cloud-mu 3.5.0 → 3.6.3

Files changed (245) hide show
  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -439,17 +439,45 @@ module MU
439
439
  "description" => "For resources which span regions, restrict to regions inside the United States",
440
440
  "default" => false
441
441
  },
442
- "conditions" => {
443
- "type" => "array",
444
- "items" => {
445
- "type" => "object",
446
- "required" => ["name", "cloudcode"],
447
- "description" => "CloudFormation-specific. Define Conditions as in http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html. Arguments must use the cloudCode() macro.",
448
- "properties" => {
449
- "name" => { "required" => true, "type" => "string" },
450
- "cloudcode" => { "required" => true, "type" => "string" },
442
+ "generate_passwords" => {
443
+ "type" => "array",
444
+ "items" => {
445
+ "type" => "object",
446
+ "required" => ["itemname"],
447
+ "description" => "Generate a password-like string upon initial deployment and store it in the named item in this deploy's vault.",
448
+ "properties" => {
449
+ "itemname" => {
450
+ "type" => "string",
451
+ "description" => "The vault item into which this password should be injected"
452
+ },
453
+ "username" => {
454
+ "type" => "string",
455
+ "description" => "Optional string to add to vault data under the +username+ field"
456
+ },
457
+ "minlength" => {
458
+ "type" => "integer",
459
+ "description" => "The minimum length of the generated password",
460
+ "default" => 14
461
+ },
462
+ "safe_chars" => {
463
+ "type" => "string",
464
+ "descriptions" => "Characters (in addition to digits and latin letters) which should be considered for inclusion",
465
+ "default" => '~!@#%^&*_-+=`|(){}[]:;<>,.?'
451
466
  }
452
467
  }
468
+ }
469
+ },
470
+ "conditions" => {
471
+ "type" => "array",
472
+ "items" => {
473
+ "type" => "object",
474
+ "required" => ["name", "cloudcode"],
475
+ "description" => "CloudFormation-specific. Define Conditions as in http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html. Arguments must use the cloudCode() macro.",
476
+ "properties" => {
477
+ "name" => { "required" => true, "type" => "string" },
478
+ "cloudcode" => { "required" => true, "type" => "string" },
479
+ }
480
+ }
453
481
  },
454
482
  "parameters" => {
455
483
  "type" => "array",
@@ -465,6 +493,11 @@ module MU
465
493
  "type" => "string",
466
494
  "description" => "Treat the value as a comma-separated list of values with this key name, equivalent to CloudFormation's various List<> types. For example, set to 'subnet_id' to pass values as an array of subnet identifiers as the 'subnets' argument of a VPC stanza."
467
495
  },
496
+ "list" => {
497
+ "type" => "boolean",
498
+ "default" => false,
499
+ "description" => "Treat the value as a comma-separated list to be converted into an array of strings. This will be ignored if {list_of} is set."
500
+ },
468
501
  "prettyname" => {
469
502
  "type" => "string",
470
503
  "description" => "An alternative name to use when generating parameter fields in, for example, CloudFormation templates"
@@ -30,12 +30,12 @@ module MU
30
30
  if !server['active_directory'].nil?
31
31
  ["domain_admin_vault", "domain_join_vault"].each { |vault_class|
32
32
  server['vault_access'] << {
33
- "vault" => server['active_directory'][vault_class]['vault'],
34
- "item" => server['active_directory'][vault_class]['item']
33
+ "vault" => server['active_directory'][vault_class]['vault'],
34
+ "item" => server['active_directory'][vault_class]['item']
35
35
  }
36
36
  item = groomclass.getSecret(
37
- vault: server['active_directory'][vault_class]['vault'],
38
- item: server['active_directory'][vault_class]['item'],
37
+ vault: server['active_directory'][vault_class]['vault'],
38
+ item: server['active_directory'][vault_class]['item'],
39
39
  )
40
40
  ["username_field", "password_field"].each { |field|
41
41
  if !item.has_key?(server['active_directory'][vault_class][field])
@@ -50,8 +50,8 @@ module MU
50
50
  server['use_cloud_provider_windows_password'] = false
51
51
 
52
52
  server['vault_access'] << {
53
- "vault" => server['windows_auth_vault']['vault'],
54
- "item" => server['windows_auth_vault']['item']
53
+ "vault" => server['windows_auth_vault']['vault'],
54
+ "item" => server['windows_auth_vault']['item']
55
55
  }
56
56
  item = groomclass.getSecret(
57
57
  vault: server['windows_auth_vault']['vault'],
@@ -67,6 +67,7 @@ module MU
67
67
  # Check all of the non-special ones while we're at it
68
68
  server['vault_access'].each { |v|
69
69
  next if v['vault'] == "splunk" and v['item'] == "admin_user"
70
+ next if !v['vault'] # assumed to be the one the server or database will always have
70
71
  item = groomclass.getSecret(vault: v['vault'], item: v['item'])
71
72
  }
72
73
  rescue MuError
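Review bot: The new `next if !v['vault']` short-circuit skips the `getSecret` probe entirely for entries that rely on the resource's own vault, so a mistyped `item` in a vault-less `vault_access` entry is no longer caught at config-validation time even though the schema now permits that form; if the deploy-scoped vault name is resolvable at this point, resolving it here and probing would be safer, and otherwise a debug-level log that the entry was not verified would at least make the gap visible. The `item =` assignment is never read in this loop, so `groomclass.getSecret(vault: v['vault'], item: v['item'])` on its own would make the probe-only intent clearer. The enclosing method starts and ends outside the hunk.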
@@ -445,6 +446,21 @@ module MU
445
446
  "value_is" => "centos7",
446
447
  "set" => "centos"
447
448
  },
449
+ {
450
+ "key_is" => "platform",
451
+ "value_is" => "amazon",
452
+ "set" => "ec2-user"
453
+ },
454
+ {
455
+ "key_is" => "platform",
456
+ "value_is" => "amazon2",
457
+ "set" => "ec2-user"
458
+ },
459
+ {
460
+ "key_is" => "platform",
461
+ "value_is" => "amazon2023",
462
+ "set" => "ec2-user"
463
+ },
448
464
  {
449
465
  "key_is" => "platform",
450
466
  "value_is" => "centos8",
@@ -478,32 +494,32 @@ module MU
478
494
  "type" => "object",
479
495
  "description" => "Chef Node structure artifact for mu-tools cookbook.",
480
496
  },
481
- # Objects here will be stored in this node's Chef Vault
497
+ # Objects here will be stored in this node's Chef/Ansible/etc Vault
482
498
  "secrets" => {
483
499
  "type" => "object",
484
- "description" => "JSON artifact to be stored in Chef Vault for this node. Note that these values will still be stored in plain text local to the MU server, but only accessible to nodes via Vault."
500
+ "description" => "JSON artifact to be stored the appropriate groomer vault for this node. Note that these values will still be stored in plain text local to the MU server, but only accessible to nodes via Vault."
485
501
  },
486
502
  # This node will be granted access to the following Vault items.
487
503
  "vault_access" => {
488
- "type" => "array",
489
- "minItems" => 1,
490
- "items" => {
491
- "description" => "Chef Vault items to which this node should be granted access.",
492
- "type" => "object",
493
- "title" => "vault_access",
494
- "required" => ["vault", "item"],
495
- "additionalProperties" => false,
496
- "properties" => {
497
- "vault" => {
498
- "type" => "string",
499
- "description" => "The Vault to which this node should be granted access."
500
- },
501
- "item" => {
502
- "type" => "string",
503
- "description" => "The item within the Vault to which this node should be granted access."
504
- }
505
- }
504
+ "type" => "array",
505
+ "minItems" => 1,
506
+ "items" => {
507
+ "description" => "Chef Vault items to which this node should be granted access.",
508
+ "type" => "object",
509
+ "title" => "vault_access",
510
+ "required" => ["item"],
511
+ "additionalProperties" => false,
512
+ "properties" => {
513
+ "vault" => {
514
+ "type" => "string",
515
+ "description" => "The Vault to which this node should be granted access. If not specified, will resolve to this resource's own vault (ex +MYAPP-DEV-2021091617-QT-FOODB+)"
516
+ },
517
+ "item" => {
518
+ "type" => "string",
519
+ "description" => "The item within the Vault to which this node should be granted access."
520
+ }
506
521
  }
522
+ }
507
523
  },
508
524
  "existing_deploys" => {
509
525
  "type" => "array",
@@ -590,7 +606,7 @@ module MU
590
606
  "monitoring" => {
591
607
  "type" => "boolean",
592
608
  "default" => true,
593
- "description" => "Enable detailed instance monitoring.",
609
+ "description" => "Enable detailed cloud provider instance monitoring.",
594
610
  },
595
611
  "private_ip" => {
596
612
  "type" => "string",
@@ -41,14 +41,16 @@ module MU
41
41
  attr_reader :runtimecode
42
42
  attr_reader :valid_values
43
43
  attr_reader :is_list_element
44
+ attr_reader :is_flat_list
44
45
 
45
- def initialize(name, value, prettyname = nil, cloudtype = "String", valid_values = [], description = "", is_list_element = false, prefix: "", suffix: "", pseudo: false, runtimecode: nil, index: 0)
46
+ def initialize(name, value, prettyname = nil, cloudtype = "String", valid_values = [], description = "", is_list_element = false, prefix: "", suffix: "", pseudo: false, runtimecode: nil, index: 0, is_flat_list: false)
46
47
  @name = name
47
48
  @bindings = {}
48
49
  @value = value
49
50
  @valid_values = valid_values
50
51
  @pseudo = pseudo
51
52
  @index = index
53
+ @is_flat_list = is_flat_list
52
54
  @runtimecode = runtimecode
53
55
  @cloudtype = cloudtype
54
56
  @is_list_element = is_list_element
@@ -142,7 +144,7 @@ module MU
142
144
  # @param suffix [<String>]: A static String that should be appended to the stored value when queried
143
145
  # @param pseudo [<Boolean>]: This is a pseudo-parameter, automatically provided, and not available as user input.
144
146
  # @param runtimecode [<String>]: Actual code to allow the cloud layer to interpret literally in its own idiom, e.g. '"Ref" : "AWS::StackName"' for CloudFormation
145
- def getTail(param, value: nil, prettyname: nil, cloudtype: "String", valid_values: [], description: nil, list_of: nil, prefix: "", suffix: "", pseudo: false, runtimecode: nil)
147
+ def getTail(param, value: nil, prettyname: nil, cloudtype: "String", valid_values: [], description: nil, list_of: nil, flat_list: false, prefix: "", suffix: "", pseudo: false, runtimecode: nil)
146
148
  param = param.gsub(/[^a-z0-9_]/i, "_")
147
149
  if value.nil?
148
150
  if @@parameters.nil? or !@@parameters.has_key?(param)
@@ -156,23 +158,30 @@ module MU
156
158
  if !prettyname.nil?
157
159
  prettyname.gsub!(/[^a-z0-9]/i, "") # comply with CloudFormation restrictions
158
160
  end
161
+
159
162
  if value.is_a?(MU::Config::Tail)
160
163
  MU.log "Parameter #{param} is using a nested parameter as a value. This rarely works, depending on the target cloud. YMMV.", MU::WARN
161
164
  tail = MU::Config::Tail.new(param, value, prettyname, cloudtype, valid_values, description, prefix: prefix, suffix: suffix, pseudo: pseudo, runtimecode: runtimecode)
162
- elsif !list_of.nil? or (@@tails.has_key?(param) and @@tails[param].is_a?(Array))
165
+ elsif !list_of.nil? or flat_list or (@@tails.has_key?(param) and @@tails[param].is_a?(Array))
163
166
  tail = []
164
167
  count = 0
165
168
  value.split(/\s*,\s*/).each { |subval|
166
169
  if @@tails.has_key?(param) and !@@tails[param][count].nil?
167
- subval = @@tails[param][count].values.first.to_s if subval.nil?
168
- list_of = @@tails[param][count].values.first.getName if list_of.nil?
169
- prettyname = @@tails[param][count].values.first.getPrettyName if prettyname.nil?
170
- description = @@tails[param][count].values.first.description if description.nil?
171
- valid_values = @@tails[param][count].values.first.valid_values if valid_values.nil? or valid_values.empty?
172
- cloudtype = @@tails[param][count].values.first.getCloudType if @@tails[param][count].values.first.getCloudType != "String"
170
+ src = @@tails[param][count].is_a?(Hash) ? @@tails[param][count].values.first : @@tails[param][count]
171
+ subval ||= src.to_s
172
+ is_flat_list = !(@@tails[param][count].is_a?(Hash))
173
+ list_of ||= src.getName
174
+ prettyname ||= src.getPrettyName
175
+ description ||= src.description
176
+ valid_values = src.valid_values if valid_values.nil? or valid_values.empty?
177
+ cloudtype = src.getCloudType if src.getCloudType != "String"
173
178
  end
174
179
  prettyname = param.capitalize if prettyname.nil?
175
- tail << { list_of => MU::Config::Tail.new(list_of, subval, prettyname, cloudtype, valid_values, description, true, pseudo: pseudo, index: count) }
180
+ if !is_flat_list and list_of
181
+ tail << { list_of => MU::Config::Tail.new(list_of, subval, prettyname, cloudtype, valid_values, description, true, pseudo: pseudo, index: count) }
182
+ else
183
+ tail << MU::Config::Tail.new(param, subval, prettyname, cloudtype, valid_values, description, true, pseudo: pseudo, index: count, is_flat_list: true)
184
+ end
176
185
  count = count + 1
177
186
  }
178
187
  else
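Review bot: `is_flat_list` is only assigned inside the `if @@tails.has_key?(param) and !@@tails[param][count].nil?` branch, so when that branch is skipped the later `if !is_flat_list and list_of` relies on the local evaluating to nil; it behaves correctly (hash form when `list_of` is set, flat form otherwise), but an explicit `is_flat_list = false` before the `value.split(/\s*,\s*/)` loop would make that fall-through intentional rather than accidental. `subval ||= src.to_s` can never fire because `subval` comes from `String#split` and is never nil, so it is dead code carried over from the old `if subval.nil?` guard and can be dropped. `getTail` begins before and ends after this hunk.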
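--- a/data/modules/mu/config.rb
+++ b/data/modules/mu/config.rb
@@ -341,9 +341,9 @@ module MU
  end
  end
  if param.has_key?("cloudtype")
- getTail(param['name'], value: @@parameters[param['name']], cloudtype: param["cloudtype"], valid_values: param['valid_values'], description: param['description'], prettyname: param['prettyname'], list_of: param['list_of'])
+ getTail(param['name'], value: @@parameters[param['name']], cloudtype: param["cloudtype"], valid_values: param['valid_values'], description: param['description'], prettyname: param['prettyname'], list_of: param['list_of'], flat_list: param['list'])
  else
- getTail(param['name'], value: @@parameters[param['name']], valid_values: param['valid_values'], description: param['description'], prettyname: param['prettyname'], list_of: param['list_of'])
+ getTail(param['name'], value: @@parameters[param['name']], valid_values: param['valid_values'], description: param['description'], prettyname: param['prettyname'], list_of: param['list_of'], flat_list: param['list'])
  end
  }
  end
@@ -435,8 +435,8 @@ module MU
  # @param resource [Hash]
  # @param name [String]
  # @param type [String]
- # @param phase [String]
- # @param no_create_wait [Boolean]
+ # @param their_phase [String]
+ # @param my_phase [String]
  def self.addDependency(resource, name, type, their_phase: "create", my_phase: nil)
  if ![nil, "create", "groom"].include?(their_phase)
  raise MuError, "Invalid their_phase '#{their_phase}' while adding dependency #{type} #{name} to #{resource['name']}"
@@ -828,7 +828,7 @@ module MU
  begin
  JSON::Validator.validate!(myschema, plain_cfg)
  rescue JSON::Schema::ValidationError
- pp plain_cfg
+ puts PP.pp(plain_cfg, '').bold
  # Use fully_validate to get the complete error list, save some time
  errors = JSON::Validator.fully_validate(myschema, plain_cfg)
  realerrors = []
@@ -1163,6 +1163,7 @@ module MU
  myAZ = $myAZ
  myRegion = $myRegion
  myAppName = $myAppName
+ credentials = @default_credentials ? @default_credentials : "default"
 
  # return MU::Config.global_bindings[keyset] if MU::Config.global_bindings[keyset]
  MU::Config.global_bindings[keyset] = binding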
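Review bot: `puts PP.pp(plain_cfg, '').bold` prints the entire parsed configuration to stdout whenever schema validation fails, and the server schema elsewhere in this diff lets that configuration carry a `secrets` object plus vault references, so a typo in an unrelated key will echo whatever secret material the user inlined to the terminal and to any captured CI or deploy log; consider redacting known-sensitive keys before pretty-printing, or printing only the failing paths that `fully_validate` already returns a few lines below. `.bold` on a String is presumably supplied by a core-class extension loaded elsewhere; if that helper is ever missing, the rescue itself raises `NoMethodError` and the validation errors are never reported, so guarding it would be prudent. The added `credentials = @default_credentials ? @default_credentials : "default"` reads more simply as `credentials = @default_credentials || "default"`.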
@@ -1,66 +1,53 @@
1
1
  ---
2
- rhel71: &5
3
- us-east-1: ami-0c834836b3bd45e2f
4
- ap-northeast-1: ami-036bb589253fe929e
5
- ap-northeast-2: ami-0e39b4957dbc7e14d
6
- ap-south-1: ami-0cd0554d9a05dddc9
7
- ap-southeast-1: ami-0bae2684e9ed09b8b
8
- ap-southeast-2: ami-0711ccf93abe3989b
9
- ca-central-1: ami-0d75d90f73e417c25
10
- eu-central-1: ami-0cae3cb53b9bbd783
11
- eu-north-1: ami-0cd30fe8547a809f7
12
- eu-west-1: ami-01441cca97c35eb0e
13
- eu-west-2: ami-051aaf1b532b3e6bc
14
- eu-west-3: ami-09a7af6793a3e8d09
15
- sa-east-1: ami-0c4064cfe711311d5
16
- us-east-2: ami-0124fd8917f59f8ce
17
- us-west-1: ami-00457c55541605cb4
18
- us-west-2: ami-02211d4e254a9e10f
19
- centos6: &4
20
- us-east-1: ami-0ac9258984ed4bb4a
21
- us-east-2: ami-09888b2b4484f774a
22
- us-west-1: ami-04e7e499cdb873bfa
23
- us-west-2: ami-0fcd16e6cf3c4b100
24
- ap-northeast-1: ami-098052d1926fd4297
25
- ap-northeast-2: ami-0319e58869a7b5bf2
26
- ap-south-1: ami-0d19f7ad27c77cbf6
27
- ap-southeast-1: ami-04b6b2013a296075c
28
- ap-southeast-2: ami-07f02efb410df7e1d
29
- ca-central-1: ami-0e7cc87df5666a78c
30
- eu-central-1: ami-0cc33b333c7b7acd6
31
- eu-north-1: ami-0bc09b1d6b4f351ea
32
- eu-west-1: ami-08a7f444dba463099
33
- eu-west-2: ami-0e84e5ba9694be11b
34
- eu-west-3: ami-08e28291804571999
35
- sa-east-1: ami-0b447e11308862517
36
- centos7:
37
- us-east-1: ami-08d24209f345a21ab
38
- ap-northeast-1: ami-001cfcb3548768288
39
- ap-northeast-2: ami-0a2f6ec79ed710bf7
40
- ap-south-1: ami-05e0c30fc8b2a21a2
41
- ap-southeast-1: ami-0b28f5573dd4aa62a
42
- ap-southeast-2: ami-026419375863852b7
43
- ca-central-1: ami-01e799689fa5c1f31
44
- eu-central-1: ami-0ded33da6c28082d8
45
- eu-north-1: ami-02c7692e69b06afc5
46
- eu-west-1: ami-086619450a959a101
47
- eu-west-2: ami-05db24096d56207f6
48
- eu-west-3: ami-03ea610526da7c2f3
49
- sa-east-1: ami-0029cb6ee83a799ca
50
- us-east-2: ami-065847253b2d4acab
51
- us-west-1: ami-0ea3494c08412920e
52
- us-west-2: ami-055ce4c70b0ceabcb
53
- ubuntu16: &3
54
- us-east-1: ami-bcdc16c6
55
- us-west-1: ami-1b17257b
56
- us-west-2: ami-19e92861
57
- eu-west-1: ami-eed00d97
58
- eu-central-1: ami-e613ac89
59
- sa-east-1: ami-1ca7d970
60
- ap-northeast-1: ami-6959870f
61
- ap-northeast-2: ami-08d77266
62
- ap-southeast-1: ami-d9dca7ba
63
- ap-southeast-2: ami-02ad4060
2
+ ubuntu20: &3
3
+ af-south-1: ami-0670428c515903d37
4
+ ap-east-1: ami-0350928fdb53ae439
5
+ ap-northeast-1: ami-0a3eb6ca097b78895
6
+ ap-south-1: ami-05ba3a39a75be1ec4
7
+ ap-southeast-1: ami-0750a20e9959e44ff
8
+ ca-central-1: ami-073c944d45ffb4f27
9
+ eu-central-1: ami-02584c1c9d05efa69
10
+ eu-north-1: ami-09f0506c9ef0fb473
11
+ eu-south-1: ami-06ea0ad3f5adc2565
12
+ eu-west-1: ami-00e7df8df28dfa791
13
+ me-south-1: ami-05b680b37c7917206
14
+ sa-east-1: ami-077518a464c82703b
15
+ us-east-1: ami-0c4f7023847b90238
16
+ us-west-1: ami-0487b1fe60c1fd1a2
17
+ af-south-1: ami-000ab2cb7ff83c5eb
18
+ ap-east-1: ami-0827918a2d84bd005
19
+ ap-northeast-1: ami-079a259b40675acc6
20
+ ap-south-1: ami-075ebde7b27c12bc0
21
+ ap-southeast-1: ami-04be67a4d5cb63d4e
22
+ ca-central-1: ami-071c767dd20b7339f
23
+ eu-central-1: ami-064768e636ea1ae04
24
+ eu-north-1: ami-053d8a8a6f91d4aec
25
+ eu-south-1: ami-0b273191310849e2d
26
+ eu-west-1: ami-009c3f9c3bfcf00f0
27
+ me-south-1: ami-0151ae040b710b0cf
28
+ sa-east-1: ami-0c6915838c72f6d16
29
+ us-east-1: ami-0d70a59d7191a8079
30
+ us-west-1: ami-06c272cb6ba6b812d
31
+ us-gov-east-1: ami-0eb7ef4cc0594fa04
32
+ us-gov-west-1: ami-029a634618d6c0300
33
+ us-gov-east-1: ami-00675642586ed8b16
34
+ us-gov-west-1: ami-0947a235367a203c9
35
+ ap-northeast-2: ami-0225bc2990c54ce9a
36
+ ap-southeast-2: ami-0d539270873f66397
37
+ eu-west-2: ami-00826bd51e68b1487
38
+ us-east-2: ami-0eea504f45ef7a8f7
39
+ us-west-2: ami-0cb4e786f15603b0d
40
+ ap-northeast-2: ami-032ce4dc565d286ec
41
+ ap-southeast-2: ami-06d39abb1664bf70e
42
+ eu-west-2: ami-07c7023e96cb88196
43
+ us-east-2: ami-008e02c1f94100fd9
44
+ us-west-2: ami-025fc2c61f9333edc
45
+ ap-northeast-3: ami-0c2223049202ca738
46
+ ap-southeast-3: ami-0f06496957d1fe04a
47
+ eu-west-3: ami-0a21d1c76ac56fee7
48
+ ap-northeast-3: ami-0a4d5c02a15b5ea05
49
+ ap-southeast-3: ami-05469598f0bccf936
50
+ eu-west-3: ami-0190e6d0d8c1fe02d
64
51
  ubuntu14:
65
52
  us-east-1: ami-663a6e0c
66
53
  us-west-1: ami-13988772
@@ -73,57 +60,33 @@ ubuntu14:
73
60
  ap-southeast-1: ami-2855964b
74
61
  ap-southeast-2: ami-d19fc4b2
75
62
  win2k12r2: &1
76
- us-east-1: ami-0d28b9a40ed446e35
77
- us-east-2: ami-010d247b7ee850d55
78
- ca-central-1: ami-0c223858875f62d11
79
- us-west-2: ami-01d188c5c06078fee
80
- us-west-1: ami-0dbcc051c49ec24ec
81
- eu-west-1: ami-080c7b4d6e32bf9f3
82
- eu-west-2: ami-01b1edb5894a54bcc
83
- eu-west-3: ami-09445cdc7a2acb1c0
84
- eu-north-1: ami-0093cc63496e435df
85
- sa-east-1: ami-04d015c8b371ba7b3
86
- eu-central-1: ami-04d6144bcbb029141
87
- ap-northeast-1: ami-07fad72f121aa157c
88
- ap-south-1: ami-0b3241fd09b1ce87f
89
- ap-northeast-2: ami-0ba7cd822e36dc0df
90
- ap-southeast-1: ami-0648522a4cb50953c
91
- ap-southeast-2: ami-0fc0bd73cd61a970f
92
- win2k16: &2
93
- us-east-1: ami-018151f8c8339a093
94
- us-east-2: ami-09e045936c7d9ecd5
95
- ca-central-1: ami-0a16abf0f1c35667a
96
- us-west-2: ami-00d4216f80a82894d
97
- eu-west-1: ami-07afc1525928ccad7
98
- us-west-1: ami-0d2f7d4198b79a625
99
- eu-west-2: ami-04eb62f17efc84a37
100
- eu-west-3: ami-0b4affcd5848cf50c
101
- eu-central-1: ami-0a92ae047ebc7a3da
102
- sa-east-1: ami-0cc9a87c95fb37832
103
- ap-northeast-1: ami-014c730050acef11d
104
- ap-south-1: ami-0c3c8739263aa4844
105
- ap-northeast-2: ami-0018a05eb15503b5e
106
- ap-southeast-2: ami-0b50bfbb507285a89
107
- ap-southeast-1: ami-073c677bcf225774a
108
- eu-north-1: ami-09bb6d618593f2e7f
109
- win2k19:
110
- us-east-1: ami-09c18c34c341f2b6a
111
- us-east-2: ami-030371d5ee8881350
112
- ca-central-1: ami-018e5bf45c30fa58f
113
- us-west-2: ami-07d1e5c4f906877e1
114
- eu-west-2: ami-0b9d95fef44aa7c11
115
- us-west-1: ami-0e7e082d6fa1769f3
116
- eu-west-1: ami-05573fafa080144b6
117
- eu-central-1: ami-0122b027c265988ea
118
- eu-west-3: ami-0ba7c0a3dc4148b6a
119
- eu-north-1: ami-03d8c3307f72f9847
120
- sa-east-1: ami-0d0f66c3e0dfc09ee
121
- ap-northeast-2: ami-07eff56de9293ab16
122
- ap-northeast-1: ami-020fb790a3bed4cda
123
- ap-southeast-1: ami-0b5d036d6d711a4c8
124
- ap-southeast-2: ami-0fff96935fef7bf60
125
- ap-south-1: ami-030ec249497f66a33
126
- amazon:
63
+ us-east-1: ami-0fc211ea56b172cdb
64
+ us-east-2: ami-0c559960e17c7bbff
65
+ us-west-2: ami-0c2a974f145ad7b53
66
+ us-west-1: ami-0b4e0252dffc41c98
67
+ win2k16:
68
+ us-east-1: ami-02ae3989c58aefad5
69
+ us-east-2: ami-0269af40607a3ba35
70
+ us-west-1: ami-0051dca2f308635c0
71
+ us-west-2: ami-0d6eeeae0729c800c
72
+ win2k19: &2
73
+ us-east-1: ami-075ac92102843eaa9
74
+ us-east-2: ami-0655085ead3f9a05d
75
+ us-west-1: ami-08e8fdee01486e656
76
+ us-west-2: ami-0e5f0bd903025b4b6
77
+ centos7: &4
78
+ us-east-1: ami-021a033508ff35a45
79
+ us-east-2: ami-0eac2356dec5e031a
80
+ us-west-2: ami-05568b0fd4ad69d41
81
+ us-west-1: ami-0318b20ca171e16f0
82
+ rhel79: &5
83
+ us-east-1: ami-099b4dbc8b9cdee98
84
+ us-east-2: ami-03be73fea244ae122
85
+ us-west-1: ami-0c2b107078c52b02e
86
+ us-west-2: ami-0557fe078d2fcf2bf
87
+ amazon2023: &6
88
+ us-east-1: ami-066784287e358dad1
89
+ amazon2:
127
90
  us-east-1: ami-b73b63a0
128
91
  us-east-2: ami-58277d3d
129
92
  us-west-1: ami-23e8a343
@@ -142,4 +105,5 @@ ubuntu: *3
142
105
  centos: *4
143
106
  rhel7: *5
144
107
  rhel: *5
145
- linux: *4
108
+ linux: *6
109
+ amazon: *6
data/modules/mu/deploy.rb CHANGED
@@ -684,7 +684,6 @@ MESSAGE_END
684
684
  if !@updating or mode != "create"
685
685
  myservice = run_this_method.call
686
686
  else
687
-
688
687
  # XXX experimental create behavior for --liveupdate flag, only works on a couple of resource types. Inserting new resources into an old deploy is tricky.
689
688
  opts = {}
690
689
  if myservice["#MU_CLOUDCLASS"].cfg_name == "loadbalancer"
@@ -705,7 +704,15 @@ MESSAGE_END
705
704
  )
706
705
 
707
706
  found = found.delete_if { |x|
708
- x.cloud_id.nil? and x.cloudobj.cloud_id.nil?
707
+ failed = (x.cloud_id.nil? and x.cloudobj.cloud_id.nil?)
708
+ if !failed
709
+ begin
710
+ failed = true if !x.cloud_desc
711
+ rescue StandardError
712
+ failed = true
713
+ end
714
+ end
715
+ failed
709
716
  }
710
717
 
711
718
  if found.size == 0
@@ -129,10 +129,18 @@ module MU
129
129
  MU.log "Calling groomer method #{method}", MU::DEBUG, details: ["sensitive output suppress"]
130
130
  end
131
131
  begin
132
- if !args.nil? and args.size == 1
133
- retval = @groomer_obj.method(method).call(args.first)
134
- elsif !args.nil? and args.size > 0
135
- retval = @groomer_obj.method(method).call(*args)
132
+ if !args.nil?
133
+ if args.is_a?(Hash)
134
+ retval = @groomer_obj.method(method).call(**args)
135
+ elsif args.is_a?(Array)
136
+ if args.size == 1 and args.first.is_a?(Hash)
137
+ retval = @groomer_obj.method(method).call(**args.first)
138
+ else
139
+ retval = @groomer_obj.method(method).call(*args)
140
+ end
141
+ else
142
+ retval = @groomer_obj.method(method).call(args)
143
+ end
136
144
  else
137
145
  retval = @groomer_obj.method(method).call
138
146
  end
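Review bot: In the `found.delete_if` hunk (`@@ -705,7 +704,15`), the new `rescue StandardError` converts any exception from `x.cloud_desc` into `failed = true` and silently drops the resource, so a throttled, timed-out or permission-denied describe call becomes indistinguishable from a resource that genuinely no longer exists; since `if found.size == 0` follows immediately, that presumably sends the liveupdate path down the create branch and provisions a duplicate of a resource that is still live. The rescue should at least capture and log the error so an operator can tell the two cases apart, e.g. `rescue StandardError => e` followed by `MU.log "cloud_desc failed for #{x.cloud_id || x.cloudobj.cloud_id}, treating as missing", MU::WARN, details: e.message` before `failed = true` (assuming `MU.log` has a WARN level alongside the `MU::DEBUG` used in the later hunk). Distinguishing a not-found response from API or auth failures and aborting rather than recreating on the latter would be safer still, but that depends on what `cloud_desc` raises, which is not visible here. The enclosing method starts and ends outside the hunk.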