rubycfn 0.4.10 → 0.5.4

data/templates/lib/stacks/ecs_stack/lifecycle_hook.rb

@@ -0,0 +1,190 @@
+module EcsStack
+  module LifecycleHook
+    extend ActiveSupport::Concern
+    ## Drains instances on termination
+    included do
+      unless infra_config["environments"][environment]["cluster_size"].nil? || infra_config["environments"][environment]["cluster_size"].to_i.zero?
+        resource :ecs_lifecycle_notification_topic,
+                 depends_on: :lifecycle_handler_function,
+                 type: "AWS::SNS::Topic" do |r|
+          r.property(:subscription) do
+            [
+              {
+                "Endpoint": :lifecycle_handler_function.ref(:arn),
+                "Protocol": "lambda"
+              }
+            ]
+          end
+        end
+
+        resource :instance_terminating_hook,
+                 depends_on: :ecs_lifecycle_notification_topic,
+                 type: "AWS::AutoScaling::LifecycleHook" do |r|
+          r.property(:auto_scaling_group_name) { :ecs_auto_scaling_group.ref }
+          r.property(:default_result) { "ABANDON" }
+          r.property(:heartbeat_timeout) { 900 }
+          r.property(:lifecycle_transition) { "autoscaling:EC2_INSTANCE_TERMINATING" }
+          r.property(:notification_target_arn) { :ecs_lifecycle_notification_topic.ref }
+          r.property(:role_arn) { :autoscaling_notification_role.ref(:arn) }
+        end
+
+        resource :autoscaling_notification_role,
+                 type: "AWS::IAM::Role" do |r|
+          r.property(:assume_role_policy_document) do
+            {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Principal": {
+                    "Service": [
+                      "autoscaling.amazonaws.com"
+                    ]
+                  },
+                  "Action": [
+                    "sts:AssumeRole"
+                  ]
+                }
+              ]
+            }
+          end
+          r.property(:managed_policy_arns) { ["arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole"] }
+        end
+
+        resource :lambda_execution_role,
+                 type: "AWS::IAM::Role" do |r|
+          r.property(:policies) do
+            [
+              {
+                "PolicyName": "lambda-inline",
+                "PolicyDocument": {
+                  "Version": "2012-10-17",
+                  "Statement": [
+                    {
+                      "Effect": "Allow",
+                      "Action": [
+                        "autoscaling:CompleteLifecycleAction",
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutLogEvents",
+                        "ec2:DescribeInstances",
+                        "ec2:DescribeInstanceAttribute",
+                        "ec2:DescribeInstanceStatus",
+                        "ec2:DescribeHosts",
+                        "ecs:ListContainerInstances",
+                        "ecs:SubmitContainerStateChange",
+                        "ecs:SubmitTaskStateChange",
+                        "ecs:DescribeContainerInstances",
+                        "ecs:UpdateContainerInstancesState",
+                        "ecs:ListTasks",
+                        "ecs:DescribeTasks",
+                        "sns:Publish",
+                        "sns:ListSubscriptions"
+                      ],
+                      "Resource": "*"
+                    }
+                  ]
+                }
+              }
+            ]
+          end
+          r.property(:assume_role_policy_document) do
+            {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Principal": {
+                    "Service": [
+                      "lambda.amazonaws.com"
+                    ]
+                  },
+                  "Action": [
+                    "sts:AssumeRole"
+                  ]
+                }
+              ]
+            }
+          end
+          r.property(:managed_policy_arns) do
+            [
+              "arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole"
+            ]
+          end
+        end
+
+        resource :lambda_invoke_permission,
