cloud-mu 3.1.3 → 3.3.0

data/modules/tests/bucket.yml

@@ -6,7 +6,11 @@ buckets:
   policies:
   - name: testpermissions
     grant_to:
+<% if cloud == "Google" %>
     - identifier: egt.gcp.sandbox@gmail.com
+<% elsif cloud == "AWS" %>
+    - identifier: "arn:aws:iam::<%= MU::Cloud::AWS.account_number %>:root"
+<% end %>
     targets: # XXX this is redundant except for path:
     - type: bucket
       identifier: bucket

data/modules/tests/centos6.yaml

@@ -0,0 +1,15 @@
+# groomers: Chef
+---
+appname: smoketest
+vpcs:
+- name: wrapper
+servers: 
+- name: centos6
+  vpc:
+    name: wrapper
+  platform: centos6
+  size: m3.medium
+  run_list:
+  - recipe[mu-tools::apply_security]
+  - recipe[mu-tools::updates]
+  - recipe[mu-tools::split_var_partitions]

data/modules/tests/centos7.yaml

@@ -0,0 +1,15 @@
+# groomers: Chef
+---
+appname: smoketest
+vpcs:
+- name: wrapper
+servers: 
+- name: centos7
+  platform: centos7
+  vpc:
+    name: wrapper
+  size: m3.medium
+  run_list:
+  - recipe[mu-tools::apply_security]
+  - recipe[mu-tools::updates]
+  - recipe[mu-tools::split_var_partitions]

data/modules/tests/centos8.yaml

@@ -0,0 +1,12 @@
+# groomers: Chef
+# clouds: Azure, Google
+---
+appname: smoketest
+servers: 
+- name: centos8
+  platform: centos8
+  size: m3.medium
+  run_list:
+  - recipe[mu-tools::apply_security]
+  - recipe[mu-tools::updates]
+  - recipe[mu-tools::split_var_partitions]

data/modules/tests/ecs.yaml

@@ -0,0 +1,23 @@
+# Test ECS
+# clouds: AWS
+---
+appname: smoketest
+vpcs:
+- name: ecs
+container_clusters:
+- name: ecsplain
+  flavor: ECS
+  instance_type: t3.medium
+  vpc:
+    name: ecs
+  containers:
+  - name: nginx
+    image: "nginx:1.8"
+- name: ecsfargate
+  flavor: Fargate
+  instance_type: t3.medium
+  vpc:
+    name: ecs
+  containers:
+  - name: nginx
+    image: "nginx:1.8"

data/modules/tests/eks.yaml

@@ -10,7 +10,7 @@ container_clusters:
   vpc:
     vpc_name: eksvpc
   instance_count: 3
-  instance_type: t2.medium
+  instance_type: t3.medium
   kubernetes_resources:
   - apiVersion: apps/v1
     kind: Deployment

data/modules/tests/functions/node-function/lambda_function.js

@@ -0,0 +1,10 @@
+console.log('Loading function');
+
+exports.handler = async (event, context) => {
+    //console.log('Received event:', JSON.stringify(event, null, 2));
+    console.log('value1 =', event.key1);
+    console.log('value2 =', event.key2);
+    console.log('value3 =', event.key3);
+    return event.key1;  // Echo back the first key value
+    // throw new Error('Something went wrong');
+};

data/modules/tests/functions/python-function/lambda_function.py

@@ -0,0 +1,12 @@
+import json
+
+print('Loading function')
+
+
+def lambda_handler(event, context):
+    #print("Received event: " + json.dumps(event, indent=2))
+    print("value1 = " + event['key1'])
+    print("value2 = " + event['key2'])
+    print("value3 = " + event['key3'])
+    return event['key1']  # Echo back the first key value
+    #raise Exception('Something went wrong')

data/modules/tests/includes-and-params.yaml

@@ -7,7 +7,7 @@ appname: smoketest
 parameters:
 - name: instancesize
   prettyname: "Instance Size"
-  default: <%= $environment == "prod" ? "t3.large" : "t3.small" %>
+  default: <%= $environment == "prod" ? "m4.large" : "t2.small" %>
 <%= include("poolparams-include.inc") %>
 vpcs:
 - name: parsemess
@@ -18,6 +18,7 @@ server_pools:
 - name: svr
   cloud: AWS
   ssh_user: ec2-user
+  platform: amazon
   tags:
     - key: Env
       value: <%= env %>

