ciinabox-ecs 0.1.6

data/bin/Rakefile

@@ -0,0 +1 @@
+import './../Rakefile'

data/bin/ciinabox-ecs

@@ -0,0 +1,2 @@
+#!/usr/bin/env ruby
+require_relative('./ciinabox-ecs')

data/bin/ciinabox-ecs.rb

@@ -0,0 +1,60 @@
+#!/usr/bin/env ruby
+
+require 'rake'
+require 'optparse'
+
+class CiinaboxEcsCli
+
+  def main(args)
+    script_dir = File.expand_path File.dirname(__FILE__)
+    old_pwd = Dir.pwd
+
+    Rake::TaskManager.record_task_metadata = true
+
+    Dir.chdir script_dir
+    app = Rake.application
+    app.init
+    app.load_rakefile
+
+    actions = app.tasks.map { |t| t.name.gsub('ciinabox:', '') }
+
+    if (args.size() ==0) or
+        (args.size() < 2 and (not %w(init full_install).include? args[0])) or
+        (args[0] == 'help') or
+        (not actions.include? args[0])
+      STDERR.puts("Usage: ciinabox-ecs action1 action2 action3 ciinabox_name")
+      STDERR.puts("Valid actions:")
+      STDERR.printf("%-20s |%-20s\n\n", 'name', 'description')
+      app.tasks.each do |action|
+        STDERR.printf("%-20s |%-20s\n", action.name.gsub('ciinabox:', ''), action.comment)
+      end
+      exit 0 if args[0] == 'help'
+      exit -1
+    end
+
+    methods = args[0..args.size()-2]
+    ciinabox_name = args[args.size()-1]
+
+    ENV['CIINABOX'] = ciinabox_name
+
+    if ENV.key? 'CIINABOXES_DIR'
+      ENV['CIINABOXES_DIR'] = File.expand_path(ENV['CIINABOXES_DIR'])
+    else
+      ENV['CIINABOXES_DIR'] = old_pwd
+    end
+
+    methods.each do |method_name|
+      Dir.chdir(script_dir)
+      Rake.application = nil
+      app = Rake.application
+      app.init
+      app.load_rakefile
+      Dir.chdir(old_pwd)
+      app["ciinabox:#{method_name}"].invoke()
+    end
+
+  end
+
+end
+
+CiinaboxEcsCli.new.main(ARGV)

data/config/ciinabox_params.yml.erb

@@ -0,0 +1,71 @@
+#ciinabox default config
+ciinabox_name: <%= ciinabox_name %>
+
+aws_profile: <%= ciinabox_aws_profile %>
+
+aws_region: <%= ciinabox_region %>
+
+aws_account_id: <%= ciinabox_aws_account %>
+
+stack_name: <%= stack_name %>
+
+#override S3 bucket location
+source_bucket: <%= ciinabox_source_bucket %>
+
+#change this to your own dns_domain
+#domain needs to be manage via route53 since the cloudformation adds additional records
+dns_domain: <%= ciinabox_tools_domain %>
+
+#Environment Access
+#add list of public IP addresses you want to access the environment from
+#default to public access probably best to change this
+opsAccess:
+  - <%=my_public_ip%>
+#add list of public IP addresses for your developers to access the environment
+#default to public access probably best to change this
+devAccess:
+  - <%=my_public_ip%>
+
+# Upload a default ssl cert to AWS to be used by default to ciinabox service ELBs
+default_ssl_cert_id: "arn:aws:iam::<%= ciinabox_aws_account %>:server-certificate/ciinabox"
+
+acm_auto_issue_validate: <%= acm_auto_issue_validate%>
+
+<% if ciinabox_docker_repo != '' %>
+ciinabox_repo: <%= ciinabox_docker_repo %>
+<% end %>
+
+include_diind_slave: <%= include_dind_slave %>
+include_dood_slave: <%= include_dood_slave %>
+include_bastion_stack: false
+
+<% if (defined? ciinabox_iam_role_name) and (not ciinabox_iam_role_name.nil?) and (ciinabox_iam_role_name.strip != '') %>
+ciinabox_iam_role_name: <%= ciinabox_iam_role_name %>
+<% end %>
+#add if you want volatile jenkins docker slave -- Note: by default jenkins docker slave mounts /data/jenkins-dind (on host) to /var/lib/docker (on container)
+#volatile_jenkins_slave: true
+
+#add if you want ecs docker volume != 22GB - must be > 22
+#ecs_docker_volume_size: 100
+
+#use this to change volume snapshot for running ciinabox
+#ecs_data_volume_name: "ECSDataVolume2s"
+
+#set the snapshot to restore from
+#ecs_data_volume_snapshot: snap-49e2b3b5
+
+#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
+#ecs_data_volume_size: 250
+
+#optional ciinabox name if you need more than one or you want a different name
+#stack_name: ciinabox-tools
+
+#for internal elb for jenkins
+#internal_elb: false
+
+#icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
+
+# Uncomment below to enable ciinabox environment scheduling
+# times are in UTC
+# scale_up_schedule: 0 7 * * 1-5
+# scale_down_schedule: 0 19 * * *

