sumomo 0.8.10 → 0.8.14

data/exe/sumomo

@@ -30,11 +30,21 @@ cmd_opts = case cmd
            when 'delete'
              Sumomo.delete_stack(name: ARGV[0], region: global_opts[:region])
 
-           when 'create', 'update'
+           when 'create'
              local_opts = Trollop.options do
                opt :filename, 'File that describes the stack', type: :string, default: 'Sumomofile'
              end
-             Sumomo.send("#{cmd}_stack", name: ARGV[0], region: global_opts[:region]) do
+             Sumomo.create_stack(name: ARGV[0], region: global_opts[:region]) do
+               proc = proc {}
+               eval File.read(local_opts[:filename]), proc.binding, local_opts[:filename]
+             end
+
+           when 'update'
+             local_opts = Trollop.options do
+               opt :filename, 'File that describes the stack', type: :string, default: 'Sumomofile'
+               opt :changeset, 'Create a changeset instead of directly update', type: :boolean, default: false
+             end
+             Sumomo.update_stack(name: ARGV[0], changeset: !!local_opts[:changeset], region: global_opts[:region]) do
                proc = proc {}
                eval File.read(local_opts[:filename]), proc.binding, local_opts[:filename]
              end
@@ -46,7 +56,10 @@ cmd_opts = case cmd
            when 'login'
              puts "Login to stack #{ARGV[0]} instance at #{ARGV[1]}"
              `aws s3 cp s3://#{ARGV[0]}/cloudformation/#{ARGV[0]}_master_key.pem x.txt`
-             key = JSON.parse(File.read('x.txt'))['value']
+             key = JSON.parse(File.read('x.txt'))['value'].
+              gsub('-----BEGIN RSA PRIVATE KEY----- ', "-----BEGIN RSA PRIVATE KEY-----\n").
+              gsub(' -----END RSA PRIVATE KEY-----', "\n-----END RSA PRIVATE KEY-----").
+              gsub(/(.{64}) /, "\\1\n")
              File.write('key.pem', key)
              `chmod 0600 key.pem`
              exec "ssh -i 'key.pem' ec2-user@#{ARGV[1]} #{ARGV[2]}"

data/lib/sumomo/api.rb

@@ -159,9 +159,45 @@ module Sumomo
       end
     end
 
-    def make_api(domain_name, name:, script: nil, dns: nil, cert: nil, with_statements: [], &block)
+    def make_api(
+        domain_name,
+        name:,
+        script: nil,
+        dns: nil,
+        cert: nil,
+        mtls_truststore: nil,
+        logging: true,
+        with_statements: [], &block)
+
       api = make 'AWS::ApiGateway::RestApi', name: name do
         Name name
+        DisableExecuteApiEndpoint true
+      end
+
+      if logging
+        cloudwatchRole = make 'AWS::IAM::Role', name: "#{name}LoggingRole" do
+          AssumeRolePolicyDocument do
+            Version "2012-10-17"
+            Statement [
+              {
+                "Effect" => "Allow",
+                "Principal" => {
+                  "Service" => [
+                    "apigateway.amazonaws.com"
+                  ]
+                },
+                "Action" => "sts:AssumeRole"
+              }
+            ]
+          end
+          Path '/'
+          ManagedPolicyArns [ "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" ]
+        end
+
+        make 'AWS::ApiGateway::Account' do
+          depends_on api
+          CloudWatchRoleArn cloudwatchRole.Arn
+        end
       end
 
       script ||= File.read(File.join(Gem.loaded_specs['sumomo'].full_gem_path, 'data', 'sumomo', 'api_modules', 'real_script.js'))
@@ -183,7 +219,10 @@ module Sumomo
 
       files += [{ name: 'index.js', code: script }]
 