+                 type: "AWS::Lambda::Permission" do |r|
+          r.property(:function_name) { :lifecycle_handler_function.ref }
+          r.property(:action) { "lambda:InvokeFunction" }
+          r.property(:principal) { "sns.amazonaws.com" }
+          r.property(:source_arn) { :ecs_lifecycle_notification_topic.ref }
+        end
+
+        resource :lifecycle_handler_function,
+                 type: "AWS::Lambda::Function" do |r|
+          r.property(:environment) do
+            {
+              "Variables": {
+                "CLUSTER": :ecs_cluster.ref
+              }
+            }
+          end
+          r.property(:code) do
+            {
+              "ZipFile": {
+                "Fn::Join": [
+                  "\n",
+                  [
+                    "import boto3,json,os,time",
+                    "ec2Client = boto3.client('ec2')",
+                    "ecsClient = boto3.client('ecs')",
+                    "autoscalingClient = boto3.client('autoscaling')",
+                    "snsClient = boto3.client('sns')",
+                    "lambdaClient = boto3.client('lambda')",
+                    "def publishSNSMessage(snsMessage,snsTopicArn):",
+                    "    response = snsClient.publish(TopicArn=snsTopicArn,Message=json.dumps(snsMessage),Subject='reinvoking')",
+                    "def setContainerInstanceStatusToDraining(ecsClusterName,containerInstanceArn):",
+                    "    response = ecsClient.update_container_instances_state(cluster=ecsClusterName,containerInstances=[containerInstanceArn],status='DRAINING')",
+                    "def tasksRunning(ecsClusterName,ec2InstanceId):",
+                    "    ecsContainerInstances = ecsClient.describe_container_instances(cluster=ecsClusterName,containerInstances=ecsClient.list_container_instances(cluster=ecsClusterName)['containerInstanceArns'])['containerInstances']",
+                    "    for i in ecsContainerInstances:",
+                    "        if i['ec2InstanceId'] == ec2InstanceId:",
+                    "            if i['status'] == 'ACTIVE':",
+                    "                setContainerInstanceStatusToDraining(ecsClusterName,i['containerInstanceArn'])",
+                    "                return 1",
+                    "            if (i['runningTasksCount']>0) or (i['pendingTasksCount']>0):",
+                    "                return 1",
+                    "            return 0",
+                    "    return 2",
+                    "def lambda_handler(event, context):",
+                    "    ecsClusterName=os.environ['CLUSTER']",
+                    "    snsTopicArn=event['Records'][0]['Sns']['TopicArn']",
+                    "    snsMessage=json.loads(event['Records'][0]['Sns']['Message'])",
+                    "    lifecycleHookName=snsMessage['LifecycleHookName']",
+                    "    lifecycleActionToken=snsMessage['LifecycleActionToken']",
+                    "    asgName=snsMessage['AutoScalingGroupName']",
+                    "    ec2InstanceId=snsMessage['EC2InstanceId']",
+                    "    checkTasks=tasksRunning(ecsClusterName,ec2InstanceId)",
+                    "    if checkTasks==0:",
+                    "        try:",
+                    "            response = autoscalingClient.complete_lifecycle_action(LifecycleHookName=lifecycleHookName,AutoScalingGroupName=asgName,LifecycleActionToken=lifecycleActionToken,LifecycleActionResult='CONTINUE')",
+                    "        except BaseException as e:",
+                    "            print(str(e))",
+                    "    elif checkTasks==1:",
+                    "        time.sleep(5)",
+                    "        publishSNSMessage(snsMessage,snsTopicArn)"
+                  ]
+                ]
+              }
+            }
+          end
+          r.property(:handler) { "index.lambda_handler" }
+          r.property(:role) { :lambda_execution_role.ref(:arn) }
+          r.property(:runtime) { "python3.6" }
+          r.property(:timeout) { 10 }
+        end
+      end
+    end
+  end
+end

