RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/modules/mu/providers/aws/server_pool.rb CHANGED Viewed

@@ -113,6 +113,7 @@ module MU
                 }
               rescue MU::Groomer::RunError => e
                 MU.log "Proceeding after failed initial Groomer run, but #{member.instance_id} may not behave as expected!", MU::WARN, details: e.inspect
+                pp e.backtrace
               rescue StandardError => e
                 if !member.nil? and !done
                   MU.log "Aborted before I could finish setting up #{@config['name']}, cleaning it up. Stack trace will print once cleanup is complete.", MU::WARN if !@deploy.nocleanup
@@ -592,6 +593,12 @@ module MU
                 }
               }
             },
+            "shutdown_behavior" => {
+              "type" => "string",
+              "description" => "(Instance Templates only) Behavior when an instance is shut down at OS level",
+              "default" => "terminate",
+              "enum" => ["stop", "terminate"]
+            },
             "generate_iam_role" => {
               "type" => "boolean",
               "default" => true,
@@ -826,6 +833,15 @@ module MU
             },
             "ingress_rules" => MU::Cloud.resourceClass("AWS", "FirewallRule").ingressRuleAddtlSchema
           }
+          # Derpy hack: Make launch_template a valid basis key, largely the
+          # same schema as launch_config, just to cue us on which thing to
+          # build.
+          schema["basis"] = {
+            "properties" => {
+              "launch_template" => MU::Config::ServerPool.schema["properties"]["basis"]["properties"]["launch_config"].dup
+            }
+          }
           [toplevel_required, schema]
         end
@@ -893,8 +909,14 @@ module MU
             end
           }
-          if !pool["basis"]["launch_config"].nil?
-            launch = pool["basis"]["launch_config"]
+          if pool["basis"]["launch_config"] or pool["basis"]["launch_template"]
+            launch = if pool["basis"]["launch_config"]
+              MU.log "Launch Configurations are being sunsetted by AWS. You should switch to Launch Templates.", MU::WARN
+              sleep 10
+              pool["basis"]["launch_config"]
+            else
+              pool["basis"]["launch_template"]
+            end
             launch['iam_policies'] ||= pool['iam_policies']
             launch['size'] = MU::Cloud.resourceClass("AWS", "Server").validateInstanceType(launch["size"], pool["region"])
@@ -915,11 +937,10 @@ module MU
             }
             MU::Cloud.resourceClass("AWS", "Server").generateStandardRole(pool, configurator)
-            launch["ami_id"] ||= launch["image_id"]
-            if launch["server"].nil? and launch["instance_id"].nil? and launch["ami_id"].nil?
+            if launch["server"].nil? and launch["instance_id"].nil? and launch["image_id"].nil?
               img_id = MU::Cloud.getStockImage("AWS", platform: pool['platform'], region: pool['region'])
               if img_id
-                launch['ami_id'] = configurator.getTail("pool"+pool['name']+"AMI", value: img_id, prettyname: "pool"+pool['name']+"AMI", cloudtype: "AWS::EC2::Image::Id")
+                launch['image_id'] = configurator.getTail("pool"+pool['name']+"AMI", value: img_id, prettyname: "pool"+pool['name']+"AMI", cloudtype: "AWS::EC2::Image::Id")
               else
                 ok = false
@@ -1094,7 +1115,7 @@ module MU
                 launch_configuration_name: resource_id
               )
             rescue Aws::AutoScaling::Errors::ValidationError => e
-              MU.log "No such Launch Configuration #{resource_id}"
+              MU.log "No such Launch Configuration #{resource_id}", MU::DEBUG
             rescue Aws::AutoScaling::Errors::InternalFailure => e
               if retries < 5
                 MU.log "Got #{e.inspect} while removing Launch Configuration #{resource_id}.", MU::WARN
@@ -1104,6 +1125,14 @@ module MU
                 MU.log "Failed to delete Launch Configuration #{resource_id}", MU::ERR
               end
             end
+            retries = 0
+            begin
+              MU.log "Removing Launch Template #{resource_id}"
+              MU::Cloud::AWS.ec2(region: region, credentials: credentials).delete_launch_template(launch_template_name: resource_id)
+            rescue Aws::EC2::Errors::InvalidLaunchTemplateNameNotFoundException => e
