ciinabox-ecs 0.1.6

data/config/default_params.yml.example

@@ -0,0 +1,124 @@
+#Sample file of what your params.yml file should include
+
+#ciinabox default config
+ciinabox_version: 0.1
+
+ciinabox_name: example
+
+aws_profile: example
+
+aws_region: us-east-1
+
+aws_account_id: 198712987398
+
+#override S3 bucket location
+source_bucket: source.aws.example.com
+
+#add if you want ecs docker volume != 22GB - must be > 22
+#ecs_docker_volume_size: 100
+
+#use this to change volume snapshot for running ciinabox
+#ecs_data_volume_name: "ECSDataVolume2s"
+
+#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
+#ecs_data_volume_size: 250
+
+#set the snapshot to restore from
+#ecs_data_volume_snapshot: snap-49e2b3b5
+
+#optional ciinabox name if you need more than one or you want a different name
+#stack_name: ciinabox-tools
+
+#for internal elb for jenkins
+#internal_elb: false
+
+#ciinabox ECS cluster name
+cluster_name: ciinabox
+
+#log level - change to :debug to see the AWS commands being executed
+log_level: :info
+
+#change this to your own dns_domain
+#domain needs to be manage via route53 since the cloudformation adds additional records
+dns_domain: tools.aws.example.com
+
+#icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
+
+#AWS Availability Zones Idenifers
+availability_zones:
+  - 'A'
+  - 'B'
+
+azId:
+  A: 0
+  B: 1
+  C: 2
+  D: 3
+  E: 4
+
+#ciinabox environment config
+Mappings:
+  EnvironmentType:
+    ciinabox:
+      KeyName: ciinabox
+      SSLCertARN: "arn:aws:iam::198712987398:server-certificate/ciinabox"
+      NetworkPrefix: 10
+      StackOctet: 150
+      StackMask: 16
+      SubnetMask: 26
+      NatInstanceType: t2.micro
+      ECSInstanceType: t2.large
+
+#Subnet offsets 10.150.x.0/26
+vpc:
+  SubnetOctetA: "0"
+  SubnetOctetB: "1"
+ecs:
+  SubnetOctetA: "2"
+  SubnetOctetB: "3"
+
+#Amazon Linux AMI 2015.03.1 (HVM), SSD Volume Type
+natAMI:
+  us-east-1:
+    ami: ami-60b6c60a
+  us-west-2:
+    ami: ami-f0091d91
+  ap-southeast-2:
+    ami: ami-48d38c2b
+  eu-west-1:
+    ami: ami-bff32ccc
+
+ecs_ami:
+  us-east-1:
+    ami: ami-cb2305a1
+  us-west-2:
+    ami: ami-ec75908c
+  ap-southeast-2:
+    ami: ami-83af8ae0
+  eu-west-1:
+    ami: ami-13f84d60
+
+#Environment Access
+#add list of public IP addresses you want to access the environment from
+#default to public access probably best to change this
+opsAccess:
+  - 44.33.123.223/32
+
+#add list of public IP addresses for your developers to access the environment
+#default to public access probably best to change this
+devAccess:
+  - 213.120.111.2/32 #Example
+
+# Upload a default ssl cert to AWS to be used by default to ciinabox service ELBs
+default_ssl_cert_id: "arn:aws:iam::198712987398:server-certificate/ciinabox"
+
+
+#extra_stacks:
+#  elk:
+#    #define template name? - optional
+#    file_name: elk
+#    parameters:
+#      RoleName: search
+#      CertName: x
+#      SubnetOctetA: 11
+#      SubnetOctetB: 12

data/config/default_services.yml

@@ -0,0 +1,62 @@
+# ciinabox services default configuration
+
+services:
+  - jenkins:
+      # Optional Jenkins Service Parameters
+      # ContainerImage: base2/ciinabox-jenkins:2.0
+      # ContainerMemory: 4096
+      # ContainerCPU: 300
+      # JAVA_OPTS: -Xmx4096m
+      # you only need to add these ports for JNLP slaves
+      # LoadBalancerPort: 50000
+      # InstancePort: 50000
+      # Protocol: TCP
+
+#example for Internal Port for Jenkins
+# - jenkins:
+#    LoadBalancerPort: 50000
+#    InstancePort: 50000
+#    Protocol: TCP
+# needs internal_elb: true
+# will trigger this 2nd hostname for jenkins internal-jenkins.#{dns_domain}
+
+#example for drone
+  # - drone:
+  #     params:
+  #       -
+  #         VPC:
+  #           Ref: VPC
+  #       -
+  #         SubnetPublicA:
+  #           Ref: SubnetPublicA
+  #       -
+  #         SubnetPublicB:
+  #           Ref: SubnetPublicB
+  #       -
+  #         ECSSubnetPrivateA:
+  #           Ref: ECSSubnetPrivateA
+  #       -
+  #         ECSSubnetPrivateB:
+  #           Ref: ECSSubnetPrivateB
+  #       -
+  #         SecurityGroupBackplane:
+  #           Ref: SecurityGroupBackplane
+  #       -
+  #         SecurityGroupOps:
+  #           Ref: SecurityGroupOps
+  #       -
+  #         SecurityGroupDev:
+  #           Ref: SecurityGroupDev
+  #       -
+  #         SecurityGroupNatGateway:
+  #           Ref: SecurityGroupNatGateway
+  #       -
+  #         SecurityGroupWebHooks:
+  #           Ref: SecurityGroupWebHooks
+  #       -
+  #         ECSENIPrivateIpAddress:
+  #           Ref: ECSENIPrivateIpAddress
+  #     tasks:
+  #       drone-server:
+  #         env:
+  #           DRONE_OPEN: true

