cloud-mu 3.1.3 → 3.3.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (212) hide show
  1. checksums.yaml +4 -4
  2. data/Dockerfile +15 -3
  3. data/ansible/roles/mu-windows/README.md +33 -0
  4. data/ansible/roles/mu-windows/defaults/main.yml +2 -0
  5. data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
  6. data/ansible/roles/mu-windows/files/config.xml +76 -0
  7. data/ansible/roles/mu-windows/handlers/main.yml +2 -0
  8. data/ansible/roles/mu-windows/meta/main.yml +53 -0
  9. data/ansible/roles/mu-windows/tasks/main.yml +36 -0
  10. data/ansible/roles/mu-windows/tests/inventory +2 -0
  11. data/ansible/roles/mu-windows/tests/test.yml +5 -0
  12. data/ansible/roles/mu-windows/vars/main.yml +2 -0
  13. data/bin/mu-adopt +21 -13
  14. data/bin/mu-azure-tests +57 -0
  15. data/bin/mu-cleanup +2 -4
  16. data/bin/mu-configure +52 -0
  17. data/bin/mu-deploy +3 -3
  18. data/bin/mu-findstray-tests +25 -0
  19. data/bin/mu-gen-docs +2 -4
  20. data/bin/mu-load-config.rb +4 -4
  21. data/bin/mu-node-manage +15 -16
  22. data/bin/mu-run-tests +147 -37
  23. data/cloud-mu.gemspec +22 -20
  24. data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
  25. data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
  26. data/cookbooks/mu-tools/libraries/helper.rb +3 -2
  27. data/cookbooks/mu-tools/libraries/monkey.rb +35 -0
  28. data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
  29. data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
  30. data/cookbooks/mu-tools/recipes/eks.rb +2 -2
  31. data/cookbooks/mu-tools/recipes/google_api.rb +2 -2
  32. data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
  33. data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
  34. data/cookbooks/mu-tools/resources/disk.rb +1 -1
  35. data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
  36. data/extras/clean-stock-amis +25 -19
  37. data/extras/generate-stock-images +1 -0
  38. data/extras/image-generators/AWS/win2k12.yaml +18 -13
  39. data/extras/image-generators/AWS/win2k16.yaml +18 -13
  40. data/extras/image-generators/AWS/win2k19.yaml +21 -0
  41. data/extras/image-generators/Google/centos6.yaml +1 -0
  42. data/extras/image-generators/Google/centos7.yaml +1 -1
  43. data/modules/mommacat.ru +6 -16
  44. data/modules/mu.rb +158 -111
  45. data/modules/mu/adoption.rb +404 -71
  46. data/modules/mu/cleanup.rb +221 -306
  47. data/modules/mu/cloud.rb +129 -1633
  48. data/modules/mu/cloud/database.rb +49 -0
  49. data/modules/mu/cloud/dnszone.rb +44 -0
  50. data/modules/mu/cloud/machine_images.rb +212 -0
  51. data/modules/mu/cloud/providers.rb +81 -0
  52. data/modules/mu/cloud/resource_base.rb +926 -0
  53. data/modules/mu/cloud/server.rb +40 -0
  54. data/modules/mu/cloud/server_pool.rb +1 -0
  55. data/modules/mu/cloud/ssh_sessions.rb +228 -0
  56. data/modules/mu/cloud/winrm_sessions.rb +237 -0
  57. data/modules/mu/cloud/wrappers.rb +169 -0
  58. data/modules/mu/config.rb +171 -1767
  59. data/modules/mu/config/alarm.rb +2 -6
  60. data/modules/mu/config/bucket.rb +32 -3
  61. data/modules/mu/config/cache_cluster.rb +2 -2
  62. data/modules/mu/config/cdn.rb +100 -0
  63. data/modules/mu/config/collection.rb +4 -4
  64. data/modules/mu/config/container_cluster.rb +9 -4
  65. data/modules/mu/config/database.rb +84 -105
  66. data/modules/mu/config/database.yml +1 -2
  67. data/modules/mu/config/dnszone.rb +10 -9
  68. data/modules/mu/config/doc_helpers.rb +516 -0
  69. data/modules/mu/config/endpoint.rb +5 -4
  70. data/modules/mu/config/firewall_rule.rb +103 -4
  71. data/modules/mu/config/folder.rb +4 -4
  72. data/modules/mu/config/function.rb +19 -10
  73. data/modules/mu/config/group.rb +4 -4
  74. data/modules/mu/config/habitat.rb +4 -4
  75. data/modules/mu/config/job.rb +89 -0
  76. data/modules/mu/config/loadbalancer.rb +60 -14
  77. data/modules/mu/config/log.rb +4 -4
  78. data/modules/mu/config/msg_queue.rb +4 -4
  79. data/modules/mu/config/nosqldb.rb +4 -4
  80. data/modules/mu/config/notifier.rb +10 -21
  81. data/modules/mu/config/ref.rb +411 -0
  82. data/modules/mu/config/role.rb +4 -4
  83. data/modules/mu/config/schema_helpers.rb +509 -0
  84. data/modules/mu/config/search_domain.rb +4 -4
  85. data/modules/mu/config/server.rb +98 -71
  86. data/modules/mu/config/server.yml +1 -0
  87. data/modules/mu/config/server_pool.rb +5 -9
  88. data/modules/mu/config/storage_pool.rb +1 -1
  89. data/modules/mu/config/tail.rb +200 -0
  90. data/modules/mu/config/user.rb +4 -4
  91. data/modules/mu/config/vpc.rb +71 -27
  92. data/modules/mu/config/vpc.yml +0 -1
  93. data/modules/mu/defaults/AWS.yaml +91 -68
  94. data/modules/mu/defaults/Azure.yaml +1 -0
  95. data/modules/mu/defaults/Google.yaml +3 -2
  96. data/modules/mu/deploy.rb +43 -26
  97. data/modules/mu/groomer.rb +17 -2
  98. data/modules/mu/groomers/ansible.rb +188 -41
  99. data/modules/mu/groomers/chef.rb +116 -55
  100. data/modules/mu/logger.rb +127 -148
  101. data/modules/mu/master.rb +410 -2
  102. data/modules/mu/master/chef.rb +3 -4
  103. data/modules/mu/master/ldap.rb +3 -3
  104. data/modules/mu/master/ssl.rb +12 -3
  105. data/modules/mu/mommacat.rb +218 -2612
  106. data/modules/mu/mommacat/daemon.rb +403 -0
  107. data/modules/mu/mommacat/naming.rb +473 -0
  108. data/modules/mu/mommacat/search.rb +495 -0
  109. data/modules/mu/mommacat/storage.rb +722 -0
  110. data/modules/mu/{clouds → providers}/README.md +1 -1
  111. data/modules/mu/{clouds → providers}/aws.rb +380 -122
  112. data/modules/mu/{clouds → providers}/aws/alarm.rb +7 -5
  113. data/modules/mu/{clouds → providers}/aws/bucket.rb +297 -59
  114. data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +37 -71
  115. data/modules/mu/providers/aws/cdn.rb +782 -0
  116. data/modules/mu/{clouds → providers}/aws/collection.rb +26 -25
  117. data/modules/mu/{clouds → providers}/aws/container_cluster.rb +724 -744
  118. data/modules/mu/providers/aws/database.rb +1744 -0
  119. data/modules/mu/{clouds → providers}/aws/dnszone.rb +88 -70
  120. data/modules/mu/providers/aws/endpoint.rb +1072 -0
  121. data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +220 -247
  122. data/modules/mu/{clouds → providers}/aws/folder.rb +8 -8
  123. data/modules/mu/{clouds → providers}/aws/function.rb +300 -142
  124. data/modules/mu/{clouds → providers}/aws/group.rb +31 -29
  125. data/modules/mu/{clouds → providers}/aws/habitat.rb +18 -15
  126. data/modules/mu/providers/aws/job.rb +466 -0
  127. data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +66 -56
  128. data/modules/mu/{clouds → providers}/aws/log.rb +17 -14
  129. data/modules/mu/{clouds → providers}/aws/msg_queue.rb +29 -19
  130. data/modules/mu/{clouds → providers}/aws/nosqldb.rb +114 -16
  131. data/modules/mu/{clouds → providers}/aws/notifier.rb +142 -65
  132. data/modules/mu/{clouds → providers}/aws/role.rb +158 -118
  133. data/modules/mu/{clouds → providers}/aws/search_domain.rb +201 -59
  134. data/modules/mu/{clouds → providers}/aws/server.rb +844 -1139
  135. data/modules/mu/{clouds → providers}/aws/server_pool.rb +74 -65
  136. data/modules/mu/{clouds → providers}/aws/storage_pool.rb +26 -44
  137. data/modules/mu/{clouds → providers}/aws/user.rb +24 -25
  138. data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
  139. data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
  140. data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
  141. data/modules/mu/{clouds → providers}/aws/vpc.rb +525 -931
  142. data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
  143. data/modules/mu/{clouds → providers}/azure.rb +29 -9
  144. data/modules/mu/{clouds → providers}/azure/container_cluster.rb +3 -8
  145. data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +18 -11
  146. data/modules/mu/{clouds → providers}/azure/habitat.rb +8 -6
  147. data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +5 -5
  148. data/modules/mu/{clouds → providers}/azure/role.rb +8 -10
  149. data/modules/mu/{clouds → providers}/azure/server.rb +97 -49
  150. data/modules/mu/{clouds → providers}/azure/user.rb +6 -8
  151. data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
  152. data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
  153. data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
  154. data/modules/mu/{clouds → providers}/azure/vpc.rb +16 -21
  155. data/modules/mu/{clouds → providers}/cloudformation.rb +18 -7
  156. data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
  157. data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
  158. data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
  159. data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
  160. data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
  161. data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
  162. data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
  163. data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
  164. data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
  165. data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
  166. data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +5 -7
  167. data/modules/mu/{clouds → providers}/docker.rb +0 -0
  168. data/modules/mu/{clouds → providers}/google.rb +68 -30
  169. data/modules/mu/{clouds → providers}/google/bucket.rb +13 -15
  170. data/modules/mu/{clouds → providers}/google/container_cluster.rb +85 -78
  171. data/modules/mu/{clouds → providers}/google/database.rb +11 -21
  172. data/modules/mu/{clouds → providers}/google/firewall_rule.rb +15 -14
  173. data/modules/mu/{clouds → providers}/google/folder.rb +20 -17
  174. data/modules/mu/{clouds → providers}/google/function.rb +140 -168
  175. data/modules/mu/{clouds → providers}/google/group.rb +29 -34
  176. data/modules/mu/{clouds → providers}/google/habitat.rb +21 -22
  177. data/modules/mu/{clouds → providers}/google/loadbalancer.rb +19 -21
  178. data/modules/mu/{clouds → providers}/google/role.rb +94 -58
  179. data/modules/mu/{clouds → providers}/google/server.rb +243 -156
  180. data/modules/mu/{clouds → providers}/google/server_pool.rb +26 -45
  181. data/modules/mu/{clouds → providers}/google/user.rb +95 -31
  182. data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
  183. data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
  184. data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
  185. data/modules/mu/{clouds → providers}/google/vpc.rb +103 -79
  186. data/modules/tests/aws-jobs-functions.yaml +46 -0
  187. data/modules/tests/bucket.yml +4 -0
  188. data/modules/tests/centos6.yaml +15 -0
  189. data/modules/tests/centos7.yaml +15 -0
  190. data/modules/tests/centos8.yaml +12 -0
  191. data/modules/tests/ecs.yaml +23 -0
  192. data/modules/tests/eks.yaml +1 -1
  193. data/modules/tests/functions/node-function/lambda_function.js +10 -0
  194. data/modules/tests/functions/python-function/lambda_function.py +12 -0
  195. data/modules/tests/includes-and-params.yaml +2 -1
  196. data/modules/tests/microservice_app.yaml +288 -0
  197. data/modules/tests/rds.yaml +108 -0
  198. data/modules/tests/regrooms/aws-iam.yaml +201 -0
  199. data/modules/tests/regrooms/bucket.yml +19 -0
  200. data/modules/tests/regrooms/rds.yaml +123 -0
  201. data/modules/tests/server-with-scrub-muisms.yaml +2 -1
  202. data/modules/tests/super_complex_bok.yml +2 -2
  203. data/modules/tests/super_simple_bok.yml +3 -5
  204. data/modules/tests/win2k12.yaml +17 -5
  205. data/modules/tests/win2k16.yaml +25 -0
  206. data/modules/tests/win2k19.yaml +25 -0
  207. data/requirements.txt +1 -0
  208. data/spec/mu/clouds/azure_spec.rb +2 -2
  209. metadata +240 -154
  210. data/extras/image-generators/AWS/windows.yaml +0 -18
  211. data/modules/mu/clouds/aws/database.rb +0 -1985
  212. data/modules/mu/clouds/aws/endpoint.rb +0 -592
data/modules/mu/{clouds → providers}/aws/user.rb RENAMED
@@ -37,7 +37,7 @@ module MU
37
37
  if !@config['use_if_exists']
38
38
  raise MuError, "IAM user #{@mu_name} already exists and use_if_exists is false"
39
39
  end
40
- rescue Aws::IAM::Errors::NoSuchEntity => e
40
+ rescue Aws::IAM::Errors::NoSuchEntity
41
41
  @config['path'] ||= "/"+@deploy.deploy_id+"/"
42
42
  MU.log "Creating IAM user #{@config['path']}/#{@mu_name}"
43
43
  tags = get_tag_params
@@ -109,7 +109,7 @@ module MU
109
109
  # Create these if necessary, then append them to the list of
110
110
  # attachable_policies
111
111
  if @config['raw_policies']
112
- pol_arns = MU::Cloud::AWS::Role.manageRawPolicies(
112
+ pol_arns = MU::Cloud.resourceClass("AWS", "Role").manageRawPolicies(
113
113
  @config['raw_policies'],
114
114
  basename: @deploy.getResourceName(@config['name']),
115
115
  credentials: @credentials
@@ -120,7 +120,7 @@ module MU
120
120
 
121
121
  if @config['attachable_policies']
122
122
  configured_policies = @config['attachable_policies'].map { |p|
123
- id = if p.is_a?(MU::Config::Ref)
123
+ if p.is_a?(MU::Config::Ref)
124
124
  p.cloud_id
125
125
  else
126
126
  p = MU::Config::Ref.get(p)
@@ -135,7 +135,7 @@ module MU
135
135
  attached_policies.each { |a|
136
136
  if !configured_policies.include?(a.policy_arn)
137
137
  MU.log "Removing IAM policy #{a.policy_arn} from user #{@mu_name}", MU::NOTICE
138
- MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @credentials)
138
+ MU::Cloud.resourceClass("AWS", "Role").purgePolicy(a.policy_arn, @credentials)
139
139
  else
140
140
  configured_policies.delete(a.policy_arn)
141
141
  end
@@ -151,7 +151,7 @@ module MU
151
151
  end
152
152
 
