chef-provisioning-aws 1.4.1 → 1.5.0

data/lib/chef/resource/aws_iam_role.rb

@@ -0,0 +1,55 @@
+require 'chef/provisioning/aws_driver/aws_resource'
+
+#
+# An AWS IAM role, specifying set of policies for acessing other AWS services.
+#
+# `name` is unique for an AWS account.
+#
+# API documentation for the AWS Ruby SDK for IAM roles (and the object returned from `aws_object`) can be found here:
+#
+# - http://docs.aws.amazon.com/sdkforruby/api/Aws/IAM.html
+#
+class Chef::Resource::AwsIamRole < Chef::Provisioning::AWSDriver::AWSResource
+  aws_sdk_type ::Aws::IAM::Role
+
+  #
+  # The name of the role to create.
+  #
+  attribute :name,   kind_of: String, name_attribute: true
+
+  #
+  # The path to the role. For more information about paths, see http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
+  #
+  attribute :path,   kind_of: String
+
+  #
+  # The policy that grants an entity permission to assume the role.
+  #
+  attribute :assume_role_policy_document, kind_of: String
+
+  #
+  # Inline policies which _only_ apply to this role, unlike managed_policies
+  # which can be shared between users, groups and roles.  Maps to the
+  # [RolePolicy](http://docs.aws.amazon.com/sdkforruby/api/Aws/IAM/RolePolicy.html)
+  # SDK object.
+  #
+  # Hash keys are the inline policy name and the value is the policy document.
+  #
+  attribute :inline_policies, kind_of: Hash, callbacks: {
+    "inline_policies must be a hash maping policy names to policy documents" => proc do |policies|
+      policies.all? {|policy_name, policy| (policy_name.is_a?(String) || policy_name.is_a?(Symbol)) && policy.is_a?(String)}
+    end
+  }
+
+  #
+  # TODO: add when we get a policy resource
+  #
+  # attribute :managed_policies, kind_of: [Array, String, ::Aws::Iam::Policy, AwsIamPolicy], coerce: proc { |value| [value].flatten }
+
+  def aws_object
+    driver.iam_resource.role(name).load
+  rescue ::Aws::IAM::Errors::NoSuchEntity
+    nil
+  end
+
+end

data/lib/chef/resource/aws_image.rb

@@ -10,7 +10,7 @@ class Chef::Resource::AwsImage < Chef::Provisioning::AWSDriver::AWSResourceWithE
 
   attribute :name, kind_of: String,  name_attribute: true
 
-  attribute :image_id, kind_of: String, aws_id_attribute: true, lazy_default: proc {
+  attribute :image_id, kind_of: String, aws_id_attribute: true, default: lazy {
     name =~ /^ami-[a-f0-9]{8}$/ ? name : nil
   }
 

data/lib/chef/resource/aws_instance.rb

@@ -12,7 +12,7 @@ class Chef::Resource::AwsInstance < Chef::Provisioning::AWSDriver::AWSResourceWi
 
   attribute :name, kind_of: String, name_attribute: true
 
-  attribute :instance_id, kind_of: String, aws_id_attribute: true, lazy_default: proc {
+  attribute :instance_id, kind_of: String, aws_id_attribute: true, default: lazy {
     name =~ /^i-[a-f0-9]{8}$/ ? name : nil
   }
 

data/lib/chef/resource/aws_internet_gateway.rb

@@ -1,18 +1,48 @@
-require 'chef/provisioning/aws_driver/aws_resource'
-
-class Chef::Resource::AwsInternetGateway < Chef::Provisioning::AWSDriver::AWSResource
+#
+# An AWS internet gateway, allowing communication between instances inside a VPC and the internet.
+#
+# `name` is not guaranteed unique for an AWS account; therefore, Chef will
+# store the internet gateway ID associated with this name in your Chef server in the
+# data bag `data/aws_internet_gateway/<name>`.
+#
+# API documentation for the AWS Ruby SDK for VPCs (and the object returned from `aws_object` can be found here:
+#
+# - http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/EC2/InternetGateway.html
+#
+class Chef::Resource::AwsInternetGateway < Chef::Provisioning::AWSDriver::AWSResourceWithEntry
   include Chef::Provisioning::AWSDriver::AWSTaggable
 
-  aws_sdk_type AWS::EC2::InternetGateway, load_provider: false, id: :id
+  aws_sdk_type AWS::EC2::InternetGateway, id: :id
+
+  require 'chef/resource/aws_vpc'
 
