chef-provisioning-aws 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 09d8cd1f113c14f6f206a03b49d89cae4d9294a6
-  data.tar.gz: 0fbe0de96accf8f7cc030920f108f1a68df09ece
+  metadata.gz: 77fad1ecfeeb4dabe26c39612eb4c1bde17b8e1a
+  data.tar.gz: 643e9aa5dd7a32eff6c87e5882aeccfc72c971d4
 SHA512:
-  metadata.gz: b5d93a2add78c31d46ced5badef87b3ead4da4fb203b2b00352f15e569e309afc1d2ccc87a2bf2c2f2468f5e02de64908144d0f577a983e7462b17170f2eae51
-  data.tar.gz: 37d9e8b8c2461bcf26a8488127a3ab241c0e731bc7ad3e3dd98f4e892906d8bb8d8b94dc2d9a07da9bdca2841c2f642f65bbb319a64a15c1283bb2aa7f084f64
+  metadata.gz: 274e85302ec8c237728a247f79da29e3a7550ba1a8209fbd26e36fd5fe48f3043fe11cc62f393460790d61b77a78049048febc58bc64783c41ff057d80fd8bf2
+  data.tar.gz: 71cfa5429bec399ce37837713521e3653c8d0f4b10f30f2a726b48327fa40e774255b580e932e986cf0e870d7c532340cce360958ca36e6c3ff491866e00cb28

data/README.md

@@ -2,11 +2,22 @@
 
 This README is a work in progress.  Please add to it!
 
+# Prerequesites
+
+## Credentials
+
+AWS credentials should be specified in your `~/.aws/credentials` file as documented [here](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files).  We support the use of profiles as well.  If you do not specify a profile then we use the `default` profile.
+
+You can specify a profile as the middle section of the semi-colon seperated driver url.  For example, a driver url of `aws:staging:us-east-1` would use the profile `staging`.
+
 # Resources
 
 TODO: List out weird/unique things about resources here.  We don't need to document every resource
 because users can look at the resource model.
 
+TODO: document `aws_object` and `get_aws_object` and how you can get the aws object for a base
+chef-provisioning resource like machine or load_balancer
+
 ## aws_vpc
 
 If you specify `internet_gateway true` the VPC will create and manage its own internet gateway.
@@ -170,12 +181,14 @@ machine_image 'my_image' do
 end
 
