domed-city 3.0.1 → 3.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rubocop.yml +3 -0
- data/CHANGELOG.md +23 -0
- data/dome.gemspec +2 -0
- data/lib/dome.rb +3 -0
- data/lib/dome/environment.rb +2 -2
- data/lib/dome/hiera_lookup.rb +91 -0
- data/lib/dome/secrets.rb +38 -0
- data/lib/dome/settings.rb +4 -0
- data/lib/dome/terraform.rb +5 -1
- data/lib/dome/version.rb +1 -1
- metadata +32 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6744973673ccdca6eba774cc3347a1c8d7107bbd
|
|
4
|
+
data.tar.gz: 7e4811795a1b527253938ca7204e21578078b3f1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: dabbb1a896e2d68ba2eaa5312a81f78dc7781689d542d9acc71394cd3f2d4b025eeaf0f443f8811e727c938841c0f31cc448fb722c52ca41d8e816bb897bd432
|
|
7
|
+
data.tar.gz: 95a48cda0d4a8b695666a24e4d85647da09ec4637db65e8e83eb52d8a3dc9e3ed54cc34c66d5aaa7f60e8ec9f1069efdca8fb8dab5d9ac95bd6b12d22f765684
|
data/.rubocop.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,26 @@
|
|
|
1
|
+
# 3.1.0
|
|
2
|
+
|
|
3
|
+
Added hiera-eyaml support.
|
|
4
|
+
|
|
5
|
+
This allows us to use encrypted Terraform variables via hiera lookups (the `hiera.yaml` is consumed).
|
|
6
|
+
|
|
7
|
+
It also allows us to decrypt and extract SSL certificates or SSH keys which can then be used as appropriate.
|
|
8
|
+
|
|
9
|
+
In order to utilise these two improvements, you must update your `itv.yaml` e.g.:
|
|
10
|
+
|
|
11
|
+
```
|
|
12
|
+
dome:
|
|
13
|
+
hiera_keys:
|
|
14
|
+
artifactory_password: 'deirdre::artifactory_password'
|
|
15
|
+
certs:
|
|
16
|
+
sit.phoenix.itv.com.pem: 'phoenix::sit_wildcard_cert'
|
|
17
|
+
phoenix.key: 'phoenix::certificate_key'
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
This release also containes:
|
|
21
|
+
- Improved debugging/output messages.
|
|
22
|
+
- More tests.
|
|
23
|
+
|
|
1
24
|
# 3.0.1
|
|
2
25
|
|
|
3
26
|
Forcibly unsetting environment variables `AWS_ACCESS_KEY` and `AWS_SECRET_KEY`.
|
data/dome.gemspec
CHANGED
data/lib/dome.rb
CHANGED
|
@@ -3,6 +3,7 @@ require 'aws-sdk'
|
|
|
3
3
|
require 'colorize'
|
|
4
4
|
require 'fileutils'
|
|
5
5
|
require 'yaml'
|
|
6
|
+
require 'hiera'
|
|
6
7
|
|
|
7
8
|
require 'dome/settings'
|
|
8
9
|
require 'dome/version'
|
|
@@ -10,3 +11,5 @@ require 'dome/helpers/shell'
|
|
|
10
11
|
require 'dome/environment'
|
|
11
12
|
require 'dome/state'
|
|
12
13
|
require 'dome/terraform'
|
|
14
|
+
require 'dome/hiera_lookup'
|
|
15
|
+
require 'dome/secrets'
|
data/lib/dome/environment.rb
CHANGED
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
module Dome
|
|
2
2
|
class Environment
|
|
3
|
-
attr_reader :environment, :account, :settings
|
|
3
|
+
attr_reader :environment, :account, :ecosystem, :settings
|
|
4
4
|
|
|
5
5
|
def initialize(directories = Dir.pwd.split('/'))
|
|
6
6
|
@environment = directories[-1]
|
|
7
7
|
@account = directories[-2]
|
|
8
|
+
@ecosystem = directories[-2].split('-')[-1]
|
|
8
9
|
@settings = Dome::Settings.new
|
|
9
10
|
end
|
|
10
11
|
|
|
@@ -60,7 +61,6 @@ module Dome
|
|
|
60
61
|
|
|
61
62
|
private
|
|
62
63
|
|
|
63
|
-
# rubocop:disable Metrics/MethodLength
|
|
64
64
|
# rubocop:disable Metrics/AbcSize
|
|
65
65
|
def generic_error_message
|
|
66
66
|
puts "The 'account' and 'environment' variables are assigned based on your current directory.\n".colorize(:red)
|
|
@@ -0,0 +1,91 @@
|
|
|
1
|
+
module Dome
|
|
2
|
+
class HieraLookup
|
|
3
|
+
def initialize(environment)
|
|
4
|
+
@environment = environment.environment
|
|
5
|
+
@account = environment.account
|
|
6
|
+
@ecosystem = environment.ecosystem
|
|
7
|
+
@settings = Dome::Settings.new
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def config
|
|
11
|
+
@config ||= YAML.load_file(File.join(puppet_dir, 'hiera.yaml')).merge(default_config)
