cloud-mu 3.1.4 → 3.3.1
- checksums.yaml +4 -4
- data/Dockerfile +5 -1
- data/ansible/roles/mu-windows/README.md +33 -0
- data/ansible/roles/mu-windows/defaults/main.yml +2 -0
- data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
- data/ansible/roles/mu-windows/files/config.xml +76 -0
- data/ansible/roles/mu-windows/handlers/main.yml +2 -0
- data/ansible/roles/mu-windows/meta/main.yml +53 -0
- data/ansible/roles/mu-windows/tasks/main.yml +36 -0
- data/ansible/roles/mu-windows/tests/inventory +2 -0
- data/ansible/roles/mu-windows/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/vars/main.yml +2 -0
- data/bin/mu-adopt +16 -12
- data/bin/mu-azure-tests +57 -0
- data/bin/mu-cleanup +2 -4
- data/bin/mu-configure +52 -0
- data/bin/mu-deploy +3 -3
- data/bin/mu-findstray-tests +25 -0
- data/bin/mu-gen-docs +2 -4
- data/bin/mu-load-config.rb +2 -1
- data/bin/mu-node-manage +15 -16
- data/bin/mu-run-tests +37 -12
- data/cloud-mu.gemspec +5 -3
- data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
- data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
- data/cookbooks/mu-tools/libraries/helper.rb +1 -1
- data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
- data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
- data/cookbooks/mu-tools/recipes/eks.rb +2 -2
- data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
- data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
- data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
- data/extras/clean-stock-amis +25 -19
- data/extras/generate-stock-images +1 -0
- data/extras/image-generators/AWS/win2k12.yaml +18 -13
- data/extras/image-generators/AWS/win2k16.yaml +18 -13
- data/extras/image-generators/AWS/win2k19.yaml +21 -0
- data/modules/mommacat.ru +1 -1
- data/modules/mu.rb +158 -107
- data/modules/mu/adoption.rb +386 -59
- data/modules/mu/cleanup.rb +214 -303
- data/modules/mu/cloud.rb +128 -1632
- data/modules/mu/cloud/database.rb +49 -0
- data/modules/mu/cloud/dnszone.rb +44 -0
- data/modules/mu/cloud/machine_images.rb +212 -0
- data/modules/mu/cloud/providers.rb +81 -0
- data/modules/mu/cloud/resource_base.rb +926 -0
- data/modules/mu/cloud/server.rb +40 -0
- data/modules/mu/cloud/server_pool.rb +1 -0
- data/modules/mu/cloud/ssh_sessions.rb +228 -0
- data/modules/mu/cloud/winrm_sessions.rb +237 -0
- data/modules/mu/cloud/wrappers.rb +169 -0
- data/modules/mu/config.rb +135 -82
- data/modules/mu/config/alarm.rb +2 -6
- data/modules/mu/config/bucket.rb +32 -3
- data/modules/mu/config/cache_cluster.rb +2 -2
- data/modules/mu/config/cdn.rb +100 -0
- data/modules/mu/config/collection.rb +1 -1
- data/modules/mu/config/container_cluster.rb +7 -2
- data/modules/mu/config/database.rb +84 -105
- data/modules/mu/config/database.yml +1 -2
- data/modules/mu/config/dnszone.rb +5 -4
- data/modules/mu/config/doc_helpers.rb +5 -6
- data/modules/mu/config/endpoint.rb +2 -1
- data/modules/mu/config/firewall_rule.rb +3 -19
- data/modules/mu/config/folder.rb +1 -1
- data/modules/mu/config/function.rb +17 -8
- data/modules/mu/config/group.rb +1 -1
- data/modules/mu/config/habitat.rb +1 -1
- data/modules/mu/config/job.rb +89 -0
- data/modules/mu/config/loadbalancer.rb +57 -11
- data/modules/mu/config/log.rb +1 -1
- data/modules/mu/config/msg_queue.rb +1 -1
- data/modules/mu/config/nosqldb.rb +1 -1
- data/modules/mu/config/notifier.rb +8 -19
- data/modules/mu/config/ref.rb +92 -14
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +38 -37
- data/modules/mu/config/search_domain.rb +1 -1
- data/modules/mu/config/server.rb +12 -13
- data/modules/mu/config/server.yml +1 -0
- data/modules/mu/config/server_pool.rb +3 -7
- data/modules/mu/config/storage_pool.rb +1 -1
- data/modules/mu/config/tail.rb +11 -0
- data/modules/mu/config/user.rb +1 -1
- data/modules/mu/config/vpc.rb +27 -23
- data/modules/mu/config/vpc.yml +0 -1
- data/modules/mu/defaults/AWS.yaml +91 -68
- data/modules/mu/defaults/Azure.yaml +1 -0
- data/modules/mu/defaults/Google.yaml +1 -0
- data/modules/mu/deploy.rb +33 -19
- data/modules/mu/groomer.rb +16 -1
- data/modules/mu/groomers/ansible.rb +123 -21
- data/modules/mu/groomers/chef.rb +64 -11
- data/modules/mu/logger.rb +120 -144
- data/modules/mu/master.rb +97 -4
- data/modules/mu/master/ssl.rb +0 -1
- data/modules/mu/mommacat.rb +154 -867
- data/modules/mu/mommacat/daemon.rb +23 -14
- data/modules/mu/mommacat/naming.rb +110 -3
- data/modules/mu/mommacat/search.rb +495 -0
- data/modules/mu/mommacat/storage.rb +225 -192
- data/modules/mu/{clouds → providers}/README.md +1 -1
- data/modules/mu/{clouds → providers}/aws.rb +281 -64
- data/modules/mu/{clouds → providers}/aws/alarm.rb +3 -3
- data/modules/mu/{clouds → providers}/aws/bucket.rb +275 -41
- data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +14 -50
- data/modules/mu/providers/aws/cdn.rb +782 -0
- data/modules/mu/{clouds → providers}/aws/collection.rb +5 -5
- data/modules/mu/{clouds → providers}/aws/container_cluster.rb +708 -749
- data/modules/mu/providers/aws/database.rb +1744 -0
- data/modules/mu/{clouds → providers}/aws/dnszone.rb +75 -57
- data/modules/mu/providers/aws/endpoint.rb +1072 -0
- data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +212 -242
- data/modules/mu/{clouds → providers}/aws/folder.rb +1 -1
- data/modules/mu/{clouds → providers}/aws/function.rb +289 -134
- data/modules/mu/{clouds → providers}/aws/group.rb +18 -20
- data/modules/mu/{clouds → providers}/aws/habitat.rb +3 -3
- data/modules/mu/providers/aws/job.rb +466 -0
- data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +50 -41
- data/modules/mu/{clouds → providers}/aws/log.rb +5 -5
- data/modules/mu/{clouds → providers}/aws/msg_queue.rb +14 -11
- data/modules/mu/{clouds → providers}/aws/nosqldb.rb +96 -5
- data/modules/mu/{clouds → providers}/aws/notifier.rb +135 -63
- data/modules/mu/{clouds → providers}/aws/role.rb +94 -57
- data/modules/mu/{clouds → providers}/aws/search_domain.rb +173 -42
- data/modules/mu/{clouds → providers}/aws/server.rb +782 -1107
- data/modules/mu/{clouds → providers}/aws/server_pool.rb +36 -46
- data/modules/mu/{clouds → providers}/aws/storage_pool.rb +21 -38
- data/modules/mu/{clouds → providers}/aws/user.rb +12 -16
- data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
- data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
- data/modules/mu/{clouds → providers}/aws/vpc.rb +429 -849
- data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
- data/modules/mu/{clouds → providers}/azure.rb +13 -0
- data/modules/mu/{clouds → providers}/azure/container_cluster.rb +1 -5
- data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +8 -1
- data/modules/mu/{clouds → providers}/azure/habitat.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/role.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/server.rb +32 -24
- data/modules/mu/{clouds → providers}/azure/user.rb +1 -1
- data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/azure/vpc.rb +4 -6
- data/modules/mu/{clouds → providers}/cloudformation.rb +10 -0
- data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
- data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
- data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
- data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +3 -3
- data/modules/mu/{clouds → providers}/docker.rb +0 -0
- data/modules/mu/{clouds → providers}/google.rb +29 -6
- data/modules/mu/{clouds → providers}/google/bucket.rb +5 -5
- data/modules/mu/{clouds → providers}/google/container_cluster.rb +59 -37
- data/modules/mu/{clouds → providers}/google/database.rb +5 -12
- data/modules/mu/{clouds → providers}/google/firewall_rule.rb +5 -5
- data/modules/mu/{clouds → providers}/google/folder.rb +5 -9
- data/modules/mu/{clouds → providers}/google/function.rb +14 -8
- data/modules/mu/{clouds → providers}/google/group.rb +9 -17
- data/modules/mu/{clouds → providers}/google/habitat.rb +4 -8
- data/modules/mu/{clouds → providers}/google/loadbalancer.rb +5 -5
- data/modules/mu/{clouds → providers}/google/role.rb +50 -31
- data/modules/mu/{clouds → providers}/google/server.rb +142 -55
- data/modules/mu/{clouds → providers}/google/server_pool.rb +14 -14
- data/modules/mu/{clouds → providers}/google/user.rb +34 -24
- data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/google/vpc.rb +46 -15
- data/modules/tests/aws-jobs-functions.yaml +46 -0
- data/modules/tests/centos6.yaml +15 -0
- data/modules/tests/centos7.yaml +15 -0
- data/modules/tests/centos8.yaml +12 -0
- data/modules/tests/ecs.yaml +23 -0
- data/modules/tests/eks.yaml +1 -1
- data/modules/tests/functions/node-function/lambda_function.js +10 -0
- data/modules/tests/functions/python-function/lambda_function.py +12 -0
- data/modules/tests/includes-and-params.yaml +2 -1
- data/modules/tests/microservice_app.yaml +288 -0
- data/modules/tests/rds.yaml +108 -0
- data/modules/tests/regrooms/rds.yaml +123 -0
- data/modules/tests/server-with-scrub-muisms.yaml +2 -1
- data/modules/tests/super_complex_bok.yml +2 -2
- data/modules/tests/super_simple_bok.yml +3 -5
- data/modules/tests/win2k12.yaml +25 -0
- data/modules/tests/win2k16.yaml +25 -0
- data/modules/tests/win2k19.yaml +25 -0
- data/requirements.txt +1 -0
- data/spec/mu/clouds/azure_spec.rb +2 -2
- metadata +169 -93
- data/extras/image-generators/AWS/windows.yaml +0 -18
- data/modules/mu/clouds/aws/database.rb +0 -1974
- data/modules/mu/clouds/aws/endpoint.rb +0 -596
- data/modules/tests/needwork/win2k12.yaml +0 -13
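--- a/data/modules/mu/clouds/aws/role.rb
+++ b/data/modules/mu/providers/aws/role.rb
@@ -30,7 +30,7 @@ module MU
 end
 end
 
-@mu_name ||= @deploy.getResourceName(@config["name"])
+@mu_name ||= @deploy.getResourceName(@config["name"], max_length: 64)
 end
 
 # Called automatically by {MU::Deploy#createResources}
@@ -92,13 +92,14 @@ module MU
 configured_policies = []
 
 if @config['raw_policies']
+MU.log "Attaching #{@config['raw_policies'].size.to_s} raw #{@config['raw_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
 configured_policies = @config['raw_policies'].map { |p|
 @mu_name+"-"+p.keys.first.upcase
 }
 end
 
 if @config['attachable_policies']
-MU.log "Attaching #{@config['attachable_policies'].size.to_s} #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
+MU.log "Attaching #{@config['attachable_policies'].size.to_s} external #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
 configured_policies.concat(@config['attachable_policies'].map { |p|
 id = if p.is_a?(MU::Config::Ref)
 p.cloud_id
@@ -109,17 +110,16 @@ module MU
 end
 id.gsub(/.*?\/([^:\/]+)$/, '\1')
 })
-configured_policies.each { |pol|
-}
 end
 
+# Purge anything that doesn't belong
 if !@config['bare_policies']
 attached_policies = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_role_policies(
 role_name: @mu_name
 ).attached_policies
 attached_policies.each { |a|
 if !configured_policies.include?(a.policy_name)
-MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE
+MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE, details: configured_policies
 MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @config['credentials'])
 end
 }
@@ -137,7 +137,7 @@ module MU
 
 if !@config['bare_policies'] and
 (@config['raw_policies'] or @config['attachable_policies'])
-bindTo("role", @mu_name)
+# bindTo("role", @mu_name)
 end
 end
 
@@ -153,6 +153,7 @@ module MU
 policy.values.each { |p|
 p["Version"] ||= "2012-10-17"
 }
+
 policy_name = basename+"-"+policy.keys.first.upcase
 
 arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(credentials)+":policy#{path}/#{policy_name}"
@@ -201,7 +202,11 @@ module MU
 def arn
 desc = cloud_desc
 if desc["role"]
-desc[
+if desc['role'].is_a?(Hash)
+desc["role"][:arn] # why though
+else
+desc["role"].arn
+end
 else
 nil
 end
@@ -212,7 +217,22 @@ module MU
 # populated with one or both depending on what this resource has
 # defined.
 def cloud_desc(use_cache: true)
-
+
+# we might inherit a naive cached description from the base cloud
+# layer; rearrange it to our tastes
+if @cloud_desc_cache.is_a?(::Aws::IAM::Types::Role)
+new_desc = {
+"role" => @cloud_desc_cache
+}
+@cloud_desc_cache = new_desc
+elsif @cloud_desc_cache.is_a?(::Aws::IAM::Types::Policy)
+new_desc = {
+"policies" => [@cloud_desc_cache]
+}
+@cloud_desc_cache = new_desc
+end
+
+return @cloud_desc_cache if @cloud_desc_cache and !@cloud_desc_cache.empty? and use_cache
 
 @cloud_desc_cache = {}
 if @config['bare_policies']
@@ -290,21 +310,21 @@ end
 if !policy.match(/^#{@deploy.deploy_id}/)
 policy = @mu_name+"-"+policy.upcase
 end
-
-my_policies = cloud_desc["policies"]
+my_policies = cloud_desc(use_cache: false)["policies"]
 my_policies ||= []
-
+
+seen_policy = false
 my_policies.each { |p|
 if p.policy_name == policy
+seen_policy = true
 old = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
 policy_arn: p.arn,
 version_id: p.default_version_id
 ).policy_version
 
 doc = JSON.parse URI.decode_www_form_component old.document
-
 need_update = false
-
+
 doc["Statement"].each { |s|
 targets.each { |target|
 target_string = target
@@ -333,6 +353,10 @@ end
 end
 end
 }
+
+if !seen_policy
+MU.log "Was given new targets for policy #{policy}, but I don't see any such policy attached to role #{@cloud_id}", MU::WARN, details: targets
+end
 end
 
 # Delete an IAM policy, along with attendant versions and attachments.
@@ -411,14 +435,14 @@ end
 # @param noop [Boolean]: If true, will only print what would be done
 # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
 # @return [void]
-def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
 
 resp = MU::Cloud::AWS.iam(credentials: credentials).list_policies(
-path_prefix: "/"+
+path_prefix: "/"+deploy_id+"/"
 )
 if resp and resp.policies
 resp.policies.each { |policy|
-MU.log "Deleting IAM policy /#{
+MU.log "Deleting IAM policy /#{deploy_id}/#{policy.policy_name}"
 if !noop
 purgePolicy(policy.arn, credentials)
 end
@@ -429,19 +453,23 @@ end
 roles = MU::Cloud::AWS::Role.find(credentials: credentials).values
 roles.each { |r|
 next if !r.respond_to?(:role_name)
-if r.path.match(/^\/#{Regexp.quote(
+if r.path.match(/^\/#{Regexp.quote(deploy_id)}/)
 deleteme << r
 next
 end
 # For some dumb reason, the list output that .find gets doesn't
 # include the tags, so we need to fetch each role individually to
 # check tags. Hardly seems efficient.
-desc =
+desc = begin
+MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+rescue Aws::IAM::Errors::NoSuchEntity
+next
+end
 if desc.role and desc.role.tags and desc.role.tags
 master_match = false
 deploy_match = false
 desc.role.tags.each { |t|
-if t.key == "MU-ID" and t.value ==
+if t.key == "MU-ID" and t.value == deploy_id
 deploy_match = true
 elsif t.key == "MU-MASTER-IP" and t.value == MU.mu_public_ip
 master_match = true
@@ -508,7 +536,7 @@ end
 
 begin
 # managed policies get fetched by ARN, roles by plain name. Ok!
-if args[:cloud_id].match(/^arn
+if args[:cloud_id].match(/^arn:.*?:policy\//)
 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_policy(
 policy_arn: args[:cloud_id]
 )
@@ -517,39 +545,26 @@ end
 end
 else
 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_role(
-role_name: args[:cloud_id]
+role_name: args[:cloud_id].sub(/^arn:.*?\/([^:\/]+)$/, '\1') # XXX if it's an ARN, actually parse it and look in the correct account when applicable
 )
+
 if resp and resp.role
-found[
+found[resp.role.role_name] = resp.role
 end
 end
 rescue ::Aws::IAM::Errors::NoSuchEntity
 end
-
+
 else
-
-
-
-
-)
-break if !resp or !resp.roles
-resp.roles.each { |role|
-found[role.role_name] = role
-}
-marker = resp.marker
-end while marker
+resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles
+resp.roles.each { |role|
+found[role.role_name] = role
+}
 
-
-
-
-
-)
-break if !resp or !resp.policies
-resp.policies.each { |pol|
-found[pol.arn] = pol
-}
-marker = resp.marker
-end while marker
+resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(scope: "Local")
+resp.policies.each { |pol|
+found[pol.arn] = pol
+}
 end
 
 found
@@ -607,14 +622,13 @@ end
 )
 JSON.parse(URI.decode(version.policy_version.document))
 end
-
 bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
 end
 }
 
 return bok if @config['bare_policies']
 end
-
+
 if desc.tags and desc.tags.size > 0
 bok["tags"] = MU.structToHash(desc.tags, stringify_keys: true)
 end
@@ -687,6 +701,7 @@ end
 end
 
 bok["attachable_policies"].uniq! if bok["attachable_policies"]
+bok["name"].gsub!(/[^a-zA-Z0-9_\-]/, "_")
 
 bok
 end
@@ -699,6 +714,10 @@ end
 def self.doc2MuPolicies(basename, doc, policies = [])
 policies ||= []
 
+if !doc["Statement"].is_a?(Array)
+doc["Statement"] = [doc["Statement"]]
+end
+
 doc["Statement"].each { |s|
 if !s["Action"]
 MU.log "Statement in policy document for #{basename} didn't have an Action field", MU::WARN, details: doc
@@ -796,6 +815,19 @@ end
 }
 end
 
+if @config['raw_policies']
+raw_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+@config['raw_policies'],
+basename: @deploy.getResourceName(@config['name']),
+credentials: @credentials
+)
+raw_arns.each { |p_arn|
+mypolicies << MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy(
+policy_arn: p_arn
+).policy
+}
+end
+
 mypolicies.each { |p|
 if entitytype == "user"
 resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_user_policies(
@@ -838,6 +870,7 @@ end
 else
 raise MuError, "Invalid entitytype '#{entitytype}' passed to MU::Cloud::AWS::Role.bindTo. Must be be one of: user, group, role, instance_profile"
 end
+cloud_desc(use_cache: false)
 end
 
 # Create an instance profile for EC2 instances, named identically and
@@ -916,7 +949,7 @@ end
 toplevel_required = []
 aws_resource_types = MU::Cloud.resource_types.keys.reject { |t|
 begin
-MU::Cloud.
+MU::Cloud.resourceClass("AWS", t)
 false
 rescue MuCloudResourceNotImplemented
 true
@@ -1078,11 +1111,7 @@ end
 role['policies'].each { |policy|
 policy['targets'].each { |target|
 if target['type']
-role['
-role['dependencies'] << {
-"name" => target['identifier'],
-"type" => target['type']
-}
+MU::Config.addDependency(role, target['identifier'], target['type'], no_create_wait: true)
 end
 }
 }
@@ -1098,13 +1127,14 @@ end
 # @param policies [Array<Hash>]: One or more policy chunks
 # @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
 # @return [Array<Hash>]
-def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false)
+def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil)
 if policies
 name = nil
 doc = {
-"Version" =>
+"Version" => version,
 "Statement" => []
 }
+doc["Id"] = doc_id if doc_id
 policies.each { |policy|
 policy["flag"] ||= "Allow"
 statement = {
@@ -1145,7 +1175,14 @@ end
 raise MuError, "Couldn't find a #{grantee["type"]} named #{grantee["identifier"]} when generating IAM policy"
 end
 else
-bucket_prefix = grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/)
+bucket_prefix = if grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/)
+"Service"
+elsif grantee["identifier"] =~ /^[a-f0-9]+$/
+"CanonicalUser"
+else
+"AWS"
+end
+
 if bucket_style
 statement["Principal"] << { bucket_prefix => grantee["identifier"] }
 else
@@ -1177,7 +1214,7 @@ end
 statement["Resource"] << id+"/*"
 end
 else
-raise MuError, "Couldn't find a #{target["
+raise MuError, "Couldn't find a #{target["type"]} named #{target["identifier"]} when generating IAM policy"
 end
 else
 target["identifier"] += target["path"] if target["path"]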
@@ -22,9 +22,9 @@ module MU
|
|
22
22
|
# @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
|
23
23
|
def initialize(**args)
|
24
24
|
super
|
25
|
-
if @
|
26
|
-
|
27
|
-
|
25
|
+
describe if @mu_name and !@deploydata
|
26
|
+
@cloud_id ||= @deploydata['domain_name'] if @deploydata
|
27
|
+
|
28
28
|
@mu_name ||= @deploy.getResourceName(@config["name"])
|
29
29
|
end
|
30
30
|
|
@@ -35,7 +35,8 @@ module MU
|
|
35
35
|
params = genParams
|
36
36
|
|
37
37
|
MU.log "Creating ElasticSearch domain #{@config['domain_name']}", details: params
|
38
|
-
|
38
|
+
@cloud_id = @config['domain_name']
|
39
|
+
MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).create_elasticsearch_domain(params).domain_status
|
39
40
|
|
40
41
|
tagDomain
|
41
42
|
|
@@ -44,17 +45,18 @@ module MU
|
|
44
45
|
# Called automatically by {MU::Deploy#createResources}
|
45
46
|
def groom
|
46
47
|
tagDomain
|
47
|
-
@config['domain_name'] ||= @
|
48
|
+
@config['domain_name'] ||= @cloud_id
|
48
49
|
params = genParams(cloud_desc) # get parameters that would change only
|
49
50
|
|
50
51
|
if params.size > 1
|
51
52
|
waitWhileProcessing # wait until the create finishes, if still going
|
52
53
|
|
53
54
|
MU.log "Updating ElasticSearch domain #{@config['domain_name']}", MU::NOTICE, details: params
|
54
|
-
MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @
|
55
|
+
MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).update_elasticsearch_domain_config(params)
|
55
56
|
end
|
56
57
|
|
57
58
|
waitWhileProcessing # don't return until creation/updating is complete
|
59
|
+
MU.log "Search Domain #{@config['name']}: #{cloud_desc.endpoint}", MU::SUMMARY
|
58
60
|
end
|
59
61
|
|
60
62
|
@cloud_desc_cache = nil
|
@@ -63,31 +65,30 @@ module MU
|
|
63
65
|
# our druthers.
|
64
66
|
def cloud_desc(use_cache: true)
|
65
67
|
return @cloud_desc_cache if @cloud_desc_cache and use_cache
|
66
|
-
@
|
67
|
-
|
68
|
-
|
68
|
+
@cloud_id ||= @config['domain_name']
|
69
|
+
return nil if !@cloud_id
|
70
|
+
MU.retrier([::Aws::ElasticsearchService::Errors::ResourceNotFoundException], wait: 10, max: 12) {
|
71
|
+
@cloud_desc_cache = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).describe_elasticsearch_domain(
|
72
|
+
domain_name: @cloud_id
|
69
73
|
).domain_status
|
70
|
-
|
71
|
-
|
72
|
-
domain_name: @deploydata['domain_name']
|
73
|
-
).domain_status
|
74
|
-
else
|
75
|
-
raise MuError, "#{@mu_name} can't find its official Elasticsearch domain name!"
|
76
|
-
end
|
74
|
+
}
|
75
|
+
|
77
76
|
@cloud_desc_cache
|
78
77
|
end
|
79
78
|
|
80
79
|
# Canonical Amazon Resource Number for this resource
|
81
80
|
# @return [String]
|
82
81
|
def arn
|
83
|
-
cloud_desc
|
82
|
+
return nil if !cloud_desc
|
83
|
+
cloud_desc.arn.dup
|
84
84
|
end
|
85
85
|
|
86
86
|
# Return the metadata for this SearchDomain rule
|
87
87
|
# @return [Hash]
|
88
88
|
def notify
|
89
|
-
|
90
|
-
|
89
|
+
return nil if !cloud_desc(use_cache: false)
|
90
|
+
deploy_struct = MU.structToHash(cloud_desc, stringify_keys: true)
|
91
|
+
tags = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).list_tags(arn: arn).tag_list
|
91
92
|
deploy_struct['tags'] = tags.map { |t| { t.key => t.value } }
|
92
93
|
if deploy_struct['endpoint']
|
93
94
|
deploy_struct['kibana'] = deploy_struct['endpoint']+"/_plugin/kibana/"
|
@@ -119,7 +120,7 @@ module MU
|
|
119
120
|
# @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
|
120
121
|
# @param region [String]: The cloud provider region
|
121
122
|
# @return [void]
|
122
|
-
def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
|
123
|
+
def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
|
123
124
|
MU.log "AWS::SearchDomain.cleanup: need to support flags['known']", MU::DEBUG, details: flags
|
124
125
|
|
125
126
|
list = MU::Cloud::AWS.elasticsearch(region: region, credentials: credentials).list_domain_names
|
@@ -135,7 +136,7 @@ module MU
|
|
135
136
|
deploy_match = false
|
136
137
|
master_match = false
|
137
138
|
tags.tag_list.each { |tag|
|
138
|
-
if tag.key == "MU-ID" and tag.value ==
|
139
|
+
if tag.key == "MU-ID" and tag.value == deploy_id
|
139
140
|
deploy_match = true
|
140
141
|
elsif tag.key == "MU-MASTER-IP" and tag.value == MU.mu_public_ip
|
141
142
|
master_match = true
|
@@ -156,8 +157,8 @@ module MU
|
|
156
157
|
begin
|
157
158
|
resp = MU::Cloud::AWS.iam(credentials: credentials).list_roles(marker: marker)
|
158
159
|
resp.roles.each{ |role|
|
159
|
-
# XXX Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud
|
160
|
-
# MU::Cloud
|
160
|
+
# XXX Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud.resourceClass("AWS", "Server").
|
161
|
+
# MU::Cloud.resourceClass("AWS", "Server").removeIAMProfile(role.role_name) if role.role_name.match(/^#{Regexp.quote(deploy_id)}/)
|
161
162
|
}
|
162
163
|
marker = resp.marker
|
163
164
|
end while resp.is_truncated
|
@@ -191,6 +192,96 @@ module MU
|
|
191
192
|
found
|
192
193
|
end
|
193
194
|
|
195
|
+
# Reverse-map our cloud description into a runnable config hash.
|
196
|
+
# We assume that any values we have in +@config+ are placeholders, and
|
197
|
+
# calculate our own accordingly based on what's live in the cloud.
|
198
|
+
def toKitten(**_args)
|
199
|
+
bok = {
|
200
|
+
"cloud" => "AWS",
|
201
|
+
"credentials" => @credentials,
|
202
|
+
"cloud_id" => @cloud_id,
|
203
|
+
"region" => @config['region']
|
204
|
+
}
|
205
|
+
|
206
|
+
if !cloud_desc
|
207
|
+
MU.log "toKitten failed to load a cloud_desc from #{@cloud_id}", MU::ERR, details: @config
|
208
|
+
return nil
|
209
|
+
end
|
210
|
+
|
211
|
+
bok['name'] = cloud_desc.domain_name
|
212
|
+
bok['elasticsearch_version'] = cloud_desc.elasticsearch_version
|
213
|
+
bok['instance_count'] = cloud_desc.elasticsearch_cluster_config.instance_count
|
214
|
+
bok['instance_type'] = cloud_desc.elasticsearch_cluster_config.instance_type
|
215
|
+
bok['zone_aware'] = cloud_desc.elasticsearch_cluster_config.zone_awareness_enabled
|
216
|
+
|
217
|
+
if cloud_desc.elasticsearch_cluster_config.dedicated_master_enabled
|
218
|
+
bok['dedicated_masters'] = cloud_desc.elasticsearch_cluster_config.dedicated_master_count
|
219
|
+
bok['master_instance_type'] = cloud_desc.elasticsearch_cluster_config.dedicated_master_type
|
220
|
+
end
|
221
|
+
|
222
|
+
if cloud_desc.access_policies and !cloud_desc.access_policies.empty?
|
223
|
+
bok['access_policies'] = JSON.parse(cloud_desc.access_policies)
|
224
|
+
end
|
225
|
+
|
226
|
+
if cloud_desc.advanced_options and !cloud_desc.advanced_options.empty?
|
227
|
+
bok['advanced_options'] = cloud_desc.advanced_options
|
228
|
+
end
|
229
|
+
|
230
|
+
bok['ebs_size'] = cloud_desc.ebs_options.volume_size
|
231
|
+
bok['ebs_type'] = cloud_desc.ebs_options.volume_type
|
232
|
+
bok['ebs_iops'] = cloud_desc.ebs_options.iops if cloud_desc.ebs_options.iops
|
233
|
+
|
234
|
+
if cloud_desc.snapshot_options and cloud_desc.snapshot_options.automated_snapshot_start_hour
|
235
|
+
bok['snapshot_hour'] = cloud_desc.snapshot_options.automated_snapshot_start_hour
|
236
|
+
end
|
237
|
+
|
238
|
+
if cloud_desc.cognito_options.user_pool_id and
|
239
|
+
cloud_desc.cognito_options.identity_pool_id
|
240
|
+
bok['user_pool_id'] = cloud_desc.cognito_options.user_pool_id
|
241
|
+
bok['identity_pool_id'] = cloud_desc.cognito_options.identity_pool_id
|
242
|
+
end
|
243
|
+
|
244
|
+
tags = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).list_tags(arn: cloud_desc.arn).tag_list
|
245
|
+
if tags and !tags.empty?
|
246
|
+
bok['tags'] = MU.structToHash(tags)
|
247
|
+
end
|
248
|
+
|
249
|
+
if cloud_desc.vpc_options
|
250
|
+
bok['vpc'] = MU::Config::Ref.get(
|
251
|
+
id: cloud_desc.vpc_options.vpc_id,
|
252
|
+
cloud: "AWS",
|
253
|
+
credentials: @credentials,
|
254
|
+
type: "vpcs",
|
255
|
+
region: @config['region'],
|
256
|
+
subnets: cloud_desc.vpc_options.subnet_ids.map { |s| { "subnet_id" => s } }
|
257
|
+
)
|
258
|
+
if cloud_desc.vpc_options.security_group_ids and
|
259
|
+
!cloud_desc.vpc_options.security_group_ids.empty?
|
260
|
+
bok['add_firewall_rules'] = cloud_desc.vpc_options.security_group_ids.map { |sg|
|
261
|
+
MU::Config::Ref.get(
|
262
|
+
id: sg,
|
263
|
+
cloud: "AWS",
|
264
|
+
credentials: @credentials,
|
265
|
+
region: @config['region'],
|
266
|
+
type: "firewall_rules",
|
267
|
+
)
|
268
|
+
}
|
269
|
+
end
|
270
|
+
end
|
271
|
+
|
272
|
+
if cloud_desc.log_publishing_options
|
273
|
+
# XXX this is primitive... there are multiple other log types now,
|
274
|
+
# and this should be a Ref blob, not a flat string
|
275
|
+
cloud_desc.log_publishing_options.each_pair { |type, whither|
|
276
|
+
if type == "SEARCH_SLOW_LOGS"
|
277
|
+
bok['slow_logs'] = whither.cloud_watch_logs_log_group_arn
|
278
|
+
end
|
279
|
+
}
|
280
|
+
end
|
281
|
+
|
282
|
+
bok
|
283
|
+
end
|
284
|
+
|
194
285
|
# Cloud-specific configuration properties.
|
195
286
|
# @param _config [MU::Config]: The calling MU::Config object
|
196
287
|
# @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
|
@@ -200,7 +291,7 @@ module MU
|
|
200
291
|
versions = begin
|
201
292
|
MU::Cloud::AWS.elasticsearch.list_elasticsearch_versions.elasticsearch_versions
|
202
293
|
rescue MuError
|
203
|
-
["7.1", "6.8", "6.7", "6.5", "6.4", "6.3", "6.2", "6.0", "5.6"]
|
294
|
+
["7.4", "7.1", "6.8", "6.7", "6.5", "6.4", "6.3", "6.2", "6.0", "5.6"]
|
204
295
|
end
|
205
296
|
instance_types = begin
|
206
297
|
MU::Cloud::AWS.elasticsearch.list_elasticsearch_instance_types(
|
@@ -215,6 +306,8 @@ module MU
|
|
215
306
|
).elasticsearch_instance_types
|
216
307
|
end
|
217
308
|
|
309
|
+
polschema = MU::Config::Role.schema["properties"]["policies"]
|
310
|
+
polschema.deep_merge!(MU::Cloud.resourceClass("AWS", "Role").condition_schema)
|
218
311
|
|
219
312
|
schema = {
|
220
313
|
"name" => {
|
@@ -236,9 +329,10 @@ module MU
|
|
236
329
|
"default" => 0,
|
237
330
|
"description" => "Separate, dedicated master node(s), over and above the search instances specified in instance_count."
|
238
331
|
},
|
332
|
+
"policies" => polschema,
|
239
333
|
"access_policies" => {
|
240
334
|
"type" => "object",
|
241
|
-
"description" => "An IAM policy document for access to ElasticSearch. Our parser expects this to be defined inline like the rest of your YAML/JSON Basket of Kittens, not as raw JSON. For guidance on ElasticSearch IAM capabilities, see: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html"
|
335
|
+
"description" => "An IAM policy document for access to ElasticSearch (see {policies} for setting complex access policies with runtime dependencies). Our parser expects this to be defined inline like the rest of your YAML/JSON Basket of Kittens, not as raw JSON. For guidance on ElasticSearch IAM capabilities, see: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html"
|
242
336
|
},
|
243
337
|
"master_instance_type" => {
|
244
338
|
"type" => "string",
|
@@ -246,7 +340,7 @@ module MU
|
|
246
340
|
},
|
247
341
|
"ebs_type" => {
|
248
342
|
"type" => "string",
|
249
|
-
"default" => "
|
343
|
+
"default" => "gp2",
|
250
344
|
"description" => "Type of EBS storage to use for cluster nodes. If 'none' is specified, EBS storage will not be used, but this is only valid for certain instance types.",
|
251
345
|
"enum" => ["standard", "gp2", "io1", "none"]
|
252
346
|
},
|
@@ -378,9 +472,9 @@ module MU
|
|
378
472
|
|
379
473
|
if dom['slow_logs']
|
380
474
|
if configurator.haveLitterMate?(dom['slow_logs'], "log")
|
381
|
-
dom
|
475
|
+
MU::Config.addDependency(dom, dom['slow_logs'], "log")
|
382
476
|
else
|
383
|
-
log_group = MU::Cloud
|
477
|
+
log_group = MU::Cloud.resourceClass("AWS", "Log").find(cloud_id: dom['slow_logs'], region: dom['region']).values.first
|
384
478
|
if !log_group
|
385
479
|
MU.log "Specified slow_logs CloudWatch log group '#{dom['slow_logs']}' in SearchDomain '#{dom['name']}' doesn't appear to exist", MU::ERR
|
386
480
|
ok = false
|
@@ -395,7 +489,7 @@ module MU
|
|
395
489
|
"credentials" => dom['credentials']
|
396
490
|
}
|
397
491
|
ok = false if !configurator.insertKitten(log_group, "logs")
|
398
|
-
dom
|
492
|
+
MU::Config.addDependency(dom, dom['slow_logs'], "log")
|
399
493
|
end
|
400
494
|
|
401
495
|
if dom['advanced_options']
|
@@ -456,12 +550,7 @@ module MU
|
|
456
550
|
]
|
457
551
|
}
|
458
552
|
configurator.insertKitten(roledesc, "roles")
|
459
|
-
|
460
|
-
dom['dependencies'] ||= []
|
461
|
-
dom['dependencies'] << {
|
462
|
-
"type" => "role",
|
463
|
-
"name" => dom['name']+"cognitorole"
|
464
|
-
}
|
553
|
+
MU::Config.addDependency(dom, dom['name']+"cognitorole", "role")
|
465
554
|
end
|
466
555
|
|
467
556
|
end
|
@@ -514,9 +603,51 @@ module MU
|
|
514
603
|
params[:snapshot_options][:automated_snapshot_start_hour] = @config['snapshot_hour']
|
515
604
|
end
|
516
605
|
|
517
|
-
if
|
518
|
-
#
|
519
|
-
|
606
|
+
if ext
|
607
|
+
# Despite being called access_policies, this parameter actually
|
608
|
+
# only accepts one policy. So, we'll munge everything we have
|
609
|
+
# together into one policy with multiple Statements.
|
610
|
+
policy = nil
|
611
|
+
# TODO check against ext.access_policy.options
|
612
|
+
|
613
|
+
if @config['access_policies']
|
614
|
+
policy = @config['access_policies']
|
615
|
+
# ensure the "Statement" key is cased in a predictable way
|
616
|
+
statement_key = nil
|
617
|
+
policy.each_pair { |k, v|
|
618
|
+
if k.downcase == "statement" and k != "Statement"
|
619
|
+
statement_key = k
|
620
|
+
break
|
621
|
+
end
|
622
|
+
}
|
623
|
+
if statement_key
|
624
|
+
policy["Statement"] = policy.delete(statement_key)
|
625
|
+
end
|
626
|
+
if !policy["Statement"].is_a?(Array)
|
627
|
+
policy["Statement"] = [policy["Statement"]]
|
628
|
+
end
|
629
|
+
end
|
630
|
+
|
631
|
+
if @config['policies']
|
632
|
+
@config['policies'].each { |p|
|
633
|
+
p['targets'].each { |t|
|
634
|
+
if t['path']
|
635
|
+
t['path'].gsub!(/#SELF/, @mu_name.downcase)
|
636
|
+
end
|
637
|
+
}
|
638
|
+
parsed = MU::Cloud.resourceClass("AWS", "Role").genPolicyDocument([p], deploy_obj: @deploy, bucket_style: true).first.values.first
|
639
|
+
|
640
|
+
if policy and policy["Statement"]
|
641
|
+
policy["Statement"].concat(parsed["Statement"])
|
642
|
+
else
|
643
|
+
policy = parsed
|
644
|
+
end
|
645
|
+
}
|
646
|
+
end
|
647
|
+
|
648
|
+
if policy
|
649
|
+
params[:access_policies] = JSON.generate(policy)
|
650
|
+
end
|
520
651
|
end
|
521
652
|
|
522
653
|
if @config['slow_logs']
|
@@ -525,7 +656,7 @@ module MU
|
|
525
656
|
arn = @config['slow_logs']
|
526
657
|
else
|
527
658
|
log_group = @deploy.findLitterMate(type: "log", name: @config['slow_logs'])
|
528
|
-
log_group = MU::Cloud
|
659
|
+
log_group = MU::Cloud.resourceClass("AWS", "Log").find(cloud_id: log_group.mu_name, region: log_group.cloudobj.config['region']).values.first
|
529
660
|
if log_group.nil? or log_group.arn.nil?
|
530
661
|
raise MuError, "Failed to retrieve ARN of sibling LogGroup '#{@config['slow_logs']}'"
|
531
662
|
end
|
@@ -552,7 +683,7 @@ module MU
|
|
552
683
|
params[:log_publishing_options]["SEARCH_SLOW_LOGS"] = {}
|
553
684
|
params[:log_publishing_options]["SEARCH_SLOW_LOGS"][:enabled] = true
|
554
685
|
params[:log_publishing_options]["SEARCH_SLOW_LOGS"][:cloud_watch_logs_log_group_arn] = arn
|
555
|
-
MU::Cloud
|
686
|
+
MU::Cloud.resourceClass("AWS", "Log").allowService("es.amazonaws.com", arn, @config['region'])
|
556
687
|
end
|
557
688
|
end
|
558
689
|
|
@@ -682,7 +813,7 @@ module MU
|
|
682
813
|
raise MU::MuError, "Can't tag ElasticSearch domain, cloud descriptor came back without an ARN"
|
683
814
|
end
|
684
815
|
|
685
|
-
MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @
|
816
|
+
MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).add_tags(
|
686
817
|
arn: domain.arn,
|
687
818
|
tag_list: tags
|
688
819
|
)
|
@@ -693,7 +824,7 @@ module MU
|
|
693
824
|
interval = 60
|
694
825
|
|
695
826
|
begin
|
696
|
-
resp = cloud_desc
|
827
|
+
resp = cloud_desc(use_cache: false)
|
697
828
|
|
698
829
|
if (resp.endpoint.nil? or resp.endpoint.empty?) and
|
699
830
|
(resp.endpoints.nil? or resp.endpoints.empty?) and
|