sumomo 0.8.8 → 0.8.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d6c9e1fb485114c6de088d53aaded28ef9f4784451a1e857bd74263845751106
-  data.tar.gz: 9175909b6a136b65ccfec51694ed522377701d1b3be6d2ea21b6c9ede34809ad
+  metadata.gz: f1e4cdfef8da13f712a3b71c67b94462d70b0deddcb96bb53d9d2fca00dce3c4
+  data.tar.gz: 720f5367efd7db19b35f53d849a247dc78bd2284b6737d8bb6592cd0e546d986
 SHA512:
-  metadata.gz: 633e4223e5a4e1ef5a26e72c5915cc26812db19f059a78e379a0865516ab14aeee9d67bd54d075b693ceab43c935165172b77b7eb810a1a3e673f2b564e3b764
-  data.tar.gz: ce98bc4eccd81a39ad8ef2cb1970e5ad8467f06504b84f4bfb16334b2d1106586da49014906cd21b9ee88ba1e685a7e69f9002627b15bc5dad0661bdd5f66cad
+  metadata.gz: 5586092e335a09c3ac66a5ce182b7e7a400546fbc95434e04362d97edd0d661888aad6dfb2e1c52f2f278a6f2edcc5bfebbd9acf3f787ab4c9697eb6ad9f8dfa
+  data.tar.gz: e0176d27503349f870de91783a2990f23c2873ad545185788cfa51ce44ad4bbff0799634266381f87b3af7e0cb8f4955c01f8bdb85d76c33a14f6526a2178621

data/data/sumomo/custom_resources/{USEastCertificate.js → ACMCertificate.js}

@@ -1,4 +1,6 @@
-var acm = new aws.ACM({region: "us-east-1"}); // MUST be us-east-1.
+var cert_region = request.ResourceProperties.RegionOverride || request.ResourceProperties.Region;
+
+var acm = new aws.ACM({region: cert_region});
 
 var return_properties = {};
 
@@ -66,9 +68,12 @@ function create(domain_name, on_success, on_fail)
     DomainValidationOptions: [
       {
         DomainName: domain_name,
-        ValidationDomain: extractRootDomain(domain_name)
+        ValidationDomain: extractRootDomain(domain_name),
       },
-    ]
+    ],
+    Options: {
+      CertificateTransparencyLoggingPreference: 'ENABLED'
+    }
   }
 
   if (request.ResourceProperties.ValidationMethod === "DNS")

data/data/sumomo/custom_resources/{USEastCertificateWaiter.js → ACMCertificateWaiter.js}

@@ -1,4 +1,6 @@
-var acm = new aws.ACM({region: "us-east-1"}); // MUST be us-east-1.
+var cert_region = request.ResourceProperties.RegionOverride || request.ResourceProperties.Region;
+
+var acm = new aws.ACM({region: cert_region});
 
 var arn = request.ResourceProperties.Certificate;
 

data/data/sumomo/custom_resources/AMILookup.js

@@ -144,9 +144,9 @@ var typeToArch = {
 }
 
 var archToAMINamePattern = {
-  "PV64": "amzn-ami-pv*.x86_64-ebs",
-  "HVM64": "amzn-ami-hvm*.x86_64-gp2",
-  "HVMG2": "amzn-ami-graphics-hvm-*x86_64-ebs*"
+  "PV64": "amzn-ami-pv*x86_64-ebs",
+  "HVM64": "amzn2-ami-hvm-2.0.*x86_64-gp2",
+  "HVMG2": "amzn2-ami-graphics-hvm-2.0.*x86_64-ebs*"
 };
 
 var ec2 = new aws.EC2({region: request.ResourceProperties.Region});
@@ -174,7 +174,7 @@ ec2.describeImages(describeImagesParams, function(err, describeImagesResult)
     var response = {}
     var id = "NONE";
     var images = describeImagesResult.Images;
-    // Sort images by name in decscending order. The names contain the AMI version, formatted as YYYY.MM.Ver.
+    // Sort images by name in descending order. The names contain the AMI version, formatted as YYYY.MM.Ver.
     images.sort(function(x, y) { return y.Name.localeCompare(x.Name); });
     for (var j = 0; j < images.length; j++)
     {

data/exe/sumomo

@@ -30,7 +30,7 @@ cmd_opts = case cmd
            when 'delete'
              Sumomo.delete_stack(name: ARGV[0], region: global_opts[:region])
 
