cloud-mu 3.1.6 → 3.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/bin/mu-adopt +4 -12
- data/bin/mu-azure-tests +57 -0
- data/bin/mu-cleanup +2 -4
- data/bin/mu-configure +37 -1
- data/bin/mu-deploy +3 -3
- data/bin/mu-findstray-tests +25 -0
- data/bin/mu-gen-docs +2 -4
- data/bin/mu-run-tests +23 -10
- data/cloud-mu.gemspec +2 -2
- data/cookbooks/mu-tools/libraries/helper.rb +1 -1
- data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
- data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
- data/extras/generate-stock-images +1 -0
- data/modules/mu.rb +82 -95
- data/modules/mu/adoption.rb +356 -56
- data/modules/mu/cleanup.rb +21 -20
- data/modules/mu/cloud.rb +79 -1753
- data/modules/mu/cloud/database.rb +49 -0
- data/modules/mu/cloud/dnszone.rb +46 -0
- data/modules/mu/cloud/machine_images.rb +212 -0
- data/modules/mu/cloud/providers.rb +81 -0
- data/modules/mu/cloud/resource_base.rb +920 -0
- data/modules/mu/cloud/server.rb +40 -0
- data/modules/mu/cloud/server_pool.rb +1 -0
- data/modules/mu/cloud/ssh_sessions.rb +228 -0
- data/modules/mu/cloud/winrm_sessions.rb +237 -0
- data/modules/mu/cloud/wrappers.rb +165 -0
- data/modules/mu/config.rb +122 -80
- data/modules/mu/config/alarm.rb +2 -6
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/cache_cluster.rb +1 -1
- data/modules/mu/config/collection.rb +1 -1
- data/modules/mu/config/container_cluster.rb +2 -2
- data/modules/mu/config/database.rb +83 -104
- data/modules/mu/config/database.yml +1 -2
- data/modules/mu/config/dnszone.rb +1 -1
- data/modules/mu/config/doc_helpers.rb +4 -5
- data/modules/mu/config/endpoint.rb +1 -1
- data/modules/mu/config/firewall_rule.rb +3 -19
- data/modules/mu/config/folder.rb +1 -1
- data/modules/mu/config/function.rb +1 -1
- data/modules/mu/config/group.rb +1 -1
- data/modules/mu/config/habitat.rb +1 -1
- data/modules/mu/config/loadbalancer.rb +57 -11
- data/modules/mu/config/log.rb +1 -1
- data/modules/mu/config/msg_queue.rb +1 -1
- data/modules/mu/config/nosqldb.rb +1 -1
- data/modules/mu/config/notifier.rb +1 -1
- data/modules/mu/config/ref.rb +30 -4
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +30 -34
- data/modules/mu/config/search_domain.rb +1 -1
- data/modules/mu/config/server.rb +4 -12
- data/modules/mu/config/server_pool.rb +3 -7
- data/modules/mu/config/storage_pool.rb +1 -1
- data/modules/mu/config/tail.rb +10 -0
- data/modules/mu/config/user.rb +1 -1
- data/modules/mu/config/vpc.rb +12 -17
- data/modules/mu/defaults/AWS.yaml +32 -32
- data/modules/mu/defaults/Azure.yaml +1 -0
- data/modules/mu/defaults/Google.yaml +1 -0
- data/modules/mu/deploy.rb +16 -15
- data/modules/mu/groomer.rb +15 -0
- data/modules/mu/groomers/chef.rb +3 -0
- data/modules/mu/logger.rb +120 -144
- data/modules/mu/master.rb +1 -1
- data/modules/mu/mommacat.rb +54 -25
- data/modules/mu/mommacat/daemon.rb +10 -7
- data/modules/mu/mommacat/naming.rb +82 -3
- data/modules/mu/mommacat/search.rb +47 -15
- data/modules/mu/mommacat/storage.rb +72 -41
- data/modules/mu/{clouds → providers}/README.md +1 -1
- data/modules/mu/{clouds → providers}/aws.rb +114 -47
- data/modules/mu/{clouds → providers}/aws/alarm.rb +1 -1
- data/modules/mu/{clouds → providers}/aws/bucket.rb +2 -2
- data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +10 -46
- data/modules/mu/{clouds → providers}/aws/collection.rb +3 -3
- data/modules/mu/{clouds → providers}/aws/container_cluster.rb +15 -33
- data/modules/mu/providers/aws/database.rb +1744 -0
- data/modules/mu/{clouds → providers}/aws/dnszone.rb +2 -5
- data/modules/mu/{clouds → providers}/aws/endpoint.rb +2 -11
- data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +33 -29
- data/modules/mu/{clouds → providers}/aws/folder.rb +0 -0
