builderator 1.1.4 → 1.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6f7315691d21aa1ee458439e175fad832f333c84
-  data.tar.gz: beaad66836ca71ea55dab73885127771f87debec
+  metadata.gz: 21016d55b87697c9e9b45661275116259721d1f5
+  data.tar.gz: 6d0502c4f842812140c78fdd0c3294db60a04acc
 SHA512:
-  metadata.gz: 41feb503cf94efa12ef41452efa31b31d823bc1fd818afaf390e5bb8f93da4319c230c7565f70d4d0f2946f91fd7fc218d83416b12f138b439b6490a196d071d
-  data.tar.gz: 9adcbfa499715d19ede3eaaaf17cff16308fd281f7f5e30d6f7b827200054e5bebcab4c60ed32fe02e150b16a7d04d5699e213c5d80de9f9e33a52d4d7afc2b9
+  metadata.gz: 97eb7cb95957c03348fb2d7814b58ef1a1ceb58dfdc643c7aedf361882f499bd1df3eec3c06520ff3914fb1b470f50b9c1eeeee3de8749ee0ab7d2dc6002cc65
+  data.tar.gz: 75840ceb5c420cbfd64896c2cfcc91976a7b99cdb1c0bfd41ba1ac8223b68bddb4060da008c10b8ddfc36918e1d61c53ce3093799e374f85181cde9fd0cdd3ee