+              MU.log "No such Launch Template #{resource_id}", MU::DEBUG
+            end
           }
           return nil
         end
@@ -1111,31 +1140,58 @@ module MU
         private
         def createUpdateLaunchConfig
-          return if !@config['basis'] or !@config['basis']["launch_config"]
+          return if !@config['basis'] or !(@config['basis']["launch_config"] or @config['basis']["launch_template"])
           instance_secret = Password.random(50)
           @deploy.saveNodeSecret("default", instance_secret, "instance_secret")
+          launch_chunk = if @config['basis']['launch_config']
+            @config['basis']['launch_config']
+          else
+            @config['basis']['launch_template']
+          end
+          if !launch_chunk['image_id'] and !launch_chunk['ami_id']
+            pp launch_chunk
+            raise "missing image_id from launch somehow"
+          end
+          launch_chunk['image_id'] ||= launch_chunk['ami_id']
-          if !@config['basis']['launch_config']["server"].nil?
+          if !launch_chunk["server"].nil?
             #XXX this isn't how we find these; use findStray or something
-            if @deploy.deployment["images"].nil? or @deploy.deployment["images"][@config['basis']['launch_config']["server"]].nil?
-              raise MuError, "#{@mu_name} needs an AMI from server #{@config['basis']['launch_config']["server"]}, but I don't see one anywhere"
+            if @deploy.deployment["images"].nil? or @deploy.deployment["images"][launch_chunk["server"]].nil?
+              raise MuError, "#{@mu_name} needs an AMI from server #{launch_chunk["server"]}, but I don't see one anywhere"
             end
-            @config['basis']['launch_config']["ami_id"] = @deploy.deployment["images"][@config['basis']['launch_config']["server"]]["image_id"]
-            MU.log "Using AMI '#{@config['basis']['launch_config']["ami_id"]}' from sibling server #{@config['basis']['launch_config']["server"]} in ServerPool #{@mu_name}"
-          elsif !@config['basis']['launch_config']["instance_id"].nil?
-            @config['basis']['launch_config']["ami_id"] = MU::Cloud.resourceClass("AWS", "Server").createImage(
+            launch_chunk["image_id"] = @deploy.deployment["images"][launch_chunk["server"]]["image_id"]
+            MU.log "Using AMI '#{launch_chunk["image_id"]}' from sibling server #{launch_chunk["server"]} in ServerPool #{@mu_name}"
+          elsif !launch_chunk["instance_id"].nil?
+            launch_chunk["image_id"] = MU::Cloud.resourceClass("AWS", "Server").createImage(
               name: @mu_name,
-              instance_id: @config['basis']['launch_config']["instance_id"],
+              instance_id: launch_chunk["instance_id"],
               credentials: @credentials,
               region: @region
             )[@region]
           end
-          MU::Cloud.resourceClass("AWS", "Server").waitForAMI(@config['basis']['launch_config']["ami_id"].to_s, credentials: @credentials)
-          oldlaunch = MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).describe_launch_configurations(
-            launch_configuration_names: [@mu_name]
-          ).launch_configurations.first
+          if launch_chunk["image_id"]
+            MU::Cloud.resourceClass("AWS", "Server").waitForAMI(launch_chunk["image_id"].to_s, credentials: @credentials)
+          end
+          oldlaunch = if @config['basis']['launch_template']
+            begin
+              MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).describe_launch_templates(
+                launch_template_names: [@mu_name]
+              ).launch_templates.first
+            rescue Aws::EC2::Errors::InvalidLaunchTemplateNameNotFoundException
+              nil
+            end
+          else
+            MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).describe_launch_configurations(
+              launch_configuration_names: [@mu_name]
+            ).launch_configurations.first
+          end
           userdata = MU::Cloud.fetchUserdata(
             platform: @config["platform"],
@@ -1160,10 +1216,10 @@ module MU
           )
           # Figure out which devices are embedded in the AMI already.
-          image = MU::Cloud::AWS.ec2.describe_images(image_ids: [@config["basis"]["launch_config"]["ami_id"]]).images.first
+          image = MU::Cloud::AWS.ec2.describe_images(image_ids: [launch_chunk["image_id"]]).images.first
           if image.nil?