data/config/default_lambdas.yml

@@ -0,0 +1,26 @@
+default_lambdas:
+  roles:
+    acmissuevalidate:
+      policies_managed:
+        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
+      policies_inline:
+        - cloudwatch-logs
+        - route53-manage-records
+        - acm-cert-issue
+        - lambda-invoke
+
+  functions:
+    CRIssueACMCertificate:
+      local: true
+      role: acmissuevalidate
+      package_cmd: ./install.sh
+      runtime: python3.6
+      code: lambdas/acm_issuer_validator/lib
+      vpc: false
+      named: false
+      timeout: 60
+      handler: aws_acm_cert_validator_lambda/handler.lambda_handler
+      environment:
+        MAX_WAIT_TIME: 600
+      allowed_sources:
+        - principal: cloudformation.amazonaws.com

data/config/default_params.yml

@@ -0,0 +1,303 @@
+ciinabox_version: 0.1
+
+#ciinabox ECS cluster name
+cluster_name: ciinabox
+
+#you may want a different ciinabox-stack name, e.g if you have 2 ciinaboxes
+stack_name: ciinabox
+
+#log level - change to :debug to see the AWS commands being executed
+log_level: ':info'
+
+#change this to your own timezone
+timezone: GMT
+
+#change for internal ELBs
+internal_elb: false
+
+#add if you want ecs root volume != 8GB - must be > 8
+#ecs_root_volume_size: 30
+
+#add if you want ecs docker volume != 22GB - must be > 22
+#ecs_docker_volume_size: 100
+
+#use this to change volume snapshot for running ciinabox
+#ecs_data_volume_name: "ECSDataVolume2s"
+
+#set the snapshot to restore from
+#ecs_data_volume_snapshot: snap-49e2b3b5
+
+#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
+#ecs_data_volume_size: 250
+
+#optional ciinabox name if you need more than one or you want a different name
+#stack_name: ciinabox-tools
+
+#for internal elb for jenkins
+#internal_elb: false
+
+#icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
+
+#AWS Availability Zones Idenifers
+availability_zones:
+  - 'A'
+  - 'B'
+
+azId:
+  A: 0
+  B: 1
+  C: 2
+  D: 3
+  E: 4
+
+#Subnet offsets 10.150.x.0/26
+vpc:
+  SubnetOctetA: "0"
+  SubnetOctetB: "1"
+ecs:
+  SubnetOctetA: "2"
+  SubnetOctetB: "3"
+lambdaSubnets:
+  SubnetOctetA: "4"
+  SubnetOctetB: "5"
+
+#ciinabox environment config
+Mappings:
+  EnvironmentType:
+    ciinabox:
+      KeyName: ciinabox
+      NetworkPrefix: 10
+      StackOctet: 150
+      StackMask: 16
+      SubnetMask: 26
+      NatInstanceType: t2.micro
+      ECSInstanceType: t2.large
+
+#Amazon Linux AMI 2015.03.1 (HVM), SSD Volume Type
+natAMI:
+  us-east-1:
+    ami: ami-60b6c60a
+  us-west-2:
+    ami: ami-f0091d91
+  ap-southeast-2:
+    ami: ami-48d38c2b
+  eu-west-1:
+    ami: ami-bff32ccc
+  ap-southeast-1:
+    ami: ami-c9b572aa
+
+ecs_ami:
+  us-east-1:
+    ami: ami-04351e12
+  us-west-2:
+    ami: ami-57d9cd2e
+  ap-southeast-2:
+    ami: ami-42e9f921
+  eu-west-1:
+    ami: ami-809f84e6
+  ap-southeast-1:
+    ami: ami-19f7787a
+