- data/modules/mu/{clouds → providers}/aws/function.rb +2 -10
- data/modules/mu/{clouds → providers}/aws/group.rb +9 -13
- data/modules/mu/{clouds → providers}/aws/habitat.rb +1 -1
- data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +41 -33
- data/modules/mu/{clouds → providers}/aws/log.rb +2 -2
- data/modules/mu/{clouds → providers}/aws/msg_queue.rb +2 -8
- data/modules/mu/{clouds → providers}/aws/nosqldb.rb +0 -0
- data/modules/mu/{clouds → providers}/aws/notifier.rb +0 -0
- data/modules/mu/{clouds → providers}/aws/role.rb +7 -7
- data/modules/mu/{clouds → providers}/aws/search_domain.rb +8 -13
- data/modules/mu/{clouds → providers}/aws/server.rb +55 -90
- data/modules/mu/{clouds → providers}/aws/server_pool.rb +10 -33
- data/modules/mu/{clouds → providers}/aws/storage_pool.rb +19 -36
- data/modules/mu/{clouds → providers}/aws/user.rb +8 -12
- data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/aws/vpc.rb +135 -70
- data/modules/mu/{clouds → providers}/aws/vpc_subnet.rb +0 -0
- data/modules/mu/{clouds → providers}/azure.rb +4 -1
- data/modules/mu/{clouds → providers}/azure/container_cluster.rb +1 -5
- data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +8 -1
- data/modules/mu/{clouds → providers}/azure/habitat.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/role.rb +0 -0
- data/modules/mu/{clouds → providers}/azure/server.rb +30 -23
- data/modules/mu/{clouds → providers}/azure/user.rb +1 -1
- data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/azure/vpc.rb +4 -6
- data/modules/mu/{clouds → providers}/cloudformation.rb +1 -1
- data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
- data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
- data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
- data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +3 -3
- data/modules/mu/{clouds → providers}/docker.rb +0 -0
- data/modules/mu/{clouds → providers}/google.rb +14 -6
- data/modules/mu/{clouds → providers}/google/bucket.rb +1 -1
- data/modules/mu/{clouds → providers}/google/container_cluster.rb +28 -13
- data/modules/mu/{clouds → providers}/google/database.rb +1 -8
- data/modules/mu/{clouds → providers}/google/firewall_rule.rb +2 -2
- data/modules/mu/{clouds → providers}/google/folder.rb +4 -8
- data/modules/mu/{clouds → providers}/google/function.rb +3 -3
- data/modules/mu/{clouds → providers}/google/group.rb +8 -16
- data/modules/mu/{clouds → providers}/google/habitat.rb +3 -7
- data/modules/mu/{clouds → providers}/google/loadbalancer.rb +1 -1
- data/modules/mu/{clouds → providers}/google/role.rb +42 -34
- data/modules/mu/{clouds → providers}/google/server.rb +25 -10
- data/modules/mu/{clouds → providers}/google/server_pool.rb +10 -10
- data/modules/mu/{clouds → providers}/google/user.rb +31 -21
- data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/google/vpc.rb +37 -2
- data/modules/tests/centos6.yaml +11 -0
- data/modules/tests/centos7.yaml +11 -0
- data/modules/tests/centos8.yaml +12 -0
- data/modules/tests/rds.yaml +108 -0
- data/modules/tests/regrooms/rds.yaml +123 -0
- data/spec/mu/clouds/azure_spec.rb +2 -2
- metadata +108 -89
- data/modules/mu/clouds/aws/database.rb +0 -1974
@@ -345,7 +345,7 @@ module MU
|
|
345
345
|
rescue Aws::Route53::Errors::LastVPCAssociation => e
|
346
346
|
MU.log e.inspect, MU::WARN
|
347
347
|
rescue Aws::Route53::Errors::VPCAssociationNotFound
|
348
|
-
MU.log "VPC #{vpc_id} access to zone #{id} already revoked", MU::
|
348
|
+
MU.log "VPC #{vpc_id} access to zone #{id} already revoked", MU::NOTICE
|
349
349
|
end
|
350
350
|
end
|
351
351
|
end
|
@@ -825,10 +825,7 @@ module MU
|
|
825
825
|
end
|
826
826
|
|
827
827
|
if !record['mu_type'].nil?