 ruby_block "look up machine_image object" do
-  aws_object = Chef::Resource::AwsImage.get_aws_object(
-    'my_image',
-    run_context: run_context,
-    driver: run_context.chef_provisioning.current_driver,
-    managed_entry_store: Chef::Provisioning.chef_managed_entry_store(self.chef_server)
-  )
+  block do
+    aws_object = Chef::Resource::AwsImage.get_aws_object(
+      'my_image',
+      run_context: run_context,
+      driver: run_context.chef_provisioning.current_driver,
+      managed_entry_store: Chef::Provisioning.chef_managed_entry_store(run_context.cheffish.current_chef_server)
+    )
+  end
 end
 ```
 
@@ -188,10 +201,10 @@ available using a `lazy` attribute modifier or in a `ruby_block`.
 
 # Running Integration Tests
 
-To run the integration tests execute `bundle exec rake integration`.  If you have not set it up,
+To run the integration tests execute `bundle exec rspec`.  If you have not set it up,
 you should see an error message about a missing environment variable `AWS_TEST_DRIVER`.  You can add
 this as a normal environment variable or set it for a single run with `AWS_TEST_DRIVER=aws::eu-west-1
-bundle exec rake integration`.  The format should match what `with_driver` expects.
+bundle exec rspec`.  The format should match what `with_driver` expects.
 
 You will also need to have configured your `~/.aws/config` or environment variables with your
 AWS credentials.

data/lib/chef/provider/aws_cache_cluster.rb

@@ -0,0 +1,75 @@
+require 'chef/provisioning/aws_driver/aws_provider'
+
+class Chef::Provider::AwsCacheCluster < Chef::Provisioning::AWSDriver::AWSProvider
+
+  protected
+
+  def create_aws_object
+    converge_by "create new Elasticache Cluster #{new_resource.name} in #{region}" do
+      driver.create_cache_cluster(desired_options)
+    end
+  end
+
+  def update_aws_object(cache_cluster)
+    if update_required?(cache_cluster)
+      converge_by "update Elasticache Cluster #{new_resource.name} in #{region}" do
+        driver.modify_cache_cluster(
+          updatable_options(desired_options).merge(
+            cache_cluster_id: cache_cluster[:cache_cluster_id]
+          )
+        )
+      end
+    end
+  end
+
+  def destroy_aws_object(cache_cluster)
+    converge_by "delete Elasticache Cluster #{new_resource.name} in #{region}" do
+      driver.delete_cache_cluster(
+        cache_cluster_id: cache_cluster[:cache_cluster_id]
+      )
+    end
+  end
+
+  private
+
+  def driver
+    new_resource.driver.elasticache
+  end
+
+  def desired_options
+    @desired_options ||= begin
+      options = {}
+      options[:cache_cluster_id] = new_resource.cluster_name
+      options[:num_cache_nodes] = new_resource.number_nodes
+      options[:cache_node_type] = new_resource.node_type
+      options[:engine] = new_resource.engine
+      options[:az_mode] = new_resource.az_mode if new_resource.az_mode
+      options[:preferred_availability_zone] =
+        new_resource.preferred_availability_zone if new_resource.preferred_availability_zone
+      options[:preferred_availability_zones] =
+        new_resource.preferred_availability_zones if new_resource.preferred_availability_zones
+      options[:engine_version] = new_resource.engine_version
+      options[:cache_subnet_group_name] =
+        new_resource.subnet_group_name if new_resource.subnet_group_name
+      options[:security_group_ids] = new_resource.security_groups
+      AWSResource.lookup_options(options, resource: new_resource)
+    end
+  end
+
+  def updatable_options(options)
+    updatable = [:security_groups, :num_cache_nodes, :engine_version]
+    options.delete_if { |option, _value| !updatable.include?(option) }
+  end
+
+  def update_required?(cache_cluster)
+    current_sg_ids = cache_cluster[:security_groups].map { |sg| sg[:security_group_id] }.sort
+
+    if desired_options[:security_group_ids].sort != current_sg_ids ||
+      desired_options[:num_cache_nodes] != cache_cluster[:num_cache_nodes] ||
+      desired_options[:engine_version] != cache_cluster[:engine_version]
+      true
+    else
+      false
+    end
+  end
+end

data/lib/chef/provider/aws_cache_replication_group.rb

@@ -0,0 +1,49 @@
+require 'chef/provisioning/aws_driver/aws_provider'
+
+class Chef::Provider::AwsCacheReplicationGroup < Chef::Provisioning::AWSDriver::AWSProvider
+
+  protected
+
+  def create_aws_object
+    converge_by "create new Elasticache Replication Group #{new_resource.name} in #{region}" do
+      driver.create_replication_group(desired_options)
+    end
+  end
+
+  def update_aws_object(cache_replication_group)
+    Chef::Log.warn('Updating Elasticache Replication Groups is currently unsupported')
+  end
+
+  def destroy_aws_object(cache_replication_group)
+    converge_by "delete Elasticache Replication group #{new_resource.name} in #{region}" do
+      driver.delete_replication_group(
+        replication_group_id: cache_replication_group[:replication_group_id]
+      )
+    end
+  end
+
+  private
+
+  def driver
+    new_resource.driver.elasticache
+  end
+
+  def desired_options
