RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/modules/mu/providers/aws/loadbalancer.rb CHANGED Viewed

@@ -20,6 +20,7 @@ module MU
         @lb = nil
         attr_reader :targetgroups
+        attr_reader :is_lambda
         # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
         # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
@@ -161,7 +162,7 @@ module MU
           parent_thread_id = Thread.current.object_id
           generic_mu_dns = nil
           dnsthread = Thread.new {
-            if !MU::Cloud::AWS.isGovCloud?
+            if MU::Cloud::AWS.hosted? and !MU::Cloud::AWS.isGovCloud?
               MU.dupGlobals(parent_thread_id)
               generic_mu_dns = MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: @mu_name, target: "#{lb.dns_name}.", cloudclass: MU::Cloud::LoadBalancer, sync_wait: @config['dns_sync_wait'])
             end
@@ -181,6 +182,7 @@ module MU
           end
           @targetgroups = {}
+          @is_lambda = false
           if !@config['healthcheck'].nil? and @config['classic']
             MU.log "Configuring custom health check for ELB #{@mu_name}", details: @config['healthcheck']
             MU::Cloud::AWS.elb(region: @region, credentials: @credentials).configure_health_check(
@@ -203,10 +205,13 @@ module MU
                   :protocol => tg['proto'],
                   :vpc_id => @vpc.cloud_id,
                   :port => tg['port'],
-                  :target_type  => 'instance'
+                  :target_type  => tg['target_type'] || "instance"
                 }
-                if tg['target_type'] && tg['target_type'] != 'instance'
-                  tg_descriptor[:target_type] = tg['target_type']
+                if tg['target_type'] == "lambda"
+                  @is_lambda = true
+                  tg_descriptor.delete(:protocol)
+                  tg_descriptor.delete(:port)
+                  tg_descriptor.delete(:vpc_id)
                 end
                 if tg['httpcode']
                   tg_descriptor[:matcher] = {
@@ -426,17 +431,19 @@ module MU
                 timeout = 0
                 MU.log "Disabling connection draining on #{lb.dns_name}"
               end
-              @targetgroups.values.each { |tg|
-                MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).modify_target_group_attributes(
-                  target_group_arn: tg.target_group_arn,
-                  attributes: [
-                    {
-                      key: "deregistration_delay.timeout_seconds",
-                      value: timeout.to_s
-                    }
-                  ]
-                )
-              }
+              if !@is_lambda
+                @targetgroups.values.each { |tg|
+                  MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).modify_target_group_attributes(
+                    target_group_arn: tg.target_group_arn,
+                    attributes: [
+                      {
+                        key: "deregistration_delay.timeout_seconds",
+                        value: timeout.to_s
+                      }
+                    ]
+                  )
+                }
+              end
             end
           end
@@ -569,6 +576,11 @@ module MU
           notify
         end
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          MU.log "LoadBalancer #{@config['name']} is at #{cloud_desc.dns_name}", MU::SUMMARY
+        end
         # Canonical Amazon Resource Number for this resource
         # @return [String]
         def arn
@@ -603,7 +615,6 @@ module MU
                   @targetgroups[tg_name] = MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).describe_target_groups(target_group_arns: [tg_arn]).target_groups.first
                 }
               else
-                pp @config['targetgroups']
                 MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).describe_target_groups(load_balancer_arn: @cloud_desc_cache.load_balancer_arn).target_groups.each { |tg|
                   tg_name = tg.target_group_name
                   if @config['targetgroups']
@@ -644,31 +655,31 @@ module MU
         # Register a Server node with an existing LoadBalancer.
         #
-        # @param instance_id [String] A node to register.
-        # @param targetgroups [Array<String>] The target group(s) of which this node should be made a member. Not applicable to classic LoadBalancers. If not supplied, the node will be registered to all available target groups on this LoadBalancer.
-        def registerNode(instance_id, targetgroups: nil)
+        # @param id [String] A node or function to register.
+        # @param backends [Array<String>] The target group(s) of which this node should be made a member. Not applicable to classic LoadBalancers. If not supplied, the node will be registered to all available target groups on this LoadBalancer.
+        def registerTarget(id, backends: nil)
           if @config['classic'] or !@config.has_key?("classic")
-            MU.log "Registering #{instance_id} to ELB #{@cloud_id}"
+            MU.log "Registering #{id} to ELB #{@cloud_id}"
             MU::Cloud::AWS.elb(region: @region, credentials: @credentials).register_instances_with_load_balancer(
               load_balancer_name: @cloud_id,
               instances: [
-                {instance_id: instance_id}
+                {instance_id: id}
               ]
             )
           else
-            if targetgroups.nil? or !targetgroups.is_a?(Array) or targetgroups.size == 0
+            if backends.nil? or !backends.is_a?(Array) or backends.size == 0
               if @targetgroups.nil?
                 cloud_desc
                 return if @targetgroups.nil?
               end
-              targetgroups = @targetgroups.keys
+              backends = @targetgroups.keys
             end
-            targetgroups.each { |tg|
-              MU.log "Registering #{instance_id} to Target Group #{tg}"
+            backends.each { |tg|
+              MU.log "Registering #{id} to Target Group #{tg}"
               MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).register_targets(
                 target_group_arn: @targetgroups[tg].target_group_arn,
                 targets: [
-                  {id: instance_id}
+                  {id: id}
                 ]
               )
             }
@@ -753,7 +764,7 @@ module MU
                 end
               end
               if matched
-                if !MU::Cloud::AWS.isGovCloud?
+                if MU::Cloud::AWS.hosted? and !MU::Cloud::AWS.isGovCloud?
                   MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: lb.load_balancer_name, target: lb.dns_name, cloudclass: MU::Cloud::LoadBalancer, delete: true) if !noop
                 end
                 if classic
@@ -834,7 +845,7 @@ module MU
                     "type" => "string",
                     "enum" => ["HTTP", "HTTPS", "TCP", "SSL"],
                   },
-                  "target_type " => {
+                  "target_type" => {
                     "type" => "string",
                     "enum" => ["instance", "ip", "lambda"],
                   }

data/modules/mu/providers/aws/log.rb CHANGED Viewed

@@ -244,7 +244,8 @@ module MU
         def self.find(**args)
           found = {}
           if !args[:cloud_id].nil? and !args[:cloud_id].match(/^arn:/i)
-            found[args[:cloud_id]] = MU::Cloud::AWS::Log.getLogGroupByName(args[:cloud_id], region: args[:region], credentials: args[:credentials])
+            exists = MU::Cloud::AWS::Log.getLogGroupByName(args[:cloud_id], region: args[:region], credentials: args[:credentials])
+            found[args[:cloud_id]] = exists if exists
           else
             next_token = nil
             begin

data/modules/mu/providers/aws/role.rb CHANGED Viewed

@@ -184,6 +184,14 @@ module MU
                 desc
               end
+            rescue Aws::IAM::Errors::AccessDenied => e
+              if e.message =~ /Cannot create versions for policies outside your own account/
+                MU.log "Deleting and recreating cross-account policy #{policy_name}", MU::NOTICE
+                purgePolicy(arn, credentials)
+                retry
+              else
+                raise e
+              end
             rescue Aws::IAM::Errors::NoSuchEntity
               MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
               desc = MU::Cloud::AWS.iam(credentials: credentials).create_policy(
@@ -328,7 +336,7 @@ end
                 version_id: p.default_version_id
               ).policy_version
-              doc = JSON.parse CGI.unescape_www_form_component old.document
+              doc = JSON.parse URI.decode_www_form_component old.document
               need_update = false
               doc["Statement"].each { |s|
@@ -539,7 +547,6 @@ end
           found = {}
           if args[:cloud_id]
             begin
               # managed policies get fetched by ARN, roles by plain name. Ok!
               if args[:cloud_id].match(/^arn:.*?:policy\//)
@@ -560,7 +567,6 @@ end
               end
             rescue ::Aws::IAM::Errors::NoSuchEntity
             end
           else
             resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles
             resp.roles.each { |role|
@@ -1118,7 +1124,7 @@ end
           if role['policies']
             role['policies'].each { |policy|
               policy['targets'].each { |target|
-                if target['type']
+                if target['type'] and _configurator.haveLitterMate?(target['identifier'], target['type'])
                   MU::Config.addDependency(role, target['identifier'], target['type'], my_phase: "groom")
                 end
               }
@@ -1135,7 +1141,7 @@ end
         # @param policies [Array<Hash>]: One or more policy chunks
         # @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
         # @return [Array<Hash>]
-        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil)
+        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil, credentials: nil)
           if policies
             name = nil
             doc = {
@@ -1211,7 +1217,19 @@ end
                       type: target["type"]
                     )
                     if sibling
-                      id = sibling.cloudobj.arn
+                      sibling = sibling.cloudobj
+                    else
+                      found = MU::MommaCat.findStray(
+                        "AWS",
+                        target["type"],
+                        cloud_id: target["identifier"],
+                        credentials: credentials,
+                        dummy_ok: true
+                      )
+                      sibling = found.first
+                    end
+                    if sibling
+                      id = sibling.arn
                       id.sub!(/:([^:]+)$/, ":"+'\1'+target["path"]) if target["path"]
                       statement["Resource"] << id
                       if id.match(/:log-group:/)
@@ -1269,7 +1287,7 @@ end
         # Convert entries from the cloud-neutral @config['policies'] list into
         # AWS syntax.
         def convert_policies_to_iam
-          MU::Cloud::AWS::Role.genPolicyDocument(@config['policies'], deploy_obj: @deploy)
+          MU::Cloud::AWS::Role.genPolicyDocument(@config['policies'], deploy_obj: @deploy, credentials: @credentials)
         end
         def get_tag_params(strip_std = false)

data/modules/mu/providers/aws/server.rb CHANGED Viewed

@@ -276,6 +276,11 @@ module MU
           :key_name => @deploy.ssh_key_name,
           :instance_type => @config["size"],
           :disable_api_termination => true,
+          :metadata_options => {
+            :http_tokens => "optional",
+            :http_endpoint => "enabled",
+            :instance_metadata_tags => "enabled"
+          },
           :min_count => 1,
           :max_count => 1
         }
@@ -348,7 +353,10 @@ module MU
             raise MuError.new e.message, details: mysubnet_ids
           end
           instance_descriptor[:subnet_id] = (mysubnet_ids - bad_subnets).sample
-          MU.log "One or more subnets does not support this instance type, attempting with #{instance_descriptor[:subnet_id]} instead", MU::WARN, details: bad_subnets
+          if instance_descriptor[:subnet_id].nil?
+            raise MuError.new "Specified subnet#{bad_subnets.size > 1 ? "s do" : " does"} not support instance type #{instance_descriptor[:instance_type]}", details: bad_subnets
+          end
+          MU.log "One or more subnets does not support instance type #{instance_descriptor[:instance_type]}, attempting with #{instance_descriptor[:subnet_id]} instead", MU::WARN, details: bad_subnets
           retry
         rescue Aws::EC2::Errors::InvalidRequest => e
           MU.log e.message, MU::ERR, details: instance_descriptor
@@ -587,7 +595,6 @@ module MU
           searches << {
             filters: [
               base_filter,
-              {name: ip_type, values: [ip]},
               {name: "tag:#{args[:tag_key]}", values: [args[:tag_value]]},
             ]
           }
@@ -855,7 +862,7 @@ module MU
               raise MuError, "#{@mu_name} is configured to use LoadBalancers, but none have been loaded by dependencies()"
             end
             @loadbalancers.each { |lb|
-              lb.registerNode(@cloud_id)
+              lb.registerTarget(@cloud_id)
             }
           end
           MU.log %Q{Server #{@config['name']} private IP is #{@deploydata["private_ip_address"]}#{@deploydata["public_ip_address"] ? ", public IP is "+@deploydata["public_ip_address"] : ""}}, MU::SUMMARY
@@ -893,7 +900,8 @@ module MU
             end
           rescue MU::Groomer::RunError => e
             raise e if !@config['create_image'].nil? and !@config['image_created']
-            MU.log "Proceeding after failed initial Groomer run, but #{@mu_name} may not behave as expected!", MU::WARN, details: e.message
+            MU.log "Proceeding after failed initial Groomer run, but #{@mu_name} may not behave as expected!", MU::WARN, details: e.inspect
+            pp e.backtrace
           rescue StandardError => e
             raise e if !@config['create_image'].nil? and !@config['image_created']
             MU.log "Caught #{e.inspect} on #{@mu_name} in an unexpected place (after @groomer.run on Full Initial Run)", MU::ERR
@@ -1250,7 +1258,7 @@ module MU
             resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_addresses
           end
           resp.addresses.each { |address|
-            return address if (address.network_interface_id.nil? or address.network_interface_id.empty?) or !@eips_used.include?(address.public_ip)
+            return address if (address.network_interface_id.nil? or address.network_interface_id.empty?) and !@eips_used.include?(address.public_ip)
           }
