domed-city 3.0.1 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +3 -0
- data/CHANGELOG.md +23 -0
- data/dome.gemspec +2 -0
- data/lib/dome.rb +3 -0
- data/lib/dome/environment.rb +2 -2
- data/lib/dome/hiera_lookup.rb +91 -0
- data/lib/dome/secrets.rb +38 -0
- data/lib/dome/settings.rb +4 -0
- data/lib/dome/terraform.rb +5 -1
- data/lib/dome/version.rb +1 -1
- metadata +32 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6744973673ccdca6eba774cc3347a1c8d7107bbd
|
|
4
|
+
data.tar.gz: 7e4811795a1b527253938ca7204e21578078b3f1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: dabbb1a896e2d68ba2eaa5312a81f78dc7781689d542d9acc71394cd3f2d4b025eeaf0f443f8811e727c938841c0f31cc448fb722c52ca41d8e816bb897bd432
|
|
7
|
+
data.tar.gz: 95a48cda0d4a8b695666a24e4d85647da09ec4637db65e8e83eb52d8a3dc9e3ed54cc34c66d5aaa7f60e8ec9f1069efdca8fb8dab5d9ac95bd6b12d22f765684
|
data/.rubocop.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,26 @@
|
|
|
1
|
+
# 3.1.0
|
|
2
|
+
|
|
3
|
+
Added hiera-eyaml support.
|
|
4
|
+
|
|
5
|
+
This allows us to use encrypted Terraform variables via hiera lookups (the `hiera.yaml` is consumed).
|
|
6
|
+
|
|
7
|
+
It also allows us to decrypt and extract SSL certificates or SSH keys which can then be used as appropriate.
|
|
8
|
+
|
|
9
|
+
In order to utilise these two improvements, you must update your `itv.yaml` e.g.:
|
|
10
|
+
|
|
11
|
+
```
|
|
12
|
+
dome:
|
|
13
|
+
hiera_keys:
|
|
14
|
+
artifactory_password: 'deirdre::artifactory_password'
|
|
15
|
+
certs:
|
|
16
|
+
sit.phoenix.itv.com.pem: 'phoenix::sit_wildcard_cert'
|
|
17
|
+
phoenix.key: 'phoenix::certificate_key'
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
This release also containes:
|
|
21
|
+
- Improved debugging/output messages.
|
|
22
|
+
- More tests.
|
|
23
|
+
|
|
1
24
|
# 3.0.1
|
|
2
25
|
|
|
3
26
|
Forcibly unsetting environment variables `AWS_ACCESS_KEY` and `AWS_SECRET_KEY`.
|
data/dome.gemspec
CHANGED
data/lib/dome.rb
CHANGED
|
@@ -3,6 +3,7 @@ require 'aws-sdk'
|
|
|
3
3
|
require 'colorize'
|
|
4
4
|
require 'fileutils'
|
|
5
5
|
require 'yaml'
|
|
6
|
+
require 'hiera'
|
|
6
7
|
|
|
7
8
|
require 'dome/settings'
|
|
8
9
|
require 'dome/version'
|
|
@@ -10,3 +11,5 @@ require 'dome/helpers/shell'
|
|
|
10
11
|
require 'dome/environment'
|
|
11
12
|
require 'dome/state'
|
|
12
13
|
require 'dome/terraform'
|
|
14
|
+
require 'dome/hiera_lookup'
|
|
15
|
+
require 'dome/secrets'
|
data/lib/dome/environment.rb
CHANGED
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
module Dome
|
|
2
2
|
class Environment
|
|
3
|
-
attr_reader :environment, :account, :settings
|
|
3
|
+
attr_reader :environment, :account, :ecosystem, :settings
|
|
4
4
|
|
|
5
5
|
def initialize(directories = Dir.pwd.split('/'))
|
|
6
6
|
@environment = directories[-1]
|
|
7
7
|
@account = directories[-2]
|
|
8
|
+
@ecosystem = directories[-2].split('-')[-1]
|
|
8
9
|
@settings = Dome::Settings.new
|
|
9
10
|
end
|
|
10
11
|
|
|
@@ -60,7 +61,6 @@ module Dome
|
|
|
60
61
|
|
|
61
62
|
private
|
|
62
63
|
|
|
63
|
-
# rubocop:disable Metrics/MethodLength
|
|
64
64
|
# rubocop:disable Metrics/AbcSize
|
|
65
65
|
def generic_error_message
|
|
66
66
|
puts "The 'account' and 'environment' variables are assigned based on your current directory.\n".colorize(:red)
|
|
@@ -0,0 +1,91 @@
|
|
|
1
|
+
module Dome
|
|
2
|
+
class HieraLookup
|
|
3
|
+
def initialize(environment)
|
|
4
|
+
@environment = environment.environment
|
|
5
|
+
@account = environment.account
|
|
6
|
+
@ecosystem = environment.ecosystem
|
|
7
|
+
@settings = Dome::Settings.new
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def config
|
|
11
|
+
@config ||= YAML.load_file(File.join(puppet_dir, 'hiera.yaml')).merge(default_config)
