formatron 0.1.0

data/lib/formatron/cloud_formation/template/vpc/subnet.rb

@@ -0,0 +1,187 @@
+require_relative 'subnet/nat'
+require_relative 'subnet/bastion'
+require_relative 'subnet/chef_server'
+require_relative 'subnet/instance'
+require_relative 'subnet/acl'
+require_relative '../vpc'
+require 'formatron/cloud_formation/resources/ec2'
+
+class Formatron
+  module CloudFormation
+    class Template
+      class VPC
+        # generates CloudFormation subnet resources
+        # rubocop:disable Metrics/ClassLength
+        class Subnet
+          SUBNET_PREFIX = 'subnet'
+          SUBNET_ROUTE_TABLE_ASSOCIATION_PREFIX = 'subnetRouteTableAssociation'
+
+          # rubocop:disable Metrics/MethodLength
+          # rubocop:disable Metrics/ParameterLists
+          # rubocop:disable Metrics/AbcSize
+          def initialize(
+            subnet:,
+            external:,
+            vpc_guid:,
+            vpc_cidr:,
+            key_pair:,
+            hosted_zone_name:,
+            kms_key:,
+            nats:,
+            private_hosted_zone_id:,
+            public_hosted_zone_id:,
+            bucket:,
+            name:,
+            target:
+          )
+            @subnet = subnet
+            @external = external
+            @vpc_guid = vpc_guid
+            @vpc_cidr = vpc_cidr
+            @cidr = @subnet.cidr
+            @acl = @subnet.acl
+            @key_pair = key_pair
+            @hosted_zone_name = hosted_zone_name
+            @kms_key = kms_key
+            @nats = nats
+            @private_hosted_zone_id = private_hosted_zone_id
+            @public_hosted_zone_id = public_hosted_zone_id
+            @bucket = bucket
+            @name = name
+            @target = target
+          end
+          # rubocop:enable Metrics/AbcSize
+          # rubocop:enable Metrics/ParameterLists
+          # rubocop:enable Metrics/MethodLength
+
+          # rubocop:disable Metrics/MethodLength
+          def merge(resources:, outputs:)
+            @guid = @subnet.guid
+            if @guid.nil?
+              @guid = @external.guid
+              _merge_external resources: resources, outputs: outputs
+            else
+              _merge_local resources: resources, outputs: outputs
+            end
+          end
+
+          def _merge_external(resources:, outputs:)
+            @gateway = @external.gateway
+            @availability_zone = @external.availability_zone
+            {
+              nat: NAT,
+              bastion: Bastion,
+              chef_server: ChefServer,
+              instance: Instance
+            }.each do |symbol, cls|
+              @subnet.send(symbol).each do |_, instance|
+                args = {
+                  symbol => instance,
+                  key_pair: @key_pair,
+                  availability_zone: @availability_zone,
+                  subnet_guid: @guid,
+                  hosted_zone_name: @hosted_zone_name,
+                  vpc_guid: @vpc_guid,
+                  vpc_cidr: @vpc_cidr,
+                  kms_key: @kms_key,
+                  private_hosted_zone_id: @private_hosted_zone_id,
+                  public_hosted_zone_id:
+                    @gateway.nil? ? @public_hosted_zone_id : nil,
+                  bucket: @bucket,
+                  name: @name,
+                  target: @target
+                }
+                instance = cls.new(**args)
+                instance.merge resources: resources, outputs: outputs
+              end
+            end
+          end
+
+          def _merge_local(resources:, outputs:)
+            @subnet_id = "#{SUBNET_PREFIX}#{@guid}"
+            @subnet_route_table_association_id =
+              "#{SUBNET_ROUTE_TABLE_ASSOCIATION_PREFIX}#{@guid}"
+            @vpc_id = "#{VPC::VPC_PREFIX}#{@vpc_guid}"
+            @public_route_table_id =
+              "#{VPC::ROUTE_TABLE_PREFIX}#{@vpc_guid}"
+            @gateway = @subnet.gateway
+            @availability_zone = @subnet.availability_zone
+            {
+              nat: NAT,
+              bastion: Bastion,
+              chef_server: ChefServer,
+              instance: Instance
+            }.each do |symbol, cls|
+              @subnet.send(symbol).each do |_, instance|
+                args = {
+                  symbol => instance,
+                  key_pair: @key_pair,
+                  availability_zone: @availability_zone,
+                  subnet_guid: @guid,
+                  hosted_zone_name: @hosted_zone_name,
+                  vpc_guid: @vpc_guid,
+                  vpc_cidr: @vpc_cidr,
+                  kms_key: @kms_key,
+                  private_hosted_zone_id: @private_hosted_zone_id,
+                  public_hosted_zone_id:
+                    @gateway.nil? ? @public_hosted_zone_id : nil,
+                  bucket: @bucket,
+                  name: @name,
+                  target: @target
+                }
+                instance = cls.new(**args)
+                instance.merge resources: resources, outputs: outputs
+              end
+            end
+            _add_subnet resources, outputs
+            _add_subnet_route_table_association resources
+            _add_acl resources if @acl && @gateway.nil?