data/modules/tests/microservice_app.yaml

@@ -0,0 +1,288 @@
+# Old Sitemonitor, with serial numbers and code filed off. This will *only*
+# work on our own Labs sandbox, unless you feed it a different domain name to
+# play in.
+# clouds: AWS
+---
+appname: SMOKETEST
+parameters:
+- name: domain
+  default: "sandbox.egt-labs.com" # this must exist as a Route53 zone and have a corresponding wildcard ACM or IAM SSL certificate
+jobs:
+- name: clear-scan-data
+  schedule:
+    minute: '0'
+    hour: '1'
+    day_of_month: '*'
+    month: "*"
+    day_of_week: "?"
+    year: "*"
+  targets:
+  - type: functions
+    name: empty-out-table
+- name: run-scans
+  schedule:
+    minute: '0'
+    hour: '2'
+    day_of_month: '*'
+    month: "*"
+    day_of_week: "?"
+    year: "*"
+  targets:
+  - type: functions
+    name: queue-domains
+
+cdns:
+- name: front
+  origins:
+  - name: default
+    bucket:
+      name: bucket
+  certificate:
+    name: "*.<%= domain %>"
+  dns_records:
+  - zone:
+      name: <%= domain %>
+  behaviors:
+  - origin: default
+    forwarded_values:
+      headers:
+      - Origin
+      - Access-Control-Request-Headers
+      - Access-Control-Request-Method
+      - Access-Control-Allow-Origin
+
+roles:
+- name: dynamostream-to-es
+  can_assume:
+  - assume_method: basic
+    entity_type: service
+    entity_id: lambda.amazonaws.com
+  attachable_policies:
+  - id: AWSLambdaInvocation-DynamoDB
+  - id: AWSLambdaBasicExecutionRole
+  policies:
+  - name: allow_es_posting
+    permissions:
+    - es:ESHttpPost
+    targets:
+    - identifier: domains-scan-data
+      type: search_domain
+      path: "/*"
+- name: empty-out-table
+  can_assume:
+  - assume_method: basic
+    entity_type: service
+    entity_id: lambda.amazonaws.com
+  attachable_policies:
+  - id: AmazonDynamoDBFullAccess
+  - id: AWSLambdaBasicExecutionRole
+- name: on-demand-scanner
+  can_assume:
+  - assume_method: basic
+    entity_type: service
+    entity_id: lambda.amazonaws.com
+  attachable_policies:
+  - id: AmazonDynamoDBFullAccess
+  - id: AWSLambdaBasicExecutionRole
+- name: queue-domains
+  can_assume:
+  - assume_method: basic
+    entity_type: service
+    entity_id: lambda.amazonaws.com
+  attachable_policies:
+  - id: AmazonDynamoDBFullAccess
+  - id: AmazonSNSFullAccess
+  - id: AWSLambdaBasicExecutionRole
+- name: scheduled-scanner
+  can_assume:
+  - assume_method: basic
+    entity_type: service
+    entity_id: lambda.amazonaws.com
+  attachable_policies:
+  - id: AmazonDynamoDBFullAccess
+  - id: AWSLambdaBasicExecutionRole
+
+notifiers:
+- name: publish-domains
+  subscriptions:
+  - type: lambda
+    resource:
+      type: functions
+      name: scheduled-scanner
+
+functions:
+- name: dynamostream-to-es
+  handler: lambda_function.lambda_handler
+  memory: 128
+  runtime: python2.7
+  timeout: 900
+  code:
+    path: functions/python-function
+  role:
+    name: dynamostream-to-es
+    type: roles
+  triggers:
+  - service: dynamodb
+    name: scan-data
+  dependencies:
+  - type: search_domain
+    name: domains-scan-data
+    phase: groom
+- name: empty-out-table
+  handler: lambda_function.lambda_handler
+  memory: 128
+  runtime: python3.6
+  timeout: 300
+  code:
+    path: functions/python-function
+  environment_variable:
+  - key: table
+    value: scandata
+  role:
+    name: empty-out-table
+    type: roles
+  dependencies:
+  - type: nosqldb
+    name: scan-data
+  - type: nosqldb
+    name: domain-list
+- name: on-demand-scanner
+  handler: lambda_function.lambda_handler
+  memory: 128
+  runtime: python3.6
+  timeout: 900
+  code:
+    path: functions/python-function
+  role:
+    name: on-demand-scanner
+    type: roles
+  dependencies:
+  - type: nosqldb
+    name: scan-data
+  triggers:
+  - service: apigateway
+    name: api
+- name: queue-domains
+  handler: lambda_function.lambda_handler
+  memory: 128
+  runtime: python3.6
+  timeout: 900
+  code:
+    path: functions/python-function
+  role:
+    name: queue-domains
+    type: roles
+  invoke_on_completion:
+    invocation_type: "RequestResponse"
+  permissions:
+  - basic
+  - dynamo
+  dependencies:
+  - type: function
+    name: dynamostream-to-es
+  - type: nosqldb
+    name: domain-list
+  - type: nosqldb
+    name: scan-data
+  - type: notifier
+    name: publish-domains
+    phase: groom
+- name: scheduled-scanner
+  handler: lambda_function.lambda_handler
+  memory: 256
+  runtime: python3.6
+  timeout: 900
+  code:
+    path: functions/python-function
+  role:
+    name: scheduled-scanner
+    type: roles
+  dependencies:
+  - type: nosqldb
+    name: scan-data
+  triggers:
+  - service: sns
+    name: publish-domains
+
+endpoints:
+- name: api
+  deploy_to: production
+  log_requests: true
+  methods:
+  - path: "/"
+    type: POST
+    cors: "*"
+    responses:
+    - code: 200
+      body:
+      - is_error: false
+        content_type: application/json
+    integrate_with:
+      name: on-demand-scanner
+      type: functions
+      integration_http_method: POST
+      async: true
+      backend_http_method: POST
+      passthrough_behavior: WHEN_NO_MATCH
+  domain_names:
+  - dns_record:
+      zone:
+        name: <%= domain %>
+    certificate:
+      name: "*.<%= domain %>"
+
+buckets:
+- name: bucket
+  web: false
+  cors:
+  - allowed_methods:
+    - GET
+    - POST
+    allowed_origins:
+    - "*"
+  upload:
+#  - source: "code/build"
+  - source: "functions"
+    destination: "/"
+
+search_domains:
+- name: domains-scan-data
+  elasticsearch_version: '7.4'
+  instance_count: 1
+  instance_type: r5.large.elasticsearch
+  ebs_size: 10
+  ebs_type: gp2
+  access_policies:
+    Version: '2012-10-17'
+    Statement:
+    - Effect: Allow
+      Principal:
+        AWS: "*"
+      Action: es:ESHttp*
+nosqldbs:
+- name: scan-data
+  read_capacity: 25
+  write_capacity: 25
+  attributes:
+  - name: domain
+    type: S
+    primary_partition: true
+  - name: last_scanned_date
+    type: S
+    primary_sort: true
+  stream: NEW_IMAGE
+- name: domain-list
+  read_capacity: 100
+  write_capacity: 1
+  attributes:
+  - name: business_owner
+    type: S
+    primary_sort: true
+  - name: domain
+    type: S
+    primary_partition: true
+  populate:
+  - business_owner: TetraTech
+    staff_division: eGT
+    operational_division: eGTLabs
+    domain: egt-labs.com