-           when 'create', 'update'
+           when 'create'
              local_opts = Trollop.options do
                opt :filename, 'File that describes the stack', type: :string, default: 'Sumomofile'
              end
@@ -39,6 +39,16 @@ cmd_opts = case cmd
                eval File.read(local_opts[:filename]), proc.binding, local_opts[:filename]
              end
 
+           when 'update'
+             local_opts = Trollop.options do
+               opt :filename, 'File that describes the stack', type: :string, default: 'Sumomofile'
+               opt :changeset, 'Create a changeset instead of directly update', type: :boolean, default: false
+             end
+             Sumomo.update_stack(name: ARGV[0], changeset: !!local_opts[:changeset], region: global_opts[:region]) do
+               proc = proc {}
+               eval File.read(local_opts[:filename]), proc.binding, local_opts[:filename]
+             end
+
            when 'outputs'
              puts "Outputs for stack #{ARGV[0]}"
              puts Sumomo.get_stack_outputs(name: ARGV[0], region: global_opts[:region]).to_yaml
@@ -49,7 +59,7 @@ cmd_opts = case cmd
              key = JSON.parse(File.read('x.txt'))['value']
              File.write('key.pem', key)
              `chmod 0600 key.pem`
-             exec "ssh -i 'key.pem' ec2-user@#{ARGV[1]}"
+             exec "ssh -i 'key.pem' ec2-user@#{ARGV[1]} #{ARGV[2]}"
 
            when 'testapi'
              local_opts = Trollop.options do

data/lib/sumomo/api.rb

@@ -159,9 +159,45 @@ module Sumomo
       end
     end
 
-    def make_api(domain_name, name:, script: nil, dns: nil, cert: nil, with_statements: [], &block)
+    def make_api(
+        domain_name,
+        name:,
+        script: nil,
+        dns: nil,
+        cert: nil,
+        mtls_truststore: nil,
+        logging: true,
+        with_statements: [], &block)
+
       api = make 'AWS::ApiGateway::RestApi', name: name do
         Name name
+        DisableExecuteApiEndpoint true
+      end
+
+      if logging
+        cloudwatchRole = make 'AWS::IAM::Role', name: "#{name}LoggingRole" do
+          AssumeRolePolicyDocument do
+            Version "2012-10-17"
+            Statement [
+              {
+                "Effect" => "Allow",
+                "Principal" => {
+                  "Service" => [
+                    "apigateway.amazonaws.com"
+                  ]
+                },
+                "Action" => "sts:AssumeRole"
+              }
+            ]
+          end
+          Path '/'
+          ManagedPolicyArns [ "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" ]
+        end
+
+        make 'AWS::ApiGateway::Account' do
+          depends_on api
+          CloudWatchRoleArn cloudwatchRole.Arn
+        end
       end
 
       script ||= File.read(File.join(Gem.loaded_specs['sumomo'].full_gem_path, 'data', 'sumomo', 'api_modules', 'real_script.js'))
@@ -183,7 +219,10 @@ module Sumomo
 
       files += [{ name: 'index.js', code: script }]
 
-      fun = make_lambda(name: "#{name}Lambda#{@version_number}", files: files, with_statements: with_statements)
+      fun = make_lambda(
+        name: "#{name}Lambda#{@version_number}",
+        files: files, 
+        role: custom_resource_exec_role(with_statements: with_statements) )
 
       resource = make 'AWS::ApiGateway::Resource', name: "#{name}Resource" do
         ParentId api.RootResourceId
@@ -230,18 +269,79 @@ module Sumomo
       stage = make 'AWS::ApiGateway::Stage', name: "#{name}Stage" do
         RestApiId api
         DeploymentId deployment
-        StageName 'test'
+
+        if logging
+          MethodSettings [ 
+            {
+              "ResourcePath" => "/*",
+              "HttpMethod" => "*",
+              "DataTraceEnabled" => true,
+              "LoggingLevel" => 'INFO'
+            }
+          ]
+        end
       end
 
       root_name = /(?<root_name>[^.]+\.[^.]+)$/.match(domain_name)[:root_name]
 
-      cert ||= make 'Custom::USEastCertificate', name: "#{name}Certificate" do
-        DomainName domain_name
+      certificate_completion = cert
+
+      bucket_name = @bucket_name
+      mtls = nil
+      if mtls_truststore
+        filename = "#{domain_name}.truststore.pem"
+        upload_file(filename, mtls_truststore)
+        truststore_uri = "s3://#{bucket_name}/uploads/#{filename}"
+        mtls = {
+          "TruststoreUri" => truststore_uri
+        }
       end
 
