/masterbosh-metadatav2.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /cloud_provider/properties/aws/metadata_options?/http_tokens?
  value: required

- type: replace
  path: /cloud_provider/properties/aws/metadata_options?/http_put_response_hop_limit?
  value: 2
--------------------------------------------------------------------------------
/operations/masterbosh-ntp.yml:
--------------------------------------------------------------------------------
# Sets the NTP sources used by chronyc on the Jammy stemcell masterbosh deployed with create-env
- type: replace
  path: /resource_pools/0/env/bosh/ntp?
  value:
  - server time-a.nist.gov
  - server time-b.nist.gov
  - server time-c.nist.gov
  - server time-d.nist.gov
  - server time-b-wwv.nist.gov
  - server time-c-wwv.nist.gov
  - server time-d-wwv.nist.gov

- path: /instance_groups/name=bosh/properties/agent/env/bosh/ntp?
  type: replace
  value:
  - server time-a.nist.gov
  - server time-b.nist.gov
  - server time-c.nist.gov
  - server time-d.nist.gov
  - server time-b-wwv.nist.gov
  - server time-c-wwv.nist.gov
  - server time-d-wwv.nist.gov
--------------------------------------------------------------------------------
/operations/max-tasks.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /instance_groups/name=bosh/properties/director/max_tasks?
  value: 200
--------------------------------------------------------------------------------
/operations/name.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /name
  value: ((deployment_name))
--------------------------------------------------------------------------------
/operations/nats-payload.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /instance_groups/name=bosh/properties/nats/max_payload_mb?
  value: 2
--------------------------------------------------------------------------------
/operations/nist-ntp.yml:
--------------------------------------------------------------------------------
# Sets the NTP sources used by chronyc on Bionic stemcells
- type: replace
  path: /instance_groups/name=bosh/properties/agent/env/bosh/ntp
  value:
  - server time-a.nist.gov
  - server time-b.nist.gov
  - server time-c.nist.gov
  - server time-d.nist.gov
  - server time-b-wwv.nist.gov
  - server time-c-wwv.nist.gov
  - server time-d-wwv.nist.gov
--------------------------------------------------------------------------------
/operations/remove-new-saml-key.yml:
--------------------------------------------------------------------------------
- path: /instance_groups/name=bosh/jobs/name=uaa/properties/login/saml/keys/uaa-saml-key-1
  type: remove

- path: /variables/-
  type: replace
  value:
    name: uaa_service_provider_ssl_key_2
    options:
      alternative_names:
      - ((internal_ip))
      ca: default_ca
      common_name: ((internal_ip))
    type: certificate
--------------------------------------------------------------------------------
/operations/rotate-new-saml-key.yml:
--------------------------------------------------------------------------------
# To rotate, increment this key after adding to the chain in operation above
-
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/login/saml/activeKeyId
  type: replace
  value: uaa-saml-key-2

- path: /variables/-
  type: replace
  value:
    name: uaa_service_provider_ssl_key_2
    options:
      alternative_names:
      - ((internal_ip))
      ca: default_ca
      common_name: ((internal_ip))
    type: certificate
--------------------------------------------------------------------------------
/operations/s3-blobstore-protobosh.yml:
--------------------------------------------------------------------------------
- type: remove
  path: /instance_groups/name=bosh/jobs/name=blobstore

- type: replace
  path: /instance_groups/name=bosh/properties/blobstore/provider
  value: s3
- type: replace
  path: /instance_groups/name=bosh/properties/blobstore/credentials_source?
  value: env_or_profile
- type: replace
  path: /instance_groups/name=bosh/properties/blobstore/server_side_encryption?
  value: AES256
- type: replace
  path: /instance_groups/name=bosh/properties/blobstore/bucket_name?
  value: ((terraform_outputs.protobosh_blobstore_bucket))
- type: replace
  path: /instance_groups/name=bosh/properties/blobstore/s3_region?
  value: ((terraform_outputs.vpc_region))

- type: remove
  path: /instance_groups/name=bosh/properties/agent/env/bosh/blobstores

