ciinabox-ecs 0.1.6

Sign up to get free protection for your applications and to get access to all the features.
Files changed (32) hide show
  1. checksums.yaml +7 -0
  2. data/Gemfile +7 -0
  3. data/LICENSE.txt +22 -0
  4. data/README.md +458 -0
  5. data/Rakefile +649 -0
  6. data/bin/Rakefile +1 -0
  7. data/bin/ciinabox-ecs +2 -0
  8. data/bin/ciinabox-ecs.rb +60 -0
  9. data/config/ciinabox_params.yml.erb +71 -0
  10. data/config/default_lambdas.yml +26 -0
  11. data/config/default_params.yml +303 -0
  12. data/config/default_params.yml.example +124 -0
  13. data/config/default_services.yml +62 -0
  14. data/ext/common_helper.rb +21 -0
  15. data/ext/config/managed_policies.yml +156 -0
  16. data/ext/helper.rb +29 -0
  17. data/ext/policies.rb +53 -0
  18. data/ext/zip_helper.rb +57 -0
  19. data/lambdas/acm_issuer_validator/lib/install.sh +20 -0
  20. data/templates/bastion.rb +121 -0
  21. data/templates/ciinabox.rb +159 -0
  22. data/templates/ecs-cluster.rb +252 -0
  23. data/templates/ecs-services.rb +340 -0
  24. data/templates/lambdas.rb +172 -0
  25. data/templates/services/bitbucket.rb +81 -0
  26. data/templates/services/drone.rb +394 -0
  27. data/templates/services/hawtio.rb +100 -0
  28. data/templates/services/icinga2.rb +79 -0
  29. data/templates/services/jenkins.rb +209 -0
  30. data/templates/services/nexus.rb +96 -0
  31. data/templates/vpc.rb +290 -0
  32. metadata +144 -0
data/templates/ecs-services.rb ADDED
@@ -0,0 +1,340 @@
1
+ require 'cfndsl'
2
+
3
+ CloudFormation {
4
+
5
+ # Template metadata
6
+ AWSTemplateFormatVersion "2010-09-09"
7
+ Description "ciinabox - ECS Services v#{ciinabox_version}"
8
+
9
+ # Parameters
10
+ Parameter("ECSCluster") { Type 'String' }
11
+ Parameter("VPC") { Type 'String' }
12
+ Parameter("SubnetPublicA") { Type 'String' }
13
+ Parameter("SubnetPublicB") { Type 'String' }
14
+ Parameter("ECSSubnetPrivateA") { Type 'String' }
15
+ Parameter("ECSSubnetPrivateB") { Type 'String' }
16
+ Parameter("ECSENIPrivateIpAddress") { Type 'String' }
17
+ Parameter("SecurityGroupBackplane") { Type 'String' }
18
+ Parameter("SecurityGroupOps") { Type 'String' }
19
+ Parameter("SecurityGroupDev") { Type 'String' }
20
+ Parameter('SecurityGroupNatGateway') { Type 'String' }
21
+
22
+ # Lambda function ARN for CR that creates and validates ACM
23
+ Parameter('CRAcmCertArn') { Type 'String' }
24
+
25
+ Resource("ECSRole") {
26
+ Type 'AWS::IAM::Role'
27
+ Property('AssumeRolePolicyDocument', {
28
+ Statement: [
29
+ Effect: 'Allow',
30
+ Principal: { Service: ['ecs.amazonaws.com'] },
31
+ Action: ['sts:AssumeRole']
32
+ ]
33
+ })
34
+ Property('Path', '/')
35
+ Property('Policies', [
36
+ {
37
+ PolicyName: 'read-only',
38
+ PolicyDocument: {
39
+ Statement: [
40
+ {
41
+ Effect: 'Allow',
42
+ Action: ['ec2:Describe*', 's3:Get*', 's3:List*'],
43
+ Resource: '*'
44
+ }
45
+ ]
46
+ }
47
+ },
48
+ {
49
+ PolicyName: 's3-write',
50
+ PolicyDocument: {
51
+ Statement: [
52
+ {
53
+ Effect: 'Allow',
54