data/ext/common_helper.rb

@@ -0,0 +1,21 @@
+class ::Hash
+  def deep_merge(second)
+    merger = proc { |key, v1, v2| Hash === v1 && Hash === v2 ? v1.merge(v2, &merger) : Array === v1 && Array === v2 ? v1 | v2 : [:undefined, nil, :nil].include?(v2) ? v1 : v2 }
+    self.merge(second.to_h, &merger)
+  end
+
+
+  def extend(second)
+    second.each { |k, v|
+
+      if ((self.key? k) and (v.is_a? Hash and self[k].is_a? Hash))
+        self[k].extend(v)
+      else
+        self[k] = v
+      end
+
+    } if second.is_a? Hash
+
+    self
+  end
+end

data/ext/config/managed_policies.yml

@@ -0,0 +1,156 @@
+ec2-describe:
+  action:
+    - ec2:Describe*
+    - autoscaling:Describe*
+    - elasticloadbalancing:Describe*
+
+cloudwatch-logs:
+  action:
+    - logs:CreateLogGroup
+    - logs:CreateLogStream
+    - logs:PutLogEvents
+    - logs:DescribeLogStreams
+    - logs:DescribeLogGroups
+  resource:
+    - arn:aws:logs:*:*:*
+
+cloudwatch-monitoring:
+  action:
+    - cloudwatch:PutMetricData
+    - cloudwatch:GetMetricStatistics
+    - cloudwatch:ListMetrics
+
+s3-list-buckets:
+  action:
+    - s3:ListAllMyBuckets
+    - s3:ListBucket
+
+s3-chef-ro:
+  action:
+    - s3:Get*
+    - s3:List*
+  resource:
+    - arn:aws:s3:::%{source_bucket}/chef
+    - arn:aws:s3:::%{source_bucket}/chef/*
+
+s3-environment-ro:
+  action:
+    - s3:Get*
+    - s3:List*
+  resource:
+    - arn:aws:s3:::%{source_bucket}/chef-environments
+    - arn:aws:s3:::%{source_bucket}/chef-environments/*
+
+s3-codedeploy-ro:
+  action:
+    - s3:Get*
+    - s3:List*
+  resource:
+    - arn:aws:s3:::%{source_bucket}/codedeploy
+    - arn:aws:s3:::%{source_bucket}/codedeploy/*
+
+ecs-service-role:
+  action:
+    - ecs:CreateCluster
+    - ecs:DeregisterContainerInstance
+    - ecs:DiscoverPollEndpoint
+    - ecs:Poll
+    - ecs:RegisterContainerInstance
+    - ecs:StartTelemetrySession
+    - ecs:Submit*
+    - ec2:AuthorizeSecurityGroupIngress
+    - ec2:Describe*
+    - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
+    - elasticloadbalancing:Describe*
+    - elasticloadbalancing:RegisterInstancesWithLoadBalancer
+    - autoscaling:Describe*
+
+ecr-pull-images:
+  action:
+    - ecr:BatchCheckLayerAvailability
+    - ecr:BatchGetImage
+    - ecr:Get*
+    - ecr:List*
+
+attach-ebs-volume:
+  action:
+    - ec2:DescribeVolumes
+    - ec2:AttachVolume
+    - ec2:DetachVolume
+
+attach-network-interface:
+  action:
+    - ec2:DescribeNetworkInterfaces
+    - ec2:AttachNetworkInterface
+    - ec2:DetachNetworkInterface
+
+associate-address:
+  action:
+    - ec2:AssociateAddress
+
+ssm:
+  action:
+    - ssm:DescribeAssociation
+    - ssm:GetDeployablePatchSnapshotForInstance
+    - ssm:GetDocument
+    - ssm:GetParameters
+    - ssm:ListAssociations
+    - ssm:ListInstanceAssociations
+    - ssm:PutInventory
+    - ssm:UpdateAssociationStatus
+    - ssm:UpdateInstanceAssociationStatus
+    - ssm:UpdateInstanceInformation
+
+ec2messages:
+  action:
+    - ec2messages:AcknowledgeMessage
+    - ec2messages:DeleteMessage
+    - ec2messages:FailMessage
+    - ec2messages:GetEndpoint
+    - ec2messages:GetMessages
+    - ec2messages:SendReply
+
+s3-secrets-ro:
+  action:
+    - s3:Get*
+    - s3:List*
+  resource:
+    - Fn::Join:
+      - ""
+      -
+        - 'arn:aws:s3:::'
+        - Fn::FindInMap:
+          - 'Secrets'
+          - Ref: 'EnvironmentType'
+          - 'bucket'
+        - '/'
+        - Fn::FindInMap:
+          - 'Secrets'
+          - Ref: 'EnvironmentType'
+          - 'key'
+        - '/'
+        - Ref: "EnvironmentName"
+        - '/*'
+
+route53-manage-records:
+  action:
+    - route53:ListTagsForResources
+    - route53:GetHostedZone
+    - route53:ListHostedZones
+    - route53:ListHostedZonesByName
+    - route53:ChangeResourceRecordSets
+    - route53:ListResourceRecordSets
+    - route53:ListTagsForResource
+
+acm-cert-issue:
+  action:
+    - acm:DeleteCertificate
+    - acm:DescribeCertificate
+    - acm:DescribeCertificate
+    - acm:RequestCertificate
+    - acm:ListCertificates
+
+lambda-invoke:
+  action:
+    - lambda:Get*
+    - lambda:Invoke*

