RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/modules/mu/providers/google/role.rb CHANGED Viewed

@@ -564,7 +564,12 @@ module MU
             canned = Hash[MU::Cloud::Google.iam(credentials: args[:credentials]).list_roles.roles.map { |r| [r.name, r] }]
             begin
               MU::Cloud.resourceClass("Google", "Habitat").bindings(args[:project], credentials: args[:credentials]).each { |binding|
-                found[binding.role] = canned[binding.role]
+                if binding.role =~ /^roles\//
+                  found[binding.role] = canned[binding.role]
+                elsif binding.role =~ /^#{Regexp.quote(my_org.name)}\/roles\//
+                  found[binding.role] = MU::Cloud::Google.iam(credentials: args[:credentials]).get_organization_role(binding.role)
+                end
               }
             rescue ::Google::Apis::ClientError => e
               raise e if !e.message.match(/forbidden: /)
@@ -663,7 +668,6 @@ module MU
             "credentials" => @config['credentials'],
             "cloud_id" => @cloud_id
           }
           my_org = MU::Cloud::Google.getOrg(@config['credentials'])
           # This can happen if the role_source isn't set correctly. This logic
@@ -680,6 +684,9 @@ module MU
           # GSuite or Cloud Identity role
           if cloud_desc.class == ::Google::Apis::AdminDirectoryV1::Role
+if @cloud_id =~ /ncbi_snapshot_manager/
+  MU.log "directory-tier role", MU::NOTICE
+end
             return nil if cloud_desc.is_system_role
             bok["name"] = @config['name'].gsub(/[^a-z0-9]/i, '-').downcase
@@ -702,6 +709,9 @@ module MU
               bok['import'].sort! # at least be legible
             end
           else # otherwise it's a GCP IAM role of some kind
+if @cloud_id =~ /ncbi_snapshot_manager/
+  MU.log "cloud-tier role", MU::NOTICE
+end
             return nil if cloud_desc.stage == "DISABLED"
             if cloud_desc.name.match(/^roles\/([^\/]+)$/)
@@ -811,6 +821,9 @@ module MU
           # to bother with them.
           if bok['role_source'] == "canned" and
              (bok['bindings'].nil? or bok['bindings'].empty?)
+if @cloud_id =~ /ncbi_snapshot_manager/
+  MU.log "ditching at canned role check", MU::NOTICE
+end
             return nil
           end
@@ -940,7 +953,7 @@ module MU
                 }
               rescue ::Google::Apis::ClientError => e
                 if e.message.match(/forbidden: /)
-                  MU.log "Do not have permissions to retrieve bindings in project #{project}, skipping", MU::WARN
+                  MU.log "Do not have permissions to retrieve bindings in project #{project}, org #{MU::Cloud::Google.getOrg(credentials).display_name}, skipping", MU::WARN
                 else
                   raise e
                 end

data/modules/mu/providers/google/server.rb CHANGED Viewed

@@ -1109,7 +1109,11 @@ next if !create
         # @param size [String]: Size (in gb) of the new volume
         # @param type [String]: Cloud storage type of the volume, if applicable
         # @param delete_on_termination [Boolean]: Value of delete_on_termination flag to set
-        def addVolume(dev, size, type: "pd-standard", delete_on_termination: false)
+        def addVolume(dev: nil, size: 0, type: "pd-standard", delete_on_termination: false)
+          if dev.nil? or size == 0
+            raise MuError, "Must specify a device name and a size for addVolume"
+          end
           devname = dev.gsub(/.*?\/([^\/]+)$/, '\1')
           resname = MU::Cloud::Google.nameStr(@mu_name+"-"+devname)
           MU.log "Creating disk #{resname}"

