RubyGems - cloud-mu - Versions diffs - 2.0.1 → 2.0.2 - Mend

cloud-mu 2.0.1 → 2.0.2

Files changed (56) hide show

checksums.yaml +4 -4
data/Berksfile +2 -1
data/bin/mu-upload-chef-artifacts +3 -0
data/cloud-mu.gemspec +2 -2
data/cookbooks/firewall/CHANGELOG.md +295 -0
data/cookbooks/firewall/CONTRIBUTING.md +2 -0
data/cookbooks/firewall/MAINTAINERS.md +19 -0
data/cookbooks/firewall/README.md +339 -0
data/cookbooks/firewall/attributes/default.rb +5 -0
data/cookbooks/firewall/attributes/firewalld.rb +1 -0
data/cookbooks/firewall/attributes/iptables.rb +17 -0
data/cookbooks/firewall/attributes/ufw.rb +12 -0
data/cookbooks/firewall/attributes/windows.rb +8 -0
data/cookbooks/firewall/libraries/helpers.rb +100 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +116 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +112 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +135 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +130 -0
data/cookbooks/firewall/libraries/matchers.rb +30 -0
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +179 -0
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +171 -0
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +196 -0
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +196 -0
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +34 -0
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +138 -0
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +126 -0
data/cookbooks/firewall/libraries/resource_firewall.rb +26 -0
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +52 -0
data/cookbooks/firewall/metadata.json +1 -0
data/cookbooks/firewall/recipes/default.rb +80 -0
data/cookbooks/firewall/recipes/disable_firewall.rb +23 -0
data/cookbooks/firewall/templates/default/ufw/default.erb +13 -0
data/cookbooks/mu-firewall/metadata.rb +1 -1
data/cookbooks/mu-master/recipes/default.rb +3 -1
data/cookbooks/mu-master/recipes/init.rb +3 -1
data/cookbooks/mu-master/templates/default/mu.rc.erb +3 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +2 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +1 -1
data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
data/cookbooks/mu-tools/recipes/clamav.rb +1 -1
data/cookbooks/mu-tools/recipes/cloudinit.rb +1 -1
data/cookbooks/mu-tools/recipes/disable-requiretty.rb +2 -2
data/cookbooks/mu-tools/recipes/eks.rb +1 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +1 -1
data/cookbooks/mu-tools/recipes/rsyslog.rb +2 -2
data/cookbooks/mu-tools/recipes/set_local_fw.rb +37 -28
data/environments/dev.json +1 -1
data/environments/prod.json +1 -1
data/modules/mu/cleanup.rb +4 -0
data/modules/mu/clouds/aws/container_cluster.rb +3 -0
data/modules/mu/clouds/aws/role.rb +14 -2
data/modules/mu/clouds/aws/userdata/linux.erb +2 -3
data/modules/mu/clouds/aws.rb +30 -14
data/modules/mu.rb +4 -0
metadata +30 -2

