simplygenius-atmos 0.7.1 → 0.8.0

data/lib/simplygenius/atmos/providers/aws/container_manager.rb

@@ -0,0 +1,118 @@
+require_relative '../../../atmos'
+require 'aws-sdk-ecs'
+require 'aws-sdk-ecr'
+require 'open3'
+
+module SimplyGenius
+  module Atmos
+    module Providers
+      module Aws
+
+        class ContainerManager
+          include GemLogger::LoggerSupport
+
+          def initialize(provider)
+            @provider = provider
+          end
+
+          def push(ecs_name, local_image,
+                   ecr_repo: ecs_name, revision: nil)
+
+            revision = Time.now.strftime('%Y%m%d%H%M%S') unless revision.present?
+            result = {}
+
+            ecr = ::Aws::ECR::Client.new
+            resp = nil
+
+            resp = ecr.get_authorization_token
+            auth_data = resp.authorization_data.first
+            token = auth_data.authorization_token
+            endpoint = auth_data.proxy_endpoint
+            user, password = Base64.decode64(token).split(':')
+
+            # docker login into the ECR repo for the current account so that we can pull/push to it
+            run("docker", "login", "-u", user, "-p", password, endpoint)#, stdin_data: token)
+
+            image="#{ecs_name}:latest"
+            ecs_image="#{endpoint.sub(/https?:\/\//, '')}/#{ecr_repo}"
+
+            tags = ['latest', revision]
+            logger.info "Tagging local image '#{local_image}' with #{tags}"
+            tags.each {|t| run("docker", "tag", local_image, "#{ecs_image}:#{t}") }
+
+            logger.info "Pushing tagged image to ECR repo"
+            tags.each {|t| run("docker", "push", "#{ecs_image}:#{t}") }
+
+            result[:remote_image] = "#{ecs_image}:#{revision}"
+            return result
+          end
+
+          def deploy_task(task, remote_image)
+            result = {}
+
+            ecs = ::Aws::ECS::Client.new
+            resp = nil
+
+            resp = ecs.list_task_definitions(family_prefix: task, sort: 'DESC')
+            latest_defn_arn = resp.task_definition_arns.first
+
+            logger.info "Latest task definition: #{latest_defn_arn}"
+
+            resp = ecs.describe_task_definition(task_definition: latest_defn_arn)
+            latest_defn = resp.task_definition
+
+            new_defn = latest_defn.to_h
+            [:revision, :status, :task_definition_arn,
+             :requires_attributes, :compatibilities].each do |attr|
+              new_defn.delete(attr)
+            end
+            new_defn[:container_definitions].each {|c| c[:image] = remote_image}
+
+            resp = ecs.register_task_definition(**new_defn)
+            result[:task_definition] = resp.task_definition.task_definition_arn
+
+            logger.info "Updated task=#{task} to #{result[:task_definition]} with image #{remote_image}"
+
+            return result
+          end
+
+          def deploy_service(cluster, service, remote_image)
+             result = {}
+
+             ecs = ::Aws::ECS::Client.new
+             resp = nil
+
+             # Get current task definition name from service
+             resp = ecs.describe_services(cluster: cluster, services: [service])
+             current_defn_arn = resp.services.first.task_definition
+             defn_name = current_defn_arn.split("/").last.split(":").first
+
+             logger.info "Current task definition (name=#{defn_name}): #{current_defn_arn}"
+             result = deploy_task(defn_name, remote_image)
+             new_taskdef = result[:task_definition]
+
+             logger.info "Updating service with new task definition: #{new_taskdef}"
+
+             resp = ecs.update_service(cluster: cluster, service: service, task_definition: new_taskdef)
+
+             logger.info "Updated service=#{service} on cluster=#{cluster} to #{new_taskdef} with image #{remote_image}"
+
+             return result
+          end
+
+          private
+
+          def run(*args, **opts)
+            logger.debug("Running: #{args}")
+            stdout, status = Open3.capture2e(ENV, *args, **opts)
+            logger.debug(stdout)
+            raise "Failed to run #{args}: #{stdout}" unless status.success?
+            return stdout
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/simplygenius/atmos/providers/aws/provider.rb

@@ -0,0 +1,53 @@
+require_relative '../../../atmos'
+
+Dir.glob(File.join(__dir__, '*.rb')) do |f|
+  require_relative "#{File.basename(f).sub(/\.rb$/, "")}"
+end
+
+module SimplyGenius
+  module Atmos
+    module Providers
+      module Aws
+
+        class Provider
+          include GemLogger::LoggerSupport
+
+          def initialize(name)
+            @name = name
+          end
+
+          def auth_manager
+            @auth_manager ||= begin
+              AuthManager.new(self)
+            end
+          end
+
+          def user_manager
+            @user_manager ||= begin
+              UserManager.new(self)
+            end
+          end
+
+          def account_manager
+            @account_manager ||= begin
+              AccountManager.new(self)
+            end
+          end
+
+          def secret_manager
+            @secret_manager ||= begin
+              S3SecretManager.new(self)
+            end
+          end
+
+          def container_manager
+            @container_manager ||= begin
+              ContainerManager.new(self)
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/simplygenius/atmos/providers/aws/s3_secret_manager.rb