+ Action: ['s3:PutObject', 's3:PutObject*'],
55
+ Resource: '*'
56
+ }
57
+ ]
58
+ }
59
+ },
60
+ #http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
61
+ {
62
+ PolicyName: 'ecsServiceRole',
63
+ PolicyDocument: {
64
+ Statement: [
65
+ {
66
+ Effect: 'Allow',
67
+ Action: [
68
+ "ec2:AttachNetworkInterface",
69
+ "ec2:CreateNetworkInterface",
70
+ "ec2:CreateNetworkInterfacePermission",
71
+ "ec2:DeleteNetworkInterface",
72
+ "ec2:DeleteNetworkInterfacePermission",
73
+ "ec2:Describe*",
74
+ "ec2:DetachNetworkInterface",
75
+ "ecs:CreateCluster",
76
+ "ecs:DeregisterContainerInstance",
77
+ "ecs:DiscoverPollEndpoint",
78
+ "ecs:Poll",
79
+ "ecs:RegisterContainerInstance",
80
+ "ecs:StartTelemetrySession",
81
+ "ecs:Submit*",
82
+ "ec2:AuthorizeSecurityGroupIngress",
83
+ "ec2:Describe*",
84
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
85
+ "elasticloadbalancing:DeregisterTargets",
86
+ "elasticloadbalancing:Describe*",
87
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
88
+ "elasticloadbalancing:RegisterTargets",
89
+ "ecr:GetAuthorizationToken",
90
+ "ecr:BatchCheckLayerAvailability",
91
+ "ecr:GetDownloadUrlForLayer",
92
+ "ecr:BatchGetImage",
93
+ "logs:CreateLogStream",
94
+ "logs:PutLogEvents"
95
+ ],
96
+ Resource: '*'
97
+ }
98
+ ]
99
+ }
100
+ },
101
+ {
102
+ PolicyName: 'packer',
103
+ PolicyDocument: {
104
+ Statement: [
105
+ {
106
+ Effect: 'Allow',
107
+ Action: [
108
+ 'ec2:AttachVolume',
109
+ 'ec2:CreateVolume',
110
+ 'ec2:DeleteVolume',
111
+ 'ec2:CreateKeypair',
112
+ 'ec2:DeleteKeypair',
113
+ 'ec2:CreateSecurityGroup',
114
+ 'ec2:DeleteSecurityGroup',
115
+ 'ec2:AuthorizeSecurityGroupIngress',
116
+ 'ec2:CreateImage',
117
+ 'ec2:RunInstances',
118
+ 'ec2:TerminateInstances',
119
+ 'ec2:StopInstances',
120
+ 'ec2:DescribeVolumes',
121
+ 'ec2:DetachVolume',
122
+ 'ec2:DescribeInstances',
123
+ 'ec2:CreateSnapshot',
124
+ 'ec2:DeleteSnapshot',
125
+ 'ec2:DescribeSnapshots',
126
+ 'ec2:DescribeImages',
127
+ 'ec2:RegisterImage',
128
+ 'ec2:CreateTags',
129
+ 'ec2:ModifyImageAttribute',
130
+ 'dynamodb:*'
131
+ ],
132
+ Resource: '*'
133
+ }
134
+ ]
135
+ }
136
+ }
137
+ ])
138
+ }
139
+
140
+ if defined? webHooks
141
+ rules = []
142
+ webHooks.each do |ip|
143
+ rules << { IpProtocol: 'tcp', FromPort: '443', ToPort: '443', CidrIp: ip }
144
+ end
145
+ else
146
+ rules = [{ IpProtocol: 'tcp', FromPort: '443', ToPort: '443', CidrIp: '192.168.1.1/32' }]
147
+ end
148
+
149
+ Resource("SecurityGroupWebHooks") {
150
+ Type 'AWS::EC2::SecurityGroup'
151
+ Property('VpcId', Ref('VPC'))
152
+ Property('GroupDescription', 'WebHooks like github')
153
+ Property('SecurityGroupIngress', rules)
154
+ }
155
+
156
+ Resource('ToolsSSLCertificate') {
157
+ Type 'Custom::AwsAcmIssueValidator'
158
+ Property('ServiceToken', Ref('CRAcmCertArn'))
159
+ Property('DomainName', "*.#{dns_domain}")
160
+ Property('FallbackCertificateArn', default_ssl_cert_id)
161
+ } if acm_auto_issue_validate
162
+
163
+ certificate_arn = acm_auto_issue_validate ?