data/Gemfile.lock

@@ -15,13 +15,13 @@ GEM
   specs:
     addressable (2.4.0)
     ast (2.2.0)
-    aws-sdk (2.2.36)
-      aws-sdk-resources (= 2.2.36)
-    aws-sdk-core (2.2.36)
+    aws-sdk (2.3.4)
+      aws-sdk-resources (= 2.3.4)
+    aws-sdk-core (2.3.4)
       jmespath (~> 1.0)
-    aws-sdk-resources (2.2.36)
-      aws-sdk-core (= 2.2.36)
-    berkshelf (4.3.2)
+    aws-sdk-resources (2.3.4)
+      aws-sdk-core (= 2.3.4)
+    berkshelf (4.3.3)
       addressable (~> 2.3, >= 2.3.4)
       berkshelf-api-client (~> 2.0, >= 2.0.2)
       buff-config (~> 1.0)
@@ -56,40 +56,40 @@ GEM
     celluloid-io (0.16.2)
       celluloid (>= 0.16.0)
       nio4r (>= 1.1.0)
-    chef (12.7.2)
-      chef-config (= 12.7.2)
-      chef-zero (~> 4.5)
+    chef (12.5.1)
+      chef-config (= 12.5.1)
+      chef-zero (~> 4.2, >= 4.2.2)
       diff-lcs (~> 1.2, >= 1.2.4)
       erubis (~> 2.7)
       ffi-yajl (~> 2.2)
       highline (~> 1.6, >= 1.6.9)
-      mixlib-authentication (~> 1.4)
+      mixlib-authentication (~> 1.3)
       mixlib-cli (~> 1.4)
       mixlib-log (~> 1.3)
       mixlib-shellout (~> 2.0)
-      net-ssh (>= 2.9, < 4.0)
+      net-ssh (~> 2.6)
       net-ssh-multi (~> 1.1)
       ohai (>= 8.6.0.alpha.1, < 9)
       plist (~> 3.1.0)
-      proxifier (~> 1.0)
-      rspec-core (~> 3.4)
-      rspec-expectations (~> 3.4)
-      rspec-mocks (~> 3.4)
+      pry (~> 0.9)
+      rspec-core (~> 3.2)
+      rspec-expectations (~> 3.2)
+      rspec-mocks (~> 3.2)
       rspec_junit_formatter (~> 0.2.0)
       serverspec (~> 2.7)
       specinfra (~> 2.10)
       syslog-logger (~> 1.6)
-      uuidtools (~> 2.1.5)
-    chef-config (12.7.2)
+    chef-config (12.5.1)
       mixlib-config (~> 2.0)
       mixlib-shellout (~> 2.0)
-    chef-zero (4.6.1)
+    chef-zero (4.6.2)
       ffi-yajl (~> 2.2)
       hashie (>= 2.0, < 4.0)
       mixlib-log (~> 1.3)
       rack
       uuidtools (~> 2.1)
     cleanroom (1.0.0)
+    coderay (1.1.1)
     dep-selector-libgecode (1.2.0)
     dep_selector (1.0.3)
       dep-selector-libgecode (~> 1.0)
@@ -103,10 +103,10 @@ GEM
     ffi (1.9.10)
     ffi-yajl (2.2.3)
       libyajl2 (~> 1.2)
-    hashie (3.4.3)
+    hashie (3.4.4)
     highline (1.7.8)
-    hitimes (1.2.3)
-    httpclient (2.7.1)
+    hitimes (1.2.4)
+    httpclient (2.7.2)
     ignorefile (1.1.0)
     ipaddress (0.8.3)
     jmespath (1.2.4)
@@ -114,22 +114,23 @@ GEM
     json (1.8.3)
     json_pure (1.8.3)
     libyajl2 (1.2.0)
+    method_source (0.8.2)
     minitar (0.5.4)
     mixlib-authentication (1.4.0)
       mixlib-log
       rspec-core (~> 3.2)
       rspec-expectations (~> 3.2)
       rspec-mocks (~> 3.2)
-    mixlib-cli (1.5.0)
+    mixlib-cli (1.6.0)
     mixlib-config (2.2.1)
     mixlib-log (1.6.0)
     mixlib-shellout (2.2.6)
-    molinillo (0.4.4)
-    multi_json (1.11.2)
+    molinillo (0.4.5)
+    multi_json (1.12.0)
     multipart-post (2.0.0)
     net-scp (1.2.1)
       net-ssh (>= 2.6.5)
-    net-ssh (3.1.1)
+    net-ssh (2.9.4)
     net-ssh-gateway (1.2.0)
       net-ssh (>= 2.6.5)
     net-ssh-multi (1.2.1)
@@ -139,7 +140,7 @@ GEM
     nio4r (1.2.1)
     octokit (4.3.0)
       sawyer (~> 0.7.0, >= 0.5.3)
-    ohai (8.15.1)
+    ohai (8.16.0)
       chef-config (>= 12.5.0.alpha.1, < 13)
       ffi (~> 1.9)
       ffi-yajl (~> 2.2)
@@ -151,16 +152,19 @@ GEM
       plist (~> 3.1)
       systemu (~> 2.6.4)
       wmi-lite (~> 1.0)
-    parser (2.3.0.7)
+    parser (2.3.1.0)
       ast (~> 2.2)
     plist (3.1.0)
     powerpack (0.1.1)
-    proxifier (1.0.3)
+    pry (0.10.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
     rack (1.6.4)
     rainbow (2.1.0)
     rake (10.5.0)
     retryable (2.0.3)
-    ridley (4.5.0)
+    ridley (4.5.1)
       addressable
       buff-config (~> 1.0)
       buff-extensions (~> 1.0)
@@ -197,27 +201,28 @@ GEM
     rspec_junit_formatter (0.2.3)
       builder (< 4)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (0.39.0)
-      parser (>= 2.3.0.7, < 3.0)
+    rubocop (0.40.0)
+      parser (>= 2.3.1.0, < 3.0)
       powerpack (~> 0.1)
       rainbow (>= 1.99.1, < 3.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.0, >= 1.0.1)
-    ruby-progressbar (1.7.5)
+    ruby-progressbar (1.8.0)
     sawyer (0.7.0)
       addressable (>= 2.3.5, < 2.5)
       faraday (~> 0.8, < 0.10)
     semverse (1.2.1)
-    serverspec (2.32.0)
+    serverspec (2.34.0)
       multi_json
       rspec (~> 3.0)
       rspec-its
       specinfra (~> 2.53)
     sfl (2.2)
+    slop (3.6.0)
     solve (2.0.3)
       molinillo (~> 0.4.2)
       semverse (~> 1.1)
-    specinfra (2.56.1)
+    specinfra (2.57.2)
       net-scp
       net-ssh (>= 2.7, < 4.0)
       net-telnet
@@ -230,7 +235,7 @@ GEM
       thor
     timers (4.0.4)
       hitimes
-    unicode-display_width (1.0.3)
+    unicode-display_width (1.0.5)
     uuidtools (2.1.5)
     varia_model (0.4.1)
       buff-extensions (~> 1.0)