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def default_config
|
|
15
|
+
{
|
|
16
|
+
logger: 'noop',
|
|
17
|
+
yaml: {
|
|
18
|
+
datadir: "#{puppet_dir}/hieradata"
|
|
19
|
+
},
|
|
20
|
+
eyaml: {
|
|
21
|
+
datadir: "#{puppet_dir}/hieradata",
|
|
22
|
+
pkcs7_private_key: eyaml_private_key,
|
|
23
|
+
pkcs7_public_key: eyaml_public_key
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def puppet_dir
|
|
29
|
+
directory = File.join(@settings.project_root, 'puppet')
|
|
30
|
+
puts "The configured Puppet directory is: #{directory.colorize(:green)}" unless @directory
|
|
31
|
+
@directory ||= directory
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def eyaml_private_key
|
|
35
|
+
private_key = File.join(puppet_dir, 'keys/private_key.pkcs7.pem')
|
|
36
|
+
raise "Cannot find eyaml private key! Make sure it exists at #{private_key}" unless File.exist?(private_key)
|
|
37
|
+
puts "Found eyaml private key: #{private_key.colorize(:green)}"
|
|
38
|
+
private_key
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
def eyaml_public_key
|
|
42
|
+
public_key = File.join(puppet_dir, 'keys/public_key.pkcs7.pem')
|
|
43
|
+
raise "Cannot find eyaml public key! Make sure it exists at #{public_key}" unless File.exist?(public_key)
|
|
44
|
+
puts "Found eyaml public key: #{public_key.colorize(:green)}"
|
|
45
|
+
public_key
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def lookup(key, default = nil, order_override = nil, resolution_type = :priority)
|
|
49
|
+
hiera = Hiera.new(config: config)
|
|
50
|
+
|
|
51
|
+
hiera_scope = {}
|
|
52
|
+
hiera_scope['ecosystem'] = @ecosystem
|
|
53
|
+
hiera_scope['location'] = 'aeuw1'
|
|
54
|
+
hiera_scope['env'] = @environment
|
|
55
|
+
|
|
56
|
+
hiera.lookup(key.to_s, default, hiera_scope, order_override, resolution_type)
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
def secret_env_vars(secret_vars)
|
|
60
|
+
secret_vars.each_pair do |key, val|
|
|
61
|
+
hiera_lookup = lookup(val)
|
|
62
|
+
terraform_env_var = "TF_VAR_#{key}"
|
|
63
|
+
ENV[terraform_env_var] = hiera_lookup
|
|
64
|
+
if hiera_lookup
|
|
65
|
+
puts "Setting #{terraform_env_var.colorize(:green)}."
|
|
66
|
+
else
|
|
67
|
+
puts "Hiera lookup failed for '#{val}', so #{terraform_env_var} was not set.".colorize(:red)
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def extract_certs(certs)
|
|
73
|
+
create_certificate_directory
|
|
74
|
+
|
|
75
|
+
certs.each_pair do |key, val|
|
|
76
|
+
directory = "#{certificate_directory}/#{key}"
|
|
77
|
+
puts "Extracting certificate #{key.colorize(:green)} into #{directory.colorize(:green)}"
|
|
78
|
+
File.open(directory, 'w') { |f| f.write(lookup(val)) }
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
def create_certificate_directory
|
|
83
|
+
puts "Creating certificate directory at #{certificate_directory.colorize(:green)}"
|
|
84
|
+
FileUtils.mkdir_p certificate_directory
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
def certificate_directory
|
|
88
|
+
"#{@settings.project_root}/terraform/certs"
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
end
|
data/lib/dome/secrets.rb
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
module Dome
|
|
2
|
+
class Secrets
|
|
3
|
+
attr_reader :settings, :hiera
|
|
4
|
+
|
|
5
|
+
def initialize(environment)
|
|
6
|
+
@environment = environment
|
|
7
|
+
@settings = Dome::Settings.new
|
|
8
|
+
@hiera = Dome::HieraLookup.new(@environment)
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def secret_env_vars
|
|
12
|
+
return if dome_config.nil? || hiera_keys_config.nil?
|
|
13
|
+
@hiera.secret_env_vars(hiera_keys_config)
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def extract_certs
|
|
17
|
+
return if dome_config.nil? || certs_config.nil?
