chef-provisioning-aws 3.0.4 → 3.0.6
- checksums.yaml +4 -4
- data/Gemfile +16 -5
- data/Rakefile +15 -6
- data/chef-provisioning-aws.gemspec +17 -17
- data/lib/chef/provider/aws_auto_scaling_group.rb +5 -6
- data/lib/chef/provider/aws_cache_cluster.rb +21 -15
- data/lib/chef/provider/aws_cache_replication_group.rb +12 -8
- data/lib/chef/provider/aws_cache_subnet_group.rb +3 -3
- data/lib/chef/provider/aws_cloudsearch_domain.rb +9 -13
- data/lib/chef/provider/aws_cloudwatch_alarm.rb +10 -12
- data/lib/chef/provider/aws_dhcp_options.rb +18 -21
- data/lib/chef/provider/aws_ebs_volume.rb +24 -26
- data/lib/chef/provider/aws_eip_address.rb +10 -13
- data/lib/chef/provider/aws_elasticsearch_domain.rb +19 -18
- data/lib/chef/provider/aws_iam_instance_profile.rb +5 -7
- data/lib/chef/provider/aws_iam_role.rb +14 -17
- data/lib/chef/provider/aws_image.rb +6 -6
- data/lib/chef/provider/aws_instance.rb +5 -5
- data/lib/chef/provider/aws_internet_gateway.rb +8 -11
- data/lib/chef/provider/aws_key_pair.rb +15 -17
- data/lib/chef/provider/aws_launch_configuration.rb +11 -14
- data/lib/chef/provider/aws_load_balancer.rb +1 -2
- data/lib/chef/provider/aws_nat_gateway.rb +6 -7
- data/lib/chef/provider/aws_network_acl.rb +28 -29
- data/lib/chef/provider/aws_network_interface.rb +25 -27
- data/lib/chef/provider/aws_rds_instance.rb +12 -13
- data/lib/chef/provider/aws_rds_parameter_group.rb +8 -8
- data/lib/chef/provider/aws_rds_subnet_group.rb +8 -9
- data/lib/chef/provider/aws_route_table.rb +19 -20
- data/lib/chef/provider/aws_s3_bucket.rb +22 -25
- data/lib/chef/provider/aws_security_group.rb +268 -285
- data/lib/chef/provider/aws_server_certificate.rb +6 -5
- data/lib/chef/provider/aws_sns_topic.rb +4 -6
- data/lib/chef/provider/aws_sqs_queue.rb +3 -4
- data/lib/chef/provider/aws_subnet.rb +29 -34
- data/lib/chef/provider/aws_vpc.rb +108 -116
- data/lib/chef/provider/aws_vpc_peering_connection.rb +11 -11
- data/lib/chef/provisioning/aws_driver.rb +4 -2
- data/lib/chef/provisioning/aws_driver/aws_provider.rb +234 -241
- data/lib/chef/provisioning/aws_driver/aws_rds_resource.rb +5 -7
- data/lib/chef/provisioning/aws_driver/aws_resource.rb +182 -185
- data/lib/chef/provisioning/aws_driver/aws_resource_with_entry.rb +17 -17
- data/lib/chef/provisioning/aws_driver/aws_taggable.rb +13 -15
- data/lib/chef/provisioning/aws_driver/aws_tagger.rb +47 -48
- data/lib/chef/provisioning/aws_driver/credentials.rb +96 -100
- data/lib/chef/provisioning/aws_driver/credentials2.rb +42 -45
- data/lib/chef/provisioning/aws_driver/driver.rb +1349 -1362
- data/lib/chef/provisioning/aws_driver/exceptions.rb +10 -12
- data/lib/chef/provisioning/aws_driver/super_lwrp.rb +60 -60
- data/lib/chef/provisioning/aws_driver/tagging_strategy/auto_scaling.rb +49 -50
- data/lib/chef/provisioning/aws_driver/tagging_strategy/ec2.rb +37 -38
- data/lib/chef/provisioning/aws_driver/tagging_strategy/elasticsearch.rb +14 -15
- data/lib/chef/provisioning/aws_driver/tagging_strategy/elb.rb +29 -31
- data/lib/chef/provisioning/aws_driver/tagging_strategy/rds.rb +39 -40
- data/lib/chef/provisioning/aws_driver/tagging_strategy/s3.rb +41 -43
- data/lib/chef/provisioning/aws_driver/version.rb +5 -5
- data/lib/chef/provisioning/driver_init/aws.rb +2 -2
- data/lib/chef/resource/aws_auto_scaling_group.rb +1 -1
- data/lib/chef/resource/aws_cache_cluster.rb +9 -12
- data/lib/chef/resource/aws_cache_replication_group.rb +9 -11
- data/lib/chef/resource/aws_cache_subnet_group.rb +8 -10
- data/lib/chef/resource/aws_cloudsearch_domain.rb +4 -5
- data/lib/chef/resource/aws_cloudwatch_alarm.rb +17 -18
- data/lib/chef/resource/aws_dhcp_options.rb +2 -2
- data/lib/chef/resource/aws_ebs_volume.rb +10 -10
- data/lib/chef/resource/aws_eip_address.rb +5 -5
- data/lib/chef/resource/aws_elasticsearch_domain.rb +4 -4
- data/lib/chef/resource/aws_iam_instance_profile.rb +4 -5
- data/lib/chef/resource/aws_iam_role.rb +2 -3
- data/lib/chef/resource/aws_image.rb +3 -3
- data/lib/chef/resource/aws_instance.rb +4 -4
- data/lib/chef/resource/aws_internet_gateway.rb +3 -3
- data/lib/chef/resource/aws_key_pair.rb +7 -7
- data/lib/chef/resource/aws_launch_configuration.rb +4 -4
- data/lib/chef/resource/aws_load_balancer.rb +7 -7
- data/lib/chef/resource/aws_nat_gateway.rb +11 -11
- data/lib/chef/resource/aws_network_acl.rb +7 -8
- data/lib/chef/resource/aws_network_interface.rb +9 -9
- data/lib/chef/resource/aws_rds_instance.rb +4 -4
- data/lib/chef/resource/aws_rds_parameter_group.rb +3 -3
- data/lib/chef/resource/aws_rds_subnet_group.rb +4 -4
- data/lib/chef/resource/aws_route53_hosted_zone.rb +37 -40
- data/lib/chef/resource/aws_route53_record_set.rb +22 -24
- data/lib/chef/resource/aws_route_table.rb +7 -7
- data/lib/chef/resource/aws_s3_bucket.rb +7 -7
- data/lib/chef/resource/aws_security_group.rb +10 -10
- data/lib/chef/resource/aws_server_certificate.rb +6 -8
- data/lib/chef/resource/aws_sns_topic.rb +2 -2
- data/lib/chef/resource/aws_sqs_queue.rb +5 -7
- data/lib/chef/resource/aws_subnet.rb +9 -9
- data/lib/chef/resource/aws_vpc.rb +11 -11
- data/lib/chef/resource/aws_vpc_peering_connection.rb +4 -4
- data/spec/aws_support.rb +44 -45
- data/spec/aws_support/aws_resource_run_wrapper.rb +2 -2
- data/spec/aws_support/deep_matcher.rb +2 -3
- data/spec/aws_support/deep_matcher/fuzzy_match_objects.rb +6 -9
- data/spec/aws_support/deep_matcher/match_values_failure_messages.rb +30 -37
- data/spec/aws_support/deep_matcher/matchable_array.rb +0 -1
- data/spec/aws_support/deep_matcher/matchable_object.rb +1 -2
- data/spec/aws_support/deep_matcher/rspec_monkeypatches.rb +4 -4
- data/spec/aws_support/delayed_stream.rb +2 -2
- data/spec/aws_support/matchers/create_an_aws_object.rb +6 -6
- data/spec/aws_support/matchers/destroy_an_aws_object.rb +6 -6
- data/spec/aws_support/matchers/have_aws_object_tags.rb +4 -5
- data/spec/aws_support/matchers/match_an_aws_object.rb +5 -6
- data/spec/aws_support/matchers/update_an_aws_object.rb +6 -7
- data/spec/integration/aws_auto_scaling_group_spec.rb +56 -64
- data/spec/integration/aws_cache_cluster_spec.rb +70 -71
- data/spec/integration/aws_cache_subnet_group_spec.rb +13 -14
- data/spec/integration/aws_cloudsearch_domain_spec.rb +6 -8
- data/spec/integration/aws_cloudwatch_alarm_spec.rb +200 -208
- data/spec/integration/aws_dhcp_options_spec.rb +32 -43
- data/spec/integration/aws_ebs_volume_spec.rb +52 -73
- data/spec/integration/aws_eip_address_spec.rb +24 -31
- data/spec/integration/aws_elasticsearch_domain_spec.rb +31 -33
- data/spec/integration/aws_iam_instance_profile_spec.rb +36 -45
- data/spec/integration/aws_iam_role_spec.rb +39 -46
- data/spec/integration/aws_internet_gateway_spec.rb +64 -75
- data/spec/integration/aws_key_pair_spec.rb +6 -6
- data/spec/integration/aws_launch_configuration_spec.rb +17 -18
- data/spec/integration/aws_nat_gateway_spec.rb +21 -24
- data/spec/integration/aws_network_acl_spec.rb +81 -95
- data/spec/integration/aws_network_interface_spec.rb +28 -43
- data/spec/integration/aws_rds_instance_spec.rb +29 -40
- data/spec/integration/aws_rds_parameter_group_spec.rb +32 -35
- data/spec/integration/aws_rds_subnet_group_spec.rb +30 -40
- data/spec/integration/aws_route53_hosted_zone_spec.rb +205 -205
- data/spec/integration/aws_route_table_spec.rb +118 -136
- data/spec/integration/aws_s3_bucket_spec.rb +19 -27
- data/spec/integration/aws_security_group_spec.rb +369 -388
- data/spec/integration/aws_server_certificate_spec.rb +16 -18
- data/spec/integration/aws_subnet_spec.rb +44 -58
- data/spec/integration/aws_vpc_peering_connection_spec.rb +43 -50
- data/spec/integration/aws_vpc_spec.rb +99 -115
- data/spec/integration/load_balancer_spec.rb +169 -183
- data/spec/integration/machine_batch_spec.rb +24 -31
- data/spec/integration/machine_image_spec.rb +54 -66
- data/spec/integration/machine_spec.rb +216 -237
- data/spec/persistence_file.txt +219 -0
- data/spec/spec_helper.rb +16 -17
- data/spec/unit/chef/provisioning/aws_driver/credentials_spec.rb +67 -74
- data/spec/unit/chef/provisioning/aws_driver/driver_spec.rb +29 -29
- data/spec/unit/chef/provisioning/aws_driver/route53_spec.rb +13 -15
- metadata +4 -3
@@ -1,17 +1,17 @@
|
|
1
|
-
require
|
2
|
-
require
|
1
|
+
require "chef/provisioning/aws_driver/aws_provider"
|
2
|
+
require "chef/provisioning/aws_driver/tagging_strategy/rds"
|
3
3
|
|
4
4
|
class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvider
|
5
5
|
include Chef::Provisioning::AWSDriver::TaggingStrategy::RDSConvergeTags
|
6
6
|
|
7
7
|
provides :aws_rds_instance
|
8
8
|
|
9
|
-
REQUIRED_OPTIONS = %i
|
10
|
-
db_instance_class master_username master_user_password
|
9
|
+
REQUIRED_OPTIONS = %i{db_instance_identifier allocated_storage engine
|
10
|
+
db_instance_class master_username master_user_password}.freeze
|
11
11
|
|
12
|
-
OTHER_OPTIONS = %i
|
12
|
+
OTHER_OPTIONS = %i{db_snapshot_identifier engine_version multi_az iops publicly_accessible db_name port db_subnet_group_name db_parameter_group_name}.freeze
|
13
13
|
|
14
|
-
def update_aws_object(
|
14
|
+
def update_aws_object(_instance)
|
15
15
|
Chef::Log.warn("aws_rds_instance does not support modifying a started instance")
|
16
16
|
# There are required optiosn (like `allocated_storage`) that the use may not
|
17
17
|
# specify on a resource to perform an update. For example, they may want to
|
@@ -27,7 +27,7 @@ class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvide
|
|
27
27
|
def create_aws_object
|
28
28
|
converge_by "create RDS instance #{new_resource.db_instance_identifier} in #{region}" do
|
29
29
|
if new_resource.db_snapshot_identifier
|
30
|
-
snap_options_hash =
|
30
|
+
snap_options_hash = %i{allocated_storage master_username master_user_password engine_version}.each { |k| options_hash.delete(k) }
|
31
31
|
new_resource.driver.rds_client.restore_db_instance_from_db_snapshot(options_hash).db_instance
|
32
32
|
else
|
33
33
|
new_resource.driver.rds_resource.create_db_instance(options_hash)
|
@@ -46,11 +46,11 @@ class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvide
|
|
46
46
|
# http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Status.html
|
47
47
|
# It cannot _actually_ return a deleted status, we're just looking for the error
|
48
48
|
query_method: :db_instance_status,
|
49
|
-
expected_responses: [
|
49
|
+
expected_responses: ["deleted"],
|
50
50
|
acceptable_errors: [::Aws::RDS::Errors::DBInstanceNotFound],
|
51
51
|
tries: 60,
|
52
|
-
sleep: 10
|
53
|
-
)
|
52
|
+
sleep: 10, &:reload
|
53
|
+
)
|
54
54
|
end
|
55
55
|
end
|
56
56
|
|
@@ -58,16 +58,15 @@ class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvide
|
|
58
58
|
# the resource as well as optional options
|
59
59
|
def options_hash
|
60
60
|
@options_hash ||= begin
|
61
|
-
opts = Hash[new_resource.additional_options.map{|(k,v)| [k.to_sym,v]}]
|
61
|
+
opts = Hash[new_resource.additional_options.map { |(k, v)| [k.to_sym, v] }]
|
62
62
|
REQUIRED_OPTIONS.each do |opt|
|
63
63
|
opts[opt] = new_resource.send(opt)
|
64
64
|
end
|
65
65
|
OTHER_OPTIONS.each do |opt|
|
66
|
-
opts[opt] = new_resource.send(opt)
|
66
|
+
opts[opt] = new_resource.send(opt) unless new_resource.send(opt).nil?
|
67
67
|
end
|
68
68
|
AWSResource.lookup_options(opts, resource: new_resource)
|
69
69
|
opts
|
70
70
|
end
|
71
71
|
end
|
72
|
-
|
73
72
|
end
|
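Review bot: `update_aws_object` still only warns, so a `master_user_password` that was changed in the recipe is never applied to an existing instance and the warning does not say which properties were dropped; rotating the credential through this resource silently no-ops. I would make the warning explicit: `Chef::Log.warn("aws_rds_instance does not support modifying a started instance; changed properties (including master_user_password) are ignored")`. Separately, in `create_aws_object` the new `snap_options_hash = %i{...}.each { |k| options_hash.delete(k) }` assigns the key array that `each` returns, not a hash, and the name is never used — drop the assignment and keep only `%i{allocated_storage master_username master_user_password engine_version}.each { |k| options_hash.delete(k) }`, noting in a comment that this mutates the memoized `@options_hash`. Both method bodies continue outside the hunks shown.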
@@ -1,5 +1,5 @@
|
|
1
|
-
require
|
2
|
-
require
|
1
|
+
require "chef/provisioning/aws_driver/aws_provider"
|
2
|
+
require "chef/provisioning/aws_driver/tagging_strategy/rds"
|
3
3
|
|
4
4
|
# inspiration taken from providers/aws_rds_subnet_group.rb
|
5
5
|
# but different enough that I'm not sure there is easy abstraction
|
@@ -33,7 +33,7 @@ class Chef::Provider::AwsRdsParameterGroup < Chef::Provisioning::AWSDriver::AWSP
|
|
33
33
|
|
34
34
|
def update_aws_object(_parameter_group)
|
35
35
|
updates = required_updates
|
36
|
-
|
36
|
+
unless updates.empty?
|
37
37
|
converge_by updates do
|
38
38
|
driver.modify_db_parameter_group(desired_update_options)
|
39
39
|
end
|
@@ -82,21 +82,21 @@ class Chef::Provider::AwsRdsParameterGroup < Chef::Provisioning::AWSDriver::AWSP
|
|
82
82
|
ret << " set group parameters to #{desired_options[:parameters]}"
|
83
83
|
end
|
84
84
|
|
85
|
-
|
85
|
+
unless desired_options[:db_parameter_group_family].nil?
|
86
86
|
# modify_db_parameter_group doesn't support updating the db_parameter_group_family according to
|
87
87
|
# http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/RDS/Client.html#modify_db_parameter_group-instance_method
|
88
88
|
# which is frustrating because it is required for create
|
89
89
|
Chef::Log.warn "Updating description for RDS parameter groups is not supported by RDS client."
|
90
90
|
end
|
91
91
|
|
92
|
-
|
92
|
+
unless desired_options[:description].nil?
|
93
93
|
# modify_db_parameter_group doesn't support updating the description according to
|
94
94
|
# http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/RDS/Client.html#modify_db_parameter_group-instance_method
|
95
95
|
# which is frustrating because it is required for create
|
96
96
|
Chef::Log.warn "Updating description for RDS parameter groups is not supported by RDS client."
|
97
97
|
end
|
98
98
|
|
99
|
-
|
99
|
+
unless desired_options[:aws_tags].nil? || desired_options[:aws_tags].empty?
|
100
100
|
# modify_db_parameter_group doesn't support the tags key according to
|
101
101
|
# http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/RDS/Client.html#modify_db_parameter_group-instance_method
|
102
102
|
Chef::Log.warn "Updating tags for RDS parameter groups is not supported by RDS client."
|
@@ -118,9 +118,9 @@ class Chef::Provider::AwsRdsParameterGroup < Chef::Provisioning::AWSDriver::AWSP
|
|
118
118
|
# value for apply_method for that parameter later in a recipe, or not be itempotent.
|
119
119
|
#
|
120
120
|
# Breaking the user is never the right option, so we have elected to not be itempotent.
|
121
|
-
!
|
121
|
+
!(desired_options[:parameters].nil? || desired_options[:parameters].empty?)
|
122
122
|
end
|
123
|
-
|
123
|
+
|
124
124
|
def driver
|
125
125
|
new_resource.driver.rds
|
126
126
|
end
|
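Review bot: The branch guarded by the new `unless desired_options[:db_parameter_group_family].nil?` logs the wrong message — the warning it wraps (carried over unchanged) says "Updating description for RDS parameter groups is not supported", so a user who changes the family sees a note about the description and no hint that the family change was dropped. Change that line to `Chef::Log.warn "Updating db_parameter_group_family for RDS parameter groups is not supported by RDS client."`. Also, all three new guards fire on presence rather than on a difference from the current group, so every converge with these attributes set will warn even when nothing changed; if that is intended, a one-line comment saying so would help the next reader. The `required_updates` method starts before this hunk.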
@@ -1,5 +1,5 @@
|
|
1
|
-
require
|
2
|
-
require
|
1
|
+
require "chef/provisioning/aws_driver/aws_provider"
|
2
|
+
require "chef/provisioning/aws_driver/tagging_strategy/rds"
|
3
3
|
|
4
4
|
class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProvider
|
5
5
|
include Chef::Provisioning::AWSDriver::TaggingStrategy::RDSConvergeTags
|
@@ -12,7 +12,7 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
|
|
12
12
|
end
|
13
13
|
end
|
14
14
|
|
15
|
-
def destroy_aws_object(
|
15
|
+
def destroy_aws_object(_subnet_group)
|
16
16
|
converge_by "delete RDS subnet group #{new_resource.name} in #{region}" do
|
17
17
|
driver.delete_db_subnet_group(db_subnet_group_name: new_resource.name)
|
18
18
|
end
|
@@ -20,7 +20,7 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
|
|
20
20
|
|
21
21
|
def update_aws_object(subnet_group)
|
22
22
|
updates = required_updates(subnet_group)
|
23
|
-
|
23
|
+
unless updates.empty?
|
24
24
|
converge_by updates do
|
25
25
|
driver.modify_db_subnet_group(desired_options)
|
26
26
|
end
|
@@ -48,11 +48,11 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
|
|
48
48
|
ret << " set group description to #{desired_options[:db_subnet_group_description]}"
|
49
49
|
end
|
50
50
|
|
51
|
-
|
51
|
+
unless xor_array(desired_options[:subnet_ids], subnet_ids(subnet_group[:subnets])).empty?
|
52
52
|
ret << " set subnets to #{desired_options[:subnet_ids]}"
|
53
53
|
end
|
54
54
|
|
55
|
-
|
55
|
+
unless desired_options[:aws_tags].nil? || desired_options[:aws_tags].empty?
|
56
56
|
# modify_db_subnet_group doesn't support the tags key according to
|
57
57
|
# http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/RDS/Client.html#modify_db_subnet_group-instance_method
|
58
58
|
Chef::Log.warn "Updating tags for RDS subnet groups is not supported."
|
@@ -62,11 +62,10 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
|
|
62
62
|
ret
|
63
63
|
end
|
64
64
|
|
65
|
-
|
66
65
|
private
|
67
66
|
|
68
67
|
def subnet_ids(subnets)
|
69
|
-
subnets.map {|i| i[:subnet_identifier] }
|
68
|
+
subnets.map { |i| i[:subnet_identifier] }
|
70
69
|
end
|
71
70
|
|
72
71
|
def xor_array(a, b)
|
@@ -78,7 +77,7 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
|
|
78
77
|
def tag_hash_to_array(tag_hash)
|
79
78
|
ret = []
|
80
79
|
tag_hash.each do |key, value|
|
81
|
-
ret << {:
|
80
|
+
ret << { key: key, value: value }
|
82
81
|
end
|
83
82
|
ret
|
84
83
|
end
|
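Review bot: `tag_hash_to_array` is a hand-rolled accumulation into `ret` that the same style pass would normally flatten; `tag_hash.map { |key, value| { key: key, value: value } }` returns the identical array and reads as one line. In `required_updates`, the new `unless desired_options[:aws_tags].nil? || desired_options[:aws_tags].empty?` guard warns on every run whenever tags are declared, not only when they differ from the group's current tags — acceptable given the API limitation the comment cites, but a short comment such as `# Warns on presence, not on drift: tags cannot be reconciled here` would make that deliberate. The `required_updates` and `xor_array` bodies extend outside the hunks shown.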
@@ -1,5 +1,5 @@
|
|
1
|
-
require
|
2
|
-
require
|
1
|
+
require "chef/provisioning/aws_driver/aws_provider"
|
2
|
+
require "retryable"
|
3
3
|
|
4
4
|
class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
|
5
5
|
include Chef::Provisioning::AWSDriver::TaggingStrategy::EC2ConvergeTags
|
@@ -9,7 +9,7 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
|
|
9
9
|
def action_create
|
10
10
|
route_table = super
|
11
11
|
|
12
|
-
|
12
|
+
unless new_resource.routes.nil?
|
13
13
|
update_routes(vpc, route_table, new_resource.ignore_route_targets)
|
14
14
|
end
|
15
15
|
|
@@ -29,14 +29,14 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
|
|
29
29
|
converge_by "create route table #{new_resource.name} in VPC #{new_resource.vpc} (#{vpc.id}) and region #{region}" do
|
30
30
|
route_table = vpc.create_route_table
|
31
31
|
retry_with_backoff(::Aws::EC2::Errors::ServiceError) do
|
32
|
-
route_table.create_tags(
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
32
|
+
route_table.create_tags(
|
33
|
+
tags: [
|
34
|
+
{
|
35
|
+
key: "Name",
|
36
|
+
value: new_resource.name
|
37
|
+
}
|
38
|
+
]
|
39
|
+
)
|
40
40
|
end
|
41
41
|
route_table
|
42
42
|
end
|
@@ -48,17 +48,17 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
|
|
48
48
|
if new_resource.vpc
|
49
49
|
desired_vpc_id = Chef::Resource::AwsVpc.get_aws_object_id(new_resource.vpc, resource: new_resource)
|
50
50
|
if vpc.id != desired_vpc_id
|
51
|
-
raise "VPC of route table #{new_resource
|
51
|
+
raise "VPC of route table #{new_resource} is #{vpc.id}, but desired VPC is #{desired_vpc_id}! The AWS SDK does not support updating the main route table except by creating a new route table."
|
52
52
|
end
|
53
53
|
end
|
54
54
|
end
|
55
55
|
|
56
56
|
def destroy_aws_object(route_table)
|
57
|
-
converge_by "delete #{new_resource
|
57
|
+
converge_by "delete #{new_resource} in #{region}" do
|
58
58
|
begin
|
59
59
|
route_table.delete
|
60
60
|
rescue ::Aws::EC2::Errors::DependencyViolation
|
61
|
-
raise "#{new_resource
|
61
|
+
raise "#{new_resource} could not be deleted because it is the main route table for #{route_table.vpc.id} or it is being used by a subnet"
|
62
62
|
end
|
63
63
|
end
|
64
64
|
end
|
@@ -74,7 +74,7 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
|
|
74
74
|
# Ignore the automatic local route
|
75
75
|
next if route.nil?
|
76
76
|
route_target = route.gateway_id || route.nat_gateway_id || route.instance_id || route.network_interface_id || route.vpc_peering_connection_id
|
77
|
-
next if route_target ==
|
77
|
+
next if route_target == "local"
|
78
78
|
next if ignore_route_targets.find { |target| route_target.match(/#{target}/) }
|
79
79
|
current_routes[route.destination_cidr_block] = route
|
80
80
|
end
|
@@ -94,7 +94,7 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
|
|
94
94
|
end
|
95
95
|
else
|
96
96
|
action_handler.perform_action "route #{destination_cidr_block} to #{route_target} (#{target})" do
|
97
|
-
route_table.create_route({ :
|
97
|
+
route_table.create_route({ destination_cidr_block: destination_cidr_block }.merge(options))
|
98
98
|
end
|
99
99
|
end
|
100
100
|
end
|
@@ -114,10 +114,9 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
|
|
114
114
|
# Add propagated routes
|
115
115
|
if gateway_ids
|
116
116
|
gateway_ids.each do |gateway_id|
|
117
|
-
if
|
118
|
-
|
119
|
-
|
120
|
-
end
|
117
|
+
next if current_propagating_vgw_set.reject! { |vgw_set| vgw_set[:gateway_id] == gateway_id }
|
118
|
+
action_handler.perform_action "enable route propagation for route table #{route_table.id} to virtual private gateway #{gateway_id}" do
|
119
|
+
route_table.client.enable_vgw_route_propagation(route_table_id: route_table.id, gateway_id: gateway_id)
|
121
120
|
end
|
122
121
|
end
|
123
122
|
end
|
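Review bot: The new `next if current_propagating_vgw_set.reject! { |vgw_set| vgw_set[:gateway_id] == gateway_id }` hides its meaning in `reject!`'s return value (nil when nothing was removed, the array otherwise) and mutates the set as a side effect, so the skip condition reads as "skip if nothing matched" unless the reader knows that detail. Spell it out: `already_propagating = current_propagating_vgw_set.reject! { |vgw_set| vgw_set[:gateway_id] == gateway_id }` followed by `next if already_propagating # reject! returns nil when the gateway was not yet propagating`. In `update_routes`, `route_target` is nil for a route whose target is none of the five id fields read on the line above the new `"local"` comparison, and the `route_target.match(...)` on the following line would then raise; a `next if route_target.nil?` before the `ignore_route_targets` check would make that explicit, assuming such routes can appear. That method's body continues outside the hunk.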
@@ -1,9 +1,8 @@
|
|
1
|
-
require
|
2
|
-
require
|
3
|
-
require
|
1
|
+
require "chef/provisioning/aws_driver/aws_provider"
|
2
|
+
require "chef/provisioning/aws_driver/tagging_strategy/s3"
|
3
|
+
require "date"
|
4
4
|
|
5
5
|
class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
|
6
|
-
|
7
6
|
def aws_tagger
|
8
7
|
@aws_tagger ||= begin
|
9
8
|
s3_strategy = Chef::Provisioning::AWSDriver::TaggingStrategy::S3.new(
|
@@ -26,17 +25,17 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
|
|
26
25
|
bucket = super
|
27
26
|
|
28
27
|
if new_resource.enable_website_hosting
|
29
|
-
|
28
|
+
if !website_exist?(new_resource, bucket)
|
30
29
|
converge_by "enable website configuration for bucket #{new_resource.name}" do
|
31
|
-
create_website(bucket,new_resource
|
30
|
+
create_website(bucket, new_resource)
|
32
31
|
end
|
33
32
|
elsif modifies_website_configuration?(bucket)
|
34
33
|
converge_by "reconfigure website configuration for bucket #{new_resource.name} to #{new_resource.website_options}" do
|
35
|
-
create_website(bucket,new_resource
|
34
|
+
create_website(bucket, new_resource)
|
36
35
|
end
|
37
|
-
|
36
|
+
end
|
38
37
|
else
|
39
|
-
if website_exist?(new_resource,bucket)
|
38
|
+
if website_exist?(new_resource, bucket)
|
40
39
|
converge_by "disable website configuration for bucket #{new_resource.name}" do
|
41
40
|
new_resource.driver.s3_client.delete_bucket_website(bucket: new_resource.name)
|
42
41
|
end
|
@@ -48,20 +47,17 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
|
|
48
47
|
|
49
48
|
def create_aws_object
|
50
49
|
converge_by "create S3 bucket #{new_resource.name}" do
|
51
|
-
options = new_resource.options.merge(
|
50
|
+
options = new_resource.options.merge(bucket: new_resource.name)
|
52
51
|
new_resource.driver.s3_client.create_bucket(options)
|
53
52
|
# S3 buckets already have a top level name property so they don't need
|
54
53
|
# a 'Name' tag
|
55
54
|
end
|
56
55
|
end
|
57
56
|
|
58
|
-
def update_aws_object(bucket)
|
59
|
-
end
|
57
|
+
def update_aws_object(bucket); end
|
60
58
|
|
61
59
|
def destroy_aws_object(bucket)
|
62
|
-
if purging
|
63
|
-
new_resource.recursive_delete(true)
|
64
|
-
end
|
60
|
+
new_resource.recursive_delete(true) if purging
|
65
61
|
converge_by "delete S3 bucket #{new_resource.name}" do
|
66
62
|
if new_resource.recursive_delete
|
67
63
|
bucket.delete!
|
@@ -73,17 +69,18 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
|
|
73
69
|
|
74
70
|
private
|
75
71
|
|
76
|
-
def website_exist?(new_resource,
|
77
|
-
return true if new_resource.driver.s3_client.get_bucket_website(bucket: new_resource.name)
|
72
|
+
def website_exist?(new_resource, _bucket)
|
73
|
+
return true if new_resource.driver.s3_client.get_bucket_website(bucket: new_resource.name)
|
78
74
|
rescue Aws::S3::Errors::NoSuchWebsiteConfiguration
|
79
|
-
|
75
|
+
false
|
80
76
|
end
|
81
77
|
|
82
|
-
def create_website(
|
78
|
+
def create_website(_bucket, new_resource)
|
83
79
|
website_configuration = Aws::S3::Types::WebsiteConfiguration.new(
|
84
|
-
|
80
|
+
new_resource.website_options
|
81
|
+
)
|
85
82
|
s3_client = new_resource.driver.s3_client
|
86
|
-
s3_client.put_bucket_website(
|
83
|
+
s3_client.put_bucket_website(bucket: new_resource.name, website_configuration: website_configuration)
|
87
84
|
end
|
88
85
|
|
89
86
|
def modifies_website_configuration?(aws_object)
|
@@ -102,10 +99,10 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
|
|
102
99
|
def s3_website_endpoint_region
|
103
100
|
# ¯\_(ツ)_/¯
|
104
101
|
case aws_object.location_constraint
|
105
|
-
when nil,
|
106
|
-
|
107
|
-
when
|
108
|
-
|
102
|
+
when nil, "US"
|
103
|
+
"us-east-1"
|
104
|
+
when "EU"
|
105
|
+
"eu-west-1"
|
109
106
|
else
|
110
107
|
aws_object.location_constraint
|
111
108
|
end
|
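Review bot: `if !website_exist?(new_resource, bucket)` in `action_create` should be `unless website_exist?(new_resource, bucket)` — the rest of this diff is the same style pass and this negated `if` slipped through. More relevant to operators, `def update_aws_object(bucket); end` means everything in `new_resource.options` handed to `create_bucket` (any creation-time setting such as an ACL) is applied once and never reconciled, so a bucket whose configuration drifted after creation still converges as up to date; a comment there, `# Creation options are not reconciled after the bucket exists; only website configuration is managed on update.`, would make that contract visible. `website_exist?` rescues only `NoSuchWebsiteConfiguration`, so access-denied and other errors propagate, which is reasonable, but its `_bucket` parameter is unused and the method re-queries by name. The `action_create` body begins before the first hunk.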
@@ -1,7 +1,7 @@
|
|
1
|
-
require
|
2
|
-
require
|
3
|
-
require
|
4
|
-
require
|
1
|
+
require "chef/provisioning/aws_driver/aws_provider"
|
2
|
+
require "date"
|
3
|
+
require "ipaddr"
|
4
|
+
require "set"
|
5
5
|
|
6
6
|
class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvider
|
7
7
|
include Chef::Provisioning::AWSDriver::TaggingStrategy::EC2ConvergeTags
|
@@ -21,7 +21,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
21
21
|
options = { description: new_resource.description.to_s }
|
22
22
|
options[:vpc_id] = new_resource.vpc if new_resource.vpc
|
23
23
|
options[:group_name] = new_resource.name
|
24
|
-
if options[:description].nil?
|
24
|
+
if options[:description].nil? || (options[:description] == "")
|
25
25
|
options[:description] = new_resource.name.to_s
|
26
26
|
end
|
27
27
|
options = AWSResource.lookup_options(options, resource: new_resource)
|
@@ -29,7 +29,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
29
29
|
|
30
30
|
sg = new_resource.driver.ec2_resource.create_security_group(options)
|
31
31
|
retry_with_backoff(::Aws::EC2::Errors::InvalidSecurityGroupsIDNotFound, ::Aws::EC2::Errors::InvalidGroupNotFound) do
|
32
|
-
new_resource.driver.ec2_resource.create_tags(resources: [sg.id],tags: [{key: "Name", value: new_resource.name}])
|
32
|
+
new_resource.driver.ec2_resource.create_tags(resources: [sg.id], tags: [{ key: "Name", value: new_resource.name }])
|
33
33
|
end
|
34
34
|
sg
|
35
35
|
end
|
@@ -39,7 +39,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
39
39
|
if !new_resource.description.nil? && new_resource.description != sg.description
|
40
40
|
raise "Security group descriptions cannot be changed after being created! Desired description for #{new_resource.name} (#{sg.id}) was \"#{new_resource.description}\" and actual description is \"#{sg.description}\""
|
41
41
|
end
|
42
|
-
|
42
|
+
unless new_resource.vpc.nil?
|
43
43
|
desired_vpc = Chef::Resource::AwsVpc.get_aws_object_id(new_resource.vpc, resource: new_resource)
|
44
44
|
if desired_vpc != sg.vpc_id
|
45
45
|
raise "Security group VPC cannot be changed after being created! Desired VPC for #{new_resource.name} (#{sg.id}) was #{new_resource.vpc} (#{desired_vpc}) and actual VPC is #{sg.vpc_id}"
|
@@ -49,8 +49,8 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
49
49
|
end
|
50
50
|
|
51
51
|
def destroy_aws_object(sg)
|
52
|
-
converge_by "delete security group #{new_resource
|
53
|
-
sg.delete(
|
52
|
+
converge_by "delete security group #{new_resource} in #{region}" do
|
53
|
+
sg.delete(dry_run: false)
|
54
54
|
end
|
55
55
|
end
|
56
56
|
|
@@ -58,13 +58,9 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
58
58
|
|
59
59
|
def apply_rules(sg)
|
60
60
|
vpc = sg.vpc_id
|
61
|
-
|
62
|
-
update_outbound_rules(sg, vpc)
|
63
|
-
end
|
61
|
+
update_outbound_rules(sg, vpc) unless new_resource.outbound_rules.nil?
|
64
62
|
|
65
|
-
|
66
|
-
update_inbound_rules(sg, vpc)
|
67
|
-
end
|
63
|
+
update_inbound_rules(sg, vpc) unless new_resource.inbound_rules.nil?
|
68
64
|
end
|
69
65
|
|
70
66
|
def update_inbound_rules(sg, vpc)
|
@@ -94,100 +90,95 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
94
90
|
# Actually update the rules (remove, add)
|
95
91
|
#
|
96
92
|
update_rules(desired_rules, sg.ip_permissions,
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
|
181
|
-
|
182
|
-
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
end
|
187
|
-
end
|
188
|
-
end
|
189
|
-
end
|
190
|
-
)
|
93
|
+
authorize: proc do |port_range, protocol, actors|
|
94
|
+
names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
|
95
|
+
converge_by "authorize #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
|
96
|
+
names.each do |iprange|
|
97
|
+
begin
|
98
|
+
if iprange.include?("-")
|
99
|
+
# user_id_group_pairs allows to add inbound rules for source security group
|
100
|
+
sg.authorize_ingress(
|
101
|
+
ip_permissions: [{
|
102
|
+
ip_protocol: protocol,
|
103
|
+
from_port: port_range.first,
|
104
|
+
to_port: port_range.last,
|
105
|
+
user_id_group_pairs: actors
|
106
|
+
}]
|
107
|
+
)
|
108
|
+
# sg.authorize_ingress({
|
109
|
+
# group
|
110
|
+
# ip_permissions: [{
|
111
|
+
# ip_protocol: protocol,
|
112
|
+
# from_port: port_range.first,
|
113
|
+
# to_port: port_range.last,
|
114
|
+
# prefix_list_ids: [{
|
115
|
+
# prefix_list_id: iprange
|
116
|
+
# }]
|
117
|
+
# }]
|
118
|
+
# })
|
119
|
+
else
|
120
|
+
sg.authorize_ingress(
|
121
|
+
ip_permissions: [{
|
122
|
+
ip_protocol: protocol,
|
123
|
+
from_port: port_range.first,
|
124
|
+
to_port: port_range.last,
|
125
|
+
ip_ranges: [{
|
126
|
+
cidr_ip: iprange
|
127
|
+
}]
|
128
|
+
}]
|
129
|
+
)
|
130
|
+
end
|
131
|
+
rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate => e
|
132
|
+
Chef::Log.debug("Ignoring duplicate permission")
|
133
|
+
end
|
134
|
+
end
|
135
|
+
end
|
136
|
+
end,
|
137
|
+
|
138
|
+
revoke: proc do |port_range, protocol, actors|
|
139
|
+
names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
|
140
|
+
converge_by "revoke the ability of #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
|
141
|
+
names.each do |iprange|
|
142
|
+
begin
|
143
|
+
if iprange.include?("-")
|
144
|
+
# user_id_group_pairs allows to revoke inbound rules for source security group
|
145
|
+
sg.revoke_ingress(
|
146
|
+
ip_permissions: [{
|
147
|
+
ip_protocol: protocol,
|
148
|
+
from_port: port_range.first,
|
149
|
+
to_port: port_range.last,
|
150
|
+
user_id_group_pairs: actors
|
151
|
+
}]
|
152
|
+
)
|
153
|
+
# sg.revoke_ingress({
|
154
|
+
# group
|
155
|
+
# ip_permissions: [{
|
156
|
+
# ip_protocol: protocol,
|
157
|
+
# from_port: port_range.first,
|
158
|
+
# to_port: port_range.last,
|
159
|
+
# prefix_list_ids: [{
|
160
|
+
# prefix_list_id: iprange
|
161
|
+
# }]
|
162
|
+
# }]
|
163
|
+
# })
|
164
|
+
else
|
165
|
+
sg.revoke_ingress(
|
166
|
+
ip_permissions: [{
|
167
|
+
ip_protocol: protocol,
|
168
|
+
from_port: port_range.first,
|
169
|
+
to_port: port_range.last,
|
170
|
+
ip_ranges: [{
|
171
|
+
cidr_ip: iprange
|
172
|
+
}]
|
173
|
+
}]
|
174
|
+
)
|
175
|
+
end
|
176
|
+
rescue ::Aws::EC2::Errors::InvalidPermissionNotFound => e
|
177
|
+
Chef::Log.debug("Ignoring missing permission")
|
178
|
+
end
|
179
|
+
end
|
180
|
+
end
|
181
|
+
end)
|
191
182
|
end
|
192
183
|
|
193
184
|
def update_outbound_rules(sg, vpc)
|
@@ -217,101 +208,95 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
217
208
|
#
|
218
209
|
Chef::Log.info("dr: #{desired_rules}")
|
219
210
|
update_rules(desired_rules, sg.ip_permissions_egress,
|
220
|
-
|
221
|
-
|
222
|
-
|
223
|
-
|
224
|
-
|
225
|
-
|
226
|
-
|
227
|
-
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
|
236
|
-
|
237
|
-
|
238
|
-
|
239
|
-
|
240
|
-
|
241
|
-
|
242
|
-
|
243
|
-
|
244
|
-
|
245
|
-
|
246
|
-
|
247
|
-
|
248
|
-
|
249
|
-
|
250
|
-
|
251
|
-
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
|
262
|
-
|
263
|
-
|
264
|
-
|
265
|
-
|
266
|
-
|
267
|
-
|
268
|
-
|
269
|
-
|
270
|
-
|
271
|
-
|
272
|
-
|
273
|
-
|
274
|
-
|
275
|
-
|
276
|
-
|
277
|
-
|
278
|
-
|
279
|
-
|
280
|
-
|
281
|
-
|
282
|
-
|
283
|
-
|
284
|
-
|
285
|
-
|
286
|
-
|
287
|
-
|
288
|
-
|
289
|
-
|
290
|
-
|
291
|
-
|
292
|
-
|
293
|
-
|
294
|
-
|
295
|
-
|
296
|
-
|
297
|
-
|
298
|
-
|
299
|
-
|
300
|
-
|
301
|
-
|
302
|
-
|
303
|
-
|
304
|
-
|
305
|
-
|
306
|
-
|
307
|
-
|
308
|
-
|
309
|
-
Chef::Log.debug("Ignoring missing permission")
|
310
|
-
end
|
311
|
-
end
|
312
|
-
end
|
313
|
-
end
|
314
|
-
)
|
211
|
+
authorize: proc do |port_range, protocol, actors|
|
212
|
+
Chef::Log.info("proto: #{protocol.inspect}")
|
213
|
+
Chef::Log.info("port_range: #{port_range.inspect}")
|
214
|
+
names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
|
215
|
+
converge_by "authorize group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
|
216
|
+
names.each do |iprange|
|
217
|
+
begin
|
218
|
+
if iprange.include?("-")
|
219
|
+
sg.authorize_egress(
|
220
|
+
ip_permissions: [{
|
221
|
+
ip_protocol: protocol,
|
222
|
+
from_port: port_range.first,
|
223
|
+
to_port: port_range.last,
|
224
|
+
user_id_group_pairs: actors
|
225
|
+
}]
|
226
|
+
)
|
227
|
+
# sg.authorize_egress({
|
228
|
+
# group
|
229
|
+
# ip_permissions: [{
|
230
|
+
# ip_protocol: protocol,
|
231
|
+
# from_port: port_range.first,
|
232
|
+
# to_port: port_range.last,
|
233
|
+
# prefix_list_ids: [{
|
234
|
+
# prefix_list_id: iprange
|
235
|
+
# }]
|
236
|
+
# }]
|
237
|
+
# })
|
238
|
+
else
|
239
|
+
sg.authorize_egress(
|
240
|
+
ip_permissions: [{
|
241
|
+
ip_protocol: protocol,
|
242
|
+
from_port: port_range.first,
|
243
|
+
to_port: port_range.last,
|
244
|
+
ip_ranges: [{
|
245
|
+
cidr_ip: iprange
|
246
|
+
}]
|
247
|
+
}]
|
248
|
+
)
|
249
|
+
end
|
250
|
+
rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate => e
|
251
|
+
Chef::Log.debug("Ignoring duplicate permission")
|
252
|
+
end
|
253
|
+
end
|
254
|
+
end
|
255
|
+
end,
|
256
|
+
|
257
|
+
revoke: proc do |port_range, protocol, actors|
|
258
|
+
names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
|
259
|
+
converge_by "revoke the ability of group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
|
260
|
+
names.each do |iprange|
|
261
|
+
begin
|
262
|
+
if iprange.include?("-")
|
263
|
+
sg.revoke_egress(
|
264
|
+
ip_permissions: [{
|
265
|
+
ip_protocol: protocol,
|
266
|
+
from_port: port_range.first,
|
267
|
+
to_port: port_range.last,
|
268
|
+
user_id_group_pairs: actors
|
269
|
+
}]
|
270
|
+
)
|
271
|
+
# sg.revoke_egress({
|
272
|
+
# group
|
273
|
+
# ip_permissions: [{
|
274
|
+
# ip_protocol: protocol,
|
275
|
+
# from_port: port_range.first,
|
276
|
+
# to_port: port_range.last,
|
277
|
+
# prefix_list_ids: [{
|
278
|
+
# prefix_list_id: iprange
|
279
|
+
# }]
|
280
|
+
# }]
|
281
|
+
# })
|
282
|
+
else
|
283
|
+
sg.revoke_egress(
|
284
|
+
ip_permissions: [{
|
285
|
+
ip_protocol: protocol,
|
286
|
+
from_port: port_range.first,
|
287
|
+
to_port: port_range.last,
|
288
|
+
ip_ranges: [{
|
289
|
+
cidr_ip: iprange
|
290
|
+
}]
|
291
|
+
}]
|
292
|
+
)
|
293
|
+
end
|
294
|
+
rescue ::Aws::EC2::Errors::InvalidPermissionNotFound => e
|
295
|
+
Chef::Log.debug("Ignoring missing permission")
|
296
|
+
end
|
297
|
+
end
|
298
|
+
end
|
299
|
+
end)
|
315
300
|
end
|
316
301
|
|
317
302
|
def update_rules(desired_rules, actual_rules_list, authorize: nil, revoke: nil)
|
@@ -322,22 +307,21 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
322
307
|
port_range: rule[:from_port] ? rule[:from_port]..rule[:to_port] : -1..-1,
|
323
308
|
protocol: rule[:ip_protocol].to_s.to_sym
|
324
309
|
}
|
325
|
-
rule[:user_id_group_pairs].map! { |h| h.
|
326
|
-
add_rule(actual_rules, [
|
327
|
-
add_rule(actual_rules, [
|
310
|
+
rule[:user_id_group_pairs].map! { |h| h.reject { |x| x == :group_name } }
|
311
|
+
add_rule(actual_rules, [port_range], rule[:user_id_group_pairs]) if rule[:user_id_group_pairs]
|
312
|
+
add_rule(actual_rules, [port_range], rule[:ip_ranges].map { |r| r[:cidr_ip] }) if rule[:ip_ranges]
|
328
313
|
end
|
329
314
|
|
330
315
|
#
|
331
316
|
# Get the list of permissions to add and remove
|
332
317
|
#
|
333
318
|
actual_rules.each do |port_range, actors|
|
334
|
-
|
335
|
-
|
336
|
-
|
337
|
-
|
338
|
-
|
339
|
-
|
340
|
-
end
|
319
|
+
next unless desired_rules[port_range]
|
320
|
+
intersection = actors & desired_rules[port_range]
|
321
|
+
# Anything unhandled in desired_rules will be added
|
322
|
+
desired_rules[port_range] -= intersection
|
323
|
+
# Anything unhandled in actual_rules will be removed
|
324
|
+
actual_rules[port_range] -= intersection
|
341
325
|
end
|
342
326
|
|
343
327
|
#
|
@@ -375,18 +359,18 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
375
359
|
case port_spec
|
376
360
|
when Integer
|
377
361
|
port_spec = 0 if port_spec == -1
|
378
|
-
[
|
362
|
+
[{ port_range: port_spec..port_spec, protocol: :tcp }]
|
379
363
|
when Range
|
380
364
|
port_spec = 0..0 if port_spec == (-1..-1)
|
381
|
-
[
|
365
|
+
[{ port_range: port_spec, protocol: :tcp }]
|
382
366
|
when Array
|
383
367
|
port_spec.map { |p| get_port_ranges(p) }.flatten
|
384
368
|
when String, Symbol
|
385
369
|
protocol = port_spec.to_s.downcase.to_sym
|
386
370
|
if protocol.to_s =~ /(any|all|-1)/i
|
387
|
-
[
|
371
|
+
[{ port_range: -1..-1, protocol: :"-1" }]
|
388
372
|
else
|
389
|
-
[
|
373
|
+
[{ port_range: 0..0, protocol: protocol }]
|
390
374
|
end
|
391
375
|
when Hash
|
392
376
|
port_range = port_spec[:port_range] || port_spec[:ports] || port_spec[:port] || 0
|
@@ -394,9 +378,9 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
394
378
|
if port_spec[:protocol]
|
395
379
|
protocol = port_spec[:protocol].to_s.downcase.to_sym
|
396
380
|
if protocol.to_s =~ /(any|all|-1)/i
|
397
|
-
[
|
381
|
+
[{ port_range: -1..-1, protocol: :"-1" }]
|
398
382
|
else
|
399
|
-
[
|
383
|
+
[{ port_range: port_range, protocol: protocol }]
|
400
384
|
end
|
401
385
|
else
|
402
386
|
get_port_ranges(port_range)
|
@@ -404,7 +388,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
404
388
|
# The to_s.to_sym dance is because if you specify a protocol number, AWS symbolifies it,
|
405
389
|
# but 26.to_sym doesn't work (so we have to to_s it first).
|
406
390
|
when nil
|
407
|
-
[
|
391
|
+
[{ port_range: -1..-1, protocol: :"-1" }]
|
408
392
|
end
|
409
393
|
end
|
410
394
|
|
@@ -414,72 +398,71 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
|
|
414
398
|
def get_actors(vpc, actor_spec)
|
415
399
|
result = case actor_spec
|
416
400
|
|
417
|
-
|
418
|
-
|
419
|
-
|
420
|
-
|
421
|
-
|
422
|
-
|
423
|
-
|
424
|
-
|
425
|
-
|
426
|
-
|
427
|
-
|
428
|
-
|
429
|
-
|
430
|
-
|
431
|
-
|
432
|
-
|
433
|
-
|
434
|
-
|
435
|
-
|
436
|
-
|
437
|
-
|
438
|
-
|
439
|
-
|
440
|
-
|
441
|
-
|
442
|
-
|
443
|
-
|
444
|
-
|
445
|
-
|
446
|
-
|
447
|
-
|
448
|
-
|
449
|
-
|
450
|
-
|
451
|
-
|
452
|
-
|
453
|
-
|
454
|
-
|
455
|
-
|
456
|
-
|
457
|
-
|
458
|
-
|
459
|
-
|
460
|
-
|
461
|
-
|
462
|
-
|
463
|
-
|
464
|
-
|
465
|
-
|
466
|
-
|
467
|
-
|
468
|
-
|
469
|
-
|
470
|
-
|
471
|
-
|
472
|
-
|
473
|
-
|
474
|
-
|
475
|
-
|
476
|
-
|
477
|
-
|
478
|
-
|
401
|
+
# An array is always considered a list of actors. Each one may follow any supported format.
|
402
|
+
when Array
|
403
|
+
actor_spec.map { |a| get_actors(vpc, a) }
|
404
|
+
|
405
|
+
# Hashes come in several forms:
|
406
|
+
when Hash
|
407
|
+
# The default AWS Ruby SDK form with :user_id, :group_id and :group_name forms
|
408
|
+
if actor_spec.keys.all? { |key| %i{user_id group_id group_name}.include?(key) }
|
409
|
+
if actor_spec.key?(:group_name)
|
410
|
+
vpc_object = Chef::Resource::AwsVpc.get_aws_object(vpc, resource: new_resource)
|
411
|
+
actor_spec[:group_id] ||= vpc_object.security_groups(filters: [name: "group-name", values: [actor_spec[:group_name]]]).first.id
|
412
|
+
end
|
413
|
+
actor_spec[:user_id] ||= new_resource.driver.account_id
|
414
|
+
|
415
|
+
{ user_id: actor_spec[:user_id], group_id: actor_spec[:group_id] }
|
416
|
+
|
417
|
+
# load_balancer: <load balancer name>
|
418
|
+
elsif actor_spec.keys == [:load_balancer]
|
419
|
+
lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec[:load_balancer], resource: new_resource)
|
420
|
+
get_actors(vpc, lb)
|
421
|
+
|
422
|
+
# security_group: <security group name>
|
423
|
+
elsif actor_spec.keys == [:security_group]
|
424
|
+
Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec[:security_group], resource: new_resource)
|
425
|
+
|
426
|
+
else
|
427
|
+
raise "Unable to reference security group with spec #{actor_spec}"
|
428
|
+
end
|
429
|
+
|
430
|
+
# If a load balancer is specified, grab it and then get its automatic security group
|
431
|
+
when /^elb-[a-fA-F0-9]+$/, Aws::ElasticLoadBalancing::Types::LoadBalancerDescription, Chef::Resource::AwsLoadBalancer
|
432
|
+
lb = actor_spec
|
433
|
+
if lb.class != Aws::ElasticLoadBalancing::Types::LoadBalancerDescription
|
434
|
+
lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec, resource: new_resource)
|
435
|
+
end
|
436
|
+
# get secgroup via vpc_id
|
437
|
+
vpc_object = Chef::Resource::AwsVpc.get_aws_object(vpc, resource: new_resource)
|
438
|
+
results = vpc_object.security_groups.to_a.select { |s| s.group_name == lb.source_security_group.group_name }
|
439
|
+
if results.size == 1
|
440
|
+
get_actors(vpc, results.first.id)
|
441
|
+
else
|
442
|
+
raise ::Chef::Provisioning::AWSDriver::Exceptions::MultipleSecurityGroupError.new(lb.source_security_group.group_name, results)
|
443
|
+
end
|
444
|
+
|
445
|
+
# If a security group is specified, grab it
|
446
|
+
when /^sg-[a-fA-F0-9]+$/, ::Aws::EC2::SecurityGroup, Chef::Resource::AwsSecurityGroup
|
447
|
+
Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
|
448
|
+
|
449
|
+
# If an IP addresses / CIDR are passed, return it verbatim; otherwise, assume it's the
|
450
|
+
# name of a security group.
|
451
|
+
when String
|
452
|
+
begin
|
453
|
+
IPAddr.new(actor_spec)
|
454
|
+
# Add /32 to the end of raw IP addresses
|
455
|
+
actor_spec =~ /\// ? actor_spec : "#{actor_spec}/32"
|
456
|
+
rescue IPAddr::InvalidAddressError
|
457
|
+
Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
|
458
|
+
end
|
459
|
+
|
460
|
+
else
|
461
|
+
raise "Unexpected actor #{actor_spec} / #{actor_spec.class} in rules list"
|
462
|
+
end
|
479
463
|
|
480
464
|
result = { user_id: result.owner_id, group_id: result.id } if result.is_a?(::Aws::EC2::SecurityGroup)
|
481
465
|
|
482
|
-
[
|
466
|
+
[result].flatten
|
483
467
|
end
|
484
|
-
|
485
468
|
end
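Review bot: In the outbound `authorize`/`revoke` procs (new-side lines 224 and 268) the security-group branch sends the whole `actors` list as `user_id_group_pairs` on every pass of `names.each`, although each pass is meant to handle the single actor `iprange`; if a rule's actor list mixes CIDR strings with group hashes, the string entries reach the SDK call (whose parameter validation appears to expect hashes there) and the converge aborts before the `rescue`, and even with only groups every pass re-sends the full list and relies on `InvalidPermissionDuplicate`/`InvalidPermissionNotFound` being swallowed. Passing just the matching pair, `user_id_group_pairs: actors.select { |a| a.is_a?(Hash) && a[:group_id] == iprange }`, keeps one API call per actor; the inbound `revoke` at new-side line 150 has the same pattern (the inbound `authorize` starts outside this view). In `get_actors` (`when String`), `IPAddr.new` also accepts IPv6 literals, which then get `/32` appended and are sent as `cidr_ip`, the IPv4-only field, so either reject them up front (`raise "..." unless IPAddr.new(actor_spec).ipv4?`) or route them through `ipv6_ranges`/`cidr_ipv6`. The `when Hash` branch writes back into the caller's `actor_spec` with `||=` and dereferences `.first.id` without checking that a group of that name was found, which surfaces a typo in `group_name` as a `NoMethodError` rather than a clear message. `update_outbound_rules` itself opens in the previous hunk's context line, outside the hunk under review.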
|