data/cookbooks/firewall/libraries/provider_firewall_iptables.rb ADDED Viewed

@@ -0,0 +1,171 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Copyright:: 2011-2016, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+  class Provider::FirewallIptables < Chef::Provider::LWRPBase
+    include FirewallCookbook::Helpers
+    include FirewallCookbook::Helpers::Iptables
+    provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
+      node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
+    end
+    def whyrun_supported?
+      false
+    end
+    def action_install
+      return if disabled?(new_resource)
+      # Ensure the package is installed
+      iptables_packages(new_resource).each do |p|
+        iptables_pkg = package p do
+          action :nothing
+        end
+        iptables_pkg.run_action(:install)
+        new_resource.updated_by_last_action(true) if iptables_pkg.updated_by_last_action?
+      end
+      iptables_commands(new_resource).each do |svc|
+        # must create empty file for service to start
+        unless ::File.exist?("/etc/sysconfig/#{svc}")
+          # must create empty file for service to start
+          iptables_file = lookup_or_create_rulesfile(svc)
+          iptables_file.content '# created by chef to allow service to start'
+          iptables_file.run_action(:create)
+          new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+        end
+        iptables_service = lookup_or_create_service(svc)
+        [:enable, :start].each do |a|
+          iptables_service.run_action(a)
+          new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+        end
+      end
+    end
+    def action_restart
+      return if disabled?(new_resource)
+      # prints all the firewall rules
+      log_iptables(new_resource)
+      # ensure it's initialized
+      new_resource.rules({}) unless new_resource.rules
+      ensure_default_rules_exist(node, new_resource)
+      # this populates the hash of rules from firewall_rule resources
+      firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+      firewall_rules.each do |firewall_rule|
+        next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+        types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+                  %w(ip6tables)
+                elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+                  %w(iptables)
+                else # or not specific
+                  %w(iptables ip6tables)
+                end
+        types.each do |iptables_type|
+          # build rules to apply with weight
+          k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+          v = firewall_rule.position
+          # unless we're adding them for the first time.... bail out.
+          next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+          new_resource.rules[iptables_type][k] = v
+        end
+      end
+      iptables_commands(new_resource).each do |iptables_type|
+        # this takes the commands in each hash entry and builds a rule file
+        iptables_file = lookup_or_create_rulesfile(iptables_type)
+        iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+        iptables_file.run_action(:create)
+        # if the file was unchanged, skip loop iteration, otherwise restart iptables
+        next unless iptables_file.updated_by_last_action?
+        iptables_service = lookup_or_create_service(iptables_type)
+        new_resource.notifies(:restart, iptables_service, :delayed)
+        new_resource.updated_by_last_action(true)
+      end
+    end
+    def action_disable
+      return if disabled?(new_resource)
+      iptables_flush!(new_resource)
+      iptables_default_allow!(new_resource)
+      new_resource.updated_by_last_action(true)
+      iptables_commands(new_resource).each do |svc|
+        iptables_service = lookup_or_create_service(svc)
+        [:disable, :stop].each do |a|
+          iptables_service.run_action(a)
+          new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+        end
+        # must create empty file for service to start
+        iptables_file = lookup_or_create_rulesfile(svc)
+        iptables_file.content '# created by chef to allow service to start'
+        iptables_file.run_action(:create)
+        new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+      end
+    end
+    def action_flush
+      return if disabled?(new_resource)
+      iptables_flush!(new_resource)
+      new_resource.updated_by_last_action(true)
+      iptables_commands(new_resource).each do |svc|
+        # must create empty file for service to start
+        iptables_file = lookup_or_create_rulesfile(svc)
+        iptables_file.content '# created by chef to allow service to start'
+        iptables_file.run_action(:create)
+        new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+      end
+    end
+    def lookup_or_create_service(name)
+      begin
+        iptables_service = Chef.run_context.resource_collection.find(service: svc)
+      rescue
+        iptables_service = service name do
+          action :nothing
+        end
+      end
+      iptables_service
+    end
+    def lookup_or_create_rulesfile(name)
+      begin
+        iptables_file = Chef.run_context.resource_collection.find(file: name)
+      rescue
+        iptables_file = file "/etc/sysconfig/#{name}" do
+          action :nothing
+        end
+      end
+      iptables_file
+    end
+  end
+end

