RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/modules/mu/providers/aws/vpc.rb CHANGED Viewed

@@ -114,20 +114,6 @@ module MU
             raise MuError, "VPC endpoint failed #{endpoint_id}: #{resp}" if resp.state == "failed"
           end
-          if @config["enable_traffic_logging"]
-            loggroup = @deploy.findLitterMate(name: @config['name']+"loggroup", type: "logs")
-            logrole = @deploy.findLitterMate(name: @config['name']+"logrole", type: "roles")
-            MU.log "Enabling traffic logging on VPC #{@mu_name} to log group #{loggroup.mu_name}"
-            MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).create_flow_logs(
-              resource_ids: [@cloud_id],
-              resource_type: "VPC",
-              traffic_type: "ALL",
-              log_group_name: loggroup.mu_name,
-              deliver_logs_permission_arn: logrole.cloudobj.arn
-            )
-          end
           nat_gateways = create_subnets
           notify
@@ -270,6 +256,39 @@ module MU
             }
           end
+          if @config["enable_traffic_logging"]
+            ext = MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).describe_flow_logs(
+               filter: [
+                 { name: "resource-id", values: [@cloud_id] }
+               ]
+            )
+            # XXX a smarter guard would filter with more specificity
+            if !ext or ext.flow_logs.empty?
+              loggroup = if @config['log_group_name']
+                @config['log_group_name']
+              else
+                @deploy.findLitterMate(name: @config['name']+"loggroup", type: "logs").mu_name
+              end
+              logrole = @deploy.findLitterMate(name: @config['name']+"logrole", type: "roles")
+              MU.log "Enabling traffic logging on VPC #{@mu_name} to log group #{loggroup}"
+              MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).create_flow_logs(
+                resource_ids: [@cloud_id],
+                resource_type: "VPC",
+                traffic_type: "ALL",
+                log_group_name: loggroup,
+                deliver_logs_permission_arn: logrole.cloudobj.arn,
+                tag_specifications: [
+                  {
+                    resource_type: "vpc-flow-log",
+                    tags: @tags.each_key.map { |k| { :key => k, :value => @tags[k] } }
+                  }
+                ]
+              )
+            end
+          end
         end
         # Locate an existing VPC or VPCs and return an array containing matching AWS resource descriptors for those that match.
@@ -942,13 +961,15 @@ module MU
           ok = true
           if vpc["enable_traffic_logging"]
-            logdesc = {
-              "name" => vpc['name']+"loggroup",
-            }
-            logdesc["tags"] = vpc["tags"] if !vpc["tags"].nil?
-#            logdesc["optional_tags"] = vpc["optional_tags"] if !vpc["optional_tags"].nil?
-            configurator.insertKitten(logdesc, "logs")
-            MU::Config.addDependency(vpc, vpc['name']+"loggroup", "log")
+            if !vpc['log_group_name']
+              logdesc = {
+                "name" => vpc['name']+"loggroup",
+              }
+              logdesc["tags"] = vpc["tags"] if !vpc["tags"].nil?
+#              logdesc["optional_tags"] = vpc["optional_tags"] if !vpc["optional_tags"].nil?
+              configurator.insertKitten(logdesc, "logs")
+              MU::Config.addDependency(vpc, vpc['name']+"loggroup", "log")
+            end
             roledesc = {
               "name" => vpc['name']+"logrole",
@@ -971,20 +992,23 @@ module MU
                   "targets" => [
                     {
                       "type" => "log",
-                      "identifier" => vpc['name']+"loggroup"
+                      "identifier" => vpc['log_group_name'] ? vpc['log_group_name'] : vpc['name']+"loggroup"
                     }
                   ]
                 }
-              ],
-              "dependencies" => [
+              ]
+            }
+            if !vpc['log_group_name']
+              roledesc["dependencies"] = [
                 {
                   "type" => "log",
                   "name" => vpc['name']+"loggroup"
                 }
               ]
-            }
+            end
             roledesc["tags"] = vpc["tags"] if !vpc["tags"].nil?
             roledesc["optional_tags"] = vpc["optional_tags"] if !vpc["optional_tags"].nil?
             configurator.insertKitten(roledesc, "roles")
             MU::Config.addDependency(vpc, vpc['name']+"logrole", "role")
           end

