stack_master 2.3.0 → 2.14.1

data/lib/stack_master/commands/apply.rb

@@ -1,5 +1,3 @@
-require 'pathname'
-
 module StackMaster
   module Commands
     class Apply
@@ -205,18 +203,8 @@ module StackMaster
       end
 
       def ensure_valid_parameters!
-        if @proposed_stack.missing_parameters?
-          message = <<~MESSAGE
-            Empty/blank parameters detected, ensure values exist for those parameters.
-            Parameters will be read from the following locations:
-          MESSAGE
-          base_dir = Pathname.new(@stack_definition.base_dir)
-          @stack_definition.parameter_file_globs.each do |glob|
-            parameter_file = Pathname.new(glob).relative_path_from(base_dir)
-            message << " - #{parameter_file}\n"
-          end
-          failed!(message)
-        end
+        pv = ParameterValidator.new(stack: @proposed_stack, stack_definition: @stack_definition)
+        failed!(pv.error_message) if pv.missing_parameters?
       end
 
       def ensure_valid_template_body_size!

data/lib/stack_master/commands/compile.rb

@@ -5,7 +5,7 @@ module StackMaster
       include Commander::UI
 
       def perform
-        puts(proposed_stack.template_body)
+        StackMaster.stdout.puts(proposed_stack.template_body)
       end
 
       private

data/lib/stack_master/commands/drift.rb

@@ -0,0 +1,118 @@
+require 'diffy'
+
+module StackMaster
+  module Commands
+    class Drift
+      include Command
+      include Commander::UI
+
+      DETECTION_COMPLETE_STATES = [
+        'DETECTION_COMPLETE',
+        'DETECTION_FAILED'
+      ]
+
+      def perform
+        detect_stack_drift_result = cf.detect_stack_drift(stack_name: stack_name)
+        drift_results = wait_for_drift_results(detect_stack_drift_result.stack_drift_detection_id)
+
+        puts colorize("Drift Status: #{drift_results.stack_drift_status}", stack_drift_status_color(drift_results.stack_drift_status))
+        return if drift_results.stack_drift_status == 'IN_SYNC'
+
+        failed
+
+        resp = cf.describe_stack_resource_drifts(stack_name: stack_name)
+        resp.stack_resource_drifts.each do |drift|
+          display_drift(drift)
+        end
+      end
+
+      private
+
+      def cf
+        @cf ||= StackMaster.cloud_formation_driver
+      end
+
+      def display_drift(drift)
+        color = drift_color(drift)
+        puts colorize([drift.stack_resource_drift_status,
+                       drift.resource_type,
+                       drift.logical_resource_id,
+                       drift.physical_resource_id].join(' '), color)
+        return unless drift.stack_resource_drift_status == 'MODIFIED'
+
+        unless drift.property_differences.empty?
+          puts colorize('  Property differences:', color)
+        end
+        drift.property_differences.each do |property_difference|
+          puts colorize("  - #{property_difference.difference_type} #{property_difference.property_path}", color)
+        end
+        puts colorize('  Resource diff:', color)
+        display_resource_drift(drift)
+      end
+
+      def display_resource_drift(drift)
+        diff = ::StackMaster::Diff.new(before: prettify_json(drift.expected_properties),
+                        after: prettify_json(drift.actual_properties))
+        diff.display_colorized_diff
+      end
+
+      def prettify_json(string)
+        JSON.pretty_generate(JSON.parse(string)) + "\n"
+      rescue StandardError => e
+        puts "Failed to prettify drifted resource: #{e.message}"
+        string
+      end
+
+      def stack_drift_status_color(stack_drift_status)
+        case stack_drift_status
+        when 'IN_SYNC'
+          :green
+        when 'DRIFTED'
+          :yellow
+        else
+          :blue
+        end
+      end
+
+      def drift_color(drift)
+        case drift.stack_resource_drift_status
+        when 'IN_SYNC'
+          :green
+        when 'MODIFIED'
+          :yellow
+        when 'DELETED'
+          :red
+        else
+          :blue
+        end
+      end
+
+      def wait_for_drift_results(detection_id)
+        resp = nil
+        start_time = Time.now
+        loop do
+          resp = cf.describe_stack_drift_detection_status(stack_drift_detection_id: detection_id)
+          break if DETECTION_COMPLETE_STATES.include?(resp.detection_status)
+
+          elapsed_time = Time.now - start_time
+          if elapsed_time > @options.timeout
+            raise "Timeout waiting for stack drift detection"
+          end
+
+          sleep SLEEP_SECONDS
+        end
+        resp
+      end
+
+      def puts(string)
+        StackMaster.stdout.puts(string)
+      end
+
+      extend Forwardable
+      def_delegators :@stack_definition, :stack_name, :region
+      def_delegators :StackMaster, :colorize
+
+      SLEEP_SECONDS = 1
+    end
+  end
+end

