cfhighlander 0.2.0.alpha.10

data/cfndsl_ext/config/managed_policies.yaml

@@ -0,0 +1,172 @@
+ec2-describe:
+  action:
+    - ec2:Describe*
+    - autoscaling:Describe*
+    - elasticloadbalancing:Describe*
+
+ec2-cleanup-eni:
+  action:
+    - ec2:DeleteNetworkInterface
+    - ec2:DetachNetworkInterface
+
+ec2-create-tag:
+  action:
+    - ec2:CreateTags
+
+cloudwatch-logs:
+  action:
+    - logs:CreateLogGroup
+    - logs:CreateLogStream
+    - logs:PutLogEvents
+    - logs:DescribeLogStreams
+    - logs:DescribeLogGroups
+  resource:
+    - arn:aws:logs:*:*:*
+
+cloudwatch-monitoring-writer:
+  action:
+    - cloudwatch:PutMetricData
+
+cloudwatch-monitoring:
+  action:
+    - cloudwatch:PutMetricData
+    - cloudwatch:GetMetricStatistics
+    - cloudwatch:ListMetrics
+
+s3-list-buckets:
+  action:
+    - s3:ListAllMyBuckets
+    - s3:ListBucket
+
+s3-chef-ro:
+  action:
+    - s3:Get*
+    - s3:List*
+  resource:
+    - arn:aws:s3:::%{source_bucket}/chef
+    - arn:aws:s3:::%{source_bucket}/chef/*
+
+s3-codedeploy-ro:
+  action:
+    - s3:Get*
+    - s3:List*
+  resource:
+    - arn:aws:s3:::%{source_bucket}/codedeploy
+    - arn:aws:s3:::%{source_bucket}/codedeploy/*
+
+ecs-container-instance:
+  action:
+    - ecs:CreateCluster
+    - ecs:DeregisterContainerInstance
+    - ecs:DiscoverPollEndpoint
+    - ecs:Poll
+    - ecs:RegisterContainerInstance
+    - ecs:StartTelemetrySession
+    - ecs:Submit*
+    - ecr:GetAuthorizationToken
+    - ecr:BatchCheckLayerAvailability
+    - ecr:GetDownloadUrlForLayer
+    - ecr:BatchGetImage
+    - logs:CreateLogStream
+    - logs:PutLogEvents
+
+ecs-service-role:
+  action:
+    - ecs:CreateCluster
+    - ecs:DeregisterContainerInstance
+    - ecs:DiscoverPollEndpoint
+    - ecs:Poll
+    - ecs:RegisterContainerInstance
+    - ecs:StartTelemetrySession
+    - ecs:Submit*
+    - ec2:AuthorizeSecurityGroupIngress
+    - ec2:Describe*
+    - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
+    - elasticloadbalancing:Describe*
+    - elasticloadbalancing:RegisterInstancesWithLoadBalancer
+    - elasticloadbalancing:RegisterTargets
+    - elasticloadbalancing:DeregisterTargets
+    - autoscaling:Describe*
+
+ecr-pull-images:
+  action:
+    - ecr:BatchCheckLayerAvailability
+    - ecr:BatchGetImage
+    - ecr:Get*
+    - ecr:List*
+
+attach-ebs-volume:
+  action:
+    - ec2:DescribeVolumes
+    - ec2:AttachVolume
+    - ec2:DetachVolume
+
+attach-network-interface:
+  action:
+    - ec2:DescribeNetworkInterfaces
+    - ec2:AttachNetworkInterface
+    - ec2:DetachNetworkInterface
+
+associate-address:
+  action:
+    - ec2:AssociateAddress
+
+ssm:
+  action:
+    - ssm:DescribeAssociation
+    - ssm:GetDeployablePatchSnapshotForInstance
+    - ssm:GetDocument
+    - ssm:GetParameters
+    - ssm:DescribeParameters
+    - ssm:ListAssociations
+    - ssm:ListInstanceAssociations
+    - ssm:PutInventory
+    - ssm:UpdateAssociationStatus
+    - ssm:UpdateInstanceAssociationStatus
+    - ssm:UpdateInstanceInformation
+
+ec2messages:
+  action:
+    - ec2messages:AcknowledgeMessage
+    - ec2messages:DeleteMessage
+    - ec2messages:FailMessage
+    - ec2messages:GetEndpoint
+    - ec2messages:GetMessages
+    - ec2messages:SendReply
+
+rds-backup-restore:
+  action:
+    - s3:ListBucket
+    - s3:GetBucketLocation
+    - s3:GetObjectMetaData
+    - s3:GetObject
+    - s3:PutObject
+    - s3:ListMultipartUploadParts
+    - s3:AbortMultipartUpload
+  resource:
+    - Fn::Join:
+      - ""
+      -
+        - 'arn:aws:s3:::'
+        - Fn::FindInMap:
+          - 'AccountId'
+          - Ref: 'AWS::AccountId'
+          - 'DatabaseBucket'
+    - Fn::Join:
+      - ""
+      -
+        - 'arn:aws:s3:::'
+        - Fn::FindInMap:
+          - 'AccountId'
+          - Ref: 'AWS::AccountId'
+          - 'DatabaseBucket'
+        - '/*'
+
+spot-role:
+  action:
+    - ec2:DescribeImages
+    - ec2:DescribeSubnets
+    - ec2:RequestSpotInstances
+    - ec2:TerminateInstances
+    - ec2:DescribeInstanceStatus
+    - iam:PassRole