-      fun = make_lambda(name: "#{name}Lambda#{@version_number}", files: files, with_statements: with_statements)
+      fun = make_lambda(
+        name: "#{name}Lambda#{@version_number}",
+        files: files, 
+        role: custom_resource_exec_role(with_statements: with_statements) )
 
       resource = make 'AWS::ApiGateway::Resource', name: "#{name}Resource" do
         ParentId api.RootResourceId
@@ -230,18 +269,79 @@ module Sumomo
       stage = make 'AWS::ApiGateway::Stage', name: "#{name}Stage" do
         RestApiId api
         DeploymentId deployment
-        StageName 'test'
+
+        if logging
+          MethodSettings [ 
+            {
+              "ResourcePath" => "/*",
+              "HttpMethod" => "*",
+              "DataTraceEnabled" => true,
+              "LoggingLevel" => 'INFO'
+            }
+          ]
+        end
       end
 
       root_name = /(?<root_name>[^.]+\.[^.]+)$/.match(domain_name)[:root_name]
 
-      cert ||= make 'Custom::USEastCertificate', name: "#{name}Certificate" do
-        DomainName domain_name
+      certificate_completion = cert
+
+      bucket_name = @bucket_name
+      mtls = nil
+      if mtls_truststore
+        filename = "#{domain_name}.truststore.pem"
+        upload_file(filename, mtls_truststore)
+        truststore_uri = "s3://#{bucket_name}/uploads/#{filename}"
+        mtls = {
+          "TruststoreUri" => truststore_uri
+        }
       end
 
-      domain = make 'Custom::APIDomainName', name: "#{name}DomainName" do
+      if cert.nil?
+        cert = make 'Custom::ACMCertificate', name: "#{name}Certificate" do
+          DomainName domain_name
+          ValidationMethod 'DNS' if dns[:type] == :route53
+          RegionOverride 'us-east-1' if !mtls
+        end
+
+        certificate_completion = cert
+
+        if dns[:type] == :route53
+          make 'AWS::Route53::RecordSet', name: "#{name}CertificateRoute53Entry" do
+            HostedZoneId dns[:hosted_zone]
+            Name cert.RecordName
+            Type cert.RecordType
+            TTL 60
+            ResourceRecords [cert.RecordValue]
+          end
+
+          cert_waiter = make 'Custom::ACMCertificateWaiter', name: "#{name}CertificateWaiter" do
+            Certificate cert
+            RegionOverride 'us-east-1' if !mtls
+          end
+
+          certificate_completion = cert_waiter
+        end
+      end
+
+      domain = make 'AWS::ApiGateway::DomainName', name: "#{name}DomainName" do
+        depends_on certificate_completion
+
         DomainName domain_name
-        CertificateArn cert
+
+        if mtls != nil
+          RegionalCertificateArn cert
+          MutualTlsAuthentication mtls
+          SecurityPolicy 'TLS_1_2'
+          EndpointConfiguration do
+            Types [ 'REGIONAL' ]
+          end
+        else
+          CertificateArn cert
+          EndpointConfiguration do
+            Types [ 'EDGE' ]
+          end
+        end
       end
 
       make 'AWS::ApiGateway::BasePathMapping', name: "#{name}BasePathMapping" do
@@ -264,8 +364,19 @@ module Sumomo
         make 'AWS::Route53::RecordSet', name: "#{name}Route53Entry" do
           HostedZoneId dns[:hosted_zone]
           Name domain_name
-          Type 'CNAME'
-          ResourceRecords [call('Fn::Join', '', [api, '.execute-api.', ref('AWS::Region'), '.amazonaws.com'])]
+
+          if mtls != nil
+            Type 'A'
+            AliasTarget do
+              DNSName domain.RegionalDomainName
+              HostedZoneId domain.RegionalHostedZoneId
+            end
+          else
+            Type 'A'
+            AliasTarget do
+              DNSName domain.DistributionDomainName
+              HostedZoneId domain.DistributionHostedZoneId
+            end          end
         end
         domain_name
       else

data/lib/sumomo/ec2.rb

@@ -96,6 +96,7 @@ module Sumomo
            call('Fn::Join', '', [
 
                   "#!/bin/bash -v\n",
+                  "yum install -y aws-cfn-bootstrap\n",
                   "yum update -y aws-cfn-bootstrap\n",
 