data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb ADDED Viewed

@@ -0,0 +1,196 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Copyright:: 2011-2016, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+  class Provider::FirewallIptablesUbuntu < Chef::Provider::LWRPBase
+    include FirewallCookbook::Helpers
+    include FirewallCookbook::Helpers::Iptables
+    provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+      node['firewall'] && node['firewall']['ubuntu_iptables'] &&
+        node['platform_version'].to_f > (node['platform'] == 'ubuntu' ? 14.04 : 7)
+    end
+    def whyrun_supported?
+      false
+    end
+    def action_install
+      return if disabled?(new_resource)
+      # Ensure the package is installed
+      pkg = package 'iptables-persistent' do
+        action :nothing
+      end
+      pkg.run_action(:install)
+      new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
+      rule_files = %w(rules.v4)
+      rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+      rule_files.each do |svc|
+        next if ::File.exist?("/etc/iptables/#{svc}")
+        # must create empty file for service to start
+        f = lookup_or_create_rulesfile(svc)
+        f.content '# created by chef to allow service to start'
+        f.run_action(:create)
+        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+      end
+      iptables_service = lookup_or_create_service('netfilter-persistent')
+      [:enable, :start].each do |act|
+        # iptables-persistent isn't a real service
+        iptables_service.status_command 'true'
+        iptables_service.run_action(act)
+        new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+      end
+    end
+    def action_restart
+      return if disabled?(new_resource)
+      # prints all the firewall rules
+      log_iptables(new_resource)
+      # ensure it's initialized
+      new_resource.rules({}) unless new_resource.rules
+      ensure_default_rules_exist(node, new_resource)
+      # this populates the hash of rules from firewall_rule resources
+      firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+      firewall_rules.each do |firewall_rule|
+        next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+        types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+                  %w(ip6tables)
+                elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+                  %w(iptables)
+                else # or not specific
+                  %w(iptables ip6tables)
+                end
+        types.each do |iptables_type|
+          # build rules to apply with weight
+          k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+          v = firewall_rule.position
+          # unless we're adding them for the first time.... bail out.
+          next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+          new_resource.rules[iptables_type][k] = v
+        end
+      end
+      rule_files = %w(iptables)
+      rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
+      rule_files.each do |iptables_type|
+        iptables_filename = if iptables_type == 'ip6tables'
+                              '/etc/iptables/rules.v6'
+                            else
+                              '/etc/iptables/rules.v4'
+                            end
+        # ensure a file resource exists with the current iptables rules
+        begin
+          iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
+        rescue
+          iptables_file = file iptables_filename do
+            action :nothing
+          end
+        end
+        iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+        iptables_file.run_action(:create)
+        # if the file was changed, restart iptables
+        next unless iptables_file.updated_by_last_action?
+        service_affected = service 'netfilter-persistent' do
+          action :nothing
+        end
+        new_resource.notifies(:restart, service_affected, :delayed)
+        new_resource.updated_by_last_action(true)
+      end
+    end
+    def action_disable
+      return if disabled?(new_resource)
+      iptables_flush!(new_resource)
+      iptables_default_allow!(new_resource)
+      new_resource.updated_by_last_action(true)
+      iptables_service = lookup_or_create_service('netfilter-persistent')
+      [:disable, :stop].each do |act|
+        iptables_service.run_action(act)
+        new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+      end
+      %w(rules.v4 rules.v6).each do |svc|
+        # must create empty file for service to start
+        f = lookup_or_create_rulesfile(svc)
+        f.content '# created by chef to allow service to start'
+        f.run_action(:create)
+        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+      end
+    end
+    def action_flush
+      return if disabled?(new_resource)
+      iptables_flush!(new_resource)
+      new_resource.updated_by_last_action(true)
+      rule_files = %w(rules.v4)
+      rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+      rule_files.each do |svc|
+        # must create empty file for service to start
+        f = lookup_or_create_rulesfile(svc)
+        f.content '# created by chef to allow service to start'
+        f.run_action(:create)
+        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+      end
+    end
+    def lookup_or_create_service(name)
+      begin
+        iptables_service = Chef.run_context.resource_collection.find(service: svc)
+      rescue
+        iptables_service = service name do
+          action :nothing
+        end
+      end
+      iptables_service
+    end
+    def lookup_or_create_rulesfile(name)
+      begin
+        iptables_file = Chef.run_context.resource_collection.find(file: name)
+      rescue
+        iptables_file = file "/etc/iptables/#{name}" do
+          action :nothing
+        end
+      end
+      iptables_file
+    end
+  end
+end

