cloud-mu 2.0.1 → 2.0.2

Files changed (56) hide show
  1. checksums.yaml +4 -4
  2. data/Berksfile +2 -1
  3. data/bin/mu-upload-chef-artifacts +3 -0
  4. data/cloud-mu.gemspec +2 -2
  5. data/cookbooks/firewall/CHANGELOG.md +295 -0
  6. data/cookbooks/firewall/CONTRIBUTING.md +2 -0
  7. data/cookbooks/firewall/MAINTAINERS.md +19 -0
  8. data/cookbooks/firewall/README.md +339 -0
  9. data/cookbooks/firewall/attributes/default.rb +5 -0
  10. data/cookbooks/firewall/attributes/firewalld.rb +1 -0
  11. data/cookbooks/firewall/attributes/iptables.rb +17 -0
  12. data/cookbooks/firewall/attributes/ufw.rb +12 -0
  13. data/cookbooks/firewall/attributes/windows.rb +8 -0
  14. data/cookbooks/firewall/libraries/helpers.rb +100 -0
  15. data/cookbooks/firewall/libraries/helpers_firewalld.rb +116 -0
  16. data/cookbooks/firewall/libraries/helpers_iptables.rb +112 -0
  17. data/cookbooks/firewall/libraries/helpers_ufw.rb +135 -0
  18. data/cookbooks/firewall/libraries/helpers_windows.rb +130 -0
  19. data/cookbooks/firewall/libraries/matchers.rb +30 -0
  20. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +179 -0
  21. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +171 -0
  22. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +196 -0
  23. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +196 -0
  24. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +34 -0
  25. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +138 -0
  26. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +126 -0
  27. data/cookbooks/firewall/libraries/resource_firewall.rb +26 -0
  28. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +52 -0
  29. data/cookbooks/firewall/metadata.json +1 -0
  30. data/cookbooks/firewall/recipes/default.rb +80 -0
  31. data/cookbooks/firewall/recipes/disable_firewall.rb +23 -0
  32. data/cookbooks/firewall/templates/default/ufw/default.erb +13 -0
  33. data/cookbooks/mu-firewall/metadata.rb +1 -1
  34. data/cookbooks/mu-master/recipes/default.rb +3 -1
  35. data/cookbooks/mu-master/recipes/init.rb +3 -1
  36. data/cookbooks/mu-master/templates/default/mu.rc.erb +3 -0
  37. data/cookbooks/mu-tools/recipes/apply_security.rb +2 -2
  38. data/cookbooks/mu-tools/recipes/aws_api.rb +1 -1
  39. data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
  40. data/cookbooks/mu-tools/recipes/clamav.rb +1 -1
  41. data/cookbooks/mu-tools/recipes/cloudinit.rb +1 -1
  42. data/cookbooks/mu-tools/recipes/disable-requiretty.rb +2 -2
  43. data/cookbooks/mu-tools/recipes/eks.rb +1 -1
  44. data/cookbooks/mu-tools/recipes/gcloud.rb +1 -1
  45. data/cookbooks/mu-tools/recipes/nrpe.rb +1 -1
  46. data/cookbooks/mu-tools/recipes/rsyslog.rb +2 -2
  47. data/cookbooks/mu-tools/recipes/set_local_fw.rb +37 -28
  48. data/environments/dev.json +1 -1
  49. data/environments/prod.json +1 -1
  50. data/modules/mu/cleanup.rb +4 -0
  51. data/modules/mu/clouds/aws/container_cluster.rb +3 -0
  52. data/modules/mu/clouds/aws/role.rb +14 -2
  53. data/modules/mu/clouds/aws/userdata/linux.erb +2 -3
  54. data/modules/mu/clouds/aws.rb +30 -14
  55. data/modules/mu.rb +4 -0
  56. metadata +30 -2
@@ -18,7 +18,7 @@
18
18
 
19
19
  if !node['application_attributes']['skip_recipes'].include?('rsyslog')
20
20
  case node['platform_family']
21
- when "rhel", "debian"
21
+ when "rhel", "debian", "amazon"
22
22
  package "rsyslog"
23
23
  package "rsyslog-gnutls"
24
24
  execute "chcon -R -h -t var_log_t /Mu_Logs" do
@@ -29,7 +29,7 @@ if !node['application_attributes']['skip_recipes'].include?('rsyslog')
29
29
  action [:enable, :start]
30
30
  notifies :run, "execute[chcon -R -h -t var_log_t /Mu_Logs]", :immediately
31
31
  end
32
- if platform_family?("rhel")
32
+ if platform_family?("rhel") or platform_family?("amazon")
33
33
  $rsyslog_ssl_ca_path = "/etc/pki/Mu_CA.pem"
34
34
  if !platform?("amazon")
35
35
  package node['platform_version'].to_i < 6 ? "policycoreutils" : "policycoreutils-python"
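Review bot: The new condition at new line 32 uses `or` for boolean logic; `or` has lower precedence than `=` and `!` and is conventionally reserved for control flow, so write it as `if platform_family?("rhel") || platform_family?("amazon")`. With the Amazon family now entering this branch, the inner `if !platform?("amazon")` at new line 34 is what keeps the policycoreutils package RHEL-only, so Amazon hosts get only the `$rsyslog_ssl_ca_path` assignment here; the rest of that branch, and the enclosing `if` from new line 19, continue outside the hunk.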
@@ -16,42 +16,51 @@
16
16
  # See the License for the specific language governing permissions and
17
17
  # limitations under the License.
18
18
 
19
+ if !node['application_attributes']['skip_recipes'].include?('set_local_fw')
20
+ master_ips = get_mu_master_ips
21
+ case node['platform_family']
22
+ when 'rhel', 'amazon'
23
+ include_recipe 'mu-firewall'
19
24
 
20
- master_ips = get_mu_master_ips
21
- case node['platform']
22
- when platform_family?('rhel')
23
- include_recipe 'mu-firewall'
24
-
25
- if elversion >= 7 # Can use firewalld, but not if iptables is already rigged
26
- package "firewall-config" do
27
- not_if "/bin/systemctl list-units | grep iptables.service"
25
+ if elversion >= 7 and node['platform_family'] != "amazon" # Can use firewalld, but not if iptables is already rigged
26
+ package "firewall-config" do
27
+ not_if "/bin/systemctl list-units | grep iptables.service"
28
+ end
29
+ execute "restart FirewallD" do # ...but only if iptables isn't live
30
+ command "/bin/firewall-cmd --reload"
31
+ action :nothing
32
+ not_if "/bin/systemctl list-units | grep iptables.service"
33
+ only_if { ::File.exist?("/bin/firewall-cmd") }
34
+ end
28
35
  end
29
- execute "restart FirewallD" do # ...but only if iptables isn't live
30
- command "/bin/firewall-cmd --reload"
31
- action :nothing
32
- not_if "/bin/systemctl list-units | grep iptables.service"
33
- only_if { ::File.exist?("/bin/firewall-cmd") }
36
+
37
+ if elversion <= 6
38
+ firewall_rule "Allow loopback in" do
39
+ raw "-A INPUT -i lo -j ACCEPT"
40
+ end
41
+
42
+ firewall_rule "Allow loopback out" do
43
+ raw "-A OUTPUT -o lo -j ACCEPT"
44
+ end
34
45
  end
35
- end
36
46
 
37
- if elversion <= 6
38
- firewall_rule "Allow loopback in" do
39
- raw "-A INPUT -i lo -j ACCEPT"
47
+ firewall_rule "Allow eth0 out" do
48
+ raw "-A OUTPUT -o eth0 -j ACCEPT"
40
49
  end
41
50
 
42
- firewall_rule "Allow loopback out" do
43
- raw "-A OUTPUT -o lo -j ACCEPT"
51
+ firewall_rule "Allow established connections" do
52
+ raw "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
44
53
  end
45
- end
46
54
 
47
- opento = master_ips.map { |x| "#{x}/32"}
55
+ opento = master_ips.map { |x| "#{x}/32"}
48
56
 
49
- opento.uniq.each { |src|
50
- [:tcp, :udp, :icmp].each { |proto|
51
- firewall_rule "allow all #{src} #{proto} traffic" do
52
- source src
53
- protocol proto
54
- end
57
+ opento.uniq.each { |src|
58
+ [:tcp, :udp, :icmp].each { |proto|
59
+ firewall_rule "allow all #{src} #{proto} traffic" do
60
+ source src
61
+ protocol proto
62
+ end
63
+ }
55
64
  }
56
- }
65
+ end
57
66
  end
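Review bot: The new `firewall_rule "Allow eth0 out"` at new line 47 hard-codes the interface name, so on hosts whose primary interface is not `eth0` (predictable names such as `ens5` are common on newer images) the rule matches nothing and outbound traffic falls back to whatever the chain's default policy is; deriving the name from Ohai, `raw "-A OUTPUT -o #{node['network']['default_interface']} -j ACCEPT"`, keeps the rule tied to the live interface. The guard at new line 25 should use `&&` rather than `and`: `if elversion >= 7 && node['platform_family'] != "amazon"`. Worth noting in the changelog that the removed `case node['platform']` / `when platform_family?('rhel')` compared a boolean against the platform string and so never matched, which means the `firewall_rule` resources below are effectively being enabled for the first time by this change.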
@@ -1,5 +1,5 @@
1
1
  {
2
- "name": "DEV",
2
+ "name": "dev",
3
3
  "default_attributes": {
4
4
  },
5
5
  "json_class": "Chef::Environment",
@@ -1,5 +1,5 @@
1
1
  {
2
- "name": "PROD",
2
+ "name": "prod",
3
3
  "default_attributes": {
4
4
  },
5
5
  "json_class": "Chef::Environment",
@@ -157,6 +157,10 @@ module MU
157
157
  rescue MU::MuError, NoMethodError => e
158
158
  MU.log e.message, MU::WARN
159
159
  next
160
+ rescue ::Aws::EC2::Errors::AuthFailure => e
161
+ # AWS has been having transient auth problems with ap-east-1 lately
162
+ MU.log e.message+" in "+r, MU::ERR
163
+ next
160
164
  end
161
165
 
162
166
  if @mommacat.nil? or @mommacat.numKittens(types: [t]) > 0
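Review bot: Rescuing `::Aws::EC2::Errors::AuthFailure` at new line 160 and immediately `next`-ing means a region that fails to authenticate is skipped, so in a cleanup pass any resources in that region are left behind while the run otherwise proceeds; since the comment calls the failures transient, a bounded retry (two or three attempts with a short sleep) before giving up would fit the stated cause better than a straight skip. The message `e.message+" in "+r` also assumes `r` is a String and raises TypeError otherwise; `"#{e.message} in #{r}"` is robust either way. The enclosing loop and method start and end outside this hunk.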
@@ -586,6 +586,9 @@ module MU
586
586
  "sgs" => ["container_cluster#{cluster['name']}"],
587
587
  "port_range" => "1-65535"
588
588
  ]
589
+ worker_pool["application_attributes"] ||= {}
590
+ worker_pool["application_attributes"]["skip_recipes"] ||= []
591
+ worker_pool["application_attributes"]["skip_recipes"] << "set_local_fw"
589
592
  end
590
593
  if cluster["vpc"]
591
594
  worker_pool["vpc"] = cluster["vpc"].dup
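Review bot: `worker_pool["application_attributes"]["skip_recipes"] << "set_local_fw"` at new line 591 mutates the array in place, so if `skip_recipes` was shallow-copied from the `cluster` config (the `cluster["vpc"].dup` just below suggests `worker_pool` is derived from it) the parent's list changes as well, and re-running the step appends duplicates; `worker_pool["application_attributes"]["skip_recipes"] |= ["set_local_fw"]` avoids both. Because this disables the host firewall on every worker node, the security group built at new lines 586-588 becomes the only network control for them, which is worth stating in place: `# workers rely on the security group above instead of the host firewall`. The enclosing method is outside the hunk.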
@@ -37,6 +37,10 @@ module MU
37
37
  def create
38
38
  if @config['iam_policies']
39
39
  @config['iam_policies'].each { |policy|
40
+ policy.values.each { |p|
41
+ p["Version"] ||= "2012-10-17"
42
+ }
43
+
40
44
  policy_name = @mu_name+"-"+policy.keys.first.upcase
41
45
  MU.log "Creating IAM policy #{policy_name}"
42
46
  resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
@@ -111,6 +115,9 @@ module MU
111
115
 
112
116
  if @config['iam_policies']
113
117
  @config['iam_policies'].each { |policy|
118
+ policy.values.each { |p|
119
+ p["Version"] ||= "2012-10-17"
120
+ }
114
121
  policy_name = @mu_name+"-"+policy.keys.first.upcase
115
122
 
116
123
  arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":policy/#{@deploy.deploy_id}/#{policy_name}"
@@ -207,6 +214,7 @@ module MU
207
214
  if !policy.match(/^#{@deploy.deploy_id}/)
208
215
  policy = @mu_name+"-"+policy.upcase
209
216
  end
217
+
210
218
  my_policies = cloud_desc["policies"]
211
219
  my_policies.each { |p|
212
220
  if p.policy_name == policy
@@ -224,15 +232,19 @@ module MU
224
232
  type: target["type"]
225
233
  )
226
234
  sibling.cloudobj.arn
227
- else
235
+ elsif target.is_a?(Hash)
228
236
  target['identifier']
237
+ else
238
+ target
229
239
  end
230
- if sibling and !s["Resource"].include?(targetstr)
240
+
241
+ if targetstr and !s["Resource"].include?(targetstr)
231
242
  s["Resource"] << targetstr
232
243
  need_update = true
233
244
  end
234
245
  }
235
246
  }
247
+
236
248
  if need_update
237
249
  MU.log "Updating IAM policy #{policy} to grant permissions on #{targets.to_s}", details: doc
238
250
  update_policy(p.arn, doc)
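Review bot: The new `else target` branch at new line 238 together with `if targetstr and !s["Resource"].include?(targetstr)` at new line 241 means a target that is neither a sibling resource nor a Hash is appended to the policy's `Resource` list verbatim, so any string the config supplies (a wildcard included) widens the grant with no check, where previously only sibling-resolved ARNs were added. If literal ARNs are the intended case, guard it, e.g. `elsif target.is_a?(String) && target.start_with?("arn:") then target`, and log anything that falls through. `s["Resource"]` may also be a String rather than an Array in an IAM document, in which case `include?` is a substring test and `<<` concatenates; normalising with `s["Resource"] = Array(s["Resource"])` before the loop avoids that. The `p["Version"] ||= "2012-10-17"` default added at new lines 40-42 and 118-120 is duplicated and could live in one private helper, and `and` should be `&&`. The enclosing method starts and ends outside the hunk.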
@@ -66,7 +66,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then
66
66
  version=6
67
67
  fi
68
68
  fi
69
- if [ $version -eq 7 ];then
69
+ if [ "$version" == "7" ];then
70
70
  userdata_dir="/var/lib/cloud/instances/$instance_id"
71
71
  else
72
72
  userdata_dir="/var/lib/cloud/instance"
@@ -79,7 +79,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then
79
79
 
80
80
  sed -i 's/^Defaults.*requiretty$/Defaults !requiretty/' /etc/sudoers
81
81
 
82
- if [ $version == 7 ];then
82
+ if [ "$version" == "7" ];then
83
83
  chmod 755 /etc/rc.d/rc.local
84
84
  systemctl reset-failed sshd.service
85
85
  fi
@@ -161,7 +161,6 @@ if [ "$need_reboot" == "1" ];then
161
161
  shutdown -r now "Applying new kernel"
162
162
  fi
163
163
  <% end %>
164
- fi
165
164
 
166
165
  if [ "$AWSCLI" != "" ];then
167
166
  $AWSCLI --region="$region" s3 cp s3://<%= MU.adminBucketName %>/<%= $mu.muID %>-secret .
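Review bot: The rewritten tests at new lines 69 and 82 use `==` inside `[ ]`, which is a bash extension rather than POSIX `test`; if this user-data script is ever run by a `/bin/sh` that is dash, the comparison fails with a syntax error. `if [ "$version" = "7" ];then` is portable and keeps the quoting fix that motivated the change. The shebang is outside the hunk, so whether this can bite depends on the interpreter the template declares.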
@@ -142,6 +142,13 @@ module MU
142
142
  [:arn]
143
143
  end
144
144
 
145
+ # Given an AWS region, check the API to make sure it's a valid one
146
+ # @param r [String]
147
+ # @return [String]
148
+ def self.validate_region(r)
149
+ MU::Cloud::AWS.ec2(region: r).describe_availability_zones.availability_zones.first.region_name
150
+ end
151
+
145
152
  # If we've configured AWS as a provider, or are simply hosted in AWS,
146
153
  # decide what our default region is.
147
154
  def self.myRegion
@@ -151,12 +158,6 @@ module MU
151
158
  return nil
152
159
  end
153
160
 
154
- # Given an AWS region, check the API to make sure it's a valid one
155
- # @param r [String]
156
- # @return [String]
157
- def self.validate_region(r)
158
- MU::Cloud::AWS.ec2(region: r).describe_availability_zones.availability_zones.first.region_name
159
- end
160
161
 
161
162
  if $MU_CFG and $MU_CFG['aws']
162
163
  $MU_CFG['aws'].each_pair { |credset, cfg|
@@ -537,6 +538,7 @@ module MU
537
538
  end
538
539
 
539
540
  @@regions = {}
541
+ @@regions_semaphore = Mutex.new
540
542
  # List the Amazon Web Services region names available to this account. The
541
543
  # region that is local to this Mu server will be listed first.
542
544
  # @param us_only [Boolean]: Restrict results to United States only
@@ -547,13 +549,20 @@ module MU
547
549
  return [] if credConfig.nil?
548
550
  result = MU::Cloud::AWS.ec2(region: myRegion, credentials: credentials).describe_regions.regions
549
551
  regions = []
550
- result.each { |r|
551
- @@regions[r.region_name] = Proc.new {
552
- listAZs(region: r.region_name, credentials: credentials)
553
- }
552
+ @@regions_semaphore.synchronize {
553
+ begin
554
+ result.each { |r|
555
+ @@regions[r.region_name] = Proc.new {
556
+ listAZs(region: r.region_name, credentials: credentials)
557
+ }
558
+ }
559
+ rescue ::Aws::EC2::Errors::AuthFailure => e
560
+ MU.log "Region #{r.region_name} throws #{e.message}, ignoring it", MU::ERR
561
+ end
554
562
  }
555
563
  end
556
564
 
565
+
557
566
  regions = if us_only
558
567
  @@regions.keys.delete_if { |r| !r.match(/^us\-/) }.uniq
559
568
  else
@@ -589,10 +598,17 @@ module MU
589
598
  if !MU::Cloud::CloudFormation.emitCloudFormation
590
599
  MU::Cloud::AWS.listRegions.each { |region|
591
600
  MU.log "Replicating #{keyname} to EC2 in #{region}", MU::DEBUG, details: @ssh_public_key
592
- MU::Cloud::AWS.ec2(region: region, credentials: credentials).import_key_pair(
593
- key_name: keyname,
594
- public_key_material: public_key
595
- )
601
+ begin
602
+ MU::Cloud::AWS.ec2(region: region, credentials: credentials).import_key_pair(
603
+ key_name: keyname,
604
+ public_key_material: public_key
605
+ )
606
+ rescue ::Aws::EC2::Errors::AuthFailure => e
607
+ @@regions_semaphore.synchronize {
608
+ @@regions.delete(region)
609
+ }
610
+ MU.log "#{region} threw #{e.message}, skipping", MU::ERR
611
+ end
596
612
  }
597
613
  end
598
614
  end
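Review bot: The `rescue ::Aws::EC2::Errors::AuthFailure => e` at new line 559 references `r`, the block parameter of the `result.each` above it, which is not in scope in the rescue clause, so if the rescue ever fires the log line itself raises NameError. It also cannot fire from this `begin` block: the loop body only stores Procs, and the calls that actually hit the API are `describe_regions` at new line 550 (outside the `begin`) and `listAZs`, which runs later when the Proc is invoked. Move the `begin`/`rescue` around `describe_regions` and log `myRegion`, or rescue inside the Proc where `r.region_name` is in scope, so the handler guards the call it is meant to. `@@regions_semaphore` matches the existing `@@regions` class variable, though a class-level instance variable would be the idiomatic choice if these are refactored. The enclosing method begins outside the hunk.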
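--- a/data/modules/mu.rb
+++ b/data/modules/mu.rb
@@ -80,6 +80,10 @@ module MU
   @@myRoot
   end
 
+  # Front our global $MU_CFG hash with a read-only copy
+  def self.muCfg
+    Marshal.load(Marshal.dump($MU_CFG)).freeze
+  end
 
   # The main (root) Mu user's data directory.
   @@mainDataDir = File.expand_path(@@myRoot+"/../var")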
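Review bot: `.freeze` at new line 85 is shallow, so the nested hashes and arrays inside the Marshal copy remain mutable and the comment "read-only copy" overstates the guarantee; a caller can still assign into `MU.muCfg['aws']` without an error (the deep copy merely keeps that write from reaching `$MU_CFG`). Either reword the comment to say the top level is frozen, or freeze the tree recursively as below. `Marshal.load` here only consumes data this process just dumped, so it is not an untrusted-input concern.
```ruby
  # Front our global $MU_CFG hash with a deep, fully frozen copy
  def self.muCfg
    deep_freeze(Marshal.load(Marshal.dump($MU_CFG)))
  end

  # Recursively freeze a Hash/Array tree of plain config values.
  def self.deep_freeze(obj)
    case obj
    when Hash then obj.each_value { |v| deep_freeze(v) }
    when Array then obj.each { |v| deep_freeze(v) }
    end
    obj.freeze
  end
```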
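--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cloud-mu
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.0.2
 platform: ruby
 authors:
 - John Stange
@@ -12,7 +12,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-03-01 00:00:00.000000000 Z
+date: 2019-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: erubis
@@ -399,6 +399,34 @@ files:
 - cookbooks/awscli/metadata.rb
 - cookbooks/awscli/recipes/default.rb
 - cookbooks/awscli/templates/default/config.erb
+- cookbooks/firewall/CHANGELOG.md
+- cookbooks/firewall/CONTRIBUTING.md
+- cookbooks/firewall/MAINTAINERS.md
+- cookbooks/firewall/README.md
+- cookbooks/firewall/attributes/default.rb
+- cookbooks/firewall/attributes/firewalld.rb
+- cookbooks/firewall/attributes/iptables.rb
+- cookbooks/firewall/attributes/ufw.rb
+- cookbooks/firewall/attributes/windows.rb
+- cookbooks/firewall/libraries/helpers.rb
+- cookbooks/firewall/libraries/helpers_firewalld.rb
+- cookbooks/firewall/libraries/helpers_iptables.rb
+- cookbooks/firewall/libraries/helpers_ufw.rb
+- cookbooks/firewall/libraries/helpers_windows.rb
+- cookbooks/firewall/libraries/matchers.rb
+- cookbooks/firewall/libraries/provider_firewall_firewalld.rb
+- cookbooks/firewall/libraries/provider_firewall_iptables.rb
+- cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
+- cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb
+- cookbooks/firewall/libraries/provider_firewall_rule.rb
+- cookbooks/firewall/libraries/provider_firewall_ufw.rb
+- cookbooks/firewall/libraries/provider_firewall_windows.rb
+- cookbooks/firewall/libraries/resource_firewall.rb
+- cookbooks/firewall/libraries/resource_firewall_rule.rb
+- cookbooks/firewall/metadata.json
+- cookbooks/firewall/recipes/default.rb
+- cookbooks/firewall/recipes/disable_firewall.rb
+- cookbooks/firewall/templates/default/ufw/default.erb
 - cookbooks/mu-activedirectory/Berksfile
 - cookbooks/mu-activedirectory/CHANGELOG.md
 - cookbooks/mu-activedirectory/LICENSE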