data/modules/mu/providers/aws.rb CHANGED Viewed

@@ -44,6 +44,12 @@ module MU
         [cfg['account_number']]
       end
+      # Cloud-specific resource methods or attributes we want exposed for
+      # reading by {MU::Cloud}
+      def self.customAttrReaders
+        [:region, :cloudformation_data]
+      end
       # A hook that is always called just before any of the instance method of
       # our resource implementations gets invoked, so that we can ensure that
       # repetitive setup tasks (like resolving +:resource_group+ for Azure
@@ -51,10 +57,6 @@ module MU
       # @param cloudobj [MU::Cloud]
       # @param _deploy [MU::MommaCat]
       def self.resourceInitHook(cloudobj, _deploy)
-        class << self
-          attr_reader :cloudformation_data
-          attr_reader :region
-        end
         return if !cloudobj
         cloudobj.instance_variable_set(:@cloudformation_data, {})
@@ -409,8 +411,10 @@ end
       end
       # Plant a Mu deploy secret into a storage bucket somewhere for so our kittens can consume it
-      # @param deploy_id [String]: The deploy for which we're writing the secret
+      # @param deploy [String]: The deploy for which we're writing the secret
       # @param value [String]: The contents of the secret
+      # @param name [String]: File/object name
+      # @param credentials [String]
       def self.writeDeploySecret(deploy, value, name = nil, credentials: nil)
         require "aws-sdk-s3"
         name ||= deploy.deploy_id+"-secret"
@@ -531,9 +535,9 @@ end
         if !@@is_in_aws.nil?
           return @@is_in_aws
         end
+start = Time.now
         begin
-          Timeout.timeout(4) do
+          Timeout.timeout(10) do
             instance_id = URI.open("http://169.254.169.254/latest/meta-data/instance-id").read
             if !instance_id.nil? and instance_id.size > 0
               @@is_in_aws = true
@@ -550,6 +554,7 @@ end
           end
         rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::EHOSTUNREACH
         end
+MU.log "Fetch of http://169.254.169.254/latest/meta-data/instance-id took #{sprintf("%.2fs", Time.now-start)}", MU::WARN
         @@is_in_aws = false
         false
@@ -978,7 +983,7 @@ end
             id = matches.first
           elsif matches.size == 0
             if raise_on_missing
-              raise MuError, "No IAM or ACM certificate named #{name} was found in #{region}"
+              raise MuError, "No IAM or ACM certificate named #{name} was found in #{region} (credentials: #{(credentials.nil? or credentials.empty?) ? "default" : credentials})"
             else
               return nil
             end

data/modules/mu/providers/azure/container_cluster.rb CHANGED Viewed

@@ -249,7 +249,7 @@ module MU
               os_obj = MU::Cloud::Azure.containers(:ContainerServiceWindowsProfile, model_version: "V2019_02_01").new
               os_obj.admin_username = "muadmin"
               # Azure password constraints are extra-annoying
-              winpass = MU.generateWindowsPassword(safe_pattern: '!@#$%^&*()', retries: 150)
+              winpass = MU.generatePassword(safe_pattern: '!@#$%^&*()', retries: 150)
 # TODO store this somewhere the user can get at it
               os_obj.admin_password = winpass
               os_obj

data/modules/mu/providers/azure/loadbalancer.rb CHANGED Viewed

@@ -50,8 +50,8 @@ module MU
         # Register a Server node with an existing LoadBalancer.
         #
         # @param instance_id [String] A node to register.
-        # @param targetgroups [Array<String>] The target group(s) of which this node should be made a member. Not applicable to classic LoadBalancers. If not supplied, the node will be registered to all available target groups on this LoadBalancer.
-        def registerNode(instance_id, targetgroups: nil)
+        # @param backends [Array<String>] The target group(s) of which this node should be made a member. Not applicable to classic LoadBalancers. If not supplied, the node will be registered to all available target groups on this LoadBalancer.
+        def registerTarget(instance_id, backends: nil)
         end
         # Does this resource type exist as a global (cloud-wide) artifact, or

