rubycfn 0.4.10 → 0.5.4

data/templates/lib/core/assume_role.rb

@@ -0,0 +1,40 @@
+require "aws-sdk-core"
+require "aws-sdk-s3"
+require "aws-sdk-iam"
+require "aws-sdk-organizations"
+
+def generate_session_name
+  "assume_role_" + (0...12).map { ("a".."z").to_a[rand(26)] }.join
+end
+
+def assume_role(aws_accounts, to_account, from_account = nil)
+  session_name = generate_session_name
+  if from_account
+    from_credentials = aws_accounts[from_account][:credentials]
+    credentials = Aws::AssumeRoleCredentials.new(
+      client: Aws::STS::Client.new(
+        access_key_id: from_credentials[:access_key_id],
+        region: "eu-central-1",
+        secret_access_key: from_credentials[:secret_access_key],
+        session_token: from_credentials[:session_token]
+      ),
+      role_arn: "arn:aws:iam::#{aws_accounts[to_account][:account_id]}:role/#{aws_accounts[to_account][:role_name]}",
+      role_session_name: session_name
+    )
+  else
+    credentials = Aws::AssumeRoleCredentials.new(
+      client: Aws::STS::Client.new(region: aws_accounts[to_account][:region]),
+      role_arn: "arn:aws:iam::#{aws_accounts[to_account][:account_id]}:role/#{aws_accounts[to_account][:role_name]}",
+      role_session_name: session_name
+    )
+  end
+  aws_accounts[to_account][:credentials] = {
+    access_key_id: credentials.credentials.access_key_id,
+    credentials: credentials,
+    region: aws_accounts[to_account][:region],
+    secret_access_key: credentials.credentials.secret_access_key,
+    session_name: session_name,
+    session_token: credentials.credentials.session_token
+  }
+  aws_accounts
+end

data/templates/lib/core/classes.rb

@@ -0,0 +1,25 @@
+# Add convenient method to reference secrets.
+# Would be nice for parameter store as well!
+class String
+  def secret(argument)
+    [
+      "{{resolve:secretsmanager:",
+      self.ref,
+      ":SecretString:",
+      argument,
+      "}}"
+    ].fnjoin
+  end
+end
+
+class Symbol
+  def secret(argument)
+    [
+      "{{resolve:secretsmanager:",
+      self.ref,
+      ":SecretString:",
+      argument,
+      "}}"
+    ].fnjoin
+  end
+end

data/templates/{core_compile.rb.erb → lib/core/compile.rb}

@@ -2,5 +2,6 @@ require "digest/md5"
 require "fileutils"
 
 require_relative "../aws_helper/main"
+require_relative "../core/git"
 
 compile_stacks

data/templates/lib/core/dependencies.rb

@@ -0,0 +1,29 @@
+require "aws-sdk-core"
+require "aws-sdk-cloudformation"
+require "dotenv"
+
+Dotenv.load(".env.private")
+Dotenv.load(".env")
+Dotenv.load(".env.#{ENV["ENVIRONMENT"]}")
+
+ENV["AWS_DEFAULT_REGION"] ||= "eu-west-1"
+ENV["AWS_REGION"] ||= ENV["AWS_DEFAULT_REGION"]
+
+client = Aws::CloudFormation::Client.new(region: ENV["AWS_REGION"])
+
+begin
+  res = client.describe_stacks(
+    stack_name: "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack"
+  )
+rescue Aws::CloudFormation::Errors::InvalidClientTokenId, Aws::CloudFormation::Errors::ValidationError => e
+  puts "E: #{e.class}"
+  raise "ERROR: Your AWS credentials are not set or invalid." if e.class == Aws::CloudFormation::Errors::InvalidClientTokenId
+  raise "ERROR: <%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack does not exist. Run `rake init` first!" if e.class == Aws::CloudFormation::Errors::ValidationError
+end
+
+dep_file = File.open(".env.dependencies.#{ENV["ENVIRONMENT"]}", "w")
+res[:stacks].each do |stack|
+  stack[:outputs].each do |output|
+    dep_file.puts "#{output[:output_key].upcase}=#{output[:output_value]}"
+  end
+end

data/templates/{core_deploy.rb.erb → lib/core/deploy.rb}

@@ -6,6 +6,10 @@ require "aws-sdk"
 
 require_relative "../aws_helper/main"
 
+Dotenv.load(".env.private")
+Dotenv.load(".env.dependencies.#{ENV["ENVIRONMENT"]}")
+raise "CLOUDFORMATIONBUCKET not set. Run `rake init` and `rake update` first!" unless ENV["CLOUDFORMATIONBUCKET"]
+
 env_vars = load_env_vars
 
 set_aws_credentials(
@@ -15,12 +19,22 @@ set_aws_credentials(
 )
 
 s3_filename = get_parent_stack_s3_location(
-  env_vars[:artifact_bucket],
+  ENV["CLOUDFORMATIONBUCKET"],
   env_vars[:environment]
 )
 
 client = Aws::CloudFormation::Client.new
 
+parent_parameters = []
+File.open(".env.dependencies.#{ENV["ENVIRONMENT"]}").read.each_line do |line|
+  line.strip!
+  param, value = line.split("=")
+  parent_parameters.push(
+    parameter_key: param,
+    parameter_value: value
+  )
+end
+
 # Store previous CloudFormation events in an array, so that we don't output
 # events from previous deploys.
 
@@ -47,15 +61,13 @@ if stack_exists
     stack_name: env_vars[:stack_name],
     template_url: s3_filename,
     capabilities: %w(CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND),
-    # stack_policy_body: "StackPolicyBody",
-    # stack_policy_url: "StackPolicyURL",
+    parameters: parent_parameters,
     tags: [
       {
         key: "team",
-        value: "<%= name.downcase %>"
+        value: "infra"
       }
-    ],
-    # client_request_token: "ClientRequestToken",
+    ]
   )
 else
   client.create_stack(
@@ -64,15 +76,13 @@ else
     timeout_in_minutes: 60,
     capabilities: %w(CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND),
     on_failure: "ROLLBACK",
-    # stack_policy_body: "StackPolicyBody",
-    # stack_policy_url: "StackPolicyURL",
+    parameters: parent_parameters,
     tags: [
       {
         key: "team",
-        value: "<%= name.downcase %>"
+        value: "infra"
       }
     ],
-    # client_request_token: "ClientRequestToken",
     enable_termination_protection: false
   )
 end

data/templates/lib/core/git.rb

@@ -0,0 +1,15 @@
+require "git-revision"
+
+module Git
+  class Revision
+    class << self
+      def dirty?
+        !`git diff --numstat | wc -l`.strip.to_i.zero?
+      end
+    end
+  end
+end
+
+def git_revision
+  "#{Git::Revision.commit}#{Git::Revision.dirty? ? "-dirty" : ""}"
+end

data/templates/lib/core/init.rb

@@ -0,0 +1,221 @@
+require "aws-sdk"
+require "dotenv"
+require "git-revision"
+require "rubycfn"
+require "yaml"
+
+require_relative "../aws_helper/main"
+
+Dotenv.load(".env.private")
+Dotenv.load(".env")
+Dotenv.load(".env.#{ENV["ENVIRONMENT"]}")
+
+set_aws_credentials(
+  ENV["AWS_REGION"],
+  ENV["AWS_ACCESS_KEY_ID"],
+  ENV["AWS_SECRET_ACCESS_KEY"]
+)
+
+def inject_dummy_resource(stack)
+  hack_stack = JSON.parse(stack)
+  hack_stack["Resources"] = {} if hack_stack["Resources"].nil?
+  hack_stack["Resources"]["CloudFormationDummyResource"] = {
+    "Type": "AWS::CloudFormation::WaitConditionHandle",
+    "Metadata": {
+      "Comment": "Resource to update stack even if there are no changes",
+      "GitCommitHash": Git::Revision.commit
+    }
+  }
+  hack_stack.to_json
+end
+
+def read_domain_name
+  config = YAML.safe_load(File.read("config.yaml"), [Symbol])
+  config["applications"] ||= {}
+  config["environments"] ||= {}
+  config["subnets"] ||= {}
+
+  # Allow override by setting ENV var
+  domain_name = ENV["DOMAIN_NAME"]
+  subdomain = ENV["SUBDOMAIN"] # rubocop:disable Lint/UselessAssignment
+
+  # First, look at environment specific domain name configuration
+  domain_name ||= config["environments"][ENV["ENVIRONMENT"]]["domain_name"].nil? && nil || config["environments"][ENV["ENVIRONMENT"]]["domain_name"]
+
+  # Assign the global domain name configuration unless domain_name was set to false in environment config.yaml
+  domain_name ||= config["domain_name"] unless domain_name.class == FalseClass
+
+  # Set domain name to an empty string if domain_name was set to false
+  domain_name = "" if domain_name.class == FalseClass
+
+  # If the no_subdomain setting for environments in config.yaml is omitted or set to false, set subdomain to environment, else assign empty string
+  subdomain = (config["environments"][ENV["ENVIRONMENT"]]["no_subdomain"].nil? || config["environments"][ENV["ENVIRONMENT"]]["no_subdomain"] == false) && ENV["ENVIRONMENT"] || ""
+
+  # Return an array with t he subdomain and domain_name
+  [subdomain, domain_name]
+end
+
+subdomain, domain_name = read_domain_name
+
+raise "ENVIRONMENT not set" unless ENV["ENVIRONMENT"]
+warn "WARNING: domain_name not set in config.yaml... Route53 Hosted Zone will not be created" if domain_name.empty?
+
+module Project<%= project_name %>DependencyStack
+  extend ActiveSupport::Concern
+  include Rubycfn
+
+  included do
+    description "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}Dependency Stack"
+
+    parameter :environment,
+              description: "Environment name",
+              type: "String"
+
+    parameter :domain_name,
+              description: "Domain name",
+              type: "String"
+
+    condition :has_environment,
+              [["", :environment.ref].fnequals].fnnot
+
+    condition :has_domain_name,
+              [["", :domain_name.ref].fnequals].fnnot
+
+    %i(
+      artifact_bucket
+      cloudformation_bucket
+      lambda_bucket
+      logging_bucket
+    ).each do |bucket|
+      resource bucket,
+               deletion_policy: "Retain",
+               update_replace_policy: "Retain",
+               type: "AWS::S3::Bucket"
+
+      output bucket,
+             value: bucket.ref
+    end
+
+    resource :hosted_zone,
+             condition: "HasDomainName",
+             type: "AWS::Route53::HostedZone" do |r|
+      r.property(:hosted_zone_config) do
+        {
+          "Comment": ["Hosted zone for ", ["HasEnvironment", [:environment.ref, "."].fnjoin, ""].fnif, :domain_name.ref].fnjoin
+        }
+      end
+      r.property(:name) { [["HasEnvironment", [:environment.ref, "."].fnjoin, ""].fnif, :domain_name.ref].fnjoin }
+    end
+
+    output :hosted_zone_id,
+           condition: "HasDomainName",
+           value: :hosted_zone.ref
+
+    output :hosted_zone_name,
+           condition: "HasDomainName",
+           value: [["HasEnvironment", [:environment.ref, "."].fnjoin, ""].fnif, :domain_name.ref].fnjoin
+  end
+end
+
+stack = include Project<%= project_name %>DependencyStack # rubocop:disable Style/MixinUsage
+template = stack.render_template
+
+client = Aws::CloudFormation::Client.new
+
+stack_exists = false
+previous_statuses = []
+80.times do
+  previous_events = get_prior_events(client, "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack")
+  previous_statuses = previous_events.map(&:event_id)
+  stack_exists = previous_events.size.to_i.positive? ? true : false
+  break unless stack_exists
+
+  events_last_deploy = get_events_last_deploy(previous_events)
+  last_event = events_last_deploy.shift
+  break if last_event \
+    && (last_event.logical_resource_id == "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack") \
+    && (last_event.stack_name == "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack") \
+    && (DEPLOYABLE_STATES.include? last_event.resource_status)
+  puts "Stack is currently in #{last_event.resource_status} mode. Waiting for it to finish..." if last_event
+  sleep 15
+end
+
+template = inject_dummy_resource(template)
+
+parameters = [
+  {
+    parameter_key: "Environment",
+    parameter_value: subdomain
+  },
+  {
+    parameter_key: "DomainName",
+    parameter_value: domain_name
+  }
+]
+
+if stack_exists
+  client.update_stack(
+    stack_name: "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack",
+    template_body: template,
+    capabilities: %w(CAPABILITY_IAM CAPABILITY_NAMED_IAM),
+    parameters: parameters,
+    tags: [
+      {
+        key: "team",
+        value: "infra"
+      }
+    ]
+  )
+else
+  client.create_stack(
+    stack_name: "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack",
+    template_body: template,
+    timeout_in_minutes: 60,
+    capabilities: %w(CAPABILITY_IAM CAPABILITY_NAMED_IAM),
+    on_failure: "ROLLBACK",
+    parameters: parameters,
+    tags: [
+      {
+        key: "team",
+        value: "infra"
+      }
+    ],
+    enable_termination_protection: false
+  )
+end
+
+shown_log_lines = {}
+
+360.times do
+  resp = client.describe_stack_events(
+    stack_name: "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack"
+  )
+  resp.stack_events.to_a.reverse.each_with_index do |event, index|
+    next if previous_statuses.include? event.event_id
+    @completed = false
+    @stack_name = event.stack_name
+    @logical_resource_id = event.logical_resource_id
+    @resource_type = event.resource_type
+    @timestamp = event.timestamp
+    @resource_status = event.resource_status
+    @resource_status_reason = event.resource_status_reason
+    log_line = "[#{@logical_resource_id.green}] #{@timestamp.to_s.blue}: " \
+               "#{@resource_status.white} #{@resource_status_reason.to_s.red}"
+    puts log_line unless shown_log_lines[log_line]
+    shown_log_lines[log_line] = true
+    if (@stack_name == "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack") \
+      && (@logical_resource_id == "<%= project_name %>#{ENV["ENVIRONMENT"].capitalize}DependencyStack") \
+      && (END_STATES.include? @resource_status) \
+      && (index + 1 == resp.stack_events.to_a.size)
+      @completed = true
+    end
+  end
+  if @completed
+    puts "==================================="
+    puts " STATUS: #{@resource_status} #{@resource_status_reason}"
+    puts "==================================="
+    raise "#{@resource_status} #{@resource_status_reason}" if FAILURE_STATES.include? @resource_status
+    break
+  end
+  sleep(10)
+end