data/modules/mu/providers/google/user.rb CHANGED Viewed

@@ -114,7 +114,7 @@ module MU
               primary_email: @config['email'],
               suspended: @config['suspend'],
               is_admin: @config['admin'],
-              password: MU.generateWindowsPassword,
+              password: MU.generatePassword,
               change_password_at_next_login: (@config.has_key?('force_password_change') ? @config['force_password_change'] : true)
             )
@@ -310,6 +310,10 @@ module MU
           end
         end
+        # clock projects we can't list so we don't waste time trying them over
+        # and over
+        @@cant_list = []
         # Locate and return cloud provider descriptors of this resource type
         # which match the provided parameters, or all visible resources if no
         # filters are specified. At minimum, implementations of +find+ must
@@ -341,24 +345,27 @@ module MU
           if args[:project]
             # project-local service accounts
-            resp = begin
-              MU::Cloud::Google.iam(credentials: args[:credentials]).list_project_service_accounts(
-                "projects/"+args[:project]
-              )
-            rescue ::Google::Apis::ClientError
-              MU.log "Do not have permissions to retrieve service accounts for project #{args[:project]}", MU::WARN
-            end
+            if !@@cant_list.include?(args[:project])
+              resp = begin
+                MU::Cloud::Google.iam(credentials: args[:credentials]).list_project_service_accounts(
+                  "projects/"+args[:project]
+                )
+              rescue ::Google::Apis::ClientError
+                @@cant_list << args[:project]
+                MU.log "Do not have permissions to retrieve service accounts for project #{args[:project]}, org #{MU::Cloud::Google.getOrg(args[:credentials]).display_name}", MU::WARN
+              end
-            if resp and resp.accounts
-              resp.accounts.each { |sa|
-                if args[:flags] and args[:flags]["skip_provider_owned"] and
-                   MU::Cloud::Google::User.cannedServiceAcctName?(sa.name)
-                  next
-                end
-                if !args[:cloud_id] or (sa.display_name and sa.display_name == args[:cloud_id]) or (sa.name and sa.name == args[:cloud_id]) or (sa.email and sa.email == args[:cloud_id])
-                  found[sa.name] = sa
-                end
-              }
+              if resp and resp.accounts
+                resp.accounts.each { |sa|
+                  if args[:flags] and args[:flags]["skip_provider_owned"] and
+                     MU::Cloud::Google::User.cannedServiceAcctName?(sa.name)
+                    next
+                  end
+                  if !args[:cloud_id] or (sa.display_name and sa.display_name == args[:cloud_id]) or (sa.name and sa.name == args[:cloud_id]) or (sa.email and sa.email == args[:cloud_id])
+                    found[sa.name] = sa
+                  end
+                }
+              end
             end
           else
             if cred_cfg['masquerade_as']

data/modules/mu/providers/google/userdata/linux.erb CHANGED Viewed

@@ -105,7 +105,7 @@ umask 0077
 # Install Chef now, because why not?
 if [ ! -f /opt/chef/embedded/bin/ruby ];then
-	curl https://www.chef.io/chef/install.sh > chef-install.sh
+	curl https://omnitruck.chef.io/install.sh > chef-install.sh
 	set +e
 	# We may run afoul of a synchronous bootstrap process doing the same thing. So
 	# wait until we've managed to run successfully.