data/modules/mu/providers/azure/server.rb CHANGED Viewed

@@ -426,7 +426,10 @@ MU.log "Azure::Server.find called", MU::NOTICE, details: args
         # @param size [String]: Size (in gb) of the new volume
         # @param type [String]: Cloud storage type of the volume, if applicable
         # @param delete_on_termination [Boolean]: Value of delete_on_termination flag to set
-        def addVolume(dev, size, type: "pd-standard", delete_on_termination: false)
+        def addVolume(dev: nil, size: 0, type: "pd-standard", delete_on_termination: false)
+          if dev.nil? or size == 0
+            raise MuError, "Must specify a device name and a size for addVolume"
+          end
         end
         # Determine whether the node in question exists at the Cloud provider
@@ -785,7 +788,7 @@ MU.log "Azure::Server.find called", MU::NOTICE, details: args
             os_obj.admin_password = begin
               @deploy.fetchSecret(@mu_name, "windows_admin_password")
             rescue MU::MommaCat::SecretError
-              pw = MU.generateWindowsPassword
+              pw = MU.generatePassword
               @deploy.saveNodeSecret(@mu_name, pw, "windows_admin_password")
               pw
             end

data/modules/mu/providers/azure/userdata/linux.erb CHANGED Viewed

@@ -105,7 +105,7 @@ umask 0077
 # Install Chef now, because why not?
 if [ ! -f /opt/chef/embedded/bin/ruby ];then
-  curl https://www.chef.io/chef/install.sh > chef-install.sh
+  curl https://omnitruck.chef.io/install.sh > chef-install.sh
   set +e
   # We may run afoul of a synchronous bootstrap process doing the same thing. So
   # wait until we've managed to run successfully.

data/modules/mu/providers/azure.rb CHANGED Viewed

@@ -52,6 +52,12 @@ module MU
         []
       end
+      # Cloud-specific resource methods or attributes we want exposed for
+      # reading by {MU::Cloud}
+      def self.customAttrReaders
+        [:region, :resource_group]
+      end
       # A hook that is always called just before any of the instance method of
       # our resource implementations gets invoked, so that we can ensure that
       # repetitive setup tasks (like resolving +:resource_group+ for Azure
@@ -59,9 +65,6 @@ module MU
       # @param cloudobj [MU::Cloud]
       # @param deploy [MU::MommaCat]
       def self.resourceInitHook(cloudobj, deploy)
-        class << self
-          attr_reader :resource_group
-        end
         return if !cloudobj
         rg = if !deploy
@@ -565,12 +568,12 @@ MU.log "vault existence check #{vaultname}", MU::WARN, details: resp
         return @@metadata if svc == "instance" and @@metadata
         base_url = "http://169.254.169.254/metadata/#{svc}"
         args["api-version"] = api_version
-        arg_str = args.keys.map { |k| k.to_s+"="+args[k].to_s }.join("&")
+        arg_str = args.keys.sort.map { |k| k.to_s+"="+CGI.escape(args[k].to_s) }.join("&")
         begin
           Timeout.timeout(2) do
-            resp = JSON.parse(URI.open("#{base_url}/?#{arg_str}","Metadata"=>"true").read)
-            MU.log "curl -H Metadata:true "+"#{base_url}/?#{arg_str}", loglevel, details: resp
+            resp = JSON.parse(URI.open("#{base_url}?#{arg_str}","Metadata"=>"true").read)
+            MU.log "curl -H Metadata:true "+"#{base_url}?#{arg_str}", loglevel, details: resp
             if svc != "instance"
               return resp
             else
@@ -597,9 +600,9 @@ MU.log "vault existence check #{vaultname}", MU::WARN, details: resp
         cfg = credConfig(credentials)
         if cfg and MU::Cloud::Azure.hosted?
-          token = MU::Cloud::Azure.get_metadata("identity/oauth2/token", "2018-02-01", args: { "resource"=>"https://management.azure.com/" })
+          token = MU::Cloud::Azure.get_metadata("identity/oauth2/token", "2020-09-01", args: { "resource"=>"https://management.azure.com/" })
           if !token
-            MU::Cloud::Azure.get_metadata("identity/oauth2/token", "2018-02-01", args: { "resource"=>"https://management.azure.com/" }, debug: true)
+            MU::Cloud::Azure.get_metadata("identity/oauth2/token", "2020-09-01", args: { "resource"=>"https://management.azure.com/" }, debug: true)
             raise MuError, "Failed to get machine oauth token"
           end
           machine = MU::Cloud::Azure.get_metadata

data/modules/mu/providers/cloudformation/dnszone.rb CHANGED Viewed

@@ -248,7 +248,7 @@ module MU
         end
         # Placeholder. This is a NOOP for CloudFormation, which doesn't build
         # resources directly.
-        def self.genericMuDNSEntry(*args)
+        def self.genericMuDNSEntry(**args)
           MU.log "find() not implemented for CloudFormation layer", MU::DEBUG
           nil
         end

