ciinabox-ecs 0.2.9 → 0.2.10.alpha.1529494989

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97e6e52b7ab9e04b778eacf504833653f164384ee2fc0e4be6404f9f5088a3fa
-  data.tar.gz: b9b53e675fb107d2966b03059410589c30f506c49b67fd0fa7c0d4f426c39d82
+  metadata.gz: 5925c9f4071982d31b38d632acbd0783cf6fa89417d2c5bc8dd46f3805bebdb1
+  data.tar.gz: c627c7dad29dea09241c7ea8b589b790a91d5a9850e6c8eaaa1514ec148cb731
 SHA512:
-  metadata.gz: 8cb3e6f8be9729adfb82069a484faa560947fb38f1b28a680d9ee10b098bfec1015d9e7fb576e107b9ead8406183b1ddccabcb41ea29269c12d08321a12f57be
-  data.tar.gz: c1777aa1ccdfe53f48e1e9178993604b637623f409392e22a32fe905cf561c71f2930e736995942f33bec8ab3f9019eb9ae9bad774ebefaaed9608396b70379b
+  metadata.gz: 8211b47987f88749bf234d50233c27e4a5368c709379918f6d2a776f5229dc9efd252aa25a4b9bf94b70fe10bcb27f54f6aec48a7d08edc88c9a029db0ea0c4e
+  data.tar.gz: 86196ce321cef4b8cb5efa3b38d6c5a10b7298d4e2decc441215b5aae6d11cfe2c1857faac8d8acac65b5131c5a8e2e7e88b8a1d81968cec2731dd96ff04b715

data/Gemfile

@@ -1,7 +1,9 @@
 source 'https://rubygems.org'
 
 gem 'rake'
-gem 'cfndsl','0.15.2'
+gem 'cfndsl', '~>0.16'
 gem 'cfn_manage'
 gem 'deep_merge'
 gem 'rubyzip'
+gem 'aws-sdk-s3', '~>1'
+gem 'aws-sdk-cloudformation', '~>1'

data/README.md

@@ -1,3 +1,5 @@
+[![Build Status](https://travis-ci.com/base2services/ciinabox-ecs.svg?branch=develop)](https://travis-ci.com/base2services/ciinabox-ecs.svg?branch=develop)
+
 # ciinabox ECS
 
 ciinabox pronounced ciin a box is a set of automation for building
@@ -67,7 +69,7 @@ If you wish to add additional containers to your ciinabox environment, you can s
 ciinaboxes/ciinabox_name/config/services.yml
 
 e.g:
-    
+
 ```yaml
     services:
       - jenkins:
@@ -80,7 +82,7 @@ e.g:
       - artifactory:
       - drone:
 ```
-    
+
 Please note that if you wish to do this, that you also need to create a CFNDSL template for the service under templates/services, with the name of the service as the filename (e.g. bitbucket.rb)
 
 ## Getting Started
@@ -91,10 +93,10 @@ To get started install `ciinabox-ecs` ruby gem
 $ gem install ciinabox-ecs
 ```
 
-During the setup process, you'll need to provide domain for the tools (e.g. `*.tools.example.com`) that has 
+During the setup process, you'll need to provide domain for the tools (e.g. `*.tools.example.com`) that has
 matching Route53 zone in same AWS account where you are creating ciinabox. Optionally you can use local hosts file
 hack in order to get routing working, but in this case usage of ACM certificates is not an option, and you'll need
-to use selfsigned IAM server certificates. 
+to use selfsigned IAM server certificates.
 
 ### Quick setup
 
@@ -146,7 +148,7 @@ $ ciinabox-ecs full_install
 
 5. Create ciinabox S3 source deployment bucket
   ```bash
-  $ ciinabox-ecs create_source_bucket [ciinabox_name] 
+  $ ciinabox-ecs create_source_bucket [ciinabox_name]
   Successfully created S3 source deployment bucket source.myciinabox.com
   ```
 
@@ -158,7 +160,7 @@ $ ciinabox-ecs full_install
 
 7. Generate ciinabox cloudformation templates
   ```bash
-  $ ciinabox-ecs generate [ciinabox_name] 
+  $ ciinabox-ecs generate [ciinabox_name]
   Writing to output/ciinabox.json
   using extras [[:yaml, "ciinaboxes/myciinabox/config/default_params.yml"], [:yaml, "config/services.yml"], [:ruby, "ext/helper.rb"]]
   Loading YAML file ciinaboxes/myciinabox/config/default_params.yml
@@ -307,6 +309,16 @@ internal_elb: false
 # needs internal_elb: true
 ```
 
+## Nginx Reverse Proxy Config
+
+If you need to pass in extra nginx configuration such as `client_max_body_size 100m;` to the proxy you can by adding the following text block to you params.yaml
+
+```yaml
+proxy_config: |
+  server_tokens off;
+  client_max_body_size 100m;
+```
+
 # Ciinabox configuration
 
 ## Bastion (Jumpbox) instance
@@ -348,6 +360,19 @@ bastionAMI:
 