|
828
|
-
zone[
|
829
|
-
"type" => record['mu_type'],
|
830
|
-
"name" => record['target']
|
831
|
-
}
|
828
|
+
MU::Config.addDependency(zone, record['target'], record['mu_type'])
|
832
829
|
end
|
833
830
|
|
834
831
|
if record.has_key?('healthchecks') && !record['healthchecks'].empty?
|
@@ -472,11 +472,7 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
|
|
472
472
|
endpoint['methods'].each { |m|
|
473
473
|
if m['integrate_with'] and m['integrate_with']['name']
|
474
474
|
if m['integrate_with']['type'] != "aws_generic"
|
475
|
-
endpoint['
|
476
|
-
endpoint['dependencies'] << {
|
477
|
-
"type" => m['integrate_with']['type'],
|
478
|
-
"name" => m['integrate_with']['name']
|
479
|
-
}
|
475
|
+
MU::Config.addDependency(endpoint, m['integrate_with']['name'], m['integrate_with']['type'])
|
480
476
|
end
|
481
477
|
|
482
478
|
m['integrate_with']['backend_http_method'] ||= m['type']
|
@@ -525,13 +521,8 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
|
|
525
521
|
end
|
526
522
|
configurator.insertKitten(roledesc, "roles")
|
527
523
|
|
528
|
-
endpoint['dependencies'] ||= []
|
529
524
|
m['iam_role'] = endpoint['name']+"-"+m['integrate_with']['name']
|
530
|
-
|
531
|
-
endpoint['dependencies'] << {
|
532
|
-
"type" => "role",
|
533
|
-
"name" => endpoint['name']+"-"+m['integrate_with']['name']
|
534
|
-
}
|
525
|
+
MU::Config.addDependency(endpoint, m['iam_role'], "role")
|
535
526
|
end
|
536
527
|
end
|
537
528
|
}
|
@@ -18,7 +18,7 @@ module MU
|
|
18
18
|
class AWS
|
19
19
|
# A firewall ruleset as configured in {MU::Config::BasketofKittens::firewall_rules}
|
20
20
|
class FirewallRule < MU::Cloud::FirewallRule
|
21
|
-
require "mu/
|
21
|
+
require "mu/providers/aws/vpc"
|
22
22
|
|
23
23
|
@admin_sgs = Hash.new
|
24
24
|
@admin_sg_semaphore = Mutex.new
|
@@ -398,7 +398,7 @@ module MU
|
|
398
398
|
|
399
399
|
# Some services create sneaky rogue ENIs which then block removal of
|
400
400
|
# associated security groups. Find them and fry them.
|
401
|
-
MU::Cloud
|
401
|
+
MU::Cloud.resourceClass("AWS", "VPC").purge_interfaces(noop, filters, region: region, credentials: credentials)
|
402
402
|
|
403
403
|
resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_security_groups(
|
404
404
|
filters: filters
|
@@ -421,7 +421,7 @@ module MU
|
|
421
421
|
# try to get out from under loose network interfaces with which
|
422
422
|
# we're associated
|
423
423
|
if sg.vpc_id
|
424
|
-
default_sg = MU::Cloud
|
424
|
+
default_sg = MU::Cloud.resourceClass("AWS", "VPC").getDefaultSg(sg.vpc_id, region: region, credentials: credentials)
|
425
425
|
if default_sg
|
426
426
|
eni_resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_network_interfaces(
|
427
427
|
filters: [ {name: "group-id", values: [sg.group_id]} ]
