rubycfn 0.4.10 → 0.5.0

data/templates/lib/core/applications.rb

@@ -0,0 +1,479 @@
+# Generate nested stacks for each defined application, and create module dynamically.
+def create_applications
+  resource :applications_stack,
+           amount: infra_config["applications"].count,
+           type: "AWS::CloudFormation::Stack" do |r, index|
+    name = infra_config["applications"].keys[index]
+    resource_name = name.tr("-", "_").cfnize
+    simple_name = resource_name.downcase
+    app_config = infra_config["applications"].values[index]
+    warn "App config is empty" unless app_config # Rubocop didn't understand that the variable is actually used.
+    #       request_certificate("Gateway", gateway_domains[environment], :asellion_com_hosted_zone_id.ref, "us-east-1")
+
+    r._id("#{resource_name}Stack")
+    r.property(:template_url) { "#{simple_name}stack" }
+    r.property(:parameters) do
+      {
+        "Vpc": :vpc_stack.ref("Outputs.SfsVpc"),
+        "Cluster": :ecs_stack.ref("Outputs.SfsEcsCluster"),
+        "Listener": :ecs_stack.ref("Outputs.EcsLoadBalancerListener"),
+        "EcsServiceAutoScalingRoleArn": :ecs_stack.ref("Outputs.SfsEcsAutoScalingRoleArn"),
+        "HostedZoneId": :route53_stack.ref("Outputs.HostedZoneId"),
+        "HostedZoneName": :route53_stack.ref("Outputs.HostedZoneName"),
+        "LoadBalancerDnsName": :ecs_stack.ref("Outputs.EcsLoadBalancerUrl"),
+        "CanonicalHostedZoneId": :ecs_stack.ref("Outputs.EcsLoadBalancerHostedZoneId"),
+        "CertificateProviderFunctionArn": :acm_stack.ref("Outputs.CertificateProviderFunctionArn")
+      }
+    end
+    Object.const_set("#{resource_name}Stack", Module.new).class_eval <<-RUBY
+      extend ActiveSupport::Concern
+      include Rubycfn
+
+      included do
+        def env_vars_to_array(val)
+          vars = []
+          val.keys.each_with_index do |object, index|
+            vars.push(
+              Name: object,
+              Value: val.values[index]
+            )
+          end
+          vars
+        end
+
+        parameter :vpc,
+                  description: "The VPC that the ECS cluster is deployed to",
+                  type: "AWS::EC2::VPC::Id"
+
+        parameter :cluster,
+                  description: "ECS Cluster ID",
+                  type: "String"
+
+        parameter :listener,
+                  description: "The Application Load Balancer listener to register with",
+                  type: "String"
+
+        parameter :ecs_service_auto_scaling_role_arn,
+                  description: "The ECS service auto scaling role ARN",
+                  type: "String"
+
+        parameter :hosted_zone_id,
+                  description: "Hosted Zone ID",
+                  type: "String"
+
+        parameter :hosted_zone_name,
+                  description: "Hosted Zone Name",
+                  type: "String"
+
+        parameter :load_balancer_dns_name,
+                  description: "URL of the ECS ALB",
+                  type: "String"
+
+        parameter :canonical_hosted_zone_id,
+                  description: "Canonical Hosted Zone Id of ALB",
+                  type: "String"
+
+        parameter :certificate_provider_function_arn,
+                  description: "ARN of certificate provider",
+                  type: "String"
+
+        variable :min,
+                 value: app_config["min"].to_s
+
+        variable :max,
+                 value: app_config["max"].to_s
+
+        variable :container_port,
+                 value: app_config["container_port"].to_s
+
+        variable :memory,
+                 value: app_config["mem"].to_s
+
+        variable :image,
+                 value: app_config["image"]
+
+        variable :env_vars,
+                 value: app_config["env"],
+                 filter: :env_vars_to_array
+
+        variable :priority,
+                 value: app_config["priority"].to_s
+
+
+        description generate_stack_description("#{resource_name}Stack")
+        resource :service,
+                 type: "AWS::ECS::Service" do |r|
+
+          r.property(:cluster) { :cluster.ref }
+          r.property(:role) { :service_role.ref }
+          r.property(:desired_count) { min.to_i }
+          r.property(:task_definition) { :task_definition.ref }
+          r.property(:load_balancers) do
+            [
+              "ContainerName": "#{simple_name}-service",
+              "ContainerPort": container_port.to_i,
+              "TargetGroupArn": :target_group.ref
+            ]
+          end
+        end
+