- type: replace
  path: /instance_groups/name=bosh/properties/agent/env/bosh/blobstores?/-
  value:
    provider: s3
    options:
      bucket_name: ((terraform_outputs.protobosh_blobstore_bucket))
      region: ((terraform_outputs.vpc_region))
      credentials_source: env_or_profile
      server_side_encryption: AES256

- type: remove
  path: /resource_pools/name=vms/env/bosh/blobstores

- type: replace
  path: /resource_pools/name=vms/env/bosh/blobstores?/-
  value:
    provider: s3
    options:
      bucket_name: ((terraform_outputs.protobosh_blobstore_bucket))
      region: ((terraform_outputs.vpc_region))
      credentials_source: env_or_profile
      server_side_encryption: AES256

- type: remove
  path: /variables/name=blobstore_ca?

- type: remove
  path: /variables/name=blobstore_server_tls?
--------------------------------------------------------------------------------
/operations/s3-blobstore.yml:
--------------------------------------------------------------------------------
# As of 04/24/2024 we import the base s3-blobstore-instance-profile.yml from bosh-deployment and tweak it

- type: replace
  path: /instance_groups/name=bosh/properties/blobstore/server_side_encryption?
  value: ((blobstore.server_side_encryption))
- type: replace
  path: /instance_groups/name=bosh/properties/blobstore/bucket_name?
  value: ((terraform_outputs.bosh_blobstore_bucket))
- type: replace
  path: /instance_groups/name=bosh/properties/blobstore/s3_region?
  value: ((terraform_outputs.vpc_region))

- type: remove
  path: /instance_groups/name=bosh/properties/agent/env/bosh/blobstores

- type: replace
  path: /instance_groups/name=bosh/properties/agent/env/bosh/blobstores?/-
  value:
    provider: s3
    options:
      bucket_name: ((terraform_outputs.bosh_blobstore_bucket))
      region: ((terraform_outputs.vpc_region))
      credentials_source: env_or_profile
      server_side_encryption: ((blobstore.server_side_encryption))

- type: remove
  path: /variables/name=blobstore_ca?

- type: remove
  path: /variables/name=blobstore_server_tls?
--------------------------------------------------------------------------------
/operations/uaa-clients.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/clients/ci?
  value:
    override: true
    authorized-grant-types: client_credentials
    authorities: bosh.admin
    scope: ""
    secret: "((bosh_ci_client_secret))"

- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/clients/bosh_exporter?
  value:
    override: true
    authorized-grant-types: client_credentials,refresh_token
    authorities: bosh.read
    scope: bosh.read
    secret: "((bosh_exporter_client_secret))"

- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/clients/doomsday-readonly?
  value:
    override: true
    authorized-grant-types: client_credentials,refresh_token
    authorities: credhub.write,credhub.read
    scope: uaa.none
    secret: "((doomsday-readonly-secret))"

- type: replace
  path: /variables/-
  value:
    name: bosh_ci_client_secret
    type: password

- type: replace
  path: /variables/-
  value:
    name: bosh_exporter_client_secret
    type: password

- type: replace
  path: /variables/-
  value:
    name: doomsday-readonly-secret
    type: password
--------------------------------------------------------------------------------
/operations/update.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /update?
  value:
    canaries: 1
    canary_watch_time: 1000-600000
    update_watch_time: 1000-600000
    max_in_flight: 4
- type: replace
  path: /instance_groups/name=bosh/vm_type
  value: m6i.xlarge.bosh.director
--------------------------------------------------------------------------------
/operations/use-c5-large.yml:
--------------------------------------------------------------------------------
- path: /resource_pools/name=vms/cloud_properties/instance_type?
  type: replace
  value: c5.large
--------------------------------------------------------------------------------
/operations/use-trusty.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /resource_pools/name=vms/stemcell?
  value:
    url: https://bosh.io/d/stemcells/bosh-aws-xen-hvm-ubuntu-trusty-go_agent
    sha1: 6fc1480ececafcb4915d8abbbf40830883966a85
--------------------------------------------------------------------------------
/operations/use-z3.yml:
--------------------------------------------------------------------------------
- type: replace
  path: /instance_groups/name=bosh/azs?
  value: [z3]
--------------------------------------------------------------------------------
/releases/generate.rb:
--------------------------------------------------------------------------------
#!/usr/bin/env ruby

require 'erb'
require 'yaml'

inputs = ARGV

template = ERB.new(File.read(File.join(__dir__, 'pipeline.yml.erb')))