data/modules/mu/providers/google/vpc.rb CHANGED Viewed

@@ -457,7 +457,7 @@ end
           end
           if name
-            subnet_mu_name ||= @config['scrub_mu_isms'] ? @cloud_id+name.downcase : MU::Cloud::Google.nameStr(@deploy.getResourceName(name, max_length: 61))
+            subnet_mu_name ||= (@config['scrub_mu_isms'] or !@deploy) ? @cloud_id+name.downcase : MU::Cloud::Google.nameStr(@deploy.getResourceName(name, max_length: 61))
           end
           MU.log "getSubnet(cloud_id: #{cloud_id}, name: #{name}, tag_key: #{tag_key}, tag_value: #{tag_value}, ip_block: #{ip_block}, region: #{region}, subnet_mu_name: #{subnet_mu_name})", MU::DEBUG, details: caller[0]
@@ -976,12 +976,7 @@ MU.log "ROUTES TO #{target_instance.name}", MU::WARN, details: resp
         # @return [String]
         def getUnusedAddressBlock(exclude: [], max_bits: 28)
           used_ranges = exclude.map { |cidr| NetAddr::IPv4Net.parse(cidr) }
-          subnets.each { |s|
-            used_ranges << NetAddr::IPv4Net.parse(s.cloud_desc.ip_cidr_range)
-            if s.cloud_desc.secondary_ip_ranges
-              used_ranges.concat(s.cloud_desc.secondary_ip_ranges.map { |r| NetAddr::IPv4Net.parse(r.ip_cidr_range) })
-            end
-          }
+          used_ranges.concat(listSubnetRanges)
 # XXX sort used_ranges
           candidate = used_ranges.first.next_sib
@@ -1003,8 +998,55 @@ MU.log "ROUTES TO #{target_instance.name}", MU::WARN, details: resp
           candidate.to_s
         end
+        # Add a new secondary IP range to the given subnet, if it doesn't
+        # already exist
+        def addSecondaryRange(subnet, cidr, name)
+          subnet = getSubnet(cloud_id: subnet, name: subnet, subnet_mu_name: subnet)
+          if !subnet
+            raise MuError, "#{self.to_s} failed to locate a subnet from '#{subnet}'"
+          end
+          secondary_ranges = subnet.cloud_desc.secondary_ip_ranges
+          secondary_ranges ||= []
+          secondary_ranges.each { |r|
+            if r.ip_cidr_range == cidr and r.range_name == name
+              return
+            elsif r.ip_cidr_range == cidr or r.range_name == name
+              MU.log "Conflicting secondary IP range, cannot add #{name} (#{cidr}) to network #{cloud_desc.name} subnet #{subnet.cloud_desc.name}", MU::WARN, details: r
+              return
+            end
+          }
+          secondary_ranges << MU::Cloud::Google.compute(:SubnetworkSecondaryRange).new(
+            ip_cidr_range: cidr,
+            range_name: name
+          )
+          MU.log "Adding new secondary IP range #{name} (#{cidr}) to network #{cloud_desc.name} subnet #{subnet.cloud_desc.name}"
+          subnetobj = MU::Cloud::Google.compute(:Subnetwork).new(
+            name: subnet.cloud_desc.name,
+            secondary_ip_ranges: secondary_ranges,
+            fingerprint: subnet.cloud_desc.fingerprint
+          )
+          MU::Cloud::Google.compute(credentials: @credentials).patch_subnetwork(@project_id, subnet.az, subnet.cloud_desc.name, subnetobj)
+        end
+        def connector(id: nil, name: nil)
+        end
         private
+        # @return [Array<NetAddr::IPv4Net>]
+        def listSubnetRanges
+          ranges = []
+          subnets.each { |s|
+            ranges << NetAddr::IPv4Net.parse(s.cloud_desc.ip_cidr_range)
+            if s.cloud_desc.secondary_ip_ranges
+              ranges.concat(s.cloud_desc.secondary_ip_ranges.map { |r| NetAddr::IPv4Net.parse(r.ip_cidr_range) })
+            end
+          }
+          ranges
+        end
         def self.genStandardSubnetACLs(vpc_cidr, vpc_name, configurator, project, _publicroute = true, credentials: nil)
           private_acl = {
             "name" => vpc_name+"-rt",
@@ -1209,6 +1251,10 @@ MU.log "ROUTES TO #{target_instance.name}", MU::WARN, details: resp
           # @return [Boolean]
           def private?
             @parent.cloud_desc
+            if !@parent.routes
+              MU.log "Failed to retrieve routes from #{@parent.to_s}", MU::WARN
+              return true
+            end
             @parent.routes.map { |r|
               if r.dest_range == "0.0.0.0/0" and !r.next_hop_gateway.nil? and
                  (r.tags.nil? or r.tags.size == 0) and