+          end
+          # rubocop:enable Metrics/MethodLength
+
+          def _add_subnet(resources, outputs)
+            resources[@subnet_id] = Resources::EC2.subnet(
+              vpc: @vpc_id,
+              cidr: @cidr,
+              availability_zone: @availability_zone,
+              map_public_ip_on_launch: @gateway.nil?
+            )
+            outputs[@subnet_id] = Template.output Template.ref(@subnet_id)
+          end
+
+          def _add_subnet_route_table_association(resources)
+            route_table = @public_route_table_id
+            unless @gateway.nil?
+              gateway_guid = @nats[@gateway].guid
+              route_table = "#{NAT::ROUTE_TABLE_PREFIX}#{gateway_guid}"
+            end
+            resources[@subnet_route_table_association_id] =
+              Resources::EC2.subnet_route_table_association(
+                route_table: route_table,
+                subnet: @subnet_id
+              )
+          end
+
+          def _add_acl(resources)
+            acl = ACL.new(
+              acl: @acl,
+              subnet_guid: @guid,
+              vpc_guid: @vpc_guid,
+              vpc_cidr: @vpc_cidr
+            )
+            acl.merge resources: resources
+          end
+
+          private(
+            :_merge_local,
+            :_merge_external,
+            :_add_subnet,
+            :_add_subnet_route_table_association,
+            :_add_acl
+          )
+        end
+        # rubocop:enable Metrics/ClassLength
+      end
+    end
+  end
+end

data/lib/formatron/cloud_formation/template/vpc/subnet/acl.rb

@@ -0,0 +1,147 @@
+require 'formatron/cloud_formation/resources/ec2'
+
+class Formatron
+  module CloudFormation
+    class Template
+      class VPC
+        class Subnet
+          # generates CloudFormation ACL resources
+          # rubocop:disable Metrics/ClassLength
+          class ACL
+            NETWORK_ACL_PREFIX = 'networkAcl'
+            SUBNET_NETWORK_ACL_ASSOCIATION_PREFIX =
+              'subnetNetworkAclAssociation'
+            VPC_INBOUND_NETWORK_ACL_ENTRY_PREFIX =
+              'vpcInboundNetworkAclEntry'
+            EXTERNAL_INBOUND_TCP_NETWORK_ACL_ENTRY_PREFIX =
+              'externalInboundTcpNetworkAclEntry'
+            EXTERNAL_INBOUND_UDP_NETWORK_ACL_ENTRY_PREFIX =
+              'externalInboundUdpNetworkAclEntry'
+            OUTBOUND_NETWORK_ACL_ENTRY_PREFIX =
+              'outboundNetworkAclEntry'
+            EXTERNAL_INBOUND_NETWORK_ACL_ENTRY_PREFIX =
+              'externalInboundNetworkAclEntry'
+
+            EPHEMERAL_PORT_START = 1024
+            EPHEMERAL_PORT_END = 65_535
+
+            # rubocop:disable Metrics/MethodLength
+            def initialize(acl:, subnet_guid:, vpc_guid:, vpc_cidr:)
+              @acl = acl
+              @subnet_guid = subnet_guid
+              @vpc_guid = vpc_guid
+              @vpc_cidr = vpc_cidr
+              @network_acl_id = "#{NETWORK_ACL_PREFIX}#{@subnet_guid}"
+              @subnet_network_acl_association_id =
+                "#{SUBNET_NETWORK_ACL_ASSOCIATION_PREFIX}#{@subnet_guid}"
+              @vpc_id = "#{VPC::VPC_PREFIX}#{@vpc_guid}"
+              @subnet_id = "#{Subnet::SUBNET_PREFIX}#{@subnet_guid}"
+              @network_acl_entry_vpc_inbound_id =
+                "#{VPC_INBOUND_NETWORK_ACL_ENTRY_PREFIX}#{@subnet_guid}"
+              @network_acl_entry_external_inbound_tcp_id =
+                "#{EXTERNAL_INBOUND_TCP_NETWORK_ACL_ENTRY_PREFIX}" \
+                "#{@subnet_guid}"
+              @network_acl_entry_external_inbound_udp_id =
+                "#{EXTERNAL_INBOUND_UDP_NETWORK_ACL_ENTRY_PREFIX}" \
+                "#{@subnet_guid}"
+              @network_acl_entry_outbound_id =
+                "#{OUTBOUND_NETWORK_ACL_ENTRY_PREFIX}#{@subnet_guid}"
+              @source_cidrs = @acl.source_cidr
+            end
+            # rubocop:enable Metrics/MethodLength
+
+            def merge(resources:)
+              resources[@network_acl_id] = Resources::EC2.network_acl(
+                vpc: @vpc_id
+              )
+              resources[@subnet_network_acl_association_id] =
+                Resources::EC2.subnet_network_acl_association(
+                  subnet: @subnet_id,
+                  network_acl: @network_acl_id
+                )
+              _add_default_rules resources
+              _add_source_cidrs resources
+            end