164
+ FnGetAtt('ToolsSSLCertificate', 'CertificateArn') : default_ssl_cert_id
165
+
166
+ Output('DefaultSSLCertificate') {
167
+ Value(certificate_arn)
168
+ }
169
+
170
+ elb_listners = []
171
+ elb_listners << { LoadBalancerPort: '80', InstancePort: '8080', Protocol: 'HTTP' }
172
+ elb_listners << { LoadBalancerPort: '443', InstancePort: '8080', Protocol: 'HTTPS', SSLCertificateId: certificate_arn }
173
+ services.each do |service|
174
+ if service.is_a?(Hash) && (!service.values.include? nil)
175
+ service.each do |name, properties|
176
+ unless properties['LoadBalancerPort'].nil? || properties['InstancePort'].nil? || properties['Protocol'].nil?
177
+ elb_listners << { LoadBalancerPort: properties['LoadBalancerPort'], InstancePort: properties['InstancePort'], Protocol: properties['Protocol'] }
178
+ end
179
+ end
180
+ end
181
+ end
182
+
183
+ proxy_elb_sgs = [
184
+ Ref('SecurityGroupBackplane'),
185
+ Ref('SecurityGroupOps'),
186
+ Ref('SecurityGroupDev'),
187
+ Ref('SecurityGroupWebHooks')
188
+ ]
189
+
190
+ proxy_elb_sgs << Ref('SecurityGroupNatGateway') if allow_nat_connections
191
+
192
+ Resource('CiinaboxProxyELB') {
193
+ Type 'AWS::ElasticLoadBalancing::LoadBalancer'
194
+ Property('Listeners', elb_listners)
195
+ Property('HealthCheck', {
196
+ Target: "TCP:8080",
197
+ HealthyThreshold: '3',
198
+ UnhealthyThreshold: '2',
199
+ Interval: '15',
200
+ Timeout: '5'
201
+ })
202
+ Property('CrossZone', true)
203
+ Property('SecurityGroups', proxy_elb_sgs)
204
+ Property('Subnets', [
205
+ Ref('SubnetPublicA'), Ref('SubnetPublicB')
206
+ ])
207
+ }
208
+
209
+ Resource("CiinaboxProxyDNS") {
210
+ Type 'AWS::Route53::RecordSet'
211
+ Property('HostedZoneName', FnJoin('', [dns_domain, '.']))
212
+ Property('Name', FnJoin('', ['*.', dns_domain, '.']))
213
+ Property('Type', 'A')
214
+ Property('AliasTarget', {
215
+ 'DNSName' => FnGetAtt('CiinaboxProxyELB', 'DNSName'),
216
+ 'HostedZoneId' => FnGetAtt('CiinaboxProxyELB', 'CanonicalHostedZoneNameID')
217
+ })
218
+ }
219
+
220
+ if defined? internal_elb and internal_elb
221
+ Resource('CiinaboxProxyELBInternal') {
222
+ Type 'AWS::ElasticLoadBalancing::LoadBalancer'
223
+ Property('Listeners', elb_listners)
224
+ Property('Scheme', 'internal')
225
+ Property('HealthCheck', {
226
+ Target: "TCP:8080",
227
+ HealthyThreshold: '3',
228
+ UnhealthyThreshold: '2',
229
+ Interval: '15',
230
+ Timeout: '5'
231
+ })
232
+ Property('CrossZone', true)
233
+ Property('SecurityGroups', [
234
+ Ref('SecurityGroupBackplane'),
235
+ Ref('SecurityGroupOps'),
236
+ Ref('SecurityGroupDev'),
237
+ Ref('SecurityGroupWebHooks')
238
+ ])
239
+ Property('Subnets', [
240
+ Ref('ECSSubnetPrivateA'), Ref('ECSSubnetPrivateB')
241
+ ])
242
+ }
243
+
244
+ services.each do |service|
245
+ #Services look like this:
246
+ #[
247
+ # {\"jenkins\"=>{\"LoadBalancerPort\"=>50000, \"InstancePort\"=>50000, \"Protocol\"=>\"TCP\"}}",
248
+ # {\"bitbucket\"=>{\"LoadBalancerPort\"=>22, \"InstancePort\"=>7999, \"Protocol\"=>\"TCP\"}}"
249
+ #]
250
+ name, details = service.first
251
+ Resource("CiinaboxProxyDNSInternal") {
252
+ Type 'AWS::Route53::RecordSet'
253
+ Property('HostedZoneName', FnJoin('', [dns_domain, '.']))