# Expose every top-level key of each input YAML file (e.g. releases.yml)
# as a local variable in the binding the template is rendered with.
b = binding
inputs.each do |input|
  YAML.load(File.read(input)).each do |key, value|
    b.local_variable_set(key, value)
  end
end

puts template.result(b)
--------------------------------------------------------------------------------
/releases/generate.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -eux

dir=$(cd "$(dirname "$0")"; pwd -P)
releases_yaml="${RELEASES_YAML:-"${dir}/releases.yml"}"
ci_url="${CI_URL:-"https://ci.fr.cloud.gov"}"
fly_target=$(fly targets | grep "${ci_url}" | head -n 1 | awk '{print $1}')

if ! \
fly --target "${fly_target}" workers > /dev/null; then
  echo "Not logged in to concourse"
  exit 1
fi

config=$(mktemp)
"${dir}/generate.rb" "${releases_yaml}" > "${config}"
fly -t "${fly_target}" set-pipeline -p "${PIPELINE:-bosh-releases}" -c "${config}"
rm "${config}"
--------------------------------------------------------------------------------
/releases/pipeline.yml.erb:
--------------------------------------------------------------------------------
---
resource_types:
- name: registry-image
  type: registry-image
  source:
    aws_access_key_id: ((ecr_aws_key))
    aws_secret_access_key: ((ecr_aws_secret))
    repository: registry-image-resource
    aws_region: us-gov-west-1
    tag: latest

- name: s3-iam
  type: registry-image
  source:
    aws_access_key_id: ((ecr_aws_key))
    aws_secret_access_key: ((ecr_aws_secret))
    repository: s3-resource
    aws_region: us-gov-west-1
    tag: latest

- name: git
  type: registry-image
  source:
    aws_access_key_id: ((ecr_aws_key))
    aws_secret_access_key: ((ecr_aws_secret))
    repository: git-resource
    aws_region: us-gov-west-1
    tag: latest

resources:
- name: pipeline-tasks
  type: git
  source:
    uri: https://github.com/cloud-gov/cg-pipeline-tasks
    branch: main
    commit_verification_keys: ((cloud-gov-pgp-keys))

<% releases.map do |release| %>
- name: <%= release['name'] %>-release-git-repo
  type: git
  source:
    uri: <%= release['uri'] %>
    branch: <%= release['branch'] %>
    commit_verification_keys: ((cloud-gov-pgp-keys))

- name: <%= release['name'] %>-release-tarball
  type: s3-iam
  source:
    check_every: never
    bucket: <%= bosh_release_bucket %>
    regexp: <%= release['name'] %>-(.*).tgz
    region_name: <%= aws_region %>
    server_side_encryption: AES256
    endpoint: <%= aws_s3_endpoint %>