data/lib/stack_master/commands/init.rb

@@ -29,7 +29,7 @@ module StackMaster
 
         if !@options.overwrite
           [@stack_master_filename, @stack_json_filename, @parameters_filename, @region_parameters_filename].each do |filename|
-            if File.exists?(filename)
+            if File.exist?(filename)
               StackMaster.stderr.puts("Aborting: #{filename} already exists. Use --overwrite to force overwriting file.")
               return false
             end

data/lib/stack_master/commands/nag.rb

@@ -0,0 +1,30 @@
+module StackMaster
+  module Commands
+    class Nag
+      include Command
+      include Commander::UI
+
+      def perform
+        rv = Tempfile.open(['stack', "___#{stack_definition.stack_name}.#{proposed_stack.template_format}"]) do |f|
+          f.write(proposed_stack.template_body)
+          f.flush
+          system('cfn_nag', f.path)
+          $?.exitstatus
+        end
+
+        failed!("cfn_nag check failed with exit status #{rv}") if rv > 0
+      end
+
+      private
+
+      def stack_definition
+        @stack_definition ||= @config.find_stack(@region, @stack_name)
+      end
+
+      def proposed_stack
+        @proposed_stack ||= Stack.generate(stack_definition, @config)
+      end
+
+    end
+  end
+end

data/lib/stack_master/commands/resources.rb

@@ -17,7 +17,7 @@ module StackMaster
       private
 
       def stack_resources
-        @stack_resources ||= cf.describe_stack_resources(stack_name: @stack_definition.stack_name).stack_resources
+        @stack_resources ||= cf.describe_stack_resources({ stack_name: @stack_definition.stack_name }).stack_resources
       rescue Aws::CloudFormation::Errors::ValidationError
         nil
       end

data/lib/stack_master/commands/status.rb

@@ -44,7 +44,7 @@ module StackMaster
       end
 
       def running_in_allowed_account?(allowed_accounts)
-        StackMaster.skip_account_check? || identity.running_in_allowed_account?(allowed_accounts)
+        StackMaster.skip_account_check? || identity.running_in_account?(allowed_accounts)
       end
 
       def identity

data/lib/stack_master/commands/tidy.rb

@@ -12,7 +12,7 @@ module StackMaster
         parameter_files = Set.new(find_parameter_files())
 
         status = @config.stacks.each do |stack_definition|
-          parameter_files.subtract(stack_definition.parameter_files)
+          parameter_files.subtract(stack_definition.parameter_files_from_globs)
           template = File.absolute_path(stack_definition.template_file_path)
 
           if template

data/lib/stack_master/commands/validate.rb

@@ -5,7 +5,7 @@ module StackMaster
       include Commander::UI
 
       def perform
-        failed unless Validator.valid?(@stack_definition, @config)
+        failed unless Validator.valid?(@stack_definition, @config, @options)
       end
     end
   end

data/lib/stack_master/config.rb

@@ -17,6 +17,7 @@ module StackMaster
     attr_accessor :stacks,
                   :base_dir,
                   :template_dir,
+                  :parameters_dir,
                   :stack_defaults,
                   :region_defaults,
                   :region_aliases,
@@ -27,7 +28,7 @@ module StackMaster
 
       dir = Dir.pwd
       parent_dir = File.expand_path("..", Dir.pwd)
-      while parent_dir != dir && !File.exists?(File.join(dir, config_file))
+      while parent_dir != dir && !File.exist?(File.join(dir, config_file))
         dir = parent_dir
         parent_dir = File.expand_path("..", dir)
       end
@@ -39,6 +40,7 @@ module StackMaster
       @config = config
       @base_dir = base_dir
       @template_dir = config.fetch('template_dir', nil)
+      @parameters_dir = config.fetch('parameters_dir', nil)
       @stack_defaults = config.fetch('stack_defaults', {})
       @region_aliases = Utils.underscore_keys_to_hyphen(config.fetch('region_aliases', {}))
       @region_to_aliases = @region_aliases.inject({}) do |hash, (key, value)|
@@ -48,6 +50,8 @@ module StackMaster
       end
       @region_defaults = normalise_region_defaults(config.fetch('region_defaults', {}))
       @stacks = []
+
+      raise ConfigParseError.new("Stack defaults can't be undefined") if @stack_defaults.nil?
       load_template_compilers(config)
       load_config
     end
@@ -90,6 +94,7 @@ module StackMaster
         json: :json,
         yml:  :yaml,
         yaml: :yaml,
+        erb:  :yaml_erb,
       }
     end
 