+            # rubocop:enable Metrics/MethodLength
+
+            # rubocop:disable Metrics/MethodLength
+            def _add_default_rules(resources)
+              resources[@network_acl_entry_vpc_inbound_id] =
+                Resources::EC2.network_acl_entry(
+                  network_acl: @network_acl_id,
+                  cidr: @vpc_cidr,
+                  egress: false,
+                  protocol: -1,
+                  action: 'allow',
+                  icmp_code: -1,
+                  icmp_type: -1,
+                  number: 100
+                )
+              resources[@network_acl_entry_external_inbound_tcp_id] =
+                Resources::EC2.network_acl_entry(
+                  network_acl: @network_acl_id,
+                  cidr: '0.0.0.0/0',
+                  egress: false,
+                  protocol: 6,
+                  action: 'allow',
+                  start_port: EPHEMERAL_PORT_START,
+                  end_port: EPHEMERAL_PORT_END,
+                  number: 200
+                )
+              resources[@network_acl_entry_external_inbound_udp_id] =
+                Resources::EC2.network_acl_entry(
+                  network_acl: @network_acl_id,
+                  cidr: '0.0.0.0/0',
+                  egress: false,
+                  protocol: 17,
+                  action: 'allow',
+                  start_port: EPHEMERAL_PORT_START,
+                  end_port: EPHEMERAL_PORT_END,
+                  number: 300
+                )
+              resources[@network_acl_entry_outbound_id] =
+                Resources::EC2.network_acl_entry(
+                  network_acl: @network_acl_id,
+                  cidr: '0.0.0.0/0',
+                  egress: true,
+                  protocol: -1,
+                  action: 'allow',
+                  icmp_code: -1,
+                  icmp_type: -1,
+                  number: 400
+                )
+            end
+            # rubocop:enable Metrics/MethodLength
+
+            # rubocop:disable Metrics/MethodLength
+            def _add_source_cidrs(resources)
+              @source_cidrs.each_index do |index|
+                source_cidr = @source_cidrs[index]
+                resources[
+                  "#{EXTERNAL_INBOUND_NETWORK_ACL_ENTRY_PREFIX}" \
+                  "#{index}#{@subnet_guid}"
+                ] = Resources::EC2.network_acl_entry(
+                  network_acl: @network_acl_id,
+                  cidr: source_cidr,
+                  egress: false,
+                  protocol: -1,
+                  action: 'allow',
+                  icmp_code: -1,
+                  icmp_type: -1,
+                  number: 500 + index
+                )
+              end
+            end
+            # rubocop:enable Metrics/MethodLength
+
+            private(
+              :_add_default_rules,
+              :_add_source_cidrs
+            )
+          end
+          # rubocop:enable Metrics/ClassLength
+        end
+      end
+    end
+  end
+end

data/lib/formatron/cloud_formation/template/vpc/subnet/bastion.rb

@@ -0,0 +1,66 @@
+require_relative 'instance'
+
+class Formatron
+  module CloudFormation
+    class Template
+      class VPC
+        class Subnet
+          # generates CloudFormation Bastion resources
+          class Bastion
+            # rubocop:disable Metrics/MethodLength
+            # rubocop:disable Metrics/ParameterLists
+            def initialize(
+              bastion:,
+              key_pair:,
+              availability_zone:,
+              subnet_guid:,
+              hosted_zone_name:,
+              vpc_guid:,
+              vpc_cidr:,
+              kms_key:,
+              private_hosted_zone_id:,
+              public_hosted_zone_id:,
+              bucket:,
+              name:,
+              target:
+            )
+              @bastion = bastion
+              _add_open_ports
+              @instance = Instance.new(
+                instance: bastion,
+                key_pair: key_pair,
+                availability_zone: availability_zone,
+                subnet_guid: subnet_guid,
+                hosted_zone_name: hosted_zone_name,
+                vpc_guid: vpc_guid,
+                vpc_cidr: vpc_cidr,
+                kms_key: kms_key,
+                private_hosted_zone_id: private_hosted_zone_id,
+                public_hosted_zone_id: public_hosted_zone_id,
+                bucket: bucket,