           if !ip.nil?
             mode = classic ? "EC2 Classic" : "VPC"
@@ -1295,7 +1303,10 @@ module MU
         # @param size [String]: Size (in gb) of the new volume
         # @param type [String]: Cloud storage type of the volume, if applicable
         # @param delete_on_termination [Boolean]: Value of delete_on_termination flag to set
-        def addVolume(dev, size, type: "gp2", delete_on_termination: false)
+        def addVolume(dev: nil, size: 0, type: "gp3", delete_on_termination: false)
+          if dev.nil? or size == 0
+            raise MuError, "Must specify a device name and a size for addVolume"
+          end
           if setDeleteOntermination(dev, delete_on_termination)
             MU.log "A volume #{dev} already attached to #{self}, skipping", MU::NOTICE
@@ -1401,7 +1412,7 @@ module MU
               if @eips_used.include?(ip)
                 is_free = false
                 resp.addresses.each { |address|
-                  if address.public_ip == ip and (address.instance_id.nil? and address.network_interface_id.nil?) or address.instance_id == instance_id
+                  if address.public_ip == ip and (address.instance_id.nil? and address.association.nil?) or address.instance_id == instance_id
                     @eips_used.delete(ip)
                     is_free = true
                   end
@@ -1434,8 +1445,11 @@ module MU
                 allocation_ids: [elastic_ip.allocation_id]
               )
               first_addr = resp.addresses.first
-              if first_addr and first_addr.instance_id != instance_id
-                raise MuError, "Tried to associate #{elastic_ip.public_ip} with #{instance_id}, but it's already associated with #{first_addr.instance_id}!"
+              if first_addr and !first_addr.association_id.nil? and first_addr.instance_id != instance_id
+                ifaces = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_network_interfaces(
+                  filters: [{name: "association.allocation-id", values: [elastic_ip.allocation_id]}]
+                ).data.network_interfaces
+                raise MuError.new "Tried to associate #{elastic_ip.public_ip} with #{instance_id}, but it's already associated with #{first_addr.instance_id}!", details: ifaces
               end
             end
           }
@@ -1747,6 +1761,16 @@ module MU
                   "key_is" => "platform",
                   "value_is" => "amazon",
                   "set" => "ec2-user"
+                },
+                {
+                  "key_is" => "platform",
+                  "value_is" => "amazon2",
+                  "set" => "ec2-user"
+                },
+                {
+                  "key_is" => "platform",
+                  "value_is" => "amazon2023",
+                  "set" => "ec2-user"
                 }
               ]
             }
@@ -2098,9 +2122,9 @@ module MU
               end
             end
-            win_admin_password ||= MU.generateWindowsPassword
-            ec2config_password ||= MU.generateWindowsPassword
-            sshd_password ||= MU.generateWindowsPassword
+            win_admin_password ||= MU.generatePassword
+            ec2config_password ||= MU.generatePassword
+            sshd_password ||= MU.generatePassword
             # We're creating the vault here so when we run
             # MU::Cloud::Server.initialSSHTasks and we need to set the Windows