153
153
  if @config['inline_policies']
154
- docs = MU::Cloud::AWS::Role.genPolicyDocument(@config['inline_policies'], deploy_obj: @deploy)
154
+ docs = MU::Cloud.resourceClass("AWS", "Role").genPolicyDocument(@config['inline_policies'], deploy_obj: @deploy)
155
155
  docs.each { |doc|
156
156
  MU.log "Putting user policy #{doc.keys.first} to user #{@cloud_id} "
157
157
  MU::Cloud::AWS.iam(credentials: @credentials).put_user_policy(
@@ -189,17 +189,17 @@ module MU
189
189
  # Remove all users associated with the currently loaded deployment.
190
190
  # @param noop [Boolean]: If true, will only print what would be done
191
191
  # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
192
- # @param region [String]: The cloud provider region
193
192
  # @return [void]
194
- def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
193
+ def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
194
+ MU.log "AWS::User.cleanup: need to support flags['known']", MU::DEBUG, details: flags
195
195
 
196
196
  # XXX this doesn't belong here; maybe under roles, maybe as its own stupid first-class resource
197
197
  resp = MU::Cloud::AWS.iam(credentials: credentials).list_policies(
198
- path_prefix: "/"+MU.deploy_id+"/"
198
+ path_prefix: "/"+deploy_id+"/"
199
199
  )
200
200
  if resp and resp.policies
201
201
  resp.policies.each { |policy|
202
- MU.log "Deleting policy /#{MU.deploy_id}/#{policy.policy_name}"
202
+ MU.log "Deleting policy /#{deploy_id}/#{policy.policy_name}"
203
203
  if !noop
204
204
  attachments = begin
205
205
  MU::Cloud::AWS.iam(credentials: credentials).list_entities_for_policy(
@@ -257,7 +257,7 @@ module MU
257
257
  }
258
258
  retry
259
259
  rescue ::Aws::IAM::Errors::NoSuchEntity
260
- rescue Exception => e
260
+ rescue StandardError => e
261
261
  MU.log e.inspect, MU::ERR, details: policy
262
262
  end
263
263
  end
@@ -275,14 +275,17 @@ MU.log e.inspect, MU::ERR, details: policy
275
275
  ).tags
276
276
  has_nodelete = false
277
277
  has_ourdeploy = false
278
+ has_ourmaster = false
278
279
  tags.each { |tag|
279
- if tag.key == "MU-ID" and tag.value == MU.deploy_id
280
+ if tag.key == "MU-ID" and tag.value == deploy_id
280
281
  has_ourdeploy = true
282
+ elsif tag.key == "MU-MASTER-IP" and tag.value == MU.mu_public_ip
283
+ has_ourmaster = true
281
284
  elsif tag.key == "MU-NO-DELETE" and tag.value == "true"
282
285
  has_nodelete = true
283
286
  end
284
287
  }
285
- if has_ourdeploy and !has_nodelete
288
+ if has_ourdeploy and !has_nodelete and (ignoremaster or has_ourmaster)
286
289
  MU.log "Deleting IAM user #{u.path}#{u.user_name}"
287
290
  if !@noop
288
291
  begin
@@ -296,7 +299,7 @@ MU.log e.inspect, MU::ERR, details: policy
296
299
  group_name: g.group_name
297
300
  )
298
301
  }
299
- profile = MU::Cloud::AWS.iam(credentials: credentials).get_login_profile(
302
+ MU::Cloud::AWS.iam(credentials: credentials).get_login_profile(
300
303
  user_name: u.user_name
301
304
  )
302
305
  MU.log "Deleting IAM login profile for #{u.user_name}"
@@ -381,7 +384,7 @@ MU.log e.inspect, MU::ERR, details: policy
381
384
  # Reverse-map our cloud description into a runnable config hash.
382
385
  # We assume that any values we have in +@config+ are placeholders, and
383
386
  # calculate our own accordingly based on what's live in the cloud.
384
- def toKitten(rootparent: nil, billing: nil, habitats: nil)
387
+ def toKitten(**_args)
385
388
  bok = {
386
389
  "cloud" => "AWS",
387
390
  "credentials" => @credentials,
@@ -428,7 +431,7 @@ MU.log e.inspect, MU::ERR, details: policy
428
431
  resp.policy_names.each { |pol_name|
429
432
  pol = MU::Cloud::AWS.iam(credentials: @credentials).get_user_policy(user_name: @cloud_id, policy_name: pol_name)
430
433
  doc = JSON.parse(URI.decode(pol.policy_document))
431
- bok["inline_policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["inline_policies"])
434
+ bok["inline_policies"] = MU::Cloud.resourceClass("AWS", "Role").doc2MuPolicies(pol.policy_name, doc, bok["inline_policies"])
432
435
  }
433
436
  end
434
437
 
@@ -457,12 +460,12 @@ MU.log e.inspect, MU::ERR, details: policy
457
460
  end
458
461
 
459
462
  # Cloud-specific configuration properties.
460
- # @param config [MU::Config]: The calling MU::Config object
463
+ # @param _config [MU::Config]: The calling MU::Config object
461
464
  # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
462
- def self.schema(config)
465
+ def self.schema(_config)
463
466
  toplevel_required = []
464
467
  polschema = MU::Config::Role.schema["properties"]["policies"]
465
- polschema.deep_merge!(MU::Cloud::AWS::Role.condition_schema)
468
+ polschema.deep_merge!(MU::Cloud.resourceClass("AWS", "Role").condition_schema)
466
469
 
467
470
  schema = {
468
471
  "inline_policies" => polschema,
@@ -514,7 +517,7 @@ style long name, like +IAMTESTS-DEV-2018112815-IS-USER-FOO+"
514
517
  # If we're attaching some managed policies, make sure all of the ones
515
518
  # that should already exist do indeed exist
516
519
  if user['attachable_policies']
517
- ok = false if !MU::Cloud::AWS::Role.validateAttachablePolicies(
520
+ ok = false if !MU::Cloud.resourceClass("AWS", "Role").validateAttachablePolicies(
518
521
  user['attachable_policies'],
519
522
  credentials: user['credentials'],
520
523
  region: user['region']
@@ -527,7 +530,7 @@ style long name, like +IAMTESTS-DEV-2018112815-IS-USER-FOO+"
527
530
  if configurator.haveLitterMate?(group, "groups")
528
531
  need_dependency = true
529
532
  else
530
- found = MU::Cloud::AWS::Group.find(cloud_id: group)
533
+ found = MU::Cloud.resourceClass("AWS", "Group").find(cloud_id: group)
531
534
  if found.nil? or found.empty? or (configurator.updating and
532
535
  found.values.first.group.path == "/"+configurator.updating+"/")
533
536
  groupdesc = {
@@ -539,11 +542,7 @@ style long name, like +IAMTESTS-DEV-2018112815-IS-USER-FOO+"
539
542
  end
540
543
 
541
544
  if need_dependency
542
- user["dependencies"] ||= []
543
- user["dependencies"] << {
544
- "type" => "group",
545
- "name" => group
546
- }
545
+ MU::Config.addDependency(user, group, "group")
547
546
  end
548
547
  }
549
548
  end
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb RENAMED
@@ -42,7 +42,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then
42
42
  <% if !$mu.skipApplyUpdates %>
43
43
  set +e
44
44
  if [ ! -f /.mu-installer-ran-updates ];then
45
- service ssh stop
45
+ echo "Applying package updates" > /etc/nologin
46
46
  apt-get --fix-missing -y upgrade
47
47
  touch /.mu-installer-ran-updates
48
48
  if [ $? -eq 0 ]
@@ -58,7 +58,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then
58
58
  else
59
59
  echo "FAILED PACKAGE UPDATE" >&2
60
60
  fi
61
- service ssh start
61
+ rm -f /etc/nologin
62
62
  fi
63
63
  <% end %>
64
64
  elif [ -x /usr/bin/yum ];then
@@ -94,7 +94,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then
94
94
  <% if !$mu.skipApplyUpdates %>
95
95
  set +e
96
96
  if [ ! -f /.mu-installer-ran-updates ];then
97
- service sshd stop
97
+ echo "Applying package updates" > /etc/nologin
98
98
  kernel_update=`yum list updates | grep kernel`
99
99
  yum -y update
100
100
  touch /.mu-installer-ran-updates
@@ -108,7 +108,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then
108
108
  else
109
109
  echo "FAILED PACKAGE UPDATE" >&2
110
110
  fi
111
- service sshd start
111
+ rm -f /etc/nologin
112
112
  fi
113
113
  <% end %>
114
114
  fi
@@ -116,6 +116,7 @@ else
116
116
  /bin/logger "***** Unable to verify internet connectivity, skipping package updates from userdata"
117
117
  touch /.mu-installer-ran-updates
118
118
  fi
119
+ rm -f /etc/nologin
119
120
 
120
121
  AWSCLI='command -v aws'
121
122
  PIP='command -v pip'
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb RENAMED
@@ -23,7 +23,7 @@ function log
23
23
  }
24
24
 
25
25
  function fetchSecret([string]$file){
26
- log "Fetching s3://<%= $mu.adminBucketName %>/$file to $tmp/$file"
26
+ log "aws.cmd --region $region s3 cp s3://<%= $mu.adminBucketName %>/$file $tmp/$file"
27
27
  aws.cmd --region $region s3 cp s3://<%= $mu.adminBucketName %>/$file $tmp/$file
28
28
  }
29
29
 
@@ -245,6 +245,7 @@ if($ingroup -ne $admin_username){
245
245
  net localgroup WinRMRemoteWMIUsers__ /add $admin_username
246
246
  }
247
247
 
248
+ importCert "$myname-winrm.crt" "root"
248
249
  $winrmcert = importCert "$myname-winrm.crt" "TrustedPeople"
249
250
  Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true
250
251
  Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Value 1
data/modules/mu/{clouds → providers}/aws/vpc.rb RENAMED
@@ -18,6 +18,7 @@ module MU
18
18
 
19
19
  # Creation of Virtual Private Clouds and associated artifacts (routes, subnets, etc).
20
20
  class VPC < MU::Cloud::VPC
21
+ require 'mu/providers/aws/vpc_subnet'
21
22
 
22
23
  # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
23
24
  # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
@@ -35,78 +36,40 @@ module MU
35
36
  def create
36
37
  MU.log "Creating VPC #{@mu_name}", details: @config
37
38
  resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_vpc(cidr_block: @config['ip_block']).vpc
38
- vpc_id = @config['vpc_id'] = resp.vpc_id
39
+ @cloud_id = resp.vpc_id
40
+ @config['vpc_id'] = @cloud_id
39
41
 
40
- MU::Cloud::AWS.createStandardTags(vpc_id, region: @config['region'], credentials: @config['credentials'])
41
- MU::MommaCat.createTag(vpc_id, "Name", @mu_name, region: @config['region'], credentials: @config['credentials'])
42
-
43
- if @config['tags']
44
- @config['tags'].each { |tag|
45
- MU::MommaCat.createTag(vpc_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
46
- }
47
- end
48
-
49
- if @config['optional_tags']
50
- MU::MommaCat.listOptionalTags.each { |key, value|
51
- MU::MommaCat.createTag(vpc_id, key, value, region: @config['region'], credentials: @config['credentials'])
52
- }
53
- end
42
+ tag_me
54
43
 
55
44
  if resp.state != "available"
56
45
  begin
57
- MU.log "Waiting for VPC #{@mu_name} (#{vpc_id}) to be available", MU::NOTICE
46
+ MU.log "Waiting for VPC #{@mu_name} (#{@cloud_id}) to be available", MU::NOTICE
58
47
  sleep 5
59
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpcs(vpc_ids: [vpc_id]).vpcs.first
48
+ resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpcs(vpc_ids: [@cloud_id]).vpcs.first
60
49
  end while resp.state != "available"
61
50
  # There's a default route table that comes with. Let's tag it.
62
51
  resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
63
52
  filters: [
64
53
  {
65
54
  name: "vpc-id",
66
- values: [vpc_id]
55
+ values: [@cloud_id]
67
56
  }
68
57
  ]
69
58
  )
70
59
  resp.route_tables.each { |rtb|
71
- MU::MommaCat.createTag(rtb.route_table_id, "Name", @mu_name+"-#DEFAULTPRIV", region: @config['region'], credentials: @config['credentials'])
72
- if @config['tags']
73
- @config['tags'].each { |tag|
74
- MU::MommaCat.createTag(rtb.route_table_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
75
- }
76
- end
77
-
78
- MU::Cloud::AWS.createStandardTags(rtb.route_table_id, region: @config['region'], credentials: @config['credentials'])
79
-
80
- if @config['optional_tags']
81
- MU::MommaCat.listOptionalTags.each { |key, value|
82
- MU::MommaCat.createTag(rtb.route_table_id, key, value, region: @config['region'], credentials: @config['credentials'])
83
- }
84
- end
60
+ tag_me(rtb.route_table_id, @mu_name+"-#DEFAULTPRIV")
85
61
  }
86
62
  end
87
- @config['vpc_id'] = vpc_id
88
- @cloud_id = vpc_id
89
63
 
90
64
  if @config['create_internet_gateway']
91
65
  MU.log "Creating Internet Gateway #{@mu_name}"
92
66
  resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_internet_gateway
93
67
  internet_gateway_id = resp.internet_gateway.internet_gateway_id
94
68
  sleep 5
95
- MU::Cloud::AWS.createStandardTags(internet_gateway_id, region: @config['region'], credentials: @config['credentials'])
96
- MU::MommaCat.createTag(internet_gateway_id, "Name", @mu_name, region: @config['region'], credentials: @config['credentials'])
97
- if @config['tags']
98
- @config['tags'].each { |tag|
99
- MU::MommaCat.createTag(internet_gateway_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
100
- }
101
- end
102
69
 
103
- if @config['optional_tags']
104
- MU::MommaCat.listOptionalTags.each { |key, value|
105
- MU::MommaCat.createTag(internet_gateway_id, key, value, region: @config['region'], credentials: @config['credentials'])
106
- }
107
- end
70
+ tag_me(internet_gateway_id)
108
71
 
109
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).attach_internet_gateway(vpc_id: vpc_id, internet_gateway_id: internet_gateway_id)
72
+ MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).attach_internet_gateway(vpc_id: @cloud_id, internet_gateway_id: internet_gateway_id)
110
73
  @config['internet_gateway_id'] = internet_gateway_id
111
74
  end
112
75
 