- name:
<%= release['name'] %>-final-builds-dir-tarball 57 | type: s3-iam 58 | source: 59 | check_every: never 60 | bucket: <%= bosh_release_bucket %> 61 | versioned_file: final-builds-dir-<%= release['name'] %>.tgz 62 | region_name: <%= aws_region %> 63 | server_side_encryption: AES256 64 | endpoint: <%= aws_s3_endpoint %> 65 | 66 | - name: <%= release['name'] %>-releases-dir-tarball 67 | type: s3-iam 68 | source: 69 | check_every: never 70 | bucket: <%= bosh_release_bucket %> 71 | versioned_file: releases-dir-<%= release['name'] %>.tgz 72 | region_name: <%= aws_region %> 73 | server_side_encryption: AES256 74 | endpoint: <%= aws_s3_endpoint %> 75 | <% end %> 76 | 77 | jobs: 78 | <% releases.map do |release| %> 79 | - name: build-<%= release['name'] %>-release 80 | plan: 81 | - in_parallel: 82 | - get: release-git-repo 83 | resource: <%= release['name'] %>-release-git-repo 84 | trigger: true 85 | params: {depth: 1} 86 | - get: pipeline-tasks 87 | params: {depth: 1} 88 | - get: final-builds-dir-tarball 89 | resource: <%= release['name'] %>-final-builds-dir-tarball 90 | - get: releases-dir-tarball 91 | resource: <%= release['name'] %>-releases-dir-tarball 92 | - task: finalize-release 93 | file: pipeline-tasks/finalize-bosh-release.yml 94 | tags: [iaas] 95 | params: 96 | PRIVATE_YML_CONTENT: |- 97 | --- 98 | blobstore: 99 | options: 100 | region: <%= aws_region %> 101 | bucket_name: <%= release_blobstore_bucket %> 102 | credentials_source: env_or_profile 103 | host: <%= aws_s3_endpoint %> 104 | server_side_encryption: AES256 105 | - in_parallel: 106 | - put: <%= release['name'] %>-release-tarball 107 | tags: [iaas] 108 | params: 109 | file: finalized-release/<%= release['name'] %>-*.tgz 110 | - put: <%= release['name'] %>-final-builds-dir-tarball 111 | tags: [iaas] 112 | params: 113 | file: finalized-release/final-builds-dir-<%= release['name'] %>.tgz 114 | - put: <%= release['name'] %>-releases-dir-tarball 115 | tags: [iaas] 116 | params: 117 | file: 
finalized-release/releases-dir-<%= release['name'] %>.tgz 118 | <% end %> 119 | -------------------------------------------------------------------------------- /releases/releases.yml: -------------------------------------------------------------------------------- 1 | bosh_release_bucket: cloud-gov-bosh-releases 2 | release_blobstore_bucket: cloud-gov-release-blobstore 3 | aws_region: us-gov-west-1 4 | aws_s3_endpoint: s3-fips.us-gov-west-1.amazonaws.com 5 | 6 | releases: 7 | - name: fisma-jammy 8 | uri: https://github.com/cloud-gov/cg-harden-boshrelease 9 | branch: jammy-main 10 | - name: nessus-agent 11 | uri: https://github.com/cloud-gov/cg-nessus-agent-boshrelease 12 | branch: main 13 | - name: awslogs-jammy 14 | uri: https://github.com/cloud-gov/cg-awslogs-boshrelease 15 | branch: jammy 16 | - name: clamav 17 | uri: https://github.com/cloud-gov/cg-clamav-boshrelease 18 | branch: main 19 | - name: nessus-manager 20 | uri: https://github.com/cloud-gov/cg-nessus-manager-boshrelease 21 | branch: main 22 | - name: shibboleth 23 | uri: https://github.com/cloud-gov/shibboleth-boshrelease 24 | branch: main 25 | - name: uaa-customized 26 | uri: https://github.com/cloud-gov/uaa-customized-boshrelease 27 | branch: main 28 | - name: cron 29 | uri: https://github.com/cloud-gov/cron-boshrelease 30 | branch: main 31 | - name: oauth2-proxy 32 | uri: https://github.com/cloud-gov/oauth2-proxy-boshrelease 33 | branch: main 34 | - name: postfix 35 | uri: https://github.com/cloud-gov/postfix-boshrelease 36 | branch: main 37 | - name: domain-broker 38 | uri: https://github.com/cloud-gov/cf-domain-broker-alb-boshrelease 39 | branch: main 40 | - name: aide 41 | uri: https://github.com/cloud-gov/aide-boshrelease 42 | branch: main 43 | - name: postgres-client 44 | uri: https://github.com/cloud-gov/postgres-client-boshrelease 45 | branch: main 46 | -------------------------------------------------------------------------------- /runtime-config/runtime.yml: 