254
+ Property('Name', FnJoin('', ["internal-#{name}.", dns_domain, '.']))
255
+ Property('Type', 'A')
256
+ Property('AliasTarget', {
257
+ 'DNSName' => FnGetAtt('CiinaboxProxyELBInternal', 'DNSName'),
258
+ 'HostedZoneId' => FnGetAtt('CiinaboxProxyELB', 'CanonicalHostedZoneNameID')
259
+ })
260
+ }
261
+ end
262
+ end
263
+
264
+ Resource('ProxyTask') {
265
+ Type "AWS::ECS::TaskDefinition"
266
+ Property('ContainerDefinitions', [
267
+ {
268
+ Name: 'proxy',
269
+ Memory: 256,
270
+ Cpu: 100,
271
+ Image: 'jwilder/nginx-proxy',
272
+ PortMappings: [{
273
+ HostPort: 8080,
274
+ ContainerPort: 80
275
+ }],
276
+ Essential: true,
277
+ MountPoints: [
278
+ {
279
+ ContainerPath: '/etc/localtime',
280
+ SourceVolume: 'timezone',
281
+ ReadOnly: true
282
+ },
283
+ {
284
+ ContainerPath: '/tmp/docker.sock',
285
+ SourceVolume: 'docker_sock',
286
+ ReadOnly: false
287
+ }
288
+ ]
289
+ }
290
+ ])
291
+ Property('Volumes', [
292
+ {
293
+ Name: 'timezone',
294
+ Host: {
295
+ SourcePath: '/etc/localtime'
296
+ }
297
+ },
298
+ {
299
+ Name: 'docker_sock',
300
+ Host: {
301
+ SourcePath: '/var/run/docker.sock'
302
+ }
303
+ }
304
+ ])
305
+ }
306
+
307
+ Resource('ProxyService') {
308
+ Type 'AWS::ECS::Service'
309
+ Property('Cluster', Ref('ECSCluster'))
310
+ Property('DesiredCount', 1)
311
+ Property('Role', Ref('ECSRole'))
312
+ Property('TaskDefinition', Ref('ProxyTask'))
313
+ Property('LoadBalancers', [
314
+ { ContainerName: 'proxy', ContainerPort: '80', LoadBalancerName: Ref('CiinaboxProxyELB') }
315
+ ])
316
+ }
317
+
318
+ services.each do |name|
319
+ name.each do |service_name, service|
320
+ params = {
321
+ ECSCluster: Ref('ECSCluster'),
322
+ ECSRole: Ref('ECSRole'),
323
+ ServiceELB: Ref('CiinaboxProxyELB')
324
+ }
325
+ params['InternalELB'] = Ref('CiinaboxProxyELBInternal') if defined? internal_elb and internal_elb
326
+ if (defined? service['params']) and service['params'].kind_of?(Array)
327
+ service['params'].each do |param|
328
+ params.merge!(param)
329
+ end
330
+ end
331
+ # ECS Task Def and Service Stack
332
+ Resource("#{service_name}Stack") {
333
+ Type 'AWS::CloudFormation::Stack'
334
+ Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/services/#{service_name}.json")
335
+ Property('TimeoutInMinutes', 5)
336
+ Property('Parameters', params)
337
+ }
338
+ end
339
+ end
340
+ }
data/templates/lambdas.rb ADDED
@@ -0,0 +1,172 @@
1
+ require 'cfndsl'
2
+ require 'digest'
3
+ require 'base64'
4
+ require_relative '../ext/policies'
5
+ class Lambdas
6
+
7
+
8
+ def initialize(config)
9
+ puts config
10
+ @config = config
11
+ end
12
+
13
+ def create_stack()
14