data/VERSION

@@ -1 +1 @@
-1.1.4
+1.1.5

data/docs/configuration/profile.md

@@ -32,6 +32,56 @@ Add a packer build
 * `source_ami` The source AMI ID for an `amazon-ebs`
 * `ssh_username` Default `ubuntu`
 * `ami_virtualization_type` Default `hvm`
+* `tagging_role` the name of an IAM role that exists in each remote account that allows the AMI to be retagged
+
+  Example usage:
+
+  <pre>
+     profile bake: Config.profile(:default) do |bake|
+       bake.packer do |packer|
+         packer.build :default do |build|
+           build.tagging_role 'CreateTagsOnAllImages'
+         end
+       end
+     end
+  </pre>
+
+  Example IAM policy in remote account:
+
+  <pre>
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Sid": "StmtId",
+              "Effect": "Allow",
+              "Action": [
+                  "ec2:CreateTags"
+              ],
+              "Resource": [
+                  "*"
+              ]
+          }
+      ]
+  }
+  </pre>
+
+
+  The above policy needs to be assigned to a role that enables a trust relationship with the account that builds the AMI:
+
+  <pre>
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+              "AWS": "arn:aws:iam::[ami_builder_account]:user/[ami_builder_user]"
+            },
+            "Action": "sts:AssumeRole"
+        }
+  }
+  </pre>
 
 ## TODO: Share accounts
 

data/lib/builderator/config/file.rb

@@ -224,6 +224,9 @@ module Builderator
             attribute :ami_description
             attribute :ami_users, :type => :list
             attribute :ami_regions, :type => :list
+
+            ## Assumable role for tagging AMIs in remote accounts
+            attribute :tagging_role
           end
         end
 

data/lib/builderator/interface/packer.rb

@@ -33,6 +33,9 @@ module Builderator
             # has full support again.
             build_hash.delete(:ami_regions)
 
+            # This is not directly supported by Packer
+            build_hash.delete(:tagging_role)
+
             json[:builders] << build_hash
           end
 

data/lib/builderator/tasks.rb

@@ -68,11 +68,13 @@ module Builderator
 
       desc 'image [PROFILE = default]', 'Build an AMI of PROFILE'
       method_option :debug, :type => :boolean
+      method_option :remote_tag, :type => :boolean, :default => true
       method_option :copy, :type => :boolean, :default => true
       def image(profile = :default)
         prepare
 
         invoke Tasks::Packer, :build, [profile], options
+        invoke Tasks::Packer, :remote_tag, [profile], options if options['remote_tag']
         invoke Tasks::Packer, :copy, [profile], options if options['copy']
       end
 

data/lib/builderator/tasks/packer.rb

@@ -53,6 +53,7 @@ module Builderator
 
         invoke :wait, [profile], options
         invoke :tag, [profile], options
+        invoke :share, [profile], options
       end
 
       desc 'tag PROFILE', 'Tag AMIs in other regions'
@@ -128,6 +129,82 @@ module Builderator
         say_status :complete, 'All copied images are available'
       end
 
+      desc 'remote_tag PROFILE', 'Apply existing tags to the AMI in remote AWS accounts'
+      def remote_tag(profile)
+        invoke :configure, [profile], options
+
+        sts_client = Aws::STS::Client.new(region: Config.aws.region)
+        allowed_cred_keys = %w(access_key_id secret_access_key session_token)
+
+        images.each do |image_name, (image, build)|
+          filters = [{
+            :name => 'name',
+            :values => [image_name]
+          }]
+
+          if build.tagging_role.nil?
+            say_status :complete, 'No remote tagging to be performed as no IAM role is defined'
+            return
+          end
+
+          build.ami_users.each do |account|
+            role_arn = "arn:aws:iam::#{account}:role/#{build.tagging_role}"
+            begin
+              response = sts_client.assume_role( :role_arn => role_arn, :role_session_name => "tag-new-ami")
+              raise "Could not assume role [#{role_arn}].  Perhaps it does not exist?" unless response.successful?
+            rescue => e
+              say_status :skip, "Got error when trying to assume role: #{e.message} - continuing."
+              next
+            end
+
+            creds_hash = response.credentials.to_h.keep_if { |k,v| allowed_cred_keys.include?(k.to_s) }
+
+            say_status :remote_tag, "Tag AMI #{image_name} (#{image.image_id}) in account #{account}"
+            Util.ec2(Config.aws.region, creds_hash)
+                .create_tags(:dry_run => false, :resources => [image.image_id], :tags => image.tags)
+          end
+        end
+        say_status :complete, 'Remote tagging complete'
+      end
+
+      desc 'share PROFILE', 'Share copied AMIs in other accounts'
+      def share(profile)
+        invoke :configure, [profile], options
+
+        shared = false
+
+        images.each do |image_name, (image, build)|
+          build.ami_regions.each do |region|
+            build.ami_users.each do |user|
+              shared = true
+
+              filters = [{
+                :name => 'name',
+                :values => [image_name]
+              }]
+
+              regional_image = Util.ec2(region).describe_images(:filters => filters).images.first
+
+              say_status :share, "image #{image_name} (#{regional_image.image_id}) with #{user}"
+
+              share_image_parameters = {
+                :image_id => regional_image.image_id,
+                :launch_permission => {
+                  :add => [
+                    {
+                      :user_id => user
+                    }
+                  ]
+                }
+              }
+
+              Util.ec2(region).modify_image_attribute(share_image_parameters)
+            end
+          end
+        end
+        say_status :complete, 'All images are shared' if shared
+      end
+
       private
 