data/templates/lib/stacks/ecs_stack/load_balancer.rb

@@ -0,0 +1,70 @@
+module EcsStack
+  module LoadBalancer
+    extend ActiveSupport::Concern
+    included do
+      parameter :public_subnets,
+                description: "List of Public EC2 Subnets for the ALB"
+
+      unless infra_config["environments"][environment]["cluster_size"].nil? || infra_config["environments"][environment]["cluster_size"].to_i.zero?
+        resource :ecs_load_balancer,
+                 type: "AWS::ElasticLoadBalancingV2::LoadBalancer" do |r|
+          r.property(:name) { environment }
+          r.property(:subnets) { :public_subnets.ref.fnsplit(",") }
+          r.property(:security_groups) do
+            [
+              :ecs_host_security_group.ref,
+              :load_balancer_security_group.ref # Not sure if necessary
+            ]
+          end
+          r.property(:tags) do
+            [
+              {
+                "Key": "Name",
+                "Value": "#{environment}_ecs_loadbalancer"
+              }
+            ]
+          end
+        end
+
+        resource :load_balancer_listener,
+                 type: "AWS::ElasticLoadBalancingV2::Listener" do |r|
+          r.property(:load_balancer_arn) { :ecs_load_balancer.ref }
+          r.property(:port) { 80 }
+          r.property(:protocol) { "HTTP" }
+          r.property(:default_actions) do
+            [
+              {
+                "Type": "forward",
+                "TargetGroupArn": :default_target_group.ref
+              }
+            ]
+          end
+        end
+
+        resource :default_target_group,
+                 type: "AWS::ElasticLoadBalancingV2::TargetGroup" do |r|
+          r.property(:name) { "#{environment}-default" }
+          r.property(:vpc_id) { :vpc.ref }
+          r.property(:port) { 80 }
+          r.property(:protocol) { "HTTP" }
+        end
+
+        output :ecs_load_balancer,
+               description: "ECS Application Load Balancer",
+               value: :ecs_load_balancer.ref
+
+        output :ecs_load_balancer_url,
+               description: "URL of the ECS ALB",
+               value: :ecs_load_balancer.ref("DNSName")
+
+        output :ecs_load_balancer_listener,
+               description: "ECS Port 80 listener",
+               value: :load_balancer_listener.ref
+
+        output :ecs_load_balancer_hosted_zone_id,
+               description: "Canonical Hosted Zone ID of the ALB",
+               value: :ecs_load_balancer.ref("CanonicalHostedZoneID")
+      end
+    end
+  end
+end

data/templates/{ecs_stack.rb.erb → lib/stacks/ecs_stack/main.rb}

@@ -6,6 +6,9 @@ module EcsStack
     include Concerns::GlobalVariables
     include Concerns::SharedMethods
     include EcsStack::EcsCluster
+    include EcsStack::LifecycleHook
+    include EcsStack::LoadBalancer
+    include EcsStack::Rollback
 
     description generate_stack_description("EcsStack")
   end

data/templates/lib/stacks/ecs_stack/rollback.rb

@@ -0,0 +1,77 @@
+module EcsStack
+  module Rollback
+    extend ActiveSupport::Concern
+    included do
+      resource :application_deployment_failure_rollback_lambda,
+               type: "AWS::Lambda::Function" do |r|
+        r.property(:code) do
+          {
+            "S3Bucket": "xebia-${AWS::Region}".fnsub,
+            "S3Key": "ecs-rollback-0.0.6.zip"
+          }
+        end
+        r.property(:handler) { "index.lambda_handler" }
+        r.property(:role) { :application_deployment_failure_rollback_lambda_role.ref(:arn) }
+        r.property(:runtime) { "ruby2.5" }
+        r.property(:timeout) { 500 }
+      end
+
+      resource :application_deployment_failure_rollback_lambda_role,
+               type: "AWS::IAM::Role" do |r|
+        r.property(:assume_role_policy_document) do
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Principal": {
+                  "Service": [
+                    "lambda.amazonaws.com"
+                  ]
+                },
+                "Action": "sts:AssumeRole"
+              }
+            ]
+          }
+        end
+        r.property(:role_name) { "#{environment}-EcsApplicationFailureDetectionRole" }
+      end
+
+      resource :application_deployment_failure_rollback_lambda_policy,
+               type: "AWS::IAM::Policy" do |r|
+        r.property(:policy_document) do
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Action": %w(logs:CreateLogGroup logs:CreateLogStream logs:PutLogEvents),
+                "Resource": [
+                  "arn:aws:logs:*:*:*"
+                ]
+              },
+              {
+                "Effect": "Allow",
+                "Action": [
+                  "ecs:*"
+                ],
+                "Resource": [
+                  "*"
+                ]
+              }
+            ]
+          }
+        end
+        r.property(:policy_name) { "#{environment}-EcsApplicationFailureDetectionPolicy" }
+        r.property(:roles) do
+          [
+            :application_deployment_failure_rollback_lambda_role.ref
+          ]
+        end
+      end
+
+      output :application_deployment_failure_rollback_function_arn,
+             value: :application_deployment_failure_rollback_lambda.ref(:arn)
+    end
+  end
+end