|
@@ -514,6 +514,31 @@ module MU
|
|
514
514
|
end
|
515
515
|
private_class_method :revoke_rules
|
516
516
|
|
517
|
+
# Return an AWS-specific chunk of schema commonly used in the +ingress_rules+ parameter of other resource types.
|
518
|
+
# @return [Hash]
|
519
|
+
def self.ingressRuleAddtlSchema
|
520
|
+
{
|
521
|
+
"items" => {
|
522
|
+
"properties" => {
|
523
|
+
"sgs" => {
|
524
|
+
"type" => "array",
|
525
|
+
"items" => {
|
526
|
+
"description" => "Other AWS Security Groups; resources that are associated with this group will have this rule applied to their traffic",
|
527
|
+
"type" => "string"
|
528
|
+
}
|
529
|
+
},
|
530
|
+
"lbs" => {
|
531
|
+
"type" => "array",
|
532
|
+
"items" => {
|
533
|
+
"description" => "AWS Load Balancers which will have this rule applied to their traffic",
|
534
|
+
"type" => "string"
|
535
|
+
}
|
536
|
+
}
|
537
|
+
}
|
538
|
+
}
|
539
|
+
}
|
540
|
+
end
|
541
|
+
|
517
542
|
# Cloud-specific configuration properties.
|
518
543
|
# @param _config [MU::Config]: The calling MU::Config object
|
519
544
|
# @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
|
@@ -623,36 +648,16 @@ module MU
|
|
623
648
|
|
624
649
|
if rule['firewall_rules']
|
625
650
|
rule['firewall_rules'].each { |sg|
|
626
|
-
if sg
|
627
|
-
|
628
|
-
"type" => "firewall_rule",
|
629
|
-
"name" => sg.name,
|
630
|
-
"no_create_wait" => true
|
631
|
-
}
|
632
|
-
elsif sg['name'] and !sg['deploy_id']
|
633
|
-
acl["dependencies"] << {
|
634
|
-
"type" => "firewall_rule",
|
635
|
-
"name" => sg['name'],
|
636
|
-
"no_create_wait" => true
|
637
|
-
}
|
651
|
+
if sg['name'] and !sg['deploy_id']
|
652
|
+
MU::Config.addDependency(acl, sg['name'], "firewall_rule", no_create_wait: true)
|
638
653
|
end
|
639
654
|
}
|
640
655
|
end
|
641
656
|
|
642
657
|
if rule['loadbalancers']
|
643
658
|
rule['loadbalancers'].each { |lb|
|
644
|
-
if lb
|
645
|
-
|
646
|
-
"type" => "loadbalancer",
|
647
|
-
"name" => lb.name,
|
648
|
-
"phase" => "groom"
|
649
|
-
}
|
650
|
-
elsif lb['name'] and !lb['deploy_id']
|
651
|
-
acl["dependencies"] << {
|
652
|
-
"type" => "loadbalancer",
|
653
|
-
"name" => lb['name'],
|
654
|
-
"phase" => "groom"
|
655
|
-
}
|
659
|
+
if lb['name'] and !lb['deploy_id']
|
660
|
+
MU::Config.addDependency(acl, lb['name'], "loadbalancer", phase: "groom")
|
656
661
|
end
|
657
662
|
}
|
658
663
|
end
|
@@ -739,7 +744,6 @@ module MU
|
|
739
744
|
# "ingress_rules" structure parsed and validated by MU::Config.
|
740
745
|
#########################################################################
|
741
746
|
def setRules(rules, add_to_self: false, ingress: true, egress: false)
|
742
|
-
describe
|
743
747
|
# XXX warn about attempt to set rules before we exist
|
744
748
|
return if rules.nil? or rules.size == 0 or !@cloud_id
|
745
749
|
|
@@ -760,7 +764,7 @@ module MU
|
|
760
764
|
ec2_rules = convertToEc2(rules)
|
761
765
|
return if ec2_rules.nil?