+        resource :task_definition,
+                 type: "AWS::ECS::TaskDefinition" do |r|
+          r.property(:family) { "#{simple_name}-service" }
+          r.property(:container_definitions) do
+            [
+              {
+                "Name": "#{simple_name}-service",
+                "Essential": true,
+                "Image": image,
+                "Memory": memory.to_i,
+                "Environment": env_vars,
+                "PortMappings": [
+                  {
+                    "ContainerPort": container_port.to_i
+                  }
+                ],
+                "LogConfiguration": {
+                  "LogDriver": "awslogs",
+                  "Options": {
+                    "awslogs-group": :cloud_watch_logs_group.ref,
+                    "awslogs-region": "AWS::Region".ref
+                  }
+                }
+              }
+            ]
+          end
+        end
+
+        resource :cloud_watch_logs_group,
+                 type: "AWS::Logs::LogGroup" do |r|
+          r.property(:log_group_name) { ["AWS::StackName".ref, "-#{simple_name}"].fnjoin }
+          r.property(:retention_in_days) { 30 }
+        end
+
+        resource :target_group,
+                 type: "AWS::ElasticLoadBalancingV2::TargetGroup" do |r|
+          r.property(:vpc_id) { :vpc.ref }
+          r.property(:port) { container_port.to_i }
+          r.property(:protocol) { "HTTP" }
+          r.property(:matcher) do
+            {
+              "HttpCode": "200-299"
+            }
+          end
+          r.property(:health_check_interval_seconds) { 10 }
+          r.property(:health_check_path) { "/" }
+          r.property(:health_check_protocol) { "HTTP" }
+          r.property(:health_check_timeout_seconds) { 5 }
+          r.property(:healthy_threshold_count) { 2 }
+        end
+
+        resource :listener_rule,
+                 type: "AWS::ElasticLoadBalancingV2::ListenerRule" do |r|
+          r.property(:listener_arn) { :listener.ref }
+          r.property(:priority) { priority.to_i }
+          r.property(:conditions) do
+            [
+              {
+                "Field": "host-header",
+                "Values": [
+                  ["origin", name.tr("_", "-"), :hosted_zone_name.ref].fnjoin("."),
+                  [name.tr("_", "-"), :hosted_zone_name.ref].fnjoin(".")
+                ]
+              }
+            ]
+          end
+          r.property(:actions) do
+            [
+              {
+                "TargetGroupArn": :target_group.ref,
+                "Type": "forward"
+              }
+            ]
+          end
+        end
+
+        assume_role_policy_document = {
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "ecs.amazonaws.com"
+                ]
+              },
+              "Action": [
+                "sts:AssumeRole"
+              ]
+            }
+          ]
+        }
+
+        resource :service_role,
+                 type: "AWS::IAM::Role" do |r|
+          r.property(:role_name) { "ecs-service-${AWS::StackName}".fnsub }
+          r.property(:path) { "/" }
+          r.property(:assume_role_policy_document) { JSON.pretty_generate(assume_role_policy_document) }
+          r.property(:policies) do
+            [
+              {
+                "PolicyName": "ecs-service-${AWS::StackName}".fnsub,
+                "PolicyDocument": {
+                  "Version": "2012-10-17",
+                  "Statement": [
+                    {
+                      "Effect": "Allow",
+                      "Action": [
+                        "ec2:AuthorizeSecurityGroupIngress",
+                        "ec2:Describe*",
+                        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+                        "elasticloadbalancing:Describe*",
+                        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+                        "elasticloadbalancing:DeregisterTargets",
+                        "elasticloadbalancing:DescribeTargetGroups",
+                        "elasticloadbalancing:DescribeTargetHealth",
+                        "elasticloadbalancing:RegisterTargets"
+                      ],
+                      "Resource": "*"
+                    }
+                  ]
+                }
+              }
+            ]
+          end
+        end
+
+        resource :application_load_balancer_record,
+                 type: "AWS::Route53::RecordSet" do |r|
+          r.property(:type) { "A" }
+          r.property(:name) { ["origin", name.tr("_", "-"), :hosted_zone_name.ref].fnjoin(".") }