+    @desired_options ||= begin
+      options = {}
+      options[:replication_group_id] = new_resource.group_name
+      options[:replication_group_description] = new_resource.description
+      options[:automatic_failover_enabled] = new_resource.automatic_failover
+      options[:num_cache_clusters] = new_resource.number_cache_clusters
+      options[:cache_node_type] = new_resource.node_type
+      options[:engine] = new_resource.engine
+      options[:engine_version] = new_resource.engine_version
+      options[:preferred_cache_cluster_a_zs] =
+        new_resource.preferred_availability_zones if new_resource.preferred_availability_zones
+      options[:cache_subnet_group_name] =
+        new_resource.subnet_group_name if new_resource.subnet_group_name
+      options[:security_group_ids] = new_resource.security_groups
+      AWSResource.lookup_options(options, resource: new_resource)
+    end
+  end
+end

data/lib/chef/provider/aws_cache_subnet_group.rb

@@ -0,0 +1,60 @@
+require 'chef/provisioning/aws_driver/aws_provider'
+
+class Chef::Provider::AwsCacheSubnetGroup < Chef::Provisioning::AWSDriver::AWSProvider
+
+  protected
+
+  def create_aws_object
+    converge_by "create new Elasticache Subnet Group #{new_resource.name} in #{region}" do
+      driver.create_cache_subnet_group(desired_options)
+    end
+  end
+
+  def update_aws_object(cache_subnet_group)
+    if update_required?(cache_subnet_group)
+      converge_by "update Elasticache Subnet Group #{new_resource.name} in #{region}" do
+        driver.modify_cache_subnet_group(desired_options)
+      end
+    end
+  end
+
+  def destroy_aws_object(cache_subnet_group)
+    converge_by "delete Elasticache Subnet Group #{new_resource.name} in #{region}" do
+      driver.delete_cache_subnet_group(
+        cache_subnet_group_name: cache_subnet_group[:cache_subnet_group_name]
+      )
+    end
+  end
+
+  private
+
+  def driver
+    new_resource.driver.elasticache
+  end
+
+  def update_cache_subnet_group
+    new_resource.driver.elasticache.modify_cache_subnet_group(desired_options)
+  end
+
+  def desired_options
+    @desired_options ||= begin
+      options = {}
+      options[:cache_subnet_group_name] = new_resource.group_name
+      options[:cache_subnet_group_description] = new_resource.description
+      options[:subnet_ids] = new_resource.subnets
+      AWSResource.lookup_options(options, resource: new_resource)
+    end
+  end
+
+  def update_required?(cache_subnet_group)
+    current_subnet_ids = cache_subnet_group[:subnets]
+                           .map { |subnet| subnet[:subnet_identifier] }.sort
+    current_description = cache_subnet_group[:cache_subnet_group_description]
+    if new_resource.description != current_description ||
+      desired_options[:subnet_ids].sort != current_subnet_ids
+      true
+    else
+      false
+    end
+  end
+end

data/lib/chef/provider/aws_instance.rb

@@ -6,7 +6,10 @@ class Chef::Provider::AwsInstance < Chef::Provisioning::AWSDriver::AWSProvider
   def update_aws_object(instance); end
 
   def destroy_aws_object(instance)
-    converge_by "delete instance #{new_resource} in VPC #{instance.vpc.id} in #{region}" do
+    message = "delete instance #{new_resource}"
+    message += " in VPC #{instance.vpc.id}" unless instance.vpc.nil?
+    message += " in #{region}"
+    converge_by message do
       instance.delete
     end
     converge_by "waited until instance #{new_resource} is :terminated" do

data/lib/chef/provider/aws_key_pair.rb

@@ -168,7 +168,7 @@ class Chef::Provider::AwsKeyPair < Chef::Provisioning::AWSDriver::AWSProvider
 
     current_key_pair = new_resource.aws_object
     if current_key_pair
-      @current_fingerprint = current_key_pair ? current_key_pair.fingerprint : nil
+      @current_fingerprint = current_key_pair.fingerprint
     else
       current_resource.action :destroy
     end

data/lib/chef/provider/aws_network_acl.rb

@@ -0,0 +1,131 @@
+require 'chef/provisioning/aws_driver/aws_provider'
+require 'chef/resource/aws_vpc'
+require 'retryable'
+
+class Chef::Provider::AwsNetworkAcl < Chef::Provisioning::AWSDriver::AWSProvider
+  def action_create
+    network_acl = super
+
+    apply_rules(network_acl)
+  end
+
+  protected
+
+  def create_aws_object
+    converge_by "create new Network ACL #{new_resource.name} in #{region}" do
+      options = {}
+      options[:vpc] = new_resource.vpc if new_resource.vpc
+      options = AWSResource.lookup_options(options, resource: new_resource)
+
+      Chef::Log.debug("VPC: #{options[:vpc]}")
+
+      network_acl = new_resource.driver.ec2.network_acls.create(options)
+      Retryable.retryable(:tries => 15, :sleep => 1, :on => AWS::EC2::Errors::InvalidNetworkAclID::NotFound) do
+        network_acl.tags['Name'] = new_resource.name
+      end
+      network_acl
+    end
+  end
+
+  def update_aws_object(network_acl)
+    if !new_resource.vpc.nil?
+      desired_vpc = Chef::Resource::AwsVpc.get_aws_object_id(new_resource.vpc, resource: new_resource)
+      if desired_vpc != network_acl.vpc_id