data/cfndsl_ext/iam_helper.rb

@@ -0,0 +1,55 @@
+def service_role_assume_policy(service)
+  unless service.end_with? '.amazonaws.com'
+    service = "#{service}.amazonaws.com"
+  end
+  return {
+      Version: '2012-10-17',
+      Statement: [{ Effect: 'Allow', Principal: { Service: "#{service}" }, Action: 'sts:AssumeRole' }]
+  }
+end
+
+
+def iam_policy_allow(name, actions, resource='*')
+
+  return {
+      PolicyName: name,
+      PolicyDocument: {
+          Statement: [{
+              Sid: name.gsub('_', '').gsub('-', '').downcase,
+              Action: actions,
+              Resource: resource,
+              Effect: 'Allow'
+          }]
+      }
+  }
+end
+
+class IAMPolicies
+
+  def initialize(custom_policies = nil)
+    @managed_policies = YAML.load(File.read("#{File.dirname(__FILE__)}/config/managed_policies.yaml"))
+    @policy_array = Array.new
+    @policies = (not custom_policies.nil?) ? @managed_policies.merge(custom_policies) : @managed_policies
+  end
+
+  def get_policies(group = nil)
+    if group.kind_of?(Array)
+      puts group
+      create_policies(group)
+    else
+      create_policies(@config['default_policies']) if @config.key?('default_policies')
+      create_policies(@config['group_policies'][group]) unless group.nil?
+    end
+    return @policy_array
+  end
+
+  def create_policies(policies)
+    policies.each do |policy|
+      raise "ERROR: #{policy} policy doesn't exist in the managed policies or as a custom policy" if !@policies.key?(policy)
+      resource = (@policies[policy].key?('resource') ? (@policies[policy]['resource']) : ["*"])
+      @policy_array << { PolicyName: policy, PolicyDocument: { Statement: [{ Effect: 'Allow', Action: @policies[policy]['action'], Resource: resource }] } }
+    end
+    return @policy_array
+  end
+
+end