+          r.property(:hosted_zone_id) { :hosted_zone_id.ref }
+          r.property(:alias_target) do
+            {
+              "DNSName": :load_balancer_dns_name.ref,
+              "EvaluateTargetHealth": true,
+              "HostedZoneId": :canonical_hosted_zone_id.ref
+            }
+          end
+        end
+
+        resource :service_scalable_target,
+                 type: "AWS::ApplicationAutoScaling::ScalableTarget" do |r|
+          r.property(:max_capacity) { max.to_i }
+          r.property(:min_capacity) { min.to_i }
+          r.property(:resource_id) { ["service", :cluster.ref, :service.ref(:name)].fnjoin("/") }
+          r.property(:role_arn) { :ecs_service_auto_scaling_role_arn.ref }
+          r.property(:scalable_dimension) { "ecs:service:DesiredCount" }
+          r.property(:service_namespace) { "ecs" }
+        end
+
+        resource :service_scale_out_policy,
+                 type: "AWS::ApplicationAutoScaling::ScalingPolicy" do |r|
+          r.property(:policy_name) { "ServiceScaleOutPolicy" }
+          r.property(:policy_type) { "StepScaling" }
+          r.property(:scaling_target_id) { :service_scalable_target.ref }
+          r.property(:step_scaling_policy_configuration) do
+            {
+              "AdjustmentType": "ChangeInCapacity",
+              "Cooldown": 300,
+              "MetricAggregationType": "Average",
+              "StepAdjustments": [
+                {
+                  "MetricIntervalLowerBound": 0,
+                  "ScalingAdjustment": 1
+                }
+              ]
+            }
+          end
+        end
+
+        resource :service_scale_in_policy,
+                 type: "AWS::ApplicationAutoScaling::ScalingPolicy" do |r|
+          r.property(:policy_name) { "ServiceScaleInPolicy" }
+          r.property(:policy_type) { "StepScaling" }
+          r.property(:scaling_target_id) { :service_scalable_target.ref }
+          r.property(:step_scaling_policy_configuration) do
+            {
+              "AdjustmentType": "ChangeInCapacity",
+              "Cooldown": 600,
+              "MetricAggregationType": "Average",
+              "StepAdjustments": [
+                {
+                  "MetricIntervalUpperBound": 0,
+                  "ScalingAdjustment": -1
+                }
+              ]
+            }
+          end
+        end
+
+        resource :cpu_scale_out_alarm,
+                 type: "AWS::CloudWatch::Alarm" do |r|
+          r.property(:alarm_name) { "CPU utilization greater than 90% on #{simple_name}-#{environment}" }
+          r.property(:alarm_description) { "Alarm if cpu utilization greater than 90% of reserved cpu" }
+          r.property(:namespace) { "AWS/ECS" }
+          r.property(:metric_name) { "CPUUtilization" }
+          r.property(:dimensions) do
+            [
+              {
+                "Name": "ClusterName",
+                "Value": :cluster.ref
+              },
+              {
+                "Name": "ServiceName",
+                "Value": :service.ref(:name)
+              }
+            ]
+          end
+          r.property(:statistic) { "Maximum" }
+          r.property(:period) { "60" }
+          r.property(:evaluation_periods) { "3" }
+          r.property(:threshold) { "90" }
+          r.property(:comparison_operator) { "GreaterThanThreshold" }
+          r.property(:alarm_actions) { [:service_scale_out_policy.ref] }
+        end
+
+        resource :cpu_scale_in_alarm,
+                 type: "AWS::CloudWatch::Alarm" do |r|
+          r.property(:alarm_name) { "CPU utilization less than 70% on #{simple_name}-#{environment}" }
+          r.property(:alarm_description) { "Alarm if cpu utilization greater than 70% of reserved cpu" }
+          r.property(:namespace) { "AWS/ECS" }
+          r.property(:metric_name) { "CPUUtilization" }
+          r.property(:dimensions) do
+            [
+              {
+                "Name": "ClusterName",
+                "Value": :cluster.ref
+              },
+              {
+                "Name": "ServiceName",
+                "Value": :service.ref(:name)
+              }
+            ]
+          end
+          r.property(:statistic) { "Maximum" }
+          r.property(:period) { "60" }
+          r.property(:evaluation_periods) { "10" }
+          r.property(:threshold) { "70" }
+          r.property(:comparison_operator) { "LessThanThreshold" }
+          r.property(:alarm_actions) { [:service_scale_in_policy.ref] }
+        end
+