-------------------------------------------------------------------------------- 1 | releases: 2 | - {name: fisma-jammy, version: ((release_fisma_jammy))} 3 | - {name: aide, version: ((release_aide))} 4 | - {name: clamav, version: ((release_clamav))} 5 | - {name: jammy-snort, version: ((release_jammy_snort))} 6 | - {name: awslogs-jammy, version: ((release_awslogs_jammy))} 7 | - {name: nessus-agent, version: ((release_nessus_agent))} 8 | - {name: node-exporter, version: ((release_node_exporter))} 9 | - {name: syslog, version: ((release_syslog))} 10 | 11 | addons: 12 | - include: 13 | stemcell: 14 | - os: ubuntu-jammy 15 | name: hardening-jammy 16 | jobs: 17 | - name: snort 18 | release: jammy-snort 19 | - name: clamav 20 | release: clamav 21 | properties: 22 | clamav: 23 | dbMirror1: ((/clamav_mirror)) 24 | alert_on_stale_defs: ((/clamav_alert_on_stale_defs)) 25 | schedule_enabled: ((/clamav_schedule_enabled)) 26 | on_access_enabled: ((/clamav_onaccess_enabled)) 27 | cron: 28 | schedule: ((/clamav_cron_schedule)) 29 | include_directories: ((/clamav_include_directories)) 30 | exclude_directories: ((/clamav_exclude_directories)) 31 | - name: syslog_forwarder 32 | properties: 33 | syslog: 34 | address: ((terraform_outputs.platform_syslog_elb_dns_name)) 35 | port: 5514 36 | release: syslog 37 | - name: aide 38 | release: aide 39 | - name: harden 40 | release: fisma-jammy 41 | - name: node_exporter 42 | release: node-exporter 43 | - name: nessus-agent 44 | release: nessus-agent 45 | properties: 46 | nessus-agent: 47 | key: ((/nessus_agent_key)) 48 | group: ((/nessus_agent_group)) 49 | server: ((terraform_outputs.nessus_static_ip)) 50 | port: 8834 51 | - name: awslogs-jammy 52 | release: awslogs-jammy 53 | properties: 54 | awslogs-jammy: 55 | region: us-gov-west-1 56 | awslogs_files_config: 57 | - name: /var/log/audit/audit.log 58 | file: /var/log/audit/audit.log 59 | log_group_name: /var/log/audit/audit.log 60 | log_stream_name: "{{instance_id}}" 61 | initial_position: 
start_of_file 62 | datetime_format: "%Y-%m-%dT%H:%M:%S" 63 | - name: /var/log/auth.log 64 | file: /var/log/auth.log 65 | log_group_name: /var/log/auth.log 66 | log_stream_name: "{{instance_id}}" 67 | initial_position: start_of_file 68 | datetime_format: "%Y-%m-%dT%H:%M:%S" 69 | - name: /var/log/dpkg.log 70 | file: /var/log/dpkg.log 71 | log_group_name: /var/log/dpkg.log 72 | log_stream_name: "{{instance_id}}" 73 | initial_position: start_of_file 74 | datetime_format: "%Y-%m-%dT%H:%M:%S" 75 | - name: /var/log/syslog 76 | file: /var/log/syslog 77 | log_group_name: /var/log/syslog 78 | log_stream_name: "{{instance_id}}" 79 | initial_position: start_of_file 80 | datetime_format: "%Y-%m-%dT%H:%M:%S" 81 | tags: 82 | environment: ((bosh_environment)) 83 | variables: 84 | - name: nessus_agent_key 85 | type: password 86 | - name: nessus_agent_group 87 | type: password 88 | -------------------------------------------------------------------------------- /variables/development.yml: -------------------------------------------------------------------------------- 1 | director_name: bosh 2 | environment: development 3 | deployment_name: developmentbosh 4 | network: development-bosh 5 | instance_profile: development-bosh-profile 6 | gateway_host: prometheus-staging.service.cf.internal 7 | gateway_deployment: "" 8 | blobstore: 9 | server_side_encryption: "aws:kms" 10 | -------------------------------------------------------------------------------- /variables/master.yml: -------------------------------------------------------------------------------- 1 | director_name: master-bosh 2 | private_key: ../ca.key 3 | environment: master 4 | -------------------------------------------------------------------------------- /variables/production.yml: -------------------------------------------------------------------------------- 1 | director_name: bosh 2 | environment: production 3 | deployment_name: productionbosh 4 | network: production-bosh 5 | instance_profile: production-bosh-profile 