data/cfndsl_ext/lambda_helper.rb

@@ -0,0 +1,86 @@
+require_relative './iam_helper'
+
+def render_lambda_functions(cfndsl, lambdas, lambda_metadata, distribution)
+
+  custom_policies = (lambdas.key? 'custom_policies') ? lambdas['custom_policies'] : {}
+  lambdas['roles'].each do |lambda_role, role_config|
+    cfndsl.IAM_Role("LambdaRole#{lambda_role}") do
+      AssumeRolePolicyDocument service_role_assume_policy('lambda')
+      Path '/'
+      unless role_config['policies_inline'].nil?
+        Policies(
+            IAMPolicies.new(custom_policies).create_policies(role_config['policies_inline'])
+        )
+      end
+
+      unless role_config['policies_managed'].nil?
+        ManagedPolicyArns(role_config['policies_managed'])
+      end
+    end
+  end
+
+  lambdas['functions'].each do |key, lambda_config|
+    name = key
+    environment = lambda_config['environment'] || {}
+
+    # Create Lambda function
+    function_name = name
+    Lambda_Function(function_name) do
+      Code({
+          S3Bucket: distribution['bucket'],
+          S3Key: "#{distribution['prefix']}/#{distribution['version']}/#{lambda_metadata['path'][key]}"
+      })
+
+      Environment(Variables: Hash[environment.collect { |k, v| [k, v] }])
+
+      Handler(lambda_config['handler'] || 'index.handler')
+      MemorySize(lambda_config['memory'] || 128)
+      Role(FnGetAtt("LambdaRole#{lambda_config['role']}", 'Arn'))
+      Runtime(lambda_config['runtime'])
+      Timeout(lambda_config['timeout'] || 10)
+      if !lambda_config['vpc'].nil? && lambda_config['vpc']
+        # TODO implement VPC config
+      end
+
+      if !lambda_config['named'].nil? && lambda_config['named']
+        FunctionName(name)
+      end
+    end
+
+    Lambda_Version("#{name}Version#{lambda_metadata['version'][key]}") do
+      DeletionPolicy('Retain')
+      FunctionName(Ref(name))
+      CodeSha256(lambda_metadata['sha256'][key])
+    end
+
+    # Generate lambda function Policy
+    unless lambda_config['allowed_sources'].nil?
+      i = 1
+      lambda_config['allowed_sources'].each do |source|
+        Lambda_Permission("#{name}Permissions#{i}") do
+          FunctionName(Ref(name))
+          Action('lambda:InvokeFunction')
+          Principal(source['principal'])
+        end
+        i += 1
+      end
+    end
+
+    # Scheduled triggering of lambda function
+    if lambda_config.key?('schedules')
+      lambda_config['schedules'].each_with_index do |schedule, index|
+        Events_Rule("Lambda#{name}Schedule#{index}") do
+          ScheduleExpression("cron(#{schedule['cronExpression']})")
+          State('ENABLED')
+          target = {
+              'Arn' => FnGetAtt(name, 'Arn'), 'Id' => "lambda#{name}",
+          }
+          target['Input'] = schedule['payload'] if schedule.key?('payload')
+          Targets([target])
+        end
+      end
+    end
+
+
+  end
+end

data/cfndsl_ext/sg.rb

@@ -0,0 +1,26 @@
+
+def sg_create_rules (x, ip_blocks={})
+  rules = []
+  x.each do | group |
+    group['ips'].each do |ip|
+      group['rules'].each do |rule|
+        lookup_ips_for_sg(ip_blocks, ip).each do |cidr|
+          rules << { IpProtocol: "#{rule['IpProtocol']}", FromPort: "#{rule['FromPort']}", ToPort: "#{rule['ToPort']}", CidrIp: cidr }
+        end
+      end
+    end
+  end
+  return rules
+end
+
+
+def lookup_ips_for_sg (ips, ip_block_name={})
+  if ip_block_name == 'stack'
+    cidr = [FnJoin( "", [ "10.", Ref('StackOctet'), ".", "0.0/16" ] )]
+  elsif ips.has_key? ip_block_name
+    cidr = ips[ip_block_name]
+  else
+    cidr = [ip_block_name]
+  end
+  cidr
+end

data/hl_ext/aws_helper.rb

@@ -0,0 +1,13 @@
+require 'aws-sdk-s3'
+
+def aws_credentials
+  # TODO implement credentials e.g. for environment create/update/delete
+end
+
+def s3_bucket_region(bucket)
+  s3 = Aws::S3::Client.new
+  location = s3.get_bucket_location({ bucket: bucket }).location_constraint
+  location = 'us-east-1' if location == ''
+  location = 'eu-west-1' if location == 'EU'
+  location
+end