+        resource :ecs_application_certificate,
+                 type: "Custom::Certificate" do |r|
+          r.property(:service_token) { :certificate_provider_function_arn.ref }
+          r.property(:region) { "us-east-1" }
+          r.property(:domain_name) { [name.tr("_", "-"), :hosted_zone_name.ref].fnjoin(".") }
+          r.property(:validation_method) { "DNS" }
+        end
+
+        resource :ecs_application_issued_certificate,
+                 type: "Custom::IssuedCertificate" do |r|
+          r.property(:service_token) { :certificate_provider_function_arn.ref }
+          r.property(:region) { "us-east-1" }
+          r.property(:certificate_arn) { :ecs_application_certificate.ref }
+        end
+
+        resource :ecs_application_dns_record,
+                 type: "Custom::CertificateDNSRecord" do |r|
+          r.property(:service_token) { :certificate_provider_function_arn.ref }
+          r.property(:region) { "us-east-1" }
+          r.property(:domain_name) { [name.tr("_", "-"), :hosted_zone_name.ref].fnjoin(".") }
+          r.property(:certificate_arn) { :ecs_application_certificate.ref }
+        end
+
+        resource :ecs_application_validation_record,
+                 type: "AWS::Route53::RecordSetGroup" do |r|
+          r.property(:hosted_zone_id) { :hosted_zone_id.ref }
+          r.property(:record_sets) do
+            [
+              {
+                "Name": :ecs_application_dns_record.ref(:name),
+                "Type": :ecs_application_dns_record.ref(:type),
+                "TTL": 60,
+                "Weight": 1,
+                "SetIdentifier": :ecs_application_certificate.ref,
+                "ResourceRecords": [
+                  :ecs_application_dns_record.ref(:value)
+                ]
+              }
+            ]
+          end
+        end
+
+        resource :cloudfront_distribution,
+                 depends_on: :ecs_application_issued_certificate,
+                 type: "AWS::CloudFront::Distribution" do |r|
+          r.property(:distribution_config) do
+            {
+              "Comment": ["Distribution config for", [name.tr("_", "-"), :hosted_zone_name.ref].fnjoin(".")].fnjoin(" "),
+              "Aliases": [
+                [name.tr("_", "-"), :hosted_zone_name.ref].fnjoin(".")
+              ],
+              "DefaultCacheBehavior": {
+                "AllowedMethods": %w(GET HEAD OPTIONS PUT PATCH POST DELETE),
+                "DefaultTTL": 0,
+                "TargetOriginId": "EcsApplication",
+                "ForwardedValues": {
+                  "QueryString": true,
+                  "Cookies": {
+                    "Forward": "all"
+                  },
+                  "Headers": ["*"]
+                },
+                "MaxTTL": 0,
+                "MinTTL": 0,
+                "ViewerProtocolPolicy": "redirect-to-https"
+              },
+              "Enabled": true,
+              "HttpVersion": "http2",
+              "IPV6Enabled": false,
+              "Origins": [
+                {
+                  "DomainName": ["origin", name.tr("_", "-"), :hosted_zone_name.ref].fnjoin("."),
+                  "Id": "EcsApplication",
+                  "CustomOriginConfig": {
+                    "OriginProtocolPolicy": "http-only",
+                    "HTTPPort": container_port.to_i,
+                    "OriginKeepaliveTimeout": 5,
+                    "OriginReadTimeout": 30
+                  }
+                }
+              ],
+              "PriceClass": "PriceClass_All",
+              "ViewerCertificate": {
+                "AcmCertificateArn": :ecs_application_certificate.ref,
+                "SslSupportMethod": "sni-only"
+              }
+            }
+          end
+          r.property(:tags) do
+            [
+              {
+                "Key": "Environment",
+                "Value": environment.to_s
+              }
+            ]
+          end
+        end
+
+        resource :application_cloudfront_dns_record,
+                 type: "AWS::Route53::RecordSetGroup" do |r|
+          r.property(:hosted_zone_id) { :hosted_zone_id.ref }
+          r.property(:record_sets) do
+            [
+              {
+                "Name": [name.tr("_", "-"), :hosted_zone_name.ref].fnjoin("."),
+                "Type": "A",
+                "AliasTarget": {
+                  "HostedZoneId": "Z2FDTNDATAQYW2",
+                  "DNSName": :cloudfront_distribution.ref(:domain_name)
+                }
+              }
+            ]
+          end
+        end
+      end
+    RUBY
+  end
+end

