ciinabox-ecs 0.1.6
- checksums.yaml +7 -0
- data/Gemfile +7 -0
- data/LICENSE.txt +22 -0
- data/README.md +458 -0
- data/Rakefile +649 -0
- data/bin/Rakefile +1 -0
- data/bin/ciinabox-ecs +2 -0
- data/bin/ciinabox-ecs.rb +60 -0
- data/config/ciinabox_params.yml.erb +71 -0
- data/config/default_lambdas.yml +26 -0
- data/config/default_params.yml +303 -0
- data/config/default_params.yml.example +124 -0
- data/config/default_services.yml +62 -0
- data/ext/common_helper.rb +21 -0
- data/ext/config/managed_policies.yml +156 -0
- data/ext/helper.rb +29 -0
- data/ext/policies.rb +53 -0
- data/ext/zip_helper.rb +57 -0
- data/lambdas/acm_issuer_validator/lib/install.sh +20 -0
- data/templates/bastion.rb +121 -0
- data/templates/ciinabox.rb +159 -0
- data/templates/ecs-cluster.rb +252 -0
- data/templates/ecs-services.rb +340 -0
- data/templates/lambdas.rb +172 -0
- data/templates/services/bitbucket.rb +81 -0
- data/templates/services/drone.rb +394 -0
- data/templates/services/hawtio.rb +100 -0
- data/templates/services/icinga2.rb +79 -0
- data/templates/services/jenkins.rb +209 -0
- data/templates/services/nexus.rb +96 -0
- data/templates/vpc.rb +290 -0
- metadata +144 -0
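--- a/data/bin/Rakefile
+++ b/data/bin/Rakefile
@@ -0,0 +1 @@
+import './../Rakefile'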
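Review bot: `import './../Rakefile'` is resolved by Rake against the process working directory, not against this file, so it only finds the top-level Rakefile because `ciinabox-ecs.rb` does `Dir.chdir script_dir` before `load_rakefile`. Anchoring it to the file itself, `import File.expand_path('../Rakefile', __dir__)`, removes that hidden coupling, and a comment such as `# loads the project Rakefile one directory up; the CLI chdirs here before loading` would make the dependency visible either way.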
data/bin/ciinabox-ecs
ADDED
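--- a/data/bin/ciinabox-ecs.rb
+++ b/data/bin/ciinabox-ecs.rb
@@ -0,0 +1,60 @@
+#!/usr/bin/env ruby
+
+require 'rake'
+require 'optparse'
+
+class CiinaboxEcsCli
+
+def main(args)
+script_dir = File.expand_path File.dirname(__FILE__)
+old_pwd = Dir.pwd
+
+Rake::TaskManager.record_task_metadata = true
+
+Dir.chdir script_dir
+app = Rake.application
+app.init
+app.load_rakefile
+
+actions = app.tasks.map { |t| t.name.gsub('ciinabox:', '') }
+
+if (args.size() ==0) or
+(args.size() < 2 and (not %w(init full_install).include? args[0])) or
+(args[0] == 'help') or
+(not actions.include? args[0])
+STDERR.puts("Usage: ciinabox-ecs action1 action2 action3 ciinabox_name")
+STDERR.puts("Valid actions:")
+STDERR.printf("%-20s |%-20s\n\n", 'name', 'description')
+app.tasks.each do |action|
+STDERR.printf("%-20s |%-20s\n", action.name.gsub('ciinabox:', ''), action.comment)
+end
+exit 0 if args[0] == 'help'
+exit -1
+end
+
+methods = args[0..args.size()-2]
+ciinabox_name = args[args.size()-1]
+
+ENV['CIINABOX'] = ciinabox_name
+
+if ENV.key? 'CIINABOXES_DIR'
+ENV['CIINABOXES_DIR'] = File.expand_path(ENV['CIINABOXES_DIR'])
+else
+ENV['CIINABOXES_DIR'] = old_pwd
+end
+
+methods.each do |method_name|
+Dir.chdir(script_dir)
+Rake.application = nil
+app = Rake.application
+app.init
+app.load_rakefile
+Dir.chdir(old_pwd)
+app["ciinabox:#{method_name}"].invoke()
+end
+
+end
+
+end
+
+CiinaboxEcsCli.new.main(ARGV)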
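Review bot: Only the first action is checked against `actions` in the usage guard, so a misspelled second or third action is not caught there and instead raises Rake's "Don't know how to build task" error from `app["ciinabox:#{method_name}"]` inside the loop, after the earlier actions have already run against the environment. Validating the whole list up front keeps the usage message as the single failure path: replace `(not actions.include? args[0])` with `(not args[0..args.size()-2].all? { |m| actions.include? m })`. Note also that with a single argument such as `init`, `args[0..args.size()-2]` becomes `args[0..-1]`, the whole array, so `init` is both the task invoked and the value exported as `ENV['CIINABOX']`; that wraparound appears intentional but deserves a comment, e.g. `# single-argument form (init/full_install): the action name doubles as the ciinabox name`. Finally, `exit -1` maps to status 255 on POSIX and trips Ruby's ambiguous-argument warning, so `exit 1` is the clearer spelling, and `require 'optparse'` is never used.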
@@ -0,0 +1,71 @@
|
|
1
|
+
#ciinabox default config
|
2
|
+
ciinabox_name: <%= ciinabox_name %>
|
3
|
+
|
4
|
+
aws_profile: <%= ciinabox_aws_profile %>
|
5
|
+
|
6
|
+
aws_region: <%= ciinabox_region %>
|
7
|
+
|
8
|
+
aws_account_id: <%= ciinabox_aws_account %>
|
9
|
+
|
10
|
+
stack_name: <%= stack_name %>
|
11
|
+
|
12
|
+
#override S3 bucket location
|
13
|
+
source_bucket: <%= ciinabox_source_bucket %>
|
14
|
+
|
15
|
+
#change this to your own dns_domain
|
16
|
+
#domain needs to be manage via route53 since the cloudformation adds additional records
|
17
|
+
dns_domain: <%= ciinabox_tools_domain %>
|
18
|
+
|
19
|
+
#Environment Access
|
20
|
+
#add list of public IP addresses you want to access the environment from
|
21
|
+
#default to public access probably best to change this
|
22
|
+
opsAccess:
|
23
|
+
- <%=my_public_ip%>
|
24
|
+
#add list of public IP addresses for your developers to access the environment
|
25
|
+
#default to public access probably best to change this
|
26
|
+
devAccess:
|
27
|
+
- <%=my_public_ip%>
|
28
|
+
|
29
|
+
# Upload a default ssl cert to AWS to be used by default to ciinabox service ELBs
|
30
|
+
default_ssl_cert_id: "arn:aws:iam::<%= ciinabox_aws_account %>:server-certificate/ciinabox"
|
31
|
+
|
32
|
+
acm_auto_issue_validate: <%= acm_auto_issue_validate%>
|
33
|
+
|
34
|
+
<% if ciinabox_docker_repo != '' %>
|
35
|
+
ciinabox_repo: <%= ciinabox_docker_repo %>
|
36
|
+
<% end %>
|
37
|
+
|
38
|
+
include_diind_slave: <%= include_dind_slave %>
|
39
|
+
include_dood_slave: <%= include_dood_slave %>
|
40
|
+
include_bastion_stack: false
|
41
|
+
|
42
|
+
<% if (defined? ciinabox_iam_role_name) and (not ciinabox_iam_role_name.nil?) and (ciinabox_iam_role_name.strip != '') %>
|
43
|
+
ciinabox_iam_role_name: <%= ciinabox_iam_role_name %>
|
44
|
+
<% end %>
|
45
|
+
#add if you want volatile jenkins docker slave -- Note: by default jenkins docker slave mounts /data/jenkins-dind (on host) to /var/lib/docker (on container)
|
46
|
+
#volatile_jenkins_slave: true
|
47
|
+
|
48
|
+
#add if you want ecs docker volume != 22GB - must be > 22
|
49
|
+
#ecs_docker_volume_size: 100
|
50
|
+
|
51
|
+
#use this to change volume snapshot for running ciinabox
|
52
|
+
#ecs_data_volume_name: "ECSDataVolume2s"
|
53
|
+
|
54
|
+
#set the snapshot to restore from
|
55
|
+
#ecs_data_volume_snapshot: snap-49e2b3b5
|
56
|
+
|
57
|
+
#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
|
58
|
+
#ecs_data_volume_size: 250
|
59
|
+
|
60
|
+
#optional ciinabox name if you need more than one or you want a different name
|
61
|
+
#stack_name: ciinabox-tools
|
62
|
+
|
63
|
+
#for internal elb for jenkins
|
64
|
+
#internal_elb: false
|
65
|
+
|
66
|
+
#icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
|
67
|
+
|
68
|
+
# Uncomment below to enable ciinabox environment scheduling
|
69
|
+
# times are in UTC
|
70
|
+
# scale_up_schedule: 0 7 * * 1-5
|
71
|
+
# scale_down_schedule: 0 19 * * *
|
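Review bot: The comments above `opsAccess` and `devAccess` say the default is public access, but the value each list renders is the single `<%=my_public_ip%>` entry, so the comment misstates what this template grants; `#defaults to the single address in my_public_ip - add every public IP that should reach the environment` would describe it accurately. The two ERB guards are inconsistent as well: `ciinabox_iam_role_name` is protected with `defined?` before use, while `<% if ciinabox_docker_repo != '' %>` raises NameError when that variable is missing from the binding, so either both should use the `defined?` form or the variables the binding must supply should be listed in a header comment at the top of the file. A header like `# rendered by the init task; required binding variables: ciinabox_name, ciinabox_aws_profile, ciinabox_region, ...` would make the contract explicit.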
@@ -0,0 +1,26 @@
|
|
1
|
+
default_lambdas:
|
2
|
+
roles:
|
3
|
+
acmissuevalidate:
|
4
|
+
policies_managed:
|
5
|
+
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
|
6
|
+
policies_inline:
|
7
|
+
- cloudwatch-logs
|
8
|
+
- route53-manage-records
|
9
|
+
- acm-cert-issue
|
10
|
+
- lambda-invoke
|
11
|
+
|
12
|
+
functions:
|
13
|
+
CRIssueACMCertificate:
|
14
|
+
local: true
|
15
|
+
role: acmissuevalidate
|
16
|
+
package_cmd: ./install.sh
|
17
|
+
runtime: python3.6
|
18
|
+
code: lambdas/acm_issuer_validator/lib
|
19
|
+
vpc: false
|
20
|
+
named: false
|
21
|
+
timeout: 60
|
22
|
+
handler: aws_acm_cert_validator_lambda/handler.lambda_handler
|
23
|
+
environment:
|
24
|
+
MAX_WAIT_TIME: 600
|
25
|
+
allowed_sources:
|
26
|
+
- principal: cloudformation.amazonaws.com
|
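Review bot: `timeout: 60` for `CRIssueACMCertificate` is smaller than its `MAX_WAIT_TIME: 600` environment value; if MAX_WAIT_TIME is a number of seconds the handler is allowed to wait, Lambda terminates the function well before that ceiling, so one of the two values looks wrong, and a comment stating the unit and relationship (e.g. `# MAX_WAIT_TIME is in seconds and must stay below the function timeout`) would settle it. `allowed_sources` grants invocation to the `cloudformation.amazonaws.com` service principal with no source account or ARN in this hunk; whether the template that consumes this list adds such a condition is not visible here, and if it does not, the permission is not limited to this account's stacks, which is worth a comment on the entry either way.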
@@ -0,0 +1,303 @@
|
|
1
|
+
ciinabox_version: 0.1
|
2
|
+
|
3
|
+
#ciinabox ECS cluster name
|
4
|
+
cluster_name: ciinabox
|
5
|
+
|
6
|
+
#you may want a different ciinabox-stack name, e.g if you have 2 ciinaboxes
|
7
|
+
stack_name: ciinabox
|
8
|
+
|
9
|
+
#log level - change to :debug to see the AWS commands being executed
|
10
|
+
log_level: ':info'
|
11
|
+
|
12
|
+
#change this to your own timezone
|
13
|
+
timezone: GMT
|
14
|
+
|
15
|
+
#change for internal ELBs
|
16
|
+
internal_elb: false
|
17
|
+
|
18
|
+
#add if you want ecs root volume != 8GB - must be > 8
|
19
|
+
#ecs_root_volume_size: 30
|
20
|
+
|
21
|
+
#add if you want ecs docker volume != 22GB - must be > 22
|
22
|
+
#ecs_docker_volume_size: 100
|
23
|
+
|
24
|
+
#use this to change volume snapshot for running ciinabox
|
25
|
+
#ecs_data_volume_name: "ECSDataVolume2s"
|
26
|
+
|
27
|
+
#set the snapshot to restore from
|
28
|
+
#ecs_data_volume_snapshot: snap-49e2b3b5
|
29
|
+
|
30
|
+
#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
|
31
|
+
#ecs_data_volume_size: 250
|
32
|
+
|
33
|
+
#optional ciinabox name if you need more than one or you want a different name
|
34
|
+
#stack_name: ciinabox-tools
|
35
|
+
|
36
|
+
#for internal elb for jenkins
|
37
|
+
#internal_elb: false
|
38
|
+
|
39
|
+
#icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
|
40
|
+
|
41
|
+
#AWS Availability Zones Idenifers
|
42
|
+
availability_zones:
|
43
|
+
- 'A'
|
44
|
+
- 'B'
|
45
|
+
|
46
|
+
azId:
|
47
|
+
A: 0
|
48
|
+
B: 1
|
49
|
+
C: 2
|
50
|
+
D: 3
|
51
|
+
E: 4
|
52
|
+
|
53
|
+
#Subnet offsets 10.150.x.0/26
|
54
|
+
vpc:
|
55
|
+
SubnetOctetA: "0"
|
56
|
+
SubnetOctetB: "1"
|
57
|
+
ecs:
|
58
|
+
SubnetOctetA: "2"
|
59
|
+
SubnetOctetB: "3"
|
60
|
+
lambdaSubnets:
|
61
|
+
SubnetOctetA: "4"
|
62
|
+
SubnetOctetB: "5"
|
63
|
+
|
64
|
+
#ciinabox environment config
|
65
|
+
Mappings:
|
66
|
+
EnvironmentType:
|
67
|
+
ciinabox:
|
68
|
+
KeyName: ciinabox
|
69
|
+
NetworkPrefix: 10
|
70
|
+
StackOctet: 150
|
71
|
+
StackMask: 16
|
72
|
+
SubnetMask: 26
|
73
|
+
NatInstanceType: t2.micro
|
74
|
+
ECSInstanceType: t2.large
|
75
|
+
|
76
|
+
#Amazon Linux AMI 2015.03.1 (HVM), SSD Volume Type
|
77
|
+
natAMI:
|
78
|
+
us-east-1:
|
79
|
+
ami: ami-60b6c60a
|
80
|
+
us-west-2:
|
81
|
+
ami: ami-f0091d91
|
82
|
+
ap-southeast-2:
|
83
|
+
ami: ami-48d38c2b
|
84
|
+
eu-west-1:
|
85
|
+
ami: ami-bff32ccc
|
86
|
+
ap-southeast-1:
|
87
|
+
ami: ami-c9b572aa
|
88
|
+
|
89
|
+
ecs_ami:
|
90
|
+
us-east-1:
|
91
|
+
ami: ami-04351e12
|
92
|
+
us-west-2:
|
93
|
+
ami: ami-57d9cd2e
|
94
|
+
ap-southeast-2:
|
95
|
+
ami: ami-42e9f921
|
96
|
+
eu-west-1:
|
97
|
+
ami: ami-809f84e6
|
98
|
+
ap-southeast-1:
|
99
|
+
ami: ami-19f7787a
|
100
|
+
|
101
|
+
#Webhook access only via https
|
102
|
+
webHooks:
|
103
|
+
#github
|
104
|
+
- 192.30.252.0/22
|
105
|
+
#bitbucket cloud
|
106
|
+
- 104.192.142.0/24
|
107
|
+
- 104.192.136.0/21
|
108
|
+
- 131.103.26.0/23
|
109
|
+
- 131.103.26.0/24
|
110
|
+
- 131.103.27.0/24
|
111
|
+
- 131.103.29.0/24
|
112
|
+
- 165.254.226.0/23
|
113
|
+
- 165.254.226.0/24
|
114
|
+
- 165.254.227.0/24
|
115
|
+
- 131.103.28.0/24
|
116
|
+
- 185.166.140.0/22
|
117
|
+
|
118
|
+
# if set to true, security group allowing connections from NAT gateway will be assigned to
|
119
|
+
# ecs cluster (useful for windows jenkins slaves)
|
120
|
+
allow_nat_connections: false
|
121
|
+
|
122
|
+
# This option applies only for docker-in-docker jenkins slave
|
123
|
+
# If slave is volatile, docker images data is not volume-mounted from EBS drive, and is lost once
|
124
|
+
# jenkins slave is stopped (e.g. service task restarted)
|
125
|
+
volatile_jenkins_slave: false
|
126
|
+
|
127
|
+
# Include docker-in-docker jenkins slave as part of service task definition
|
128
|
+
include_diind_slave: true
|
129
|
+
|
130
|
+
# Include docker-outside-of-docker jenkins slave as part of service task definition
|
131
|
+
# Docker version will be dependant on underlying ECS host
|
132
|
+
include_dood_slave: false
|
133
|
+
|
134
|
+
# allows overwrite for ciinabox docker slave version
|
135
|
+
# currently 17.03.2-ce (tagged as latest) and 17.06.1-ce are supported
|
136
|
+
# see https://hub.docker.com/r/base2/ciinabox-docker-slave/tags/ for further details
|
137
|
+
docker_slave_version: 17.03.2-ce
|
138
|
+
|
139
|
+
# Feature toggle for ECR Credentials helper, controlled via USE_ECR_CREDENTIAL_HELPER environment variable
|
140
|
+
# If ecr credential helper is configured, it will fail on docker login command
|
141
|
+
docker_slave_enable_ecr_credentials_helper: false
|
142
|
+
|
143
|
+
# Uncomment line below if you want to use external IAM role for Instance Profile
|
144
|
+
# Note that if this options is used, permissions from 'ecs_iam_role_permissions_default'
|
145
|
+
# and 'ecs_iam_role_permissions_extras' are disregarded
|
146
|
+
|
147
|
+
# ciinabox_iam_role_name: 'ciinabox'
|
148
|
+
# Indicates whether bastion stack allowing user to access ciinabox host
|
149
|
+
# from public network will be created or not
|
150
|
+
include_bastion_stack: false
|
151
|
+
|
152
|
+
# if set to true, docker volume will be formatted as ext4 and volume-mounted under /var/lib/docker.
|
153
|
+
# Used if ECS AMI is configured with overlay2 driver. Defaults to false, as Amazon ECS AMIs (default)
|
154
|
+
# are using devicemapper, which gets configured automatically. Main advantage of using overlay2 over devicemapper is
|
155
|
+
# device size limitation
|
156
|
+
ecs_docker_volume_volumemount: false
|
157
|
+
|
158
|
+
|
159
|
+
# if set to true, EBS data volumes will be tagged to be backed up with shelvery aws backup manager
|
160
|
+
# also, retention periods can be controlled from here
|
161
|
+
data_volume_shelvery_backups: true
|
162
|
+
data_volume_retain_daily_backups: 7
|
163
|
+
data_volume_retain_weekly_backups: 4
|
164
|
+
data_volume_reatin_monthly_backups: 12
|
165
|
+
|
166
|
+
|
167
|
+
ecs_iam_role_permissions_default:
|
168
|
+
- name: assume-role
|
169
|
+
actions:
|
170
|
+
- sts:AssumeRole
|
171
|
+
resource: '*'
|
172
|
+
|
173
|
+
- name: read-only
|
174
|
+
actions:
|
175
|
+
- ec2:Describe*
|
176
|
+
- s3:Get*
|
177
|
+
- s3:List*
|
178
|
+
resource: '*'
|
179
|
+
|
180
|
+
- name: s3-write
|
181
|
+
actions:
|
182
|
+
- s3:PutObject
|
183
|
+
- s3:PutObject*
|
184
|
+
resource: '*'
|
185
|
+
|
186
|
+
- name: Route53
|
187
|
+
actions:
|
188
|
+
- route53:ChangeResourceRecordSets
|
189
|
+
- route53:ListHostedZonesByName
|
190
|
+
resource: '*'
|
191
|
+
|
192
|
+
- name: ecsServiceRole
|
193
|
+
actions:
|
194
|
+
- ecs:CreateCluster
|
195
|
+
- ecs:DeregisterContainerInstance
|
196
|
+
- ecs:DiscoverPollEndpoint
|
197
|
+
- ecs:Poll
|
198
|
+
- ecs:RegisterContainerInstance
|
199
|
+
- ecs:StartTelemetrySession
|
200
|
+
- ecs:Submit*
|
201
|
+
- ec2:AuthorizeSecurityGroupIngress
|
202
|
+
- ec2:Describe*
|
203
|
+
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer
|
204
|
+
- elasticloadbalancing:Describe*
|
205
|
+
- elasticloadbalancing:RegisterInstancesWithLoadBalancer
|
206
|
+
resource: '*'
|
207
|
+
|
208
|
+
- name: ssm-run-command
|
209
|
+
actions:
|
210
|
+
- ssm:DescribeAssociation
|
211
|
+
- ssm:GetDocument
|
212
|
+
- ssm:ListAssociations
|
213
|
+
- ssm:UpdateAssociationStatus
|
214
|
+
- ssm:UpdateInstanceInformation
|
215
|
+
- ec2messages:AcknowledgeMessage
|
216
|
+
- ec2messages:DeleteMessage
|
217
|
+
- ec2messages:FailMessage
|
218
|
+
- ec2messages:GetEndpoint
|
219
|
+
- ec2messages:GetMessages
|
220
|
+
- ec2messages:SendReply
|
221
|
+
- cloudwatch:PutMetricData
|
222
|
+
- ec2:DescribeInstanceStatus
|
223
|
+
- ds:CreateComputer
|
224
|
+
- ds:DescribeDirectories
|
225
|
+
- logs:CreateLogGroup
|
226
|
+
- logs:CreateLogStream
|
227
|
+
- logs:DescribeLogGroups
|
228
|
+
- logs:DescribeLogStreams
|
229
|
+
- logs:PutLogEvents
|
230
|
+
- s3:PutObject
|
231
|
+
- s3:GetObject
|
232
|
+
- s3:AbortMultipartUpload
|
233
|
+
- s3:ListMultipartUploadParts
|
234
|
+
- s3:ListBucketMultipartUploads
|
235
|
+
resource: '*'
|
236
|
+
|
237
|
+
- name: ecr
|
238
|
+
actions:
|
239
|
+
- ecr:*
|
240
|
+
resource: '*'
|
241
|
+
|
242
|
+
- name: packer
|
243
|
+
actions:
|
244
|
+
- cloudformation:*
|
245
|
+
- ec2:AttachVolume
|
246
|
+
- ec2:CreateVolume
|
247
|
+
- ec2:DeleteVolume
|
248
|
+
- ec2:CreateKeypair
|
249
|
+
- ec2:DeleteKeypair
|
250
|
+
- ec2:CreateSecurityGroup
|
251
|
+
- ec2:DeleteSecurityGroup
|
252
|
+
- ec2:AuthorizeSecurityGroupIngress
|
253
|
+
- ec2:CreateImage
|
254
|
+
- ec2:RunInstances
|
255
|
+
- ec2:TerminateInstances
|
256
|
+
- ec2:StopInstances
|
257
|
+
- ec2:DescribeVolumes
|
258
|
+
- ec2:DetachVolume
|
259
|
+
- ec2:DescribeInstances
|
260
|
+
- ec2:CreateSnapshot
|
261
|
+
- ec2:DeleteSnapshot
|
262
|
+
- ec2:DescribeSnapshots
|
263
|
+
- ec2:DescribeImages
|
264
|
+
- ec2:RegisterImage
|
265
|
+
- ec2:CreateTags
|
266
|
+
- ec2:ModifyImageAttribute
|
267
|
+
- ec2:GetPasswordData
|
268
|
+
- iam:PassRole
|
269
|
+
- dynamodb:*
|
270
|
+
resource: '*'
|
271
|
+
|
272
|
+
|
273
|
+
#extra_stacks:
|
274
|
+
# elk:
|
275
|
+
# #define template name? - optional
|
276
|
+
# file_name: elk
|
277
|
+
# parameters:
|
278
|
+
# RoleName: search
|
279
|
+
# CertName: x
|
280
|
+
# StackOctetA: 11
|
281
|
+
# StackOctetB: 12
|
282
|
+
bastionInstanceType: t2.micro
|
283
|
+
bastionAMI:
|
284
|
+
us-east-1:
|
285
|
+
ami: ami-55ef662f
|
286
|
+
us-east-2:
|
287
|
+
ami: ami-c5062ba0
|
288
|
+
us-west-2:
|
289
|
+
ami: ami-e689729e
|
290
|
+
us-west-1:
|
291
|
+
ami: ami-02eada62
|
292
|
+
ap-southeast-1:
|
293
|
+
ami: ami-0797ea64
|
294
|
+
ap-southeast-2:
|
295
|
+
ami: ami-8536d6e7
|
296
|
+
eu-west-1:
|
297
|
+
ami: ami-acd005d5
|
298
|
+
eu-west-2:
|
299
|
+
ami: ami-1a7f6d7e
|
300
|
+
eu-central-1:
|
301
|
+
ami: ami-c7ee5ca8
|
302
|
+
|
303
|
+
acm_auto_issue_validate: true
|
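Review bot: `ecs_iam_role_permissions_default` attaches `ecr:*`, `cloudformation:*`, `dynamodb:*`, `sts:AssumeRole` and `iam:PassRole`, each with `resource: '*'`, to the ECS instance role, which lets the build hosts (and, via the instance metadata service, typically the containers on them) assume any role whose trust policy permits it and pass any role to the services they launch. Because these are the shipped defaults rather than an example, the file should either scope the resources to the role, repository and table ARNs the `packer` and service tasks actually need, or state in the comment above `ecs_iam_role_permissions_default` that the list is deliberately broad and expected to be narrowed per installation. `data_volume_reatin_monthly_backups` is misspelled relative to its `retain_daily`/`retain_weekly` siblings; if the template looks up `data_volume_retain_monthly_backups`, the value 12 is silently ignored, so the key should be checked against the code that reads it. The comment `#AWS Availability Zones Idenifers` should read "Identifiers".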