+  #
+  # Extend actions for the internet gateway
+  #
+  actions :create, :destroy, :detach, :purge
+
+  #
+  # The name of this internet gateway.
+  #
   attribute :name, kind_of: String, name_attribute: true
 
-  attribute :internet_gateway_id, kind_of: String, aws_id_attribute: true, lazy_default: proc {
+  #
+  # A vpc to attach to the internet gateway.
+  #
+  # May be one of:
+  # - The name of an `aws_vpc` Chef resource.
+  # - An actual `aws_vpc` resource.
+  # - An AWS `VPC` object.
+  #
+  attribute :vpc, kind_of: [ String, AwsVpc, AWS::EC2::VPC ]
+
+  attribute :internet_gateway_id, kind_of: String, aws_id_attribute: true, default: lazy {
     name =~ /^igw-[a-f0-9]{8}$/ ? name : nil
   }
 
   def aws_object
-    result = driver.ec2.internet_gateways[internet_gateway_id]
+    driver, id = get_driver_and_id
+    result = driver.ec2.internet_gateways[id] if id
     result && result.exists? ? result : nil
   end
 end

data/lib/chef/resource/aws_load_balancer.rb

@@ -8,7 +8,7 @@ class Chef::Resource::AwsLoadBalancer < Chef::Provisioning::AWSDriver::AWSResour
 
   attribute :name, kind_of: String,  name_attribute: true
 
-  attribute :load_balancer_id, kind_of: String, aws_id_attribute: true, lazy_default: proc {
+  attribute :load_balancer_id, kind_of: String, aws_id_attribute: true, default: lazy {
     name =~ /^elb-[a-f0-9]{8}$/ ? name : nil
   }
 

data/lib/chef/resource/aws_network_acl.rb

@@ -44,7 +44,7 @@ class Chef::Resource::AwsNetworkAcl < Chef::Provisioning::AWSDriver::AWSResource
   attribute :network_acl_id,
             kind_of: String,
             aws_id_attribute: true,
-            lazy_default: proc {
+            default: lazy {
               name =~ /^acl-[a-f0-9]{8}$/ ? name : nil
             }
 

data/lib/chef/resource/aws_network_interface.rb

@@ -9,7 +9,7 @@ class Chef::Resource::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSRe
 
   attribute :name,                   kind_of: String, name_attribute: true
 
-  attribute :network_interface_id,   kind_of: String, aws_id_attribute: true, lazy_default: proc {
+  attribute :network_interface_id,   kind_of: String, aws_id_attribute: true, default: lazy {
     name =~ /^eni-[a-f0-9]{8}$/ ? name : nil
   }
 