       ## Find details for generated images in current region

data/lib/builderator/util.rb

@@ -60,8 +60,15 @@ module Builderator
       ##
       # AWS Clients
       ##
-      def ec2(region = Config.aws.region)
-        clients["ec2-#{region}"] ||= Aws::EC2::Client.new(:region => region)
+      def ec2(region = Config.aws.region, credentials=nil)
+        options = { :region => region }
+
+        # Don't memoize if supplying explicit credentials as it could be an assumed role for a remote account
+        if credentials.nil?
+          clients["ec2-#{region}"] ||= Aws::EC2::Client.new(options)
+        else
+          Aws::EC2::Client.new options.merge(credentials)
+        end
       end
 
       def asg(region = Config.aws.region)

data/rvm.env

@@ -1,14 +1,14 @@
-declare -x GEM_HOME="/home/jenkins/.rvm/gems/ruby-2.1.5@bakery-0"
-declare -x GEM_PATH="/home/jenkins/.rvm/gems/ruby-2.1.5@bakery-0:/home/jenkins/.rvm/gems/ruby-2.1.5@global"
+declare -x GEM_HOME="/home/jenkins/.rvm/gems/ruby-2.1.5@bakery-1"
+declare -x GEM_PATH="/home/jenkins/.rvm/gems/ruby-2.1.5@bakery-1:/home/jenkins/.rvm/gems/ruby-2.1.5@global"
 declare -x HOME="/home/jenkins"
-declare -x HUDSON_COOKIE="65158711-c2ba-4a30-9b80-ed21ba86750e"
+declare -x HUDSON_COOKIE="84805bab-9ad6-4496-9036-833e511db870"
 declare -x IRBRC="/home/jenkins/.rvm/rubies/ruby-2.1.5/.irbrc"
 declare -x LANG="en_US.UTF-8"
 declare -x LC_ALL="en_US.UTF-8"
 declare -x MY_RUBY_HOME="/home/jenkins/.rvm/rubies/ruby-2.1.5"
 declare -x NLSPATH="/usr/dt/lib/nls/msg/%L/%N.cat"
 declare -x OLDPWD
-declare -x PATH="/home/jenkins/.rvm/gems/ruby-2.1.5@bakery-0/bin:/home/jenkins/.rvm/gems/ruby-2.1.5@global/bin:/home/jenkins/.rvm/rubies/ruby-2.1.5/bin:/home/jenkins/.rvm/bin:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin"
+declare -x PATH="/home/jenkins/.rvm/gems/ruby-2.1.5@bakery-1/bin:/home/jenkins/.rvm/gems/ruby-2.1.5@global/bin:/home/jenkins/.rvm/rubies/ruby-2.1.5/bin:/home/jenkins/.rvm/bin:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin"
 declare -x PWD="/home/jenkins/workspace/gem-public-builderator-master"
 declare -x RUBY_VERSION="ruby-2.1.5"
 declare -x SHLVL="1"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: builderator
 version: !ruby/object:Gem::Version
-  version: 1.1.4
+  version: 1.1.5
 platform: ruby
 authors:
 - John Manero
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-22 00:00:00.000000000 Z
+date: 2016-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake