cloud-mu 3.5.0 → 3.6.3
- checksums.yaml +4 -4
- data/Berksfile +5 -2
- data/Berksfile.lock +135 -0
- data/ansible/roles/mu-base/README.md +33 -0
- data/ansible/roles/mu-base/defaults/main.yml +2 -0
- data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
- data/ansible/roles/mu-base/files/check_apm.sh +18 -0
- data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
- data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
- data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
- data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
- data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
- data/ansible/roles/mu-base/files/logrotate.conf +35 -0
- data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
- data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
- data/ansible/roles/mu-base/handlers/main.yml +5 -0
- data/ansible/roles/mu-base/meta/main.yml +53 -0
- data/ansible/roles/mu-base/tasks/main.yml +113 -0
- data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
- data/ansible/roles/mu-base/tests/inventory +2 -0
- data/ansible/roles/mu-base/tests/test.yml +5 -0
- data/ansible/roles/mu-base/vars/main.yml +1 -0
- data/ansible/roles/mu-compliance/README.md +33 -0
- data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
- data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
- data/ansible/roles/mu-compliance/meta/main.yml +53 -0
- data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
- data/ansible/roles/mu-compliance/tests/inventory +2 -0
- data/ansible/roles/mu-compliance/tests/test.yml +5 -0
- data/ansible/roles/mu-compliance/vars/main.yml +4 -0
- data/ansible/roles/mu-elastic/README.md +51 -0
- data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
- data/ansible/roles/mu-elastic/files/jvm.options +93 -0
- data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
- data/ansible/roles/mu-elastic/meta/main.yml +52 -0
- data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
- data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
- data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
- data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
- data/ansible/roles/mu-elastic/tests/inventory +2 -0
- data/ansible/roles/mu-elastic/tests/test.yml +5 -0
- data/ansible/roles/mu-elastic/vars/main.yml +2 -0
- data/ansible/roles/mu-logstash/README.md +51 -0
- data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
- data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
- data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
- data/ansible/roles/mu-logstash/files/jvm.options +84 -0
- data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
- data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
- data/ansible/roles/mu-logstash/meta/main.yml +52 -0
- data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
- data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
- data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
- data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
- data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
- data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
- data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
- data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
- data/ansible/roles/mu-logstash/tests/inventory +2 -0
- data/ansible/roles/mu-logstash/tests/test.yml +5 -0
- data/ansible/roles/mu-logstash/vars/main.yml +2 -0
- data/ansible/roles/mu-rdp/README.md +33 -0
- data/ansible/roles/mu-rdp/meta/main.yml +53 -0
- data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
- data/ansible/roles/mu-rdp/tests/inventory +2 -0
- data/ansible/roles/mu-rdp/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/tasks/main.yml +3 -0
- data/bin/mu-ansible-secret +1 -1
- data/bin/mu-aws-setup +4 -3
- data/bin/mu-azure-setup +5 -5
- data/bin/mu-configure +25 -17
- data/bin/mu-firewall-allow-clients +1 -0
- data/bin/mu-gcp-setup +3 -3
- data/bin/mu-load-config.rb +1 -0
- data/bin/mu-node-manage +66 -33
- data/bin/mu-self-update +2 -2
- data/bin/mu-upload-chef-artifacts +6 -1
- data/bin/mu-user-manage +1 -1
- data/cloud-mu.gemspec +25 -23
- data/cookbooks/firewall/CHANGELOG.md +417 -224
- data/cookbooks/firewall/LICENSE +202 -0
- data/cookbooks/firewall/README.md +153 -126
- data/cookbooks/firewall/TODO.md +6 -0
- data/cookbooks/firewall/attributes/firewalld.rb +7 -0
- data/cookbooks/firewall/attributes/iptables.rb +3 -3
- data/cookbooks/firewall/chefignore +115 -0
- data/cookbooks/firewall/libraries/helpers.rb +5 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
- data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
- data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
- data/cookbooks/firewall/metadata.json +40 -1
- data/cookbooks/firewall/metadata.rb +15 -0
- data/cookbooks/firewall/recipes/default.rb +7 -7
- data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
- data/cookbooks/firewall/recipes/firewalld.rb +87 -0
- data/cookbooks/firewall/renovate.json +18 -0
- data/cookbooks/firewall/resources/firewalld.rb +28 -0
- data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
- data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
- data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
- data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
- data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
- data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
- data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
- data/cookbooks/firewall/resources/nftables.rb +71 -0
- data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
- data/cookbooks/mu-activedirectory/Berksfile +1 -1
- data/cookbooks/mu-activedirectory/metadata.rb +1 -1
- data/cookbooks/mu-firewall/metadata.rb +2 -2
- data/cookbooks/mu-master/Berksfile +4 -3
- data/cookbooks/mu-master/attributes/default.rb +5 -2
- data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
- data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
- data/cookbooks/mu-master/libraries/mu.rb +24 -0
- data/cookbooks/mu-master/metadata.rb +5 -5
- data/cookbooks/mu-master/recipes/default.rb +31 -20
- data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
- data/cookbooks/mu-master/recipes/init.rb +58 -19
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
- data/cookbooks/mu-php54/Berksfile +1 -1
- data/cookbooks/mu-php54/metadata.rb +2 -2
- data/cookbooks/mu-tools/Berksfile +2 -3
- data/cookbooks/mu-tools/attributes/default.rb +3 -4
- data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
- data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
- data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
- data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
- data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
- data/cookbooks/mu-tools/libraries/helper.rb +21 -9
- data/cookbooks/mu-tools/metadata.rb +4 -4
- data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
- data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
- data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
- data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
- data/data_bags/nagios_services/apm_backend_connect.json +5 -0
- data/data_bags/nagios_services/apm_listen.json +5 -0
- data/data_bags/nagios_services/elastic_shards.json +5 -0
- data/data_bags/nagios_services/logstash.json +5 -0
- data/data_bags/nagios_services/rhel7_updates.json +8 -0
- data/extras/image-generators/AWS/centos7.yaml +1 -0
- data/extras/image-generators/AWS/rhel7.yaml +21 -0
- data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
- data/extras/image-generators/AWS/win2k16.yaml +1 -0
- data/extras/image-generators/AWS/win2k19.yaml +1 -0
- data/extras/list-stock-amis +0 -0
- data/extras/ruby_rpm/muby.spec +8 -5
- data/extras/vault_tools/export_vaults.sh +1 -1
- data/extras/vault_tools/recreate_vaults.sh +0 -0
- data/extras/vault_tools/test_vaults.sh +0 -0
- data/install/deprecated-bash-library.sh +1 -1
- data/install/installer +4 -2
- data/modules/mommacat.ru +3 -1
- data/modules/mu/adoption.rb +1 -1
- data/modules/mu/cloud/dnszone.rb +2 -2
- data/modules/mu/cloud/machine_images.rb +26 -25
- data/modules/mu/cloud/resource_base.rb +213 -182
- data/modules/mu/cloud/server_pool.rb +1 -1
- data/modules/mu/cloud/ssh_sessions.rb +7 -5
- data/modules/mu/cloud/wrappers.rb +2 -2
- data/modules/mu/cloud.rb +1 -1
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/function.rb +6 -1
- data/modules/mu/config/loadbalancer.rb +24 -2
- data/modules/mu/config/ref.rb +12 -0
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +42 -9
- data/modules/mu/config/server.rb +43 -27
- data/modules/mu/config/tail.rb +19 -10
- data/modules/mu/config.rb +6 -5
- data/modules/mu/defaults/AWS.yaml +78 -114
- data/modules/mu/deploy.rb +9 -2
- data/modules/mu/groomer.rb +12 -4
- data/modules/mu/groomers/ansible.rb +104 -20
- data/modules/mu/groomers/chef.rb +15 -6
- data/modules/mu/master.rb +9 -4
- data/modules/mu/mommacat/daemon.rb +4 -2
- data/modules/mu/mommacat/naming.rb +1 -2
- data/modules/mu/mommacat/storage.rb +7 -2
- data/modules/mu/mommacat.rb +33 -6
- data/modules/mu/providers/aws/database.rb +161 -8
- data/modules/mu/providers/aws/dnszone.rb +11 -6
- data/modules/mu/providers/aws/endpoint.rb +81 -6
- data/modules/mu/providers/aws/firewall_rule.rb +254 -172
- data/modules/mu/providers/aws/function.rb +65 -3
- data/modules/mu/providers/aws/loadbalancer.rb +39 -28
- data/modules/mu/providers/aws/log.rb +2 -1
- data/modules/mu/providers/aws/role.rb +25 -7
- data/modules/mu/providers/aws/server.rb +36 -12
- data/modules/mu/providers/aws/server_pool.rb +237 -127
- data/modules/mu/providers/aws/storage_pool.rb +7 -1
- data/modules/mu/providers/aws/user.rb +1 -1
- data/modules/mu/providers/aws/userdata/linux.erb +6 -2
- data/modules/mu/providers/aws/userdata/windows.erb +7 -5
- data/modules/mu/providers/aws/vpc.rb +49 -25
- data/modules/mu/providers/aws.rb +13 -8
- data/modules/mu/providers/azure/container_cluster.rb +1 -1
- data/modules/mu/providers/azure/loadbalancer.rb +2 -2
- data/modules/mu/providers/azure/server.rb +5 -2
- data/modules/mu/providers/azure/userdata/linux.erb +1 -1
- data/modules/mu/providers/azure.rb +11 -8
- data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +15 -2
- data/modules/mu/providers/google/folder.rb +2 -1
- data/modules/mu/providers/google/function.rb +130 -4
- data/modules/mu/providers/google/habitat.rb +2 -1
- data/modules/mu/providers/google/loadbalancer.rb +407 -160
- data/modules/mu/providers/google/role.rb +16 -3
- data/modules/mu/providers/google/server.rb +5 -1
- data/modules/mu/providers/google/user.rb +25 -18
- data/modules/mu/providers/google/userdata/linux.erb +1 -1
- data/modules/mu/providers/google/vpc.rb +53 -7
- data/modules/mu/providers/google.rb +39 -39
- data/modules/mu.rb +8 -8
- data/modules/tests/elk.yaml +46 -0
- data/test/mu-master-test/controls/all_in_one.rb +1 -1
- metadata +207 -112
- data/cookbooks/firewall/CONTRIBUTING.md +0 -2
- data/cookbooks/firewall/MAINTAINERS.md +0 -19
- data/cookbooks/firewall/libraries/matchers.rb +0 -30
- data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -20,6 +20,7 @@ module MU
|
|
20
20
|
|
21
21
|
@lb = nil
|
22
22
|
attr_reader :targetgroups
|
23
|
+
attr_reader :is_lambda
|
23
24
|
|
24
25
|
# Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
|
25
26
|
# @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
|
@@ -161,7 +162,7 @@ module MU
|
|
161
162
|
parent_thread_id = Thread.current.object_id
|
162
163
|
generic_mu_dns = nil
|
163
164
|
dnsthread = Thread.new {
|
164
|
-
if !MU::Cloud::AWS.isGovCloud?
|
165
|
+
if MU::Cloud::AWS.hosted? and !MU::Cloud::AWS.isGovCloud?
|
165
166
|
MU.dupGlobals(parent_thread_id)
|
166
167
|
generic_mu_dns = MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: @mu_name, target: "#{lb.dns_name}.", cloudclass: MU::Cloud::LoadBalancer, sync_wait: @config['dns_sync_wait'])
|
167
168
|
end
|
@@ -181,6 +182,7 @@ module MU
|
|
181
182
|
end
|
182
183
|
|
183
184
|
@targetgroups = {}
|
185
|
+
@is_lambda = false
|
184
186
|
if !@config['healthcheck'].nil? and @config['classic']
|
185
187
|
MU.log "Configuring custom health check for ELB #{@mu_name}", details: @config['healthcheck']
|
186
188
|
MU::Cloud::AWS.elb(region: @region, credentials: @credentials).configure_health_check(
|
@@ -203,10 +205,13 @@ module MU
|
|
203
205
|
:protocol => tg['proto'],
|
204
206
|
:vpc_id => @vpc.cloud_id,
|
205
207
|
:port => tg['port'],
|
206
|
-
:target_type => 'instance
|
208
|
+
:target_type => tg['target_type'] || "instance"
|
207
209
|
}
|
208
|
-
if tg['target_type']
|
209
|
-
|
210
|
+
if tg['target_type'] == "lambda"
|
211
|
+
@is_lambda = true
|
212
|
+
tg_descriptor.delete(:protocol)
|
213
|
+
tg_descriptor.delete(:port)
|
214
|
+
tg_descriptor.delete(:vpc_id)
|
210
215
|
end
|
211
216
|
if tg['httpcode']
|
212
217
|
tg_descriptor[:matcher] = {
|
@@ -426,17 +431,19 @@ module MU
|
|
426
431
|
timeout = 0
|
427
432
|
MU.log "Disabling connection draining on #{lb.dns_name}"
|
428
433
|
end
|
429
|
-
|
430
|
-
|
431
|
-
|
432
|
-
|
433
|
-
|
434
|
-
|
435
|
-
|
436
|
-
|
437
|
-
|
438
|
-
|
439
|
-
|
434
|
+
if !@is_lambda
|
435
|
+
@targetgroups.values.each { |tg|
|
436
|
+
MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).modify_target_group_attributes(
|
437
|
+
target_group_arn: tg.target_group_arn,
|
438
|
+
attributes: [
|
439
|
+
{
|
440
|
+
key: "deregistration_delay.timeout_seconds",
|
441
|
+
value: timeout.to_s
|
442
|
+
}
|
443
|
+
]
|
444
|
+
)
|
445
|
+
}
|
446
|
+
end
|
440
447
|
end
|
441
448
|
end
|
442
449
|
|
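Review bot: The `if !@is_lambda` gate at the top of this hunk disables the deregistration-delay update for every target group as soon as any single group is a Lambda group, so an ALB that mixes instance/ip groups with a lambda group never gets `deregistration_delay.timeout_seconds` applied to its instance groups. The loop already holds each describe_target_groups result, so filter per group instead: drop the `if !@is_lambda` wrapper and put `next if tg.target_type == "lambda"` as the first line of the `@targetgroups.values.each` block. `@is_lambda` can stay for other callers; the attribute update just should not depend on how the groups are mixed. The enclosing method starts outside the hunk.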
@@ -569,6 +576,11 @@ module MU
|
|
569
576
|
notify
|
570
577
|
end
|
571
578
|
|
579
|
+
# Called automatically by {MU::Deploy#createResources}
|
580
|
+
def groom
|
581
|
+
MU.log "LoadBalancer #{@config['name']} is at #{cloud_desc.dns_name}", MU::SUMMARY
|
582
|
+
end
|
583
|
+
|
572
584
|
# Canonical Amazon Resource Number for this resource
|
573
585
|
# @return [String]
|
574
586
|
def arn
|
@@ -603,7 +615,6 @@ module MU
|
|
603
615
|
@targetgroups[tg_name] = MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).describe_target_groups(target_group_arns: [tg_arn]).target_groups.first
|
604
616
|
}
|
605
617
|
else
|
606
|
-
pp @config['targetgroups']
|
607
618
|
MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).describe_target_groups(load_balancer_arn: @cloud_desc_cache.load_balancer_arn).target_groups.each { |tg|
|
608
619
|
tg_name = tg.target_group_name
|
609
620
|
if @config['targetgroups']
|
@@ -644,31 +655,31 @@ module MU
|
|
644
655
|
|
645
656
|
# Register a Server node with an existing LoadBalancer.
|
646
657
|
#
|
647
|
-
# @param
|
648
|
-
# @param
|
649
|
-
def
|
658
|
+
# @param id [String] A node or function to register.
|
659
|
+
# @param backends [Array<String>] The target group(s) of which this node should be made a member. Not applicable to classic LoadBalancers. If not supplied, the node will be registered to all available target groups on this LoadBalancer.
|
660
|
+
def registerTarget(id, backends: nil)
|
650
661
|
if @config['classic'] or !@config.has_key?("classic")
|
651
|
-
MU.log "Registering #{
|
662
|
+
MU.log "Registering #{id} to ELB #{@cloud_id}"
|
652
663
|
MU::Cloud::AWS.elb(region: @region, credentials: @credentials).register_instances_with_load_balancer(
|
653
664
|
load_balancer_name: @cloud_id,
|
654
665
|
instances: [
|
655
|
-
{instance_id:
|
666
|
+
{instance_id: id}
|
656
667
|
]
|
657
668
|
)
|
658
669
|
else
|
659
|
-
if
|
670
|
+
if backends.nil? or !backends.is_a?(Array) or backends.size == 0
|
660
671
|
if @targetgroups.nil?
|
661
672
|
cloud_desc
|
662
673
|
return if @targetgroups.nil?
|
663
674
|
end
|
664
|
-
|
675
|
+
backends = @targetgroups.keys
|
665
676
|
end
|
666
|
-
|
667
|
-
MU.log "Registering #{
|
677
|
+
backends.each { |tg|
|
678
|
+
MU.log "Registering #{id} to Target Group #{tg}"
|
668
679
|
MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).register_targets(
|
669
680
|
target_group_arn: @targetgroups[tg].target_group_arn,
|
670
681
|
targets: [
|
671
|
-
{id:
|
682
|
+
{id: id}
|
672
683
|
]
|
673
684
|
)
|
674
685
|
}
|
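Review bot: In the non-classic branch `@targetgroups` is only loaded via `cloud_desc` when `backends` is empty, so a caller that passes an explicit `backends:` list on a freshly instantiated object hits `@targetgroups[tg]` on nil, and a backend name that is not a key of `@targetgroups` dies with NoMethodError on `.target_group_arn` instead of a useful error. Hoist the load above the branch and validate the names: `cloud_desc if @targetgroups.nil?` before `if backends.nil? …`, and inside the loop `raise MuError, "No target group #{tg} on #{@mu_name}" if @targetgroups[tg].nil?`. Note also that the default `backends = @targetgroups.keys` registers `id` to lambda groups too, where an instance id will be rejected by register_targets; with mixed groups either the caller or this method has to select the groups whose `target_type` matches the kind of `id` being registered. The method body continues past the hunk.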
@@ -753,7 +764,7 @@ module MU
|
|
753
764
|
end
|
754
765
|
end
|
755
766
|
if matched
|
756
|
-
if !MU::Cloud::AWS.isGovCloud?
|
767
|
+
if MU::Cloud::AWS.hosted? and !MU::Cloud::AWS.isGovCloud?
|
757
768
|
MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: lb.load_balancer_name, target: lb.dns_name, cloudclass: MU::Cloud::LoadBalancer, delete: true) if !noop
|
758
769
|
end
|
759
770
|
if classic
|
@@ -834,7 +845,7 @@ module MU
|
|
834
845
|
"type" => "string",
|
835
846
|
"enum" => ["HTTP", "HTTPS", "TCP", "SSL"],
|
836
847
|
},
|
837
|
-
"target_type
|
848
|
+
"target_type" => {
|
838
849
|
"type" => "string",
|
839
850
|
"enum" => ["instance", "ip", "lambda"],
|
840
851
|
}
|
@@ -244,7 +244,8 @@ module MU
|
|
244
244
|
def self.find(**args)
|
245
245
|
found = {}
|
246
246
|
if !args[:cloud_id].nil? and !args[:cloud_id].match(/^arn:/i)
|
247
|
-
|
247
|
+
exists = MU::Cloud::AWS::Log.getLogGroupByName(args[:cloud_id], region: args[:region], credentials: args[:credentials])
|
248
|
+
found[args[:cloud_id]] = exists if exists
|
248
249
|
else
|
249
250
|
next_token = nil
|
250
251
|
begin
|
@@ -184,6 +184,14 @@ module MU
|
|
184
184
|
desc
|
185
185
|
end
|
186
186
|
|
187
|
+
rescue Aws::IAM::Errors::AccessDenied => e
|
188
|
+
if e.message =~ /Cannot create versions for policies outside your own account/
|
189
|
+
MU.log "Deleting and recreating cross-account policy #{policy_name}", MU::NOTICE
|
190
|
+
purgePolicy(arn, credentials)
|
191
|
+
retry
|
192
|
+
else
|
193
|
+
raise e
|
194
|
+
end
|
187
195
|
rescue Aws::IAM::Errors::NoSuchEntity
|
188
196
|
MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
|
189
197
|
desc = MU::Cloud::AWS.iam(credentials: credentials).create_policy(
|
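Review bot: The `retry` in the new `AccessDenied` rescue is unbounded: if `purgePolicy` cannot actually remove the policy, or the retried call hits the same AccessDenied for another reason, this loops forever deleting and re-raising. Bound it before retrying, e.g. `purge_attempts = (purge_attempts || 0) + 1` followed by `raise e if purge_attempts > 1`. The recovery is also destructive — presumably `purgePolicy` detaches the managed policy from whatever roles, users or groups hold it before deleting it, so principals in the other account that had it attached silently lose those permissions until something re-attaches them; that deserves `MU::WARN` rather than `MU::NOTICE`, and keying the decision on error-message text is brittle across SDK/API wording changes. The enclosing begin/rescue starts outside the hunk.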
@@ -328,7 +336,7 @@ end
|
|
328
336
|
version_id: p.default_version_id
|
329
337
|
).policy_version
|
330
338
|
|
331
|
-
doc = JSON.parse
|
339
|
+
doc = JSON.parse URI.decode_www_form_component old.document
|
332
340
|
need_update = false
|
333
341
|
|
334
342
|
doc["Statement"].each { |s|
|
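Review bot: `URI.decode_www_form_component` turns `+` into a space, but IAM returns policy-version documents percent-encoded (RFC 3986 style, where a space is `%20`), so any literal `+` in the stored policy — S3 object-key patterns in a Resource ARN are the usual case — decodes to a space and the comparison below sees a spurious difference, writing a new policy version on every run. Use a pure percent-decoder: `doc = JSON.parse URI::DEFAULT_PARSER.unescape(old.document)` (or `URI.decode_uri_component` on Ruby 3.2+). Whether `uri` is already required in this file is not visible from the hunk.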
@@ -539,7 +547,6 @@ end
|
|
539
547
|
found = {}
|
540
548
|
|
541
549
|
if args[:cloud_id]
|
542
|
-
|
543
550
|
begin
|
544
551
|
# managed policies get fetched by ARN, roles by plain name. Ok!
|
545
552
|
if args[:cloud_id].match(/^arn:.*?:policy\//)
|
@@ -560,7 +567,6 @@ end
|
|
560
567
|
end
|
561
568
|
rescue ::Aws::IAM::Errors::NoSuchEntity
|
562
569
|
end
|
563
|
-
|
564
570
|
else
|
565
571
|
resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles
|
566
572
|
resp.roles.each { |role|
|
@@ -1118,7 +1124,7 @@ end
|
|
1118
1124
|
if role['policies']
|
1119
1125
|
role['policies'].each { |policy|
|
1120
1126
|
policy['targets'].each { |target|
|
1121
|
-
if target['type']
|
1127
|
+
if target['type'] and _configurator.haveLitterMate?(target['identifier'], target['type'])
|
1122
1128
|
MU::Config.addDependency(role, target['identifier'], target['type'], my_phase: "groom")
|
1123
1129
|
end
|
1124
1130
|
}
|
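Review bot: The parameter `_configurator` is now read in the new condition, but the leading underscore conventionally marks an unused parameter, so the name now misleads readers and linters alike. Rename it to `configurator` in the method signature (outside this hunk) and call `configurator.haveLitterMate?(target['identifier'], target['type'])` here. The behavioural change — a groom-phase dependency is only added when the target is a sibling in the same deploy — is worth a one-line comment such as `# only siblings in this deploy can be dependencies; other targets are resolved later by ARN`, if that is indeed how unmatched targets are handled.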
@@ -1135,7 +1141,7 @@ end
|
|
1135
1141
|
# @param policies [Array<Hash>]: One or more policy chunks
|
1136
1142
|
# @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
|
1137
1143
|
# @return [Array<Hash>]
|
1138
|
-
def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil)
|
1144
|
+
def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil, credentials: nil)
|
1139
1145
|
if policies
|
1140
1146
|
name = nil
|
1141
1147
|
doc = {
|
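Review bot: The new `credentials:` keyword on `genPolicyDocument` is undocumented while the YARD block above documents the other parameters. Add `# @param credentials [String]: Credential set to use when resolving targets that are not siblings in +deploy_obj+` — the exact type is whatever the AWS layer accepts, so confirm it against the callers. `bucket_style`, `version` and `doc_id` are also missing from that block if you want to complete it in the same pass.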
@@ -1211,7 +1217,19 @@ end
|
|
1211
1217
|
type: target["type"]
|
1212
1218
|
)
|
1213
1219
|
if sibling
|
1214
|
-
|
1220
|
+
sibling = sibling.cloudobj
|
1221
|
+
else
|
1222
|
+
found = MU::MommaCat.findStray(
|
1223
|
+
"AWS",
|
1224
|
+
target["type"],
|
1225
|
+
cloud_id: target["identifier"],
|
1226
|
+
credentials: credentials,
|
1227
|
+
dummy_ok: true
|
1228
|
+
)
|
1229
|
+
sibling = found.first
|
1230
|
+
end
|
1231
|
+
if sibling
|
1232
|
+
id = sibling.arn
|
1215
1233
|
id.sub!(/:([^:]+)$/, ":"+'\1'+target["path"]) if target["path"]
|
1216
1234
|
statement["Resource"] << id
|
1217
1235
|
if id.match(/:log-group:/)
|
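Review bot: `sibling = found.first` assumes `findStray` returns an array; if it can return nil the lookup raises NoMethodError instead of reaching the `if sibling` guard, and with `dummy_ok: true` a dummy object whose `arn` is nil makes the `id.sub!` on the following line raise as well. Guard both: `sibling = Array(found).first` and `if sibling and sibling.respond_to?(:arn) and sibling.arn`. Because the resolved ARN goes straight into the statement's `Resource` list, a silent miss or a placeholder ARN here changes what the IAM policy grants, so a miss should be logged at `MU::WARN` with the target identifier rather than dropped quietly. The surrounding loop over policy targets starts outside the hunk.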
@@ -1269,7 +1287,7 @@ end
|
|
1269
1287
|
# Convert entries from the cloud-neutral @config['policies'] list into
|
1270
1288
|
# AWS syntax.
|
1271
1289
|
def convert_policies_to_iam
|
1272
|
-
MU::Cloud::AWS::Role.genPolicyDocument(@config['policies'], deploy_obj: @deploy)
|
1290
|
+
MU::Cloud::AWS::Role.genPolicyDocument(@config['policies'], deploy_obj: @deploy, credentials: @credentials)
|
1273
1291
|
end
|
1274
1292
|
|
1275
1293
|
def get_tag_params(strip_std = false)
|
@@ -276,6 +276,11 @@ module MU
|
|
276
276
|
:key_name => @deploy.ssh_key_name,
|
277
277
|
:instance_type => @config["size"],
|
278
278
|
:disable_api_termination => true,
|
279
|
+
:metadata_options => {
|
280
|
+
:http_tokens => "optional",
|
281
|
+
:http_endpoint => "enabled",
|
282
|
+
:instance_metadata_tags => "enabled"
|
283
|
+
},
|
279
284
|
:min_count => 1,
|
280
285
|
:max_count => 1
|
281
286
|
}
|
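Review bot: `:http_tokens => "optional"` leaves IMDSv1 reachable on every instance Mu launches, which is exactly the path an SSRF or a compromised local process uses to read the instance role's credentials, and with `:instance_metadata_tags => "enabled"` the deploy's tags are readable over that same unauthenticated endpoint. Default to `:http_tokens => "required"` and relax it only for images whose bootstrap tooling is known to lack IMDSv2 support, e.g. `:http_tokens => @config['imdsv1'] ? "optional" : "required"` with a matching schema entry so the exception is explicit per server. The run_instances descriptor is built outside this hunk.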
@@ -348,7 +353,10 @@ module MU
|
|
348
353
|
raise MuError.new e.message, details: mysubnet_ids
|
349
354
|
end
|
350
355
|
instance_descriptor[:subnet_id] = (mysubnet_ids - bad_subnets).sample
|
351
|
-
|
356
|
+
if instance_descriptor[:subnet_id].nil?
|
357
|
+
raise MuError.new "Specified subnet#{bad_subnets.size > 1 ? "s do" : " does"} not support instance type #{instance_descriptor[:instance_type]}", details: bad_subnets
|
358
|
+
end
|
359
|
+
MU.log "One or more subnets does not support instance type #{instance_descriptor[:instance_type]}, attempting with #{instance_descriptor[:subnet_id]} instead", MU::WARN, details: bad_subnets
|
352
360
|
retry
|
353
361
|
rescue Aws::EC2::Errors::InvalidRequest => e
|
354
362
|
MU.log e.message, MU::ERR, details: instance_descriptor
|
@@ -587,7 +595,6 @@ module MU
|
|
587
595
|
searches << {
|
588
596
|
filters: [
|
589
597
|
base_filter,
|
590
|
-
{name: ip_type, values: [ip]},
|
591
598
|
{name: "tag:#{args[:tag_key]}", values: [args[:tag_value]]},
|
592
599
|
]
|
593
600
|
}
|
@@ -855,7 +862,7 @@ module MU
|
|
855
862
|
raise MuError, "#{@mu_name} is configured to use LoadBalancers, but none have been loaded by dependencies()"
|
856
863
|
end
|
857
864
|
@loadbalancers.each { |lb|
|
858
|
-
lb.
|
865
|
+
lb.registerTarget(@cloud_id)
|
859
866
|
}
|
860
867
|
end
|
861
868
|
MU.log %Q{Server #{@config['name']} private IP is #{@deploydata["private_ip_address"]}#{@deploydata["public_ip_address"] ? ", public IP is "+@deploydata["public_ip_address"] : ""}}, MU::SUMMARY
|
@@ -893,7 +900,8 @@ module MU
|
|
893
900
|
end
|
894
901
|
rescue MU::Groomer::RunError => e
|
895
902
|
raise e if !@config['create_image'].nil? and !@config['image_created']
|
896
|
-
MU.log "Proceeding after failed initial Groomer run, but #{@mu_name} may not behave as expected!", MU::WARN, details: e.
|
903
|
+
MU.log "Proceeding after failed initial Groomer run, but #{@mu_name} may not behave as expected!", MU::WARN, details: e.inspect
|
904
|
+
pp e.backtrace
|
897
905
|
rescue StandardError => e
|
898
906
|
raise e if !@config['create_image'].nil? and !@config['image_created']
|
899
907
|
MU.log "Caught #{e.inspect} on #{@mu_name} in an unexpected place (after @groomer.run on Full Initial Run)", MU::ERR
|
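Review bot: `pp e.backtrace` writes straight to stdout, bypassing `MU.log` and its level and formatting, so the trace lands unformatted in whatever drives the deploy while the WARN just above goes to the normal log. Fold it into the same call and drop the `pp` line: `MU.log "Proceeding after failed initial Groomer run, but #{@mu_name} may not behave as expected!", MU::WARN, details: { "error" => e.inspect, "backtrace" => e.backtrace }` — `details:` already receives a Hash elsewhere in this diff (`@config['healthcheck']`), so that shape is supported. The enclosing rescue chain continues outside the hunk.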
@@ -1250,7 +1258,7 @@ module MU
|
|
1250
1258
|
resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_addresses
|
1251
1259
|
end
|
1252
1260
|
resp.addresses.each { |address|
|
1253
|
-
return address if (address.network_interface_id.nil? or address.network_interface_id.empty?)
|
1261
|
+
return address if (address.network_interface_id.nil? or address.network_interface_id.empty?) and !@eips_used.include?(address.public_ip)
|
1254
1262
|
}
|
1255
1263
|
if !ip.nil?
|
1256
1264
|
mode = classic ? "EC2 Classic" : "VPC"
|
@@ -1295,7 +1303,10 @@ module MU
|
|
1295
1303
|
# @param size [String]: Size (in gb) of the new volume
|
1296
1304
|
# @param type [String]: Cloud storage type of the volume, if applicable
|
1297
1305
|
# @param delete_on_termination [Boolean]: Value of delete_on_termination flag to set
|
1298
|
-
def addVolume(dev, size, type: "
|
1306
|
+
def addVolume(dev: nil, size: 0, type: "gp3", delete_on_termination: false)
|
1307
|
+
if dev.nil? or size == 0
|
1308
|
+
raise MuError, "Must specify a device name and a size for addVolume"
|
1309
|
+
end
|
1299
1310
|
|
1300
1311
|
if setDeleteOntermination(dev, delete_on_termination)
|
1301
1312
|
MU.log "A volume #{dev} already attached to #{self}, skipping", MU::NOTICE
|
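Review bot: Changing `addVolume(dev, size, …)` to all-keyword `addVolume(dev: nil, size: 0, …)` breaks every caller that still passes `dev` and `size` positionally — such a call raises ArgumentError before the new guard is reached, so the guard only covers the omitted-argument case. If callers were not all updated in this release, keep the old shape working or fix the call sites together with this change. Separately, the YARD doc says `size` is a String, in which case `size == 0` never fires for `"0"` or `""`; `if dev.nil? or size.to_i <= 0` covers both. The method continues past the hunk.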
@@ -1401,7 +1412,7 @@ module MU
|
|
1401
1412
|
if @eips_used.include?(ip)
|
1402
1413
|
is_free = false
|
1403
1414
|
resp.addresses.each { |address|
|
1404
|
-
if address.public_ip == ip and (address.instance_id.nil? and address.
|
1415
|
+
if address.public_ip == ip and (address.instance_id.nil? and address.association.nil?) or address.instance_id == instance_id
|
1405
1416
|
@eips_used.delete(ip)
|
1406
1417
|
is_free = true
|
1407
1418
|
end
|
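Review bot: The condition mixes `and`/`or` without parentheses, so it parses as `(public_ip == ip and free) or instance_id == instance_id` — any address already attached to `instance_id`, whatever its IP, marks the requested `ip` as free and removes it from `@eips_used`. Parenthesize the alternative: `if address.public_ip == ip and ((address.instance_id.nil? and address.association.nil?) or address.instance_id == instance_id)`. Also, the later hunk in this file reads `association_id` on the same address objects; unless the SDK struct also exposes `association`, `address.association.nil?` raises NoMethodError and this line should use `association_id` too. The enclosing method starts outside the hunk.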
@@ -1434,8 +1445,11 @@ module MU
|
|
1434
1445
|
allocation_ids: [elastic_ip.allocation_id]
|
1435
1446
|
)
|
1436
1447
|
first_addr = resp.addresses.first
|
1437
|
-
if first_addr and first_addr.instance_id != instance_id
|
1438
|
-
|
1448
|
+
if first_addr and !first_addr.association_id.nil? and first_addr.instance_id != instance_id
|
1449
|
+
ifaces = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_network_interfaces(
|
1450
|
+
filters: [{name: "association.allocation-id", values: [elastic_ip.allocation_id]}]
|
1451
|
+
).data.network_interfaces
|
1452
|
+
raise MuError.new "Tried to associate #{elastic_ip.public_ip} with #{instance_id}, but it's already associated with #{first_addr.instance_id}!", details: ifaces
|
1439
1453
|
end
|
1440
1454
|
end
|
1441
1455
|
}
|
@@ -1747,6 +1761,16 @@ module MU
|
|
1747
1761
|
"key_is" => "platform",
|
1748
1762
|
"value_is" => "amazon",
|
1749
1763
|
"set" => "ec2-user"
|
1764
|
+
},
|
1765
|
+
{
|
1766
|
+
"key_is" => "platform",
|
1767
|
+
"value_is" => "amazon2",
|
1768
|
+
"set" => "ec2-user"
|
1769
|
+
},
|
1770
|
+
{
|
1771
|
+
"key_is" => "platform",
|
1772
|
+
"value_is" => "amazon2023",
|
1773
|
+
"set" => "ec2-user"
|
1750
1774
|
}
|
1751
1775
|
]
|
1752
1776
|
}
|
@@ -2098,9 +2122,9 @@ module MU
|
|
2098
2122
|
end
|
2099
2123
|
end
|
2100
2124
|
|
2101
|
-
win_admin_password ||= MU.
|
2102
|
-
ec2config_password ||= MU.
|
2103
|
-
sshd_password ||= MU.
|
2125
|
+
win_admin_password ||= MU.generatePassword
|
2126
|
+
ec2config_password ||= MU.generatePassword
|
2127
|
+
sshd_password ||= MU.generatePassword
|
2104
2128
|
|
2105
2129
|
# We're creating the vault here so when we run
|
2106
2130
|
# MU::Cloud::Server.initialSSHTasks and we need to set the Windows
|
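Review bot: `||=` only fills a nil or false value, so if any of these three passwords arrives as an empty string from configuration it is kept and written to the vault as the Windows credential. Use an explicit emptiness check for each, e.g. `win_admin_password = MU.generatePassword if win_admin_password.nil? or win_admin_password.empty?`. `MU.generatePassword` is not visible here; it needs to draw from `SecureRandom` and satisfy the Windows complexity policy these accounts fall under, which is worth confirming rather than assuming. Where the three variables are first assigned is outside this hunk.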