|
762
766
|
|
763
|
-
ext_permissions = MU.structToHash(cloud_desc.ip_permissions)
|
767
|
+
ext_permissions = MU.structToHash(cloud_desc(use_cache: false).ip_permissions)
|
764
768
|
|
765
769
|
purge_extraneous_rules(ec2_rules, ext_permissions)
|
766
770
|
|
File without changes
|
@@ -505,11 +505,7 @@ MU.log shortname, MU::NOTICE, details: function.configuration.role
|
|
505
505
|
function["add_firewall_rules"] << {"name" => fwname}
|
506
506
|
function["permissions"] ||= []
|
507
507
|
function["permissions"] << "network"
|
508
|
-
function
|
509
|
-
function['dependencies'] << {
|
510
|
-
"name" => fwname,
|
511
|
-
"type" => "firewall_rule"
|
512
|
-
}
|
508
|
+
MU::Config.addDependency(function, fwname, "firewall_rule")
|
513
509
|
end
|
514
510
|
|
515
511
|
if !function['iam_role']
|
@@ -541,13 +537,9 @@ MU.log shortname, MU::NOTICE, details: function.configuration.role
|
|
541
537
|
}
|
542
538
|
configurator.insertKitten(roledesc, "roles")
|
543
539
|
|
544
|
-
function['dependencies'] ||= []
|
545
540
|
function['iam_role'] = function['name']+"execrole"
|
546
541
|
|
547
|
-
function['
|
548
|
-
"type" => "role",
|
549
|
-
"name" => function['name']+"execrole"
|
550
|
-
}
|
542
|
+
MU::Config.addDependency(function, function['name']+"execrole", "role")
|
551
543
|
end
|
552
544
|
|
553
545
|
ok
|
@@ -60,7 +60,7 @@ module MU
|
|
60
60
|
userid = user
|
61
61
|
userdesc = @deploy.findLitterMate(name: user, type: "users")
|
62
62
|
userid = userdesc.cloud_id if userdesc
|
63
|
-
found = MU::Cloud
|
63
|
+
found = MU::Cloud.resourceClass("AWS", "User").find(cloud_id: userid)
|
64
64
|
if found.size == 1
|
65
65
|
userdesc = found.values.first
|
66
66
|
MU.log "Adding IAM user #{userdesc.path}#{userdesc.user_name} to group #{@mu_name}", MU::NOTICE
|
@@ -88,7 +88,7 @@ module MU
|
|
88
88
|
# Create these if necessary, then append them to the list of
|
89
89
|
# attachable_policies
|
90
90
|
if @config['raw_policies']
|
91
|
-
pol_arns = MU::Cloud
|
91
|
+
pol_arns = MU::Cloud.resourceClass("AWS", "Role").manageRawPolicies(
|
92
92
|
@config['raw_policies'],
|
93
93
|
basename: @deploy.getResourceName(@config['name']),
|
94
94
|
credentials: @credentials
|
@@ -114,7 +114,7 @@ module MU
|
|
114
114
|
attached_policies.each { |a|
|
115
115
|
if !configured_policies.include?(a.policy_arn)
|
116
116
|
MU.log "Removing IAM policy #{a.policy_arn} from group #{@mu_name}", MU::NOTICE
|
117
|
-
MU::Cloud
|
117
|
+
MU::Cloud.resourceClass("AWS", "Role").purgePolicy(a.policy_arn, @credentials)
|
118
118
|
else
|
119
119
|
configured_policies.delete(a.policy_arn)
|
120
120
|
end
|
@@ -131,7 +131,7 @@ module MU
|
|
131
131
|
end
|
132
132
|
|
133
133
|
if @config['inline_policies']
|
134
|
-
docs = MU::Cloud
|
134
|
+
docs = MU::Cloud.resourceClass("AWS", "Role").genPolicyDocument(@config['inline_policies'], deploy_obj: @deploy)
|
135
135
|
docs.each { |doc|
|
136
136
|
MU.log "Putting user policy #{doc.keys.first} to group #{@cloud_id} "
|
137
137
|
MU::Cloud::AWS.iam(credentials: @credentials).put_group_policy(
|
@@ -291,7 +291,7 @@ module MU
|
|
291
291
|
resp.policy_names.each { |pol_name|
|
292
292
|
pol = MU::Cloud::AWS.iam(credentials: @credentials).get_group_policy(group_name: @cloud_id, policy_name: pol_name)
|
293
293
|
doc = JSON.parse(URI.decode(pol.policy_document))
|
294
|
-
bok["inline_policies"] = MU::Cloud
|
294
|
+