@@ -165,237 +128,35 @@ module MU
165
128
  )
166
129
  end
167
130
 
168
- nat_gateways = []
169
- if !@config['subnets'].nil?
170
- allocation_ids = []
171
- subnet_semaphore = Mutex.new
172
- subnetthreads = Array.new
173
- parent_thread_id = Thread.current.object_id
174
- azs = []
175
- @config['subnets'].each { |subnet|
176
- subnet_name = @config['name']+"-"+subnet['name']
177
- MU.log "Creating Subnet #{subnet_name} (#{subnet['ip_block']})", details: subnet
178
- azs = MU::Cloud::AWS.listAZs(region: @config['region'], credentials: @config['credentials']) if azs.size == 0
179
- if !subnet['availability_zone'].nil?
180
- az = subnet['availability_zone']
181
- else
182
- az = azs.pop
183
- end
184
-
185
- subnetthreads << Thread.new {
186
- MU.dupGlobals(parent_thread_id)
187
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_subnet(
188
- vpc_id: vpc_id,
189
- cidr_block: subnet['ip_block'],
190
- availability_zone: az
191
- ).subnet
192
- subnet_id = subnet['subnet_id'] = resp.subnet_id
193
- MU::Cloud::AWS.createStandardTags(subnet_id, region: @config['region'], credentials: @config['credentials'])
194
- MU::MommaCat.createTag(subnet_id, "Name", @mu_name+"-"+subnet['name'], region: @config['region'], credentials: @config['credentials'])
195
- if @config['tags']
196
- @config['tags'].each { |tag|
197
- MU::MommaCat.createTag(subnet_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
198
- }
199
- end
200
-
201
- if @config['optional_tags']
202
- MU::MommaCat.listOptionalTags.each { |key, value|
203
- MU::MommaCat.createTag(subnet_id, key, value, region: @config['region'], credentials: @config['credentials'])
204
- }
205
- end
206
-
207
- retries = 0
208
- begin
209
- if resp.state != "available"
210
- begin
211
- MU.log "Waiting for Subnet #{subnet_name} (#{subnet_id}) to be available", MU::NOTICE if retries > 0 and (retries % 3) == 0
212
- sleep 5
213
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_subnets(subnet_ids: [subnet_id]).subnets.first
214
- rescue Aws::EC2::Errors::InvalidSubnetIDNotFound => e
215
- sleep 10
216
- retry
217
- end while resp.state != "available"
218
- end
219
- rescue NoMethodError => e
220
- if retries <= 3
221
- MU.log "Got bogus Aws::EmptyResponse error on #{subnet_id} (retries used: #{retries}/3)", MU::WARN
222
- retries = retries + 1
223
- sleep 5
224
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_subnets(subnet_ids: [subnet_id]).subnets.first
225
- retry
226
- else
227
- raise e
228
- end
229
- end
230
-
231
- if !subnet['route_table'].nil?
232
- routes = {}
233
- @config['route_tables'].each { |tbl|
234
- routes[tbl['name']] = tbl
235
- }
236
- if routes.nil? or routes[subnet['route_table']].nil?
237
- MU.log "Subnet #{subnet_name} references non-existent route #{subnet['route_table']}", MU::ERR, details: @deploy.deployment['vpcs']
238
- raise MuError, "deploy failure"
239
- end
240
- MU.log "Associating Route Table '#{subnet['route_table']}' (#{routes[subnet['route_table']]['route_table_id']}) with #{subnet_name}"
241
- retries = 0
242
- begin
243
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).associate_route_table(
244
- route_table_id: routes[subnet['route_table']]['route_table_id'],
245
- subnet_id: subnet_id
246
- )
247
- rescue Aws::EC2::Errors::InvalidRouteTableIDNotFound => e
248
- retries = retries + 1
249
- if retries < 10
250
- sleep 10
251
- retry
252
- else
253
- raise MuError, e.inspect
254
- end
255
- end
256
- end
257
- retries = 0
258
- begin
259
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_subnets(subnet_ids: [subnet_id]).subnets.first
260
- rescue Aws::EC2::Errors::InvalidSubnetIDNotFound => e
261
- if retries < 10
262
- MU.log "Got #{e.inspect}, waiting and retrying", MU::WARN
263
- sleep 10
264
- retries = retries + 1
265
- retry
266
- end
267
- raise MuError, e.inspect, e.backtrace
268
- end
269
-
270
- if subnet['is_public'] && subnet['create_nat_gateway']
271
- MU::MommaCat.lock("nat-gateway-eipalloc")
272
- filters = [{name: "domain", values: ["vpc"]}]
273
- eips = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_addresses(filters: filters).addresses
274
- allocation_id = nil
275
- eips.each { |eip|
276
- next if !eip.association_id.nil? and !eip.association_id.empty?
277
- if (eip.private_ip_address.nil? || eip.private_ip_address.empty?) and MU::MommaCat.lock(eip.allocation_id, true, true)
278
- if !allocation_ids.include?(eip.allocation_id)
279
- allocation_id = eip.allocation_id
280
- break
281
- end
282
- end
283
- }
131
+ nat_gateways = create_subnets
284
132
 
285
- if allocation_id.nil?
286
- allocation_id = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).allocate_address(domain: "vpc").allocation_id
287
- MU::MommaCat.lock(allocation_id, false, true)
288
- end
289
-
290
- allocation_ids << allocation_id
291
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_nat_gateway(
292
- subnet_id: subnet['subnet_id'],
293
- allocation_id: allocation_id,
294
- ).nat_gateway
295
-
296
- nat_gateway_id = resp.nat_gateway_id
297
- attempts = 0
298
- MU::MommaCat.unlock("nat-gateway-eipalloc")
299
- while resp.class.name != "Aws::EC2::Types::NatGateway" or resp.state == "pending"
300
- MU.log "Waiting for nat gateway #{nat_gateway_id} () to become available (EIP allocation: #{allocation_id})" if attempts % 5 == 0
301
- sleep 30
302
- begin
303
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_nat_gateways(nat_gateway_ids: [nat_gateway_id]).nat_gateways.first
304
- rescue Aws::EmptyStructure, NoMethodError
305
- sleep 5
306
- retry
307
- end
308
- if attempts > 30
309
- MU::MommaCat.unlock(allocation_id, true)
310
- raise MuError, "Timed out while waiting for NAT Gateway #{nat_gateway_id}: #{resp}"
311
- end
312
- attempts += 1
313
- end
314
- MU::MommaCat.unlock(allocation_id, true)
315
-
316
- raise MuError, "NAT Gateway failed #{nat_gateway_id}: #{resp}" if resp.state == "failed"
317
- nat_gateways << {'id' => nat_gateway_id, 'availability_zone' => subnet['availability_zone']}
318
- @tags.each_pair { |k, v|
319
- MU::MommaCat.createTag(nat_gateway_id, k, v, region: @config['region'], credentials: @config['credentials'])
320
- }
321
- end
322
-
323
- if subnet.has_key?("map_public_ips")
324
- retries = 0
325
- begin
326
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).modify_subnet_attribute(
327
- subnet_id: subnet_id,
328
- map_public_ip_on_launch: {
329
- value: subnet['map_public_ips'],
330
- }
331
- )
332
- rescue Aws::EC2::Errors::InvalidSubnetIDNotFound => e
333
- if retries < 10
334
- MU.log "Got #{e.inspect} while trying to enable map_public_ips on subnet, waiting and retrying", MU::WARN
335
- sleep 10
336
- retries += 1
337
- retry
338
- end
339
- raise MuError, "Got #{e.inspect}, #{e.backtrace} while trying to enable map_public_ips on subnet"
340
- end
341
- end
342
-
343
- if subnet["enable_traffic_logging"]
344
- loggroup = @deploy.findLitterMate(name: @config['name']+"loggroup", type: "logs")
345
- logrole = @deploy.findLitterMate(name: @config['name']+"logrole", type: "roles")
346
- MU.log "Enabling traffic logging on Subnet #{subnet_name} in VPC #{@mu_name} to log group #{loggroup.mu_name}"
347
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_flow_logs(
348
- resource_ids: [subnet_id],
349
- resource_type: "Subnet",
350
- traffic_type: subnet["traffic_type_to_log"],
351
- log_group_name: loggroup.mu_name,
352
- deliver_logs_permission_arn: logrole.cloudobj.arn
353
- )
354
- end
355
- }
356
- }
357
-
358
- subnetthreads.each { |t|
359
- t.join
360
- }
361
-
362
- notify
363
- end
133
+ notify
364
134
 
365
135
  if !nat_gateways.empty?
366
136
  nat_gateways.each { |gateway|
367
137
  @config['subnets'].each { |subnet|
368
- if subnet['is_public'] == false && subnet['availability_zone'] == gateway['availability_zone']
369
- @config['route_tables'].each { |rtb|
370
- if rtb['name'] == subnet['route_table']
371
- rtb['routes'].each { |route|
372
- if route['gateway'] == '#NAT'
373
- route_config = {
374
- :route_table_id => rtb['route_table_id'],
375
- :destination_cidr_block => route['destination_network'],
376
- :nat_gateway_id => gateway['id']
377
- }
378
-
379
- MU.log "Creating route for #{route['destination_network']} through NAT gatway #{gateway['id']}", details: route_config
380
- nat_retries = 0
381
- begin
382
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_route(route_config)
383
- rescue Aws::EC2::Errors::InvalidNatGatewayIDNotFound => e
384
- if nat_retries < 5
385
- nat_retries += 1
386
- sleep 10
387
- retry
388
- else
389
- raise e
390
- end
391
- rescue Aws::EC2::Errors::RouteAlreadyExists => e
392
- MU.log "Attempt to create duplicate route to #{route['destination_network']} for #{gateway['id']} in #{rtb['route_table_id']}", MU::WARN
393
- end
394
- end
395
- }
396
- end
138
+ next if subnet['is_public'] != false or subnet['availability_zone'] != gateway['availability_zone']
139
+
140
+ @config['route_tables'].each { |rtb|
141
+ next if rtb['name'] != subnet['route_table']
142
+ rtb['routes'].each { |route|
143
+ next if route['gateway'] != '#NAT'
144
+ route_config = {
145
+ :route_table_id => rtb['route_table_id'],
146
+ :destination_cidr_block => route['destination_network'],
147
+ :nat_gateway_id => gateway['id']
148
+ }
149
+
150
+ MU.log "Creating route for #{route['destination_network']} through NAT gatway #{gateway['id']}", details: route_config
151
+ MU.retrier([Aws::EC2::Errors::InvalidNatGatewayIDNotFound], wait: 10, max: 5) {
152
+ begin
153
+ resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_route(route_config)
154
+ rescue Aws::EC2::Errors::RouteAlreadyExists
155
+ MU.log "Attempt to create duplicate route to #{route['destination_network']} for #{gateway['id']} in #{rtb['route_table_id']}", MU::WARN
156
+ end
157
+ }
397
158
  }
398
- end
159
+ }
399
160
  }
400
161
  }
401
162
  end
@@ -403,14 +164,14 @@ module MU
403
164
  if @config['enable_dns_support']
404
165
  MU.log "Enabling DNS support in #{@mu_name}"
405
166
  MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).modify_vpc_attribute(
406
- vpc_id: vpc_id,
167
+ vpc_id: @cloud_id,
407
168
  enable_dns_support: {value: @config['enable_dns_support']}
408
169
  )
409
170
  end
410
171
  if @config['enable_dns_hostnames']
411
172
  MU.log "Enabling DNS hostnames in #{@mu_name}"
412
173
  MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).modify_vpc_attribute(
413
- vpc_id: vpc_id,
174
+ vpc_id: @cloud_id,
414
175
  enable_dns_hostnames: {value: @config['enable_dns_hostnames']}
415
176
  )
416
177
  end
@@ -439,29 +200,16 @@ module MU
439
200
  dhcp_configurations: dhcpopts
440
201
  )
441
202
  dhcpopt_id = resp.dhcp_options.dhcp_options_id
442
- MU::Cloud::AWS.createStandardTags(dhcpopt_id, region: @config['region'], credentials: @config['credentials'])
443
- MU::MommaCat.createTag(dhcpopt_id, "Name", @mu_name, region: @config['region'], credentials: @config['credentials'])
444
-
445
- if @config['tags']
446
- @config['tags'].each { |tag|
447
- MU::MommaCat.createTag(dhcpopt_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
448
- }
449
- end
203
+ tag_me(dhcpopt_id)
450
204
 
451
- if @config['optional_tags']
452
- MU::MommaCat.listOptionalTags.each { |key, value|
453
- MU::MommaCat.createTag(dhcpopt_id, key, value, region: @config['region'], credentials: @config['credentials'])
454
- }
455
- end
456
-
457
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).associate_dhcp_options(dhcp_options_id: dhcpopt_id, vpc_id: vpc_id)
205
+ MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).associate_dhcp_options(dhcp_options_id: dhcpopt_id, vpc_id: @cloud_id)
458
206
  end
459
207
  notify
460
208
 
461
209
  if !MU::Cloud::AWS.isGovCloud?(@config['region'])
462
210
  mu_zone = MU::Cloud::DNSZone.find(cloud_id: "platform-mu", credentials: @config['credentials']).values.first
463
211
  if !mu_zone.nil?
464
- MU::Cloud::AWS::DNSZone.toggleVPCAccess(id: mu_zone.id, vpc_id: vpc_id, region: @config['region'], credentials: @config['credentials'])
212
+ MU::Cloud.resourceClass("AWS", "DNSZone").toggleVPCAccess(id: mu_zone.id, vpc_id: @cloud_id, region: @config['region'], credentials: @config['credentials'])
465
213
  end
466
214
  end
467
215
  loadSubnets
@@ -472,9 +220,6 @@ module MU
472
220
  # Canonical Amazon Resource Number for this resource
473
221
  # @return [String]
474
222
  def arn
475
- puts @config['region']
476
- puts MU::Cloud::AWS.credToAcct(@config['credentials'])
477
- puts @cloud_id
478
223
  "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":ec2:"+@config['region']+":"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":vpc/"+@cloud_id
479
224
  end
480
225
 