data/templates/{project_stack.rb.erb → lib/stacks/parent_stack/main.rb}

@@ -1,11 +1,11 @@
-module <%= name %>Stack
+module InfraStack
   extend ActiveSupport::Concern
   include Rubycfn
 
   included do
     include Concerns::GlobalVariables
     include Concerns::SharedMethods
-    include <%= name %>Stack::Parent
+    include InfraStack::Parent
 
     description generate_stack_description("ParentStack")
   end

data/templates/lib/stacks/parent_stack/parent.rb

@@ -0,0 +1,18 @@
+require_relative "../../core/applications"
+
+module InfraStack
+  module Parent
+    extend ActiveSupport::Concern
+    included do
+      generate_bootstrap_parameters
+
+      resource :vpc_stack,
+               type: "AWS::CloudFormation::Stack" do |r|
+        r.property(:template_url) { "vpcstack" }
+        r.property(:tags) { default_tags }
+      end
+
+      create_applications
+    end
+  end
+end

data/templates/lib/stacks/vpc_stack/infra_vpc.rb

@@ -0,0 +1,193 @@
+module VpcStack
+  module InfraVpc
+    extend ActiveSupport::Concern
+    included do
+      vpc_subnets = infra_config["subnets"]
+
+      variable :cidr_block,
+               default: "10.0.0.0/16",
+               value: infra_config["environments"][environment]["vpc_cidr"]
+
+      resource :infra_vpc,
+               type: "AWS::EC2::VPC" do |r|
+        r.property(:cidr_block) { cidr_block }
+        r.property(:enable_dns_support) { true }
+        r.property(:enable_dns_hostnames) { true }
+        r.property(:tags) do
+          [
+            {
+              "Key": "Name",
+              "Value": "infra_#{environment}_vpc"
+            },
+            {
+              "Key": "Environment",
+              "Value": environment.to_s
+            }
+          ]
+        end
+      end
+
+      resource :infra_internet_gateway,
+               type: "AWS::EC2::InternetGateway"
+
+      resource :infra_route,
+               type: "AWS::EC2::Route" do |r|
+        r.property(:destination_cidr_block) { "0.0.0.0/0" }
+        r.property(:gateway_id) { :infra_internet_gateway.ref }
+        r.property(:route_table_id) { :infra_route_table.ref }
+      end
+
+      resource :infra_route_table,
+               type: "AWS::EC2::RouteTable" do |r|
+        r.property(:vpc_id) { :infra_vpc.ref }
+        r.property(:tags) do
+          [
+            {
+              "Key": "Name",
+              "Value": "Infra #{environment} Public Route Table"
+            },
+            {
+              "Key": "Environment",
+              "Value": environment.to_s
+            }
+          ]
+        end
+      end
+
+      resource :infra_private_route_table,
+               amount: 3,
+               type: "AWS::EC2::RouteTable" do |r, index|
+        r.property(:vpc_id) { :infra_vpc.ref }
+        r.property(:tags) do
+          [
+            {
+              "Key": "Name",
+              "Value": "Infra #{environment} Private Route Table #{index.zero? && "" || index + 1}"
+            },
+            {
+              "Key": "Environment",
+              "Value": environment.to_s
+            }
+          ]
+        end
+      end
+
+      resource :infra_vpc_gateway_attachment,
+               type: "AWS::EC2::VPCGatewayAttachment" do |r|
+        r.property(:internet_gateway_id) { :infra_internet_gateway.ref }
+        r.property(:vpc_id) { :infra_vpc.ref }
+      end
+
+      vpc_subnets.each_with_index do |subnet, _subnet_count|
+        subnet.each do |subnet_name, arguments|
+          resource "infra_#{subnet_name}_subnet".cfnize,
+                   type: "AWS::EC2::Subnet",
+                   amount: 3 do |r, index|
+            subnet_cidr = [
+              :infra_vpc.ref(:cidr_block),
+              (3 * arguments["offset"]).to_s,
+              (Math.log(256) / Math.log(2)).floor.to_s
+            ].fncidr.fnselect(index + (3 * arguments["offset"]) - 3)
+
+            r.property(:availability_zone) do
+              {
+                "Fn::GetAZs": ""
+              }.fnselect(index)
+            end
+            r.property(:cidr_block) { subnet_cidr }