bok["inline_policies"] = MU::Cloud.resourceClass("AWS", "Role").doc2MuPolicies(pol.policy_name, doc, bok["inline_policies"])
|
295
295
|
}
|
296
296
|
end
|
297
297
|
|
@@ -324,7 +324,7 @@ module MU
|
|
324
324
|
def self.schema(_config)
|
325
325
|
toplevel_required = []
|
326
326
|
polschema = MU::Config::Role.schema["properties"]["policies"]
|
327
|
-
polschema.deep_merge!(MU::Cloud
|
327
|
+
polschema.deep_merge!(MU::Cloud.resourceClass("AWS", "Role").condition_schema)
|
328
328
|
|
329
329
|
schema = {
|
330
330
|
"inline_policies" => polschema,
|
@@ -364,7 +364,7 @@ style long name, like +IAMTESTS-DEV-2018112815-IS-GROUP-FOO+. This parameter wil
|
|
364
364
|
# If we're attaching some managed policies, make sure all of the ones
|
365
365
|
# that should already exist do indeed exist
|
366
366
|
if group['attachable_policies']
|
367
|
-
ok = false if !MU::Cloud
|
367
|
+
ok = false if !MU::Cloud.resourceClass("AWS", "Role").validateAttachablePolicies(
|
368
368
|
group['attachable_policies'],
|
369
369
|
credentials: group['credentials'],
|
370
370
|
region: group['region']
|
@@ -378,13 +378,9 @@ style long name, like +IAMTESTS-DEV-2018112815-IS-GROUP-FOO+. This parameter wil
|
|
378
378
|
if group['members']
|
379
379
|
group['members'].each { |user|
|
380
380
|
if configurator.haveLitterMate?(user, "users")
|
381
|
-
group
|
382
|
-
group["dependencies"] << {
|
383
|
-
"type" => "user",
|
384
|
-
"name" => user
|
385
|
-
}
|
381
|
+
MU::Config.addDependency(group, user, "user")
|
386
382
|
else
|
387
|
-
found = MU::Cloud
|
383
|
+
found = MU::Cloud.resourceClass("AWS", "User").find(cloud_id: user)
|
388
384
|
if found.nil? or found.empty?
|
389
385
|
MU.log "Error in members for group #{group['name']}: No such user #{user}", MU::ERR
|
390
386
|
ok = false
|
@@ -144,7 +144,7 @@ module MU
|
|
144
144
|
def self.orgMasterCreds?(credentials = nil)
|
145
145
|
acct_num = MU::Cloud::AWS.iam(credentials: credentials).list_users.users.first.arn.split(/:/)[4]
|
146
146
|
|
147
|
-
parentorg = MU::Cloud
|
147
|
+
parentorg = MU::Cloud.resourceClass("AWS", "Folder").find(credentials: credentials).values.first
|
148
148
|
acct_num == parentorg.master_account_id
|
149
149
|
end
|
150
150
|
|
@@ -163,7 +163,7 @@ module MU
|
|
163
163
|
dnsthread = Thread.new {
|
164
164
|
if !MU::Cloud::AWS.isGovCloud?
|
165
165
|
MU.dupGlobals(parent_thread_id)
|
166
|
-
generic_mu_dns = MU::Cloud
|
166
|
+
generic_mu_dns = MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: @mu_name, target: "#{lb.dns_name}.", cloudclass: MU::Cloud::LoadBalancer, sync_wait: @config['dns_sync_wait'])
|
167
167
|
end
|
168
168
|
}
|
169
169
|
|
@@ -239,16 +239,35 @@ module MU
|
|
239
239
|
end
|
240
240
|
end
|
241
241
|
|
242
|
+
redirect_block = Proc.new { |r|
|
243
|
+
{
|
244
|
+
:protocol => r['protocol'],
|
245
|
+
:port => r['port'].to_s,
|
246
|
+
:host => r['host'],
|
247
|
+
:path => r['path'],
|
248
|
+
:query => r['query'],
|
249
|
+
:status_code => "HTTP_"+r['status_code'].to_s
|
250
|
+
}
|
251
|
+
}
|
252
|
+
|
242
253
|
if !@config['classic']
|
243
254
|
@config["listeners"].each { |l|
|
244
|
-
if
|
245
|
-
|
246
|
-
|
247
|
-
|
248
|
-
|
255
|
+
action = if l['redirect']
|
256
|
+
{
|
257
|
+
:type => "redirect",
|
258
|
+
:redirect_config => redirect_block.call(l['redirect'])
|
259
|
+
}
|
260
|
+
else
|
261
|
+
if !@targetgroups.has_key?(l['targetgroup'])