@@ -491,202 +236,7 @@ module MU
491
236
  # Generate peering connections
492
237
  if !@config['peers'].nil? and @config['peers'].size > 0
493
238
  @config['peers'].each { |peer|
494
- peer_obj = nil
495
- peer_id = nil
496
- peer['name'] ||= peer['vpc_name']
497
- peer['id'] ||= peer['vpc_id']
498
-
499
- # If we know this to be a sibling VPC elsewhere in our stack,
500
- # go fetch it, and fix it if we've been misconfigured with a
501
- # duplicate peering connection
502
- if peer['vpc']['name'] and !peer['account']
503
- peer_obj = @deploy.findLitterMate(name: peer['vpc']['name'], type: "vpcs")
504
- if peer_obj
505
- if peer_obj.config['peers']
506
- skipme = false
507
- peer_obj.config['peers'].each { |peerpeer|
508
- if peerpeer['vpc']['name'] == @config['name'] and
509
- (peer['vpc']['name'] <=> @config['name']) == -1
510
- skipme = true
511
- MU.log "VPCs #{peer['vpc']['name']} and #{@config['name']} both declare mutual peering connection, ignoring #{@config['name']}'s redundant declaration", MU::DEBUG
512
- # XXX and if deploy_id matches or is unset
513
- end
514
- }
515
- end
516
- next if skipme
517
- peer['account'] = MU::Cloud::AWS.credToAcct(peer_obj.credentials)
518
- peer['vpc']['id'] = peer_obj.cloud_id
519
- peer['vpc']['region'] ||= peer_obj.config['region']
520
- end
521
- end
522
-
523
- # If we still don't know our peer's vpc identifier, go fishing
524
- if !peer_obj
525
- tag_key, tag_value = peer['vpc']['tag'].split(/=/, 2) if !peer['vpc']['tag'].nil?
526
- if peer['vpc']['deploy_id'].nil? and peer['vpc']['id'].nil? and tag_key.nil?
527
- peer['vpc']['deploy_id'] = @deploy.deploy_id
528
- end
529
- peer_obj = MU::MommaCat.findStray(
530
- "AWS",
531
- "vpcs",
532
- deploy_id: peer['vpc']['deploy_id'],
533
- cloud_id: peer['vpc']['id'],
534
- # XXX we need a credentials argument here... maybe
535
- name: peer['vpc']['name'],
536
- tag_key: tag_key,
537
- tag_value: tag_value,
538
- dummy_ok: true,
539
- region: peer['vpc']['region']
540
- )
541
- MU.log "wtf", MU::ERR, details: peer if peer_obj.nil? or peer_obj.first.nil?
542
- raise MuError, "No result looking for #{@mu_name}'s peer VPCs (#{peer['vpc']})" if peer_obj.nil? or peer_obj.first.nil?
543
- peer_obj = peer_obj.first
544
- peer['account'] ||= MU::Cloud::AWS.credToAcct(peer_obj.credentials)
545
- peer['vpc']['id'] ||= peer_obj.cloud_id
546
- peer['vpc']['region'] ||= peer_obj.config['region']
547
- end
548
-
549
- peer_id = peer['vpc']['id']
550
- peer['account'] ||= MU::Cloud::AWS.account_number
551
-
552
- # See if the peering connection exists before we bother
553
- # creating it.
554
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpc_peering_connections(
555
- filters: [
556
- {
557
- name: "requester-vpc-info.vpc-id",
558
- values: [@cloud_id]
559
- },
560
- {
561
- name: "accepter-vpc-info.vpc-id",
562
- values: [peer_id.to_s]
563
- }
564
- ]
565
- )
566
-
567
- peering_id = if !resp or !resp.vpc_peering_connections or
568
- resp.vpc_peering_connections.empty?
569
-
570
- MU.log "Setting peering connection from VPC #{@config['name']} (#{@cloud_id} in account #{MU::Cloud::AWS.credToAcct(@config['credentials'])}) to #{peer_id} in account #{peer['account']}", details: peer
571
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_vpc_peering_connection(
572
- vpc_id: @cloud_id,
573
- peer_vpc_id: peer_id,
574
- peer_owner_id: peer['account'],
575
- peer_region: peer['vpc']['region']
576
- )
577
- resp.vpc_peering_connection.vpc_peering_connection_id
578
- else
579
- resp.vpc_peering_connections.first.vpc_peering_connection_id
580
- end
581
-
582
- peering_name = @deploy.getResourceName(@config['name']+"-PEER-"+peer['vpc']['id'])
583
-
584
- MU::Cloud::AWS.createStandardTags(peering_id, region: @config['region'], credentials: @config['credentials'])
585
- MU::MommaCat.createTag(peering_id, "Name", peering_name, region: @config['region'], credentials: @config['credentials'])
586
-
587
- if @config['optional_tags']
588
- MU::MommaCat.listOptionalTags.each { |key, value|
589
- MU::MommaCat.createTag(peering_id, key, value, region: @config['region'], credentials: @config['credentials'])
590
- }
591
- end
592
-
593
- if @config['tags']
594
- @config['tags'].each { |tag|
595
- MU::MommaCat.createTag(peering_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
596
- }
597
- end
598
-
599
- # Create routes to our new friend.
600
- MU::Cloud::AWS::VPC.listAllSubnetRouteTables(@cloud_id, region: @config['region'], credentials: @config['credentials']).each { |rtb_id|
601
- my_route_config = {
602
- :route_table_id => rtb_id,
603
- :destination_cidr_block => peer_obj.cloud_desc.cidr_block,
604
- :vpc_peering_connection_id => peering_id
605
- }
606
- rtbdesc = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
607
- route_table_ids: [rtb_id]
608
- ).route_tables.first
609
- already_exists = false
610
- rtbdesc.routes.each { |r|
611
- if r.destination_cidr_block == peer_obj.cloud_desc.cidr_block
612
- if r.vpc_peering_connection_id != peering_id
613
- MU.log "Attempt to create duplicate route to #{peer_obj.cloud_desc.cidr_block} from VPC #{@config['name']}", MU::ERR, details: r
614
- raise MuError, "Can't create route via #{peering_id}, a route to #{peer_obj.cloud_desc.cidr_block} already exists"
615
- else
616
- already_exists = true
617
- end
618
- end
619
- }
620
- next if already_exists
621
-
622
- MU.log "Creating peering route to #{peer_obj.cloud_desc.cidr_block} in #{peer['vpc']['region']} from VPC #{@config['name']} in #{@config['region']}"
623
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_route(my_route_config)
624
- } # MU::Cloud::AWS::VPC.listAllSubnetRouteTables
625
-
626
- begin
627
- cnxn = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpc_peering_connections(
628
- vpc_peering_connection_ids: [peering_id]
629
- ).vpc_peering_connections.first
630
-
631
- if cnxn.status.code == "pending-acceptance"
632
- if ((!peer_obj.nil? and !peer_obj.deploydata.nil? and peer_obj.deploydata['auto_accept_peers']) or $MU_CFG['allow_invade_foreign_vpcs'])
633
- MU.log "Auto-accepting peering connection from VPC #{@config['name']} (#{@cloud_id}) to #{peer_id}", MU::NOTICE
634
- begin
635
- MU::Cloud::AWS.ec2(region: peer['vpc']['region'], credentials: peer['account']).accept_vpc_peering_connection(
636
- vpc_peering_connection_id: peering_id,
637
- )
638
- if peer['account'] != MU::Cloud::AWS.credToAcct(@config['credentials'])
639
- # this seems to take a while across accounts
640
- sleep 5
641
- end
642
- cnxn = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpc_peering_connections(
643
- vpc_peering_connection_ids: [peering_id]
644
- ).vpc_peering_connections.first
645
- rescue Aws::EC2::Errors::VpcPeeringConnectionAlreadyExists => e
646
- MU.log "Attempt to create duplicate peering connection to #{peer_id} from VPC #{@config['name']}", MU::WARN
647
- end
648
-
649
- # Create routes back from our new friend to us.
650
- MU::Cloud::AWS::VPC.listAllSubnetRouteTables(peer_id, region: peer['vpc']['region'], credentials: peer['account']).uniq.each { |rtb_id|
651
- peer_route_config = {
652
- :route_table_id => rtb_id,
653
- :destination_cidr_block => @config['ip_block'],
654
- :vpc_peering_connection_id => peering_id
655
- }
656
- begin
657
- resp = MU::Cloud::AWS.ec2(region: peer['vpc']['region'], credentials: peer['account']).create_route(peer_route_config)
658
- rescue Aws::EC2::Errors::RouteAlreadyExists => e
659
- rtbdesc = MU::Cloud::AWS.ec2(region: peer['vpc']['region'], credentials: peer['account']).describe_route_tables(
660
- route_table_ids: [rtb_id]
661
- ).route_tables.first
662
- rtbdesc.routes.each { |r|
663
- if r.destination_cidr_block == @config['ip_block']
664
- if r.vpc_peering_connection_id != peering_id
665
- MU.log "Attempt to create duplicate route to VPC #{@config['name']} (#{@config['ip_block']}) from peer VPC #{peer_id}'s route table #{rtb_id}", MU::ERR
666
- end
667
- end
668
- }
669
- end
670
- }
671
- else
672
- MU.log "VPC #{peer_id} is not managed by this Mu server or is not configured to auto-accept peering requests. You must accept the peering request for '#{@config['name']}' (#{@cloud_id}) by hand.", MU::WARN, details: "In the AWS Console, go to VPC => Peering Connections and look in the Actions drop-down. You can also set 'Invade Foreign VPCs' to 'true' using mu-configure to auto-accept all peering connections within this account, regardless of whether this Mu server owns the VPCs. This setting is per-user."
673
- end
674
- end
675
-
676
- if cnxn.status.code == "failed" or cnxn.status.code == "rejected" or cnxn.status.code == "expired" or cnxn.status.code == "deleted"
677
- MU.log "VPC peering connection from VPC #{@config['name']} (#{@cloud_id} in #{@config['region']}) to #{peer_id} in #{peer['vpc']['region']} #{cnxn.status.code}: #{cnxn.status.message}", MU::ERR
678
- begin
679
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).delete_vpc_peering_connection(
680
- vpc_peering_connection_id: peering_id
681
- )
682
- rescue Aws::EC2::Errors::InvalidStateTransition => e
683
- # XXX apparently this is normal?
684
- end
685
- raise MuError, "VPC peering connection from VPC #{@config['name']} (#{@cloud_id}) to #{peer_id} #{cnxn.status.code}: #{cnxn.status.message}"
686
- end
687
-
688
- end while cnxn.status.code != "active" and !((peer_obj.nil? or peer_obj.deploydata.nil? or !peer_obj.deploydata['auto_accept_peers']) and cnxn.status.code == "pending-acceptance")
689
-
239
+ peerWith(peer)
690
240
  }
691
241
  end
692
242
 
@@ -713,7 +263,7 @@ MU.log "wtf", MU::ERR, details: peer if peer_obj.nil? or peer_obj.first.nil?
713
263
  route_config[:instance_id] = nat_instance.cloud_id
714
264
 
715
265
  MU.log "Creating route for #{route['destination_network']} through NAT host #{nat_instance.cloud_id}", details: route_config
716
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_route(route_config)
266
+ MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_route(route_config)
717
267
  end
718
268
  }
719
269
 
@@ -756,7 +306,7 @@ MU.log "wtf", MU::ERR, details: peer if peer_obj.nil? or peer_obj.first.nil?
756
306
  map[vpc.vpc_id] = vpc
757
307
  }
758
308
  return map
759
- rescue Aws::EC2::Errors::InvalidVpcIDNotFound => e
309
+ rescue Aws::EC2::Errors::InvalidVpcIDNotFound
760
310
  end
761
311
  else
762
312
  resp = MU::Cloud::AWS.ec2(region: args[:region], credentials: args[:credentials]).describe_vpcs
@@ -774,7 +324,7 @@ MU.log "wtf", MU::ERR, details: peer if peer_obj.nil? or peer_obj.first.nil?
774
324
  # Reverse-map our cloud description into a runnable config hash.
775
325
  # We assume that any values we have in +@config+ are placeholders, and
776
326
  # calculate our own accordingly based on what's live in the cloud.
777
- def toKitten(rootparent: nil, billing: nil, habitats: nil)
327
+ def toKitten(**_args)
778
328
  bok = {
779
329
  "cloud" => "AWS",
780
330
  "credentials" => @config['credentials'],
@@ -838,12 +388,9 @@ MU.log "wtf", MU::ERR, details: peer if peer_obj.nil? or peer_obj.first.nil?
838
388
  if rtb_desc.associations
839
389
  rtb_desc.associations.each { |assoc|
840
390
  if assoc.subnet_id
841
- if associations[assoc.subnet_id] and associations[assoc.subnet_id] != rtb['name']
842
- MU.log "wait more than one route table association for #{assoc.subnet_id} what", MU::WARN, details: associations[assoc.subnet_id]+" => "+rtb['name']
843
- end
844
391
  associations[assoc.subnet_id] = rtb['name']
845
392
  elsif assoc.gateway_id
846
- MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_desc
393
+ MU.log " Saw a route table association I don't know how to adopt in #{@cloud_id}", MU::WARN, details: rtb_desc
847
394
  end
848
395
  }
849
396
  end
@@ -903,20 +450,18 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
903
450
  # Describe subnets associated with this VPC. We'll compose identifying
904
451
  # information similar to what MU::Cloud.describe builds for first-class
905
452
  # resources.
906
- # XXX this is weaksauce. Subnets should be objects with their own methods
907
- # that work like first-class objects. How would we enforce that?
908
- # @return [Array<Hash>]: A list of cloud provider identifiers of subnets associated with this VPC.
453
+ # @return [Array<MU::Cloud::AWS::VPC::Subnet>]
909
454
  def loadSubnets
910
- if @cloud_id
911
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_subnets(
912
- filters: [
913
- { name: "vpc-id", values: [@cloud_id] }
914
- ]
915
- )
916
- if resp.nil? or resp.subnets.nil? or resp.subnets.size == 0
917
- MU.log "Got empty results when trying to list subnets in #{@cloud_id}", MU::WARN
918
- return []
919
- end
455
+ return [] if !@cloud_id
456
+
457
+ resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_subnets(
458
+ filters: [
459
+ { name: "vpc-id", values: [@cloud_id] }
460
+ ]
461
+ )
462
+ if resp.nil? or resp.subnets.nil? or resp.subnets.empty?
463
+ MU.log "Got empty results when trying to list subnets in #{@cloud_id}", MU::WARN
464
+ return []
920
465
  end
921
466
 
922
467
  @subnetcachesemaphore.synchronize {
@@ -927,23 +472,21 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
927
472
  # metadata. Like ya do.
928
473
  if !@config.nil? and @config.has_key?("subnets")
929
474
  @config['subnets'].each { |subnet|
930
- subnet['mu_name'] = @mu_name+"-"+subnet['name'] if !subnet.has_key?("mu_name")
475
+ subnet['mu_name'] ||= @mu_name+"-"+subnet['name']
931
476
  subnet['region'] = @config['region']
932
477
  subnet['credentials'] = @config['credentials']
933
- if !resp.nil? and !resp.data.nil? and !resp.data.subnets.nil?
934
- resp.data.subnets.each { |desc|
935
- if desc.cidr_block == subnet["ip_block"]
936
- subnet["tags"] = MU.structToHash(desc.tags)
937
- subnet["cloud_id"] = desc.subnet_id
938
- break
939
- end
940
- }
941
- end
478
+ resp.subnets.each { |desc|
479
+ if desc.cidr_block == subnet["ip_block"]
480
+ subnet["tags"] = MU.structToHash(desc.tags)
481
+ subnet["cloud_id"] = desc.subnet_id
482
+ break
483
+ end
484
+ }
942
485
 