@@ -109,12 +114,15 @@ module StackMaster
       stacks.each do |region, stacks_for_region|
         region = Utils.underscore_to_hyphen(region)
         stacks_for_region.each do |stack_name, attributes|
+          raise ConfigParseError.new("Entry for stack #{stack_name} has no attributes") if attributes.nil?
+
           stack_name = Utils.underscore_to_hyphen(stack_name)
           stack_attributes = build_stack_defaults(region).deeper_merge!(attributes).merge(
             'region' => region,
             'stack_name' => stack_name,
             'base_dir' => @base_dir,
             'template_dir' => @template_dir,
+            'parameters_dir' => @parameters_dir,
             'additional_parameter_lookup_dirs' => @region_to_aliases[region])
           stack_attributes['allowed_accounts'] = attributes['allowed_accounts'] if attributes['allowed_accounts']
           @stacks << StackDefinition.new(stack_attributes)

data/lib/stack_master/diff.rb

@@ -0,0 +1,45 @@
+module StackMaster
+  class Diff
+    def initialize(name: nil, before:, after:, context: 10_000)
+      @name = name
+      @before = before
+      @after = after
+      @context = context
+    end
+
+    def display
+      stdout.print "#{@name} diff: "
+      if diff == ''
+        stdout.puts "No changes"
+      else
+        stdout.puts
+        display_colorized_diff
+      end
+    end
+
+    def display_colorized_diff
+      diff.each_line do |line|
+        if line.start_with?('+')
+          stdout.print colorize(line, :green)
+        elsif line.start_with?('-')
+          stdout.print colorize(line, :red)
+        else
+          stdout.print line
+        end
+      end
+    end
+
+    def different?
+      diff != ''
+    end
+
+    private
+
+    def diff
+      @diff ||= Diffy::Diff.new(@before, @after, context: @context).to_s
+    end
+
+    extend Forwardable
+    def_delegators :StackMaster, :colorize, :stdout
+  end
+end

data/lib/stack_master/identity.rb

@@ -1,23 +1,55 @@
 module StackMaster
   class Identity
-    def running_in_allowed_account?(allowed_accounts)
-      allowed_accounts.nil? || allowed_accounts.empty? || allowed_accounts.include?(account)
+    AllowedAccountAliasesError = Class.new(StandardError)
+    MissingIamPermissionsError = Class.new(StandardError)
+
+    def running_in_account?(accounts)
+      return true if accounts.nil? || accounts.empty? || contains_account_id?(accounts)
+
+      # skip alias check (which makes an API call) if all values are account IDs
+      return false if accounts.all? { |account| account_id?(account) }
+
+      contains_account_alias?(accounts)
+    rescue MissingIamPermissionsError
+      raise AllowedAccountAliasesError, 'Failed to validate whether the current AWS account is allowed'
     end
 
     def account
       @account ||= sts.get_caller_identity.account
     end
 
-    private
+    def account_aliases
+      @aliases ||= iam.list_account_aliases.account_aliases
+    rescue Aws::IAM::Errors::AccessDenied
+      raise MissingIamPermissionsError, 'Failed to retrieve account aliases. Missing required IAM permission: iam:ListAccountAliases'
+    end
 
-    attr_reader :sts
+    private
 
     def region
       @region ||= ENV['AWS_REGION'] || Aws.config[:region] || Aws.shared_config.region || 'us-east-1'
     end
 
     def sts
-      @sts ||= Aws::STS::Client.new(region: region)
+      @sts ||= Aws::STS::Client.new({ region: region })
+    end
+
+    def iam
+      @iam ||= Aws::IAM::Client.new({ region: region })
+    end
+
+    def contains_account_id?(ids)
+      ids.include?(account)
+    end
+
+    def contains_account_alias?(aliases)
+      account_aliases.any? { |account_alias| aliases.include?(account_alias) }
+    end
+
+    def account_id?(id_or_alias)
+      # While it's not explicitly documented as prohibited, it cannot (currently) be possible to set an account alias of
+      # 12 digits, as that could cause one console sign-in URL to resolve to two separate accounts.
+      /^[0-9]{12}$/.match?(id_or_alias)
     end
   end
 end

data/lib/stack_master/parameter_loader.rb

@@ -5,10 +5,10 @@ module StackMaster
 
     COMPILE_TIME_PARAMETERS_KEY = 'compile_time_parameters'
 