|
262
|
+
raise MuError, "Listener in #{@mu_name} configured for target group #{l['targetgroup']}, but I don't have data on a targetgroup by that name"
|
263
|
+
end
|
264
|
+
{
|
249
265
|
:target_group_arn => @targetgroups[l['targetgroup']].target_group_arn,
|
250
266
|
:type => "forward"
|
251
|
-
}
|
267
|
+
}
|
268
|
+
end
|
269
|
+
listen_descriptor = {
|
270
|
+
:default_actions => [ action ],
|
252
271
|
:load_balancer_arn => lb.load_balancer_arn,
|
253
272
|
:port => l['lb_port'],
|
254
273
|
:protocol => l['lb_protocol']
|
@@ -276,10 +295,17 @@ module MU
|
|
276
295
|
:actions => []
|
277
296
|
}
|
278
297
|
rule['actions'].each { |a|
|
279
|
-
rule_descriptor[:actions] <<
|
280
|
-
|
281
|
-
|
282
|
-
|
298
|
+
rule_descriptor[:actions] << if a['action'] == "forward"
|
299
|
+
{
|
300
|
+
:target_group_arn => @targetgroups[a['targetgroup']].target_group_arn,
|
301
|
+
:type => a['action']
|
302
|
+
}
|
303
|
+
elsif a['action'] == "redirect"
|
304
|
+
{
|
305
|
+
:redirect_config => redirect_block.call(rule['redirect']),
|
306
|
+
:type => a['action']
|
307
|
+
}
|
308
|
+
end
|
283
309
|
}
|
284
310
|
MU::Cloud::AWS.elb2(region: @config['region'], credentials: @config['credentials']).create_rule(rule_descriptor)
|
285
311
|
}
|
@@ -536,7 +562,7 @@ module MU
|
|
536
562
|
}
|
537
563
|
end
|
538
564
|
if !MU::Cloud::AWS.isGovCloud?
|
539
|
-
MU::Cloud
|
565
|
+
MU::Cloud.resourceClass("AWS", "DNSZone").createRecordsFromConfig(@config['dns_records'], target: cloud_desc.dns_name)
|
540
566
|
end
|
541
567
|
end
|
542
568
|
|
@@ -706,7 +732,7 @@ module MU
|
|
706
732
|
end
|
707
733
|
if matched
|
708
734
|
if !MU::Cloud::AWS.isGovCloud?
|
709
|
-
MU::Cloud
|
735
|
+
MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: lb.load_balancer_name, target: lb.dns_name, cloudclass: MU::Cloud::LoadBalancer, delete: true) if !noop
|
710
736
|
end
|
711
737
|
if classic
|
712
738
|
MU.log "Removing Elastic Load Balancer #{lb.load_balancer_name}"
|
@@ -793,26 +819,7 @@ module MU
|
|
793
819
|
}
|
794
820
|
}
|
795
821
|
},
|
796
|
-
"ingress_rules" =>
|
797
|
-
"items" => {
|
798
|
-
"properties" => {
|
799
|
-
"sgs" => {
|
800
|
-
"type" => "array",
|
801
|
-
"items" => {
|
802
|
-
"description" => "Other AWS Security Groups; resources that are associated with this group will have this rule applied to their traffic",
|
803
|
-
"type" => "string"
|
804
|
-
}
|
805
|
-
},
|
806
|
-
"lbs" => {
|
807
|
-
"type" => "array",
|
808
|
-
"items" => {
|
809
|
-
"description" => "AWS Load Balancers which will have this rule applied to their traffic",
|
810
|
-
"type" => "string"
|
811
|
-
}
|
812
|
-
}
|
813
|
-
}
|
814
|
-
}
|
815
|
-
}
|
822
|
+
"ingress_rules" => MU::Cloud.resourceClass("AWS", "FirewallRule").ingressRuleAddtlSchema
|
816
823
|
}
|
817
824
|
[toplevel_required, schema]
|
818
825
|
end
|
@@ -923,6 +930,7 @@ module MU
|
|
923
930
|
return matches
|
924
931
|
|
925
932
|
end
|
933
|
+
|
926
934
|
end
|
927
935
|
end
|
928
936
|
end
|
@@ -233,8 +233,8 @@ module MU
|
|
233
233
|
# unless noop
|
234
234
|
# MU::Cloud::AWS.iam(credentials: credentials).list_roles.roles.each{ |role|
|
235
235
|
# match_string = "#{MU.deploy_id}.*CloudTrail"
|
236
|
-
# Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud
|
237
|
-
# MU::Cloud
|
236
|
+
# Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud.resourceClass("AWS", "Server").
