RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/modules/mu/providers/aws/database.rb CHANGED Viewed

@@ -148,8 +148,11 @@ module MU
             end
           @mu_name.gsub(/(--|-$)/i, "").gsub(/(_)/, "-").gsub!(/^[^a-z]/i, "")
+          @cloud_id ||= @mu_name # XXX ??? MMMFFF
           if @config.has_key?("parameter_group_family")
             @config["parameter_group_name"] ||= @mu_name
+            @config["parameter_group_name"].downcase!
           end
           if args[:from_cloud_desc] and args[:from_cloud_desc].is_a?(Aws::RDS::Types::DBCluster)
@@ -510,8 +513,11 @@ dependencies
           if create
             MU.log "Creating a #{cluster ? "cluster" : "database" } parameter group #{@config["parameter_group_name"]}"
-            MU::Cloud::AWS.rds(region: @region, credentials: @credentials).send(cluster ? :create_db_cluster_parameter_group : :create_db_parameter_group, params)
+            begin
+              MU::Cloud::AWS.rds(region: @region, credentials: @credentials).send(cluster ? :create_db_cluster_parameter_group : :create_db_parameter_group, params)
+            rescue Aws::RDS::Errors::DBParameterGroupAlreadyExists => e
+              MU.log e.message, MU::WARN
+            end
           end
@@ -546,11 +552,58 @@ dependencies
           end
         end
+        # If we've declared special option group options, ensure that we have
+        # an option group of the same name as our database instance with the
+        # correct settings.
+        # @return [String]: The name of the option group our database should use
+        def manageOptionGroup
+          if @config['option_group_options'] and !@config['option_group_options'].empty?
+            og = begin
+              MU::Cloud::AWS.rds(region: @region, credentials: @credentials).describe_option_groups(
+                option_group_name: @mu_name
+              ).option_groups_list.first
+            rescue Aws::RDS::Errors::OptionGroupNotFoundFault
+              MU.log "Creating Option Group #{@mu_name} for #{@config['engine']} #{@config['major_version']} database #{@mu_name}"
+              MU::Cloud::AWS.rds(region: @region, credentials: @credentials).create_option_group(
+                engine_name: @config['engine'],
+                major_engine_version: @config['major_version'],
+                option_group_name: @mu_name,
+                option_group_description: @deploy_id
+              ).option_group
+            end
+            need = []
+            ext_options = og.options.map { |o| o.option_name }
+            @config['option_group_options'].each { |opt|
+              if !ext_options.include?(opt)
+                need << { option_name: opt }
+              end
+            }
+            if !need.empty?
+              MU.log "Modifying Option Group #{@mu_name}", MU::NOTICE, need
+              MU::Cloud::AWS.rds(region: @region, credentials: @credentials).modify_option_group(
+                option_group_name: @mu_name,
+                apply_immediately: true,
+                options_to_include: need
+              )
+            end
+            @mu_name
+          # Otherwise if we've declared a non-default option group, ensure that
+          # we're using it.
+          elsif @config['option_group']
+            @config['option_group']
+          else
+            nil
+          end
+        end
         # Called automatically by {MU::Deploy#createResources}
         def groom
           cloud_desc(use_cache: false)
           manageSubnetGroup if @vpc
-          manageDbParameterGroup(@config["create_cluster"], create: false)
+          manageDbParameterGroup(@config["create_cluster"])
           noun = @config['create_cluster'] ? "cluster" : "instance"
@@ -575,6 +628,55 @@ dependencies
             mods[:vpc_security_group_ids] = @config["vpc_security_group_ids"]
           end
+          option_group_name = manageOptionGroup
+          if cloud_desc.option_group_memberships.first.option_group_name != option_group_name
+            mods[:option_group_name] = option_group_name
+          end
+          # If we've declared special option group options, ensure that we have
+          # an option group of the same name as our database instance with the
+          # correct settings.
+          if @config['option_group_options'] and !@config['option_group_options'].empty?
