sumomo 0.8.10 → 0.8.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44594639cdb423778a130d3debb64caa315d70a6a983a4a5b5fb7b6ed67793f5
-  data.tar.gz: 7f6bfa09705119de6682275516395b89362b50aa491e5e48ee64709cd55c8e17
+  metadata.gz: eeda4af6bbc948dd941cc1037a71430ffde716856bd1a34e087225d69165cc97
+  data.tar.gz: ccdec3cc1a55aac396e3dadb25bae8233860cdfa80ac6cb5ed423aa2963cf34a
 SHA512:
-  metadata.gz: a336692e9a46532499c5bb4c64dcab1a8c0e485dba942090c707f07dae3c888c542d93a7e012187dae0013d564c1348e6e17061fb4e394a302aea4833c78ce0b
-  data.tar.gz: 85927305c489ef72b87a271caddde2fd09696a9dee63f2bbbbd96724f587238195458080285820868a1d2df8f7fdfb73d8dfce3e4689cdb9865349374b559634
+  metadata.gz: f106ff8f3ceb987077388ae7d68473355e9d4a2fb704b086cc0090bfd872381084740bfd1052eb175e43287c93ac095ef9b6a7221dfa80f44a1d7ded32b38f3e
+  data.tar.gz: c03dd06c48a363c5c24d9c5e7f001869cb206ff38df9f048076ab523781511cb59aaeeec11137d01b5156a6a198fbe944dc98ab0876c9f0240a8c6fd96a4763b

data/data/sumomo/custom_resources/{USEastCertificate.js → ACMCertificate.js}

@@ -1,4 +1,6 @@
-var acm = new aws.ACM({region: "us-east-1"}); // MUST be us-east-1.
+var cert_region = request.ResourceProperties.RegionOverride || request.ResourceProperties.Region;
+
+var acm = new aws.ACM({region: cert_region});
 
 var return_properties = {};
 
@@ -66,9 +68,12 @@ function create(domain_name, on_success, on_fail)
     DomainValidationOptions: [
       {
         DomainName: domain_name,
-        ValidationDomain: extractRootDomain(domain_name)
+        ValidationDomain: extractRootDomain(domain_name),
       },
-    ]
+    ],
+    Options: {
+      CertificateTransparencyLoggingPreference: 'ENABLED'
+    }
   }
 
   if (request.ResourceProperties.ValidationMethod === "DNS")

data/data/sumomo/custom_resources/{USEastCertificateWaiter.js → ACMCertificateWaiter.js}

@@ -1,4 +1,6 @@
-var acm = new aws.ACM({region: "us-east-1"}); // MUST be us-east-1.
+var cert_region = request.ResourceProperties.RegionOverride || request.ResourceProperties.Region;
+
+var acm = new aws.ACM({region: cert_region});
 
 var arn = request.ResourceProperties.Certificate;
 

data/exe/sumomo

@@ -30,11 +30,21 @@ cmd_opts = case cmd
            when 'delete'
              Sumomo.delete_stack(name: ARGV[0], region: global_opts[:region])
 
-           when 'create', 'update'
+           when 'create'
              local_opts = Trollop.options do
                opt :filename, 'File that describes the stack', type: :string, default: 'Sumomofile'
              end
-             Sumomo.send("#{cmd}_stack", name: ARGV[0], region: global_opts[:region]) do
+             Sumomo.create_stack(name: ARGV[0], region: global_opts[:region]) do
+               proc = proc {}
+               eval File.read(local_opts[:filename]), proc.binding, local_opts[:filename]
+             end
+
+           when 'update'
+             local_opts = Trollop.options do
+               opt :filename, 'File that describes the stack', type: :string, default: 'Sumomofile'
+               opt :changeset, 'Create a changeset instead of directly update', type: :boolean, default: false
+             end
+             Sumomo.update_stack(name: ARGV[0], changeset: !!local_opts[:changeset], region: global_opts[:region]) do
                proc = proc {}
                eval File.read(local_opts[:filename]), proc.binding, local_opts[:filename]
              end