+                name: name,
+                target: target
+              )
+            end
+            # rubocop:enable Metrics/ParameterLists
+            # rubocop:enable Metrics/MethodLength
+
+            def _add_open_ports
+              @bastion.security_group do |security_group|
+                security_group.open_tcp_port 22
+              end
+            end
+
+            def merge(resources:, outputs:)
+              @instance.merge resources: resources, outputs: outputs
+            end
+
+            private(
+              :_add_open_ports
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/formatron/cloud_formation/template/vpc/subnet/chef_server.rb

@@ -0,0 +1,205 @@
+require_relative 'instance'
+require 'formatron/s3/chef_server_cert'
+require 'formatron/s3/chef_server_keys'
+require 'formatron/cloud_formation/resources/iam'
+
+class Formatron
+  module CloudFormation
+    class Template
+      class VPC
+        class Subnet
+          # generates CloudFormation Chef Server resources
+          # rubocop:disable Metrics/ClassLength
+          class ChefServer
+            USER_PREFIX = 'user'
+            ACCESS_KEY_PREFIX = 'accessKey'
+
+            # rubocop:disable Metrics/MethodLength
+            # rubocop:disable Metrics/ParameterLists
+            # rubocop:disable Metrics/AbcSize
+            def initialize(
+              chef_server:,
+              key_pair:,
+              availability_zone:,
+              subnet_guid:,
+              hosted_zone_name:,
+              vpc_guid:,
+              vpc_cidr:,
+              kms_key:,
+              private_hosted_zone_id:,
+              public_hosted_zone_id:,
+              bucket:,
+              name:,
+              target:
+            )
+              @chef_server = chef_server
+              @bucket = bucket
+              guid = @chef_server.guid
+              @ssl_cert_key = S3::ChefServerCert.cert_key(
+                name: name,
+                target: target,
+                guid: guid
+              )
+              @ssl_key_key = S3::ChefServerCert.key_key(
+                name: name,
+                target: target,
+                guid: guid
+              )
+              @user_pem_key = S3::ChefServerKeys.user_pem_key(
+                name: name,
+                target: target,
+                guid: guid
+              )
+              @organization_pem_key =
+                S3::ChefServerKeys.organization_pem_key(
+                  name: name,
+                  target: target,
+                  guid: guid
+                )
+              @user_id = "#{USER_PREFIX}#{guid}"
+              @access_key_id = "#{ACCESS_KEY_PREFIX}#{guid}"
+              @kms_key = kms_key
+              @username = @chef_server.username
+              @password = @chef_server.password
+              @first_name = @chef_server.first_name
+              @last_name = @chef_server.last_name
+              @email = @chef_server.email
+              @version = @chef_server.version
+              @cookbooks_bucket = @chef_server.cookbooks_bucket
+              organization = @chef_server.organization
+              @organization_short_name = organization.short_name
+              @organization_full_name = organization.full_name
+              _set_default_instance_type
+              _add_ssl_cert_policy
+              _add_keys_policy
+              _add_open_ports
+              _add_setup_script
+              @instance = Instance.new(
+                instance: @chef_server,
+                key_pair: key_pair,
+                availability_zone: availability_zone,
+                subnet_guid: subnet_guid,
+                hosted_zone_name: hosted_zone_name,
+                vpc_guid: vpc_guid,
+                vpc_cidr: vpc_cidr,
+                kms_key: @kms_key,
+                private_hosted_zone_id: private_hosted_zone_id,
+                public_hosted_zone_id: public_hosted_zone_id,
+                bucket: @bucket,
+                name: name,
+                target: target
+              )
+            end
+            # rubocop:enable Metrics/AbcSize
+            # rubocop:enable Metrics/ParameterLists
+            # rubocop:enable Metrics/MethodLength
+
+            def _set_default_instance_type
+              @chef_server.instance_type(
+                't2.medium'
+              ) if @chef_server.instance_type.nil?