+            og = begin
+              MU::Cloud::AWS.rds(region: @region, credentials: @credentials).describe_option_groups(
+                option_group_name: @mu_name
+              ).option_groups_list.first
+            rescue Aws::RDS::Errors::OptionGroupNotFoundFault
+              MU.log "Creating Option Group #{@mu_name} for #{@config['engine']} #{@config['major_version']} database #{@mu_name}"
+              MU::Cloud::AWS.rds(region: @region, credentials: @credentials).create_option_group(
+                engine_name: @config['engine'],
+                major_engine_version: @config['major_version'],
+                option_group_name: @mu_name,
+                option_group_description: @deploy_id
+              ).option_group
+            end
+            need = []
+            ext_options = og.options.map { |o| o.option_name }
+            @config['option_group_options'].each { |opt|
+              if !ext_options.include?(opt)
+                need << { option_name: opt }
+              end
+            }
+            if !need.empty?
+              MU.log "Modifying Option Group #{@mu_name}", MU::NOTICE, need
+              MU::Cloud::AWS.rds(region: @region, credentials: @credentials).modify_option_group(
+                option_group_name: @mu_name,
+                apply_immediately: true,
+                options_to_include: need
+              )
+            end
+            if cloud_desc.option_group_memberships.first.option_group_name != @mu_name
+              mods[:option_group_name] = @mu_name
+            end
+          # Otherwise if we've declared a non-default option group, ensure that
+          # we're using it.
+          elsif @config['option_group'] and cloud_desc.option_group_memberships.first.option_group_name != @config['option_group']
+            mods[:option_group_name] = @config['option_group']
+          end
           if @config['cloudwatch_logs'] and cloud_desc.enabled_cloudwatch_logs_exports.sort != @config['cloudwatch_logs'].sort
             mods[:cloudwatch_logs_export_configuration] = {
@@ -614,7 +716,9 @@ dependencies
             mods[:apply_immediately] = true
             mods[:allow_major_version_upgrade] = true
             wait_until_available
-            MU::Cloud::AWS.rds(region: @region, credentials: @credentials).send("modify_db_#{noun}".to_sym, mods)
+            MU.retrier([Aws::RDS::Errors::InvalidDBInstanceState, Aws::RDS::Errors::InvalidParameterValue], wait: 60, max: 15) {
+              MU::Cloud::AWS.rds(region: @region, credentials: @credentials).send("modify_db_#{noun}".to_sym, mods)
+            }
             wait_until_available
           end
@@ -812,7 +916,7 @@ dependencies
           threads = threaded_resource_purge(:describe_db_subnet_groups, :db_subnet_groups, :db_subnet_group_name, "subgrp", region, credentials, ignoremaster, known: flags['known'], deploy_id: deploy_id) { |id|
             MU.log "Deleting RDS subnet group #{id}"
-            MU.retrier([Aws::RDS::Errors::InvalidDBSubnetGroupStateFault], wait: 30, max: 5, ignoreme: [Aws::RDS::Errors::DBSubnetGroupNotFoundFault]) {
+            MU.retrier([Aws::RDS::Errors::InvalidDBSubnetGroupStateFault], wait: 60, max: 10, ignoreme: [Aws::RDS::Errors::DBSubnetGroupNotFoundFault]) {
               MU::Cloud::AWS.rds(region: region, credentials: credentials).delete_db_subnet_group(db_subnet_group_name: id) if !noop
             }
           }
@@ -820,7 +924,7 @@ dependencies
           ["db", "db_cluster"].each { |type|
             threads.concat threaded_resource_purge("describe_#{type}_parameter_groups".to_sym, "#{type}_parameter_groups".to_sym, "#{type}_parameter_group_name".to_sym, (type == "db" ? "pg" : "cluster-pg"), region, credentials, ignoremaster, known: flags['known'], deploy_id: deploy_id) { |id|
               MU.log "Deleting RDS #{type} parameter group #{id}"
-              MU.retrier([Aws::RDS::Errors::InvalidDBParameterGroupState], wait: 30, max: 5, ignoreme: [Aws::RDS::Errors::DBParameterGroupNotFound]) {
+              MU.retrier([Aws::RDS::Errors::InvalidDBParameterGroupState], wait: 60, max: 10, ignoreme: [Aws::RDS::Errors::DBParameterGroupNotFound]) {