data/lib/sumomo/api.rb

@@ -159,9 +159,45 @@ module Sumomo
       end
     end
 
-    def make_api(domain_name, name:, script: nil, dns: nil, cert: nil, with_statements: [], &block)
+    def make_api(
+        domain_name,
+        name:,
+        script: nil,
+        dns: nil,
+        cert: nil,
+        mtls_truststore: nil,
+        logging: true,
+        with_statements: [], &block)
+
       api = make 'AWS::ApiGateway::RestApi', name: name do
         Name name
+        DisableExecuteApiEndpoint true
+      end
+
+      if logging
+        cloudwatchRole = make 'AWS::IAM::Role', name: "#{name}LoggingRole" do
+          AssumeRolePolicyDocument do
+            Version "2012-10-17"
+            Statement [
+              {
+                "Effect" => "Allow",
+                "Principal" => {
+                  "Service" => [
+                    "apigateway.amazonaws.com"
+                  ]
+                },
+                "Action" => "sts:AssumeRole"
+              }
+            ]
+          end
+          Path '/'
+          ManagedPolicyArns [ "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" ]
+        end
+
+        make 'AWS::ApiGateway::Account' do
+          depends_on api
+          CloudWatchRoleArn cloudwatchRole.Arn
+        end
       end
 
       script ||= File.read(File.join(Gem.loaded_specs['sumomo'].full_gem_path, 'data', 'sumomo', 'api_modules', 'real_script.js'))
@@ -183,7 +219,10 @@ module Sumomo
 
       files += [{ name: 'index.js', code: script }]
 
-      fun = make_lambda(name: "#{name}Lambda#{@version_number}", files: files, with_statements: with_statements)
+      fun = make_lambda(
+        name: "#{name}Lambda#{@version_number}",
+        files: files, 
+        role: custom_resource_exec_role(with_statements: with_statements) )
 
       resource = make 'AWS::ApiGateway::Resource', name: "#{name}Resource" do
         ParentId api.RootResourceId
@@ -230,18 +269,79 @@ module Sumomo
       stage = make 'AWS::ApiGateway::Stage', name: "#{name}Stage" do
         RestApiId api
         DeploymentId deployment
-        StageName 'test'
+
+        if logging
+          MethodSettings [ 
+            {
+              "ResourcePath" => "/*",
+              "HttpMethod" => "*",
+              "DataTraceEnabled" => true,
+              "LoggingLevel" => 'INFO'
+            }
+          ]
+        end
       end
 
       root_name = /(?<root_name>[^.]+\.[^.]+)$/.match(domain_name)[:root_name]
 
-      cert ||= make 'Custom::USEastCertificate', name: "#{name}Certificate" do
-        DomainName domain_name
+      certificate_completion = cert
+
+      bucket_name = @bucket_name
+      mtls = nil
+      if mtls_truststore
+        filename = "#{domain_name}.truststore.pem"
+        upload_file(filename, mtls_truststore)
+        truststore_uri = "s3://#{bucket_name}/uploads/#{filename}"
+        mtls = {
+          "TruststoreUri" => truststore_uri
+        }
       end
 
-      domain = make 'Custom::APIDomainName', name: "#{name}DomainName" do
+      if cert.nil?
+        cert = make 'Custom::ACMCertificate', name: "#{name}Certificate" do
+          DomainName domain_name
+          ValidationMethod 'DNS' if dns[:type] == :route53
+          RegionOverride 'us-east-1' if !mtls
+        end
+
+        certificate_completion = cert
+
+        if dns[:type] == :route53
+          make 'AWS::Route53::RecordSet', name: "#{name}CertificateRoute53Entry" do
+            HostedZoneId dns[:hosted_zone]
+            Name cert.RecordName
+            Type cert.RecordType
+            TTL 60
+            ResourceRecords [cert.RecordValue]
+          end
+
+          cert_waiter = make 'Custom::ACMCertificateWaiter', name: "#{name}CertificateWaiter" do
+            Certificate cert
+            RegionOverride 'us-east-1' if !mtls
+          end
+
+          certificate_completion = cert_waiter
+        end
+      end
+
+      domain = make 'AWS::ApiGateway::DomainName', name: "#{name}DomainName" do
+        depends_on certificate_completion
+
         DomainName domain_name
-        CertificateArn cert
+
+        if mtls != nil
+          RegionalCertificateArn cert
+          MutualTlsAuthentication mtls
+          SecurityPolicy 'TLS_1_2'
+          EndpointConfiguration do
+            Types [ 'REGIONAL' ]
+          end
+        else
+          CertificateArn cert
+          EndpointConfiguration do
+            Types [ 'EDGE' ]
+          end
+        end
       end
 
