ciinabox-ecs 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/Gemfile +7 -0
- data/LICENSE.txt +22 -0
- data/README.md +458 -0
- data/Rakefile +649 -0
- data/bin/Rakefile +1 -0
- data/bin/ciinabox-ecs +2 -0
- data/bin/ciinabox-ecs.rb +60 -0
- data/config/ciinabox_params.yml.erb +71 -0
- data/config/default_lambdas.yml +26 -0
- data/config/default_params.yml +303 -0
- data/config/default_params.yml.example +124 -0
- data/config/default_services.yml +62 -0
- data/ext/common_helper.rb +21 -0
- data/ext/config/managed_policies.yml +156 -0
- data/ext/helper.rb +29 -0
- data/ext/policies.rb +53 -0
- data/ext/zip_helper.rb +57 -0
- data/lambdas/acm_issuer_validator/lib/install.sh +20 -0
- data/templates/bastion.rb +121 -0
- data/templates/ciinabox.rb +159 -0
- data/templates/ecs-cluster.rb +252 -0
- data/templates/ecs-services.rb +340 -0
- data/templates/lambdas.rb +172 -0
- data/templates/services/bitbucket.rb +81 -0
- data/templates/services/drone.rb +394 -0
- data/templates/services/hawtio.rb +100 -0
- data/templates/services/icinga2.rb +79 -0
- data/templates/services/jenkins.rb +209 -0
- data/templates/services/nexus.rb +96 -0
- data/templates/vpc.rb +290 -0
- metadata +144 -0
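--- a/data/bin/Rakefile
+++ b/data/bin/Rakefile
@@ -0,0 +1 @@
+import './../Rakefile'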
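Review bot: `import './../Rakefile'` is resolved by Rake's deferred loader against the process working directory, not against this file's location, so it only finds data/Rakefile when the caller has already changed into bin/ (which bin/ciinabox-ecs.rb does before `load_rakefile`). That precondition is invisible here; a one-line comment such as `# resolved relative to cwd: ciinabox-ecs.rb chdirs into this directory before loading` would save the next reader from running `rake` here directly and getting a load error.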
data/bin/ciinabox-ecs
ADDED
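--- a/data/bin/ciinabox-ecs.rb
+++ b/data/bin/ciinabox-ecs.rb
@@ -0,0 +1,60 @@
+#!/usr/bin/env ruby
+
+require 'rake'
+require 'optparse'
+
+class CiinaboxEcsCli
+
+def main(args)
+script_dir = File.expand_path File.dirname(__FILE__)
+old_pwd = Dir.pwd
+
+Rake::TaskManager.record_task_metadata = true
+
+Dir.chdir script_dir
+app = Rake.application
+app.init
+app.load_rakefile
+
+actions = app.tasks.map { |t| t.name.gsub('ciinabox:', '') }
+
+if (args.size() ==0) or
+(args.size() < 2 and (not %w(init full_install).include? args[0])) or
+(args[0] == 'help') or
+(not actions.include? args[0])
+STDERR.puts("Usage: ciinabox-ecs action1 action2 action3 ciinabox_name")
+STDERR.puts("Valid actions:")
+STDERR.printf("%-20s |%-20s\n\n", 'name', 'description')
+app.tasks.each do |action|
+STDERR.printf("%-20s |%-20s\n", action.name.gsub('ciinabox:', ''), action.comment)
+end
+exit 0 if args[0] == 'help'
+exit -1
+end
+
+methods = args[0..args.size()-2]
+ciinabox_name = args[args.size()-1]
+
+ENV['CIINABOX'] = ciinabox_name
+
+if ENV.key? 'CIINABOXES_DIR'
+ENV['CIINABOXES_DIR'] = File.expand_path(ENV['CIINABOXES_DIR'])
+else
+ENV['CIINABOXES_DIR'] = old_pwd
+end
+
+methods.each do |method_name|
+Dir.chdir(script_dir)
+Rake.application = nil
+app = Rake.application
+app.init
+app.load_rakefile
+Dir.chdir(old_pwd)
+app["ciinabox:#{method_name}"].invoke()
+end
+
+end
+
+end
+
+CiinaboxEcsCli.new.main(ARGV)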
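Review bot: Only `args[0]` is checked against `actions` (line 24), yet every entry of `methods` (lines 35, 46–53) is invoked, so a mistyped second or third action is caught only when `app["ciinabox:…"]` raises inside Rake, after the earlier actions have already run; validating the whole list up front, e.g. replacing line 24 with `(not args[0..-2].all? { |a| actions.include?(a) }) or (not actions.include? args[0])`, keeps the usage text as the single error exit. `app.init` (lines 16 and 50) is called without an argv, and Rake's init parses the process ARGV for its own options, so a user argument such as `--trace` or `-h` is consumed by Rake instead of reaching this validation — worth confirming against the rake version the gem pins and, where supported, passing an explicit empty argv. `exit -1` (line 32) becomes exit status 255 on POSIX; `exit 1` is the conventional failure code and easier to test for in scripts. The local `methods` (line 35) shadows `Object#methods`; `action_names` would read more clearly.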
@@ -0,0 +1,71 @@
|
|
1
|
+
#ciinabox default config
|
2
|
+
ciinabox_name: <%= ciinabox_name %>
|
3
|
+
|
4
|
+
aws_profile: <%= ciinabox_aws_profile %>
|
5
|
+
|
6
|
+
aws_region: <%= ciinabox_region %>
|
7
|
+
|
8
|
+
aws_account_id: <%= ciinabox_aws_account %>
|
9
|
+
|
10
|
+
stack_name: <%= stack_name %>
|
11
|
+
|
12
|
+
#override S3 bucket location
|
13
|
+
source_bucket: <%= ciinabox_source_bucket %>
|
14
|
+
|
15
|
+
#change this to your own dns_domain
|
16
|
+
#domain needs to be manage via route53 since the cloudformation adds additional records
|
17
|
+
dns_domain: <%= ciinabox_tools_domain %>
|
18
|
+
|
19
|
+
#Environment Access
|
20
|
+
#add list of public IP addresses you want to access the environment from
|
21
|
+
#default to public access probably best to change this
|
22
|
+
opsAccess:
|
23
|
+
- <%=my_public_ip%>
|
24
|
+
#add list of public IP addresses for your developers to access the environment
|
25
|
+
#default to public access probably best to change this
|
26
|
+
devAccess:
|
27
|
+
- <%=my_public_ip%>
|
28
|
+
|
29
|
+
# Upload a default ssl cert to AWS to be used by default to ciinabox service ELBs
|
30
|
+
default_ssl_cert_id: "arn:aws:iam::<%= ciinabox_aws_account %>:server-certificate/ciinabox"
|
31
|
+
|
32
|
+
acm_auto_issue_validate: <%= acm_auto_issue_validate%>
|
33
|
+
|
34
|
+
<% if ciinabox_docker_repo != '' %>
|
35
|
+
ciinabox_repo: <%= ciinabox_docker_repo %>
|
36
|
+
<% end %>
|
37
|
+
|
38
|
+
include_diind_slave: <%= include_dind_slave %>
|
39
|
+
include_dood_slave: <%= include_dood_slave %>
|
40
|
+
include_bastion_stack: false
|
41
|
+
|
42
|
+
<% if (defined? ciinabox_iam_role_name) and (not ciinabox_iam_role_name.nil?) and (ciinabox_iam_role_name.strip != '') %>
|
43
|
+
ciinabox_iam_role_name: <%= ciinabox_iam_role_name %>
|
44
|
+
<% end %>
|
45
|
+
#add if you want volatile jenkins docker slave -- Note: by default jenkins docker slave mounts /data/jenkins-dind (on host) to /var/lib/docker (on container)
|
46
|
+
#volatile_jenkins_slave: true
|
47
|
+
|
48
|
+
#add if you want ecs docker volume != 22GB - must be > 22
|
49
|
+
#ecs_docker_volume_size: 100
|
50
|
+
|
51
|
+
#use this to change volume snapshot for running ciinabox
|
52
|
+
#ecs_data_volume_name: "ECSDataVolume2s"
|
53
|
+
|
54
|
+
#set the snapshot to restore from
|
55
|
+
#ecs_data_volume_snapshot: snap-49e2b3b5
|
56
|
+
|
57
|
+
#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
|
58
|
+
#ecs_data_volume_size: 250
|
59
|
+
|
60
|
+
#optional ciinabox name if you need more than one or you want a different name
|
61
|
+
#stack_name: ciinabox-tools
|
62
|
+
|
63
|
+
#for internal elb for jenkins
|
64
|
+
#internal_elb: false
|
65
|
+
|
66
|
+
#icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
|
67
|
+
|
68
|
+
# Uncomment below to enable ciinabox environment scheduling
|
69
|
+
# times are in UTC
|
70
|
+
# scale_up_schedule: 0 7 * * 1-5
|
71
|
+
# scale_down_schedule: 0 19 * * *
|
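Review bot: The comments above `opsAccess` and `devAccess` (lines 21 and 25) say the list defaults to public access, but the rendered value on lines 23 and 27 is `<%=my_public_ip%>`, so unless that variable can itself expand to `0.0.0.0/0` the comment is stale and understates the restriction actually applied; rewording both to `#defaults to the public IP detected at init time; add further CIDRs as required` would match what the template emits. `include_diind_slave` (line 38) carries the same spelling as the key in default_params.yml, so the two files agree, but the misspelling is now part of the config contract and a comment noting that it must be changed in both places would prevent a one-sided fix silently dropping the setting.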
@@ -0,0 +1,26 @@
|
|
1
|
+
default_lambdas:
|
2
|
+
roles:
|
3
|
+
acmissuevalidate:
|
4
|
+
policies_managed:
|
5
|
+
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
|
6
|
+
policies_inline:
|
7
|
+
- cloudwatch-logs
|
8
|
+
- route53-manage-records
|
9
|
+
- acm-cert-issue
|
10
|
+
- lambda-invoke
|
11
|
+
|
12
|
+
functions:
|
13
|
+
CRIssueACMCertificate:
|
14
|
+
local: true
|
15
|
+
role: acmissuevalidate
|
16
|
+
package_cmd: ./install.sh
|
17
|
+
runtime: python3.6
|
18
|
+
code: lambdas/acm_issuer_validator/lib
|
19
|
+
vpc: false
|
20
|
+
named: false
|
21
|
+
timeout: 60
|
22
|
+
handler: aws_acm_cert_validator_lambda/handler.lambda_handler
|
23
|
+
environment:
|
24
|
+
MAX_WAIT_TIME: 600
|
25
|
+
allowed_sources:
|
26
|
+
- principal: cloudformation.amazonaws.com
|
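Review bot: `allowed_sources` for CRIssueACMCertificate (line 26) grants invoke to the `cloudformation.amazonaws.com` service principal with no account or source-ARN scoping visible in this config; if the lambda template supports a source restriction, scoping the permission to this account's stacks avoids the function being invokable by CloudFormation acting for any other account that learns its ARN. `runtime: python3.6` (line 17) is a Lambda runtime AWS has since deprecated, so new deployments of this function will be rejected at create time unless the template overrides it; a comment flagging the runtime as needing an upgrade would help the next maintainer.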
@@ -0,0 +1,303 @@
|
|
1
|
+
ciinabox_version: 0.1
|
2
|
+
|
3
|
+
#ciinabox ECS cluster name
|
4
|
+
cluster_name: ciinabox
|
5
|
+
|
6
|
+
#you may want a different ciinabox-stack name, e.g if you have 2 ciinaboxes
|
7
|
+
stack_name: ciinabox
|
8
|
+
|
9
|
+
#log level - change to :debug to see the AWS commands being executed
|
10
|
+
log_level: ':info'
|
11
|
+
|
12
|
+
#change this to your own timezone
|
13
|
+
timezone: GMT
|
14
|
+
|
15
|
+
#change for internal ELBs
|
16
|
+
internal_elb: false
|
17
|
+
|
18
|
+
#add if you want ecs root volume != 8GB - must be > 8
|
19
|
+
#ecs_root_volume_size: 30
|
20
|
+
|
21
|
+
#add if you want ecs docker volume != 22GB - must be > 22
|
22
|
+
#ecs_docker_volume_size: 100
|
23
|
+
|
24
|
+
#use this to change volume snapshot for running ciinabox
|
25
|
+
#ecs_data_volume_name: "ECSDataVolume2s"
|
26
|
+
|
27
|
+
#set the snapshot to restore from
|
28
|
+
#ecs_data_volume_snapshot: snap-49e2b3b5
|
29
|
+
|
30
|
+
#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
|
31
|
+
#ecs_data_volume_size: 250
|
32
|
+
|
33
|
+
#optional ciinabox name if you need more than one or you want a different name
|
34
|
+
#stack_name: ciinabox-tools
|
35
|
+
|
36
|
+
#for internal elb for jenkins
|
37
|
+
#internal_elb: false
|
38
|
+
|
39
|
+
#icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
|
40
|
+
|
41
|
+
#AWS Availability Zones Idenifers
|
42
|
+
availability_zones:
|
43
|
+
- 'A'
|
44
|
+
- 'B'
|
45
|
+
|
46
|
+
azId:
|
47
|
+
A: 0
|
48
|
+
B: 1
|
49
|
+
C: 2
|
50
|
+
D: 3
|
51
|
+
E: 4
|
52
|
+
|
53
|
+
#Subnet offsets 10.150.x.0/26
|
54
|
+
vpc:
|
55
|
+
SubnetOctetA: "0"
|
56
|
+
SubnetOctetB: "1"
|
57
|
+
ecs:
|
58
|
+
SubnetOctetA: "2"
|
59
|
+
SubnetOctetB: "3"
|
60
|
+
lambdaSubnets:
|
61
|
+
SubnetOctetA: "4"
|
62
|
+
SubnetOctetB: "5"
|
63
|
+
|
64
|
+
#ciinabox environment config
|
65
|
+
Mappings:
|
66
|
+
EnvironmentType:
|
67
|
+
ciinabox:
|
68
|
+
KeyName: ciinabox
|
69
|
+
NetworkPrefix: 10
|
70
|
+
StackOctet: 150
|
71
|
+
StackMask: 16
|
72
|
+
SubnetMask: 26
|
73
|
+
NatInstanceType: t2.micro
|
74
|
+
ECSInstanceType: t2.large
|
75
|
+
|
76
|
+
#Amazon Linux AMI 2015.03.1 (HVM), SSD Volume Type
|
77
|
+
natAMI:
|
78
|
+
us-east-1:
|
79
|
+
ami: ami-60b6c60a
|
80
|
+
us-west-2:
|
81
|
+
ami: ami-f0091d91
|
82
|
+
ap-southeast-2:
|
83
|
+
ami: ami-48d38c2b
|
84
|
+
eu-west-1:
|
85
|
+
ami: ami-bff32ccc
|
86
|
+
ap-southeast-1:
|
87
|
+
ami: ami-c9b572aa
|
88
|
+
|
89
|
+
ecs_ami:
|
90
|
+
us-east-1:
|
91
|
+
ami: ami-04351e12
|
92
|
+
us-west-2:
|
93
|
+
ami: ami-57d9cd2e
|
94
|
+
ap-southeast-2:
|
95
|
+
ami: ami-42e9f921
|
96
|
+
eu-west-1:
|
97
|
+
ami: ami-809f84e6
|
98
|
+
ap-southeast-1:
|
99
|
+
ami: ami-19f7787a
|
100
|
+
|
101
|
+
#Webhook access only via https
|
102
|
+
webHooks:
|
103
|
+
#github
|
104
|
+
- 192.30.252.0/22
|
105
|
+
#bitbucket cloud
|
106
|
+
- 104.192.142.0/24
|
107
|
+
- 104.192.136.0/21
|
108
|
+
- 131.103.26.0/23
|
109
|
+
- 131.103.26.0/24
|
110
|
+
- 131.103.27.0/24
|
111
|
+
- 131.103.29.0/24
|
112
|
+
- 165.254.226.0/23
|
113
|
+
- 165.254.226.0/24
|
114
|
+
- 165.254.227.0/24
|
115
|
+
- 131.103.28.0/24
|
116
|
+
- 185.166.140.0/22
|
117
|
+
|
118
|
+
# if set to true, security group allowing connections from NAT gateway will be assigned to
|
119
|
+
# ecs cluster (useful for windows jenkins slaves)
|
120
|
+
allow_nat_connections: false
|
121
|
+
|
122
|
+
# This option applies only for docker-in-docker jenkins slave
|
123
|
+
# If slave is volatile, docker images data is not volume-mounted from EBS drive, and is lost once
|
124
|
+
# jenkins slave is stopped (e.g. service task restarted)
|
125
|
+
volatile_jenkins_slave: false
|
126
|
+
|
127
|
+
# Include docker-in-docker jenkins slave as part of service task definition
|
128
|
+
include_diind_slave: true
|
129
|
+
|
130
|
+
# Include docker-outside-of-docker jenkins slave as part of service task definition
|
131
|
+
# Docker version will be dependant on underlying ECS host
|
132
|
+
include_dood_slave: false
|
133
|
+
|
134
|
+
# allows overwrite for ciinabox docker slave version
|
135
|
+
# currently 17.03.2-ce (tagged as latest) and 17.06.1-ce are supported
|
136
|
+
# see https://hub.docker.com/r/base2/ciinabox-docker-slave/tags/ for further details
|
137
|
+
docker_slave_version: 17.03.2-ce
|
138
|
+
|
139
|
+
# Feature toggle for ECR Credentials helper, controlled via USE_ECR_CREDENTIAL_HELPER environment variable
|
140
|
+
# If ecr credential helper is configured, it will fail on docker login command
|
141
|
+
docker_slave_enable_ecr_credentials_helper: false
|
142
|
+
|
143
|
+
# Uncomment line below if you want to use external IAM role for Instance Profile
|
144
|
+
# Note that if this options is used, permissions from 'ecs_iam_role_permissions_default'
|
145
|
+
# and 'ecs_iam_role_permissions_extras' are disregarded
|
146
|
+
|
147
|
+
# ciinabox_iam_role_name: 'ciinabox'
|
148
|
+
# Indicates whether bastion stack allowing user to access ciinabox host
|
149
|
+
# from public network will be created or not
|
150
|
+
include_bastion_stack: false
|
151
|
+
|
152
|
+
# if set to true, docker volume will be formatted as ext4 and volume-mounted under /var/lib/docker.
|
153
|
+
# Used if ECS AMI is configured with overlay2 driver. Defaults to false, as Amazon ECS AMIs (default)
|
154
|
+
# are using devicemapper, which gets configured automatically. Main advantage of using overlay2 over devicemapper is
|
155
|
+
# device size limitation
|
156
|
+
ecs_docker_volume_volumemount: false
|
157
|
+
|
158
|
+
|
159
|
+
# if set to true, EBS data volumes will be tagged to be backed up with shelvery aws backup manager
|
160
|
+
# also, retention periods can be controlled from here
|
161
|
+
data_volume_shelvery_backups: true
|
162
|
+
data_volume_retain_daily_backups: 7
|
163
|
+
data_volume_retain_weekly_backups: 4
|
164
|
+
data_volume_reatin_monthly_backups: 12
|
165
|
+
|
166
|
+
|
167
|
+
ecs_iam_role_permissions_default:
|
168
|
+
- name: assume-role
|
169
|
+
actions:
|
170
|
+
- sts:AssumeRole
|
171
|
+
resource: '*'
|
172
|
+
|
173
|
+
- name: read-only
|
174
|
+
actions:
|
175
|
+
- ec2:Describe*
|
176
|
+
- s3:Get*
|
177
|
+
- s3:List*
|
178
|
+
resource: '*'
|
179
|
+
|
180
|
+
- name: s3-write
|
181
|
+
actions:
|
182
|
+
- s3:PutObject
|
183
|
+
- s3:PutObject*
|
184
|
+
resource: '*'
|
185
|
+
|
186
|
+
- name: Route53
|
187
|
+
actions:
|
188
|
+
- route53:ChangeResourceRecordSets
|
189
|
+
- route53:ListHostedZonesByName
|
190
|
+
resource: '*'
|
191
|
+
|
192
|
+
- name: ecsServiceRole
|
193
|
+
actions:
|
194
|
+
- ecs:CreateCluster
|
195
|
+
- ecs:DeregisterContainerInstance
|
196
|
+
- ecs:DiscoverPollEndpoint
|
197
|
+
- ecs:Poll
|
198
|
+
- ecs:RegisterContainerInstance
|
199
|
+
- ecs:StartTelemetrySession
|
200
|
+
- ecs:Submit*
|
201
|
+
- ec2:AuthorizeSecurityGroupIngress
|
202
|
+
- ec2:Describe*
|
203
|
+
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer
|
204
|
+
- elasticloadbalancing:Describe*
|
205
|
+
- elasticloadbalancing:RegisterInstancesWithLoadBalancer
|
206
|
+
resource: '*'
|
207
|
+
|
208
|
+
- name: ssm-run-command
|
209
|
+
actions:
|
210
|
+
- ssm:DescribeAssociation
|
211
|
+
- ssm:GetDocument
|
212
|
+
- ssm:ListAssociations
|
213
|
+
- ssm:UpdateAssociationStatus
|
214
|
+
- ssm:UpdateInstanceInformation
|
215
|
+
- ec2messages:AcknowledgeMessage
|
216
|
+
- ec2messages:DeleteMessage
|
217
|
+
- ec2messages:FailMessage
|
218
|
+
- ec2messages:GetEndpoint
|
219
|
+
- ec2messages:GetMessages
|
220
|
+
- ec2messages:SendReply
|
221
|
+
- cloudwatch:PutMetricData
|
222
|
+
- ec2:DescribeInstanceStatus
|
223
|
+
- ds:CreateComputer
|
224
|
+
- ds:DescribeDirectories
|
225
|
+
- logs:CreateLogGroup
|
226
|
+
- logs:CreateLogStream
|
227
|
+
- logs:DescribeLogGroups
|
228
|
+
- logs:DescribeLogStreams
|
229
|
+
- logs:PutLogEvents
|
230
|
+
- s3:PutObject
|
231
|
+
- s3:GetObject
|
232
|
+
- s3:AbortMultipartUpload
|
233
|
+
- s3:ListMultipartUploadParts
|
234
|
+
- s3:ListBucketMultipartUploads
|
235
|
+
resource: '*'
|
236
|
+
|
237
|
+
- name: ecr
|
238
|
+
actions:
|
239
|
+
- ecr:*
|
240
|
+
resource: '*'
|
241
|
+
|
242
|
+
- name: packer
|
243
|
+
actions:
|
244
|
+
- cloudformation:*
|
245
|
+
- ec2:AttachVolume
|
246
|
+
- ec2:CreateVolume
|
247
|
+
- ec2:DeleteVolume
|
248
|
+
- ec2:CreateKeypair
|
249
|
+
- ec2:DeleteKeypair
|
250
|
+
- ec2:CreateSecurityGroup
|
251
|
+
- ec2:DeleteSecurityGroup
|
252
|
+
- ec2:AuthorizeSecurityGroupIngress
|
253
|
+
- ec2:CreateImage
|
254
|
+
- ec2:RunInstances
|
255
|
+
- ec2:TerminateInstances
|
256
|
+
- ec2:StopInstances
|
257
|
+
- ec2:DescribeVolumes
|
258
|
+
- ec2:DetachVolume
|
259
|
+
- ec2:DescribeInstances
|
260
|
+
- ec2:CreateSnapshot
|
261
|
+
- ec2:DeleteSnapshot
|
262
|
+
- ec2:DescribeSnapshots
|
263
|
+
- ec2:DescribeImages
|
264
|
+
- ec2:RegisterImage
|
265
|
+
- ec2:CreateTags
|
266
|
+
- ec2:ModifyImageAttribute
|
267
|
+
- ec2:GetPasswordData
|
268
|
+
- iam:PassRole
|
269
|
+
- dynamodb:*
|
270
|
+
resource: '*'
|
271
|
+
|
272
|
+
|
273
|
+
#extra_stacks:
|
274
|
+
# elk:
|
275
|
+
# #define template name? - optional
|
276
|
+
# file_name: elk
|
277
|
+
# parameters:
|
278
|
+
# RoleName: search
|
279
|
+
# CertName: x
|
280
|
+
# StackOctetA: 11
|
281
|
+
# StackOctetB: 12
|
282
|
+
bastionInstanceType: t2.micro
|
283
|
+
bastionAMI:
|
284
|
+
us-east-1:
|
285
|
+
ami: ami-55ef662f
|
286
|
+
us-east-2:
|
287
|
+
ami: ami-c5062ba0
|
288
|
+
us-west-2:
|
289
|
+
ami: ami-e689729e
|
290
|
+
us-west-1:
|
291
|
+
ami: ami-02eada62
|
292
|
+
ap-southeast-1:
|
293
|
+
ami: ami-0797ea64
|
294
|
+
ap-southeast-2:
|
295
|
+
ami: ami-8536d6e7
|
296
|
+
eu-west-1:
|
297
|
+
ami: ami-acd005d5
|
298
|
+
eu-west-2:
|
299
|
+
ami: ami-1a7f6d7e
|
300
|
+
eu-central-1:
|
301
|
+
ami: ami-c7ee5ca8
|
302
|
+
|
303
|
+
acm_auto_issue_validate: true
|
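Review bot: `ecs_iam_role_permissions_default` grants `iam:PassRole` (line 268) together with `cloudformation:*`, `dynamodb:*` and `ecr:*` (lines 239, 244, 269) on `resource: '*'` to the ECS instance profile, which lets any container running on the cluster hosts pass every role in the account to resources it can create — a privilege-escalation path that the note at lines 143–145 only partly addresses by letting an external role be substituted. Scoping `iam:PassRole` to the roles packer and CloudFormation actually need, and the wildcard service actions to named resources, keeps the default closer to least privilege; at minimum a comment above line 167 stating that the default is intentionally broad and expected to be overridden would make the trade-off explicit. `data_volume_reatin_monthly_backups` (line 164) is misspelled relative to its daily/weekly siblings; if the template reads `data_volume_retain_monthly_backups` this value is silently ignored, so either correct the key or document it as the spelling the template expects.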