ciinabox-ecs 0.1.6

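--- /dev/null
+++ b/data/bin/Rakefile
@@ -0,0 +1 @@
+import './../Rakefile'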
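--- /dev/null
+++ b/data/bin/ciinabox-ecs
@@ -0,0 +1,2 @@
+#!/usr/bin/env ruby
+require_relative('./ciinabox-ecs')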
@@ -0,0 +1,60 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require 'rake'
4
+ require 'optparse'
5
+
6
+ class CiinaboxEcsCli
7
+
8
+ def main(args)
9
+ script_dir = File.expand_path File.dirname(__FILE__)
10
+ old_pwd = Dir.pwd
11
+
12
+ Rake::TaskManager.record_task_metadata = true
13
+
14
+ Dir.chdir script_dir
15
+ app = Rake.application
16
+ app.init
17
+ app.load_rakefile
18
+
19
+ actions = app.tasks.map { |t| t.name.gsub('ciinabox:', '') }
20
+
21
+ if (args.size() ==0) or
22
+ (args.size() < 2 and (not %w(init full_install).include? args[0])) or
23
+ (args[0] == 'help') or
24
+ (not actions.include? args[0])
25
+ STDERR.puts("Usage: ciinabox-ecs action1 action2 action3 ciinabox_name")
26
+ STDERR.puts("Valid actions:")
27
+ STDERR.printf("%-20s |%-20s\n\n", 'name', 'description')
28
+ app.tasks.each do |action|
29
+ STDERR.printf("%-20s |%-20s\n", action.name.gsub('ciinabox:', ''), action.comment)
30
+ end
31
+ exit 0 if args[0] == 'help'
32
+ exit -1
33
+ end
34
+
35
+ methods = args[0..args.size()-2]
36
+ ciinabox_name = args[args.size()-1]
37
+
38
+ ENV['CIINABOX'] = ciinabox_name
39
+
40
+ if ENV.key? 'CIINABOXES_DIR'
41
+ ENV['CIINABOXES_DIR'] = File.expand_path(ENV['CIINABOXES_DIR'])
42
+ else
43
+ ENV['CIINABOXES_DIR'] = old_pwd
44
+ end
45
+
46
+ methods.each do |method_name|
47
+ Dir.chdir(script_dir)
48
+ Rake.application = nil
49
+ app = Rake.application
50
+ app.init
51
+ app.load_rakefile
52
+ Dir.chdir(old_pwd)
53
+ app["ciinabox:#{method_name}"].invoke()
54
+ end
55
+
56
+ end
57
+
58
+ end
59
+
60
+ CiinaboxEcsCli.new.main(ARGV)
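Review bot: Only `args[0]` is validated against `actions` in the usage guard (`(not actions.include? args[0])`), so a typo anywhere else in the action list is only caught by `app["ciinabox:#{method_name}"]` after the preceding tasks have already run against the account. Right after `methods` is computed, fail fast with `unknown = methods - actions` and `abort("Unknown action(s): #{unknown.join(', ')}") unless unknown.empty?`. Separately, `exit -1` yields process status 255 where `exit 1` is the conventional failure code, and the `or`/`and`/`not` chain in the guard reads more safely as `||`/`&&`/`!`. Note also that with a single `init`/`full_install` argument `args[0..args.size()-2]` spans the whole array, so `ciinabox_name` becomes the action name itself; presumably intended, but worth a one-line comment so the next reader does not "fix" it.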
@@ -0,0 +1,71 @@
1
+ #ciinabox default config
2
+ ciinabox_name: <%= ciinabox_name %>
3
+
4
+ aws_profile: <%= ciinabox_aws_profile %>
5
+
6
+ aws_region: <%= ciinabox_region %>
7
+
8
+ aws_account_id: <%= ciinabox_aws_account %>
9
+
10
+ stack_name: <%= stack_name %>
11
+
12
+ #override S3 bucket location
13
+ source_bucket: <%= ciinabox_source_bucket %>
14
+
15
+ #change this to your own dns_domain
16
+ #domain needs to be manage via route53 since the cloudformation adds additional records
17
+ dns_domain: <%= ciinabox_tools_domain %>
18
+
19
+ #Environment Access
20
+ #add list of public IP addresses you want to access the environment from
21
+ #default to public access probably best to change this
22
+ opsAccess:
23
+ - <%=my_public_ip%>
24
+ #add list of public IP addresses for your developers to access the environment
25
+ #default to public access probably best to change this
26
+ devAccess:
27
+ - <%=my_public_ip%>
28
+
29
+ # Upload a default ssl cert to AWS to be used by default to ciinabox service ELBs
30
+ default_ssl_cert_id: "arn:aws:iam::<%= ciinabox_aws_account %>:server-certificate/ciinabox"
31
+
32
+ acm_auto_issue_validate: <%= acm_auto_issue_validate%>
33
+
34
+ <% if ciinabox_docker_repo != '' %>
35
+ ciinabox_repo: <%= ciinabox_docker_repo %>
36
+ <% end %>
37
+
38
+ include_diind_slave: <%= include_dind_slave %>
39
+ include_dood_slave: <%= include_dood_slave %>
40
+ include_bastion_stack: false
41
+
42
+ <% if (defined? ciinabox_iam_role_name) and (not ciinabox_iam_role_name.nil?) and (ciinabox_iam_role_name.strip != '') %>
43
+ ciinabox_iam_role_name: <%= ciinabox_iam_role_name %>
44
+ <% end %>
45
+ #add if you want volatile jenkins docker slave -- Note: by default jenkins docker slave mounts /data/jenkins-dind (on host) to /var/lib/docker (on container)
46
+ #volatile_jenkins_slave: true
47
+
48
+ #add if you want ecs docker volume != 22GB - must be > 22
49
+ #ecs_docker_volume_size: 100
50
+
51
+ #use this to change volume snapshot for running ciinabox
52
+ #ecs_data_volume_name: "ECSDataVolume2s"
53
+
54
+ #set the snapshot to restore from
55
+ #ecs_data_volume_snapshot: snap-49e2b3b5
56
+
57
+ #set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
58
+ #ecs_data_volume_size: 250
59
+
60
+ #optional ciinabox name if you need more than one or you want a different name
61
+ #stack_name: ciinabox-tools
62
+
63
+ #for internal elb for jenkins
64
+ #internal_elb: false
65
+
66
+ #icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
67
+
68
+ # Uncomment below to enable ciinabox environment scheduling
69
+ # times are in UTC
70
+ # scale_up_schedule: 0 7 * * 1-5
71
+ # scale_down_schedule: 0 19 * * *
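Review bot: The `<% if ciinabox_docker_repo != '' %>` guard does not handle a nil binding the way the `ciinabox_iam_role_name` guard further down does, so a nil `ciinabox_docker_repo` renders `ciinabox_repo:` with an empty value instead of omitting the key. Use the same normalisation in both places, e.g. `<% if ciinabox_docker_repo.to_s.strip != '' %>`. The comments above `opsAccess` and `devAccess` say the list defaults to public access, but the template actually renders `<%=my_public_ip%>`; reword them to match, e.g. `#defaults to the public IP rendered into this file; add any other addresses that need access`. Also `include_diind_slave` is misspelled consistently here and in the default config, so a rename has to touch both files and whatever reads the key.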
@@ -0,0 +1,26 @@
1
+ default_lambdas:
2
+ roles:
3
+ acmissuevalidate:
4
+ policies_managed:
5
+ - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
6
+ policies_inline:
7
+ - cloudwatch-logs
8
+ - route53-manage-records
9
+ - acm-cert-issue
10
+ - lambda-invoke
11
+
12
+ functions:
13
+ CRIssueACMCertificate:
14
+ local: true
15
+ role: acmissuevalidate
16
+ package_cmd: ./install.sh
17
+ runtime: python3.6
18
+ code: lambdas/acm_issuer_validator/lib
19
+ vpc: false
20
+ named: false
21
+ timeout: 60
22
+ handler: aws_acm_cert_validator_lambda/handler.lambda_handler
23
+ environment:
24
+ MAX_WAIT_TIME: 600
25
+ allowed_sources:
26
+ - principal: cloudformation.amazonaws.com
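Review bot: The `allowed_sources` entry grants invoke permission to the `cloudformation.amazonaws.com` service principal with no source-account or source-ARN restriction visible in this file, which is the classic confused-deputy shape for service-principal permissions; if the generator that consumes this file supports a SourceAccount/SourceArn condition, add one so only CloudFormation acting for this account can invoke `CRIssueACMCertificate`, and if it does not, note that limitation in a comment above the entry. Also `timeout: 60` sits alongside `MAX_WAIT_TIME: 600`; if that value is in seconds the function is killed by Lambda long before its own wait limit, so one of the two should change — confirm the unit in the handler before adjusting.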
@@ -0,0 +1,303 @@
1
+ ciinabox_version: 0.1
2
+
3
+ #ciinabox ECS cluster name
4
+ cluster_name: ciinabox
5
+
6
+ #you may want a different ciinabox-stack name, e.g if you have 2 ciinaboxes
7
+ stack_name: ciinabox
8
+
9
+ #log level - change to :debug to see the AWS commands being executed
10
+ log_level: ':info'
11
+
12
+ #change this to your own timezone
13
+ timezone: GMT
14
+
15
+ #change for internal ELBs
16
+ internal_elb: false
17
+
18
+ #add if you want ecs root volume != 8GB - must be > 8
19
+ #ecs_root_volume_size: 30
20
+
21
+ #add if you want ecs docker volume != 22GB - must be > 22
22
+ #ecs_docker_volume_size: 100
23
+
24
+ #use this to change volume snapshot for running ciinabox
25
+ #ecs_data_volume_name: "ECSDataVolume2s"
26
+
27
+ #set the snapshot to restore from
28
+ #ecs_data_volume_snapshot: snap-49e2b3b5
29
+
30
+ #set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
31
+ #ecs_data_volume_size: 250
32
+
33
+ #optional ciinabox name if you need more than one or you want a different name
34
+ #stack_name: ciinabox-tools
35
+
36
+ #for internal elb for jenkins
37
+ #internal_elb: false
38
+
39
+ #icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
40
+
41
+ #AWS Availability Zones Idenifers
42
+ availability_zones:
43
+ - 'A'
44
+ - 'B'
45
+
46
+ azId:
47
+ A: 0
48
+ B: 1
49
+ C: 2
50
+ D: 3
51
+ E: 4
52
+
53
+ #Subnet offsets 10.150.x.0/26
54
+ vpc:
55
+ SubnetOctetA: "0"
56
+ SubnetOctetB: "1"
57
+ ecs:
58
+ SubnetOctetA: "2"
59
+ SubnetOctetB: "3"
60
+ lambdaSubnets:
61
+ SubnetOctetA: "4"
62
+ SubnetOctetB: "5"
63
+
64
+ #ciinabox environment config
65
+ Mappings:
66
+ EnvironmentType:
67
+ ciinabox:
68
+ KeyName: ciinabox
69
+ NetworkPrefix: 10
70
+ StackOctet: 150
71
+ StackMask: 16
72
+ SubnetMask: 26
73
+ NatInstanceType: t2.micro
74
+ ECSInstanceType: t2.large
75
+
76
+ #Amazon Linux AMI 2015.03.1 (HVM), SSD Volume Type
77
+ natAMI:
78
+ us-east-1:
79
+ ami: ami-60b6c60a
80
+ us-west-2:
81
+ ami: ami-f0091d91
82
+ ap-southeast-2:
83
+ ami: ami-48d38c2b
84
+ eu-west-1:
85
+ ami: ami-bff32ccc
86
+ ap-southeast-1:
87
+ ami: ami-c9b572aa
88
+
89
+ ecs_ami:
90
+ us-east-1:
91
+ ami: ami-04351e12
92
+ us-west-2:
93
+ ami: ami-57d9cd2e
94
+ ap-southeast-2:
95
+ ami: ami-42e9f921
96
+ eu-west-1:
97
+ ami: ami-809f84e6
98
+ ap-southeast-1:
99
+ ami: ami-19f7787a
100
+
101
+ #Webhook access only via https
102
+ webHooks:
103
+ #github
104
+ - 192.30.252.0/22
105
+ #bitbucket cloud
106
+ - 104.192.142.0/24
107
+ - 104.192.136.0/21
108
+ - 131.103.26.0/23
109
+ - 131.103.26.0/24
110
+ - 131.103.27.0/24
111
+ - 131.103.29.0/24
112
+ - 165.254.226.0/23
113
+ - 165.254.226.0/24
114
+ - 165.254.227.0/24
115
+ - 131.103.28.0/24
116
+ - 185.166.140.0/22
117
+
118
+ # if set to true, security group allowing connections from NAT gateway will be assigned to
119
+ # ecs cluster (useful for windows jenkins slaves)
120
+ allow_nat_connections: false
121
+
122
+ # This option applies only for docker-in-docker jenkins slave
123
+ # If slave is volatile, docker images data is not volume-mounted from EBS drive, and is lost once
124
+ # jenkins slave is stopped (e.g. service task restarted)
125
+ volatile_jenkins_slave: false
126
+
127
+ # Include docker-in-docker jenkins slave as part of service task definition
128
+ include_diind_slave: true
129
+
130
+ # Include docker-outside-of-docker jenkins slave as part of service task definition
131
+ # Docker version will be dependant on underlying ECS host
132
+ include_dood_slave: false
133
+
134
+ # allows overwrite for ciinabox docker slave version
135
+ # currently 17.03.2-ce (tagged as latest) and 17.06.1-ce are supported
136
+ # see https://hub.docker.com/r/base2/ciinabox-docker-slave/tags/ for further details
137
+ docker_slave_version: 17.03.2-ce
138
+
139
+ # Feature toggle for ECR Credentials helper, controlled via USE_ECR_CREDENTIAL_HELPER environment variable
140
+ # If ecr credential helper is configured, it will fail on docker login command
141
+ docker_slave_enable_ecr_credentials_helper: false
142
+
143
+ # Uncomment line below if you want to use external IAM role for Instance Profile
144
+ # Note that if this options is used, permissions from 'ecs_iam_role_permissions_default'
145
+ # and 'ecs_iam_role_permissions_extras' are disregarded
146
+
147
+ # ciinabox_iam_role_name: 'ciinabox'
148
+ # Indicates whether bastion stack allowing user to access ciinabox host
149
+ # from public network will be created or not
150
+ include_bastion_stack: false
151
+
152
+ # if set to true, docker volume will be formatted as ext4 and volume-mounted under /var/lib/docker.
153
+ # Used if ECS AMI is configured with overlay2 driver. Defaults to false, as Amazon ECS AMIs (default)
154
+ # are using devicemapper, which gets configured automatically. Main advantage of using overlay2 over devicemapper is
155
+ # device size limitation
156
+ ecs_docker_volume_volumemount: false
157
+
158
+
159
+ # if set to true, EBS data volumes will be tagged to be backed up with shelvery aws backup manager
160
+ # also, retention periods can be controlled from here
161
+ data_volume_shelvery_backups: true
162
+ data_volume_retain_daily_backups: 7
163
+ data_volume_retain_weekly_backups: 4
164
+ data_volume_reatin_monthly_backups: 12
165
+
166
+
167
+ ecs_iam_role_permissions_default:
168
+ - name: assume-role
169
+ actions:
170
+ - sts:AssumeRole
171
+ resource: '*'
172
+
173
+ - name: read-only
174
+ actions:
175
+ - ec2:Describe*
176
+ - s3:Get*
177
+ - s3:List*
178
+ resource: '*'
179
+
180
+ - name: s3-write
181
+ actions:
182
+ - s3:PutObject
183
+ - s3:PutObject*
184
+ resource: '*'
185
+
186
+ - name: Route53
187
+ actions:
188
+ - route53:ChangeResourceRecordSets
189
+ - route53:ListHostedZonesByName
190
+ resource: '*'
191
+
192
+ - name: ecsServiceRole
193
+ actions:
194
+ - ecs:CreateCluster
195
+ - ecs:DeregisterContainerInstance
196
+ - ecs:DiscoverPollEndpoint
197
+ - ecs:Poll
198
+ - ecs:RegisterContainerInstance
199
+ - ecs:StartTelemetrySession
200
+ - ecs:Submit*
201
+ - ec2:AuthorizeSecurityGroupIngress
202
+ - ec2:Describe*
203
+ - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
204
+ - elasticloadbalancing:Describe*
205
+ - elasticloadbalancing:RegisterInstancesWithLoadBalancer
206
+ resource: '*'
207
+
208
+ - name: ssm-run-command
209
+ actions:
210
+ - ssm:DescribeAssociation
211
+ - ssm:GetDocument
212
+ - ssm:ListAssociations
213
+ - ssm:UpdateAssociationStatus
214
+ - ssm:UpdateInstanceInformation
215
+ - ec2messages:AcknowledgeMessage
216
+ - ec2messages:DeleteMessage
217
+ - ec2messages:FailMessage
218
+ - ec2messages:GetEndpoint
219
+ - ec2messages:GetMessages
220
+ - ec2messages:SendReply
221
+ - cloudwatch:PutMetricData
222
+ - ec2:DescribeInstanceStatus
223
+ - ds:CreateComputer
224
+ - ds:DescribeDirectories
225
+ - logs:CreateLogGroup
226
+ - logs:CreateLogStream
227
+ - logs:DescribeLogGroups
228
+ - logs:DescribeLogStreams
229
+ - logs:PutLogEvents
230
+ - s3:PutObject
231
+ - s3:GetObject
232
+ - s3:AbortMultipartUpload
233
+ - s3:ListMultipartUploadParts
234
+ - s3:ListBucketMultipartUploads
235
+ resource: '*'
236
+
237
+ - name: ecr
238
+ actions:
239
+ - ecr:*
240
+ resource: '*'
241
+
242
+ - name: packer
243
+ actions:
244
+ - cloudformation:*
245
+ - ec2:AttachVolume
246
+ - ec2:CreateVolume
247
+ - ec2:DeleteVolume
248
+ - ec2:CreateKeypair
249
+ - ec2:DeleteKeypair
250
+ - ec2:CreateSecurityGroup
251
+ - ec2:DeleteSecurityGroup
252
+ - ec2:AuthorizeSecurityGroupIngress
253
+ - ec2:CreateImage
254
+ - ec2:RunInstances
255
+ - ec2:TerminateInstances
256
+ - ec2:StopInstances
257
+ - ec2:DescribeVolumes
258
+ - ec2:DetachVolume
259
+ - ec2:DescribeInstances
260
+ - ec2:CreateSnapshot
261
+ - ec2:DeleteSnapshot
262
+ - ec2:DescribeSnapshots
263
+ - ec2:DescribeImages
264
+ - ec2:RegisterImage
265
+ - ec2:CreateTags
266
+ - ec2:ModifyImageAttribute
267
+ - ec2:GetPasswordData
268
+ - iam:PassRole
269
+ - dynamodb:*
270
+ resource: '*'
271
+
272
+
273
+ #extra_stacks:
274
+ # elk:
275
+ # #define template name? - optional
276
+ # file_name: elk
277
+ # parameters:
278
+ # RoleName: search
279
+ # CertName: x
280
+ # StackOctetA: 11
281
+ # StackOctetB: 12
282
+ bastionInstanceType: t2.micro
283
+ bastionAMI:
284
+ us-east-1:
285
+ ami: ami-55ef662f
286
+ us-east-2:
287
+ ami: ami-c5062ba0
288
+ us-west-2:
289
+ ami: ami-e689729e
290
+ us-west-1:
291
+ ami: ami-02eada62
292
+ ap-southeast-1:
293
+ ami: ami-0797ea64
294
+ ap-southeast-2:
295
+ ami: ami-8536d6e7
296
+ eu-west-1:
297
+ ami: ami-acd005d5
298
+ eu-west-2:
299
+ ami: ami-1a7f6d7e
300
+ eu-central-1:
301
+ ami: ami-c7ee5ca8
302
+
303
+ acm_auto_issue_validate: true
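Review bot: The `packer` entry in `ecs_iam_role_permissions_default` grants `iam:PassRole` (next to `cloudformation:*` and `dynamodb:*`) on `resource: '*'`, which lets the ECS instance role hand any role in the account to CloudFormation or EC2; since this block is the default for every ciinabox, PassRole should be split into its own entry scoped to the role ARN(s) packer actually needs, and `sts:AssumeRole` in the `assume-role` entry likewise scoped to named roles. The key `data_volume_reatin_monthly_backups` is misspelled (`retain`); if the consumer looks up the correctly spelled key the monthly retention silently falls back to its default, so fix the spelling here and in the consumer together. The `# ciinabox_iam_role_name: 'ciinabox'` example is separated from its explanatory comment by a blank line and runs into the bastion comment; move it up under its own comment and add the blank line after it.
```yaml
  - name: packer-passrole
    actions:
      - iam:PassRole
    resource: '<PLACEHOLDER_ROLE_ARN_PACKER_PASSES>'  # placeholder: the specific role ARN(s), not '*'
# … unchanged: the existing packer entry with iam:PassRole removed from its actions …
```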