data/modules/mu/providers/google/container_cluster.rb CHANGED Viewed

@@ -95,7 +95,7 @@ module MU
           desc = {
             :name => @mu_name.downcase,
             :description => @deploy.deploy_id,
-            :network => @vpc.cloud_id,
+            :network => @vpc.url,
             :enable_tpu => @config['tpu'],
             :resource_labels => labels,
             :locations => locations,
@@ -108,6 +108,7 @@ module MU
             ),
           }
           if @config['kubernetes']
             desc[:addons_config] = MU::Cloud::Google.container(:AddonsConfig).new(
               horizontal_pod_autoscaling: MU::Cloud::Google.container(:HorizontalPodAutoscaling).new(
@@ -135,6 +136,8 @@ module MU
               end
             }
           end
           if @config['log_facility'] == "kubernetes"
             desc[:logging_service] = "logging.googleapis.com/kubernetes"
             desc[:monitoring_service] = "monitoring.googleapis.com/kubernetes"
@@ -183,6 +186,7 @@ module MU
             )
           end
           if @config['ip_aliases'] or @config['custom_subnet'] or
              @config['services_ip_block'] or @config['services_ip_block_name'] or
              @config['pod_ip_block'] or @config['pod_ip_block_name'] or
@@ -210,17 +214,26 @@ module MU
             end
             if @config['services_ip_block']
+              if @vpc.project_id != @project_id
+                alloc_desc[:services_secondary_range_name] ||= @config['name']+"-services"
+                @vpc.addSecondaryRange(desc[:subnetwork], @config['services_ip_block'], alloc_desc[:services_secondary_range_name])
+              end
               alloc_desc[:services_ipv4_cidr_block] = @config['services_ip_block']
             end
             if @config['tpu_ip_block']
               alloc_desc[:tpu_ipv4_cidr_block] = @config['tpu_ip_block']
             end
             if @config['pod_ip_block']
+              if @vpc.project_id != @project_id
+                alloc_desc[:cluster_secondary_range_name] ||= @config['name']+"-pods"
+                @vpc.addSecondaryRange(desc[:subnetwork], @config['pod_ip_block'], alloc_desc[:cluster_secondary_range_name])
+              end
               alloc_desc[:cluster_ipv4_cidr_block] = @config['pod_ip_block']
             end
             desc[:ip_allocation_policy] = MU::Cloud::Google.container(:IpAllocationPolicy).new(alloc_desc)
-            pp alloc_desc
           end
           if @config['authorized_networks'] and @config['authorized_networks'].size > 0

data/modules/mu/providers/google/folder.rb CHANGED Viewed

@@ -260,7 +260,8 @@ module MU
             args[:flags]['parent_id']
           else
             my_org = MU::Cloud::Google.getOrg(args[:credentials])
-            my_org.name
+# XXX re-raise with a clear permission error
+            my_org.name if my_org
           end
           if args[:cloud_id]