+ ciinaboxes_dir = ENV['CIINABOXES_DIR'] || 'ciinaboxes'
15
+ source_bucket = @config['source_bucket']
16
+ config = @config
17
+ CloudFormation do
18
+
19
+ # Template metadata
20
+ AWSTemplateFormatVersion "2010-09-09"
21
+ Description "ciinabox - Lambda Functions v#{config['ciinabox_version']}"
22
+
23
+ # Parameters
24
+ Parameter("EnvironmentType") { Type 'String' }
25
+ Parameter("EnvironmentName") { Type 'String' }
26
+ Parameter("VPC") { Type 'String' }
27
+
28
+ # Route Tables
29
+ Parameter("RouteTablePrivateA") { Type 'String' }
30
+ Parameter("RouteTablePrivateB") { Type 'String' }
31
+
32
+ # Public Subnets
33
+ Parameter("SubnetPublicA") { Type 'String' }
34
+ Parameter("SubnetPublicB") { Type 'String' }
35
+
36
+ # Security Groups
37
+ Parameter("SecurityGroupBackplane") { Type 'String' }
38
+ Parameter("SecurityGroupOps") { Type 'String' }
39
+ Parameter("SecurityGroupDev") { Type 'String' }
40
+
41
+ Mapping('EnvironmentType', config['Mappings']['EnvironmentType'])
42
+
43
+ ## Subnets for Lambdas
44
+ config['availability_zones'].each do |az|
45
+ Resource("SubnetPrivate#{az}") {
46
+ Type 'AWS::EC2::Subnet'
47
+ Property('VpcId', Ref('VPC'))
48
+ Property('CidrBlock', FnJoin("", [FnFindInMap('EnvironmentType', 'ciinabox', 'NetworkPrefix'), ".", FnFindInMap('EnvironmentType', 'ciinabox', 'StackOctet'), ".", config['lambdaSubnets']["SubnetOctet#{az}"], ".0/", FnFindInMap('EnvironmentType', 'ciinabox', 'SubnetMask')]))
49
+ Property('AvailabilityZone', FnSelect(config['azId'][az], FnGetAZs(Ref("AWS::Region"))))
50
+ Property('Tags', [{ Key: 'Name', Value: "ciinabox-lambda-private-#{az}" }])
51
+ }
52
+ end
53
+
54
+ config['availability_zones'].each do |az|
55
+ Resource("SubnetRouteTableAssociationPrivate#{az}") {
56
+ Type 'AWS::EC2::SubnetRouteTableAssociation'
57
+ Property('SubnetId', Ref("SubnetPrivate#{az}"))
58
+ Property('RouteTableId', Ref("RouteTablePrivate#{az}"))
59
+ }
60
+ end
61
+
62
+ config['lambdas']['functions'].each do |name, lambda_config|
63
+
64
+
65
+ environment = lambda_config['environment'] || {}
66
+ environment['LAMBDA_PACKAGE_TIMESTAMP'] = lambda_config['timestamp']
67
+ environment['LAMBDA_PACKAGE_SHA256'] = lambda_config['code_sha256']
68
+
69
+ # Create Role for Lambda function
70
+ role_name = lambda_config['role']
71
+ role_config = config['lambdas']['roles'][role_name]
72
+ Resource("LambdaRole#{role_name}") do
73
+ Type 'AWS::IAM::Role'
74
+ Property('AssumeRolePolicyDocument', Statement: [
75
+ Effect: 'Allow',
76
+ Principal: { Service: ['lambda.amazonaws.com'] },
77
+ Action: ['sts:AssumeRole']
78
+ ])
79
+ Property('Path', '/')
80
+ unless role_config['policies_inline'].nil?