 ```
 
+## Vpn (OpenVpn) instance
+
+You can create a openvpn access server instance complete by using the bellow config. It will create a new ecs cluster in the public subnet and launch [base2/openvpn-as](https://hub.docker.com/r/base2/openvpn-as/) container. It mounts a data volume to persist all configuration and logs in `/data`. Uses the existing `ecs_ami` as the underlying instance ami.
+
+```yaml
+include_vpn_stack: true
+```
+
+It is also possible to override the vpn instance type used for Launch Configuration. Defaults are below
+
+```yaml
+vpnInstanceType: t2.small
+```
 
 ## IAM Roles
 
@@ -379,14 +404,14 @@ allow_nat_connections: false
 
 ## Automatic issuance and validation of ACM SSL certificate
 
-This setting is enabled by default in default parameters. During the ciinabox init stage, you will be 
-asked if you want to utilise this functionality. Essentially, custom cloudformation resource based on 
-python [aws-acm-validator](https://pypi.python.org/pypi/aws-acm-cert-validator) python package will 
-request and validate ACM certificate through appropriate Route 53 DNS validation record. 
+This setting is enabled by default in default parameters. During the ciinabox init stage, you will be
+asked if you want to utilise this functionality. Essentially, custom cloudformation resource based on
+python [aws-acm-validator](https://pypi.python.org/pypi/aws-acm-cert-validator) python package will
+request and validate ACM certificate through appropriate Route 53 DNS validation record.
 