data/templates/{main.rb.erb → lib/main.rb}

@@ -1,8 +1,10 @@
 require "rubycfn"
 require "dotenv"
+require_relative "core/classes"
 
-Dotenv.load(".env")
 Dotenv.load(".env.private")
+Dotenv.load(".env.dependencies.#{ENV["ENVIRONMENT"]}")
+Dotenv.load(".env")
 Dotenv.load(".env.#{ENV["ENVIRONMENT"]}")
 
 # Include all group concerns
@@ -21,10 +23,10 @@ module SharedConcerns
 end
 
 # Include all stack concerns
-Dir[File.expand_path("../stacks/", __FILE__) + "/**/*.rb"].sort.each do |file|
-  subdir = File.basename(file, ".rb")
-  Dir[File.expand_path("../stacks/", __dir__) + "/#{subdir}/**/*.rb"].sort.each do |subfile|
-    require subfile
+# Load module code first, and last include main.rb's.
+2.times do |i|
+  Dir[File.expand_path("../stacks/", __FILE__) + "/**/*.rb"].sort.each do |file|
+    require file unless File.basename(file) == "main.rb" || i.positive?
+    require file if File.basename(file) == "main.rb" && i.positive?
   end
-  require file
 end

data/templates/lib/shared_concerns/global_variables.rb

@@ -0,0 +1,56 @@
+require "yaml"
+
+module Concerns
+  module GlobalVariables
+    extend ActiveSupport::Concern
+
+    included do
+      def load_config(_val)
+        config = YAML.safe_load(File.read("config.yaml"), [Symbol])
+        config["applications"] ||= {}
+        config["environments"] ||= {}
+        config["subnets"] ||= {}
+        config
+      end
+
+      def global_tags(_val)
+        [
+          {
+            "Key": "Team",
+            "Value": "infra"
+          },
+          {
+            "Key": "Environment",
+            "Value": environment.to_s
+          },
+          {
+            "Key": "StackName",
+            "Value": stack_name.to_s
+          }
+        ]
+      end
+
+      variable :environment,
+               default: "development",
+               global: true,
+               value: ENV["ENVIRONMENT"]
+
+      variable :region,
+               global: true,
+               default: ENV["DEFAULT_AWS_REGION"],
+               value: ENV["AWS_REGION"]
+
+      variable :infra_config,
+               global: true,
+               filter: :load_config
+
+      variable :stack_name,
+               global: true,
+               default: infra_config["environments"][environment]["stack_name"]
+
+      variable :default_tags,
+               global: true,
+               filter: :global_tags
+    end
+  end
+end