81
+ Property('Policies', Policies.new.create_policies(role_config['policies_inline']))
82
+ end
83
+
84
+ unless role_config['policies_managed'].nil?
85
+ Property('ManagedPolicyArns', role_config['policies_managed'])
86
+ end
87
+ end
88
+
89
+ # Create Lambda function
90
+ function_name = name
91
+ Resource(function_name) do
92
+ Type 'AWS::Lambda::Function'
93
+ Property('Code', S3Bucket: source_bucket,
94
+ S3Key: "ciinabox/#{config['ciinabox_version']}/lambdas/#{name}/#{lambda_config['timestamp']}/src.zip")
95
+ Property('Environment', Variables: Hash[environment.collect { |k, v| [k, v] }])
96
+ Property('Handler', lambda_config['handler'] || 'index.handler')
97
+ Property('MemorySize', lambda_config['memory'] || 128)
98
+ Property('Role', FnGetAtt("LambdaRole#{lambda_config['role']}", 'Arn'))
99
+ Property('Runtime', lambda_config['runtime'])
100
+ Property('Timeout', lambda_config['timeout'] || 10)
101
+ if (lambda_config['vpc'] != nil && lambda_config['vpc'])
102
+ Property('VpcConfig', {
103
+ SubnetIds: config['availability_zones'].collect { |az| Ref("SubnetPrivate#{az}") },
104
+ SecurityGroupIds: [Ref('SecurityGroupBackplane')]
105
+ })
106
+ end
107
+ if !lambda_config['named'].nil? && lambda_config['named']
108
+ Property('FunctionName', name)
109
+ end
110
+ end
111
+
112
+ Output("Lambda#{function_name}Arn") {
113
+ Value(
114
+ FnGetAtt(function_name, 'Arn')
115
+ )
116
+ }
117
+
118
+ # Create Lambda version
119
+ sha256 = lambda_config['code_sha256']
120
+ Resource("#{name}Version#{lambda_config['timestamp']}") do
121
+ Type 'AWS::Lambda::Version'
122
+ DeletionPolicy 'Retain'
123
+ Property('FunctionName', Ref(name))
124
+ Property('CodeSha256', sha256)
125
+ end
126
+
127
+ lambda_config['allowed_sources'] = [] if lambda_config['allowed_sources'].nil?
128
+
129
+ # if lambda has schedule defined
130
+ if lambda_config.key?('schedules')
131
+ lambda_config['allowed_sources'] << { 'principal' => 'events.amazonaws.com' }
132
+ lambda_config['schedules'].each_with_index do |schedule, index|
133
+ Resource("Lambda#{name}Schedule#{index}") do
134
+ Type 'AWS::Events::Rule'
135
+ Condition(schedule['condition']) if schedule.key?('condition')
136
+ Property('ScheduleExpression', "cron(#{schedule['cronExpression']})")
137
+ Property('State', 'ENABLED')
138
+ target = {
139
+ 'Arn' => FnGetAtt(name, 'Arn'), 'Id' => "lambda#{name}"
140
+ }
141
+ target['Input'] = schedule['payload'] if schedule.key?('payload')
142
+ Property('Targets', [target])
143
+ end
144
+ end
145
+ end
146
+
147
+ # Generate lambda function Policy
148
+ unless lambda_config['allowed_sources'].nil?
149
+ i = 1
150
+ lambda_config['allowed_sources'].each do |source|
151
+ Resource("#{name}Permissions#{i}") do
152
+ Type 'AWS::Lambda::Permission'
153
+ Property('FunctionName', Ref(name))
154
+ Property('Action', 'lambda:InvokeFunction')
155
+ Property('Principal', source['principal'])
156
+ end
157
+ i += 1
158
+ end
159
+ end
160
+
161
+ end
162
+
163
+ end
164
+ end
165
+
166
+ end
167
+
168
+ if defined? lambdas or config.key? 'lambdas'
169
+ lambdas = Lambdas.new(config)
170
+ lambdas.create_stack()
171
+ end
172
+