data/modules/mu/providers/google/function.rb CHANGED Viewed

@@ -120,7 +120,7 @@ module example.com/cloudfunction
         def groom
           desc = {}
-          func_obj = buildDesc
+          func_obj = buildDesc(true)
           labels = Hash[@tags.keys.map { |k|
             [k.downcase, @tags[k].downcase.gsub(/[^-_a-z0-9]/, '-')] }
@@ -161,6 +161,13 @@ module example.com/cloudfunction
                cloud_desc.event_trigger.resource != @config['triggers'].first['resource']
               need_update = true
             end
+          elsif !cloud_desc.https_trigger
+            need_update = true
+          end
+          if (@config['internal_only'] and cloud_desc.ingress_settings != "ALLOW_INTERNAL_ONLY") or
+             (!@config['internal_only'] and cloud_desc.ingress_settings != "ALLOW_ALL")
+            need_update = true
           end
           current = Dir.mktmpdir(@mu_name+"-current") { |dir|
@@ -206,6 +213,7 @@ module example.com/cloudfunction
           end
           if need_update
+            MU::Cloud::Google::Function.uploadPackage(@config['code']['zip_file'], @mu_name+"-cloudfunction.zip", credentials: @credentials)
             MU.log "Updating Cloud Function #{@cloud_id}", MU::NOTICE, details: func_obj
             begin
               MU::Cloud::Google.function(credentials: @credentials).patch_project_location_function(
@@ -235,6 +243,71 @@ module example.com/cloudfunction
             tempfile.unlink
           end
+          policy = MU::Cloud::Google.function(credentials: @credentials).get_project_location_function_iam_policy(@cloud_id)
+          if @config['allow_unauthenticated'] and !allowsUnauthencated?
+            policy ||= MU::Cloud::Google.function(:Policy).new(
+              bindings: []
+            )
+            policy.bindings ||= []
+            policy.bindings << MU::Cloud::Google.function(:Binding).new(
+              members: ["allUsers"],
+              role: "roles/cloudfunctions.invoker"
+            )
+            pol_req = MU::Cloud::Google.function(:SetIamPolicyRequest).new(
+              policy: policy
+            )
+            MU.log "Enabling anonymous invocation of Cloud Function #{@mu_name}", MU::NOTICE
+            MU::Cloud::Google.function(credentials: @credentials).set_function_iam_policy(@cloud_id, pol_req)
+          elsif !@config['allow_unauthenticated'] and allowsUnauthencated?
+            policy.bindings.reject! { |b|
+              b.members.include?("allUsers") and b.role == "roles/cloudfunctions.invoker"
+            }
+            pol_req = MU::Cloud::Google.function(:SetIamPolicyRequest).new(
+              policy: policy
+            )
+            MU.log "Disabling anonymous invocation of Cloud Function #{@mu_name}", MU::NOTICE
+            MU::Cloud::Google.function(credentials: @credentials).set_function_iam_policy(@cloud_id, pol_req)
+          end
+          # If we have a loadbalancer configured, attach us to it
+          if !@config['loadbalancers'].nil?
+            if @loadbalancers.nil?
+              raise MuError, "#{@mu_name} is configured to use LoadBalancers, but none have been loaded by dependencies()"
+            end
+            neg_name = @deploy.getResourceName(@config["name"], max_length: 19, never_gen_unique: true).downcase
+            neg_desc = begin
+              MU::Cloud::Google.compute(credentials: @config['credentials']).get_region_network_endpoint_group(@project_id, @config['region'], neg_name)
+            rescue ::Google::Apis::ClientError => e
+              raise e if e.message !~ /notFound:/
+              neg_obj = MU::Cloud::Google.compute(:NetworkEndpointGroup).new(
+                name: neg_name,
+                description: @deploy.deploy_id,
+                cloud_function: MU::Cloud::Google.compute(:NetworkEndpointGroupCloudFunction).new(
+                  function: @cloud_id.gsub(/.*?\//, '')
+                ),
+                network_endpoint_type: "SERVERLESS"
+              )
+              MU.log "Creating Network Endpoint Group #{neg_name}", details: neg_obj
+              MU::Cloud::Google.compute(credentials: @config['credentials']).insert_region_network_endpoint_group(@project_id, @config['region'], neg_obj)
+              retry
+            end
+            @loadbalancers.each { |lb|
+#              if !lb.targetgroups
+#                MU.retrier([], max: 6, wait: 15, loop_if: Proc.new { !lb.targetgroups }) {
+#                  lb.cloud_desc(use_cache: false)
+#                }
+#              end
+#              lb.targetgroups.each_pair { |tg_name, tg|
+#                addTrigger(tg.target_group_arn, "elasticloadbalancing", tg_name)
+#              }
+              lb.registerTarget(neg_desc.self_link)
+            }
+          end
         end
         # Return the metadata for this project's configuration
@@ -330,6 +403,12 @@ module example.com/cloudfunction
           bok["handler"] = cloud_desc.entry_point
           bok["timeout"] = cloud_desc.timeout.gsub(/[^\d]/, '').to_i
+          if cloud_desc.ingress_settings and cloud_desc.ingress_settings == "ALLOW_INTERNAL_ONLY"
+            bok['internal_only'] = true