 ### To disable during ciinabox setup
 
-Answer question below with 'y' during ciinabox init stage 
+Answer question below with 'y' during ciinabox init stage
 
 ```text
 Use selfsigned rather than ACM issued and validated certificate (y/n)? [n]

data/Rakefile

@@ -11,6 +11,8 @@ require 'tempfile'
 require 'json'
 require_relative './ext/common_helper'
 require_relative './ext/zip_helper'
+require 'aws-sdk-s3'
+require 'aws-sdk-cloudformation'
 require 'ciinabox-ecs' if Gem::Specification::find_all_by_name('ciinabox-ecs').any?
 
 namespace :ciinabox do
@@ -38,7 +40,7 @@ namespace :ciinabox do
     config = default_params
   end
 
-  Dir["#{ciinaboxes_dir}/#{ciinabox_name}/config/*.yml"].each { |config_file|
+  Dir["#{ciinaboxes_dir}/#{ciinabox_name}/config/*.yml"].each {|config_file|
     if not config_file.include?('params.yml')
       config = config.merge(YAML.load(File.read(config_file)))
     end
@@ -48,12 +50,12 @@ namespace :ciinabox do
 
   # ciinabox binary version
   if Gem.loaded_specs['ciinabox-ecs'].nil?
-    config['ciinabox_binary_version'] = `git rev-parse --short HEAD`.gsub("\n",'')
+    config['ciinabox_binary_version'] = `git rev-parse --short HEAD`.gsub("\n", '')
   else
     config['ciinabox_binary_version'] = Gem.loaded_specs['ciinabox-ecs'].version.to_s
   end
 
-  File.write('debug-ciinabox.config.yaml',config.to_yaml) if ENV['DEBUG']
+  File.write('debug-ciinabox.config.yaml', config.to_yaml) if ENV['DEBUG']
 
   stack_name = config["stack_name"] || "ciinabox"
 
@@ -64,8 +66,8 @@ namespace :ciinabox do
     templates2 = Dir["#{ciinaboxes_dir}/#{ciinabox_name}/templates/**/*.rb"]
 
     ## we want to exclude overridden templates
-    templatesLocalFileNames = templates2.collect { |templateFile| File.basename(templateFile) }
-    templates = templates.select { |templateFile| not templatesLocalFileNames.include? File.basename(templateFile) }
+    templatesLocalFileNames = templates2.collect {|templateFile| File.basename(templateFile)}
+    templates = templates.select {|templateFile| not templatesLocalFileNames.include? File.basename(templateFile)}
     templates = templates + templates2
   end
 
@@ -87,13 +89,13 @@ namespace :ciinabox do
     tmp_file = write_config_tmp_file(config)
 
     CfnDsl::RakeTask.new do |t|
-      extras = [[:yaml,"#{current_dir}/config/default_params.yml"]]
+      extras = [[:yaml, "#{current_dir}/config/default_params.yml"]]
       extras << [:yaml, "#{current_dir}/config/default_lambdas.yml"]
       if File.exist? "#{ciinaboxes_dir}/ciinabox_config.yml"
         extras << [:yaml, "#{ciinaboxes_dir}/ciinabox_config.yml"]
       end
-      (Dir["#{ciinaboxes_dir}/#{ciinabox_name}/config/*.yml"].map { |f| [:yaml,f]}).each {|c| extras<<c}
-      extras << [:ruby,"#{current_dir}/ext/helper.rb"]
+      (Dir["#{ciinaboxes_dir}/#{ciinabox_name}/config/*.yml"].map {|f| [:yaml, f]}).each {|c| extras << c}
+      extras << [:ruby, "#{current_dir}/ext/helper.rb"]
       extras << [:yaml, tmp_file.path]
       t.cfndsl_opts = {
           verbose: true,
@@ -165,16 +167,16 @@ namespace :ciinabox do
     if File.exist?("#{ciinaboxes_dir}/#{ciinabox_name}/config/params.yml")
       config_output = user_params.merge(input_hash) #Merges input hash into user-provided template
       config_yaml = config_output.to_yaml #Convert output to YAML for writing
-      File.open("#{ciinaboxes_dir}/#{ciinabox_name}/config/params.yml", 'w') { |f| f.write(config_yaml) }
+      File.open("#{ciinaboxes_dir}/#{ciinabox_name}/config/params.yml", 'w') {|f| f.write(config_yaml)}
     else
-      File.open("#{ciinaboxes_dir}/#{ciinabox_name}/config/params.yml", 'w') { |f| f.write(input_result) }
+      File.open("#{ciinaboxes_dir}/#{ciinabox_name}/config/params.yml", 'w') {|f| f.write(input_result)}
     end
 
     default_services = YAML.load(File.read("#{current_dir}/config/default_services.yml"))
 
     class ::Hash
       def deep_merge(second)
-        merger = proc { |key, v1, v2| Hash === v1 && Hash === v2 ? v1.merge(v2, &merger) : Array === v1 && Array === v2 ? v1 | v2 : [:undefined, nil, :nil].include?(v2) ? v1 : v2 }
+        merger = proc {|key, v1, v2| Hash === v1 && Hash === v2 ? v1.merge(v2, &merger) : Array === v1 && Array === v2 ? v1 | v2 : [:undefined, nil, :nil].include?(v2) ? v1 : v2}
         self.merge(second.to_h, &merger)
       end
     end
@@ -184,10 +186,10 @@ namespace :ciinabox do
       user_services = YAML.load(File.read("#{ciinaboxes_dir}/#{ciinabox_name}/config/services.yml"))
       combined_services = default_services.deep_merge(user_services)
