cloud-mu 3.5.0 → 3.6.3

Files changed (245)
  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -20,6 +20,7 @@ module MU
20
20
 
21
21
  @lb = nil
22
22
  attr_reader :targetgroups
23
+ attr_reader :is_lambda
23
24
 
24
25
  # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
25
26
  # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
@@ -161,7 +162,7 @@ module MU
161
162
  parent_thread_id = Thread.current.object_id
162
163
  generic_mu_dns = nil
163
164
  dnsthread = Thread.new {
164
- if !MU::Cloud::AWS.isGovCloud?
165
+ if MU::Cloud::AWS.hosted? and !MU::Cloud::AWS.isGovCloud?
165
166
  MU.dupGlobals(parent_thread_id)
166
167
  generic_mu_dns = MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: @mu_name, target: "#{lb.dns_name}.", cloudclass: MU::Cloud::LoadBalancer, sync_wait: @config['dns_sync_wait'])
167
168
  end
@@ -181,6 +182,7 @@ module MU
181
182
  end
182
183
 
183
184
  @targetgroups = {}
185
+ @is_lambda = false
184
186
  if !@config['healthcheck'].nil? and @config['classic']
185
187
  MU.log "Configuring custom health check for ELB #{@mu_name}", details: @config['healthcheck']
186
188
  MU::Cloud::AWS.elb(region: @region, credentials: @credentials).configure_health_check(
@@ -203,10 +205,13 @@ module MU
203
205
  :protocol => tg['proto'],
204
206
  :vpc_id => @vpc.cloud_id,
205
207
  :port => tg['port'],
206
- :target_type => 'instance'
208
+ :target_type => tg['target_type'] || "instance"
207
209
  }
208
- if tg['target_type'] && tg['target_type'] != 'instance'
209
- tg_descriptor[:target_type] = tg['target_type']
210
+ if tg['target_type'] == "lambda"
211
+ @is_lambda = true
212
+ tg_descriptor.delete(:protocol)
213
+ tg_descriptor.delete(:port)
214
+ tg_descriptor.delete(:vpc_id)
210
215
  end
211
216
  if tg['httpcode']
212
217
  tg_descriptor[:matcher] = {
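Review bot: `@is_lambda = true` is set for the whole load balancer as soon as any one target group declares `target_type == "lambda"`, and the later hunk that skips `deregistration_delay.timeout_seconds` keys on that single flag, so a load balancer mixing lambda and instance target groups would leave the instance groups' draining timeout unset. Since the lambda special-casing is a per-target-group property, apply it per group where the attribute is set: `next if tg.target_type == "lambda"` at the top of the `@targetgroups.values.each` loop, assuming the `describe_target_groups` struct stored in `@targetgroups` exposes `target_type` (it is the same field this descriptor writes). The target-group construction loop this hunk sits in begins before the hunk.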
@@ -426,17 +431,19 @@ module MU
426
431
  timeout = 0
427
432
  MU.log "Disabling connection draining on #{lb.dns_name}"
428
433
  end
429
- @targetgroups.values.each { |tg|
430
- MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).modify_target_group_attributes(
431
- target_group_arn: tg.target_group_arn,
432
- attributes: [
433
- {
434
- key: "deregistration_delay.timeout_seconds",
435
- value: timeout.to_s
436
- }
437
- ]
438
- )
439
- }
434
+ if !@is_lambda
435
+ @targetgroups.values.each { |tg|
436
+ MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).modify_target_group_attributes(
437
+ target_group_arn: tg.target_group_arn,
438
+ attributes: [
439
+ {
440
+ key: "deregistration_delay.timeout_seconds",
441
+ value: timeout.to_s
442
+ }
443
+ ]
444
+ )
445
+ }
446
+ end
440
447
  end
441
448
  end
442
449
 
@@ -569,6 +576,11 @@ module MU
569
576
  notify
570
577
  end
571
578
 
579
+ # Called automatically by {MU::Deploy#createResources}
580
+ def groom
581
+ MU.log "LoadBalancer #{@config['name']} is at #{cloud_desc.dns_name}", MU::SUMMARY
582
+ end
583
+
572
584
  # Canonical Amazon Resource Number for this resource
573
585
  # @return [String]
574
586
  def arn
@@ -603,7 +615,6 @@ module MU
603
615
  @targetgroups[tg_name] = MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).describe_target_groups(target_group_arns: [tg_arn]).target_groups.first
604
616
  }
605
617
  else
606
- pp @config['targetgroups']
607
618
  MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).describe_target_groups(load_balancer_arn: @cloud_desc_cache.load_balancer_arn).target_groups.each { |tg|
608
619
  tg_name = tg.target_group_name
609
620
  if @config['targetgroups']
@@ -644,31 +655,31 @@ module MU
644
655
 
645
656
  # Register a Server node with an existing LoadBalancer.
646
657
  #
647
- # @param instance_id [String] A node to register.
648
- # @param targetgroups [Array<String>] The target group(s) of which this node should be made a member. Not applicable to classic LoadBalancers. If not supplied, the node will be registered to all available target groups on this LoadBalancer.
649
- def registerNode(instance_id, targetgroups: nil)
658
+ # @param id [String] A node or function to register.
659
+ # @param backends [Array<String>] The target group(s) of which this node should be made a member. Not applicable to classic LoadBalancers. If not supplied, the node will be registered to all available target groups on this LoadBalancer.
660
+ def registerTarget(id, backends: nil)
650
661
  if @config['classic'] or !@config.has_key?("classic")
651
- MU.log "Registering #{instance_id} to ELB #{@cloud_id}"
662
+ MU.log "Registering #{id} to ELB #{@cloud_id}"
652
663
  MU::Cloud::AWS.elb(region: @region, credentials: @credentials).register_instances_with_load_balancer(
653
664
  load_balancer_name: @cloud_id,
654
665
  instances: [
655
- {instance_id: instance_id}
666
+ {instance_id: id}
656
667
  ]
657
668
  )
658
669
  else
659
- if targetgroups.nil? or !targetgroups.is_a?(Array) or targetgroups.size == 0
670
+ if backends.nil? or !backends.is_a?(Array) or backends.size == 0
660
671
  if @targetgroups.nil?
661
672
  cloud_desc
662
673
  return if @targetgroups.nil?
663
674
  end
664
- targetgroups = @targetgroups.keys
675
+ backends = @targetgroups.keys
665
676
  end
666
- targetgroups.each { |tg|
667
- MU.log "Registering #{instance_id} to Target Group #{tg}"
677
+ backends.each { |tg|
678
+ MU.log "Registering #{id} to Target Group #{tg}"
668
679
  MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).register_targets(
669
680
  target_group_arn: @targetgroups[tg].target_group_arn,
670
681
  targets: [
671
- {id: instance_id}
682
+ {id: id}
672
683
  ]
673
684
  )
674
685
  }
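Review bot: `registerNode` is removed rather than kept as a compatibility shim, so any caller outside this diff still using the old name (the diffstat touches `server_pool.rb` and the Azure/Google providers, none of which are visible here) will raise NoMethodError at deploy time. A three-line shim preserves the old signature, including the renamed keyword: `def registerNode(instance_id, targetgroups: nil)` / `registerTarget(instance_id, backends: targetgroups)` / `end`. For a lambda target the `id` must be the function ARN, and `register_targets` is rejected unless the function's resource policy lets `elasticloadbalancing.amazonaws.com` invoke it; I cannot see whether the function.rb changes grant that, so it is worth stating in the `@param id` doc. The method's closing lines run past this hunk.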
@@ -753,7 +764,7 @@ module MU
753
764
  end
754
765
  end
755
766
  if matched
756
- if !MU::Cloud::AWS.isGovCloud?
767
+ if MU::Cloud::AWS.hosted? and !MU::Cloud::AWS.isGovCloud?
757
768
  MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: lb.load_balancer_name, target: lb.dns_name, cloudclass: MU::Cloud::LoadBalancer, delete: true) if !noop
758
769
  end
759
770
  if classic
@@ -834,7 +845,7 @@ module MU
834
845
  "type" => "string",
835
846
  "enum" => ["HTTP", "HTTPS", "TCP", "SSL"],
836
847
  },
837
- "target_type " => {
848
+ "target_type" => {
838
849
  "type" => "string",
839
850
  "enum" => ["instance", "ip", "lambda"],
840
851
  }
@@ -244,7 +244,8 @@ module MU
244
244
  def self.find(**args)
245
245
  found = {}
246
246
  if !args[:cloud_id].nil? and !args[:cloud_id].match(/^arn:/i)
247
- found[args[:cloud_id]] = MU::Cloud::AWS::Log.getLogGroupByName(args[:cloud_id], region: args[:region], credentials: args[:credentials])
247
+ exists = MU::Cloud::AWS::Log.getLogGroupByName(args[:cloud_id], region: args[:region], credentials: args[:credentials])
248
+ found[args[:cloud_id]] = exists if exists
248
249
  else
249
250
  next_token = nil
250
251
  begin
@@ -184,6 +184,14 @@ module MU
184
184
  desc
185
185
  end
186
186
 
187
+ rescue Aws::IAM::Errors::AccessDenied => e
188
+ if e.message =~ /Cannot create versions for policies outside your own account/
189
+ MU.log "Deleting and recreating cross-account policy #{policy_name}", MU::NOTICE
190
+ purgePolicy(arn, credentials)
191
+ retry
192
+ else
193
+ raise e
194
+ end
187
195
  rescue Aws::IAM::Errors::NoSuchEntity
188
196
  MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
189
197
  desc = MU::Cloud::AWS.iam(credentials: credentials).create_policy(
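Review bot: The `retry` in the new `rescue Aws::IAM::Errors::AccessDenied` branch is unbounded: if `purgePolicy(arn, credentials)` does not actually remove the policy (it lives in another account, so these credentials may lack `iam:DeletePolicy` there) or the next `create_policy_version` is denied again with the same message, the method loops forever re-logging the same NOTICE. Bound it before the `retry`: `retries = (retries || 0) + 1; raise e if retries > 1`. Note also that deleting and recreating a managed policy detaches it from every principal that had it until the attach step runs again; if principals this deploy does not manage are attached, that transient privilege loss deserves WARN rather than NOTICE. The `begin` this rescue belongs to starts before the hunk.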
@@ -328,7 +336,7 @@ end
328
336
  version_id: p.default_version_id
329
337
  ).policy_version
330
338
 
331
- doc = JSON.parse CGI.unescape_www_form_component old.document
339
+ doc = JSON.parse URI.decode_www_form_component old.document
332
340
  need_update = false
333
341
 
334
342
  doc["Statement"].each { |s|
@@ -539,7 +547,6 @@ end
539
547
  found = {}
540
548
 
541
549
  if args[:cloud_id]
542
-
543
550
  begin
544
551
  # managed policies get fetched by ARN, roles by plain name. Ok!
545
552
  if args[:cloud_id].match(/^arn:.*?:policy\//)
@@ -560,7 +567,6 @@ end
560
567
  end
561
568
  rescue ::Aws::IAM::Errors::NoSuchEntity
562
569
  end
563
-
564
570
  else
565
571
  resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles
566
572
  resp.roles.each { |role|
@@ -1118,7 +1124,7 @@ end
1118
1124
  if role['policies']
1119
1125
  role['policies'].each { |policy|
1120
1126
  policy['targets'].each { |target|
1121
- if target['type']
1127
+ if target['type'] and _configurator.haveLitterMate?(target['identifier'], target['type'])
1122
1128
  MU::Config.addDependency(role, target['identifier'], target['type'], my_phase: "groom")
1123
1129
  end
1124
1130
  }
@@ -1135,7 +1141,7 @@ end
1135
1141
  # @param policies [Array<Hash>]: One or more policy chunks
1136
1142
  # @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
1137
1143
  # @return [Array<Hash>]
1138
- def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil)
1144
+ def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil, credentials: nil)
1139
1145
  if policies
1140
1146
  name = nil
1141
1147
  doc = {
@@ -1211,7 +1217,19 @@ end
1211
1217
  type: target["type"]
1212
1218
  )
1213
1219
  if sibling
1214
- id = sibling.cloudobj.arn
1220
+ sibling = sibling.cloudobj
1221
+ else
1222
+ found = MU::MommaCat.findStray(
1223
+ "AWS",
1224
+ target["type"],
1225
+ cloud_id: target["identifier"],
1226
+ credentials: credentials,
1227
+ dummy_ok: true
1228
+ )
1229
+ sibling = found.first
1230
+ end
1231
+ if sibling
1232
+ id = sibling.arn
1215
1233
  id.sub!(/:([^:]+)$/, ":"+'\1'+target["path"]) if target["path"]
1216
1234
  statement["Resource"] << id
1217
1235
  if id.match(/:log-group:/)
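Review bot: `sibling = found.first` after `findStray(..., dummy_ok: true)` can return a placeholder object whose `arn` is nil, in which case the next line calls `id.sub!` on nil (or appends nil to `statement["Resource"]` when no path is given), so a target that resolves to neither a sibling nor a real cloud resource now fails with NoMethodError instead of being skipped. Assign and check first: `id = sibling.arn` then `next if id.nil?` (or raise a MuError naming `target["identifier"]`, which is the more useful failure when generating a policy document). Separately, `sub!` mutates the string returned by `sibling.arn` in place, which predates this change; `id = sibling.arn.dup` avoids corrupting the object's own ARN if it hands out its internal string. The enclosing target loop continues outside the hunk.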
@@ -1269,7 +1287,7 @@ end
1269
1287
  # Convert entries from the cloud-neutral @config['policies'] list into
1270
1288
  # AWS syntax.
1271
1289
  def convert_policies_to_iam
1272
- MU::Cloud::AWS::Role.genPolicyDocument(@config['policies'], deploy_obj: @deploy)
1290
+ MU::Cloud::AWS::Role.genPolicyDocument(@config['policies'], deploy_obj: @deploy, credentials: @credentials)
1273
1291
  end
1274
1292
 
1275
1293
  def get_tag_params(strip_std = false)
@@ -276,6 +276,11 @@ module MU
276
276
  :key_name => @deploy.ssh_key_name,
277
277
  :instance_type => @config["size"],
278
278
  :disable_api_termination => true,
279
+ :metadata_options => {
280
+ :http_tokens => "optional",
281
+ :http_endpoint => "enabled",
282
+ :instance_metadata_tags => "enabled"
283
+ },
279
284
  :min_count => 1,
280
285
  :max_count => 1
281
286
  }
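Review bot: `:http_tokens => "optional"` in the new `metadata_options` leaves IMDSv1 reachable on every instance Mu launches, which keeps the classic SSRF-to-instance-role-credential path open, and `:instance_metadata_tags => "enabled"` exposes every tag value through the same unauthenticated endpoint. Unless the userdata or groomer bootstrap is known to depend on IMDSv1 calls (not visible here), the default should be `:http_tokens => "required"` together with `:http_put_response_hop_limit => 1` so a session token cannot be relayed out of a container; if some images still need v1, make it a server config knob that defaults to required rather than hardcoding optional. The `instance_descriptor` hash opens before this hunk, so the config lookup would sit alongside the `@config["size"]` read.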
@@ -348,7 +353,10 @@ module MU
348
353
  raise MuError.new e.message, details: mysubnet_ids
349
354
  end
350
355
  instance_descriptor[:subnet_id] = (mysubnet_ids - bad_subnets).sample
351
- MU.log "One or more subnets does not support this instance type, attempting with #{instance_descriptor[:subnet_id]} instead", MU::WARN, details: bad_subnets
356
+ if instance_descriptor[:subnet_id].nil?
357
+ raise MuError.new "Specified subnet#{bad_subnets.size > 1 ? "s do" : " does"} not support instance type #{instance_descriptor[:instance_type]}", details: bad_subnets
358
+ end
359
+ MU.log "One or more subnets does not support instance type #{instance_descriptor[:instance_type]}, attempting with #{instance_descriptor[:subnet_id]} instead", MU::WARN, details: bad_subnets
352
360
  retry
353
361
  rescue Aws::EC2::Errors::InvalidRequest => e
354
362
  MU.log e.message, MU::ERR, details: instance_descriptor
@@ -587,7 +595,6 @@ module MU
587
595
  searches << {
588
596
  filters: [
589
597
  base_filter,
590
- {name: ip_type, values: [ip]},
591
598
  {name: "tag:#{args[:tag_key]}", values: [args[:tag_value]]},
592
599
  ]
593
600
  }
@@ -855,7 +862,7 @@ module MU
855
862
  raise MuError, "#{@mu_name} is configured to use LoadBalancers, but none have been loaded by dependencies()"
856
863
  end
857
864
  @loadbalancers.each { |lb|
858
- lb.registerNode(@cloud_id)
865
+ lb.registerTarget(@cloud_id)
859
866
  }
860
867
  end
861
868
  MU.log %Q{Server #{@config['name']} private IP is #{@deploydata["private_ip_address"]}#{@deploydata["public_ip_address"] ? ", public IP is "+@deploydata["public_ip_address"] : ""}}, MU::SUMMARY
@@ -893,7 +900,8 @@ module MU
893
900
  end
894
901
  rescue MU::Groomer::RunError => e
895
902
  raise e if !@config['create_image'].nil? and !@config['image_created']
896
- MU.log "Proceeding after failed initial Groomer run, but #{@mu_name} may not behave as expected!", MU::WARN, details: e.message
903
+ MU.log "Proceeding after failed initial Groomer run, but #{@mu_name} may not behave as expected!", MU::WARN, details: e.inspect
904
+ pp e.backtrace
897
905
  rescue StandardError => e
898
906
  raise e if !@config['create_image'].nil? and !@config['image_created']
899
907
  MU.log "Caught #{e.inspect} on #{@mu_name} in an unexpected place (after @groomer.run on Full Initial Run)", MU::ERR
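Review bot: `pp e.backtrace` writes the groomer failure's backtrace straight to stdout, bypassing MU.log's level filtering and destinations, so it lands in whatever drives the deploy or is lost entirely under a daemonized mommacat. Fold it into the existing call and drop the `pp` line: `MU.log "Proceeding after failed initial Groomer run, but #{@mu_name} may not behave as expected!", MU::WARN, details: { error: e.inspect, backtrace: e.backtrace }`. The rescue chain this belongs to begins before the hunk.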
@@ -1250,7 +1258,7 @@ module MU
1250
1258
  resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_addresses
1251
1259
  end
1252
1260
  resp.addresses.each { |address|
1253
- return address if (address.network_interface_id.nil? or address.network_interface_id.empty?) or !@eips_used.include?(address.public_ip)
1261
+ return address if (address.network_interface_id.nil? or address.network_interface_id.empty?) and !@eips_used.include?(address.public_ip)
1254
1262
  }
1255
1263
  if !ip.nil?
1256
1264
  mode = classic ? "EC2 Classic" : "VPC"
@@ -1295,7 +1303,10 @@ module MU
1295
1303
  # @param size [String]: Size (in gb) of the new volume
1296
1304
  # @param type [String]: Cloud storage type of the volume, if applicable
1297
1305
  # @param delete_on_termination [Boolean]: Value of delete_on_termination flag to set
1298
- def addVolume(dev, size, type: "gp2", delete_on_termination: false)
1306
+ def addVolume(dev: nil, size: 0, type: "gp3", delete_on_termination: false)
1307
+ if dev.nil? or size == 0
1308
+ raise MuError, "Must specify a device name and a size for addVolume"
1309
+ end
1299
1310
 
1300
1311
  if setDeleteOntermination(dev, delete_on_termination)
1301
1312
  MU.log "A volume #{dev} already attached to #{self}, skipping", MU::NOTICE
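Review bot: Turning `addVolume(dev, size, ...)` into `addVolume(dev: nil, size: 0, ...)` converts two positional parameters into keywords, so any existing caller written as `addVolume("/dev/xvdf", 50)` now raises ArgumentError (wrong number of arguments) before the new MuError check can help; none of this method's callers appear in the visible hunks to confirm they were updated. If the keyword form is wanted, accept positionals for one release: `def addVolume(dev_pos = nil, size_pos = nil, dev: dev_pos, size: size_pos || 0, type: "gp3", delete_on_termination: false)`. The default volume type also silently moves from gp2 to gp3, which is fine for new volumes but deserves a mention in the `@param type` doc. The method body continues past this hunk.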
@@ -1401,7 +1412,7 @@ module MU
1401
1412
  if @eips_used.include?(ip)
1402
1413
  is_free = false
1403
1414
  resp.addresses.each { |address|
1404
- if address.public_ip == ip and (address.instance_id.nil? and address.network_interface_id.nil?) or address.instance_id == instance_id
1415
+ if address.public_ip == ip and (address.instance_id.nil? and address.association.nil?) or address.instance_id == instance_id
1405
1416
  @eips_used.delete(ip)
1406
1417
  is_free = true
1407
1418
  end
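Review bot: The new condition reads `address.association.nil?`, but the same aws-sdk EC2 `Address` struct is queried as `association_id` a few hunks later in this diff (`first_addr.association_id`), so this line most likely raises NoMethodError on every address in `@eips_used` rather than detecting a freed EIP; use `address.association_id.nil?`. The expression also mixes `and`/`or` at equal precedence (pre-existing), so it parses as `(public_ip == ip and …) or instance_id == instance_id` and would mark `ip` free whenever any address belongs to this instance; if the IP match is meant to apply to both arms, parenthesize: `address.public_ip == ip and (address.instance_id.nil? and address.association_id.nil? or address.instance_id == instance_id)`. The `resp.addresses.each` loop opens before the hunk.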
@@ -1434,8 +1445,11 @@ module MU
1434
1445
  allocation_ids: [elastic_ip.allocation_id]
1435
1446
  )
1436
1447
  first_addr = resp.addresses.first
1437
- if first_addr and first_addr.instance_id != instance_id
1438
- raise MuError, "Tried to associate #{elastic_ip.public_ip} with #{instance_id}, but it's already associated with #{first_addr.instance_id}!"
1448
+ if first_addr and !first_addr.association_id.nil? and first_addr.instance_id != instance_id
1449
+ ifaces = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_network_interfaces(
1450
+ filters: [{name: "association.allocation-id", values: [elastic_ip.allocation_id]}]
1451
+ ).data.network_interfaces
1452
+ raise MuError.new "Tried to associate #{elastic_ip.public_ip} with #{instance_id}, but it's already associated with #{first_addr.instance_id}!", details: ifaces
1439
1453
  end
1440
1454
  end
1441
1455
  }
@@ -1747,6 +1761,16 @@ module MU
1747
1761
  "key_is" => "platform",
1748
1762
  "value_is" => "amazon",
1749
1763
  "set" => "ec2-user"
1764
+ },
1765
+ {
1766
+ "key_is" => "platform",
1767
+ "value_is" => "amazon2",
1768
+ "set" => "ec2-user"
1769
+ },
1770
+ {
1771
+ "key_is" => "platform",
1772
+ "value_is" => "amazon2023",
1773
+ "set" => "ec2-user"
1750
1774
  }
1751
1775
  ]
1752
1776
  }
@@ -2098,9 +2122,9 @@ module MU
2098
2122
  end
2099
2123
  end
2100
2124
 
2101
- win_admin_password ||= MU.generateWindowsPassword
2102
- ec2config_password ||= MU.generateWindowsPassword
2103
- sshd_password ||= MU.generateWindowsPassword
2125
+ win_admin_password ||= MU.generatePassword
2126
+ ec2config_password ||= MU.generatePassword
2127
+ sshd_password ||= MU.generatePassword
2104
2128
 
2105
2129
  # We're creating the vault here so when we run
2106
2130
  # MU::Cloud::Server.initialSSHTasks and we need to set the Windows
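Review bot: These three values become the Windows Administrator, EC2Config and sshd passwords, and the switch from `MU.generateWindowsPassword` to the generic `MU.generatePassword` is only safe if the generic generator still satisfies Windows' default complexity policy (three of upper/lower/digit/symbol, not containing the account name) and the minimum length the images enforce; neither generator's body is in this diff, so that should be confirmed. If `generatePassword` can emit a non-compliant string, the password set on first boot fails and the node is left with whatever the AMI shipped. A comment recording the requirement here, e.g. `# must satisfy Windows password complexity; generatePassword is expected to guarantee this`, plus a unit test of the generator against that policy, would close the gap. The enclosing method starts before the hunk.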