-            raise "#{@config["basis"]["launch_config"]["ami_id"]} does not exist, cannot update/create launch config #{@mu_name}"
+            raise "#{launch_chunk["image_id"]} does not exist, cannot update/create launch config #{@mu_name}"
           end
           ext_disks = {}
@@ -1179,8 +1235,8 @@ module MU
           end
           storage = []
-          if !@config["basis"]["launch_config"]["storage"].nil?
-            @config["basis"]["launch_config"]["storage"].each { |vol|
+          if !launch_chunk["storage"].nil?
+            launch_chunk["storage"].each { |vol|
               if ext_disks.has_key?(vol["device"])
                 if ext_disks[vol["device"]].has_key?(:snapshot_id)
                   vol.delete("encrypted")
@@ -1194,151 +1250,205 @@ module MU
           storage.concat(MU::Cloud.resourceClass("AWS", "Server").ephemeral_mappings)
           if !oldlaunch.nil?
-            olduserdata = Base64.decode64(oldlaunch.user_data)
-            if userdata == olduserdata and
-                oldlaunch.image_id == @config["basis"]["launch_config"]["ami_id"] and
-                oldlaunch.ebs_optimized == @config["basis"]["launch_config"]["ebs_optimized"] and
-                oldlaunch.instance_type == @config["basis"]["launch_config"]["size"] and
-                oldlaunch.instance_monitoring.enabled == @config["basis"]["launch_config"]["monitoring"]
-                # XXX check more things
+            if @config['basis']['launch_template']
+MU.log "XXX LAUNCH TEMPLATE ADD A NEW VERSION", MU::ERR
+            else
+              olduserdata = Base64.decode64(oldlaunch.user_data)
+              if userdata == olduserdata and
+                  oldlaunch.image_id == launch_chunk["image_id"] and
+                  oldlaunch.ebs_optimized == launch_chunk["ebs_optimized"] and
+                  oldlaunch.instance_type == launch_chunk["size"] and
+                  oldlaunch.instance_monitoring.enabled == launch_chunk["monitoring"]
+                  # XXX check more things
 #                launch.block_device_mappings != storage
 #                XXX block device comparison isn't this simple
-              return
-            end
+                return
+              end
-            # Put our Autoscale group onto a temporary launch config
-            begin
+              # Put our Autoscale group onto a temporary launch config
+              try_ami = oldlaunch.image_id
+              begin
-              MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).create_launch_configuration(
-                launch_configuration_name: @mu_name+"-TMP",
-                user_data: Base64.encode64(olduserdata),
-                image_id: oldlaunch.image_id,
-                key_name: oldlaunch.key_name,
-                security_groups: oldlaunch.security_groups,
-                instance_type: oldlaunch.instance_type,
-                block_device_mappings: storage,
-                instance_monitoring: oldlaunch.instance_monitoring,
-                iam_instance_profile: oldlaunch.iam_instance_profile,
-                ebs_optimized: oldlaunch.ebs_optimized,
-                associate_public_ip_address: oldlaunch.associate_public_ip_address
-              )
-            rescue ::Aws::AutoScaling::Errors::ValidationError => e
-              if e.message.match(/Member must have length less than or equal to (\d+)/)
-                MU.log "Userdata script too long updating #{@mu_name} Launch Config (#{Base64.encode64(userdata).size.to_s}/#{Regexp.last_match[1]} bytes)", MU::ERR
-              else
-                MU.log "Error updating #{@mu_name} Launch Config", MU::ERR, details: e.message
+                MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).create_launch_configuration(
+                  launch_configuration_name: @mu_name+"-TMP",
+                  user_data: Base64.encode64(olduserdata),
+                  image_id: try_ami,
+                  key_name: oldlaunch.key_name,
+                  security_groups: oldlaunch.security_groups,
+                  instance_type: oldlaunch.instance_type,
+                  block_device_mappings: storage,
+                  instance_monitoring: oldlaunch.instance_monitoring,
+                  iam_instance_profile: oldlaunch.iam_instance_profile,
+                  ebs_optimized: oldlaunch.ebs_optimized,
+                  associate_public_ip_address: oldlaunch.associate_public_ip_address
+                )
+              rescue ::Aws::AutoScaling::Errors::ValidationError => e
+                if e.message.match(/Member must have length less than or equal to (\d+)/)
+                  MU.log "Userdata script too long updating #{@mu_name} Launch Config (#{Base64.encode64(userdata).size.to_s}/#{Regexp.last_match[1]} bytes)", MU::ERR
+                elsif e.message.match(/AMI cannot be described/) and try_ami == oldlaunch.image_id and try_ami != launch_chunk["image_id"]
+                  try_ami = launch_chunk["image_id"]
+                  retry
+                else
+                  MU.log "Error saving copy of old #{@mu_name} Launch Config: #{e.message}", MU::ERR
+                end
+                raise e.message
               end
-              raise e.message
-            end
-            MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).update_auto_scaling_group(
-              auto_scaling_group_name: @mu_name,
-              launch_configuration_name: @mu_name+"-TMP"
-            )
-            # ...now back to an identical one with the "real" name
-            MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).delete_launch_configuration(
-              launch_configuration_name: @mu_name
-            )
+              MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).update_auto_scaling_group(
+                auto_scaling_group_name: @mu_name,
+                launch_configuration_name: @mu_name+"-TMP"
+              )
+              # ...now back to an identical one with the "real" name
+              MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).delete_launch_configuration(
+                launch_configuration_name: @mu_name
+              )
+            end
           end
-          # Now to build the new one
           sgs = []
           if @dependencies.has_key?("firewall_rule")
             @dependencies['firewall_rule'].values.each { |sg|
               sgs << sg.cloud_id
             }
           end
-          launch_options = {
-            :launch_configuration_name => @mu_name,
-            :user_data => Base64.encode64(userdata),
-            :image_id => @config["basis"]["launch_config"]["ami_id"],
-            :key_name => @deploy.ssh_key_name,
-            :security_groups => sgs,
-            :instance_type => @config["basis"]["launch_config"]["size"],
-            :block_device_mappings => storage,
-            :instance_monitoring => {:enabled => @config["basis"]["launch_config"]["monitoring"]},
-            :ebs_optimized => @config["basis"]["launch_config"]["ebs_optimized"]
-          }
-          if @config["vpc"] or @config["vpc_zone_identifier"]
-            launch_options[:associate_public_ip_address] = @config["associate_public_ip"]
-          end
-          ["kernel_id", "ramdisk_id", "spot_price"].each { |arg|
-            if @config['basis']['launch_config'][arg]
-              launch_options[arg.to_sym] = @config['basis']['launch_config'][arg]
-            end
-          }
-          rolename = nil
           ['generate_iam_role', 'iam_policies', 'canned_iam_policies', 'iam_role'].each { |field|
-            if !@config['basis']['launch_config'].nil?
-              @config[field] = @config['basis']['launch_config'][field]
+            if launch_chunk
+              @config[field] = launch_chunk[field]
             else
-              @config['basis']['launch_config'][field] = @config[field]
+              launch_chunk[field] = @config[field]
             end
           }
-          @config['iam_role'] = @config['basis']['launch_config']['iam_role'] = launch_options[:iam_instance_profile] = MU::Cloud.resourceClass("AWS", "Server").getIAMProfile(
+          @config['iam_role'] = launch_chunk['iam_role'] = MU::Cloud.resourceClass("AWS", "Server").getIAMProfile(
             @config['name'],
             @deploy,
-            generated: @config['basis']['launch_config']['generate_iam_role'],
-            role_name: @config['basis']['launch_config']['iam_role'],
+            generated: launch_chunk['generate_iam_role'],
+            role_name: launch_chunk['iam_role'],
             region: @region,
             credentials: @credentials
           ).values.first
-          lc_attempts = 0
-          begin
-            MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).create_launch_configuration(launch_options)
-          rescue Aws::AutoScaling::Errors::ValidationError => e
-            if lc_attempts > 3
-              MU.log "Got error while creating #{@mu_name} Launch Config#{@credentials ? " with credentials #{@credentials}" : ""}: #{e.message}, retrying in 10s", MU::WARN, details: launch_options.reject { |k,_v | k == :user_data }
+          if @config['basis']['launch_config']
+            @config['basis']['launch_config']['iam_role'] = @config['iam_role']
+            launch_options = {
+              :launch_configuration_name => @mu_name,
+              :user_data => Base64.encode64(userdata),
+              :image_id => launch_chunk["image_id"],
+              :key_name => @deploy.ssh_key_name,
+              :iam_instance_profile => @config['iam_role'],
+              :security_groups => sgs,
+              :instance_type => launch_chunk["size"],
+              :block_device_mappings => storage,
+              :instance_monitoring => {:enabled => launch_chunk["monitoring"]},
+              :ebs_optimized => launch_chunk["ebs_optimized"]
+            }
+            if @config["vpc"] or @config["vpc_zone_identifier"]
+              launch_options[:associate_public_ip_address] = @config["associate_public_ip"]
             end
-            sleep 5
-            lc_attempts += 1
-            retry
+            ["kernel_id", "ramdisk_id", "spot_price"].each { |arg|
+              if launch_chunk[arg]
+                launch_options[arg.to_sym] = launch_chunk[arg]
+              end
+            }
+            rolename = nil
+            lc_attempts = 0
+            begin
+              MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).create_launch_configuration(launch_options)
+            rescue Aws::AutoScaling::Errors::ValidationError => e
+              if lc_attempts > 3
+                MU.log "Got error while creating #{@mu_name} Launch Config#{@credentials ? " with credentials #{@credentials}" : ""}: #{e.message}, retrying in 5s", MU::WARN, details: launch_options.reject { |k,_v | k == :user_data }
+              end
+              sleep 5
+              lc_attempts += 1
+              retry
+            end
+            MU.log "Launch Configuration #{@mu_name} created"
+          elsif !oldlaunch # XXX actually just generate a version instead of a whole new template
+            @config['basis']['launch_template']['iam_role'] = @config['iam_role']
+            launch_options = {
+              :launch_template_name => @mu_name,
+              :version_description => "initial",
+              :launch_template_data => {
+                :image_id => launch_chunk["image_id"],
+                :instance_type => launch_chunk["size"],
+                :block_device_mappings => storage,
+                :key_name => @deploy.ssh_key_name,
+                :security_group_ids => sgs,
+                :instance_initiated_shutdown_behavior => @config['shutdown_behavior'],
+                :metadata_options => {
+                  :http_tokens => "optional",
+                  :http_endpoint => "enabled",
+                  :instance_metadata_tags => "enabled"
+                },
+                :iam_instance_profile => {
+                  :name => @config['iam_role']
+                },
+                :ebs_optimized => launch_chunk["ebs_optimized"],
+                :monitoring => {:enabled => launch_chunk["monitoring"]},
+                :tag_specifications => [
+                 :resource_type => "instance",
+                 :tags => @tags.keys.map { |t| { key: t, value: @tags[t] } }
+                ],
+                :user_data => Base64.encode64(userdata),
+              },
+            }
+            ["kernel_id", "ramdisk_id"].each { |arg|
+              if launch_chunk[arg]
+                launch_options[:launch_template_data][arg.to_sym] = launch_chunk[arg]
+              end
+            }
+            lt_attempts = 0
+            resp = nil
+            begin
+              resp = MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).create_launch_template(launch_options)
+              pp resp
+              if !resp or !resp.launch_template or resp.launch_template.empty? or (resp and resp.warning and resp.warning.errors)
+                MU.log "Got error while creating #{@mu_name} Launch Template#{@credentials ? " with credentials #{@credentials}" : ""}: #{resp.warning.errors.first.message} (deleting then retrying in 5s)", MU::WARN, details: launch_options
+                MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).delete_launch_template(launch_template_id: resp.launch_template.launch_template_id)
+                sleep 5
+                lt_attempts += 1
+              end
+            end while lt_attempts < 5 and resp and resp.warning and resp.warning.errors
+            MU.log "Launch Template #{@mu_name} created"
           end
           if !oldlaunch.nil?
-            # Tell the ASG to use the new one, and nuke the old one
-            MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).update_auto_scaling_group(
-              auto_scaling_group_name: @mu_name,
-              launch_configuration_name: @mu_name
-            )
-            MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).delete_launch_configuration(
-              launch_configuration_name: @mu_name+"-TMP"
-            )
-            MU.log "Launch Configuration #{@mu_name} replaced"
-          else
-            MU.log "Launch Configuration #{@mu_name} created"
+            if @config['basis']['launch_template']
+MU.log "XXX LAUNCH TEMPLATE MAKE ASG USE NEW VERSION", MU::ERR
+            else
+              # Tell the ASG to use the new LaunchConfig, and nuke the old one
+              MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).update_auto_scaling_group(
+                auto_scaling_group_name: @mu_name,
+                launch_configuration_name: @mu_name
+              )
+              MU::Cloud::AWS.autoscale(region: @region, credentials: @credentials).delete_launch_configuration(
+                launch_configuration_name: @mu_name+"-TMP"
+              )
+              MU.log "Launch Configuration #{@mu_name} replaced"
+            end
           end
         end
         def buildOptionsHash
           asg_options = {
             :auto_scaling_group_name => @mu_name,
-            :launch_configuration_name => @mu_name,
             :default_cooldown => @config["default_cooldown"],
             :health_check_type => @config["health_check_type"],
             :health_check_grace_period => @config["health_check_grace_period"],
-            :tags => []
           }
+          asg_options[:tags] = @tags.keys.map { |t| { key: t, value: @tags[t], propagate_at_launch: true } }
-          MU::MommaCat.listStandardTags.each_pair { |name, value|
-            asg_options[:tags] << {key: name, value: value, propagate_at_launch: true}
-          }
-          if @config['optional_tags']
-            MU::MommaCat.listOptionalTags.each_pair { |name, value|
-              asg_options[:tags] << {key: name, value: value, propagate_at_launch: true}
-            }
-          end
-          if @config['tags']
-            @config['tags'].each { |tag|
-              asg_options[:tags] << {key: tag['key'], value: tag['value'], propagate_at_launch: true}
+          if @config['basis']['launch_config']
+            asg_options[:launch_configuration_name] = @mu_name
+          else
+            asg_options[:launch_template] = {
+              :launch_template_name => @mu_name,
+              :version => "$Default"
             }
           end

data/modules/mu/providers/aws/storage_pool.rb CHANGED Viewed

@@ -31,7 +31,8 @@ module MU
           MU.log "Creating storage pool #{@mu_name}"
           resp = MU::Cloud::AWS.efs(region: @region, credentials: @credentials).create_file_system(
             creation_token: @mu_name,
-            performance_mode: @config['storage_type']
+            performance_mode: @config['storage_type'],
+            encrypted: @config['encrypt']
           )
           attempts = 0
@@ -438,6 +439,11 @@ module MU
         def self.schema(_config)
           toplevel_required = []
           schema = {
+            "encrypt" => {
+              "type" => "boolean",
+              "description" => "Encrypt EFS data at rest",
+              "default" => true