@@ -0,0 +1,51 @@
+require_relative '../../../atmos'
+require 'aws-sdk-s3'
+
+module SimplyGenius
+  module Atmos
+    module Providers
+      module Aws
+
+        class S3SecretManager
+          include GemLogger::LoggerSupport
+
+          def initialize(provider)
+            @provider = provider
+            logger.debug("Secrets config is: #{Atmos.config[:secret]}")
+            @bucket_name = Atmos.config[:secret][:bucket]
+            @encrypt = Atmos.config[:secret][:encrypt]
+          end
+
+          def set(key, value)
+            opts = {}
+            opts[:server_side_encryption] = "AES256" if @encrypt
+            bucket.object(key).put(body: value, **opts)
+          end
+
+          def get(key)
+            bucket.object(key).get.body.read
+          end
+
+          def delete(key)
+            bucket.object(key).delete
+          end
+
+          def to_h
+            Hash[bucket.objects.collect {|o|
+              [o.key, o.get.body.read]
+            }]
+          end
+
+          private
+
+          def bucket
+            raise ArgumentError.new("The s3 secret bucket is not set") unless @bucket_name
+            @bucket ||= ::Aws::S3::Bucket.new(@bucket_name)
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/simplygenius/atmos/providers/aws/user_manager.rb

@@ -0,0 +1,213 @@
+require_relative '../../../atmos'
+require_relative '../../../atmos/otp'
+require 'aws-sdk-iam'
+require 'securerandom'
+
+module SimplyGenius
+  module Atmos
+    module Providers
+      module Aws
+
+        class UserManager
+          include GemLogger::LoggerSupport
+          include FileUtils
+
+          def initialize(provider)
+            @provider = provider
+          end
+
+          def create_user(user_name)
+            result = {}
+            client = ::Aws::IAM::Client.new
+            resource = ::Aws::IAM::Resource.new
+
+            user = resource.user(user_name)
+
+            if user.exists?
+              logger.info "User '#{user_name}' already exists"
+            else
+              logger.info "Creating new user '#{user_name}'"
+              user = resource.create_user(user_name: user_name)
+              client.wait_until(:user_exists, user_name: user_name)
+              logger.debug "User created, user_name=#{user_name}"
+            end
+
+            result[:user_name] = user_name
+
+            return result
+          end
+
+          def set_groups(user_name, groups, force: false)
+            result = {}
+            resource = ::Aws::IAM::Resource.new
+
+            user = resource.user(user_name)
+
+            existing_groups = user.groups.collect(&:name)
+            groups_to_add = groups -  existing_groups
+            groups_to_remove = existing_groups - groups
+
+            result[:groups] = existing_groups
+
+            groups_to_add.each do |group|
+              logger.debug "Adding group: #{group}"
+              user.add_group(group_name: group)
+              result[:groups] << group
+            end
+
+            if force
+              groups_to_remove.each do |group|
+                logger.debug "Removing group: #{group}"
+                user.remove_group(group_name: group)
+                result[:groups].delete(group)
+              end
+            end
+
+            logger.info "User associated with groups=#{result[:groups]}"
+
+            return result
+          end
+
+          def enable_login(user_name, force: false)
+            result = {}
+            resource = ::Aws::IAM::Resource.new
+
+            user = resource.user(user_name)
+
+            password = ""
+            classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[!@#$%^&*()_+\-=\[\]{}|']/]
+            while ! classes.all? {|c| password =~ c }
+              password = SecureRandom.base64(15)
+            end
+
+            exists = false
+            begin
+              user.login_profile.create_date
+              exists = true
+            rescue ::Aws::IAM::Errors::NoSuchEntity
+              exists = false
+            end
+
+            if exists
+              logger.info "User login already exists"
+              if force
+                user.login_profile.update(password: password, password_reset_required: true)
+                result[:password] = password
+                logger.info "Updated user login with password=#{password}"
+              end
+            else
+              user.create_login_profile(password: password, password_reset_required: true)
+              result[:password] = password
+              logger.info "User login enabled with password=#{password}"
+            end
+
+            return result
+          end
+
+          def enable_mfa(user_name, force: false)
+            result = {}
+            client = ::Aws::IAM::Client.new
+            resource = ::Aws::IAM::Resource.new
+
+            user = resource.user(user_name)
+
+            if user.mfa_devices.first
+              logger.info "User mfa devices already exist"
+              if force
+                logger.info "Deleting old mfa devices"
+                user.mfa_devices.each do |dev|
+                  dev.disassociate
+                  client.delete_virtual_mfa_device(serial_number: dev.serial_number)
+                  Otp.instance.remove(user_name)
+                end
+              else
+                return result
+              end
+            end
+
+            resp = client.create_virtual_mfa_device(
+              virtual_mfa_device_name: user_name
+            )
+
+            serial = resp.virtual_mfa_device.serial_number
+            seed = resp.virtual_mfa_device.base_32_string_seed
+
+            Otp.instance.add(user_name, seed)
+            code1 = Otp.instance.generate(user_name)
+            interval = (30 - (Time.now.to_i % 30)) + 1
+            logger.info "Waiting for #{interval}s to generate second otp key for enablement"
+            sleep interval
+            code2 = Otp.instance.generate(user_name)
+            raise "MFA codes should not be the same" if code1 == code2
+
+            resp = client.enable_mfa_device({
+              user_name: user_name,
+              serial_number: serial,
+              authentication_code_1: code1,
+              authentication_code_2: code2,
+            })
+
+            result[:mfa_secret] = seed
+
+            return result
+          end
+
+          def enable_access_keys(user_name, force: false)
+            result = {}
+            resource = ::Aws::IAM::Resource.new
+
+            user = resource.user(user_name)
+
+            if user.access_keys.first
+              logger.info "User access keys already exist"
+              if force
+                logger.info "Deleting old access keys"
+                user.access_keys.each do |key|
+                  key.delete
+                end
+              else
+                return result
+              end
+            end
+
+            # TODO: auto add to ~/.aws/credentials and config
+            key_pair = user.create_access_key_pair
+            result[:key] = key_pair.access_key_id
+            result[:secret] = key_pair.secret
+            logger.debug "User keys generated key=#{key_pair.access_key_id}, secret=#{key_pair.secret}"
+
+            return result
+          end
+
+          def set_public_key(user_name, public_key, force: false)
+            result = {}
+            client = ::Aws::IAM::Client.new
+            resource = ::Aws::IAM::Resource.new
+
+            user = resource.user(user_name)
+            keys = client.list_ssh_public_keys(user_name: user_name).ssh_public_keys
+            if keys.size > 0
+              logger.info "User ssh public keys already exist"
+              if force
+                logger.info "Deleting old ssh public keys"
+                keys.each do |key|
+                  client.delete_ssh_public_key(user_name: user_name,
+                                               ssh_public_key_id: key.ssh_public_key_id)
+                end
+              else
+                return result
+              end
+            end
+
+            client.upload_ssh_public_key(user_name: user_name, ssh_public_key_body: public_key)
+            logger.debug "User public key assigned: #{public_key}"
+
+            return result
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/simplygenius/atmos/settings_hash.rb