943
486
  if subnet["cloud_id"] and !ext_ids.include?(subnet["cloud_id"])
944
487
  @subnets << MU::Cloud::AWS::VPC::Subnet.new(self, subnet)
945
488
  elsif !subnet["cloud_id"]
946
- resp.data.subnets.each { |desc|
489
+ resp.subnets.each { |desc|
947
490
  if desc.cidr_block == subnet["ip_block"]
948
491
  subnet['cloud_id'] = desc.subnet_id
949
492
  @subnets << MU::Cloud::AWS::VPC::Subnet.new(self, subnet)
@@ -956,21 +499,21 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
956
499
 
957
500
  # Of course we might be loading up a dummy subnet object from a
958
501
  # foreign or non-Mu-created VPC and subnet. So make something up.
959
- if !resp.nil? and @subnets.empty?
960
- resp.data.subnets.each { |desc|
961
- subnet = {}
962
- subnet["ip_block"] = desc.cidr_block
963
- subnet["name"] = subnet["ip_block"].gsub(/[\.\/]/, "_")
502
+ if @subnets.empty?
503
+ resp.subnets.each { |desc|
504
+ subnet = {
505
+ "ip_block" => desc.cidr_block,
506
+ "tags" => MU.structToHash(desc.tags),
507
+ "cloud_id" => desc.subnet_id,
508
+ 'region' => @config['region'],
509
+ 'credentials' => @config['credentials'],
510
+ }
511
+ subnet['name'] = subnet["ip_block"].gsub(/[\.\/]/, "_")
964
512
  subnet['mu_name'] = @mu_name+"-"+subnet['name']
965
- subnet["tags"] = MU.structToHash(desc.tags)
966
- subnet["cloud_id"] = desc.subnet_id
967
- subnet['region'] = @config['region']
968
- subnet['credentials'] = @config['credentials']
969
- if !ext_ids.include?(desc.subnet_id)
970
- @subnets << MU::Cloud::AWS::VPC::Subnet.new(self, subnet)
971
- end
513
+ @subnets << MU::Cloud::AWS::VPC::Subnet.new(self, subnet)
972
514
  }
973
515
  end
516
+
974
517
  return @subnets
975
518
  }
976
519
  end
@@ -983,13 +526,14 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
983
526
  def findNat(nat_cloud_id: nil, nat_filter_key: nil, nat_filter_value: nil, region: MU.curRegion, credentials: nil)
984
527
  # Discard the nat_cloud_id if it's an AWS instance ID
985
528
  nat_cloud_id = nil if nat_cloud_id && nat_cloud_id.start_with?("i-")
529
+ credentials ||= @credentials
986
530
 
987
531
  if @gateways.nil?
988
532
  @gateways =
989
533
  if nat_cloud_id
990
- MU::Cloud::AWS.ec2(region: region, credentials: nil).describe_nat_gateways(nat_gateway_ids: [nat_cloud_id])
534
+ MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_nat_gateways(nat_gateway_ids: [nat_cloud_id])
991
535
  elsif nat_filter_key && nat_filter_value
992
- MU::Cloud::AWS.ec2(region: region, credentials: nil).describe_nat_gateways(
536
+ MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_nat_gateways(
993
537
  filter: [
994
538
  {
995
539
  name: nat_filter_key,
@@ -1014,8 +558,8 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1014
558
 
1015
559
  deploy_id = nil
1016
560
  nat_name = nat_name.to_s if !nat_name.nil? and nat_name.class.to_s == "MU::Config::Tail"
1017
- nat_ip = nat_ip.to_s if !nat_ip.nil? and nat_ip.class.to_s == "MU::Config::Tail"
1018
561
  nat_cloud_id = nat_cloud_id.to_s if !nat_cloud_id.nil? and nat_cloud_id.class.to_s == "MU::Config::Tail"
562
+ nat_ip = nat_ip.to_s if !nat_ip.nil? and nat_ip.class.to_s == "MU::Config::Tail"
1019
563
  nat_tag_key = nat_tag_key.to_s if !nat_tag_key.nil? and nat_tag_key.class.to_s == "MU::Config::Tail"
1020
564
  nat_tag_value = nat_tag_value.to_s if !nat_tag_value.nil? and nat_tag_value.class.to_s == "MU::Config::Tail"
1021
565
 
@@ -1042,8 +586,8 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1042
586
  found.each { |nat|
1043
587
  # Try some AWS-specific criteria
1044
588
  cloud_desc = nat.cloud_desc
1045
- if !nat_host_ip.nil? and
1046
- (cloud_desc.private_ip_address == nat_host_ip or cloud_desc.public_ip_address == nat_host_ip)
589
+ if !nat_ip.nil? and
590
+ (cloud_desc.private_ip_address == nat_ip or cloud_desc.public_ip_address == nat_ip)
1047
591
  return nat
1048
592
  elsif cloud_desc.vpc_id == @cloud_id
1049
593
  # XXX Strictly speaking we could have different NATs in different
@@ -1090,7 +634,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1090
634
  if instance.nil?
1091
635
  begin
1092
636
  instance = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_instances(instance_ids: [instance_id]).reservations.first.instances.first
1093
- rescue NoMethodError, Aws::EC2::Errors::InvalidInstanceIDNotFound => e
637
+ rescue NoMethodError, Aws::EC2::Errors::InvalidInstanceIDNotFound
1094
638
  MU.log "Failed to identify instance #{instance_id} in MU::Cloud::AWS::VPC.getInstanceSubnets", MU::WARN
1095
639
  return []
1096
640
  end
@@ -1133,20 +677,19 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1133
677
  my_subnets = MU::Cloud::AWS::VPC.getInstanceSubnets(instance: MU.myCloudDescriptor)
1134
678
  target_subnets = MU::Cloud::AWS::VPC.getInstanceSubnets(instance: target_instance, region: region, credentials: credentials)
1135
679
 
1136
- resp = nil
1137
680
  my_subnets_key = my_subnets.join(",")
1138
681
  target_subnets_key = target_subnets.join(",")
1139
682
  MU::Cloud::AWS::VPC.update_route_tables_cache(my_subnets_key, region: MU.myRegion)
1140
683
  MU::Cloud::AWS::VPC.update_route_tables_cache(target_subnets_key, region: region, credentials: credentials)
1141
684
 
1142
- if MU::Cloud::AWS::VPC.have_route_peered_vpc?(my_subnets_key, target_subnets_key, instance_id)
685
+ if MU::Cloud::AWS::VPC.can_route_to_master_peer?(my_subnets_key, target_subnets_key, instance_id)
1143
686
  return true
1144
687
  else
1145
688
  # The cache can be out of date at times, check again without it
1146
689
  MU::Cloud::AWS::VPC.update_route_tables_cache(my_subnets_key, use_cache: false, region: MU.myRegion)
1147
690
  MU::Cloud::AWS::VPC.update_route_tables_cache(target_subnets_key, use_cache: false, region: region, credentials: credentials)
1148
691
 
1149
- return MU::Cloud::AWS::VPC.have_route_peered_vpc?(my_subnets_key, target_subnets_key, instance_id)
692
+ return MU::Cloud::AWS::VPC.can_route_to_master_peer?(my_subnets_key, target_subnets_key, instance_id)
1150
693
  end
1151
694
 
1152
695
  end
@@ -1185,7 +728,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1185
728
  # @param target_subnets_key [String]: The subnet/subnets on the other side of the peered VPC.
1186
729
  # @param instance_id [String]: The instance ID in the target subnet/subnets.
1187
730
  # @return [Boolean]
1188
- def self.have_route_peered_vpc?(source_subnets_key, target_subnets_key, instance_id)
731
+ def self.can_route_to_master_peer?(source_subnets_key, target_subnets_key, instance_id)
1189
732
  my_routes = []
1190
733
  vpc_peer_mapping = {}
1191
734
 
@@ -1279,30 +822,39 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1279
822
  # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
1280
823
  # @param region [String]: The cloud provider region
1281
824
  # @return [void]
1282
- def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
825
+ def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
826
+ MU.log "AWS::VPC.cleanup: need to support flags['known']", MU::DEBUG, details: flags
827
+
1283
828
  tagfilters = [
1284
- {name: "tag:MU-ID", values: [MU.deploy_id]}
829
+ {name: "tag:MU-ID", values: [deploy_id]}
1285
830
  ]
1286
831
  if !ignoremaster
1287
832
  tagfilters << {name: "tag:MU-MASTER-IP", values: [MU.mu_public_ip]}
1288
833
  end
1289
834
 
1290
835
  vpcs = []
1291
- retries = 0
1292
- begin
836
+ MU.retrier([Aws::EC2::Errors::InvalidVpcIDNotFound], wait: 5) {
1293
837
  resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_vpcs(filters: tagfilters, max_results: 1000).vpcs
1294
838
  vpcs = resp if !resp.empty?
1295
- rescue Aws::EC2::Errors::InvalidVpcIDNotFound => e
1296
- if retries < 5
1297
- sleep 5
1298
- retries += 1
1299
- retry
1300
- end
1301
- end
839
+ }
840
+
841
+ # resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpc_peering_connections(
842
+ # filters: [
843
+ # {
844
+ # name: "requester-vpc-info.vpc-id",
845
+ # values: [@cloud_id]
846
+ # },
847
+ # {
848
+ # name: "accepter-vpc-info.vpc-id",
849
+ # values: [peer_id.to_s]
850
+ # }
851
+ # ]
852
+ # )
1302
853
 
1303
854
  if !vpcs.empty?
1304
855
  gwthreads = []
1305
856
  vpcs.each { |vpc|
857
+ purge_peering_connections(noop, vpc.vpc_id, region: region, credentials: credentials)
1306
858
  # NAT gateways don't have any tags, and we can't assign them a name. Lets find them based on a VPC ID
1307
859
  gwthreads << Thread.new {
1308
860
  purge_nat_gateways(noop, vpc_id: vpc.vpc_id, region: region, credentials: credentials)
@@ -1322,17 +874,17 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1322
874
  purge_vpcs(noop, tagfilters, region: region, credentials: credentials)
1323
875
  purge_dhcpopts(noop, tagfilters, region: region, credentials: credentials)
1324
876
 
1325
- unless noop
1326
- MU::Cloud::AWS.iam.list_roles.roles.each{ |role|
1327
- match_string = "#{MU.deploy_id}.*TRAFFIC-LOG"
1328
- }
1329
- end
877
+ # unless noop
878
+ # MU::Cloud::AWS.iam.list_roles.roles.each{ |role|
879
+ # match_string = "#{deploy_id}.*TRAFFIC-LOG"
880
+ # }
881
+ # end
1330
882
  end
1331
883
 
1332
884
  # Cloud-specific configuration properties.
1333
- # @param config [MU::Config]: The calling MU::Config object
885
+ # @param _config [MU::Config]: The calling MU::Config object
1334
886
  # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
1335
- def self.schema(config)
887
+ def self.schema(_config)
1336
888
  toplevel_required = []
1337
889
  # Flow Logs can be declared at the VPC level or the subnet level
1338
890
  flowlogs = {
@@ -1378,11 +930,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1378
930
  logdesc["tags"] = vpc["tags"] if !vpc["tags"].nil?
1379
931
  # logdesc["optional_tags"] = vpc["optional_tags"] if !vpc["optional_tags"].nil?
1380
932
  configurator.insertKitten(logdesc, "logs")
1381
- vpc['dependencies'] ||= []
1382
- vpc['dependencies'] << {
1383
- "type" => "log",
1384
- "name" => vpc['name']+"loggroup"
1385
- }
933
+ MU::Config.addDependency(vpc, vpc['name']+"loggroup", "log")
1386
934
 
1387
935
  roledesc = {
1388
936
  "name" => vpc['name']+"logrole",
@@ -1420,15 +968,10 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1420
968
  roledesc["tags"] = vpc["tags"] if !vpc["tags"].nil?
1421
969
  roledesc["optional_tags"] = vpc["optional_tags"] if !vpc["optional_tags"].nil?
1422
970
  configurator.insertKitten(roledesc, "roles")
1423
- vpc['dependencies'] ||= []
1424
- vpc['dependencies'] << {
1425
- "type" => "role",
1426
- "name" => vpc['name']+"logrole"
1427
- }
971
+ MU::Config.addDependency(vpc, vpc['name']+"logrole", "role")
1428
972
  end
1429
973
 
1430
974
  subnet_routes = Hash.new
1431
- public_routes = Array.new
1432
975
 
1433
976
  if vpc['subnets']
1434
977
  vpc['subnets'].each { |subnet|
@@ -1476,10 +1019,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1476
1019
  subnet_routes[table['name']].each { |subnet|
1477
1020
  nat_routes[subnet] = route['nat_host_name']
1478
1021
  }
1479
- vpc['dependencies'] << {
1480
- "type" => "server",
1481
- "name" => route['nat_host_name']
1482
- }
1022
+ MU::Config.addDependency(vpc, route['nat_host_name'], "server", no_create_wait: true)
1483
1023
  elsif route['gateway'] == '#NAT'
1484
1024
  vpc['create_nat_gateway'] = true
1485
1025
  private_rtbs << table['name']
@@ -1492,17 +1032,11 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1492
1032
  if route['gateway'] == '#INTERNET'
1493
1033
  if table['name'] == subnet['route_table']
1494
1034
  subnet['is_public'] = true
1495
- if vpc['create_nat_gateway']
1496
- if vpc['nat_gateway_multi_az']
1497
- subnet['create_nat_gateway'] = true
1498
- else
1499
- if nat_gateway_added
1500
- subnet['create_nat_gateway'] = false
1501
- else
1502
- subnet['create_nat_gateway'] = true
1503
- nat_gateway_added = true
1504
- end
1505
- end
1035
+ if vpc['create_nat_gateway'] and (vpc['nat_gateway_multi_az'] or !nat_gateway_added)
1036
+ subnet['create_nat_gateway'] = true
1037
+ nat_gateway_added = true
1038
+ else
1039
+ subnet['create_nat_gateway'] = false
1506
1040
  end
1507
1041
  else
1508
1042
  subnet['is_public'] = false
@@ -1600,9 +1134,11 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1600
1134
  @my_visible_cidrs[subnets]
1601
1135
  end
1602
1136
 