-      domain = make 'Custom::APIDomainName', name: "#{name}DomainName" do
+      if cert.nil?
+        cert = make 'Custom::ACMCertificate', name: "#{name}Certificate" do
+          DomainName domain_name
+          ValidationMethod 'DNS' if dns[:type] == :route53
+          RegionOverride 'us-east-1' if !mtls
+        end
+
+        certificate_completion = cert
+
+        if dns[:type] == :route53
+          make 'AWS::Route53::RecordSet', name: "#{name}CertificateRoute53Entry" do
+            HostedZoneId dns[:hosted_zone]
+            Name cert.RecordName
+            Type cert.RecordType
+            TTL 60
+            ResourceRecords [cert.RecordValue]
+          end
+
+          cert_waiter = make 'Custom::ACMCertificateWaiter', name: "#{name}CertificateWaiter" do
+            Certificate cert
+            RegionOverride 'us-east-1' if !mtls
+          end
+
+          certificate_completion = cert_waiter
+        end
+      end
+
+      domain = make 'AWS::ApiGateway::DomainName', name: "#{name}DomainName" do
+        depends_on certificate_completion
+
         DomainName domain_name
-        CertificateArn cert
+
+        if mtls != nil
+          RegionalCertificateArn cert
+          MutualTlsAuthentication mtls
+          SecurityPolicy 'TLS_1_2'
+          EndpointConfiguration do
+            Types [ 'REGIONAL' ]
+          end
+        else
+          CertificateArn cert
+          EndpointConfiguration do
+            Types [ 'EDGE' ]
+          end
+        end
       end
 
       make 'AWS::ApiGateway::BasePathMapping', name: "#{name}BasePathMapping" do
@@ -264,8 +364,19 @@ module Sumomo
         make 'AWS::Route53::RecordSet', name: "#{name}Route53Entry" do
           HostedZoneId dns[:hosted_zone]
           Name domain_name
-          Type 'CNAME'
-          ResourceRecords [call('Fn::Join', '', [api, '.execute-api.', ref('AWS::Region'), '.amazonaws.com'])]
+
+          if mtls != nil
+            Type 'A'
+            AliasTarget do
+              DNSName domain.RegionalDomainName
+              HostedZoneId domain.RegionalHostedZoneId
+            end
+          else
+            Type 'A'
+            AliasTarget do
+              DNSName domain.DistributionDomainName
+              HostedZoneId domain.DistributionHostedZoneId
+            end          end
         end
         domain_name
       else

data/lib/sumomo/ec2.rb

@@ -254,6 +254,7 @@ module Sumomo
       has_public_ips: true,
       ingress: nil,
       egress: nil,
+      security_groups: [],
       machine_tag: nil,
       ec2_sns_arn: nil,
       ami_name: nil,
@@ -297,10 +298,12 @@ module Sumomo
 
       bucket_name = @bucket_name
 
-      script += "\n#{task_script}\n"
+      script_arr = [script]
+
+      script_arr << task_script
 
       if ecs_cluster
-        script += <<~ECS_START
+        script_arr << <<~ECS_START
 
           yum update
           yum groupinstall "Development Tools"
@@ -318,12 +321,12 @@ module Sumomo
       end
 
       if eip
-        script += <<~EIP_ALLOCATE
+        script_arr << <<~EIP_ALLOCATE
           aws ec2 associate-address --region `cat /etc/aws_region` --instance-id `curl http://169.254.169.254/latest/meta-data/instance-id` --allocation-id `cat /etc/eip_allocation_id`
         EIP_ALLOCATE
       end
 
-      script += "\nservice spot-watcher start" if spot_price && ec2_sns_arn
+      script_arr << "service spot-watcher start" if(spot_price && ec2_sns_arn)
 
       unless ingress.is_a? Array
         raise 'ec2: ingress option needs to be an array'
@@ -339,7 +342,7 @@ module Sumomo
 
       wait_handle = make 'AWS::CloudFormation::WaitConditionHandle'
 