|
|
18
|
+
@hiera.extract_certs(certs_config)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def dome_config
|
|
22
|
+
puts "No #{'dome'.colorize(:green)} key found in your itv.yaml." unless @settings.parse['dome']
|
|
23
|
+
@settings.parse['dome']
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def hiera_keys_config
|
|
27
|
+
puts "No #{'hiera_keys'.colorize(:green)} sub-key under #{'dome'.colorize(:green)} key found "\
|
|
28
|
+
'in your itv.yaml.' unless @settings.parse['dome']['hiera_keys']
|
|
29
|
+
@settings.parse['dome']['hiera_keys']
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def certs_config
|
|
33
|
+
puts "No #{'certs'.colorize(:green)} sub-key under #{'dome'.colorize(:green)} key found "\
|
|
34
|
+
'in your itv.yaml.' unless @settings.parse['dome']['certs']
|
|
35
|
+
@settings.parse['dome']['certs']
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
data/lib/dome/settings.rb
CHANGED
data/lib/dome/terraform.rb
CHANGED
|
@@ -6,6 +6,7 @@ module Dome
|
|
|
6
6
|
|
|
7
7
|
def initialize
|
|
8
8
|
@environment = Dome::Environment.new
|
|
9
|
+
@secrets = Dome::Secrets.new(@environment)
|
|
9
10
|
@state = Dome::State.new(@environment)
|
|
10
11
|
@plan_file = "plans/#{@environment.account}-#{@environment.environment}-plan.tf"
|
|
11
12
|
end
|
|
@@ -45,13 +46,16 @@ module Dome
|
|
|
45
46
|
end
|
|
46
47
|
|
|
47
48
|
def apply
|
|
49
|
+
@secrets.secret_env_vars
|
|
48
50
|
command = "terraform apply #{@plan_file}"
|
|
49
51
|
failure_message = 'something went wrong when applying the TF plan'
|
|
50
52
|
execute_command(command, failure_message)
|
|
51
53
|
end
|
|
52
54
|
|
|
53
55
|
def create_plan
|
|
54
|
-
|
|
56
|
+
@secrets.secret_env_vars
|
|
57
|
+
@secrets.extract_certs
|
|
58
|
+
command = "terraform plan -refresh=true -out=#{@plan_file} -var-file=params/env.tfvars"
|
|
55
59
|
failure_message = 'something went wrong when creating the TF plan'
|
|
56
60
|
execute_command(command, failure_message)
|
|
57
61
|
end
|
data/lib/dome/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: domed-city
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.0
|
|
4
|
+
version: 3.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- ITV
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-09-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -108,6 +108,34 @@ dependencies:
|
|
|
108
108
|
- - "~>"
|
|
109
109
|
- !ruby/object:Gem::Version
|
|
110
110
|
version: '0.7'
|
|
111
|
+
- !ruby/object:Gem::Dependency
|
|
112
|
+
name: hiera
|
|
113
|
+
requirement: !ruby/object:Gem::Requirement
|
|
114
|
+
requirements:
|
|
115
|
+
- - "~>"
|
|
116
|
+
- !ruby/object:Gem::Version
|
|
117
|
+
version: '1.3'
|
|
118
|
+
type: :runtime
|
|
119
|
+
prerelease: false
|
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
121
|
+
requirements:
|
|
122
|
+
- - "~>"
|
|
123
|
+
- !ruby/object:Gem::Version
|
|
124
|
+
version: '1.3'
|
|
125
|
+
- !ruby/object:Gem::Dependency
|
|
126
|
+
name: hiera-eyaml
|
|
127
|
+
requirement: !ruby/object:Gem::Requirement
|
|
128
|
+
requirements:
|
|
129
|
+
- - "~>"
|
|
130
|
+
- !ruby/object:Gem::Version
|
|
131
|
+
version: '2.1'
|
|
132
|
+
type: :runtime
|
|
133
|
+
prerelease: false
|
|
134
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
135
|
+
requirements:
|
|
136
|
+
- - "~>"
|
|
137
|
+
- !ruby/object:Gem::Version
|
|
138
|
+
version: '2.1'
|
|
111
139
|
description:
|
|
112
140
|
email:
|
|
113
141
|
- common-platform-team-group@itv.com
|
|
@@ -131,6 +159,8 @@ files:
|
|
|
131
159
|
- lib/dome.rb
|
|
132
160
|
- lib/dome/environment.rb
|
|
133
161
|
- lib/dome/helpers/shell.rb
|
|
162
|
+
- lib/dome/hiera_lookup.rb
|
|
163
|
+
- lib/dome/secrets.rb
|
|
134
164
|
- lib/dome/settings.rb
|
|
135
165
|
- lib/dome/state.rb
|
|
136
166
|
- lib/dome/terraform.rb
|