Hi group,
I'd like to use Puppet SSL attributes (https://docs.puppet.com/puppet/5.0/ssl_attributes_extensions.html#puppet-specific-registered-ids) as a kind of trusted facts, e.g. for policy-based autosigning and to define a 'role' and 'app_tier' level in our Hiera hierarchy. We run Ubuntu instances on Amazon EC2 and use a bit of Cloud-Config yaml in our user-data to bootstrap the instances: they get a hostname and Puppet repo configured, and the Puppet agent is installed and configured.
Before the Puppet agent first starts and requests a certificate I'd like to set some SSL Attributes based on the instance's Tags and other instance metadata. Some data like instance-id, hostname and cloudplatform are easy to collect. Unfortunately instance Tags aren't easily available via the EC2 Metadata URL or via Facter. All instances have an IAM Role attached so they're allowed to read instance tags, but the necessary tools to get Tags are missing.
I guess I could use Cloud-init to deploy a small utility to the instance that reads the tags from the EC2 API and writes them to csr_attributes.yaml, but I'd like to keep Cloud-init as compact as possible and do most things via Puppet. This is a bit of a chicken-and-egg problem, so perhaps I should just do it via Cloud-init.
What do you think? How would you implement this?
Regards, Martijn
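An added example, not from Martijn's post, of the small utility the post considers: it turns instance metadata and EC2 tags into the csr_attributes.yaml structure, using only extension names registered in the linked Puppet docs. It assumes the tags were already fetched with the instance's IAM role (e.g. via the AWS CLI or boto3, not shown), and the tag keys `Role`/`AppTier` and the sample values are constructed assumptions.

```python
import json
import re

# EC2 tag key -> Puppet-registered extension_requests short name.
# Only whitelisted tags are copied; anything else (e.g. "Name") is ignored.
TAG_TO_EXTENSION = {
    "Role": "pp_role",
    "AppTier": "pp_apptier",
}

# Tag values can be written by anyone holding ec2:CreateTags, so treat them
# as untrusted input and require a conservative character set before they
# end up in a CSR that drives autosigning and Hiera lookups.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_csr_attributes(metadata, tags, preshared_key=None):
    """Return the csr_attributes.yaml content as a dict.

    metadata: {'instance_id': ..., 'hostname': ...} from the EC2 metadata URL
    tags:     {tag key: value} fetched separately via the instance's IAM role
    preshared_key: optional secret for policy-based autosigning; it goes into
        custom_attributes (PKCS#9 challengePassword OID) and is therefore
        not copied into the signed certificate.
    """
    ext = {
        "pp_instance_id": metadata["instance_id"],
        "pp_hostname": metadata["hostname"],
        "pp_cloudplatform": "aws",  # constant for EC2-hosted instances
    }
    for tag_key, ext_name in TAG_TO_EXTENSION.items():
        if tag_key in tags:
            ext[ext_name] = tags[tag_key]  # missing tag: leave the extension out
    for ext_name, value in ext.items():
        if not SAFE_VALUE.match(value):
            raise ValueError(f"unsafe value for {ext_name}: {value!r}")
    doc = {"extension_requests": ext}
    if preshared_key:
        doc["custom_attributes"] = {"1.2.840.113549.1.9.7": preshared_key}
    return doc


def to_yaml(doc):
    """Serialise the two-level dict without PyYAML; JSON string literals are
    valid YAML double-quoted scalars, so values are quoted via json.dumps."""
    lines = []
    for section, entries in doc.items():
        lines.append(f"{section}:")
        lines.extend(f"  {k}: {json.dumps(v)}" for k, v in entries.items())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input standing in for the metadata URL and DescribeTags.
    meta = {"instance_id": "i-0123456789abcdef0", "hostname": "web-01.example.internal"}
    tags = {"Role": "webserver", "AppTier": "frontend", "Name": "web-01"}
    print(to_yaml(build_csr_attributes(meta, tags)))  # write this to csr_attributes.yaml
```

In the flow the post describes, cloud-init would run this before the agent's first start and place the output in Puppet's confdir as csr_attributes.yaml; after signing, the values are available as trusted.extensions.pp_role and trusted.extensions.pp_apptier for the Hiera hierarchy.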