+          else
+            bok['internal_only'] = false
+          end
           if cloud_desc.vpc_connector
             bok["vpc_connector"] = cloud_desc.vpc_connector
           elsif cloud_desc.network
@@ -350,7 +429,7 @@ module example.com/cloudfunction
               type: "vpcs"
             )
           end
           if cloud_desc.environment_variables and cloud_desc.environment_variables.size > 0
             bok['environment_variable'] = cloud_desc.environment_variables.keys.map { |k| { "key" => k, "value" => cloud_desc.environment_variables[k] } }
           end
@@ -373,6 +452,9 @@ module example.com/cloudfunction
             'zip_file' => codefile
           }
+          bok['allow_unauthenticated'] = allowsUnauthencated?
           bok
         end
@@ -411,6 +493,16 @@ module example.com/cloudfunction
               "type" => "string",
               "description" => "+DEPRECATED+ VPC Connector to attach, of the form +projects/my-project/locations/some-region/connectors/my-connector+. This option will be removed once proper google-cloud-sdk support for VPC Connectors becomes available, at which point we will piggyback on the normal +vpc+ stanza and resolve connectors as needed."
             },
+            "allow_unauthenticated" => {
+              "type" => "boolean",
+              "default" => false,
+              "description" => "Only applicable for HTTPS-triggered functions; allows function invocation without credentials"
+            },
+            "internal_only" => {
+              "type" => "boolean",
+              "default" => false,
+              "description" => "Permit only traffic from VPC networks in the same project or VPC SC perimeter"
+            },
             "vpc_connector_allow_all_egress" => {
               "type" => "boolean",
               "default" => false,
@@ -473,11 +565,13 @@ module example.com/cloudfunction
         # @return [String]: The Cloud Storage URL to the result
         def self.uploadPackage(zipfile, filename, credentials: nil)
           bucket = MU::Cloud::Google.adminBucketName(credentials)
           obj_obj = MU::Cloud::Google.storage(:Object).new(
             content_type: "application/zip",
             name: filename
           )
+          MU.log "Uploading #{zipfile} to #{bucket}/#{filename}"
           MU::Cloud::Google.storage(credentials: credentials).insert_object(
             bucket,
             obj_obj,
@@ -574,12 +668,33 @@ module example.com/cloudfunction
 #            ok = false
 #          end
+          if !function["loadbalancers"].nil?
+            function["loadbalancers"].each { |lb|
+              lb["name"] ||= lb["concurrent_load_balancer"]
+              if lb["name"]
+                MU::Config.addDependency(function, lb["name"], "loadbalancer")
+              end
+            }
+          end
           ok
         end
         private
-        def buildDesc
+        def allowsUnauthencated?
+          policy = MU::Cloud::Google.function(credentials: @credentials).get_project_location_function_iam_policy(@cloud_id)
+          if policy and policy.bindings
+            policy.bindings.each { |b|
+              if b.members.include?("allUsers") and b.role == "roles/cloudfunctions.invoker"
+                return true
+              end
+            }
+          end
+          false
+        end
+        def buildDesc(no_upload = false)
           labels = Hash[@tags.keys.map { |k|
             [k.downcase, @tags[k].downcase.gsub(/[^-_a-z0-9]/, '-')] }
           ]
@@ -631,6 +746,12 @@ module example.com/cloudfunction
             desc[:https_trigger] = MU::Cloud::Google.function(:HttpsTrigger).new
           end
+          if @config["internal_only"]
+            desc[:ingress_settings] = "ALLOW_INTERNAL_ONLY"
+          else
+            desc[:ingress_settings] = "ALLOW_ALL"
+          end
           if @config['environment_variable']
             @config['environment_variable'].each { |var|
@@ -658,7 +779,12 @@ module example.com/cloudfunction
             else
               MU.log "#{@mu_name} using code packaged at #{@config['code']['zip_file']}"
             end
-            desc[:source_archive_url] = MU::Cloud::Google::Function.uploadPackage(@config['code']['zip_file'], @mu_name+"-cloudfunction.zip", credentials: @credentials)
+            bucket = MU::Cloud::Google.adminBucketName(credentials)
+            desc[:source_archive_url] = "gs://#{bucket}/#{@mu_name}-cloudfunction.zip"
+            if !no_upload
+              MU::Cloud::Google::Function.uploadPackage(@config['code']['zip_file'], @mu_name+"-cloudfunction.zip", credentials: @credentials)
+            end
             if tempfile
               tempfile.close

data/modules/mu/providers/google/habitat.rb CHANGED Viewed

@@ -303,7 +303,8 @@ module MU
           bok['name'] = cloud_desc.project_id
           bok['cloud_id'] = cloud_desc.project_id
 #          if cloud_desc.name != cloud_desc.project_id
-            bok['display_name'] = cloud_desc.name
+          bok['display_name'] = cloud_desc.name
+          bok['display_name'] ||= ""
 #          end
           if cloud_desc.parent and cloud_desc.parent.id