       make 'AWS::ApiGateway::BasePathMapping', name: "#{name}BasePathMapping" do
@@ -264,8 +364,19 @@ module Sumomo
         make 'AWS::Route53::RecordSet', name: "#{name}Route53Entry" do
           HostedZoneId dns[:hosted_zone]
           Name domain_name
-          Type 'CNAME'
-          ResourceRecords [call('Fn::Join', '', [api, '.execute-api.', ref('AWS::Region'), '.amazonaws.com'])]
+
+          if mtls != nil
+            Type 'A'
+            AliasTarget do
+              DNSName domain.RegionalDomainName
+              HostedZoneId domain.RegionalHostedZoneId
+            end
+          else
+            Type 'A'
+            AliasTarget do
+              DNSName domain.DistributionDomainName
+              HostedZoneId domain.DistributionHostedZoneId
+            end          end
         end
         domain_name
       else

data/lib/sumomo/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sumomo
-  VERSION = '0.8.10'
+  VERSION = '0.8.11'
 end

data/lib/sumomo.rb

@@ -36,7 +36,7 @@ module Sumomo
     end
   end
 
-  def self.update_stack(name:, region:, sns_arn: nil, &block)
+  def self.update_stack(name:, region:, sns_arn: nil, changeset: false, &block)
     cf = Aws::CloudFormation::Client.new(region: region)
     s3 = Aws::S3::Client.new(region: region)
     ec2 = Aws::EC2::Client.new(region: region)
@@ -121,7 +121,15 @@ module Sumomo
     }
 
     begin
-      cf.update_stack(update_options)
+      if changeset
+        cf.create_change_set(
+          **update_options,
+          change_set_name: "Change#{curtimestr}"
+        )
+      else
+        cf.update_stack(update_options)
+      end
+
     rescue StandardError => e
       if e.message.end_with? 'does not exist'
         update_options[:timeout_in_minutes] = @timeout if @timeout
@@ -134,6 +142,10 @@ module Sumomo
     end
   end
 
+  def self.curtimestr
+    Time.now.strftime('%Y%m%d%H%M%S')
+  end
+
   def self.wait_for_stack(name:, region:)
     cf = Aws::CloudFormation::Client.new(region: region)
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sumomo
 version: !ruby/object:Gem::Version
-  version: 0.8.10
+  version: 0.8.11
 platform: ruby
 authors:
 - David Siaw
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-06-11 00:00:00.000000000 Z
+date: 2021-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -2516,6 +2516,8 @@ files:
 - data/sumomo/api_modules/real_script.js
 - data/sumomo/api_modules/test_script.js
 - data/sumomo/custom_resource_utils.js
+- data/sumomo/custom_resources/ACMCertificate.js
+- data/sumomo/custom_resources/ACMCertificateWaiter.js
 - data/sumomo/custom_resources/AMILookup.js
 - data/sumomo/custom_resources/APIDomainName.js
 - data/sumomo/custom_resources/AvailabilityZones.js
@@ -2526,8 +2528,6 @@ files:
 - data/sumomo/custom_resources/OriginAccessIdentity.js
 - data/sumomo/custom_resources/SelectSpot.js
 - data/sumomo/custom_resources/TempS3Bucket.js
-- data/sumomo/custom_resources/USEastCertificate.js
-- data/sumomo/custom_resources/USEastCertificateWaiter.js
 - data/sumomo/sources/spot-watcher-poller.sh
 - data/sumomo/sources/spot-watcher.sh
 - exe/sumomo