1603
- private
1604
1137
 
1605
1138
  # List the route tables for each subnet in the given VPC
1139
+ # @param vpc_id [String]:
1140
+ # @param region [String]:
1141
+ # @param credentials [String]:
1606
1142
  def self.listAllSubnetRouteTables(vpc_id, region: MU.curRegion, credentials: nil)
1607
1143
  resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_subnets(
1608
1144
  filters: [
@@ -1645,6 +1181,299 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1645
1181
  return table_ids.uniq
1646
1182
  end
1647
1183
 
1184
+ # Remove all network interfaces associated with the currently loaded deployment.
1185
+ # @param noop [Boolean]: If true, will only print what would be done
1186
+ # @param filters [Array<Hash>]: EC2 tags to filter against when search for resources to purge
1187
+ # @param region [String]: The cloud provider region
1188
+ # @return [void]
1189
+ def self.purge_interfaces(noop = false, filters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion, credentials: nil)
1190
+ resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_network_interfaces(
1191
+ filters: filters
1192
+ )
1193
+ ifaces = resp.data.network_interfaces
1194
+
1195
+ return if ifaces.nil? or ifaces.size == 0
1196
+
1197
+ ifaces.each { |iface|
1198
+ if iface.vpc_id
1199
+ default_sg = MU::Cloud::AWS::VPC.getDefaultSg(iface.vpc_id, region: region, credentials: credentials)
1200
+ if default_sg and (iface.groups.size > 1 or (iface.groups.size == 1 and iface.groups.first.group_id != default_sg))
1201
+ MU.log "Removing extra security groups from ENI #{iface.network_interface_id}"
1202
+ if !noop
1203
+ begin
1204
+ MU::Cloud::AWS.ec2(credentials: credentials, region: region).modify_network_interface_attribute(
1205
+ network_interface_id: iface.network_interface_id,
1206
+ groups: [default_sg]
1207
+ )
1208
+ rescue ::Aws::EC2::Errors::AuthFailure
1209
+ MU.log "Permission denied attempting to trim Security Group list for #{iface.network_interface_id}", MU::WARN, details: iface.groups.map { |g| g.group_name }.join(",")+" => default"
1210
+ end
1211
+ end
1212
+ end
1213
+ end
1214
+ begin
1215
+ if iface.attachment and iface.attachment.status == "attached"
1216
+ MU.log "Detaching Network Interface #{iface.network_interface_id} from #{iface.attachment.instance_owner_id}"
1217
+ tried_lbs = false
1218
+ begin
1219
+ MU::Cloud::AWS.ec2(credentials: credentials, region: region).detach_network_interface(attachment_id: iface.attachment.attachment_id) if !noop
1220
+ rescue Aws::EC2::Errors::OperationNotPermitted => e
1221
+ MU.log "Can't detach #{iface.network_interface_id}: #{e.message}", MU::WARN, details: iface.attachment
1222
+ next
1223
+ rescue Aws::EC2::Errors::IncorrectState => e
1224
+ MU.log e.message, MU::WARN
1225
+ sleep 5
1226
+ retry
1227
+ rescue Aws::EC2::Errors::InvalidAttachmentIDNotFound => e
1228
+ # suits me just fine
1229
+ rescue Aws::EC2::Errors::AuthFailure => e
1230
+ if !tried_lbs and iface.attachment.instance_owner_id == "amazon-elb"
1231
+ MU::Cloud.resourceClass("AWS", "LoadBalancer").cleanup(
1232
+ noop: noop,
1233
+ region: region,
1234
+ credentials: credentials,
1235
+ flags: {"vpc_id" => iface.vpc_id}
1236
+ )
1237
+ tried_lbs = true
1238
+ retry
1239
+ end
1240
+ MU.log e.message, MU::ERR, details: iface.attachment
1241
+ end
1242
+ end
1243
+ MU.log "Deleting Network Interface #{iface.network_interface_id}"
1244
+ MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_network_interface(network_interface_id: iface.network_interface_id) if !noop
1245
+ rescue Aws::EC2::Errors::InvalidNetworkInterfaceIDNotFound
1246
+ # ok then!
1247
+ rescue Aws::EC2::Errors::InvalidParameterValue => e
1248
+ MU.log e.message, MU::ERR, details: iface
1249
+ end
1250
+ }
1251
+ end
1252
+
1253
+ # Fetch the group id of the +default+ security group for the given VPC
1254
+ # @param vpc_id [String]
1255
+ # @param region [String]
1256
+ # @param credentials [String]
1257
+ # @return [String]
1258
+ def self.getDefaultSg(vpc_id, region: MU.curRegion, credentials: nil)
1259
+ default_sg_resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_security_groups(
1260
+ filters: [
1261
+ { name: "group-name", values: ["default"] },
1262
+ { name: "vpc-id", values: [vpc_id] }
1263
+ ]
1264
+ ).security_groups
1265
+ if default_sg_resp and default_sg_resp.size == 1
1266
+ return default_sg_resp.first.group_id
1267
+ end
1268
+ nil
1269
+ end
1270
+
1271
+ # Try to locate the default VPC for a region, and return a BoK-style
1272
+ # config fragment for something that might want to live in it.
1273
+ def self.defaultVpc(region, credentials)
1274
+ cfg_fragment = nil
1275
+ MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_vpcs.vpcs.each { |vpc|
1276
+ if vpc.is_default
1277
+ cfg_fragment = {
1278
+ "id" => vpc.vpc_id,
1279
+ "cloud" => "AWS",
1280
+ "region" => region,
1281
+ "credentials" => credentials
1282
+ }
1283
+ cfg_fragment['subnets'] = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_subnets(
1284
+ filters: [
1285
+ {
1286
+ name: "vpc-id",
1287
+ values: [vpc.vpc_id]
1288
+ }
1289
+ ]
1290
+ ).subnets.map { |s| { "subnet_id" => s.subnet_id } }
1291
+ break
1292
+ end
1293
+ }
1294
+
1295
+ cfg_fragment
1296
+ end
1297
+
1298
+ # Return a {MU::Config::Ref} that indicates this VPC.
1299
+ # @param subnet_ids [Array<String>]: Optional list of subnet ids with which to infer a +subnet_pref+ parameter.
1300
+ # @return [MU::Config::Ref]
1301
+ def getReference(subnet_ids = [])
1302
+ have_private = have_public = false
1303
+ subnets.each { |s|
1304
+ next if subnet_ids and !subnet_ids.empty? and !subnet_ids.include?(s.cloud_id)
1305
+ if s.private?
1306
+ have_private = true
1307
+ else
1308
+ have_public = true
1309
+ end
1310
+ }
1311
+ subnet_pref = if have_private == have_public
1312
+ "any"
1313
+ elsif have_private
1314
+ "all_private"
1315
+ elsif have_public
1316
+ "all_public"
1317
+ end
1318
+ MU::Config::Ref.get(
1319
+ id: @cloud_id,
1320
+ cloud: "AWS",
1321
+ credentials: @credentials,
1322
+ region: @config['region'],
1323
+ type: "vpcs",
1324
+ subnet_pref: subnet_pref
1325
+ )
1326
+ end
1327
+
1328
+ private
1329
+
1330
+ def peerWith(peer)
1331
+ peer_ref = MU::Config::Ref.get(peer['vpc'])
1332
+ peer_obj = peer_ref.kitten
1333
+ peer_id = peer_ref.kitten.cloud_id
1334
+ if peer_id == @cloud_id
1335
+ MU.log "#{@mu_name} attempted to peer with itself (#{@cloud_id})", MU::ERR, details: peer
1336
+ raise "#{@mu_name} attempted to peer with itself (#{@cloud_id})"
1337
+ end
1338
+
1339
+ if peer_obj and peer_obj.config['peers']
1340
+ peer_obj.config['peers'].each { |peerpeer|
1341
+ if peerpeer['vpc']['name'] == @config['name'] and
1342
+ (peer['vpc']['name'] <=> @config['name']) == -1
1343
+ MU.log "VPCs #{peer['vpc']['name']} and #{@config['name']} both declare mutual peering connection, ignoring #{@config['name']}'s redundant declaration", MU::DEBUG
1344
+ return
1345
+ # XXX and if deploy_id matches or is unset
1346
+ end
1347
+ }
1348
+
1349
+ peer['account'] ||= MU::Cloud::AWS.credToAcct(peer_obj.credentials)
1350
+ end
1351
+
1352
+ peer['account'] ||= MU::Cloud::AWS.account_number
1353
+
1354
+ # See if the peering connection exists before we bother
1355
+ # creating it.
1356
+ resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpc_peering_connections(
1357
+ filters: [
1358
+ {
1359
+ name: "requester-vpc-info.vpc-id",
1360
+ values: [@cloud_id]
1361
+ },
1362
+ {
1363
+ name: "accepter-vpc-info.vpc-id",
1364
+ values: [peer_id.to_s]
1365
+ }
1366
+ ]
1367
+ )
1368
+
1369
+ peering_id = if !resp or !resp.vpc_peering_connections or
1370
+ resp.vpc_peering_connections.empty?
1371
+
1372
+ MU.log "Setting peering connection from VPC #{@config['name']} (#{@cloud_id} in account #{MU::Cloud::AWS.credToAcct(@config['credentials'])}) to #{peer_id} in account #{peer['account']}", details: peer
1373
+ resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_vpc_peering_connection(
1374
+ vpc_id: @cloud_id,
1375
+ peer_vpc_id: peer_id,
1376
+ peer_owner_id: peer['account'],
1377
+ peer_region: peer_obj.config['region']
1378
+ )
1379
+ resp.vpc_peering_connection.vpc_peering_connection_id
1380
+ else
1381
+ resp.vpc_peering_connections.first.vpc_peering_connection_id
1382
+ end
1383
+
1384
+ peering_name = @deploy.getResourceName(@config['name']+"-PEER-"+peer_id)
1385
+
1386
+ tag_me(peering_id, peering_name)
1387
+
1388
+ # Create routes to our new friend.
1389
+ MU::Cloud::AWS::VPC.listAllSubnetRouteTables(@cloud_id, region: @config['region'], credentials: @config['credentials']).each { |rtb_id|
1390
+ my_route_config = {
1391
+ :route_table_id => rtb_id,
1392
+ :destination_cidr_block => peer_obj.cloud_desc.cidr_block,
1393
+ :vpc_peering_connection_id => peering_id
1394
+ }
1395
+ rtbdesc = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
1396
+ route_table_ids: [rtb_id]
1397
+ ).route_tables.first
1398
+ already_exists = false
1399
+ rtbdesc.routes.each { |r|
1400
+ if r.destination_cidr_block == peer_obj.cloud_desc.cidr_block
1401
+ if r.vpc_peering_connection_id != peering_id
1402
+ MU.log "Attempt to create duplicate route to #{peer_obj.cloud_desc.cidr_block} from VPC #{@config['name']}", MU::ERR, details: r
1403
+ raise MuError, "Can't create route via #{peering_id}, a route to #{peer_obj.cloud_desc.cidr_block} already exists"
1404
+ else
1405
+ already_exists = true
1406
+ end
1407
+ end
1408
+ }
1409
+ next if already_exists
1410
+
1411
+ MU.log "Creating peering route to #{peer_obj.cloud_desc.cidr_block} in #{peer['vpc']['region']} from VPC #{@config['name']} in #{@config['region']}"
1412
+ resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_route(my_route_config)
1413
+ } # MU::Cloud::AWS::VPC.listAllSubnetRouteTables
1414
+
1415
+ can_auto_accept = ((!peer_obj.nil? and !peer_obj.deploydata.nil? and peer_obj.deploydata['auto_accept_peers']) or $MU_CFG['allow_invade_foreign_vpcs'])
1416
+
1417
+ cnxn = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpc_peering_connections(
1418
+ vpc_peering_connection_ids: [peering_id]
1419
+ ).vpc_peering_connections.first
1420
+
1421
+ loop_if = Proc.new {
1422
+ cnxn = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_vpc_peering_connections(
1423
+ vpc_peering_connection_ids: [peering_id]
1424
+ ).vpc_peering_connections.first
1425
+ ((can_auto_accept and cnxn.status.code == "pending-acceptance") or (cnxn.status.code != "active" and cnxn.status.code != "pending-acceptance"))
1426
+ }
1427
+
1428
+ MU.retrier(wait: 5, loop_if: loop_if, ignoreme: [Aws::EC2::Errors::VpcPeeringConnectionAlreadyExists, Aws::EC2::Errors::RouteAlreadyExists]) {
1429
+ if cnxn.status.code == "pending-acceptance"
1430
+ if can_auto_accept
1431
+ MU.log "Auto-accepting peering connection #{peering_id} from VPC #{@config['name']} (#{@cloud_id}) to #{peer_id}", MU::NOTICE
1432
+ MU::Cloud::AWS.ec2(region: peer_obj.config['region'], credentials: peer['account']).accept_vpc_peering_connection(
1433
+ vpc_peering_connection_id: peering_id,
1434
+ )
1435
+
1436
+ # Create routes back from our new friend to us.
1437
+ MU::Cloud::AWS::VPC.listAllSubnetRouteTables(peer_id, region: peer_obj.config['region'], credentials: peer['account']).uniq.each { |rtb_id|
1438
+ peer_route_config = {
1439
+ :route_table_id => rtb_id,
1440
+ :destination_cidr_block => @config['ip_block'],
1441
+ :vpc_peering_connection_id => peering_id
1442
+ }
1443
+ resp = MU::Cloud::AWS.ec2(region: peer_obj.config['region'], credentials: peer['account']).create_route(peer_route_config)
1444
+ }
1445
+ else
1446
+ MU.log "VPC #{peer_id} is not managed by this Mu server or is not configured to auto-accept peering requests. You must accept the peering request for '#{@config['name']}' (#{@cloud_id}) by hand.", MU::WARN, details: "In the AWS Console, go to VPC => Peering Connections and look in the Actions drop-down. You can also set 'Invade Foreign VPCs' to 'true' using mu-configure to auto-accept all peering connections within this account, regardless of whether this Mu server owns the VPCs. This setting is per-user."
1447
+ end
1448
+ end
1449
+
1450
+ if ["failed", "rejected", "expired", "deleted"].include?(cnxn.status.code)
1451
+ MU.log "VPC peering connection from VPC #{@config['name']} (#{@cloud_id} in #{@config['region']}) to #{peer_id} in #{peer_obj.config['region']} #{cnxn.status.code}: #{cnxn.status.message}", MU::ERR
1452
+ begin
1453
+ MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).delete_vpc_peering_connection(
1454
+ vpc_peering_connection_id: peering_id
1455
+ )
1456
+ rescue Aws::EC2::Errors::InvalidStateTransition
1457
+ # XXX apparently this is normal?
1458
+ end
1459
+ raise MuError, "VPC peering connection from VPC #{@config['name']} (#{@cloud_id}) to #{peer_id} #{cnxn.status.code}: #{cnxn.status.message}"
1460
+ end
1461
+
1462
+ }
1463
+
1464
+ end
1465
+
1466
+ def tag_me(resource_id = @cloud_id, name = @mu_name)
1467
+ MU::Cloud::AWS.createStandardTags(
1468
+ resource_id,
1469
+ region: @config['region'],
1470
+ credentials: @config['credentials'],
1471
+ optional: @config['optional_tags'],
1472
+ nametag: name,
1473
+ othertags: @config['tags']
1474
+ )
1475
+ end
1476
+
1648
1477
  # Helper method for manufacturing route tables. Expect to be called from
1649
1478
  # {MU::Cloud::AWS::VPC#create} or {MU::Cloud::AWS::VPC#groom}.
1650
1479
  # @param rtb [Hash]: A route table description parsed through {MU::Config::BasketofKittens::vpcs::route_tables}.
@@ -1656,21 +1485,9 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1656
1485
  resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_route_table(vpc_id: vpc_id).route_table
1657
1486
  route_table_id = rtb['route_table_id'] = resp.route_table_id
1658
1487
  sleep 5
1659
- MU::MommaCat.createTag(route_table_id, "Name", vpc_name+"-"+rtb['name'].upcase, credentials: @config['credentials'])
1660
-
1661
- if @config['tags']
1662
- @config['tags'].each { |tag|
1663
- MU::MommaCat.createTag(route_table_id, tag['key'], tag['value'], credentials: @config['credentials'])
1664
- }
1665
- end
1666
1488
 