data/templates/lib/core/assume_role.rb

@@ -0,0 +1,40 @@
+require "aws-sdk-core"
+require "aws-sdk-s3"
+require "aws-sdk-iam"
+require "aws-sdk-organizations"
+
+def generate_session_name
+  "assume_role_" + (0...12).map { ("a".."z").to_a[rand(26)] }.join
+end
+
+def assume_role(aws_accounts, to_account, from_account = nil)
+  session_name = generate_session_name
+  if from_account
+    from_credentials = aws_accounts[from_account][:credentials]
+    credentials = Aws::AssumeRoleCredentials.new(
+      client: Aws::STS::Client.new(
+        access_key_id: from_credentials[:access_key_id],
+        region: "eu-central-1",
+        secret_access_key: from_credentials[:secret_access_key],
+        session_token: from_credentials[:session_token]
+      ),
+      role_arn: "arn:aws:iam::#{aws_accounts[to_account][:account_id]}:role/#{aws_accounts[to_account][:role_name]}",
+      role_session_name: session_name
+    )
+  else
+    credentials = Aws::AssumeRoleCredentials.new(
+      client: Aws::STS::Client.new(region: aws_accounts[to_account][:region]),
+      role_arn: "arn:aws:iam::#{aws_accounts[to_account][:account_id]}:role/#{aws_accounts[to_account][:role_name]}",
+      role_session_name: session_name
+    )
+  end
+  aws_accounts[to_account][:credentials] = {
+    access_key_id: credentials.credentials.access_key_id,
+    credentials: credentials,
+    region: aws_accounts[to_account][:region],
+    secret_access_key: credentials.credentials.secret_access_key,
+    session_name: session_name,
+    session_token: credentials.credentials.session_token
+  }
+  aws_accounts
+end

data/templates/lib/core/classes.rb

@@ -0,0 +1,25 @@
+# Add convenient method to reference secrets.
+# Would be nice for parameter store as well!
+class String
+  def secret(argument)
+    [
+      "{{resolve:secretsmanager:",
+      self.ref,
+      ":SecretString:",
+      argument,
+      "}}"
+    ].fnjoin
+  end
+end
+
+class Symbol
+  def secret(argument)
+    [
+      "{{resolve:secretsmanager:",
+      self.ref,
+      ":SecretString:",
+      argument,
+      "}}"
+    ].fnjoin
+  end
+end