-    def self.load(parameter_files)
+    def self.load(parameter_files: [], parameters: {})
       StackMaster.debug 'Searching for parameter files...'
-      parameter_files.reduce({template_parameters: {}, compile_time_parameters: {}}) do |hash, file_name|
-        parameters = load_parameters(file_name)
+      all_parameters = parameter_files.map { |file_name| load_parameters(file_name) } + [parameters]
+      all_parameters.reduce({template_parameters: {}, compile_time_parameters: {}}) do |hash, parameters|
         template_parameters = create_template_parameters(parameters)
         compile_time_parameters = create_compile_time_parameters(parameters)
 
@@ -16,13 +16,12 @@ module StackMaster
         merge_and_camelize(hash[:compile_time_parameters], compile_time_parameters)
         hash
       end
-
     end
 
     private
 
     def self.load_parameters(file_name)
-      file_exists = File.exists?(file_name)
+      file_exists = File.exist?(file_name)
       StackMaster.debug file_exists ? "  #{file_name} found" : "  #{file_name} not found"
       file_exists ? load_file(file_name) : {}
     end

data/lib/stack_master/parameter_resolvers/acm_certificate.rb

@@ -19,9 +19,9 @@ module StackMaster
       def all_certs
         certs = []
         next_token = nil
-        client = Aws::ACM::Client.new(region: @stack_definition.region)
+        client = Aws::ACM::Client.new({ region: @stack_definition.region })
         loop do
-          resp = client.list_certificates(certificate_statuses: ['ISSUED'], next_token: next_token)
+          resp = client.list_certificates({ certificate_statuses: ['ISSUED'], next_token: next_token })
           certs << resp.certificate_summary_list
           next_token = resp.next_token
           break if next_token.nil?

data/lib/stack_master/parameter_resolvers/ami_finder.rb

@@ -19,7 +19,7 @@ module StackMaster
       end
 
       def find_latest_ami(filters, owners = ['self'])
-        images = ec2.describe_images(owners: owners, filters: filters).images
+        images = ec2.describe_images({ owners: owners, filters: filters }).images
         sorted_images = images.sort do |a, b|
           Time.parse(a.creation_date) <=> Time.parse(b.creation_date)
         end
@@ -29,8 +29,8 @@ module StackMaster
       private
 
       def ec2
-        @ec2 ||= Aws::EC2::Client.new(region: @region)
+        @ec2 ||= Aws::EC2::Client.new({ region: @region })
       end
     end
   end
-end
+end

data/lib/stack_master/parameter_resolvers/latest_container.rb

@@ -14,7 +14,7 @@ module StackMaster
         end
 
         @region = parameters['region'] || @stack_definition.region
-        ecr_client = Aws::ECR::Client.new(region: @region)
+        ecr_client = Aws::ECR::Client.new({ region: @region })
 
         images = fetch_images(parameters['repository_name'], parameters['registry_id'], ecr_client)
 

data/lib/stack_master/parameter_resolvers/parameter_store.rb

@@ -11,11 +11,11 @@ module StackMaster
 
       def resolve(value)
         begin
-          ssm = Aws::SSM::Client.new(region: @stack_definition.region)
-          resp = ssm.get_parameter(
+          ssm = Aws::SSM::Client.new({ region: @stack_definition.region })
+          resp = ssm.get_parameter({
             name: value,
             with_decryption: true
-          )
+          })
         rescue Aws::SSM::Errors::ParameterNotFound
           raise ParameterNotFound, "Unable to find #{value} in Parameter Store"
         end

data/lib/stack_master/parameter_resolvers/stack_output.rb

@@ -53,7 +53,7 @@ module StackMaster
 
         @stacks.fetch(stack_key) do
           regional_cf = cf_for_region(unaliased_region)
-          cf_stack = regional_cf.describe_stacks(stack_name: stack_name).stacks.first
+          cf_stack = regional_cf.describe_stacks({ stack_name: stack_name }).stacks.first
           @stacks[stack_key] = cf_stack
         end
       end