data/modules/tests/rds.yaml

@@ -0,0 +1,108 @@
+# clouds: AWS
+---
+appname: smoketest
+vpcs:
+- name: rdstests
+databases:
+- name: pgcluster
+  size: db.t3.medium
+  engine: postgres
+  engine_version: "10"  
+  auto_minor_version_upgrade: true
+  backup_retention_period: 10
+  cluster_node_count: 2
+  create_cluster: true
+  cluster_parameter_group_parameters:
+  - name: log_disconnections
+    value: "0"
+  vpc:
+    name: rdstests
+  master_user: Bob
+
+#- name: mysqlcluster
+#  size: db.t3.medium
+#  engine: aurora
+#  cluster_mode: serverless
+#  create_cluster: true
+#  vpc:
+#    name: rdstests
+
+- name: maria-base
+  size: db.t3.small
+  engine: mariadb
+  db_parameter_group_parameters:
+  - name: autocommit
+    value: "0"
+  vpc:
+    name: rdstests
+  region: us-east-1
+  create_read_replica: true
+  allow_major_version_upgrade: true
+  read_replica_region: us-east-2
+  cloudwatch_logs:
+  - slowquery
+  multi_az_on_create: true
+  master_user: Bob
+- name: maria-from-snap
+  size: db.t3.small
+  engine: mariadb
+  vpc:
+    name: rdstests
+  creation_style: new_snapshot
+  source:
+    name: maria-base
+- name: maria-point-in-time
+  creation_style: point_in_time
+  size: db.t2.micro
+  engine: mariadb
+  cloudwatch_logs:
+  - error
+  - general
+  source:
+    name: maria-base
+  vpc:
+    name: rdstests
+
+- name: oracle-base
+  size: db.m5.large
+  engine: oracle
+  vpc:
+    name: rdstests
+- name: oracle-from-snap
+  size: db.m5.large
+  engine: oracle
+  vpc:
+    name: rdstests
+  creation_style: new_snapshot
+  source:
+    name: oracle-base
+- name: oracle-point-in-time
+  size: db.m5.large
+  engine: oracle
+  vpc:
+    name: rdstests
+  creation_style: point_in_time
+  source:
+    name: oracle-base
+
+- name: sqlserver-base
+  size: db.t3.small
+  engine: sqlserver-ex
+  vpc:
+    name: rdstests
+- name: sqlserver-from-snap
+  size: db.t3.small
+  engine: sqlserver-ex
+  vpc:
+    name: rdstests
+  creation_style: new_snapshot
+  source:
+    name: sqlserver-base
+- name: sqlserver-point-in-time
+  size: db.t3.small
+  engine: sqlserver-ex
+  vpc:
+    name: rdstests
+  creation_style: point_in_time
+  source:
+    name: sqlserver-base