data/modules/mu/providers/google.rb CHANGED Viewed

@@ -29,8 +29,6 @@ module MU
       @@authorizers = {}
       @@acct_to_profile_map = {}
       @@enable_semaphores = {}
-      @@readonly_semaphore = Mutex.new
-      @@readonly = {}
       # Module used by {MU::Cloud} to insert additional instance methods into
       # instantiated resources in this cloud layer.
@@ -40,7 +38,7 @@ module MU
         # @return [String]
         def url
           desc = cloud_desc
-          (desc and desc.self_link) ? desc.self_link : nil
+          (desc and desc.respond_to?(:self_link) and desc.self_link) ? desc.self_link : nil
         end
       end
@@ -52,6 +50,12 @@ module MU
         [:url]
       end
+      # Cloud-specific resource methods or attributes we want exposed for
+      # reading by {MU::Cloud}
+      def self.customAttrReaders
+        [:project_id, :customer]
+      end
       # Is this a "real" cloud provider, or a stub like CloudFormation?
       def self.virtual?
         false
@@ -75,12 +79,6 @@ module MU
       # @param cloudobj [MU::Cloud]
       # @param deploy [MU::MommaCat]
       def self.resourceInitHook(cloudobj, deploy)
-        class << self
-          attr_reader :project_id
-          attr_reader :customer
-          # url is too complex for an attribute (we get it from the cloud API),
-          # so it's up in AdditionalResourceMethods instead
-        end
         return if !cloudobj
         cloudobj.instance_variable_set(:@customer, MU::Cloud::Google.customerID(cloudobj.config['credentials']))
@@ -96,9 +94,6 @@ module MU
           cloudobj.instance_variable_set(:@project_id, cloudobj.config['project'])
         end
-# XXX @url? Well we're not likely to have @cloud_desc at this point, so maybe
-# that needs to be a generic-to-google wrapper like def url; cloud_desc.self_link;end
 # XXX something like: vpc["habitat"] = MU::Cloud::Google.projectToRef(vpc["project"], config: configurator, credentials: vpc["credentials"])
       end
@@ -346,8 +341,10 @@ module MU
       end
       # Plant a Mu deploy secret into a storage bucket somewhere for so our kittens can consume it
-      # @param deploy_id [String]: The deploy for which we're writing the secret
+      # @param deploy [String]: The deploy for which we're writing the secret
       # @param value [String]: The contents of the secret
+      # @param name [String]: File/object name
+      # @param credentials [String]
       def self.writeDeploySecret(deploy, value, name = nil, credentials: nil)
         deploy_id = deploy.deploy_id
         name ||= deploy_id+"-secret"
@@ -847,7 +844,7 @@ MU.log e.message, MU::WARN, details: e.inspect
         require 'google/apis/iam_v1'
         if subclass.nil?
-          @@iam_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "IamV1::IamService", scopes: ['cloud-platform', 'cloudplatformprojects', 'cloudplatformorganizations', 'cloudplatformfolders'], credentials: credentials)
+          @@iam_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "IamV1::IamService", scopes: ['cloud-platform', 'cloudplatformprojects', 'cloudplatformorganizations', 'cloudplatformfolders'], credentials: credentials, retry_readonly: true)
           return @@iam_api[credentials]
         elsif subclass.is_a?(Symbol)
           return Object.const_get("::Google").const_get("Apis").const_get("IamV1").const_get(subclass)
@@ -863,28 +860,12 @@ MU.log e.message, MU::WARN, details: e.inspect
         # dopey extra warnings about falling back on scopes
         credentials ||= MU::Cloud::Google.credConfig(credentials, name_only: true)
-        writescopes = ['admin.directory.group.member', 'admin.directory.group', 'admin.directory.user', 'admin.directory.domain', 'admin.directory.orgunit', 'admin.directory.rolemanagement', 'admin.directory.customer', 'admin.directory.user.alias', 'admin.directory.userschema']
-        readscopes = ['admin.directory.group.member.readonly', 'admin.directory.group.readonly', 'admin.directory.user.readonly', 'admin.directory.domain.readonly', 'admin.directory.orgunit.readonly', 'admin.directory.rolemanagement.readonly', 'admin.directory.customer.readonly', 'admin.directory.user.alias.readonly', 'admin.directory.userschema.readonly']
-        @@readonly_semaphore.synchronize {
-          use_scopes = readscopes+writescopes
-          if @@readonly[credentials] and @@readonly[credentials]["AdminDirectoryV1"]
-            use_scopes = readscopes.dup
-          end
-          if subclass.nil?
-            begin
-              @@admin_directory_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "AdminDirectoryV1::DirectoryService", scopes: use_scopes, masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'], credentials: credentials, auth_error_quiet: true)
-            rescue Signet::AuthorizationError
-              MU.log "Falling back to read-only access to DirectoryService API for credential set '#{credentials}'", MU::WARN
-              @@admin_directory_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "AdminDirectoryV1::DirectoryService", scopes: readscopes, masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'], credentials: credentials)