       yml_combined_services = combined_services.to_yaml
-      File.open("#{ciinaboxes_dir}/#{ciinabox_name}/config/services.yml", 'w') { |f| f.write(yml_combined_services) }
+      File.open("#{ciinaboxes_dir}/#{ciinabox_name}/config/services.yml", 'w') {|f| f.write(yml_combined_services)}
     else
       yml_default_services = default_services.to_yaml
-      File.open("#{ciinaboxes_dir}/#{ciinabox_name}/config/services.yml", 'w') { |f| f.write(yml_default_services) }
+      File.open("#{ciinaboxes_dir}/#{ciinabox_name}/config/services.yml", 'w') {|f| f.write(yml_default_services)}
     end
 
     display_active_ciinabox ciinaboxes_dir, ciinabox_name
@@ -251,13 +253,12 @@ namespace :ciinabox do
     check_active_ciinabox(config)
     ciinabox_name = config['ciinabox_name']
     cert_dir = "#{ciinaboxes_dir}/#{ciinabox_name}"
-    status, result = aws_execute( config, [
+    status, result = aws_execute(config, [
         'iam', 'upload-server-certificate',
         '--server-certificate-name ciinabox',
         "--certificate-body file://#{cert_dir}/ssl/ciinabox.crt",
         "--private-key file://#{cert_dir}/ssl/ciinabox.key",
-        "--certificate-chain file://#{cert_dir}/ssl/ciinabox.crt",
-        '--output json'
+        "--certificate-chain file://#{cert_dir}/ssl/ciinabox.crt"
     ])
     if status != 0
       puts "fail to create or update IAM server-certificates. See error logs for details"
@@ -388,6 +389,13 @@ namespace :ciinabox do
   desc('Package Lambda Functions as ZipFiles')
   task :package_lambdas do
     check_active_ciinabox(config)
+
+    # custom lambda modification
+    lambda_stack_required = config['acm_auto_issue_validate']
+    # in future any new conditions for lambda stack would be added here
+    # lambda_stack_required ||= some_new_condition
+    config['lambdas'] = nil unless lambda_stack_required
+
     if !config['lambdas'].nil? && !config['lambdas']['functions'].nil?
       log_header 'Package lambda functions'
 
@@ -514,7 +522,7 @@ namespace :ciinabox do
         '--out json'
     ])
     resp = JSON.parse(result)
-    cert_output = resp['Stacks'][0]['Outputs'].find { |k| k['OutputKey'] == 'DefaultSSLCertificate' }
+    cert_output = resp['Stacks'][0]['Outputs'].find {|k| k['OutputKey'] == 'DefaultSSLCertificate'}
     if cert_output.nil?
       STDERR.puts("ACM certificate is not present in stack outputs")
       exit -1
@@ -526,6 +534,64 @@ namespace :ciinabox do
     puts "Set #{cert_arn} as default_cert_arn"
   end
 
+
+  desc('validate cloudformation templates')
+  task :validate do
+    cfn = Aws::CloudFormation::Client.new(region: config['source_region'])
+    s3 = Aws::S3::Client.new(region: config['source_region'])
+    Dir.glob("output/**/*.json") do |file|
+      template_content = IO.read(file)
+      # Skip if empty template generated
+      next if (template_content == "null\n")
+      template = File.open(file, 'rb')
+      filename = File.basename file
+      template_bytesize = template_content.bytesize
+      file_size = File.size file
+      local_validation = (template_content.bytesize < 51200)
+      puts "INFO - #{file}: Filesize: #{file_size}, Bytesize: #{template_bytesize}, local validation: #{local_validation}"
+      begin
+        if not local_validation
+          puts "INFO - Copy #{file} -> s3://#{config['source_bucket']}/cloudformation/#{project_name}/validate/#{filename}"
+          s3.put_object({
+              body: template,
+              bucket: "#{config['source_bucket']}",
+              key: "cloudformation/#{project_name}/validate/#{filename}",
+          })
+          template_url = "https://#{config['source_bucket']}.s3.amazonaws.com/cloudformation/#{project_name}/validate/#{filename}"
+          puts "INFO - Copied #{file} to s3://#{config['source_bucket']}/cloudformation/#{project_name}/validate/#{filename}"
+          puts "INFO - Validating #{template_url}"
+        else
+          puts "INFO - Validating #{file}"
+        end
+        begin
+          resp = cfn.validate_template({ template_url: template_url }) unless local_validation
+          resp = cfn.validate_template({ template_body: template_content }) if local_validation
+          puts "INFO - Template #{filename} validated successfully"
+        rescue => e
+          puts "ERROR - Template #{filename} failed to validate: #{e}"
+          exit 1
+        end
+
+      rescue => e
+        puts "ERROR - #{e.class}, #{e}"
+        exit 1
+      end
+    end
+    puts "INFO - #{Dir["output/**/*.json"].count} templates validated successfully"
+  end
+