data/lib/chef/resource/aws_route53_hosted_zone.rb

@@ -0,0 +1,261 @@
+#
+# Copyright:: Copyright (c) 2015 Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/provisioning/aws_driver/aws_resource'
+require 'chef/resource/aws_route53_record_set'
+require 'securerandom'
+
+# the AWS API doesn't have these objects linked, so give it some help.
+class Aws::Route53::Types::HostedZone
+  attr_accessor :resource_record_sets
+end
+
+class Chef::Resource::AwsRoute53HostedZone < Chef::Provisioning::AWSDriver::AWSResourceWithEntry
+
+  aws_sdk_type ::Aws::Route53::Types::HostedZone, load_provider: false
+
+  resource_name :aws_route53_hosted_zone
+
+  # name of the domain. AWS will tack on a trailing dot, so we're going to prohibit it here for consistency:
+  # the name is our data bag key, and if a user has "foo.com" in one resource and "foo.com." in another, Route
+  # 53 will happily accept two different domains it calls "foo.com.".
+  attribute :name, kind_of: String, callbacks: { "domain name cannot end with a dot" => lambda { |n| n !~ /\.$/ } }
+
+  # The comment included in the CreateHostedZoneRequest element. String <= 256 characters.
+  attribute :comment, kind_of: String
+
+  # the resource name and the AWS ID have to be related here, since they're tightly coupled elsewhere.
+  attribute :aws_route53_zone_id, kind_of: String, aws_id_attribute: true,
+                                  default: lazy { name =~ /^\/hostedzone\// ? name : nil }
+
+  DEFAULTABLE_ATTRS = [:ttl, :type]
+
+  attribute :defaults, kind_of: Hash,
+            callbacks: { "'defaults' keys may be any of #{DEFAULTABLE_ATTRS}" => lambda { |dh|
+                                             (dh.keys - DEFAULTABLE_ATTRS).size == 0 } }
+
+  def record_sets(&block)
+    if block_given?
+      @record_sets_block = block
+    else
+      @record_sets_block
+    end
+  end
+
+  def aws_object
+    driver, id = get_driver_and_id
+    result = driver.route53_client.get_hosted_zone(id: id).hosted_zone if id rescue nil
+    if result
+      result.resource_record_sets = get_record_sets_from_aws(result.id).resource_record_sets
+      result
+    else
+      nil
+    end
+  end
+
+  # since this is used exactly once, it could plausibly be inlined in #aws_object.
+  def get_record_sets_from_aws(hosted_zone_id, opts={})
+    params = { hosted_zone_id: hosted_zone_id }.merge(opts)
+    driver.route53_client.list_resource_record_sets(params)
+  end
+end
+
+class Chef::Provider::AwsRoute53HostedZone < Chef::Provisioning::AWSDriver::AWSProvider
+
+  provides :aws_route53_hosted_zone
+  use_inline_resources
+
+  CREATE = "CREATE"
+  UPDATE = UPSERT = "UPSERT"
+  DELETE = "DELETE"
+  RRS_COMMENT = "Managed by chef-provisioning-aws"
+
+  attr_accessor :record_set_list
+
+  def make_hosted_zone_config(new_resource)
+    config = {}
+    # add :private_zone here once VPC validation is enabled.
+    [:comment].each do |attr|
+      value = new_resource.send(attr)
+      if value
+        config[attr] = value
+      end
+    end
+    config
+  end
+
+  # this happens at a slightly different time in the lifecycle from #get_record_sets_from_resource.
+  def populate_zone_info(record_set_resources, hosted_zone)
+    record_set_resources.each do |rs|
+      rs.aws_route53_zone_id(hosted_zone.id)
+    end
+  end
+
+  def create_aws_object
+    converge_by "create new Route 53 zone #{new_resource}" do
+
+      # AWS stores some attributes off to the side here.
+      hosted_zone_config = make_hosted_zone_config(new_resource)
+
+      values = {
+        name: new_resource.name,
+        hosted_zone_config: hosted_zone_config,
+        caller_reference: "chef-provisioning-aws-#{SecureRandom.uuid.upcase}",  # required, unique each call
+      }
+
+      # this will validate the record_set resources prior to making any AWS calls.
+      record_set_resources = get_record_sets_from_resource(new_resource)
+
+      zone = new_resource.driver.route53_client.create_hosted_zone(values).hosted_zone
+      new_resource.aws_route53_zone_id(zone.id)
+
+      if record_set_resources
+        populate_zone_info(record_set_resources, zone)
+
+        change_list = record_set_resources.map { |rs| rs.to_aws_change_struct(CREATE) }
+
+        new_resource.driver.route53_client.change_resource_record_sets(hosted_zone_id: new_resource.aws_route53_zone_id,
+                                                                       change_batch: {
+                                                                         comment: RRS_COMMENT,
+                                                                         changes: change_list,
+                                                                         })
+      end
+      zone
+    end
+  end
+
+  def update_aws_object(hosted_zone)
+    new_resource.aws_route53_zone_id(hosted_zone.id)
+
+    # this will validate the record_set resources prior to making any AWS calls.
+    record_set_resources = get_record_sets_from_resource(new_resource)