                 MU::Cloud::AWS.rds(region: region, credentials: credentials).send("delete_#{type}_parameter_group", { "#{type}_parameter_group_name".to_sym => id }) if !noop
               }
             }
@@ -862,7 +966,6 @@ dependencies
             }
           }
           schema = {
             "db_parameter_group_parameters" => rds_parameters_primitive,
             "cluster_parameter_group_parameters" => rds_parameters_primitive,
@@ -881,8 +984,21 @@ dependencies
               "type" => "string",
               "default" => "gp2"
             },
+            "option_group" => {
+              "description" => "The name of a non-default RDS option group to use with this instance/cluster (this will be ignored if +option_group_options+ is declared).",
+              "type" => "string"
+            },
+            "option_group_options" => {
+              "description" => "One or more option group options to enable, with default settings. If specified, +option_group+ will be overridden.",
+              "type" => "array",
+              "items" => {
+                "type" => "string",
+                "description" => "Option group identifiers supported by the relevant database engine, such as +MARIADB_AUDIT_PLUGIN+ for MariaDB/MySQL. See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithOptionGroups.html for current options."
+              }
+            },
             "cloudwatch_logs" => {
               "type" => "array",
+              "description" => "Enable output of logs to CloudWatch",
               "items" => {
                 "type" => "string",
                 "enum" => ["audit", "error", "general", "slowquery", "profiler", "postgresql", "alert", "listener", "trace", "upgrade", "agent"]
@@ -950,10 +1066,13 @@ dependencies
                 "versions" => [],
                 "families" => [],
                 "features" => {},
+                "options" => {},
                 "raw" => {}
               }
               engines[version.engine]['versions'] << version.engine_version
               engines[version.engine]['families'] << version.db_parameter_group_family
+              engines[version.engine]['options'][version.major_engine_version] ||= MU::Cloud::AWS.rds().describe_option_group_options(engine_name: version.engine, major_engine_version: version.major_engine_version).option_group_options.map { |o| o.name }
               engines[version.engine]['raw'][version.engine_version] = version
               [:supports_read_replica, :supports_log_exports_to_cloudwatch_logs].each { |feature|
                 if version.respond_to?(feature) and version.send(feature) == true
@@ -976,7 +1095,7 @@ dependencies
           @@engine_cache[credentials][region] = engines
           return engine ? @@engine_cache[credentials][region][engine] : @@engine_cache[credentials][region]
         end
-        private_class_method :get_supported_engines
+#        private_class_method :get_supported_engines
         # Make sure any source database/cluster/snapshot we've asked for exists
         # and is valid.
@@ -1039,6 +1158,28 @@ dependencies
         end
         private_class_method :validate_master_password
+        def self.valid_option_group_options?(db)
+          return true if !db['option_group_options'] or db['option_group_options'].empty?
+          engine = get_supported_engines(db['region'], db['credentials'], engine: db['engine'])
+          if engine.nil? or !engine['options'] or !engine['raw'][db['engine_version']]
+            return true # we can't be sure, so let the API sort it out later
+          end
+          major_version = engine['raw'][db['engine_version']].major_engine_version
+          return true if !engine['options'][major_version]
+          ok = true
+          db['option_group_options'].each { |opt|
+            if !engine['options'][major_version].include?(opt)
+              MU.log "#{opt} not a valid Option Group entry for #{db['engine']} #{major_version}", MU::ERR, details: engine['options'][major_version]
+              ok = false
+            end
+          }
+          ok
+        end
+        private_class_method :valid_option_group_options?
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::databases}, bare and unvalidated.