                   "# Helper function\n",
@@ -510,7 +511,7 @@ module Sumomo
 
         if ecs_cluster
           ecs_config = <<~CONFIG
-            ECS_CLUSTER={{cluster_name}}
+            ECS_CLUSTER={{ cluster_name }}
             ECS_ENGINE_AUTH_TYPE=docker
             ECS_ENGINE_AUTH_DATA={"https://index.docker.io/v1/":{"username":"{{docker_username}}","password":"{{docker_password}}","email":"{{docker_email}}"}}
           CONFIG

data/lib/sumomo/stack.rb

@@ -23,9 +23,10 @@ module Sumomo
                     description: "Lambda Function in #{@bucket_name}",
                     function_key: "cloudformation/lambda/function_#{name}",
                     handler: 'index.handler',
-                    runtime: 'nodejs10.x',
+                    runtime: 'nodejs14.x',
                     memory_size: 128,
                     timeout: 30,
+                    enable_logging: true,
                     role: nil)
 
       name ||= make_default_resource_name('Lambda')
@@ -59,9 +60,11 @@ module Sumomo
         Role role.Arn
       end
 
-      log_group = make 'AWS::Logs::LogGroup', name: "#{name}LogGroup" do
-        LogGroupName call('Fn::Join', '', ['/aws/lambda/', fun])
-        RetentionInDays 30
+      if enable_logging
+        make 'AWS::Logs::LogGroup', name: "#{name}LogGroup" do
+          LogGroupName call('Fn::Join', '', ['/aws/lambda/', fun])
+          RetentionInDays 30
+        end
       end
 
       fun

data/lib/sumomo/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sumomo
-  VERSION = '0.8.10'
+  VERSION = '0.8.14'
 end

data/lib/sumomo.rb

@@ -36,7 +36,7 @@ module Sumomo
     end
   end
 
-  def self.update_stack(name:, region:, sns_arn: nil, &block)
+  def self.update_stack(name:, region:, sns_arn: nil, changeset: false, &block)
     cf = Aws::CloudFormation::Client.new(region: region)
     s3 = Aws::S3::Client.new(region: region)
     ec2 = Aws::EC2::Client.new(region: region)
@@ -117,11 +117,20 @@ module Sumomo
       stack_name: name,
       template_url: store.url('cloudformation/template'),
       parameters: hidden_values,
+      disable_rollback: false,
       capabilities: ['CAPABILITY_IAM']
     }
 
     begin
-      cf.update_stack(update_options)
+      if changeset
+        cf.create_change_set(
+          **update_options,
+          change_set_name: "Change#{curtimestr}"
+        )
+      else
+        cf.update_stack(update_options)
+      end
+
     rescue StandardError => e
       if e.message.end_with? 'does not exist'
         update_options[:timeout_in_minutes] = @timeout if @timeout
@@ -134,6 +143,10 @@ module Sumomo
     end
   end
 
+  def self.curtimestr
+    Time.now.strftime('%Y%m%d%H%M%S')
+  end
+
   def self.wait_for_stack(name:, region:)
     cf = Aws::CloudFormation::Client.new(region: region)
 
@@ -197,7 +210,14 @@ module Sumomo
       instance_eval(&block)
     end
 
-    def make_api(_domain_name, name:, script: nil, dns: nil, cert: nil, with_statements: [], &block)
+    def make_api(_domain_name,
+      name:, script: nil,
+      dns: nil,
+      mtls_truststore: nil,
+      cert: nil,
+      with_statements: [], &block)
+
+      # we ignore mtls_truststore here
       @apis[name] = block
     end
 

data/sumomo.gemspec

@@ -27,15 +27,17 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.11'
-  spec.add_development_dependency 'rake', '~> 10.0'
-  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
 
   spec.add_dependency 'activesupport'
-  spec.add_dependency 'aws-sdk', '~> 2'
+  spec.add_dependency 'aws-sdk', '~> 3'
+  spec.add_dependency 'ox'
   spec.add_dependency 'hashie'
   spec.add_dependency 'momo', '0.4.1'
   spec.add_dependency 'rubyzip'
   spec.add_dependency 's3cabinet'
   spec.add_dependency 'trollop'
+  spec.add_dependency 'webrick'
 end