data/ext/helper.rb

@@ -0,0 +1,29 @@
+# ciinabox cfndsl helpers
+def add_security_group_rules (access_list)
+  rules = []
+  access_list.each do |ip|
+    rules << { IpProtocol: 'tcp', FromPort: '22', ToPort: '22', CidrIp: ip }
+  end
+end
+
+def nat_scale_up_schedule(scale_up_schedule)
+  expr = scale_up_schedule.split
+  hour = expr[1].to_i
+  minute = expr[0].to_i
+  if minute < 10
+    minute = 60 + minute - 10
+    hour = hour - 1
+  else
+    minute = minute - 10
+  end
+  return "#{minute} #{hour} #{expr[2]} #{expr[3]} #{expr[4]}"
+end
+
+def lookup_service(name, services=[])
+  services.each do |service|
+    if service.has_key? name
+      return service[name]
+    end
+  end
+  nil
+end

data/ext/policies.rb

@@ -0,0 +1,53 @@
+require 'yaml'
+
+module Configs
+  class << self; attr_accessor :managed_policies, :all end
+  script_dir  = File.expand_path File.dirname(__FILE__)
+  @managed_policies = YAML.load(File.read("#{script_dir}/config/managed_policies.yml"))
+  @all = Hash.new.tap { |h| Dir['config/*.yml'].each { |yml| h.merge!(YAML.load(File.open(yml))) }}
+  # Override with ciinabox configs
+  ciinaboxes_dir = ENV['CIINABOXES_DIR'] || 'ciinaboxes'
+  ciinabox_name = ENV['CIINABOX'] || ''
+  (Dir["#{ciinaboxes_dir}/#{ciinabox_name}/config/*.yml"]).each { |yml|
+      @all.merge!(YAML.load(File.open(yml)))
+  }
+end
+
+class Policies
+
+  def initialize
+    @policy_array = Array.new
+    @config = Configs.all
+    @policies = (@config.key?('custom_policies') ? Configs.managed_policies.merge(@config['custom_policies']) : Configs.managed_policies)
+  end
+
+  def get_policies(group = nil)
+    create_policies(@config['default_policies']) if @config.key?('default_policies')
+    create_policies(@config['group_policies'][group]) unless group.nil?
+    return @policy_array
+  end
+
+  def create_policies(policies)
+    policies.each do |policy|
+      raise "ERROR: #{policy} policy doesn't exist in the managed policies or as a custom policy" unless @policies.key?(policy)
+      resource = (@policies[policy].key?('resource') ? gsub_yml(@policies[policy]['resource']) : ["*"])
+      @policy_array << { PolicyName: policy, PolicyDocument: { Statement: [ { Effect:"Allow", Action: @policies[policy]['action'], Resource: resource }]} }
+    end
+    return @policy_array
+  end
+
+  # replaces %{variables} in the yml
+  def gsub_yml(resource)
+    replaced = []
+    resource.each { |r|
+      if r.is_a? String
+        replaced << r.gsub('%{source_bucket}', @config['source_bucket'])
+      else
+        replaced << r
+      end
+    }
+
+    return replaced
+  end
+
+end