+
+    if new_resource.comment != hosted_zone.config.comment
+      new_resource.driver.route53_client.update_hosted_zone_comment(id: hosted_zone.id, comment: new_resource.comment)
+    end
+
+    if record_set_resources
+      populate_zone_info(record_set_resources, hosted_zone)
+
+      aws_record_sets = hosted_zone.resource_record_sets
+
+      change_list = []
+
+      # TODO: the SOA and NS records have identical :name properties (the zone name), so one of them will
+      # be overwritten in the `keyed_aws_objects` hash. mostly we're declining to operate on SOA and NS,
+      # so it probably doesn't matter, but bears investigating.
+
+      # we already checked for duplicate Chef RR resources in #get_record_sets_from_resource.
+      keyed_chef_resources = record_set_resources.reduce({}) { |coll, rs| (coll[rs.aws_key] ||= []) << rs; coll }
+      keyed_aws_objects    = aws_record_sets.reduce({})      { |coll, rs| coll[rs.aws_key] = rs; coll }
+
+      # because DNS is important, we're going to err on the side of caution and only operate on records for
+      # which we have a Chef resource. "total management" might be a nice resource option to have.
+      keyed_chef_resources.each do |key, chef_resource_ary|
+        chef_resource_ary.each do |chef_resource|
+          # RR already exists...
+          if keyed_aws_objects.has_key?(key)
+            # ... do we want to delete it?
+            if chef_resource.action.first == :destroy
+              change_list << chef_resource.to_aws_change_struct(DELETE)
+            # ... update it, then, only if the fields differ.
+            elsif chef_resource.to_aws_struct != keyed_aws_objects[key]
+              change_list << chef_resource.to_aws_change_struct(UPDATE)
+            end
+          # otherwise, RR does not already exist...
+          else
+            # using UPSERT instead of CREATE; there are merits to both.
+            change_list << chef_resource.to_aws_change_struct(UPSERT)
+          end
+        end
+      end
+
+      Chef::Log.debug("RecordSet changes: #{change_list.inspect}")
+      if change_list.size > 0
+        new_resource.driver.route53_client.change_resource_record_sets(hosted_zone_id: new_resource.aws_route53_zone_id,
+                                                                       change_batch: {
+                                                                         comment: RRS_COMMENT,
+                                                                         changes: change_list,
+                                                                         })
+      else
+        Chef::Log.info("All aws_route53_record_set resources up to date (nothing to do).")
+      end
+    end
+  end
+
+  def destroy_aws_object(hosted_zone)
+    converge_by "delete Route53 zone #{new_resource}" do
+      Chef::Log.info("Deleting all non-SOA/NS records for #{hosted_zone.name}")
+
+      rr_changes = hosted_zone.resource_record_sets.reject { |aws_rr|
+        %w{SOA NS}.include?(aws_rr.type)
+        }.map { |aws_rr|
+          {
+            action: DELETE,
+            resource_record_set: aws_rr.to_change_struct,
+          }
+        }
+
+      if rr_changes.size > 0
+        aws_struct = {
+          hosted_zone_id: hosted_zone.id,
+          change_batch: {
+            comment: "Purging RRs prior to deleting resource",
+            changes: rr_changes,
+          }
+        }
+
+        new_resource.driver.route53_client.change_resource_record_sets(aws_struct)
+      end
+
+      result = new_resource.driver.route53_client.delete_hosted_zone(id: hosted_zone.id)
+    end
+  end
+
+  # `record_sets` is defined on the `aws_route53_hosted_zone` resource as a block attribute, so compile that,
+  # validate it, and return a list of AWSRoute53RecordSet resource objects.
+  def get_record_sets_from_resource(new_resource)
+
+    return nil unless new_resource.record_sets
+    instance_eval(&new_resource.record_sets)
+
+    # because we're in the provider, the RecordSet resources happen in their own mini Chef run, and they're the
+    # only things in the resource_collection.
+    record_set_resources = run_context.resource_collection.to_a
+    return nil unless record_set_resources
+
+    record_set_resources.each do |rs|
+      rs.aws_route53_hosted_zone(new_resource)
+      rs.aws_route53_zone_name(new_resource.name)
+
+      if new_resource.defaults
+        new_resource.class::DEFAULTABLE_ATTRS.each do |att|
+          # check if the RecordSet has its own value, without triggering validation. in Chef >= 12.5, there is
+          # #property_is_set?.
+          if rs.instance_variable_get("@#{att}").nil? && !new_resource.defaults[att].nil?
+            rs.send(att, new_resource.defaults[att])
+          end
+        end
+      end
+
+      rs.validate!
+    end
+
+    Chef::Resource::AwsRoute53RecordSet.verify_unique!(record_set_resources)
+    record_set_resources
+  end
+end