+            },
             "ingress_rules" => {
               "type" => "array",
               "description" => "Firewall rules to apply to our mountpoints",

data/modules/mu/providers/aws/user.rb CHANGED Viewed

@@ -82,7 +82,7 @@ module MU
                 MU.log "User #{@mu_name}'s AWS Console password can be retrieved from: https://#{$MU_CFG['public_address']}/scratchpad/#{scratchitem}", MU::SUMMARY
               rescue Aws::IAM::Errors::PasswordPolicyViolation => e
                 if retries < 1
-                  pw = MU.generateWindowsPassword
+                  pw = MU.generatePassword
                   retries += 1
                   sleep 1
                   retry

data/modules/mu/providers/aws/userdata/linux.erb CHANGED Viewed

@@ -32,13 +32,17 @@ done
 if ping -c 5 8.8.8.8 > /dev/null; then
   if [ -f /etc/debian_version ];then
+    export DEBIAN_FRONTEND="noninteractive"
     if ! grep '^/bin/sh /var/lib/cloud/instance/user-data.txt$' /etc/rc.local > /dev/null;then
       echo "/bin/sh /var/lib/cloud/instance/user-data.txt" >> /etc/rc.local
     fi
     apt-get update -y
     if [ ! -f /usr/bin/pip ] ;then /usr/bin/apt-get --fix-missing -y install python-pip;fi
     if [ ! -f /usr/bin/curl ] ;then /usr/bin/apt-get --fix-missing -y install curl;fi
-    AWSCLI=/usr/local/bin/aws
+    AWSCLI=/usr/bin/aws
+    if [ ! -x /usr/bin/aws ];then
+      apt-get -y install awscli
+    fi
 <% if !$mu.skipApplyUpdates %>
     set +e
     if [ ! -f /.mu-installer-ran-updates ];then
@@ -147,7 +151,7 @@ fi
 umask 0077
 if [ ! -f /opt/chef/embedded/bin/ruby ];then
-  curl https://www.chef.io/chef/install.sh > chef-install.sh
+  curl https://omnitruck.chef.io/install.sh > chef-install.sh
   set +e
   # We may run afoul of a synchronous bootstrap process doing the same thing. So
   # wait until we've managed to run successfully.

data/modules/mu/providers/aws/userdata/windows.erb CHANGED Viewed

@@ -11,8 +11,8 @@ $cygwin_dir = "$basedir/cygwin"
 $username = (whoami).Split('\')[1]
 $WebClient = New-Object System.Net.WebClient
 $awsmeta = "http://169.254.169.254/latest"
-$pydir = 'c:\bin\python\python27'
-$pyv = '2.7.14'
+$pydir = 'c:\bin\python\python310'
+$pyv = '3.10.5'
 $env:Path += ";$pydir\Scripts;$pydir"
 function log
@@ -91,12 +91,12 @@ If ([Environment]::OSVersion.Version.Major -lt 10) {
 <% end %>
 If (!(Test-Path "$pydir\python.exe")){
-  If (!(Test-Path $tmp\python-$pyv.msi)){
+  If (!(Test-Path $tmp\python-$pyv.exe)){
     log "Downloading Python installer"
-    $WebClient.DownloadFile("https://www.python.org/ftp/python/$pyv/python-$pyv.msi","$tmp/python-$pyv.msi")
+    $WebClient.DownloadFile("https://www.python.org/ftp/python/$pyv/python-$pyv-amd64.exe","$tmp/python-$pyv.exe")
   }
   log "Running Python installer"
-  (Start-Process -FilePath msiexec -ArgumentList "/i $tmp\python-$pyv.msi /qn ALLUSERS=1 TARGETDIR=$pydir" -Wait -Passthru).ExitCode
+  (Start-Process -FilePath "$tmp/python-$pyv.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 TargetDir=$pydir" -Wait -Passthru).ExitCode
 }
 If (!(Test-Path "$pydir\Scripts\aws.cmd")){
@@ -109,6 +109,8 @@ If (!(Test-Path "$pydir\Scripts\aws.cmd")){
   pip install awscli
 }
+(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $server -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
 function removeChef($location){
   $install_chef = $false
   $my_chef = (Get-ItemProperty $location | Where-Object {$_.DisplayName -like "chef client*"}).DisplayName