         # @param db [Hash]: The resource to process and validate
         # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a ember
@@ -1054,6 +1195,17 @@ dependencies
           ok = false if !valid_cloudwatch_logs?(db)
+          ok = false if !valid_option_group_options?(db)
+          engine = self.get_supported_engines(
+            db['region'],
+            db['credentials'],
+            engine: db['engine']
+          )
+          if engine and engine['raw'] and engine['raw'][db['engine_version']]
+            db['major_version'] = engine['raw'][db['engine_version']].major_engine_version
+          end
           db["license_model"] ||=
             if ["postgres", "postgresql", "aurora-postgresql"].include?(db["engine"])
               "postgresql-license"
@@ -1346,6 +1498,7 @@ dependencies
           MU.retrier([Aws::RDS::Errors::InvalidParameterValue, Aws::RDS::Errors::DBSubnetGroupNotFoundFault], max: 10, wait: 15) {
             if %w{existing_snapshot new_snapshot}.include?(@config["creation_style"])
+              params[:option_group_name] = manageOptionGroup
               clean_parent_opts.call
               MU.log "Creating database #{noun} #{@cloud_id} from snapshot #{@config["snapshot_id"]}"
               MU::Cloud::AWS.rds(region: @region, credentials: @credentials).send("restore_db_#{noun}_from_#{noun == "instance" ? "db_" : ""}snapshot".to_sym, params)

data/modules/mu/providers/aws/dnszone.rb CHANGED Viewed

@@ -588,12 +588,17 @@ module MU
             ip = nil
             records = []
-            lookup = MU::Cloud::AWS.route53(credentials: credentials).list_resource_record_sets(
-              hosted_zone_id: mu_zone.id,
-              start_record_name: "#{dns_name}.platform-mu",
-              start_record_type: record_type,
-              max_items: 1
-            ).resource_record_sets
+            begin
+              lookup = MU::Cloud::AWS.route53(credentials: credentials).list_resource_record_sets(
+                hosted_zone_id: mu_zone.id,
+                start_record_name: "#{dns_name}.platform-mu",
+                start_record_type: record_type,
+                max_items: 1
+              ).resource_record_sets
+            rescue Aws::Route53::Errors::InvalidInput => e
+              MU.log "Failed to look up record during #{delete ? "delete" : "add"}: "+e.message, MU::ERR, details: { "hosted_zone_id" => mu_zone.id, "start_record_name" => "#{dns_name}.platform-mu", "start_record_type" => record_type }
+              return nil
+            end
             lookup.each { |record|
               if record.name.match(/^#{dns_name}\.platform-mu/i) and record.type == record_type

data/modules/mu/providers/aws/endpoint.rb CHANGED Viewed

@@ -13,14 +13,54 @@ module MU
         # Called automatically by {MU::Deploy#createResources}
         def create
-          resp = MU::Cloud::AWS.apig(region: @region, credentials: @credentials).create_rest_api(
+          desc = {
             name: @mu_name,
             description: @deploy.deploy_id,
             endpoint_configuration: {
-              types: ["REGIONAL"] # XXX expose in BoK ["REGIONAL", "EDGE", "PRIVATE"]
+              types: [@config['endpoint_type']]
             },
             tags: @tags
-          )
+          }
+# XXX NLB? what the fork?
+#          if @vpc
+#            MU::Cloud::AWS.apig(region: @region, credentials: @credentials).create_vpc_link(
+#              name: @mu_name,
+#              target_arns: [Required] The ARN of the network load balancer of the VPC targeted by the VPC link. The network load balancer must be owned by the same AWS account of the API owner.