|
237
|
+
# MU::Cloud.resourceClass("AWS", "Server").removeIAMProfile(role.role_name) if role.role_name.match(match_string)
|
238
238
|
# }
|
239
239
|
# end
|
240
240
|
end
|
@@ -327,16 +327,10 @@ module MU
|
|
327
327
|
failq.delete("failqueue")
|
328
328
|
ok = false if !configurator.insertKitten(failq, "msg_queues")
|
329
329
|
queue['failqueue']['name'] = failq['name']
|
330
|
-
queue[
|
331
|
-
"name" => failq['name'],
|
332
|
-
"type" => "msg_queue"
|
333
|
-
}
|
330
|
+
MU::Config.addDependency(queue, failq["name"], "msg_queue")
|
334
331
|
else
|
335
332
|
if configurator.haveLitterMate?(queue['failqueue']['name'], "msg_queue")
|
336
|
-
queue['
|
337
|
-
"name" => queue['failqueue']['name'],
|
338
|
-
"type" => "msg_queue"
|
339
|
-
}
|
333
|
+
MU::Config.addDependency(queue, queue['failqueue']['name'], "msg_queue")
|
340
334
|
else
|
341
335
|
failq = MU::Cloud::AWS::MsgQueue.find(cloud_id: queue['failqueue']['name'])
|
342
336
|
if !failq
|
File without changes
|
File without changes
|
@@ -615,7 +615,6 @@ end
|
|
615
615
|
)
|
616
616
|
JSON.parse(URI.decode(version.policy_version.document))
|
617
617
|
end
|
618
|
-
|
619
618
|
bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
|
620
619
|
end
|
621
620
|
}
|
@@ -695,6 +694,7 @@ end
|
|
695
694
|
end
|
696
695
|
|
697
696
|
bok["attachable_policies"].uniq! if bok["attachable_policies"]
|
697
|
+
bok["name"].gsub!(/[^a-zA-Z0-9_\-]/, "_")
|
698
698
|
|
699
699
|
bok
|
700
700
|
end
|
@@ -707,6 +707,10 @@ end
|
|
707
707
|
def self.doc2MuPolicies(basename, doc, policies = [])
|
708
708
|
policies ||= []
|
709
709
|
|
710
|
+
if !doc["Statement"].is_a?(Array)
|
711
|
+
doc["Statement"] = [doc["Statement"]]
|
712
|
+
end
|
713
|
+
|
710
714
|
doc["Statement"].each { |s|
|
711
715
|
if !s["Action"]
|
712
716
|
MU.log "Statement in policy document for #{basename} didn't have an Action field", MU::WARN, details: doc
|
@@ -925,7 +929,7 @@ end
|
|
925
929
|
toplevel_required = []
|
926
930
|
aws_resource_types = MU::Cloud.resource_types.keys.reject { |t|
|
927
931
|
begin
|
928
|
-
MU::Cloud.
|
932
|
+
MU::Cloud.resourceClass("AWS", t)
|
929
933
|
false
|
930
934
|
rescue MuCloudResourceNotImplemented
|
931
935
|
true
|
@@ -1087,11 +1091,7 @@ end
|
|
1087
1091
|
role['policies'].each { |policy|
|
1088
1092
|
policy['targets'].each { |target|
|
1089
1093
|
if target['type']
|
1090
|
-
role['
|
1091
|
-
role['dependencies'] << {
|
1092
|
-
"name" => target['identifier'],
|
1093
|
-
"type" => target['type']
|
1094
|
-
}
|
1094
|
+
MU::Config.addDependency(role, target['identifier'], target['type'])
|
1095
1095
|
end
|
1096
1096
|
}
|
1097
1097
|
}
|