data/lib/stack_master/parameter_validator.rb

@@ -0,0 +1,53 @@
+require 'pathname'
+
+module StackMaster
+  class ParameterValidator
+    def initialize(stack:, stack_definition:)
+      @stack = stack
+      @stack_definition = stack_definition
+    end
+
+    def error_message
+      return nil unless missing_parameters?
+      message = "Empty/blank parameters detected. Please provide values for these parameters:\n"
+      missing_parameters.each do |parameter_name|
+        message << " - #{parameter_name}\n"
+      end
+      if @stack_definition.parameter_files.empty?
+        message << message_for_parameter_globs
+      else
+        message << message_for_parameter_files
+      end
+      message
+    end
+
+    def missing_parameters?
+      missing_parameters.any?
+    end
+
+    private
+
+    def message_for_parameter_files
+      "Parameters are configured to be read from the following files:\n".tap do |message|
+        @stack_definition.parameter_files.each do |parameter_file|
+          message << " - #{parameter_file}\n"
+        end
+      end
+    end
+
+    def message_for_parameter_globs
+      "Parameters will be read from files matching the following globs:\n".tap do |message|
+        base_dir = Pathname.new(@stack_definition.base_dir)
+        @stack_definition.parameter_file_globs.each do |glob|
+          parameter_file = Pathname.new(glob).relative_path_from(base_dir)
+          message << " - #{parameter_file}\n"
+        end
+      end
+    end
+
+    def missing_parameters
+      @missing_parameters ||=
+        @stack.parameters_with_defaults.select { |_key, value| value.nil? }.keys
+    end
+  end
+end

data/lib/stack_master/role_assumer.rb

@@ -44,10 +44,11 @@ module StackMaster
     def assume_role_credentials(account, role)
       credentials_key = "#{account}:#{role}"
       @credentials.fetch(credentials_key) do
-        @credentials[credentials_key] = Aws::AssumeRoleCredentials.new(
+        @credentials[credentials_key] = Aws::AssumeRoleCredentials.new({
+          region: StackMaster.cloud_formation_driver.region,
           role_arn: "arn:aws:iam::#{account}:role/#{role}",
           role_session_name: "stack-master-role-assumer"
-        )
+        })
       end
     end
   end

data/lib/stack_master/security_group_finder.rb

@@ -4,7 +4,7 @@ module StackMaster
     MultipleSecurityGroupsFound = Class.new(StandardError)
 
     def initialize(region)
-      @resource = Aws::EC2::Resource.new(region: region)
+      @resource = Aws::EC2::Resource.new({ region: region })
     end
 
     def find(reference)

data/lib/stack_master/sns_topic_finder.rb

@@ -3,7 +3,7 @@ module StackMaster
     TopicNotFound = Class.new(StandardError)
 
     def initialize(region)
-      @resource = Aws::SNS::Resource.new(region: region)
+      @resource = Aws::SNS::Resource.new({ region: region })
     end
 
     def find(reference)

data/lib/stack_master/sparkle_formation/compile_time/empty_validator.rb

@@ -19,7 +19,7 @@ module StackMaster
 
         def has_invalid_values?
           values = build_values(@definition, @parameter)
-          values.include?(nil) || values.include?('')
+          values.include?(nil)
         end
 
         def create_error

data/lib/stack_master/sparkle_formation/template_file.rb

@@ -5,19 +5,6 @@ module StackMaster
   module SparkleFormation
     TemplateFileNotFound = ::Class.new(StandardError)
 
-    class SfEruby < Erubis::Eruby
-      include Erubis::ArrayEnhancer
-
-      def add_expr(src, code, indicator)
-        case indicator
-          when '='
-            src << " #{@bufvar} << (" << code << ');'
-          else
-            super
-        end
-      end
-    end
-
     class TemplateContext < AttributeStruct
       include ::SparkleFormation::SparkleAttribute
       include ::SparkleFormation::SparkleAttribute::Aws
@@ -49,47 +36,12 @@ module StackMaster
       end
     end
 
-    # Splits up long strings with multiple lines in them to multiple strings
-    # in the CF array. Makes the compiled template and diffs more readable.
-    class CloudFormationLineFormatter
-      def self.format(template)
-        new(template).format
-      end
-
-      def initialize(template)
-        @template = template
-      end
-
-      def format
-        @template.flat_map do |lines|
-          lines = lines.to_s if Symbol === lines
-          if String === lines
-            newlines = []
-            lines.count("\n").times do
-              newlines << "\n"
-            end
-            newlines = lines.split("\n").map do |line|
-              "#{line}#{newlines.pop}"
-            end
-            if lines.start_with?("\n")
-              newlines.insert(0, "\n")
-            end
-            newlines
-          else
-            lines
-          end
-        end
-      end
-    end
-
     module Template
       def self.render(prefix, file_name, vars)
         file_path = File.join(::SparkleFormation.sparkle_path, prefix, file_name)
-        template = File.read(file_path)
         template_context = TemplateContext.build(vars, prefix)
-        compiled_template = SfEruby.new(template).evaluate(template_context)
-        CloudFormationLineFormatter.format(compiled_template)
-      rescue Errno::ENOENT => e
+        CloudFormationInterpolatingEruby.evaluate_file(file_path, template_context)
+      rescue Errno::ENOENT
         Kernel.raise TemplateFileNotFound, "Could not find template file at path: #{file_path}"
       end
     end