cloud-mu 3.1.6 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/bin/mu-adopt +4 -12
- data/bin/mu-azure-tests +57 -0
- data/bin/mu-cleanup +2 -4
- data/bin/mu-configure +37 -1
- data/bin/mu-deploy +3 -3
- data/bin/mu-findstray-tests +25 -0
- data/bin/mu-gen-docs +2 -4
- data/bin/mu-run-tests +23 -10
- data/cloud-mu.gemspec +2 -2
- data/cookbooks/mu-tools/libraries/helper.rb +1 -1
- data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
- data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
- data/extras/generate-stock-images +1 -0
- data/modules/mu.rb +82 -95
- data/modules/mu/adoption.rb +356 -56
- data/modules/mu/cleanup.rb +21 -20
- data/modules/mu/cloud.rb +79 -1753
- data/modules/mu/cloud/database.rb +49 -0
- data/modules/mu/cloud/dnszone.rb +46 -0
- data/modules/mu/cloud/machine_images.rb +212 -0
- data/modules/mu/cloud/providers.rb +81 -0
- data/modules/mu/cloud/resource_base.rb +920 -0
- data/modules/mu/cloud/server.rb +40 -0
- data/modules/mu/cloud/server_pool.rb +1 -0
- data/modules/mu/cloud/ssh_sessions.rb +228 -0
- data/modules/mu/cloud/winrm_sessions.rb +237 -0
- data/modules/mu/cloud/wrappers.rb +165 -0
- data/modules/mu/config.rb +122 -80
- data/modules/mu/config/alarm.rb +2 -6
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/cache_cluster.rb +1 -1
- data/modules/mu/config/collection.rb +1 -1
- data/modules/mu/config/container_cluster.rb +2 -2
- data/modules/mu/config/database.rb +83 -104
- data/modules/mu/config/database.yml +1 -2
- data/modules/mu/config/dnszone.rb +1 -1
- data/modules/mu/config/doc_helpers.rb +4 -5
- data/modules/mu/config/endpoint.rb +1 -1
- data/modules/mu/config/firewall_rule.rb +3 -19
- data/modules/mu/config/folder.rb +1 -1
- data/modules/mu/config/function.rb +1 -1
- data/modules/mu/config/group.rb +1 -1
- data/modules/mu/config/habitat.rb +1 -1
- data/modules/mu/config/loadbalancer.rb +57 -11
- data/modules/mu/config/log.rb +1 -1
- data/modules/mu/config/msg_queue.rb +1 -1
- data/modules/mu/config/nosqldb.rb +1 -1
- data/modules/mu/config/notifier.rb +1 -1
- data/modules/mu/config/ref.rb +30 -4
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +30 -34
- data/modules/mu/config/search_domain.rb +1 -1
- data/modules/mu/config/server.rb +4 -12
- data/modules/mu/config/server_pool.rb +3 -7
- data/modules/mu/config/storage_pool.rb +1 -1
- data/modules/mu/config/tail.rb +10 -0
- data/modules/mu/config/user.rb +1 -1
- data/modules/mu/config/vpc.rb +12 -17
- data/modules/mu/defaults/AWS.yaml +32 -32
- data/modules/mu/defaults/Azure.yaml +1 -0
- data/modules/mu/defaults/Google.yaml +1 -0
- data/modules/mu/deploy.rb +16 -15
- data/modules/mu/groomer.rb +15 -0
- data/modules/mu/groomers/chef.rb +3 -0
- data/modules/mu/logger.rb +120 -144
- data/modules/mu/master.rb +1 -1
- data/modules/mu/mommacat.rb +54 -25
- data/modules/mu/mommacat/daemon.rb +10 -7
- data/modules/mu/mommacat/naming.rb +82 -3
- data/modules/mu/mommacat/search.rb +47 -15
- data/modules/mu/mommacat/storage.rb +72 -41
- data/modules/mu/{clouds → providers}/README.md +1 -1
- data/modules/mu/{clouds → providers}/aws.rb +114 -47
- data/modules/mu/{clouds → providers}/aws/alarm.rb +1 -1
- data/modules/mu/{clouds → providers}/aws/bucket.rb +2 -2
- data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +10 -46
- data/modules/mu/{clouds → providers}/aws/collection.rb +3 -3
- data/modules/mu/{clouds → providers}/aws/container_cluster.rb +15 -33
- data/modules/mu/providers/aws/database.rb +1744 -0
- data/modules/mu/{clouds → providers}/aws/dnszone.rb +2 -5
- data/modules/mu/{clouds → providers}/aws/endpoint.rb +2 -11
- data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +33 -29
- data/modules/mu/{clouds → providers}/aws/folder.rb +0 -0
- data/modules/mu/{clouds → providers}/aws/function.rb +2 -10
- data/modules/mu/{clouds → providers}/aws/group.rb +9 -13
- data/modules/mu/{clouds → providers}/aws/habitat.rb +1 -1
- data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +41 -33
- data/modules/mu/{clouds → providers}/aws/log.rb +2 -2
- data/modules/mu/{clouds → providers}/aws/msg_queue.rb +2 -8
- data/modules/mu/{clouds → providers}/aws/nosqldb.rb +0 -0
- data/modules/mu/{clouds → providers}/aws/notifier.rb +0 -0
- data/modules/mu/{clouds → providers}/aws/role.rb +7 -7
- data/modules/mu/{clouds → providers}/aws/search_domain.rb +8 -13
- data/modules/mu/{clouds → providers}/aws/server.rb +55 -90
- data/modules/mu/{clouds → providers}/aws/server_pool.rb +10 -33
- data/modules/mu/{clouds → providers}/aws/storage_pool.rb +19 -36
- data/modules/mu/{clouds → providers}/aws/user.rb +8 -12
- data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/aws/vpc.rb +135 -70
- data/modules/mu/{clouds → providers}/aws/vpc_subnet.rb +0 -0
- data/modules/mu/{clouds → providers}/azure.rb +4 -1
- data/modules/mu/{clouds → providers}/azure/container_cluster.rb +1 -5
- data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +8 -1
- data/modules/mu/{clouds → providers}/azure/habitat.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/role.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/server.rb +30 -23
- data/modules/mu/{clouds → providers}/azure/user.rb +1 -1
- data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/azure/vpc.rb +4 -6
- data/modules/mu/{clouds → providers}/cloudformation.rb +1 -1
- data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
- data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
- data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
- data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +3 -3
- data/modules/mu/{clouds → providers}/docker.rb +0 -0
- data/modules/mu/{clouds → providers}/google.rb +14 -6
- data/modules/mu/{clouds → providers}/google/bucket.rb +1 -1
- data/modules/mu/{clouds → providers}/google/container_cluster.rb +28 -13
- data/modules/mu/{clouds → providers}/google/database.rb +1 -8
- data/modules/mu/{clouds → providers}/google/firewall_rule.rb +2 -2
- data/modules/mu/{clouds → providers}/google/folder.rb +4 -8
- data/modules/mu/{clouds → providers}/google/function.rb +3 -3
- data/modules/mu/{clouds → providers}/google/group.rb +8 -16
- data/modules/mu/{clouds → providers}/google/habitat.rb +3 -7
- data/modules/mu/{clouds → providers}/google/loadbalancer.rb +1 -1
- data/modules/mu/{clouds → providers}/google/role.rb +42 -34
- data/modules/mu/{clouds → providers}/google/server.rb +25 -10
- data/modules/mu/{clouds → providers}/google/server_pool.rb +10 -10
- data/modules/mu/{clouds → providers}/google/user.rb +31 -21
- data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/google/vpc.rb +37 -2
- data/modules/tests/centos6.yaml +11 -0
- data/modules/tests/centos7.yaml +11 -0
- data/modules/tests/centos8.yaml +12 -0
- data/modules/tests/rds.yaml +108 -0
- data/modules/tests/regrooms/rds.yaml +123 -0
- data/spec/mu/clouds/azure_spec.rb +2 -2
- metadata +108 -89
- data/modules/mu/clouds/aws/database.rb +0 -1974
|
@@ -345,7 +345,7 @@ module MU
|
|
|
345
345
|
rescue Aws::Route53::Errors::LastVPCAssociation => e
|
|
346
346
|
MU.log e.inspect, MU::WARN
|
|
347
347
|
rescue Aws::Route53::Errors::VPCAssociationNotFound
|
|
348
|
-
MU.log "VPC #{vpc_id} access to zone #{id} already revoked", MU::
|
|
348
|
+
MU.log "VPC #{vpc_id} access to zone #{id} already revoked", MU::NOTICE
|
|
349
349
|
end
|
|
350
350
|
end
|
|
351
351
|
end
|
|
@@ -825,10 +825,7 @@ module MU
|
|
|
825
825
|
end
|
|
826
826
|
|
|
827
827
|
if !record['mu_type'].nil?
|
|
828
|
-
zone[
|
|
829
|
-
"type" => record['mu_type'],
|
|
830
|
-
"name" => record['target']
|
|
831
|
-
}
|
|
828
|
+
MU::Config.addDependency(zone, record['target'], record['mu_type'])
|
|
832
829
|
end
|
|
833
830
|
|
|
834
831
|
if record.has_key?('healthchecks') && !record['healthchecks'].empty?
|
|
@@ -472,11 +472,7 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
|
|
|
472
472
|
endpoint['methods'].each { |m|
|
|
473
473
|
if m['integrate_with'] and m['integrate_with']['name']
|
|
474
474
|
if m['integrate_with']['type'] != "aws_generic"
|
|
475
|
-
endpoint['
|
|
476
|
-
endpoint['dependencies'] << {
|
|
477
|
-
"type" => m['integrate_with']['type'],
|
|
478
|
-
"name" => m['integrate_with']['name']
|
|
479
|
-
}
|
|
475
|
+
MU::Config.addDependency(endpoint, m['integrate_with']['name'], m['integrate_with']['type'])
|
|
480
476
|
end
|
|
481
477
|
|
|
482
478
|
m['integrate_with']['backend_http_method'] ||= m['type']
|
|
@@ -525,13 +521,8 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
|
|
|
525
521
|
end
|
|
526
522
|
configurator.insertKitten(roledesc, "roles")
|
|
527
523
|
|
|
528
|
-
endpoint['dependencies'] ||= []
|
|
529
524
|
m['iam_role'] = endpoint['name']+"-"+m['integrate_with']['name']
|
|
530
|
-
|
|
531
|
-
endpoint['dependencies'] << {
|
|
532
|
-
"type" => "role",
|
|
533
|
-
"name" => endpoint['name']+"-"+m['integrate_with']['name']
|
|
534
|
-
}
|
|
525
|
+
MU::Config.addDependency(endpoint, m['iam_role'], "role")
|
|
535
526
|
end
|
|
536
527
|
end
|
|
537
528
|
}
|
|
@@ -18,7 +18,7 @@ module MU
|
|
|
18
18
|
class AWS
|
|
19
19
|
# A firewall ruleset as configured in {MU::Config::BasketofKittens::firewall_rules}
|
|
20
20
|
class FirewallRule < MU::Cloud::FirewallRule
|
|
21
|
-
require "mu/
|
|
21
|
+
require "mu/providers/aws/vpc"
|
|
22
22
|
|
|
23
23
|
@admin_sgs = Hash.new
|
|
24
24
|
@admin_sg_semaphore = Mutex.new
|
|
@@ -398,7 +398,7 @@ module MU
|
|
|
398
398
|
|
|
399
399
|
# Some services create sneaky rogue ENIs which then block removal of
|
|
400
400
|
# associated security groups. Find them and fry them.
|
|
401
|
-
MU::Cloud
|
|
401
|
+
MU::Cloud.resourceClass("AWS", "VPC").purge_interfaces(noop, filters, region: region, credentials: credentials)
|
|
402
402
|
|
|
403
403
|
resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_security_groups(
|
|
404
404
|
filters: filters
|
|
@@ -421,7 +421,7 @@ module MU
|
|
|
421
421
|
# try to get out from under loose network interfaces with which
|
|
422
422
|
# we're associated
|
|
423
423
|
if sg.vpc_id
|
|
424
|
-
default_sg = MU::Cloud
|
|
424
|
+
default_sg = MU::Cloud.resourceClass("AWS", "VPC").getDefaultSg(sg.vpc_id, region: region, credentials: credentials)
|
|
425
425
|
if default_sg
|
|
426
426
|
eni_resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_network_interfaces(
|
|
427
427
|
filters: [ {name: "group-id", values: [sg.group_id]} ]
|
|
@@ -514,6 +514,31 @@ module MU
|
|
|
514
514
|
end
|
|
515
515
|
private_class_method :revoke_rules
|
|
516
516
|
|
|
517
|
+
# Return an AWS-specific chunk of schema commonly used in the +ingress_rules+ parameter of other resource types.
|
|
518
|
+
# @return [Hash]
|
|
519
|
+
def self.ingressRuleAddtlSchema
|
|
520
|
+
{
|
|
521
|
+
"items" => {
|
|
522
|
+
"properties" => {
|
|
523
|
+
"sgs" => {
|
|
524
|
+
"type" => "array",
|
|
525
|
+
"items" => {
|
|
526
|
+
"description" => "Other AWS Security Groups; resources that are associated with this group will have this rule applied to their traffic",
|
|
527
|
+
"type" => "string"
|
|
528
|
+
}
|
|
529
|
+
},
|
|
530
|
+
"lbs" => {
|
|
531
|
+
"type" => "array",
|
|
532
|
+
"items" => {
|
|
533
|
+
"description" => "AWS Load Balancers which will have this rule applied to their traffic",
|
|
534
|
+
"type" => "string"
|
|
535
|
+
}
|
|
536
|
+
}
|
|
537
|
+
}
|
|
538
|
+
}
|
|
539
|
+
}
|
|
540
|
+
end
|
|
541
|
+
|
|
517
542
|
# Cloud-specific configuration properties.
|
|
518
543
|
# @param _config [MU::Config]: The calling MU::Config object
|
|
519
544
|
# @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
|
|
@@ -623,36 +648,16 @@ module MU
|
|
|
623
648
|
|
|
624
649
|
if rule['firewall_rules']
|
|
625
650
|
rule['firewall_rules'].each { |sg|
|
|
626
|
-
if sg
|
|
627
|
-
|
|
628
|
-
"type" => "firewall_rule",
|
|
629
|
-
"name" => sg.name,
|
|
630
|
-
"no_create_wait" => true
|
|
631
|
-
}
|
|
632
|
-
elsif sg['name'] and !sg['deploy_id']
|
|
633
|
-
acl["dependencies"] << {
|
|
634
|
-
"type" => "firewall_rule",
|
|
635
|
-
"name" => sg['name'],
|
|
636
|
-
"no_create_wait" => true
|
|
637
|
-
}
|
|
651
|
+
if sg['name'] and !sg['deploy_id']
|
|
652
|
+
MU::Config.addDependency(acl, sg['name'], "firewall_rule", no_create_wait: true)
|
|
638
653
|
end
|
|
639
654
|
}
|
|
640
655
|
end
|
|
641
656
|
|
|
642
657
|
if rule['loadbalancers']
|
|
643
658
|
rule['loadbalancers'].each { |lb|
|
|
644
|
-
if lb
|
|
645
|
-
|
|
646
|
-
"type" => "loadbalancer",
|
|
647
|
-
"name" => lb.name,
|
|
648
|
-
"phase" => "groom"
|
|
649
|
-
}
|
|
650
|
-
elsif lb['name'] and !lb['deploy_id']
|
|
651
|
-
acl["dependencies"] << {
|
|
652
|
-
"type" => "loadbalancer",
|
|
653
|
-
"name" => lb['name'],
|
|
654
|
-
"phase" => "groom"
|
|
655
|
-
}
|
|
659
|
+
if lb['name'] and !lb['deploy_id']
|
|
660
|
+
MU::Config.addDependency(acl, lb['name'], "loadbalancer", phase: "groom")
|
|
656
661
|
end
|
|
657
662
|
}
|
|
658
663
|
end
|
|
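Review bot: The rewritten `firewall_rules` loop only handles Hash-shaped entries (`sg['name']`), while the removed branch also accepted an object answering `sg.name`; if such objects can still reach this validation, `sg['name']` raises NoMethodError unless that class implements `[]`, which the hunk cannot show and is worth confirming against the `config/ref.rb` change in the diffstat. The `loadbalancers` loop further down the hunk makes the same assumption with `lb['name']`. If the Hash form is now the only one, a comment above `if sg['name'] and !sg['deploy_id']` such as `# entries are already normalised to Hash form before validation` would make that explicit. The enclosing method starts before this hunk.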
@@ -739,7 +744,6 @@ module MU
|
|
|
739
744
|
# "ingress_rules" structure parsed and validated by MU::Config.
|
|
740
745
|
#########################################################################
|
|
741
746
|
def setRules(rules, add_to_self: false, ingress: true, egress: false)
|
|
742
|
-
describe
|
|
743
747
|
# XXX warn about attempt to set rules before we exist
|
|
744
748
|
return if rules.nil? or rules.size == 0 or !@cloud_id
|
|
745
749
|
|
|
@@ -760,7 +764,7 @@ module MU
|
|
|
760
764
|
ec2_rules = convertToEc2(rules)
|
|
761
765
|
return if ec2_rules.nil?
|
|
762
766
|
|
|
763
|
-
ext_permissions = MU.structToHash(cloud_desc.ip_permissions)
|
|
767
|
+
ext_permissions = MU.structToHash(cloud_desc(use_cache: false).ip_permissions)
|
|
764
768
|
|
|
765
769
|
purge_extraneous_rules(ec2_rules, ext_permissions)
|
|
766
770
|
|
|
File without changes
|
|
@@ -505,11 +505,7 @@ MU.log shortname, MU::NOTICE, details: function.configuration.role
|
|
|
505
505
|
function["add_firewall_rules"] << {"name" => fwname}
|
|
506
506
|
function["permissions"] ||= []
|
|
507
507
|
function["permissions"] << "network"
|
|
508
|
-
function
|
|
509
|
-
function['dependencies'] << {
|
|
510
|
-
"name" => fwname,
|
|
511
|
-
"type" => "firewall_rule"
|
|
512
|
-
}
|
|
508
|
+
MU::Config.addDependency(function, fwname, "firewall_rule")
|
|
513
509
|
end
|
|
514
510
|
|
|
515
511
|
if !function['iam_role']
|
|
@@ -541,13 +537,9 @@ MU.log shortname, MU::NOTICE, details: function.configuration.role
|
|
|
541
537
|
}
|
|
542
538
|
configurator.insertKitten(roledesc, "roles")
|
|
543
539
|
|
|
544
|
-
function['dependencies'] ||= []
|
|
545
540
|
function['iam_role'] = function['name']+"execrole"
|
|
546
541
|
|
|
547
|
-
function['
|
|
548
|
-
"type" => "role",
|
|
549
|
-
"name" => function['name']+"execrole"
|
|
550
|
-
}
|
|
542
|
+
MU::Config.addDependency(function, function['name']+"execrole", "role")
|
|
551
543
|
end
|
|
552
544
|
|
|
553
545
|
ok
|
|
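Review bot: `MU::Config.addDependency(function, function['name']+"execrole", "role")` recomputes the role name that the preceding line just stored in `function['iam_role']`, so the two can drift if either expression is edited later; the endpoint.rb hunk in this same release passes `m['iam_role']` instead. `MU::Config.addDependency(function, function['iam_role'], "role")` keeps the dependency tied to the role actually referenced. The enclosing method starts before this hunk.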
@@ -60,7 +60,7 @@ module MU
|
|
|
60
60
|
userid = user
|
|
61
61
|
userdesc = @deploy.findLitterMate(name: user, type: "users")
|
|
62
62
|
userid = userdesc.cloud_id if userdesc
|
|
63
|
-
found = MU::Cloud
|
|
63
|
+
found = MU::Cloud.resourceClass("AWS", "User").find(cloud_id: userid)
|
|
64
64
|
if found.size == 1
|
|
65
65
|
userdesc = found.values.first
|
|
66
66
|
MU.log "Adding IAM user #{userdesc.path}#{userdesc.user_name} to group #{@mu_name}", MU::NOTICE
|
|
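Review bot: `if found.size == 1` on the line after the new `find(cloud_id: userid)` call assumes a non-nil return, whereas the later hunk at `@@ -378` in this file guards the same call with `if found.nil? or found.empty?`; if `find` can return nil, this branch raises NoMethodError. The contract of `find` is not in view, so this is hedged; `if found && found.size == 1` would make the two call sites consistent either way. The enclosing method starts before this hunk.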
@@ -88,7 +88,7 @@ module MU
|
|
|
88
88
|
# Create these if necessary, then append them to the list of
|
|
89
89
|
# attachable_policies
|
|
90
90
|
if @config['raw_policies']
|
|
91
|
-
pol_arns = MU::Cloud
|
|
91
|
+
pol_arns = MU::Cloud.resourceClass("AWS", "Role").manageRawPolicies(
|
|
92
92
|
@config['raw_policies'],
|
|
93
93
|
basename: @deploy.getResourceName(@config['name']),
|
|
94
94
|
credentials: @credentials
|
|
@@ -114,7 +114,7 @@ module MU
|
|
|
114
114
|
attached_policies.each { |a|
|
|
115
115
|
if !configured_policies.include?(a.policy_arn)
|
|
116
116
|
MU.log "Removing IAM policy #{a.policy_arn} from group #{@mu_name}", MU::NOTICE
|
|
117
|
-
MU::Cloud
|
|
117
|
+
MU::Cloud.resourceClass("AWS", "Role").purgePolicy(a.policy_arn, @credentials)
|
|
118
118
|
else
|
|
119
119
|
configured_policies.delete(a.policy_arn)
|
|
120
120
|
end
|
|
@@ -131,7 +131,7 @@ module MU
|
|
|
131
131
|
end
|
|
132
132
|
|
|
133
133
|
if @config['inline_policies']
|
|
134
|
-
docs = MU::Cloud
|
|
134
|
+
docs = MU::Cloud.resourceClass("AWS", "Role").genPolicyDocument(@config['inline_policies'], deploy_obj: @deploy)
|
|
135
135
|
docs.each { |doc|
|
|
136
136
|
MU.log "Putting user policy #{doc.keys.first} to group #{@cloud_id} "
|
|
137
137
|
MU::Cloud::AWS.iam(credentials: @credentials).put_group_policy(
|
|
@@ -291,7 +291,7 @@ module MU
|
|
|
291
291
|
resp.policy_names.each { |pol_name|
|
|
292
292
|
pol = MU::Cloud::AWS.iam(credentials: @credentials).get_group_policy(group_name: @cloud_id, policy_name: pol_name)
|
|
293
293
|
doc = JSON.parse(URI.decode(pol.policy_document))
|
|
294
|
-
bok["inline_policies"] = MU::Cloud
|
|
294
|
+
bok["inline_policies"] = MU::Cloud.resourceClass("AWS", "Role").doc2MuPolicies(pol.policy_name, doc, bok["inline_policies"])
|
|
295
295
|
}
|
|
296
296
|
end
|
|
297
297
|
|
|
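Review bot: `doc = JSON.parse(URI.decode(pol.policy_document))`, kept as context beside the new `doc2MuPolicies` call, relies on `URI.decode`, which was removed from Ruby's standard library in 3.0, so this path raises NoMethodError on current interpreters. `CGI.unescape(pol.policy_document)` or `URI.decode_www_form_component(pol.policy_document)` decodes the URL-encoded IAM document without that dependency; the role.rb hunk later in the diff has the same call on `version.policy_version.document`. The enclosing block starts before this hunk.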
@@ -324,7 +324,7 @@ module MU
|
|
|
324
324
|
def self.schema(_config)
|
|
325
325
|
toplevel_required = []
|
|
326
326
|
polschema = MU::Config::Role.schema["properties"]["policies"]
|
|
327
|
-
polschema.deep_merge!(MU::Cloud
|
|
327
|
+
polschema.deep_merge!(MU::Cloud.resourceClass("AWS", "Role").condition_schema)
|
|
328
328
|
|
|
329
329
|
schema = {
|
|
330
330
|
"inline_policies" => polschema,
|
|
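Review bot: `polschema.deep_merge!(MU::Cloud.resourceClass("AWS", "Role").condition_schema)` mutates whatever `MU::Config::Role.schema["properties"]["policies"]` returned two lines earlier; if that schema is memoised or built from a constant rather than rebuilt per call, every call to `self.schema` accumulates the AWS condition schema into the shared Role schema. That is not visible in the hunk, so treat it as something to confirm; assigning a non-bang merge, `polschema = polschema.deep_merge(...)`, removes the question. The method continues past the hunk.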
@@ -364,7 +364,7 @@ style long name, like +IAMTESTS-DEV-2018112815-IS-GROUP-FOO+. This parameter wil
|
|
|
364
364
|
# If we're attaching some managed policies, make sure all of the ones
|
|
365
365
|
# that should already exist do indeed exist
|
|
366
366
|
if group['attachable_policies']
|
|
367
|
-
ok = false if !MU::Cloud
|
|
367
|
+
ok = false if !MU::Cloud.resourceClass("AWS", "Role").validateAttachablePolicies(
|
|
368
368
|
group['attachable_policies'],
|
|
369
369
|
credentials: group['credentials'],
|
|
370
370
|
region: group['region']
|
|
@@ -378,13 +378,9 @@ style long name, like +IAMTESTS-DEV-2018112815-IS-GROUP-FOO+. This parameter wil
|
|
|
378
378
|
if group['members']
|
|
379
379
|
group['members'].each { |user|
|
|
380
380
|
if configurator.haveLitterMate?(user, "users")
|
|
381
|
-
group
|
|
382
|
-
group["dependencies"] << {
|
|
383
|
-
"type" => "user",
|
|
384
|
-
"name" => user
|
|
385
|
-
}
|
|
381
|
+
MU::Config.addDependency(group, user, "user")
|
|
386
382
|
else
|
|
387
|
-
found = MU::Cloud
|
|
383
|
+
found = MU::Cloud.resourceClass("AWS", "User").find(cloud_id: user)
|
|
388
384
|
if found.nil? or found.empty?
|
|
389
385
|
MU.log "Error in members for group #{group['name']}: No such user #{user}", MU::ERR
|
|
390
386
|
ok = false
|
|
@@ -144,7 +144,7 @@ module MU
|
|
|
144
144
|
def self.orgMasterCreds?(credentials = nil)
|
|
145
145
|
acct_num = MU::Cloud::AWS.iam(credentials: credentials).list_users.users.first.arn.split(/:/)[4]
|
|
146
146
|
|
|
147
|
-
parentorg = MU::Cloud
|
|
147
|
+
parentorg = MU::Cloud.resourceClass("AWS", "Folder").find(credentials: credentials).values.first
|
|
148
148
|
acct_num == parentorg.master_account_id
|
|
149
149
|
end
|
|
150
150
|
|
|
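Review bot: `parentorg = MU::Cloud.resourceClass("AWS", "Folder").find(credentials: credentials).values.first` followed by `acct_num == parentorg.master_account_id` raises NoMethodError on nil if the lookup returns an empty Hash, for example for credentials without Organizations access, turning a predicate method into an exception. `return false if parentorg.nil?` between the two lines keeps `orgMasterCreds?` boolean. Whether `find` can return an empty result here is not shown by the hunk.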
@@ -163,7 +163,7 @@ module MU
|
|
|
163
163
|
dnsthread = Thread.new {
|
|
164
164
|
if !MU::Cloud::AWS.isGovCloud?
|
|
165
165
|
MU.dupGlobals(parent_thread_id)
|
|
166
|
-
generic_mu_dns = MU::Cloud
|
|
166
|
+
generic_mu_dns = MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: @mu_name, target: "#{lb.dns_name}.", cloudclass: MU::Cloud::LoadBalancer, sync_wait: @config['dns_sync_wait'])
|
|
167
167
|
end
|
|
168
168
|
}
|
|
169
169
|
|
|
@@ -239,16 +239,35 @@ module MU
|
|
|
239
239
|
end
|
|
240
240
|
end
|
|
241
241
|
|
|
242
|
+
redirect_block = Proc.new { |r|
|
|
243
|
+
{
|
|
244
|
+
:protocol => r['protocol'],
|
|
245
|
+
:port => r['port'].to_s,
|
|
246
|
+
:host => r['host'],
|
|
247
|
+
:path => r['path'],
|
|
248
|
+
:query => r['query'],
|
|
249
|
+
:status_code => "HTTP_"+r['status_code'].to_s
|
|
250
|
+
}
|
|
251
|
+
}
|
|
252
|
+
|
|
242
253
|
if !@config['classic']
|
|
243
254
|
@config["listeners"].each { |l|
|
|
244
|
-
if
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
255
|
+
action = if l['redirect']
|
|
256
|
+
{
|
|
257
|
+
:type => "redirect",
|
|
258
|
+
:redirect_config => redirect_block.call(l['redirect'])
|
|
259
|
+
}
|
|
260
|
+
else
|
|
261
|
+
if !@targetgroups.has_key?(l['targetgroup'])
|
|
262
|
+
raise MuError, "Listener in #{@mu_name} configured for target group #{l['targetgroup']}, but I don't have data on a targetgroup by that name"
|
|
263
|
+
end
|
|
264
|
+
{
|
|
249
265
|
:target_group_arn => @targetgroups[l['targetgroup']].target_group_arn,
|
|
250
266
|
:type => "forward"
|
|
251
|
-
}
|
|
267
|
+
}
|
|
268
|
+
end
|
|
269
|
+
listen_descriptor = {
|
|
270
|
+
:default_actions => [ action ],
|
|
252
271
|
:load_balancer_arn => lb.load_balancer_arn,
|
|
253
272
|
:port => l['lb_port'],
|
|
254
273
|
:protocol => l['lb_protocol']
|
|
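Review bot: `redirect_block = Proc.new { |r| ... }` is a plain proc, so argument count is not checked and a `return` inside it would leave the enclosing method; since it is only invoked with one argument via `.call`, the lambda form `redirect_block = ->(r) { ... }` (or a private method) is the safer and idiomatic choice. The block also reads `r['port']`, `r['status_code']` and friends without guards, so a redirect stanza missing `status_code` yields `"HTTP_"`; if the loadbalancer config schema guarantees those keys, a comment such as `# redirect keys are validated by the config schema before we get here — TODO confirm` documents that reliance. The enclosing method starts before and continues past this hunk.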
@@ -276,10 +295,17 @@ module MU
|
|
|
276
295
|
:actions => []
|
|
277
296
|
}
|
|
278
297
|
rule['actions'].each { |a|
|
|
279
|
-
rule_descriptor[:actions] <<
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
298
|
+
rule_descriptor[:actions] << if a['action'] == "forward"
|
|
299
|
+
{
|
|
300
|
+
:target_group_arn => @targetgroups[a['targetgroup']].target_group_arn,
|
|
301
|
+
:type => a['action']
|
|
302
|
+
}
|
|
303
|
+
elsif a['action'] == "redirect"
|
|
304
|
+
{
|
|
305
|
+
:redirect_config => redirect_block.call(rule['redirect']),
|
|
306
|
+
:type => a['action']
|
|
307
|
+
}
|
|
308
|
+
end
|
|
283
309
|
}
|
|
284
310
|
MU::Cloud::AWS.elb2(region: @config['region'], credentials: @config['credentials']).create_rule(rule_descriptor)
|
|
285
311
|
}
|
|
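Review bot: In the `elsif a['action'] == "redirect"` branch, `redirect_block.call(rule['redirect'])` reads the redirect settings from the enclosing `rule` rather than from the action `a` being iterated, whereas the listener path in the previous hunk takes them from the listener itself via `l['redirect']`; two redirect actions in one rule would therefore get identical configs, and a rule carrying the settings on the action would pass nil to the proc. Which level the schema places `redirect` at is not visible here, so confirm before switching to `a['redirect']`. Separately, the `if`/`elsif` has no `else`, so any other `a['action']` value appends `nil` to `rule_descriptor[:actions]` and only fails inside `create_rule`; adding `else raise MuError, "Unknown action #{a['action']} in rule for #{@mu_name}"` surfaces the misconfiguration where it occurs. The enclosing method starts before this hunk.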
@@ -536,7 +562,7 @@ module MU
|
|
|
536
562
|
}
|
|
537
563
|
end
|
|
538
564
|
if !MU::Cloud::AWS.isGovCloud?
|
|
539
|
-
MU::Cloud
|
|
565
|
+
MU::Cloud.resourceClass("AWS", "DNSZone").createRecordsFromConfig(@config['dns_records'], target: cloud_desc.dns_name)
|
|
540
566
|
end
|
|
541
567
|
end
|
|
542
568
|
|
|
@@ -706,7 +732,7 @@ module MU
|
|
|
706
732
|
end
|
|
707
733
|
if matched
|
|
708
734
|
if !MU::Cloud::AWS.isGovCloud?
|
|
709
|
-
MU::Cloud
|
|
735
|
+
MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: lb.load_balancer_name, target: lb.dns_name, cloudclass: MU::Cloud::LoadBalancer, delete: true) if !noop
|
|
710
736
|
end
|
|
711
737
|
if classic
|
|
712
738
|
MU.log "Removing Elastic Load Balancer #{lb.load_balancer_name}"
|
|
@@ -793,26 +819,7 @@ module MU
|
|
|
793
819
|
}
|
|
794
820
|
}
|
|
795
821
|
},
|
|
796
|
-
"ingress_rules" =>
|
|
797
|
-
"items" => {
|
|
798
|
-
"properties" => {
|
|
799
|
-
"sgs" => {
|
|
800
|
-
"type" => "array",
|
|
801
|
-
"items" => {
|
|
802
|
-
"description" => "Other AWS Security Groups; resources that are associated with this group will have this rule applied to their traffic",
|
|
803
|
-
"type" => "string"
|
|
804
|
-
}
|
|
805
|
-
},
|
|
806
|
-
"lbs" => {
|
|
807
|
-
"type" => "array",
|
|
808
|
-
"items" => {
|
|
809
|
-
"description" => "AWS Load Balancers which will have this rule applied to their traffic",
|
|
810
|
-
"type" => "string"
|
|
811
|
-
}
|
|
812
|
-
}
|
|
813
|
-
}
|
|
814
|
-
}
|
|
815
|
-
}
|
|
822
|
+
"ingress_rules" => MU::Cloud.resourceClass("AWS", "FirewallRule").ingressRuleAddtlSchema
|
|
816
823
|
}
|
|
817
824
|
[toplevel_required, schema]
|
|
818
825
|
end
|
|
@@ -923,6 +930,7 @@ module MU
|
|
|
923
930
|
return matches
|
|
924
931
|
|
|
925
932
|
end
|
|
933
|
+
|
|
926
934
|
end
|
|
927
935
|
end
|
|
928
936
|
end
|
|
@@ -233,8 +233,8 @@ module MU
|
|
|
233
233
|
# unless noop
|
|
234
234
|
# MU::Cloud::AWS.iam(credentials: credentials).list_roles.roles.each{ |role|
|
|
235
235
|
# match_string = "#{MU.deploy_id}.*CloudTrail"
|
|
236
|
-
# Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud
|
|
237
|
-
# MU::Cloud
|
|
236
|
+
# Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud.resourceClass("AWS", "Server").
|
|
237
|
+
# MU::Cloud.resourceClass("AWS", "Server").removeIAMProfile(role.role_name) if role.role_name.match(match_string)
|
|
238
238
|
# }
|
|
239
239
|
# end
|
|
240
240
|
end
|
|
@@ -327,16 +327,10 @@ module MU
|
|
|
327
327
|
failq.delete("failqueue")
|
|
328
328
|
ok = false if !configurator.insertKitten(failq, "msg_queues")
|
|
329
329
|
queue['failqueue']['name'] = failq['name']
|
|
330
|
-
queue[
|
|
331
|
-
"name" => failq['name'],
|
|
332
|
-
"type" => "msg_queue"
|
|
333
|
-
}
|
|
330
|
+
MU::Config.addDependency(queue, failq["name"], "msg_queue")
|
|
334
331
|
else
|
|
335
332
|
if configurator.haveLitterMate?(queue['failqueue']['name'], "msg_queue")
|
|
336
|
-
queue['
|
|
337
|
-
"name" => queue['failqueue']['name'],
|
|
338
|
-
"type" => "msg_queue"
|
|
339
|
-
}
|
|
333
|
+
MU::Config.addDependency(queue, queue['failqueue']['name'], "msg_queue")
|
|
340
334
|
else
|
|
341
335
|
failq = MU::Cloud::AWS::MsgQueue.find(cloud_id: queue['failqueue']['name'])
|
|
342
336
|
if !failq
|
|
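Review bot: `MU::Config.addDependency(queue, failq["name"], "msg_queue")` switches to double-quoted `failq["name"]` while the surrounding lines (`failq['name']`, `queue['failqueue']['name']`) use single quotes; `failq['name']` keeps the hunk consistent with its neighbours. The `else` branch below still calls `MU::Cloud::AWS::MsgQueue.find` directly, whereas the rest of this release routes such lookups through `MU::Cloud.resourceClass("AWS", ...)`; that line is unchanged context, so this is a follow-up rather than a defect. The enclosing method starts before and continues past the hunk.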
File without changes
|
|
File without changes
|
|
@@ -615,7 +615,6 @@ end
|
|
|
615
615
|
)
|
|
616
616
|
JSON.parse(URI.decode(version.policy_version.document))
|
|
617
617
|
end
|
|
618
|
-
|
|
619
618
|
bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
|
|
620
619
|
end
|
|
621
620
|
}
|
|
@@ -695,6 +694,7 @@ end
|
|
|
695
694
|
end
|
|
696
695
|
|
|
697
696
|
bok["attachable_policies"].uniq! if bok["attachable_policies"]
|
|
697
|
+
bok["name"].gsub!(/[^a-zA-Z0-9_\-]/, "_")
|
|
698
698
|
|
|
699
699
|
bok
|
|
700
700
|
end
|
|
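Review bot: `bok["name"].gsub!(/[^a-zA-Z0-9_\-]/, "_")` mutates the name string in place, which raises FrozenError if the string is frozen and silently rewrites any other object still holding a reference to it, such as the SDK response it was copied from; `bok["name"] = bok["name"].gsub(/[^a-zA-Z0-9_\-]/, "_")` has neither problem. It also assumes `bok["name"]` is set by this point; if it can be nil the call raises NoMethodError, which the hunk does not show either way. The enclosing method starts before this hunk.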
@@ -707,6 +707,10 @@ end
|
|
|
707
707
|
def self.doc2MuPolicies(basename, doc, policies = [])
|
|
708
708
|
policies ||= []
|
|
709
709
|
|
|
710
|
+
if !doc["Statement"].is_a?(Array)
|
|
711
|
+
doc["Statement"] = [doc["Statement"]]
|
|
712
|
+
end
|
|
713
|
+
|
|
710
714
|
doc["Statement"].each { |s|
|
|
711
715
|
if !s["Action"]
|
|
712
716
|
MU.log "Statement in policy document for #{basename} didn't have an Action field", MU::WARN, details: doc
|
|
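Review bot: The new `if !doc["Statement"].is_a?(Array)` normalisation writes back into the caller's `doc`, and when `doc["Statement"]` is absent it becomes `[nil]`, so the following `s["Action"]` raises NoMethodError instead of reaching the `MU.log ... MU::WARN` path meant to handle malformed statements. Iterating a local instead, `statements = doc["Statement"].is_a?(Array) ? doc["Statement"] : [doc["Statement"]].compact` followed by `statements.each { |s|`, avoids both the side effect on the argument and the nil element. A one-line comment such as `# IAM permits Statement to be a lone object; treat it as a one-element list` would document why the branch exists. The method continues past the hunk.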
@@ -925,7 +929,7 @@ end
|
|
|
925
929
|
toplevel_required = []
|
|
926
930
|
aws_resource_types = MU::Cloud.resource_types.keys.reject { |t|
|
|
927
931
|
begin
|
|
928
|
-
MU::Cloud.
|
|
932
|
+
MU::Cloud.resourceClass("AWS", t)
|
|
929
933
|
false
|
|
930
934
|
rescue MuCloudResourceNotImplemented
|
|
931
935
|
true
|
|
@@ -1087,11 +1091,7 @@ end
|
|
|
1087
1091
|
role['policies'].each { |policy|
|
|
1088
1092
|
policy['targets'].each { |target|
|
|
1089
1093
|
if target['type']
|
|
1090
|
-
role['
|
|
1091
|
-
role['dependencies'] << {
|
|
1092
|
-
"name" => target['identifier'],
|
|
1093
|
-
"type" => target['type']
|
|
1094
|
-
}
|
|
1094
|
+
MU::Config.addDependency(role, target['identifier'], target['type'])
|
|
1095
1095
|
end
|
|
1096
1096
|
}
|
|
1097
1097
|
}
|