+  desc('vendor templates from ciinabox gem into ciinabox folder')
+  task :vendor do
+    Dir["#{current_dir}/templates/**/*.rb"].each do |template_path|
+      relative_path = template_path.gsub("#{current_dir}/", '')
+      target_path = "#{@ciinaboxes_dir}/#{@ciinabox_name}/#{relative_path}"
+      target_dir = File.dirname(target_path)
+      FileUtils.mkdir_p target_dir
+      puts "#{relative_path} -> #{target_path}"
+      FileUtils.copy template_path, target_path
+    end
+  end
+
   def add_ciinabox_config_setting(element, value)
     file_name = "#{@ciinaboxes_dir}/#{@ciinabox_name}/config/params.yml"
     File.write(file_name,
@@ -535,7 +601,7 @@ namespace :ciinabox do
     )
   end
 
-  def remove_update_ciinabox_config_setting(element, new_value='')
+  def remove_update_ciinabox_config_setting(element, new_value = '')
     f = File.new("#{@ciinaboxes_dir}/#{@ciinabox_name}/config/params.yml", 'r+')
     found = false
     f.each do |line|
@@ -551,7 +617,7 @@ namespace :ciinabox do
       end
     end
     f.close
-    add_ciinabox_config_setting(element, new_value) if((not found) and (not new_value.empty?))
+    add_ciinabox_config_setting(element, new_value) if ((not found) and (not new_value.empty?))
   end
 
   def check_active_ciinabox(config)
@@ -609,12 +675,12 @@ namespace :ciinabox do
     question = ("#{question} (y/n)? [#{default ? 'y' : 'n'}]")
     while true
       case get_input(question)
-        when ''
-          return default
-        when 'Y', 'y', 'yes'
-          return true
-        when /\A[nN]o?\Z/ #n or no
-          return false
+      when ''
+        return default
+      when 'Y', 'y', 'yes'
+        return true
+      when /\A[nN]o?\Z/ #n or no
+        return false
       end
     end
   end

data/config/default_params.yml

@@ -287,6 +287,7 @@ ecs_iam_role_permissions_default:
 #      CertName: x
 #      StackOctetA: 11
 #      StackOctetB: 12
+vpnInstanceType: t2.small
 bastionInstanceType: t2.micro
 bastionAMI:
   us-east-1:
@@ -309,3 +310,12 @@ bastionAMI:
    ami: ami-c7ee5ca8
 
 acm_auto_issue_validate: true
+
+# Enbale open VPN
+include_vpn_stack: false
+# open the vpn upd connection port 1194 to all ips
+vpn_udp_public: false
+
+# Default public access is considered whole internet
+publicAccess:
+  - 0.0.0.0/0

data/lambdas/acm_issuer_validator/lib/install.sh

@@ -16,5 +16,5 @@ function pipinstall () {
 if [ $(which docker) == '' ]; then
     pipinstall
 else
-    docker run --rm -v $DIR/..:/dst -w /dst -u 1000 python:3-alpine pip install aws-acm-cert-validator==0.1.11 -t lib
+    docker run --rm -v $DIR/..:/dst -w /dst -u $UID python:3-alpine pip install aws-acm-cert-validator==0.1.11 -t lib
 fi

data/templates/ciinabox.rb

@@ -35,11 +35,7 @@ CloudFormation do
   }
 
   # ECS Services Stack
-  Resource('ECSServicesStack') {
-    Type 'AWS::CloudFormation::Stack'
-    Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/ecs-services.json")
-    Property('TimeoutInMinutes', 15)
-    Property('Parameters',{
+  services_params = {
       ECSCluster: Ref(cluster_name),
       VPC: FnGetAtt('VPCStack', 'Outputs.VPCId'),
       SubnetPublicA: FnGetAtt('VPCStack', 'Outputs.SubnetPublicA'),
@@ -51,8 +47,14 @@ CloudFormation do
       SecurityGroupOps: FnGetAtt('VPCStack', 'Outputs.SecurityGroupOps'),
       SecurityGroupDev: FnGetAtt('VPCStack', 'Outputs.SecurityGroupDev'),
       SecurityGroupNatGateway: FnGetAtt('VPCStack', 'Outputs.SecurityGroupNatGateway'),
-      CRAcmCertArn: FnGetAtt('LambdasStack','Outputs.LambdaCRIssueACMCertificateArn')
-    })
+  }
+  services_params[:CRAcmCertArn] = FnGetAtt('LambdasStack','Outputs.LambdaCRIssueACMCertificateArn') if acm_auto_issue_validate
+
+  Resource('ECSServicesStack') {
+    Type 'AWS::CloudFormation::Stack'
+    Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/ecs-services.json")
+    Property('TimeoutInMinutes', 15)
+    Property('Parameters',services_params)
   }
 
   #These are the commona params for use below in "foreign templates
@@ -70,12 +72,15 @@ CloudFormation do
     base_params.merge!("RouteTablePrivate#{az}" => FnGetAtt('VPCStack', "Outputs.RouteTablePrivate#{az}"))
   end
 
-  # Lambda functions stack
+  lambda_stack_required = acm_auto_issue_validate
+  # in future any new conditions for lambda stack would be added here
+  # lambda_stack_required ||= some_new_condition
+  # in future any new conditions for lambda stack would be added here
   Resource('LambdasStack') do
     Type 'AWS::CloudFormation::Stack'
     Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/lambdas.json")
     Property('Parameters', base_params)