data/lib/chef/resource/aws_route53_record_set.rb

@@ -0,0 +1,162 @@
+#
+# Copyright:: Copyright (c) 2015 Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Aws::Route53::Types::ResourceRecordSet
+  # removing AWS's trailing dots may not be the best thing, but otherwise our job gets much harder.
+  def aws_key
+    "#{name.sub(/\.$/, '')}"
+  end
+
+  # the API doesn't seem to provide any facility to convert these types into the data structures used by the
+  # API; see http://redirx.me/?t3za for the RecordSet type specifically.
+  def to_change_struct
+    {
+      name: name,
+      type: type,
+      ttl: ttl,
+      resource_records: resource_records.map {|r| {:value => r.value}},
+    }
+  end
+end
+
+class Chef::Resource::AwsRoute53RecordSet < Chef::Provisioning::AWSDriver::SuperLWRP
+
+  actions :create, :destroy
+  default_action :create
+
+  resource_name :aws_route53_record_set
+  attribute :aws_route53_zone_id, kind_of: String, required: true
+
+  attribute :rr_name, required: true
+
+  attribute :type, equal_to: %w(SOA A TXT NS CNAME MX PTR SRV SPF AAAA), required: true
+
+  attribute :ttl, kind_of: Fixnum, required: true
+
+  attribute :resource_records, kind_of: Array, required: true
+
+  # this gets set internally and is not intended for DSL use in recipes.
+  attribute :aws_route53_zone_name, kind_of: String, required: true,
+                                    is: lambda { |zone_name| validate_zone_name!(rr_name, zone_name) }
+
+  attribute :aws_route53_hosted_zone, required: true
+
+  def initialize(name, *args)
+    self.rr_name(name) unless @rr_name
+    super(name, *args)
+  end
+
+  def validate_rr_type!(type, rr_list)
+    case type
+    # we'll check for integers, but leave the user responsible for valid DNS names.
+    when "A"
+      rr_list.all? { |v| v =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ } ||
+          raise(::Chef::Exceptions::ValidationFailed,
+                "A records are of the form '141.2.25.3'")
+    when "MX"
+      rr_list.all? { |v| v =~ /^\d+\s+[^ ]+/} ||
+          raise(::Chef::Exceptions::ValidationFailed,
+                "MX records must have a priority and mail server, of the form '15 mail.example.com.'")
+    when "SRV"
+      rr_list.all? { |v| v =~ /^\d+\s+\d+\s+\d+\s+[^ ]+$/ } ||
+          raise(::Chef::Exceptions::ValidationFailed,
+                "SRV records must have a priority, weight, port, and hostname, of the form '15 10 25 service.example.com.'")
+    when "CNAME"
+      rr_list.size == 1 ||
+                raise(::Chef::Exceptions::ValidationFailed,
+                      "CNAME records may only have a single value (a hostname).")
+
+    when "TXT", "PTR", "AAAA", "SPF"
+      true
+    else
+      raise ArgumentError, "Argument '#{type}' must be one of #{%w(A MX SRV CNAME TXT PTR AAAA SPF)}"
+    end
+  end
+
+  def validate_zone_name!(rr_name, zone_name)
+    if rr_name.end_with?('.') && rr_name !~ /#{zone_name}\.$/
+      raise(::Chef::Exceptions::ValidationFailed, "RecordSet name #{rr_name} does not match parent HostedZone name #{zone_name}.")
+    end
+    true
+  end
+
+  # because these resources can't actually converge themselves, we have to trigger the validations.
+  def validate!
+    [:rr_name, :type, :ttl, :resource_records, :aws_route53_zone_name].each { |f| self.send(f) }
+
+    # this was in an :is validator, but didn't play well with inheriting default values.
+    validate_rr_type!(type, resource_records)
+  end
+
+  def aws_key
+    "#{fqdn}"
+  end
+
+  def fqdn
+    if rr_name !~ /#{aws_route53_zone_name}\.?$/
+      "#{rr_name}.#{aws_route53_zone_name}"
+    else
+      rr_name
+    end
+  end
+
+  def to_aws_struct
+    {
+      name: fqdn,
+      type: type,
+      ttl: ttl,
+      resource_records: resource_records.map { |rr| { value: rr } },
+    }
+  end
+
+  def to_aws_change_struct(aws_action)
+    # there are more elements which are optional, notably 'weight' and 'region': see the API doc at
+    # http://redirx.me/?t3zo
+    {
+      action: aws_action,
+      resource_record_set: self.to_aws_struct
+    }
+  end
+
+  def self.verify_unique!(record_sets)
+    seen = {}
+
+    record_sets.each do |rs|
+      key = rs.aws_key
+      if seen.has_key?(key)
+        raise Chef::Exceptions::ValidationFailed.new("Duplicate RecordSet found in resource: [#{key}]")
+      else
+        seen[key] = 1
+      end
+    end
+
+    # TODO: be helpful and print out all duplicates, not just the first.
+
+    true
+  end
+end
+
+class Chef::Provider::AwsRoute53RecordSet < Chef::Provider::LWRPBase
+  provides :aws_route53_record_set
+
+  # to make RR changes in transactional batches, it has to be done in the parent resource.
+  action :create do
+  end
+
+  action :destroy do
+  end
+end