+        raise "Network ACL VPC cannot be changed after being created!  Desired VPC for #{new_resource.to_s} was #{new_resource.vpc} (#{desired_vpc}) and actual VPC is #{network_acl.vpc_id}"
+      end
+    end
+  end
+
+  def destroy_aws_object(network_acl)
+    # TODO if purging, do we need to destory the linked subnets?
+    converge_by "delete #{new_resource.to_s} in #{region}" do
+      network_acl.delete
+    end
+  end
+
+  private
+
+  def apply_rules(network_acl)
+    current_rules = network_acl.entries.map { |entry| entry_to_hash(entry) }
+    inbound_rules = new_resource.inbound_rules
+    outbound_rules = new_resource.outbound_rules
+    # AWS requires a deny all rule at the end. Delete here so we don't
+    # try to compare.
+    current_rules.delete_if { |rule| rule[:rule_number] == 32767 }
+
+    current_inbound_rules = current_rules.select { |rule| rule[:egress] == false }
+    # If inbound_rules is nil, leave rules alone. If empty array, delete all.
+    if inbound_rules
+      desired_inbound_rules = inbound_rules.map { |rule| rule[:egress] = false; rule }
+      compare_and_apply_rules(network_acl, :ingress, current_inbound_rules, desired_inbound_rules)
+    end
+
+    current_outbound_rules = current_rules.select { |rule| rule[:egress] == true }
+    if outbound_rules
+      desired_outbound_rules = outbound_rules.map { |rule| rule[:egress] = true; rule }
+      compare_and_apply_rules(network_acl, :egress, current_outbound_rules, desired_outbound_rules)
+    end
+  end
+
+  def compare_and_apply_rules(network_acl, direction, current_rules, desired_rules)
+    replace_rules = []
+
+    # Get the desired rules in a comparable state
+    desired_rules.clone.each do |desired_rule|
+      matching_rule = current_rules.select { |r| r[:rule_number] == desired_rule[:rule_number]}.first
+      if matching_rule
+        # Anything unhandled will be removed
+        current_rules.delete(matching_rule)
+        # Anything unhandled will be added
+        desired_rules.delete(desired_rule)
+
+        if matching_rule.merge(desired_rule) != matching_rule
+          # Replace anything with a matching rule number but different attributes
+          replace_rules << desired_rule
+        end
+      end
+    end
+
+    unless replace_rules.empty? && desired_rules.empty? && current_rules.empty?
+      action_handler.report_progress "update Network ACL #{new_resource.name} #{direction.to_s} rules"
+      replace_rules(network_acl, replace_rules)
+      add_rules(network_acl, desired_rules)
+      remove_rules(network_acl, current_rules)
+    end
+  end
+
+  def replace_rules(network_acl, rules)
+    rules.each do |rule|
+      action_handler.report_progress "  update #{rule_direction(rule)} rule #{rule[:rule_number]}"
+      network_acl.replace_entry(rule)
+    end
+  end
+
+  def add_rules(network_acl, rules)
+    rules.each do |rule|
+      action_handler.report_progress "  add #{rule_direction(rule)} rule #{rule[:rule_number]}"
+      network_acl.create_entry(rule)
+    end
+  end
+
+  def remove_rules(network_acl, rules)
+    rules.each do |rule|
+      action_handler.report_progress "  remove #{rule_direction(rule)} rule #{rule[:rule_number]}"
+      network_acl.delete_entry(rule_direction(rule).to_sym, rule[:rule_number])
+    end
+  end
+
+  def rule_direction(rule)
+    rule[:egress] == true ? 'egress' : 'ingress'
+  end
+
+  def entry_to_hash(entry)
+    options = [
+      :rule_number, :action, :protocol, :cidr_block, :egress,
+      :port_range, :icmp_code, :icmp_type
+    ]
+    entry_hash = {}
+    options.each { |option| entry_hash.merge!(option => entry.send(option.to_sym)) }
+    entry_hash
+  end
+end

data/lib/chef/provider/aws_security_group.rb

@@ -148,7 +148,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
     actual_rules = {}
     actual_rules_list.each do |rule|
       port_range = {
-        port_range: rule[:from_port] ? rule[:from_port]..rule[:to_port] : nil,
+        port_range: rule[:from_port] ? rule[:from_port]..rule[:to_port] : -1..-1,
         protocol: rule[:ip_protocol].to_s.to_sym
       }
       add_rule(actual_rules, [ port_range ], rule[:groups]) if rule[:groups]

data/lib/chef/provider/aws_subnet.rb

@@ -15,6 +15,8 @@ class Chef::Provider::AwsSubnet < Chef::Provisioning::AWSDriver::AWSProvider
     if new_resource.route_table != nil
       update_route_table(subnet)
     end
+
+    update_network_acl(subnet)
   end
 
   protected
@@ -124,4 +126,16 @@ class Chef::Provider::AwsSubnet < Chef::Provisioning::AWSDriver::AWSProvider
       end
     end
   end
+
+  def update_network_acl(subnet)
+    if new_resource.network_acl
+      network_acl_id =
+        AWSResource.lookup_options({ network_acl: new_resource.network_acl }, resource: new_resource)[:network_acl]
+      if subnet.network_acl.id != network_acl_id
+        converge_by "update network acl of subnet #{new_resource.name} to #{new_resource.network_acl}" do
+          subnet.network_acl = network_acl_id
+        end
+      end
+    end
+  end
 end