-              @@readonly[credentials] ||= {}
-              @@readonly[credentials]["AdminDirectoryV1"] = true
-            end
-            return @@admin_directory_api[credentials]
-          elsif subclass.is_a?(Symbol)
-            return Object.const_get("::Google").const_get("Apis").const_get("AdminDirectoryV1").const_get(subclass)
-          end
-        }
+        if subclass.nil?
+          @@admin_directory_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "AdminDirectoryV1::DirectoryService", scopes: ['admin.directory.group.member', 'admin.directory.group', 'admin.directory.user', 'admin.directory.domain', 'admin.directory.orgunit', 'admin.directory.rolemanagement', 'admin.directory.customer', 'admin.directory.user.alias', 'admin.directory.userschema'], masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'], credentials: credentials, auth_error_quiet: true, retry_readonly: true)
+          return @@admin_directory_api[credentials]
+        elsif subclass.is_a?(Symbol)
+          return Object.const_get("::Google").const_get("Apis").const_get("AdminDirectoryV1").const_get(subclass)
+        end
       end
       # Google's Cloud Resource Manager API
@@ -896,7 +877,7 @@ MU.log e.message, MU::WARN, details: e.inspect
           if !MU::Cloud::Google.credConfig(credentials)
             raise MuError, "No such credential set #{credentials} defined in mu.yaml!"
           end
-          @@resource_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "CloudresourcemanagerV1::CloudResourceManagerService", scopes: ['cloud-platform', 'cloudplatformprojects', 'cloudplatformorganizations', 'cloudplatformfolders'], credentials: credentials, masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'])
+          @@resource_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "CloudresourcemanagerV1::CloudResourceManagerService", scopes: ['cloud-platform', 'cloudplatformprojects', 'cloudplatformorganizations', 'cloudplatformfolders'], credentials: credentials, masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'], retry_readonly: true)
           return @@resource_api[credentials]
         elsif subclass.is_a?(Symbol)
           return Object.const_get("::Google").const_get("Apis").const_get("CloudresourcemanagerV1").const_get(subclass)
@@ -1110,7 +1091,7 @@ MU.log e.message, MU::WARN, details: e.inspect
         # Create a Google Cloud Platform API client
         # @param api [String]: Which API are we wrapping?
         # @param scopes [Array<String>]: Google auth scopes applicable to this API
-        def initialize(api: "ComputeV1::ComputeService", scopes: ['https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/compute.readonly'], masquerade: nil, credentials: nil, auth_error_quiet: false)
+        def initialize(api: "ComputeV1::ComputeService", scopes: ['https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/compute.readonly'], masquerade: nil, credentials: nil, auth_error_quiet: false, retry_readonly: false)
           @credentials = credentials
           @scopes = scopes.map { |s|
             if !s.match(/\//) # allow callers to use shorthand
@@ -1127,6 +1108,22 @@ MU.log e.message, MU::WARN, details: e.inspect
               @api.authorization.sub = @masquerade
               @api.authorization.fetch_access_token!
             rescue Signet::AuthorizationError => e
+              if retry_readonly
+                newscopes = @scopes.map { |s|
+                  if s =~ /\/cloud-platform$/
+                    s += ".read-only"
+                  elsif s !~ /\/cloud-platform\b/ and s !~ /\.readonly$/
+                    s += ".readonly"
+                  end
+                  s
+                }
+                if newscopes != @scopes
+                  MU.log "Falling back to read-only access to #{api} API on credential set '#{credentials}'", MU::WARN, details: @scopes
+                  @scopes = newscopes
+                  @api.authorization = MU::Cloud::Google.loadCredentials(@scopes, credentials: credentials)
+                  retry
+                end
+              end
               if auth_error_quiet
                 MU.log "Cannot masquerade as #{@masquerade} to API #{api}: #{e.message}", MU::DEBUG, details: @scopes
               else
@@ -1281,7 +1278,7 @@ MU.log e.message, MU::WARN, details: e.inspect
                 raise e
               end
             rescue ::Google::Apis::ClientError, OpenSSL::SSL::SSLError => e
-              if e.message.match(/^quotaExceeded: Request rate/)
+              if e.message.match(/^quotaExceeded: Request rate|failedPrecondition.*?already in progress/)
                 if retries <= 10
                   sleep wait_backoff
                   retries += 1
@@ -1457,6 +1454,9 @@ MU.log e.message, MU::WARN, details: e.inspect
                   faked_args.pop
                   faked_args.pop
                 end
+                if method_sym == :patch_subnetwork
+                  faked_args.pop
+                end
                 faked_args.push(cloud_id)
                 if get_method == :get_project_location_cluster
                   faked_args[0] = faked_args[0]+"/clusters/"+faked_args[1]