+#Webhook access only via https
+webHooks:
+  #github
+  - 192.30.252.0/22
+  #bitbucket cloud
+  - 104.192.142.0/24
+  - 104.192.136.0/21
+  - 131.103.26.0/23
+  - 131.103.26.0/24
+  - 131.103.27.0/24
+  - 131.103.29.0/24
+  - 165.254.226.0/23
+  - 165.254.226.0/24
+  - 165.254.227.0/24
+  - 131.103.28.0/24
+  - 185.166.140.0/22
+
+# if set to true, security group allowing connections from NAT gateway will be assigned to
+# ecs cluster (useful for windows jenkins slaves)
+allow_nat_connections: false
+
+# This option applies only for docker-in-docker jenkins slave
+# If slave is volatile, docker images data is not volume-mounted from EBS drive, and is lost once
+# jenkins slave is stopped (e.g. service task restarted)
+volatile_jenkins_slave: false
+
+# Include docker-in-docker jenkins slave as part of service task definition
+include_diind_slave: true
+
+# Include docker-outside-of-docker jenkins slave as part of service task definition
+# Docker version will be dependant on underlying ECS host
+include_dood_slave: false
+
+# allows overwrite for ciinabox docker slave version
+# currently 17.03.2-ce (tagged as latest) and 17.06.1-ce are supported
+# see https://hub.docker.com/r/base2/ciinabox-docker-slave/tags/ for further details
+docker_slave_version: 17.03.2-ce
+
+# Feature toggle for ECR Credentials helper, controlled via USE_ECR_CREDENTIAL_HELPER environment variable
+# If ecr credential helper is configured, it will fail on docker login command
+docker_slave_enable_ecr_credentials_helper: false
+
+# Uncomment line below if you want to use external IAM role for Instance Profile
+# Note that if this options is used, permissions from 'ecs_iam_role_permissions_default'
+# and 'ecs_iam_role_permissions_extras' are disregarded
+
+# ciinabox_iam_role_name: 'ciinabox'
+# Indicates whether bastion stack allowing user to access ciinabox host
+# from public network will be created or not
+include_bastion_stack: false
+
+# if set to true, docker volume will be formatted as ext4 and volume-mounted under /var/lib/docker.
+# Used if ECS AMI is configured with overlay2 driver. Defaults to false, as Amazon ECS AMIs (default)
+# are using devicemapper, which gets configured automatically. Main advantage of using overlay2 over devicemapper is
+# device size limitation
+ecs_docker_volume_volumemount: false
+
+
+# if set to true, EBS data volumes will be tagged to be backed up with shelvery aws backup manager
+# also, retention periods can be controlled from here
+data_volume_shelvery_backups: true
+data_volume_retain_daily_backups: 7
+data_volume_retain_weekly_backups: 4
+data_volume_reatin_monthly_backups: 12
+
+
+ecs_iam_role_permissions_default:
+  - name: assume-role
+    actions:
+    - sts:AssumeRole
+    resource: '*'
+
+  - name: read-only
+    actions:
+    - ec2:Describe*
+    - s3:Get*
+    - s3:List*
+    resource: '*'
+
+  - name: s3-write
+    actions:
+    - s3:PutObject
+    - s3:PutObject*
+    resource: '*'
+
+  - name: Route53
+    actions:
+    - route53:ChangeResourceRecordSets
+    - route53:ListHostedZonesByName
+    resource: '*'
+
+  - name: ecsServiceRole
+    actions:
+    - ecs:CreateCluster
+    - ecs:DeregisterContainerInstance
+    - ecs:DiscoverPollEndpoint
+    - ecs:Poll
+    - ecs:RegisterContainerInstance
+    - ecs:StartTelemetrySession
+    - ecs:Submit*
+    - ec2:AuthorizeSecurityGroupIngress
+    - ec2:Describe*
+    - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
+    - elasticloadbalancing:Describe*
+    - elasticloadbalancing:RegisterInstancesWithLoadBalancer
+    resource: '*'
+
+  - name: ssm-run-command
+    actions:
+    - ssm:DescribeAssociation
+    - ssm:GetDocument
+    - ssm:ListAssociations
+    - ssm:UpdateAssociationStatus
+    - ssm:UpdateInstanceInformation
+    - ec2messages:AcknowledgeMessage
+    - ec2messages:DeleteMessage
+    - ec2messages:FailMessage
+    - ec2messages:GetEndpoint
+    - ec2messages:GetMessages
+    - ec2messages:SendReply
+    - cloudwatch:PutMetricData
+    - ec2:DescribeInstanceStatus
+    - ds:CreateComputer
+    - ds:DescribeDirectories
+    - logs:CreateLogGroup
+    - logs:CreateLogStream
+    - logs:DescribeLogGroups
+    - logs:DescribeLogStreams
+    - logs:PutLogEvents
+    - s3:PutObject
+    - s3:GetObject
+    - s3:AbortMultipartUpload
+    - s3:ListMultipartUploadParts
+    - s3:ListBucketMultipartUploads
+    resource: '*'
+
+  - name: ecr
+    actions:
+    - ecr:*
+    resource: '*'
+
+  - name: packer
+    actions:
+    - cloudformation:*
+    - ec2:AttachVolume
+    - ec2:CreateVolume
+    - ec2:DeleteVolume
+    - ec2:CreateKeypair
+    - ec2:DeleteKeypair
+    - ec2:CreateSecurityGroup
+    - ec2:DeleteSecurityGroup
+    - ec2:AuthorizeSecurityGroupIngress
+    - ec2:CreateImage
+    - ec2:RunInstances
+    - ec2:TerminateInstances
+    - ec2:StopInstances
+    - ec2:DescribeVolumes
+    - ec2:DetachVolume
+    - ec2:DescribeInstances
+    - ec2:CreateSnapshot
+    - ec2:DeleteSnapshot
+    - ec2:DescribeSnapshots
+    - ec2:DescribeImages
+    - ec2:RegisterImage
+    - ec2:CreateTags
+    - ec2:ModifyImageAttribute
+    - ec2:GetPasswordData
+    - iam:PassRole
+    - dynamodb:*
+    resource: '*'
+
+
+#extra_stacks:
+#  elk:
+#    #define template name? - optional
+#    file_name: elk
+#    parameters:
+#      RoleName: search
+#      CertName: x
+#      StackOctetA: 11
+#      StackOctetB: 12
+bastionInstanceType: t2.micro
+bastionAMI:
+  us-east-1:
+   ami: ami-55ef662f
+  us-east-2:
+   ami: ami-c5062ba0
+  us-west-2:
+   ami: ami-e689729e
+  us-west-1:
+   ami: ami-02eada62
+  ap-southeast-1:
+   ami: ami-0797ea64
+  ap-southeast-2:
+   ami: ami-8536d6e7
+  eu-west-1:
+   ami: ami-acd005d5
+  eu-west-2:
+   ami: ami-1a7f6d7e
+  eu-central-1:
+   ami: ami-c7ee5ca8
+
+acm_auto_issue_validate: true