+#              tags: @tags
+#            )
+#          end
+# XXX this is incomplete; need to cover non-VPC case, IP ranges, and fall back on account number if all else fails
+          if @config['endpoint_type'] == "PRIVATE"
+            desc[:policy] = JSON.generate(
+              {
+                "Version" => "2012-10-17",
+                "Statement" => [
+                  {
+                    "Effect" => "Deny",
+                    "Principal" => "*",
+                    "Action" => "execute-api:Invoke",
+                    "Resource" => "arn:aws:execute-api:#{@region}:#{MU::Cloud::AWS.credToAcct(@credentials)}:*/*/*/*",
+                    "Condition" => {
+                      "StringNotEquals" => {
+                        "aws =>sourceVpc": @vpc.cloud_id
+                      }
+                    }
+                  },
+                  {
+                    "Effect" => "Allow",
+                    "Principal" => "*",
+                    "Action" => "execute-api:Invoke",
+                    "Resource" => "arn:aws:execute-api:#{@region}:#{MU::Cloud::AWS.credToAcct(@credentials)}:*/*/*/*"
+                  }
+                ]
+              }
+            )
+          end
+          resp = MU::Cloud::AWS.apig(region: @region, credentials: @credentials).create_rest_api(desc)
           @cloud_id = resp.id
           generate_methods(false)
         end
@@ -629,6 +669,11 @@ MU::Cloud::AWS.apig(region: @region, credentials: @credentials).get_resource(
         def self.schema(_config)
           toplevel_required = []
           schema = {
+            "endpoint_type" => {
+              "default" => "REGIONAL",
+              "type" => "string",
+              "enum" => ["REGIONAL", "EDGE", "PRIVATE"]
+            },
             "domain_names" => {
               "type" => "array",
               "items" => {
@@ -791,7 +836,7 @@ MU::Cloud::AWS.apig(region: @region, credentials: @credentials).get_resource(
                       "type" => {
                         "type" => "string",
                         "description" => "A Mu resource type, for integrations with a sibling resource (e.g. a function), or the string +aws_generic+, which we can use in combination with +aws_generic_action+ to integrate with arbitrary AWS services.",
-                        "enum" => ["aws_generic"].concat(MU::Cloud.resource_types.values.map { |t| t[:cfg_plural] }.sort)
+                        "enum" => ["aws_generic", "mock"].concat(MU::Cloud.resource_types.values.map { |t| t[:cfg_plural] }.sort)
                       },
                       "aws_generic_action" => {
                         "type" => "string",
@@ -863,6 +908,23 @@ MU::Cloud::AWS.apig(region: @region, credentials: @credentials).get_resource(
           "arn:#{MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws"}:execute-api:#{@region}:#{MU::Cloud::AWS.credToAcct(@credentials)}:#{@cloud_id}"
         end
+        # Go fish for the account-wide CloudWatch Logs role that grants APIG
+        # permissions to generate logs. This appears to have disappeared from
+        # the web console.
+        def self.findCloudWatchLogsRole(credentials = nil)
+          roles = MU::Cloud.resourceClass("AWS", "Role").find(credentials: credentials)
+          roles.each_pair { |id, r|
+            next if r.is_a?(Aws::IAM::Types::Policy)
+            attached_policies = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
+              role_name: r.role_name
+            ).attached_policies
+            if attached_policies.size == 1 and attached_policies.first.policy_arn == "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+              return r.arn
+            end
+          }
+          nil
+        end
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::endpoints}, bare and unvalidated.
         # @param endpoint [Hash]: The resource to process and validate
@@ -893,9 +955,22 @@ MU::Cloud::AWS.apig(region: @region, credentials: @credentials).get_resource(
           if endpoint['access_logs']
             resp = MU::Cloud::AWS.apig(credentials: endpoint['credentials'], region: endpoint['region']).get_account
             if !resp.cloudwatch_role_arn
-              MU.log "Endpoint '#{endpoint['name']}' is configured to use CloudWatch Logs, but the account-wide API Gateway log role is not configured", MU::ERR, details: "https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/"
-              ok = false
+              logs_role = findCloudWatchLogsRole
+              if logs_role
+                MU.log "Updating API Gateway account-wide to add log role #{logs_role}", MU::NOTICE
+                MU::Cloud::AWS.apig(credentials: endpoint['credentials'], region: endpoint['region']).update_account(
+                  patch_operations: [
+                    op: "replace",
+                    path: "/cloudwatchRoleArn",
+                    value: logs_role
+                  ]
+                )
+              else
+                MU.log "Endpoint '#{endpoint['name']}' is configured to use CloudWatch Logs, but the account-wide API Gateway log role is not configured", MU::ERR, details: "https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/"
+                ok = false
+              end
             else
               roles = MU::Cloud::AWS::Role.find(cloud_id: resp.cloudwatch_role_arn, credentials: endpoint['credentials'], region: endpoint['region'])
               if roles.empty?