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def default_config
|
|
15
|
+
{
|
|
16
|
+
logger: 'noop',
|
|
17
|
+
yaml: {
|
|
18
|
+
datadir: "#{puppet_dir}/hieradata"
|
|
19
|
+
},
|
|
20
|
+
eyaml: {
|
|
21
|
+
datadir: "#{puppet_dir}/hieradata",
|
|
22
|
+
pkcs7_private_key: eyaml_private_key,
|
|
23
|
+
pkcs7_public_key: eyaml_public_key
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def puppet_dir
|
|
29
|
+
directory = File.join(@settings.project_root, 'puppet')
|
|
30
|
+
puts "The configured Puppet directory is: #{directory.colorize(:green)}" unless @directory
|
|
31
|
+
@directory ||= directory
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def eyaml_private_key
|
|
35
|
+
private_key = File.join(puppet_dir, 'keys/private_key.pkcs7.pem')
|
|
36
|
+
raise "Cannot find eyaml private key! Make sure it exists at #{private_key}" unless File.exist?(private_key)
|
|
37
|
+
puts "Found eyaml private key: #{private_key.colorize(:green)}"
|
|
38
|
+
private_key
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
def eyaml_public_key
|
|
42
|
+
public_key = File.join(puppet_dir, 'keys/public_key.pkcs7.pem')
|
|
43
|
+
raise "Cannot find eyaml public key! Make sure it exists at #{public_key}" unless File.exist?(public_key)
|
|
44
|
+
puts "Found eyaml public key: #{public_key.colorize(:green)}"
|
|
45
|
+
public_key
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def lookup(key, default = nil, order_override = nil, resolution_type = :priority)
|
|
49
|
+
hiera = Hiera.new(config: config)
|
|
50
|
+
|
|
51
|
+
hiera_scope = {}
|
|
52
|
+
hiera_scope['ecosystem'] = @ecosystem
|
|
53
|
+
hiera_scope['location'] = 'aeuw1'
|
|
54
|
+
hiera_scope['env'] = @environment
|
|
55
|
+
|
|
56
|
+
hiera.lookup(key.to_s, default, hiera_scope, order_override, resolution_type)
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
def secret_env_vars(secret_vars)
|
|
60
|
+
secret_vars.each_pair do |key, val|
|
|
61
|
+
hiera_lookup = lookup(val)
|
|
62
|
+
terraform_env_var = "TF_VAR_#{key}"
|
|
63
|
+
ENV[terraform_env_var] = hiera_lookup
|
|
64
|
+
if hiera_lookup
|
|
65
|
+
puts "Setting #{terraform_env_var.colorize(:green)}."
|
|
66
|
+
else
|
|
67
|
+
puts "Hiera lookup failed for '#{val}', so #{terraform_env_var} was not set.".colorize(:red)
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def extract_certs(certs)
|
|
73
|
+
create_certificate_directory
|
|
74
|
+
|
|
75
|
+
certs.each_pair do |key, val|
|
|
76
|
+
directory = "#{certificate_directory}/#{key}"
|
|
77
|
+
puts "Extracting certificate #{key.colorize(:green)} into #{directory.colorize(:green)}"
|
|
78
|
+
File.open(directory, 'w') { |f| f.write(lookup(val)) }
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
def create_certificate_directory
|
|
83
|
+
puts "Creating certificate directory at #{certificate_directory.colorize(:green)}"
|
|
84
|
+
FileUtils.mkdir_p certificate_directory
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
def certificate_directory
|
|
88
|
+
"#{@settings.project_root}/terraform/certs"
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
end
|
data/lib/dome/secrets.rb
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
module Dome
|
|
2
|
+
class Secrets
|
|
3
|
+
attr_reader :settings, :hiera
|
|
4
|
+
|
|
5
|
+
def initialize(environment)
|
|
6
|
+
@environment = environment
|
|
7
|
+
@settings = Dome::Settings.new
|
|
8
|
+
@hiera = Dome::HieraLookup.new(@environment)
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def secret_env_vars
|
|
12
|
+
return if dome_config.nil? || hiera_keys_config.nil?
|
|
13
|
+
@hiera.secret_env_vars(hiera_keys_config)
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def extract_certs
|
|
17
|
+
return if dome_config.nil? || certs_config.nil?