data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb ADDED Viewed

@@ -0,0 +1,196 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook Name:: firewall
+# Resource:: default
+#
+# Copyright:: 2011, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+  class Provider::FirewallIptablesUbuntu1404 < Chef::Provider::LWRPBase
+    include FirewallCookbook::Helpers
+    include FirewallCookbook::Helpers::Iptables
+    provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+      node['firewall'] && node['firewall']['ubuntu_iptables'] &&
+        node['platform_version'].to_f <= (node['platform'] == 'ubuntu' ? 14.04 : 7)
+    end
+    def whyrun_supported?
+      false
+    end
+    def action_install
+      return if disabled?(new_resource)
+      # Ensure the package is installed
+      pkg = package 'iptables-persistent' do
+        action :nothing
+      end
+      pkg.run_action(:install)
+      new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
+      rule_files = %w(rules.v4)
+      rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+      rule_files.each do |svc|
+        next if ::File.exist?("/etc/iptables/#{svc}")
+        # must create empty file for service to start
+        f = lookup_or_create_rulesfile(svc)
+        f.content '# created by chef to allow service to start'
+        f.run_action(:create)
+        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+      end
+      iptables_service = lookup_or_create_service('iptables-persistent')
+      [:enable, :start].each do |act|
+        # iptables-persistent isn't a real service
+        iptables_service.status_command 'true'
+        iptables_service.run_action(act)
+        new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+      end
+    end
+    def action_restart
+      return if disabled?(new_resource)
+      # prints all the firewall rules
+      log_iptables(new_resource)
+      # ensure it's initialized
+      new_resource.rules({}) unless new_resource.rules
+      ensure_default_rules_exist(node, new_resource)
+      # this populates the hash of rules from firewall_rule resources
+      firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+      firewall_rules.each do |firewall_rule|
+        next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+        types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+                  %w(ip6tables)
+                elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+                  %w(iptables)
+                else # or not specific
+                  %w(iptables ip6tables)
+                end
+        types.each do |iptables_type|
+          # build rules to apply with weight
+          k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+          v = firewall_rule.position
+          # unless we're adding them for the first time.... bail out.
+          next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+          new_resource.rules[iptables_type][k] = v
+        end
+      end
+      rule_files = %w(iptables)
+      rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
+      rule_files.each do |iptables_type|
+        iptables_filename = if iptables_type == 'ip6tables'
+                              '/etc/iptables/rules.v6'
+                            else
+                              '/etc/iptables/rules.v4'
+                            end
+        # ensure a file resource exists with the current iptables rules
+        begin
+          iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
+        rescue
+          iptables_file = file iptables_filename do
+            action :nothing
+          end
+        end
+        iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+        iptables_file.run_action(:create)
+        # if the file was changed, restart iptables
+        next unless iptables_file.updated_by_last_action?
+        service_affected = service 'iptables-persistent' do
+          action :nothing
+        end
+        new_resource.notifies(:restart, service_affected, :delayed)
+        new_resource.updated_by_last_action(true)
+      end
+    end
+    def action_disable
+      return if disabled?(new_resource)
+      iptables_flush!(new_resource)
+      iptables_default_allow!(new_resource)
+      new_resource.updated_by_last_action(true)
+      iptables_service = lookup_or_create_service('iptables-persistent')
+      [:disable, :stop].each do |act|
+        iptables_service.run_action(act)
+        new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+      end
+      %w(rules.v4 rules.v6).each do |svc|
+        # must create empty file for service to start
+        f = lookup_or_create_rulesfile(svc)
+        f.content '# created by chef to allow service to start'
+        f.run_action(:create)
+        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+      end
+    end
+    def action_flush
+      return if disabled?(new_resource)
+      iptables_flush!(new_resource)
+      new_resource.updated_by_last_action(true)
+      rule_files = %w(rules.v4)
+      rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+      rule_files.each do |svc|
+        # must create empty file for service to start
+        f = lookup_or_create_rulesfile(svc)
+        f.content '# created by chef to allow service to start'
+        f.run_action(:create)
+        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+      end
+    end
+    def lookup_or_create_service(name)
+      begin
+        iptables_service = Chef.run_context.resource_collection.find(service: svc)
+      rescue
+        iptables_service = service name do
+          action :nothing
+        end
+      end
+      iptables_service
+    end
+    def lookup_or_create_rulesfile(name)
+      begin
+        iptables_file = Chef.run_context.resource_collection.find(file: name)
+      rescue
+        iptables_file = file "/etc/iptables/#{name}" do
+          action :nothing
+        end
+      end
+      iptables_file
+    end
+  end
+end

data/cookbooks/firewall/libraries/provider_firewall_rule.rb ADDED Viewed

@@ -0,0 +1,34 @@
+#
+# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
+# Cookbook:: firewall
+# Provider:: rule_iptables
+#
+# Copyright:: 2015-2016, computerlyrik
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+  class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
+    provides :firewall_rule
+    def action_create
+      return unless new_resource.notify_firewall
+      firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
+      raise 'could not find a firewall resource' unless firewall_resource
+      new_resource.notifies(:restart, firewall_resource, :delayed)
+      new_resource.updated_by_last_action(true)
+    end
+  end
+end