1667
- if @config['optional_tags']
1668
- MU::MommaCat.listOptionalTags.each { |key, value|
1669
- MU::MommaCat.createTag(route_table_id, key, value, region: @config['region'], credentials: @config['credentials'])
1670
- }
1671
- end
1489
+ tag_me(route_table_id, vpc_name+"-"+rtb['name'].upcase)
1672
1490
 
1673
- MU::Cloud::AWS.createStandardTags(route_table_id, credentials: @config['credentials'])
1674
1491
  rtb['routes'].each { |route|
1675
1492
  if route['nat_host_id'].nil? and route['nat_host_name'].nil?
1676
1493
  route_config = {
@@ -1693,7 +1510,6 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1693
1510
  return rtb
1694
1511
  end
1695
1512
 
1696
-
1697
1513
  # Remove all network gateways associated with the currently loaded deployment.
1698
1514
  # @param noop [Boolean]: If true, will only print what would be done
1699
1515
  # @param region [String]: The cloud provider region
@@ -1746,6 +1562,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1746
1562
  }
1747
1563
  return nil
1748
1564
  end
1565
+ private_class_method :purge_gateways
1749
1566
 
1750
1567
  # Remove all NAT gateways associated with the VPC of the currently loaded deployment.
1751
1568
  # @param noop [Boolean]: If true, will only print what would be done
@@ -1763,36 +1580,25 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1763
1580
  ).nat_gateways
1764
1581
 
1765
1582
  threads = []
1766
- parent_thread_id = Thread.current.object_id
1583
+
1767
1584
  if !gateways.empty?
1768
1585
  gateways.each { |gateway|
1586
+ next if noop
1587
+ MU.log "Deleting NAT Gateway #{gateway.nat_gateway_id}"
1769
1588
  threads << Thread.new {
1770
- MU.dupGlobals(parent_thread_id)
1771
- MU.log "Deleting NAT Gateway #{gateway.nat_gateway_id}"
1772
- if !noop
1773
- begin
1774
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_nat_gateway(nat_gateway_id: gateway.nat_gateway_id)
1775
- resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_nat_gateways(nat_gateway_ids: [gateway.nat_gateway_id]).nat_gateways.first
1589
+ MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_nat_gateway(nat_gateway_id: gateway.nat_gateway_id)
1590
+
1591
+ resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_nat_gateways(nat_gateway_ids: [gateway.nat_gateway_id]).nat_gateways.first
1592
+
1593
+ loop_if = Proc.new {
1594
+ resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_nat_gateways(nat_gateway_ids: [gateway.nat_gateway_id]).nat_gateways.first
1595
+ (resp.state != "deleted" and resp.state != "failed")
1596
+ }
1597
+
1598
+ MU.retrier([Aws::EmptyStructure, NoMethodError], ignoreme: [Aws::EC2::Errors::NatGatewayMalformed, Aws::EC2::Errors::NatGatewayNotFound], max: 50, loop_if: loop_if) { |retries, _wait|
1599
+ MU.log "Waiting for nat gateway #{gateway.nat_gateway_id} to delete" if retries % 3 == 0
1600
+ }
1776
1601
 
1777
- attempts = 0
1778
- while resp.state != "deleted" and resp.state != "failed"
1779
- MU.log "Waiting for nat gateway #{gateway.nat_gateway_id} to delete" if attempts % 2 == 0
1780
- sleep 30
1781
- begin
1782
- resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_nat_gateways(nat_gateway_ids: [gateway.nat_gateway_id]).nat_gateways.first
1783
- rescue Aws::EmptyStructure, NoMethodError
1784
- sleep 5
1785
- retry
1786
- rescue Aws::EC2::Errors::NatGatewayNotFound
1787
- MU.log "NAT gateway #{gateway.nat_gateway_id} already deleted", MU::NOTICE
1788
- end
1789
- MU.log "Timed out while waiting for NAT Gateway to delete #{gateway.nat_gateway_id}: #{resp}", MU::WARN if attempts > 50
1790
- attempts += 1
1791
- end
1792
- rescue Aws::EC2::Errors::NatGatewayMalformed
1793
- MU.log "NAT Gateway #{gateway.nat_gateway_id} was already deleted", MU::NOTICE
1794
- end
1795
- end
1796
1602
  }
1797
1603
  }
1798
1604
  end
@@ -1803,6 +1609,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1803
1609
 
1804
1610
  return nil
1805
1611
  end
1612
+ private_class_method :purge_nat_gateways
1806
1613
 
1807
1614
  # Remove all VPC endpoints associated with the VPC of the currently loaded deployment.
1808
1615
  # @param noop [Boolean]: If true, will only print what would be done
@@ -1820,38 +1627,21 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1820
1627
  ).vpc_endpoints
1821
1628
 
1822
1629
  threads = []
1823
- parent_thread_id = Thread.current.object_id
1630
+
1824
1631
  if !vpc_endpoints.empty?
1825
1632
  vpc_endpoints.each { |endpoint|
1633
+ MU.log "Deleting VPC endpoint #{endpoint.vpc_endpoint_id}"
1634
+ next if noop
1826
1635
  threads << Thread.new {
1827
- MU.dupGlobals(parent_thread_id)
1828
- MU.log "Deleting VPC endpoint #{endpoint.vpc_endpoint_id}"
1829
- if !noop
1830
- begin
1831
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_vpc_endpoints(vpc_endpoint_ids: [endpoint.vpc_endpoint_id])
1832
- resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpc_endpoints(vpc_endpoint_ids: [endpoint.vpc_endpoint_id]).vpc_endpoints.first
1833
-
1834
- attempts = 0
1835
- while resp.state != "deleted"
1836
- MU.log "Waiting for VPC endpoint #{endpoint.vpc_endpoint_id} to delete" if attempts % 5 == 0
1837
- sleep 30
1838
- begin
1839
- resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpc_endpoints(vpc_endpoint_ids: [endpoint.vpc_endpoint_id]).vpc_endpoints.first
1840
- rescue Aws::EmptyStructure, NoMethodError
1841
- sleep 5
1842
- retry
1843
- rescue Aws::EC2::Errors::InvalidVpcEndpointIdNotFound
1844
- MU.log "VPC endpoint #{endpoint.vpc_endpoint_id} already deleted", MU::NOTICE
1845
- end
1846
- MU.log "Timed out while waiting for VPC endpoint to delete #{endpoint.vpc_endpoint_id}: #{resp}", MU::WARN if attempts > 50
1847
- attempts += 1
1848
- end
1849
- rescue Aws::EC2::Errors::VpcEndpointIdMalformed
1850
- MU.log "VPC endpoint #{endpoint.vpc_endpoint_id} was already deleted", MU::NOTICE
1851
- rescue Aws::EC2::Errors::InvalidVpcEndpointIdNotFound
1852
- MU.log "VPC endpoint #{endpoint.vpc_endpoint_id} already deleted", MU::NOTICE
1853
- end
1854
- end
1636
+ MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_vpc_endpoints(vpc_endpoint_ids: [endpoint.vpc_endpoint_id])
1637
+ resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpc_endpoints(vpc_endpoint_ids: [endpoint.vpc_endpoint_id]).vpc_endpoints.first
1638
+ loop_if = Proc.new {
1639
+ resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpc_endpoints(vpc_endpoint_ids: [endpoint.vpc_endpoint_id]).vpc_endpoints.first
1640
+ resp.state != "deleted"
1641
+ }
1642
+ MU.retrier([Aws::EmptyStructure, NoMethodError], ignoreme: [Aws::EC2::Errors::InvalidVpcEndpointIdNotFound, Aws::EC2::Errors::VpcEndpointIdMalformed], max: 20, wait: 10, loop_if: loop_if) { |retries, _wait|
1643
+ MU.log "Waiting for VPC endpoint #{endpoint.vpc_endpoint_id} to delete" if retries % 5 == 0
1644
+ }
1855
1645
  }
1856
1646
  }
1857
1647
  end
@@ -1862,6 +1652,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1862
1652
 
1863
1653
  return nil
1864
1654
  end
1655
+ private_class_method :purge_endpoints
1865
1656
 
1866
1657
  # Remove all route tables associated with the currently loaded deployment.
1867
1658
  # @param noop [Boolean]: If true, will only print what would be done
@@ -1882,7 +1673,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1882
1673
  MU.log "Deleting Network Interface #{route.network_interface_id}"
1883
1674
  begin
1884
1675
  MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_network_interface(network_interface_id: route.network_interface_id) if !noop
1885
- rescue Aws::EC2::Errors::InvalidNetworkInterfaceIDNotFound => e
1676
+ rescue Aws::EC2::Errors::InvalidNetworkInterfaceIDNotFound
1886
1677
  MU.log "Network Interface #{route.network_interface_id} has already been deleted", MU::WARN
1887
1678
  end
1888
1679
  end
@@ -1902,9 +1693,9 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1902
1693
  table.associations.each { |assoc|
1903
1694
  begin
1904
1695
  MU::Cloud::AWS.ec2(credentials: credentials, region: region).disassociate_route_table(association_id: assoc.route_table_association_id) if !noop
1905
- rescue Aws::EC2::Errors::InvalidAssociationIDNotFound => e
1696
+ rescue Aws::EC2::Errors::InvalidAssociationIDNotFound
1906
1697
  MU.log "Route table association #{assoc.route_table_association_id} already removed", MU::WARN
1907
- rescue Aws::EC2::Errors::InvalidParameterValue => e
1698
+ rescue Aws::EC2::Errors::InvalidParameterValue
1908
1699
  # normal and ignorable with the default route table
1909
1700
  can_delete = false
1910
1701
  next
@@ -1920,124 +1711,7 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
1920
1711
  }
1921
1712
  return nil
1922
1713
  end
1923
-
1924
-
1925
- # Remove all network interfaces associated with the currently loaded deployment.
1926
- # @param noop [Boolean]: If true, will only print what would be done
1927
- # @param filters [Array<Hash>]: EC2 tags to filter against when search for resources to purge
1928
- # @param region [String]: The cloud provider region
1929
- # @return [void]
1930
- def self.purge_interfaces(noop = false, filters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion, credentials: nil)
1931
- resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_network_interfaces(
1932
- filters: filters
1933
- )
1934
- ifaces = resp.data.network_interfaces
1935
-
1936
- return if ifaces.nil? or ifaces.size == 0
1937
-
1938
- ifaces.each { |iface|
1939
- if iface.vpc_id
1940
- default_sg_resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_security_groups(
1941
- filters: [
1942
- { name: "group-name", values: ["default"] },
1943
- { name: "vpc-id", values: [iface.vpc_id] }
1944
- ]
1945
- ).security_groups
1946
- if default_sg_resp and default_sg_resp.size == 1
1947
- default_sg = default_sg_resp.first.group_id
1948
- if iface.groups.size != 1 or
1949
- iface.groups.first.group_id != default_sg
1950
- MU.log "Removing extra security groups from ENI #{iface.network_interface_id}"
1951
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).modify_network_interface_attribute(
1952
- network_interface_id: iface.network_interface_id,
1953
- groups: [default_sg]
1954
- )
1955
- end
1956
- end
1957
- end
1958
- begin
1959
- if iface.attachment and iface.attachment.status == "attached"
1960
- MU.log "Detaching Network Interface #{iface.network_interface_id} from #{iface.attachment.instance_owner_id}"
1961
- tried_lbs = false
1962
- begin
1963
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).detach_network_interface(attachment_id: iface.attachment.attachment_id) if !noop
1964
- rescue Aws::EC2::Errors::OperationNotPermitted => e
1965
- MU.log "Can't detach #{iface.network_interface_id}: #{e.message}", MU::WARN, details: iface.attachment
1966
- next
1967
- rescue Aws::EC2::Errors::InvalidAttachmentIDNotFound => e
1968
- # suits me just fine
1969
- rescue Aws::EC2::Errors::AuthFailure => e
1970
- if !tried_lbs and iface.attachment.instance_owner_id == "amazon-elb"
1971
- MU::Cloud::AWS::LoadBalancer.cleanup(
1972
- noop: noop,
1973
- region: region,
1974
- credentials: credentials,
1975
- flags: {"vpc_id" => iface.vpc_id}
1976
- )
1977
- tried_lbs = true
1978
- retry
1979
- end
1980
- MU.log e.message, MU::ERR, details: iface.attachment
1981
- end
1982
- end
1983
- MU.log "Deleting Network Interface #{iface.network_interface_id}"
1984
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_network_interface(network_interface_id: iface.network_interface_id) if !noop
1985
- rescue Aws::EC2::Errors::InvalidNetworkInterfaceIDNotFound => e
1986
- # ok then!
1987
- rescue Aws::EC2::Errors::InvalidParameterValue => e
1988
- MU.log e.message, MU::ERR, details: iface
1989
- end
1990
- }
1991
- end
1992
-
1993
- # Remove all subnets associated with the currently loaded deployment.
1994
- # @param noop [Boolean]: If true, will only print what would be done
1995
- # @param tagfilters [Array<Hash>]: EC2 tags to filter against when search for resources to purge
1996
- # @param region [String]: The cloud provider region
1997
- # @return [void]
1998
- def self.purge_subnets(noop = false, tagfilters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion, credentials: nil)
1999
- resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_subnets(
2000
- filters: tagfilters
2001
- )
2002
- subnets = resp.data.subnets
2003
-
2004
- return if subnets.nil? or subnets.size == 0
2005
-
2006
- retries = 0
2007
- subnets.each { |subnet|
2008
- MU.log "Deleting Subnet #{subnet.subnet_id}"
2009
- begin
2010
- if subnet.state != "available"
2011
- MU.log "Waiting for #{subnet.subnet_id} to be in a removable state...", MU::NOTICE
2012
- sleep 30
2013
- else
2014
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_subnet(subnet_id: subnet.subnet_id) if !noop
2015
- end
2016
- rescue Aws::EC2::Errors::DependencyViolation => e
2017
- # We're often stuck waiting for an RDS database or something else
2018
- # that takes 5-ever to delete.
2019
- if retries < 19
2020
- loglevel = (retries > 0 and (retries % 3) == 0) ? MU::NOTICE : MU::DEBUG
2021
- MU.log "#{e.message} (retry #{retries.to_s}/20)", loglevel
2022
- if loglevel == MU::NOTICE
2023
- MU::Cloud::AWS::VPC.purge_interfaces(noop, [{name: "subnet-id", values: [subnet.subnet_id]}], region: region, credentials: credentials)
2024
- end
2025
- sleep 30
2026
- retries = retries + 1
2027
- retry
2028
- elsif retries < 20
2029
- MU.log "#{e.message} (final attempt)", MU::WARN
2030
- sleep 60
2031
- retries = retries + 1
2032
- retry
2033
- else
2034
- raise e
2035
- end
2036
- rescue Aws::EC2::Errors::InvalidSubnetIDNotFound
2037
- next
2038
- end while subnet.state != "available"
2039
- }
2040
- end
1714
+ private_class_method :purge_routetables
2041
1715
 