+            end
+
+            def _add_ssl_cert_policy
+              @chef_server.policy do |policy|
+                policy.statement do |statement|
+                  statement.action 's3:GetObject'
+                  statement.resource "arn:aws:s3:::#{@bucket}/#{@ssl_cert_key}"
+                  statement.resource "arn:aws:s3:::#{@bucket}/#{@ssl_key_key}"
+                end
+              end
+            end
+
+            def _add_keys_policy
+              @chef_server.policy do |policy|
+                policy.statement do |statement|
+                  statement.action 's3:PutObject'
+                  statement.resource "arn:aws:s3:::#{@bucket}/#{@user_pem_key}"
+                  statement.resource(
+                    "arn:aws:s3:::#{@bucket}/#{@organization_pem_key}"
+                  )
+                end
+              end
+            end
+
+            def _add_open_ports
+              @chef_server.security_group do |security_group|
+                security_group.open_tcp_port 80
+                security_group.open_tcp_port 443
+              end
+            end
+
+            # rubocop:disable Metrics/MethodLength
+            def _add_setup_script
+              @chef_server.setup do |setup|
+                scripts = setup.script
+                scripts.unshift Scripts.chef_server(
+                  username: @username,
+                  first_name: @first_name,
+                  last_name: @last_name,
+                  email: @email,
+                  password: @password,
+                  organization_short_name: @organization_short_name,
+                  organization_full_name: @organization_full_name,
+                  bucket: @bucket,
+                  user_pem_key: @user_pem_key,
+                  organization_pem_key: @organization_pem_key,
+                  kms_key: @kms_key,
+                  chef_server_version: @version,
+                  ssl_cert_key: @ssl_cert_key,
+                  ssl_key_key: @ssl_key_key,
+                  cookbooks_bucket: @cookbooks_bucket
+                )
+                setup.variable 'REGION' do |variable|
+                  variable.value Template.ref('AWS::Region')
+                end
+                setup.variable 'ACCESS_KEY_ID' do |variable|
+                  variable.value Template.ref(@access_key_id)
+                end
+                setup.variable 'SECRET_ACCESS_KEY' do |variable|
+                  variable.value Template.get_attribute(
+                    @access_key_id, 'SecretAccessKey'
+                  )
+                end
+              end
+            end
+            # rubocop:enable Metrics/MethodLength
+
+            def merge(resources:, outputs:)
+              _add_cookbooks_bucket_user resources
+              @instance.merge resources: resources, outputs: outputs
+            end
+
+            # rubocop:disable Metrics/MethodLength
+            def _add_cookbooks_bucket_user(resources)
+              resources[@user_id] = Resources::IAM.user(
+                policy_name: @user_id,
+                statements: [{
+                  actions: %w(s3:PutObject s3:GetObject s3:DeleteObject),
+                  resources: "arn:aws:s3:::#{@cookbooks_bucket}/*"
+                }, {
+                  actions: %w(s3:ListBucket),
+                  resources: "arn:aws:s3:::#{@cookbooks_bucket}"
+                }]
+              )
+              resources[@access_key_id] = Resources::IAM.access_key(
+                user_name: Template.ref(@user_id)
+              )
+            end
+            # rubocop:enable Metrics/MethodLength
+
+            private(
+              :_set_default_instance_type,
+              :_add_ssl_cert_policy,
+              :_add_keys_policy,
+              :_add_open_ports,
+              :_add_setup_script,
+              :_add_cookbooks_bucket_user
+            )
+          end
+          # rubocop:enable Metrics/ClassLength
+        end
+      end
+    end
+  end
+end