data/modules/mu.rb CHANGED Viewed

@@ -701,7 +701,7 @@ module MU
      !$MU_CFG['public_address'].empty? and @@my_public_ip != $MU_CFG['public_address']
     @@mu_public_addr = $MU_CFG['public_address']
     if !@@mu_public_addr.match(/^\d+\.\d+\.\d+\.\d+$/) and
-       File.exists?("/etc/hostname") and File.exists?("/etc/hosts")
+       File.exist?("/etc/hostname") and File.exist?("/etc/hosts")
       hostname = IO.readlines("/etc/hostname")[0].gsub(/\n/, '')
       hostlines = File.open('/etc/hosts').grep(/.*#{hostname}.*/)
@@ -788,7 +788,7 @@ module MU
   end
   # The version of Chef we will install on nodes.
-  @@chefVersion = "14.0.190"
+  @@chefVersion = "18.5.0"
   # The version of Chef we will install on nodes.
   # @return [String]
   def self.chefVersion
@@ -1072,23 +1072,23 @@ module MU
   end
-  # Generate a random password which will satisfy the complexity requirements of stock Amazon Windows AMIs.
+  # Generate a random password which will satisfy the complexity requirements of things like the stock Amazon Windows AMIs.
   # return [String]: A password string.
-  def self.generateWindowsPassword(safe_pattern: '~!@#%^&*_-+=`|(){}[]:;<>,.?', retries: 50)
+  def self.generatePassword(safe_pattern: '~!@#%^&*_-+=`|(){}[]:;<>,.?', length: 14, retries: 50)
     # We have dopey complexity requirements, be stringent here.
     # I'll be nice and not condense this into one elegant-but-unreadable regular expression
     attempts = 0
     safe_metachars = Regexp.escape(safe_pattern)
     begin
       if attempts > retries
-        MU.log "Failed to generate an adequate Windows password after #{attempts} attempts", MU::ERR
-        raise MuError, "Failed to generate an adequate Windows password after #{attempts} attempts"
+        MU.log "Failed to generate an adequate password after #{attempts} attempts", MU::ERR
+        raise MuError, "Failed to generate an adequate password after #{attempts} attempts"
       end
-      winpass = Password.random(14..16)
+      winpass = Password.random(length..(length+2))
       attempts += 1
     end while winpass.nil? or !winpass.match(/^[a-z]/i) or !winpass.match(/[A-Z]/) or !winpass.match(/[a-z]/) or !winpass.match(/\d/) or !winpass.match(/[#{safe_metachars}]/) or winpass.match(/[^\w\d#{safe_metachars}]/)
-    MU.log "Generated Windows password after #{attempts} attempts", MU::DEBUG
+    MU.log "Generated password after #{attempts} attempts", MU::DEBUG
     return winpass
   end

data/modules/tests/elk.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+# groomers: Ansible
+---
+appname: smoketest
+generate_passwords:
+- itemname: elasticpw
+  minlength: 12
+vpcs:
+- name: wrapper
+servers:
+- name: frontend
+  platform: centos7
+  groomer: Ansible
+  vpc:
+    name: wrapper
+  size: t3.medium
+  vault_access:
+  - item: elasticpw
+  run_list:
+  - mu-logstash
+#<% if cloud != "AWS" %>
+- name: backend
+  platform: centos7
+  groomer: Ansible
+  vpc:
+    name: wrapper
+  size: m5.large
+  vault_access:
+  - item: elasticpw
+  run_list:
+  - mu-elastic
+#<% else %>
+#search_domains:
+#- name: logsearch
+#  elasticsearch_version: '7.4'
+#  instance_count: 1
+#  instance_type: r5.large.elasticsearch
+#  ebs_size: 10
+#  ebs_type: gp2
+#  access_policies:
+#    Version: '2012-10-17'
+#    Statement:
+#    - Effect: Allow
+#      Principal:
+#        AWS: "*"
+#      Action: es:ESHttp*
+#<% end %>

data/test/mu-master-test/controls/all_in_one.rb CHANGED Viewed

@@ -15,7 +15,7 @@ control 'init' do
   node = json('/tmp/chef_node.json').params
   NODE_PUB_IP=node_meta[0]['pub_ip']
   CHEF_SERVER_VERSION="12.17.15-1"
-  CHEF_CLIENT_VERSION="14.0.190"
+  CHEF_CLIENT_VERSION="18.2.7"
   KNIFE_WINDOWS="1.9.0"
   MU_BASE="/opt/mu"
   f = "/etc/ssh/sshd_config"