-  end
+  end if lambda_stack_required
 
 
   # Bastion if required
@@ -85,7 +90,12 @@ CloudFormation do
     Property('Parameters', base_params)
   end if include_bastion_stack
 
-
+  # Vpn if required
+  Resource('VpnStack') do
+    Type 'AWS::CloudFormation::Stack'
+    Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/vpn.json")
+    Property('Parameters', base_params)
+  end if include_vpn_stack
 
   #Foreign templates
   #e.g CIINABOXES_DIR/CIINABOX/templates/x.rb

data/templates/ecs-cluster.rb

@@ -162,6 +162,22 @@ CloudFormation {
     if not ecs_block_device_mapping.empty?
       Property("BlockDeviceMappings", ecs_block_device_mapping)
     end
+    if defined? proxy_config
+      Metadata(
+        'AWS::CloudFormation::Init': {
+          config: {
+            files: {
+              '/opt/proxy/proxy_config.conf': {
+                content: proxy_config,
+                mode: "000644",
+                owner: "root",
+                group: "root"
+              }
+            }
+          }
+        }
+      )
+    end
     UserData FnBase64(FnJoin("", [
         "#!/bin/bash\n",
         "echo ECS_CLUSTER=", Ref('ECSCluster'), " >> /etc/ecs/ecs.config\n",

data/templates/ecs-services.rb

@@ -261,6 +261,23 @@ CloudFormation {
     end
   end
 
+  volumes = []
+  mount_points = []
+
+  # Timezone
+  volumes << { Name: 'timezone', Host: { SourcePath: '/etc/localtime' }}
+  mount_points << { ContainerPath: '/etc/localtime', SourceVolume: 'timezone', ReadOnly: true }
+
+  # Docker Socket
+  volumes << { Name: 'docker_sock', Host: { SourcePath: '/var/run/docker.sock' }}
+  mount_points << { ContainerPath: '/tmp/docker.sock', SourceVolume: 'docker_sock', ReadOnly: false }
+
+  # Proxy Config
+  if defined? proxy_config
+    volumes << { Name: 'proxy_config', Host: { SourcePath: '/opt/proxy/proxy_config.conf' }}
+    mount_points << { ContainerPath: '/etc/nginx/conf.d/proxy_config.conf', SourceVolume: 'proxy_config', ReadOnly: true }
+  end
+
   Resource('ProxyTask') {
     Type "AWS::ECS::TaskDefinition"
     Property('ContainerDefinitions', [
@@ -274,34 +291,10 @@ CloudFormation {
                 ContainerPort: 80
             }],
             Essential: true,
-            MountPoints: [
-                {
-                    ContainerPath: '/etc/localtime',
-                    SourceVolume: 'timezone',
-                    ReadOnly: true
-                },
-                {
-                    ContainerPath: '/tmp/docker.sock',
-                    SourceVolume: 'docker_sock',
-                    ReadOnly: false
-                }
-            ]
-        }
-    ])
-    Property('Volumes', [
-        {
-            Name: 'timezone',
-            Host: {
-                SourcePath: '/etc/localtime'
-            }
-        },
-        {
-            Name: 'docker_sock',
-            Host: {
-                SourcePath: '/var/run/docker.sock'
-            }
+            MountPoints: mount_points
         }
     ])
+    Property('Volumes', volumes)
   }
 
   Resource('ProxyService') {

data/templates/lambdas.rb

@@ -158,7 +158,7 @@ class Lambdas
           end
         end
 
-      end
+      end if (config.key? 'lambdas' and (not config['lambdas'].nil?))
 
     end
   end

data/templates/vpn.rb

@@ -0,0 +1,280 @@
+CloudFormation do
+
+  # Template metadata
+  AWSTemplateFormatVersion '2010-09-09'
+  Description "ciinabox - Vpn v#{ciinabox_version}"
+
+  # Parameters
+  Parameter('EnvironmentType'){ Type 'String' }
+  Parameter('EnvironmentName'){ Type 'String' }
+  Parameter('VPC'){ Type 'String' }
+  Parameter('RouteTablePrivateA'){ Type 'String' }
+  Parameter('RouteTablePrivateB'){ Type 'String' }
+  Parameter('SubnetPublicA'){ Type 'String' }
+  Parameter('SubnetPublicB'){ Type 'String' }
+  Parameter('SecurityGroupBackplane'){ Type 'String' }
+  Parameter('SecurityGroupOps'){ Type 'String' }
+  Parameter('SecurityGroupDev'){ Type 'String' }
+
+  # Global mappings
+  Mapping('EnvironmentType', Mappings['EnvironmentType'])
+  Mapping('ecsAMI', ecs_ami)
+
+  security_groups = []
+
+  rules = []
+  opsAccess.each do |ip|
+    rules << { IpProtocol: 'tcp', FromPort: '22', ToPort: '22', CidrIp: ip }
+    rules << { IpProtocol: 'tcp', FromPort: '443', ToPort: '443', CidrIp: ip }
+    rules << { IpProtocol: 'tcp', FromPort: '9443', ToPort: '9443', CidrIp: ip }
+    rules << { IpProtocol: 'tcp', FromPort: '943', ToPort: '943', CidrIp: ip }
+    rules << { IpProtocol: 'udp', FromPort: '1194', ToPort: '1194', CidrIp: ip }
+  end
+
+  Resource("VpnSecurityGroupOps") {