2042
1716
  # Remove all DHCP options sets associated with the currently loaded
2043
1717
  # deployment.
@@ -2056,7 +1730,9 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
2056
1730
  sets.each { |optset|
2057
1731
  begin
2058
1732
  MU.log "Deleting DHCP Option Set #{optset.dhcp_options_id}"
2059
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_dhcp_options(dhcp_options_id: optset.dhcp_options_id)
1733
+ if !noop
1734
+ MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_dhcp_options(dhcp_options_id: optset.dhcp_options_id)
1735
+ end
2060
1736
  rescue Aws::EC2::Errors::DependencyViolation => e
2061
1737
  MU.log e.inspect, MU::ERR
2062
1738
  # rescue Aws::EC2::Errors::InvalidSubnetIDNotFound
@@ -2065,6 +1741,62 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
2065
1741
  end
2066
1742
  }
2067
1743
  end
1744
+ private_class_method :purge_dhcpopts
1745
+
1746
+ def self.purge_peering_connections(noop, vpc_id, region: MU.curRegion, credentials: nil)
1747
+ my_peer_conns = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpc_peering_connections(
1748
+ filters: [
1749
+ {
1750
+ name: "requester-vpc-info.vpc-id",
1751
+ values: [vpc_id]
1752
+ }
1753
+ ]
1754
+ ).vpc_peering_connections
1755
+ my_peer_conns.concat(MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpc_peering_connections(
1756
+ filters: [
1757
+ {
1758
+ name: "accepter-vpc-info.vpc-id",
1759
+ values: [vpc_id]
1760
+ }
1761
+ ]
1762
+ ).vpc_peering_connections)
1763
+
1764
+ my_peer_conns.each { |cnxn|
1765
+ [cnxn.accepter_vpc_info.vpc_id, cnxn.requester_vpc_info.vpc_id].each { |peer_vpc|
1766
+ MU::Cloud::AWS::VPC.listAllSubnetRouteTables(peer_vpc, region: region, credentials: credentials).each { |rtb_id|
1767
+ begin
1768
+ resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_route_tables(
1769
+ route_table_ids: [rtb_id]
1770
+ )
1771
+ rescue Aws::EC2::Errors::InvalidRouteTableIDNotFound
1772
+ next
1773
+ end
1774
+ resp.route_tables.each { |rtb|
1775
+ rtb.routes.each { |route|
1776
+ if route.vpc_peering_connection_id == cnxn.vpc_peering_connection_id
1777
+ MU.log "Removing route #{route.destination_cidr_block} from route table #{rtb_id} in VPC #{peer_vpc}"
1778
+ MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_route(
1779
+ route_table_id: rtb_id,
1780
+ destination_cidr_block: route.destination_cidr_block
1781
+ ) if !noop
1782
+ end
1783
+ }
1784
+ }
1785
+ }
1786
+ }
1787
+ MU.log "Deleting VPC peering connection #{cnxn.vpc_peering_connection_id}"
1788
+ begin
1789
+ MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_vpc_peering_connection(
1790
+ vpc_peering_connection_id: cnxn.vpc_peering_connection_id
1791
+ ) if !noop
1792
+ rescue Aws::EC2::Errors::InvalidStateTransition
1793
+ MU.log "VPC peering connection #{cnxn.vpc_peering_connection_id} not in removable (state #{cnxn.status.code})", MU::WARN
1794
+ rescue Aws::EC2::Errors::OperationNotPermitted => e
1795
+ MU.log "VPC peering connection #{cnxn.vpc_peering_connection_id} refuses to delete: #{e.message}", MU::WARN
1796
+ end
1797
+ }
1798
+ end
1799
+ private_class_method :purge_peering_connections
2068
1800
 
2069
1801
  # Remove all VPCs associated with the currently loaded deployment.
2070
1802
  # @param noop [Boolean]: If true, will only print what would be done
@@ -2073,177 +1805,39 @@ MU.log "association I don't understand in #{@cloud_id}", MU::WARN, details: rtb_
2073
1805
  # @return [void]
2074
1806
  def self.purge_vpcs(noop = false, tagfilters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion, credentials: nil)
2075
1807
  resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpcs(
2076
- filters: tagfilters
1808
+ filters: tagfilters
2077
1809
  )
2078
1810
 
2079
1811
  vpcs = resp.data.vpcs
2080
1812
  return if vpcs.nil? or vpcs.size == 0
2081
1813
 
2082
1814
  vpcs.each { |vpc|
2083
- my_peer_conns = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpc_peering_connections(
2084
- filters: [
2085
- {
2086
- name: "requester-vpc-info.vpc-id",
2087
- values: [vpc.vpc_id]
2088
- }
2089
- ]
2090
- ).vpc_peering_connections
2091
- my_peer_conns.concat(MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_vpc_peering_connections(
2092
- filters: [
2093
- {
2094
- name: "accepter-vpc-info.vpc-id",
2095
- values: [vpc.vpc_id]
2096
- }
2097
- ]
2098
- ).vpc_peering_connections)
2099
- my_peer_conns.each { |cnxn|
2100
-
2101
- [cnxn.accepter_vpc_info.vpc_id, cnxn.requester_vpc_info.vpc_id].each { |peer_vpc|
2102
- MU::Cloud::AWS::VPC.listAllSubnetRouteTables(peer_vpc, region: region, credentials: credentials).each { |rtb_id|
2103
- begin
2104
- resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_route_tables(
2105
- route_table_ids: [rtb_id]
2106
- )
2107
- rescue Aws::EC2::Errors::InvalidRouteTableIDNotFound => e
2108
- next
2109
- end
2110
- resp.route_tables.each { |rtb|
2111
- rtb.routes.each { |route|
2112
- if route.vpc_peering_connection_id == cnxn.vpc_peering_connection_id
2113
- MU.log "Removing route #{route.destination_cidr_block} from route table #{rtb_id} in VPC #{peer_vpc}"
2114
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_route(
2115
- route_table_id: rtb_id,
2116
- destination_cidr_block: route.destination_cidr_block
2117
- ) if !noop
2118
- end
2119
- }
2120
- }
2121
- }
2122
- }
2123
- MU.log "Deleting VPC peering connection #{cnxn.vpc_peering_connection_id}"
2124
- begin
2125
- MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_vpc_peering_connection(
2126
- vpc_peering_connection_id: cnxn.vpc_peering_connection_id
2127
- ) if !noop
2128
- rescue Aws::EC2::Errors::InvalidStateTransition => e
2129
- MU.log "VPC peering connection #{cnxn.vpc_peering_connection_id} not in removable (state #{cnxn.status.code})", MU::WARN
2130
- rescue Aws::EC2::Errors::OperationNotPermitted => e
2131
- MU.log "VPC peering connection #{cnxn.vpc_peering_connection_id} refuses to delete: #{e.message}", MU::WARN
2132
- end
1815
+ purge_peering_connections(noop, vpc.vpc_id, region: region, credentials: credentials)
1816
+
1817
+ on_retry = Proc.new {
1818
+ MU::Cloud.resourceClass("AWS", "FirewallRule").cleanup(
1819
+ noop: noop,
1820
+ region: region,
1821
+ credentials: credentials,
1822
+ flags: { "vpc_id" => vpc.vpc_id }
1823
+ )
1824
+ purge_gateways(noop, tagfilters, region: region, credentials: credentials)
2133
1825
  }
2134
1826
 
2135
- retries = 0
2136
- begin
1827
+ MU.retrier([Aws::EC2::Errors::DependencyViolation], ignoreme: [Aws::EC2::Errors::InvalidVpcIDNotFound], max: 20, on_retry: on_retry) {
2137
1828
  MU.log "Deleting VPC #{vpc.vpc_id}"
2138
1829
  MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_vpc(vpc_id: vpc.vpc_id) if !noop
2139
- rescue Aws::EC2::Errors::InvalidVpcIDNotFound
2140
- MU.log "VPC #{vpc.vpc_id} has already been deleted", MU::WARN
2141
- rescue Aws::EC2::Errors::DependencyViolation => e
2142
- if retries < 5
2143
- MU.log "#{vpc.vpc_id} in #{region} had hidden dependencies, will try to remove them", MU::NOTICE
2144
- retries += 1
2145
- # fry some common rogue resources
2146
- MU::Cloud::AWS::FirewallRule.cleanup(
2147
- noop: noop,
2148
- region: region,
2149
- credentials: credentials,
2150
- flags: { "vpc_id" => vpc.vpc_id }
2151
- )
2152
- purge_gateways(noop, tagfilters, region: region, credentials: credentials)
2153
- sleep 10
2154
- retry
2155
- else
2156
- MU.log "Failed to remove #{vpc.vpc_id} in #{region}: #{e.message}", MU::ERR
2157
- next
2158
- end
2159
- end
1830
+ }
2160
1831
 
2161
1832
  if !MU::Cloud::AWS.isGovCloud?(region)
2162
1833
  mu_zone = MU::Cloud::DNSZone.find(cloud_id: "platform-mu", region: region, credentials: credentials).values.first
2163
1834
  if !mu_zone.nil?
2164
- MU::Cloud::AWS::DNSZone.toggleVPCAccess(id: mu_zone.id, vpc_id: vpc.vpc_id, remove: true, credentials: credentials)
1835
+ MU::Cloud.resourceClass("AWS", "DNSZone").toggleVPCAccess(id: mu_zone.id, vpc_id: vpc.vpc_id, remove: true, credentials: credentials)
2165
1836
  end
2166
1837
  end
2167
1838
  }
2168
1839
  end
2169
-
2170
- protected
2171
-
2172
- # Subnets are almost a first-class resource. So let's kinda sorta treat
2173
- # them like one. This should only be invoked on objects that already
2174
- # exists in the cloud layer.
2175
- class Subnet < MU::Cloud::AWS::VPC
2176
-
2177
- attr_reader :cloud_id
2178
- attr_reader :ip_block
2179
- attr_reader :mu_name
2180
- attr_reader :name
2181
- attr_reader :az
2182
- attr_reader :cloud_desc
2183
-
2184
- # @param parent [MU::Cloud::AWS::VPC]: The parent VPC of this subnet.
2185
- # @param config [Hash<String>]:
2186
- def initialize(parent, config)
2187
- @parent = parent
2188
- @config = MU::Config.manxify(config)
2189
- @cloud_id = config['cloud_id']
2190
- @mu_name = config['mu_name']
2191
- @name = config['name']
2192
- @deploydata = config # This is a dummy for the sake of describe()
2193
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_subnets(subnet_ids: [@cloud_id]).subnets.first
2194
- @az = resp.availability_zone
2195
- @ip_block = resp.cidr_block
2196
- @cloud_desc = resp # XXX this really isn't the cloud implementation's business
2197
-
2198
- end
2199
-
2200
- # Return the cloud identifier for the default route of this subnet.
2201
- def defaultRoute
2202
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
2203
- filters: [{name: "association.subnet-id", values: [@cloud_id]}]
2204
- )
2205
- if resp.route_tables.size == 0 # use default route table for the VPC
2206
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
2207
- filters: [{name: "vpc-id", values: [@parent.cloud_id]}]
2208
- )
2209
- end
2210
- resp.route_tables.each { |route_table|
2211
- route_table.routes.each { |route|
2212
- if route.destination_cidr_block =="0.0.0.0/0" and route.state != "blackhole"
2213
- return route.instance_id if !route.instance_id.nil?
2214
- return route.gateway_id if !route.gateway_id.nil?
2215
- return route.vpc_peering_connection_id if !route.vpc_peering_connection_id.nil?
2216
- return route.network_interface_id if !route.network_interface_id.nil?
2217
- end
2218
- }
2219
- }
2220
- return nil
2221
- end
2222
-
2223
- # Is this subnet privately-routable only, or public?
2224
- # @return [Boolean]
2225
- def private?
2226
- return false if @cloud_id.nil?
2227
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
2228
- filters: [{name: "association.subnet-id", values: [@cloud_id]}]
2229
- )
2230
- if resp.route_tables.size == 0 # use default route table for the VPC
2231
- resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
2232
- filters: [{name: "vpc-id", values: [@parent.cloud_id]}]
2233
- )
2234
- end
2235
- resp.route_tables.each { |route_table|
2236
- route_table.routes.each { |route|
2237
- return false if !route.gateway_id.nil? and route.gateway_id != "local" # you can have an IgW and route it to a subset of IPs instead of 0.0.0.0/0
2238
- if route.destination_cidr_block == "0.0.0.0/0"
2239
- return true if !route.instance_id.nil?
2240
- return true if route.nat_gateway_id
2241
- end
2242
- }
2243
- }
2244
- return true
2245
- end
2246
- end
1840
+ private_class_method :purge_vpcs
2247
1841
 
2248
1842
  end #class
2249
1843
  end #class