@@ -0,0 +1,93 @@
+require 'hashie'
+
+module SimplyGenius
+  module Atmos
+
+    class SettingsHash <  Hashie::Mash
+      include GemLogger::LoggerSupport
+      include Hashie::Extensions::DeepMerge
+      include Hashie::Extensions::DeepFetch
+      disable_warnings
+
+      PATH_PATTERN = /[\.\[\]]/
+
+      def notation_get(key)
+        path = key.to_s.split(PATH_PATTERN).compact
+        path = path.collect {|p| p =~ /^\d+$/ ? p.to_i : p }
+        result = nil
+
+        begin
+          result = deep_fetch(*path)
+        rescue Hashie::Extensions::DeepFetch::UndefinedPathError => e
+          logger.debug("Settings missing value for key='#{key}'")
+        end
+
+        return result
+      end
+
+      def notation_put(key, value, additive: true)
+        path = key.to_s.split(PATH_PATTERN).compact
+        path = path.collect {|p| p =~ /^\d+$/ ? p.to_i : p }
+        current_level = self
+        path.each_with_index do |p, i|
+
+          if i == path.size - 1
+            if additive && current_level[p].is_a?(Array)
+              current_level[p] = current_level[p] | Array(value)
+            else
+              current_level[p] = value
+            end
+          else
+            if current_level[p].nil?
+              if path[i+1].is_a?(Integer)
+                current_level[p] = []
+              else
+                current_level[p] = {}
+              end
+            end
+          end
+
+          current_level = current_level[p]
+        end
+      end
+
+      def self.add_config(yml_file, key, value, additive: true)
+        orig_config_with_comments = File.read(yml_file)
+
+        comment_places = {}
+        comment_lines = []
+        orig_config_with_comments.each_line do |line|
+          line.gsub!(/\s+$/, "\n")
+          if line =~ /^\s*(#.*)?$/
+            comment_lines << line
+          else
+            if comment_lines.present?
+              comment_places[line.chomp] = comment_lines
+              comment_lines = []
+            end
+          end
+        end
+        comment_places["<EOF>"] = comment_lines
+
+        orig_config = SettingsHash.new((YAML.load_file(yml_file) rescue {}))
+        orig_config.notation_put(key, value, additive: additive)
+        new_config_no_comments = YAML.dump(orig_config.to_hash)
+        new_config_no_comments.sub!(/\A---\n/, "")
+
+        new_yml = ""
+        new_config_no_comments.each_line do |line|
+          line.gsub!(/\s+$/, "\n")
+          cline = comment_places.keys.find {|k| line =~ /^#{k}/ }
+          comments = comment_places[cline]
+          comments.each {|comment| new_yml << comment } if comments
+          new_yml << line
+        end
+        comment_places["<EOF>"].each {|comment| new_yml << comment }
+
+        return new_yml
+      end
+
+    end
+
+  end
+end