data/templates/{core_compile.rb.erb → lib/core/compile.rb}

@@ -2,5 +2,6 @@ require "digest/md5"
 require "fileutils"
 
 require_relative "../aws_helper/main"
+require_relative "../core/git"
 
 compile_stacks

data/templates/lib/core/dependencies.rb

@@ -0,0 +1,22 @@
+require "aws-sdk-core"
+require "aws-sdk-cloudformation"
+require "dotenv"
+
+Dotenv.load(".env.private")
+Dotenv.load(".env")
+Dotenv.load(".env.#{ENV["ENVIRONMENT"]}")
+
+ENV["AWS_DEFAULT_REGION"] ||= "eu-west-1"
+ENV["AWS_REGION"] ||= ENV["AWS_DEFAULT_REGION"]
+
+client = Aws::CloudFormation::Client.new(region: ENV["AWS_REGION"])
+res = client.describe_stacks(
+  stack_name: "DependencyStack"
+)
+
+dep_file = File.open(".env.dependencies", "w")
+res[:stacks].each do |stack|
+  stack[:outputs].each do |output|
+    dep_file.puts "#{output[:output_key].upcase}=#{output[:output_value]}"
+  end
+end

data/templates/{core_deploy.rb.erb → lib/core/deploy.rb}

@@ -6,6 +6,10 @@ require "aws-sdk"
 
 require_relative "../aws_helper/main"
 
+Dotenv.load(".env.private")
+Dotenv.load(".env.dependencies")
+raise "CLOUDFORMATIONBUCKET not found in DependencyStack outputs" unless ENV["CLOUDFORMATIONBUCKET"]
+
 env_vars = load_env_vars
 
 set_aws_credentials(
@@ -15,12 +19,22 @@ set_aws_credentials(
 )
 
 s3_filename = get_parent_stack_s3_location(
-  env_vars[:artifact_bucket],
+  ENV["CLOUDFORMATIONBUCKET"],
   env_vars[:environment]
 )
 
 client = Aws::CloudFormation::Client.new
 
+parent_parameters = []
+File.open(".env.dependencies").read.each_line do |line|
+  line.strip!
+  param, value = line.split("=")
+  parent_parameters.push(
+    parameter_key: param,
+    parameter_value: value
+  )
+end
+
 # Store previous CloudFormation events in an array, so that we don't output
 # events from previous deploys.
 
@@ -47,15 +61,13 @@ if stack_exists
     stack_name: env_vars[:stack_name],
     template_url: s3_filename,
     capabilities: %w(CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND),
-    # stack_policy_body: "StackPolicyBody",
-    # stack_policy_url: "StackPolicyURL",
+    parameters: parent_parameters,
     tags: [
       {
         key: "team",
-        value: "<%= name.downcase %>"
+        value: "infra"
       }
-    ],
-    # client_request_token: "ClientRequestToken",
+    ]
   )
 else
   client.create_stack(
@@ -64,15 +76,13 @@ else
     timeout_in_minutes: 60,
     capabilities: %w(CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND),
     on_failure: "ROLLBACK",
-    # stack_policy_body: "StackPolicyBody",
-    # stack_policy_url: "StackPolicyURL",
+    parameters: parent_parameters,
     tags: [
       {
         key: "team",
-        value: "<%= name.downcase %>"
+        value: "infra"
       }
     ],
-    # client_request_token: "ClientRequestToken",
     enable_termination_protection: false
   )
 end

data/templates/lib/core/git.rb

@@ -0,0 +1,15 @@
+require "git-revision"
+
+module Git
+  class Revision
+    class << self
+      def dirty?
+        !`git diff --numstat | wc -l`.strip.to_i.zero?
+      end
+    end
+  end
+end
+
+def git_revision
+  "#{Git::Revision.commit}#{Git::Revision.dirty? ? "-dirty" : ""}"
+end