6 | gateway_host: prometheus-production.service.cf.internal 7 | gateway_deployment: "" 8 | blobstore: 9 | server_side_encryption: "AES256" 10 | -------------------------------------------------------------------------------- /variables/staging.yml: -------------------------------------------------------------------------------- 1 | director_name: bosh 2 | environment: staging 3 | deployment_name: stagingbosh 4 | network: staging-bosh 5 | instance_profile: staging-bosh-profile 6 | gateway_host: prometheus-staging.service.cf.internal 7 | gateway_deployment: "" 8 | blobstore: 9 | server_side_encryption: "AES256" 10 | -------------------------------------------------------------------------------- /variables/terraform-master.yml: -------------------------------------------------------------------------------- 1 | internal_ip: ((terraform_outputs.master_bosh_static_ip)) 2 | dns_recursor_ip: ((terraform_outputs.vpc_cidr_dns)) 3 | region: ((terraform_outputs.vpc_region)) 4 | az: ((terraform_outputs.az1)) 5 | internal_cidr: ((terraform_outputs.private_subnet_az1_cidr)) 6 | internal_gw: ((terraform_outputs.private_subnet_az1_gateway)) 7 | subnet_id: ((terraform_outputs.private_subnet_az1)) 8 | default_security_groups: [((terraform_outputs.bosh_security_group))] 9 | iam_instance_profile: ((terraform_outputs.master_bosh_profile)) 10 | nessus_agent_server: ((terraform_outputs.nessus_static_ip)) 11 | -------------------------------------------------------------------------------- /variables/terraform-westa-hub.yml: -------------------------------------------------------------------------------- 1 | internal_ip: ((terraform_outputs.protobosh_static_ip)) 2 | dns_recursor_ip: ((terraform_outputs.vpc_cidr_dns)) 3 | region: ((terraform_outputs.vpc_region)) 4 | az: ((terraform_outputs.az1)) 5 | internal_cidr: ((terraform_outputs.private_subnet_az1_cidr)) 6 | internal_gw: ((terraform_outputs.private_subnet_az1_gateway)) 7 | subnet_id: ((terraform_outputs.private_subnet_az1)) 8 | 
default_security_groups: [((terraform_outputs.bosh_security_group))] 9 | iam_instance_profile: ((terraform_outputs.protobosh_profile)) 10 | nessus_agent_server: ((terraform_outputs.nessus_static_ip)) 11 | -------------------------------------------------------------------------------- /variables/terraform.yml: -------------------------------------------------------------------------------- 1 | internal_ip: ((terraform_outputs.bosh_static_ip)) 2 | dns_recursor_ip: ((terraform_outputs.vpc_cidr_dns)) 3 | -------------------------------------------------------------------------------- /variables/tooling.yml: -------------------------------------------------------------------------------- 1 | director_name: toolingbosh 2 | environment: tooling 3 | deployment_name: toolingbosh 4 | network: bosh 5 | instance_profile: bosh-profile 6 | gateway_host: prometheus-tooling.service.cf.internal 7 | gateway_deployment: prometheus-production 8 | blobstore: 9 | server_side_encryption: "AES256" 10 | -------------------------------------------------------------------------------- /variables/westa-hub-tooling.yml: -------------------------------------------------------------------------------- 1 | director_name: toolingbosh 2 | environment: tooling 3 | deployment_name: toolingbosh 4 | network: bosh 5 | instance_profile: westa-hub-bosh 6 | gateway_host: prometheus-tooling.service.cf.internal 7 | gateway_deployment: prometheus-production 8 | --------------------------------------------------------------------------------