+            r.property(:map_public_ip_on_launch) { arguments["public"] }
+            r.property(:tags) do
+              [
+                {
+                  "Key": "Name",
+                  "Value": "#{environment}_#{subnet_name}_#{index + 1}".cfnize
+                },
+                {
+                  "Key": "Team",
+                  "Value": arguments["owner"]
+                },
+                {
+                  "Key": "resource_type",
+                  "Value": subnet_name.to_s.cfnize
+                }
+              ]
+            end
+            r.property(:vpc_id) { :infra_vpc.ref }
+
+            if arguments["output_cidr"]
+              cidr_output_name = "#{subnet_name}_subnet#{index.positive? ? (index + 1) : ""}_cidr".cfnize
+
+              output cidr_output_name,
+                     value: subnet_cidr
+            end
+          end
+
+          if arguments["public"]
+            resource "infra_#{subnet_name}_subnet_route_table_association".cfnize,
+                     amount: 3,
+                     type: "AWS::EC2::SubnetRouteTableAssociation" do |r, index|
+              r.property(:route_table_id) { :infra_route_table.ref }
+              r.property(:subnet_id) { "infra_#{subnet_name}_subnet#{index.zero? && "" || index + 1}".cfnize.ref }
+            end
+          else
+            resource "infra_#{subnet_name}_subnet_route_table_association".cfnize,
+                     amount: 3,
+                     type: "AWS::EC2::SubnetRouteTableAssociation" do |r, index|
+              r.property(:route_table_id) { "infra_private_route_table#{index.zero? && "" || index + 1}".cfnize.ref }
+              r.property(:subnet_id) { "infra_#{subnet_name}_subnet#{index.zero? && "" || index + 1}".cfnize.ref }
+            end
+          end
+
+          # Generate outputs for these subnets
+          3.times do |i|
+            output_name = "#{subnet_name}_subnet#{i.positive? ? (i + 1) : ""}_name".cfnize
+
+            output output_name,
+                   value: "infra_#{subnet_name}_subnet#{i.positive? ? (i + 1) : ""}".cfnize.ref
+          end
+
+          # Deploy NAT Gateway in subnet marked with "deploy_nat": true
+          if arguments["deploy_nat"]
+            resource "infra_#{subnet_name}_elastic_ip".cfnize,
+                     amount: 3,
+                     type: "AWS::EC2::EIP" do |r, _|
+              r.property(:domain) { "vpc" }
+            end
+
+            resource "infra_#{subnet_name}_nat_gateway".cfnize,
+                     amount: 3,
+                     type: "AWS::EC2::NatGateway" do |r, index|
+              r.property(:allocation_id) { "infra_#{subnet_name}_elastic_ip#{index.zero? && "" || index + 1}".cfnize.ref(:allocation_id) }
+              r.property(:subnet_id) { "infra_#{subnet_name}_subnet#{index.zero? && "" || index + 1}".cfnize.ref }
+            end
+
+            resource :infra_nat_gateway_route,
+                     depends_on: :infra_vpc_gateway_attachment,
+                     amount: 3,
+                     type: "AWS::EC2::Route" do |r, index|
+              r.depends_on [
+                "InfraEc2PublicNatGateway#{index.zero? && "" || index + 1}"
+              ]
+              r.property(:destination_cidr_block) { "0.0.0.0/0" }
+              r.property(:nat_gateway_id) { "infra_#{subnet_name}_nat_gateway#{index.zero? && "" || index + 1}".cfnize.ref }
+              r.property(:route_table_id) { "infra_private_route_table#{index.zero? && "" || index + 1}".cfnize.ref }
+            end
+
+            # Generate outputs for NAT gateway
+            3.times do |i|
+              output_name = "nat_gateway_#{subnet_name}#{i.positive? ? (i + 1) : ""}"
+
+              output output_name,
+                     value: "infra_#{subnet_name}_nat_gateway#{i.positive? ? (i + 1) : ""}".cfnize.ref
+            end
+          end
+        end
+      end
+
+      output :vpc_cidr,
+             value: :infra_vpc.ref(:cidr_block)
+      output :vpc_id,
+             value: :infra_vpc.ref
+    end
+  end
+end