-      user_data = initscript(wait_handle, name, script)
+      user_data = initscript(wait_handle, name, call('Fn::Join', "\n", script_arr))
 
       role_policy_doc = {
         'Version' => '2012-10-17',
@@ -407,7 +410,7 @@ module Sumomo
       launch_config = make 'AWS::AutoScaling::LaunchConfiguration' do
         AssociatePublicIpAddress has_public_ips
         KeyName keypair
-        SecurityGroups [web_sec_group]
+        SecurityGroups [web_sec_group] + security_groups
         ImageId ami_name
         UserData user_data
         InstanceType type

data/lib/sumomo/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sumomo
-  VERSION = '0.8.8'
+  VERSION = '0.8.12'
 end

data/lib/sumomo.rb

@@ -26,7 +26,17 @@ module Sumomo
     "cloudformation/#{make_master_key_name(name: name)}.pem"
   end
 
-  def self.update_stack(name:, region:, sns_arn: nil, &block)
+  def self.create_stack(name:, region:, sns_arn: nil, &block)
+    cf = Aws::CloudFormation::Client.new(region: region)
+    begin
+      cf.describe_stacks(stack_name: name)
+      raise "There is already a stack named '#{name}'"
+    rescue Aws::CloudFormation::Errors::ValidationError
+      update_stack(name: name, region: region, sns_arn: sns_arn, &block)
+    end
+  end
+
+  def self.update_stack(name:, region:, sns_arn: nil, changeset: false, &block)
     cf = Aws::CloudFormation::Client.new(region: region)
     s3 = Aws::S3::Client.new(region: region)
     ec2 = Aws::EC2::Client.new(region: region)
@@ -111,7 +121,15 @@ module Sumomo
     }
 
     begin
-      cf.update_stack(update_options)
+      if changeset
+        cf.create_change_set(
+          **update_options,
+          change_set_name: "Change#{curtimestr}"
+        )
+      else
+        cf.update_stack(update_options)
+      end
+
     rescue StandardError => e
       if e.message.end_with? 'does not exist'
         update_options[:timeout_in_minutes] = @timeout if @timeout
@@ -124,6 +142,10 @@ module Sumomo
     end
   end
 
+  def self.curtimestr
+    Time.now.strftime('%Y%m%d%H%M%S')
+  end
+
   def self.wait_for_stack(name:, region:)
     cf = Aws::CloudFormation::Client.new(region: region)
 
@@ -187,7 +209,14 @@ module Sumomo
       instance_eval(&block)
     end
 
-    def make_api(_domain_name, name:, script: nil, dns: nil, cert: nil, with_statements: [], &block)
+    def make_api(_domain_name,
+      name:, script: nil,
+      dns: nil,
+      mtls_truststore: nil,
+      cert: nil,
+      with_statements: [], &block)
+
+      # we ignore mtls_truststore here
       @apis[name] = block
     end
 
@@ -249,6 +278,4 @@ module Sumomo
 
     map
   end
-
-  singleton_class.send(:alias_method, :create_stack, :update_stack)
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sumomo
 version: !ruby/object:Gem::Version
-  version: 0.8.8
+  version: 0.8.12
 platform: ruby
 authors:
 - David Siaw
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-04-23 00:00:00.000000000 Z
+date: 2021-08-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -2516,6 +2516,8 @@ files:
 - data/sumomo/api_modules/real_script.js
 - data/sumomo/api_modules/test_script.js
 - data/sumomo/custom_resource_utils.js
+- data/sumomo/custom_resources/ACMCertificate.js
+- data/sumomo/custom_resources/ACMCertificateWaiter.js
 - data/sumomo/custom_resources/AMILookup.js
 - data/sumomo/custom_resources/APIDomainName.js
 - data/sumomo/custom_resources/AvailabilityZones.js
@@ -2526,8 +2528,6 @@ files:
 - data/sumomo/custom_resources/OriginAccessIdentity.js
 - data/sumomo/custom_resources/SelectSpot.js
 - data/sumomo/custom_resources/TempS3Bucket.js
-- data/sumomo/custom_resources/USEastCertificate.js
-- data/sumomo/custom_resources/USEastCertificateWaiter.js
 - data/sumomo/sources/spot-watcher-poller.sh
 - data/sumomo/sources/spot-watcher.sh
 - exe/sumomo
@@ -2548,7 +2548,7 @@ homepage: https://github.com/davidsiaw/sumomo
 licenses: []
 metadata:
   allowed_push_host: https://rubygems.org
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -2563,8 +2563,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: An advanced infrastructure description language for AWS
 test_files: []