+    Type 'AWS::EC2::SecurityGroup'
+    Property('VpcId', Ref('VPC'))
+    Property('GroupDescription', 'Ops External Access')
+    Property('SecurityGroupIngress', rules)
+  }
+
+  security_groups << Ref('VpnSecurityGroupOps')
+
+  rules = []
+  devAccess.each do |ip|
+    rules << { IpProtocol: 'tcp', FromPort: '443', ToPort: '443', CidrIp: ip }
+    rules << { IpProtocol: 'tcp', FromPort: '9443', ToPort: '9443', CidrIp: ip }
+    rules << { IpProtocol: 'tcp', FromPort: '943', ToPort: '943', CidrIp: ip }
+    rules << { IpProtocol: 'udp', FromPort: '1194', ToPort: '1194', CidrIp: ip }
+  end
+
+  Resource("VpnSecurityGroupDev") {
+    Type 'AWS::EC2::SecurityGroup'
+    Property('VpcId', Ref('VPC'))
+    Property('GroupDescription', 'Dev Team Access')
+    Property('SecurityGroupIngress', rules)
+  }
+
+  security_groups << Ref('VpnSecurityGroupDev')
+
+  if vpn_udp_public
+
+    rules = []
+    publicAccess.each do |ip|
+      rules << { IpProtocol: 'udp', FromPort: '1194', ToPort: '1194', CidrIp: ip }
+    end
+
+    Resource("VpnSecurityGroupPublic") {
+      Type 'AWS::EC2::SecurityGroup'
+      Property('VpcId', Ref('VPC'))
+      Property('GroupDescription', 'VPN Access')
+      Property('SecurityGroupIngress', rules)
+    }
+
+    security_groups << Ref('VpnSecurityGroupPublic')
+  end
+
+  IAM_Role("Role") {
+    AssumeRolePolicyDocument({
+      Statement: [
+        Effect: 'Allow',
+        Principal: { Service: [ 'ec2.amazonaws.com' ] },
+        Action: [ 'sts:AssumeRole' ]
+      ]
+    })
+    Path '/'
+    Policies([
+      {
+        PolicyName: 'read-only',
+        PolicyDocument: {
+          Statement: [
+            {
+              Effect: 'Allow',
+              Action: [ 'autoscaling:Describe*', 'ec2:Describe*', 's3:Get*', 's3:List*'],
+              Resource: '*'
+            }
+          ]
+        }
+      },
+      {
+        PolicyName: 'attach-ec2-volumes',
+        PolicyDocument:  {
+          Statement: [
+            {
+              Effect: 'Allow',
+              Action: [ 'ec2:AttachVolume','ec2:CreateVolume', 'ec2:Describe*', 'ec2:DetachVolume' ],
+              Resource: '*'
+            }
+          ]
+        }
+      },
+      {
+        PolicyName: 'AttachNetworkInterface',
+        PolicyDocument: {
+          Statement: [
+            {
+              Effect: 'Allow',
+              Action: [ 'ec2:DescribeNetworkInterfaces', 'ec2:AttachNetworkInterface','ec2:AssociateAddress' ],
+              Resource: '*'
+            }
+          ]
+        }
+      },
+      {
+        PolicyName: 'ECSServiceRole',
+        PolicyDocument: {
+          Statement: [
+            {
+              Effect: 'Allow',
+              Action: [
+                'ecs:CreateCluster',
+                'ecs:DeregisterContainerInstance',
+                'ecs:DiscoverPollEndpoint',
+                'ecs:Poll',
+                'ecs:RegisterContainerInstance',
+                'ecs:StartTelemetrySession',
+                'ecs:Submit*',
+                'ec2:AuthorizeSecurityGroupIngress'
+              ],
+              Resource: '*'
+            }
+          ]
+        }
+      }
+    ])
+  }
+
+  ECS_Cluster('CiinaboxVpn')
+
+  InstanceProfile('InstanceProfile') {
+    Path '/'
+    Roles [ Ref('Role') ]
+  }
+
+  EC2_EIP('VpnIPAddress') {
+    Domain 'vpc'
+  }
+
+  EC2_Volume("VpnVolume") {
+    DeletionPolicy 'Snapshot'
+    Size '10'
+    VolumeType 'gp2'
+    if defined? vpn_data_volume_snapshot
+      SnapshotId vpn_data_volume_snapshot
+    end
+    AvailabilityZone FnSelect(0, FnGetAZs(""))
+    addTag('Name', 'ciinabox-vpn-config-xx')
+    addTag('Environment', 'ciinabox')
+    addTag('EnvironmentType', 'ciinabox')
+    addTag('shelvery:create_backup','true')
+    addTag('shelvery:config:shelvery_keep_daily_backups', '7')
+    addTag('shelvery:config:shelvery_keep_weekly_backups', '4')
+    addTag('shelvery:config:shelvery_keep_monthly_backups', '12')
+  }
+
+  AutoScaling_LaunchConfiguration('LaunchConfig') {
+    DependsOn ['VpnIPAddress']
+    ImageId FnFindInMap('ecsAMI', Ref('AWS::Region'), 'ami')
+    KeyName FnFindInMap('EnvironmentType', 'ciinabox', 'KeyName')
+    AssociatePublicIpAddress true
+    IamInstanceProfile Ref('InstanceProfile')
+    SecurityGroups security_groups
+    Property('InstanceType', vpnInstanceType)
+    UserData FnBase64(FnJoin('',[
+        "#!/bin/bash\n",
+        "echo ECS_CLUSTER=", Ref('CiinaboxVpn'), " >> /etc/ecs/ecs.config\n",
+        "INSTANCE_ID=$(echo `/opt/aws/bin/ec2-metadata -i | cut -f2 -d:`)\n",