|
|
18
|
+
@hiera.extract_certs(certs_config)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def dome_config
|
|
22
|
+
puts "No #{'dome'.colorize(:green)} key found in your itv.yaml." unless @settings.parse['dome']
|
|
23
|
+
@settings.parse['dome']
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def hiera_keys_config
|
|
27
|
+
puts "No #{'hiera_keys'.colorize(:green)} sub-key under #{'dome'.colorize(:green)} key found "\
|
|
28
|
+
'in your itv.yaml.' unless @settings.parse['dome']['hiera_keys']
|
|
29
|
+
@settings.parse['dome']['hiera_keys']
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def certs_config
|
|
33
|
+
puts "No #{'certs'.colorize(:green)} sub-key under #{'dome'.colorize(:green)} key found "\
|
|
34
|
+
'in your itv.yaml.' unless @settings.parse['dome']['certs']
|
|
35
|
+
@settings.parse['dome']['certs']
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
data/lib/dome/settings.rb
CHANGED
data/lib/dome/terraform.rb
CHANGED
|
@@ -6,6 +6,7 @@ module Dome
|
|
|
6
6
|
|
|
7
7
|
def initialize
|
|
8
8
|
@environment = Dome::Environment.new
|
|
9
|
+
@secrets = Dome::Secrets.new(@environment)
|
|
9
10
|
@state = Dome::State.new(@environment)
|
|
10
11
|
@plan_file = "plans/#{@environment.account}-#{@environment.environment}-plan.tf"
|
|
11
12
|
end
|
|
@@ -45,13 +46,16 @@ module Dome
|
|
|
45
46
|
end
|
|
46
47
|
|
|
47
48
|
def apply
|
|
49
|
+
@secrets.secret_env_vars
|
|
48
50
|
command = "terraform apply #{@plan_file}"
|
|
49
51
|
failure_message = 'something went wrong when applying the TF plan'
|
|
50
52
|
execute_command(command, failure_message)
|
|
51
53
|
end
|
|
52
54
|
|
|
53
55
|
def create_plan
|
|
54
|
-
|
|
56
|
+
@secrets.secret_env_vars
|
|
57
|
+
@secrets.extract_certs
|
|
58
|
+
command = "terraform plan -refresh=true -out=#{@plan_file} -var-file=params/env.tfvars"
|
|
55
59
|
failure_message = 'something went wrong when creating the TF plan'
|
|
56
60
|
execute_command(command, failure_message)
|
|
57
61
|
end
|
data/lib/dome/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: domed-city
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.0
|
|
4
|
+
version: 3.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- ITV
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-09-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -108,6 +108,34 @@ dependencies:
|
|
|
108
108
|
- - "~>"
|
|
109
109
|
- !ruby/object:Gem::Version
|
|
110
110
|
version: '0.7'
|
|
111
|
+
- !ruby/object:Gem::Dependency
|
|
112
|
+
name: hiera
|
|
113
|
+
requirement: !ruby/object:Gem::Requirement
|
|
114
|
+
requirements:
|
|
115
|
+
- - "~>"
|
|
116
|
+
- !ruby/object:Gem::Version
|
|
117
|
+
version: '1.3'
|
|
118
|
+
type: :runtime
|
|
119
|
+
prerelease: false
|
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
121
|
+
requirements:
|
|
122
|
+
- - "~>"
|
|
123
|
+
- !ruby/object:Gem::Version
|
|
124
|
+
version: '1.3'
|
|
125
|
+
- !ruby/object:Gem::Dependency
|
|
126
|
+
name: hiera-eyaml
|
|
127
|
+
requirement: !ruby/object:Gem::Requirement
|
|
128
|
+
requirements:
|
|
129
|
+
- - "~>"
|
|
130
|
+
- !ruby/object:Gem::Version
|
|
131
|
+
version: '2.1'
|
|
132
|
+
type: :runtime
|
|
133
|
+
prerelease: false
|
|
134
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
135
|
+
requirements:
|
|
136
|
+
- - "~>"
|
|
137
|
+
- !ruby/object:Gem::Version
|
|
138
|
+
version: '2.1'
|
|
111
139
|
description:
|
|
112
140
|
email:
|
|
113
141
|
- common-platform-team-group@itv.com
|
|
@@ -131,6 +159,8 @@ files:
|
|
|
131
159
|
- lib/dome.rb
|
|
132
160
|
- lib/dome/environment.rb
|
|
133
161
|
- lib/dome/helpers/shell.rb
|
|
162
|
+
- lib/dome/hiera_lookup.rb
|
|
163
|
+
- lib/dome/secrets.rb
|
|
134
164
|
- lib/dome/settings.rb
|
|
135
165
|
- lib/dome/state.rb
|
|
136
166
|
- lib/dome/terraform.rb
|