data/hl_ext/common_helper.rb

@@ -0,0 +1,21 @@
+class ::Hash
+  def deep_merge(second)
+    merger = proc { |key, v1, v2| Hash === v1 && Hash === v2 ? v1.merge(v2, &merger) : Array === v1 && Array === v2 ? v1 | v2 : [:undefined, nil, :nil].include?(v2) ? v1 : v2 }
+    self.merge(second.to_h, &merger)
+  end
+
+
+  def extend(second)
+    second.each { |k, v|
+
+      if ((self.key? k) and (v.is_a? Hash and self[k].is_a? Hash))
+        self[k].extend(v)
+      else
+        self[k] = v
+      end
+
+    } if second.is_a? Hash
+
+    self
+  end
+end

data/hl_ext/mapping_helper.rb

@@ -0,0 +1,99 @@
+require_relative '../lib/highlander.mapproviders'
+
+# Return mapping provider as class
+def mappings_provider(provider_name)
+  return nil if provider_name.nil?
+  provider = nil
+  providers = Object.const_get('Highlander').const_get('MapProviders')
+  begin
+    providers.const_get(provider_name)
+  rescue NameError => e
+    if e.to_s.include? 'uninitialized constant Highlander::MapProviders::'
+      return nil
+    end
+    STDERR.puts(e.to_s)
+    raise e
+  end
+end
+
+# Return all of the maps from mapping provider
+def mappings_provider_maps(provider_name, config)
+  provider = mappings_provider(provider_name)
+
+  if provider.nil?
+    STDERR.puts("Can't find mapping provider #{provider_name} and it's maps")
+    return nil
+  else
+    return provider.getMaps(config)
+  end
+end
+
+# Renders CloudFormation function for retrieving Mapping value. If key name and map name are not given,
+# extraction from mapping provider will be tried
+def mapping_value(component:, provider_name:, value_name:, key_name: nil)
+
+  provider = nil
+
+  # if key name is nil, provider must provide key
+  if key_name.nil?
+    provider = mappings_provider(provider_name)
+    if provider.nil?
+      STDERR.puts("Error: mapping provider #{provider_name} not found, can't render value of #{value_name} attribute")
+      return nil
+    end
+    unless provider.respond_to? 'getDefaultKey'
+      STDERR.puts("Error: #{provider} does not implement getDefaultKey. Can't render value of #{value_name} attribtue")
+      return nil
+    end
+
+    key_name = provider.getDefaultKey
+  end
+
+  # Map name defaults to provider name. If provider exists and implements getMapName
+  # map name will be dynamically resolved via this method
+  map_name = provider_name
+
+  provider = mappings_provider(provider_name) if provider.nil?
+  unless provider.nil?
+    if provider.respond_to? 'getMapName'
+      map_name = provider.getMapName
+    end
+  end
+
+  # there is no provider
+  # and map name is not a reference
+  if((provider.nil?) and (not map_name.start_with? 'Ref('))
+    # check if mapping exists on component
+    unless ((component.config['mappings'].key? map_name))
+      STDERR.puts("Could not resolve mapping value: MapName=#{map_name},Key=#{key_name},Attribute=#{value_name}")
+      return nil
+    end
+  end
+
+  # both map name and key name could be predefined via intrinsic functions
+  if map_name.class == Hash
+    map_name = map_name.to_s
+  elsif( not map_name.include? 'Ref(')
+    map_name = "'#{map_name}'"
+  end
+
+  if key_name.class == Hash
+    key_name = key_name.to_s
+  elsif( not key_name.include? 'Ref(')
+    key_name = "'#{key_name}'"
+  end
+
+  if value_name.nil?
+    STDERR.puts("No value defined for mapping parameter. MapName=#{map_name},Key=#{key_name},Attribute=#{value_name}")
+    return nil
+  end
+  if value_name.class == Hash
+    value_name = value_name.to_s
+  elsif( not value_name.include? 'Ref(')
+    value_name = "'#{value_name}'"
+  end
+
+
+  return "FnFindInMap(#{map_name},#{key_name},#{value_name})"
+
+end

data/hl_ext/vpc.rb

@@ -0,0 +1,12 @@
+def subnet_parameters(subnets, maximum_availability_zones)
+  subnets.each { |subnet_name, subnet_config|
+    # Account mappings for AZs
+    maximum_availability_zones.times do |x|
+
+      # Request output from other component as input
+      # to this component
+      OutputParam component: 'vpc', name: "Subnet#{subnet_config['name']}#{x}"
+
+    end
+  }
+end