+        'export NEW_HOSTNAME=', Ref('EnvironmentName'),"-vpn-xx-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`", "\n",
+        "echo \"NEW_HOSTNAME=$NEW_HOSTNAME\" \n",
+        "hostname $NEW_HOSTNAME\n",
+        "sed -i \"s/^HOSTNAME=.*/HOSTNAME=$NEW_HOSTNAME/\" /etc/sysconfig/network\n",
+        "stop ecs\n",
+        "service docker stop\n",
+        "aws --region ", Ref("AWS::Region"), " ec2 attach-volume --volume-id ", Ref('VpnVolume'), " --instance-id ${INSTANCE_ID} --device /dev/sdb\n",
+        'aws --region ', Ref('AWS::Region'), ' ec2 associate-address --allocation-id ', FnGetAtt('VpnIPAddress','AllocationId') ," --instance-id ${INSTANCE_ID}\n",
+        "sleep 3\n",
+        "mkdir /data \n",
+        "e2fsck -fy /dev/xvdb ; if [ $? -eq 8 ]; then mkfs.ext4 /dev/xvdb && mount /dev/xvdb /data; else mount /dev/xvdb /data; fi\n",
+        "service docker start\n",
+        "start ecs\n",
+    ]))
+  }
+
+  AutoScalingGroup('AutoScaleGroup') {
+    UpdatePolicy('AutoScalingRollingUpdate', {
+        'MinInstancesInService' => '0',
+        'MaxBatchSize' => '1',
+    })
+    LaunchConfigurationName Ref('LaunchConfig')
+    HealthCheckGracePeriod '500'
+    HealthCheckType 'EC2'
+    MinSize 1
+    MaxSize 1
+    VPCZoneIdentifier [ Ref('SubnetPublicA') ]
+    addTag('Name', FnJoin('-',[Ref('EnvironmentName'), 'vpn' , 'xx']), true)
+    addTag('Environment', Ref('EnvironmentName'), true)
+    addTag('EnvironmentType', Ref('EnvironmentType'), true)
+    addTag('Role', 'vpn', true)
+  }
+
+  Route53_RecordSet('VpnRecordSet') {
+    DependsOn ['VpnIPAddress']
+    HostedZoneName FnJoin('', [ dns_domain, '.' ])
+    Comment 'Vpn record set'
+    Name FnJoin('', [ 'opvn.', dns_domain, '.' ])
+    Type 'A'
+    TTL '60'
+    ResourceRecords [  Ref('VpnIPAddress') ]
+  }
+
+  ECS_TaskDefinition('OpenVpnTask') {
+    ContainerDefinitions([
+      {
+        Name: 'openvpn',
+        MemoryReservation: '1024',
+        Cpu: '1024',
+        Image: 'base2/openvpn-as',
+        Essential: true,
+        Privileged: true,
+        MountPoints: [
+          {
+            ContainerPath: '/etc/localtime',
+            SourceVolume: 'timezone',
+            ReadOnly: true
+          },
+          {
+            ContainerPath: '/config',
+            SourceVolume: 'data',
+            ReadOnly: false
+          }
+        ]
+      }
+    ])
+    NetworkMode 'host'
+    Volumes([
+      {
+        Name: 'timezone',
+        Host: {
+          SourcePath: '/etc/localtime'
+        }
+      },
+      {
+        Name: 'data',
+        Host: {
+          SourcePath: '/data'
+        }
+      }
+    ])
+  }
+
+  ECS_Service('OpenVpnService') {
+    Cluster Ref('CiinaboxVpn')
+    DesiredCount 1
+    DeploymentConfiguration({
+      MaximumPercent: 100,
+      MinimumHealthyPercent: 0
+    })
+    TaskDefinition Ref('OpenVpnTask')
+  }
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ciinabox-ecs
 version: !ruby/object:Gem::Version
-  version: 0.2.9
+  version: 0.2.10.alpha.1529494989
 platform: ruby
 authors:
 - Base2Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-07 00:00:00.000000000 Z
+date: 2018-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -24,34 +24,62 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '12'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-s3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-cloudformation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: cfndsl
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.15.2
+        version: '0.16'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.15.2
+        version: '0.16'
 - !ruby/object:Gem::Dependency
   name: cfn_manage
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: deep_merge
   requirement: !ruby/object:Gem::Requirement
@@ -104,7 +132,6 @@ files:
 - ext/helper.rb
 - ext/policies.rb
 - ext/zip_helper.rb
-- lambdas/acm_issuer_validator/install.sh
 - lambdas/acm_issuer_validator/lib/install.sh
 - lib/ciinabox-ecs.rb
 - templates/bastion.rb
@@ -120,6 +147,7 @@ files:
 - templates/services/jenkins.rb
 - templates/services/nexus.rb
 - templates/vpc.rb
+- templates/vpn.rb
 homepage: https://github.com/base2Services/ciinabox-ecs
 licenses:
 - MIT
@@ -135,12 +163,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: Manage ciinabox on Aws Ecs

data/lambdas/acm_issuer_validator/install.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-rm -rf lib/*
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-rm -rf $DIR/lib/*
-
-docker run --rm -v $DIR:/dst -w /dst -u 1000 python:3-alpine pip install aws-acm-cert-validator==0.1.11 -t lib