terrafying-components 1.11.15 → 1.11.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. checksums.yaml +4 -4
  2. data/lib/hash/merge_with_arrays.rb +2 -0
  3. data/lib/terrafying/components.rb +1 -0
  4. data/lib/terrafying/components/auditd.rb +7 -7
  5. data/lib/terrafying/components/ca.rb +17 -21
  6. data/lib/terrafying/components/dynamicset.rb +103 -116
  7. data/lib/terrafying/components/endpoint.rb +32 -41
  8. data/lib/terrafying/components/endpointservice.rb +15 -21
  9. data/lib/terrafying/components/ignition.rb +42 -49
  10. data/lib/terrafying/components/instance.rb +56 -55
  11. data/lib/terrafying/components/instanceprofile.rb +35 -44
  12. data/lib/terrafying/components/letsencrypt.rb +60 -71
  13. data/lib/terrafying/components/loadbalancer.rb +43 -43
  14. data/lib/terrafying/components/ports.rb +12 -11
  15. data/lib/terrafying/components/prometheus.rb +124 -95
  16. data/lib/terrafying/components/selfsignedca.rb +90 -104
  17. data/lib/terrafying/components/service.rb +41 -51
  18. data/lib/terrafying/components/staticset.rb +58 -68
  19. data/lib/terrafying/components/subnet.rb +21 -31
  20. data/lib/terrafying/components/templates/ignition.yaml +26 -5
  21. data/lib/terrafying/components/usable.rb +78 -92
  22. data/lib/terrafying/components/version.rb +3 -1
  23. data/lib/terrafying/components/vpc.rb +181 -209
  24. data/lib/terrafying/components/vpn.rb +136 -156
  25. data/lib/terrafying/components/zone.rb +38 -48
  26. metadata +6 -6
data/lib/terrafying/components/ports.rb CHANGED
@@ -1,10 +1,11 @@
1
+ # frozen_string_literal: true
1
2
 
2
3
  PORT_NAMES = {
3
- 22 => "ssh",
4
- 80 => "http",
5
- 443 => "https",
6
- 1194 => "openvpn",
7
- }
4
+ 22 => 'ssh',
5
+ 80 => 'http',
6
+ 443 => 'https',
7
+ 1194 => 'openvpn'
8
+ }.freeze
8
9
 
9
10
  def enrich_ports(ports)
10
11
  ports = add_upstream_downstream(ports)
@@ -14,9 +15,7 @@ end
14
15
 
15
16
  def add_upstream_downstream(ports)
16
17
  ports.map do |port|
17
- if port.is_a?(Numeric)
18
- port = { upstream_port: port, downstream_port: port }
19
- end
18
+ port = { upstream_port: port, downstream_port: port } if port.is_a?(Numeric)
20
19
 
21
20
  if port.key?(:number)
22
21
  port[:upstream_port] = port[:number]
@@ -53,18 +52,20 @@ def add_names(ports)
53
52
  ports.map do |port|
54
53
  {
55
54
  type: 'tcp',
56
- name: PORT_NAMES.fetch(port[:upstream_port], port[:upstream_port].to_s),
55
+ name: PORT_NAMES.fetch(port[:upstream_port], port[:upstream_port].to_s)
57
56
  }.merge(port)
58
57
  end
59
58
  end
60
59
 
61
60
  def from_port(port)
62
61
  return port unless port_range?(port)
62
+
63
63
  port.split('-').first.to_i
64
64
  end
65
65
 
66
66
  def to_port(port)
67
67
  return port unless port_range?(port)
68
+
68
69
  port.split('-').last.to_i
69
70
  end
70
71
 
@@ -73,9 +74,9 @@ def port_range?(port)
73
74
  end
74
75
 
75
76
  def is_l4_port(port)
76
- port[:type] == "tcp" || port[:type] == "udp"
77
+ port[:type] == 'tcp' || port[:type] == 'udp'
77
78
  end
78
79
 
79
80
  def is_l7_port(port)
80
- port[:type] == "http" || port[:type] == "https"
81
+ port[:type] == 'http' || port[:type] == 'https'
81
82
  end
data/lib/terrafying/components/prometheus.rb CHANGED
@@ -22,7 +22,10 @@ module Terrafying
22
22
  thanos_name: 'thanos',
23
23
  thanos_version: 'v0.4.0',
24
24
  prom_name: 'prometheus',
25
- prom_version: 'v2.9.2'
25
+ prom_version: 'v2.9.2',
26
+ instances: 2,
27
+ instance_type: 't3a.small',
28
+ instance_cpu_credits: 'standard'
26
29
  )
27
30
  super()
28
31
  @vpc = vpc
@@ -30,81 +33,104 @@ module Terrafying
30
33
  @thanos_version = thanos_version
31
34
  @prom_name = prom_name
32
35
  @prom_version = prom_version
36
+ @instances = instances
37
+ @instance_type = instance_type
38
+ @instance_cpu_credits = instance_cpu_credits
33
39
  end
34
40
 
35
41
  def find
36
42
  @security_group = aws.security_group_in_vpc(
37
43
  @vpc.id,
38
- "dynamicset-#{@vpc.name}-#{@prom_name}"
44
+ "staticset-#{@vpc.name}-#{@prom_name}"
39
45
  )
40
46
  end
41
47
 
42
48
  def create
43
- thanos_peers = @vpc.zone.qualify(@thanos_name)
44
-
45
- @thanos = create_thanos(thanos_peers)
49
+ prometheus_thanos_sidecar_hostname = tf_safe(@prom_name)
50
+ prometheus_thanos_sidecar_srv_fqdn = "_grpc._tcp.#{@vpc.zone.qualify prometheus_thanos_sidecar_hostname}"
51
+ @instance_vcpu_count = aws.instance_type_vcpu_count(@instance_type)
52
+ @thanos = create_thanos(prometheus_thanos_sidecar_srv_fqdn)
46
53
  create_thanos_cloudwatch_alert(@thanos)
47
54
 
48
- @prometheus = create_prom(thanos_peers)
55
+ @prometheus = create_prom
56
+
49
57
  @security_group = @prometheus.egress_security_group
50
- create_prometheus_cloudwatch_alert(@prometheus)
51
- allow_thanos_gossip(@prometheus.egress_security_group)
58
+ # Allow thanos-query connections to thanos-sidecar on prometheus instances
59
+ @vpc.zone.add_srv_in(self, prometheus_thanos_sidecar_hostname, 'grpc', 10_901, 'tcp', @prom_service.domain_names.drop(1))
60
+
61
+ allow_prometheus_thanos_sidecar_grpc(@prometheus.egress_security_group, @thanos.security_group)
52
62
 
53
63
  @prometheus.used_by_cidr(@vpc.cidr)
54
64
  @thanos.used_by_cidr(@vpc.cidr)
55
65
  end
56
66
 
57
- def create_prom(thanos_peers)
58
- add! Terrafying::Components::Service.create_in(
67
+ def create_prom
68
+ @prom_service = add! Terrafying::Components::Service.create_in(
59
69
  @vpc, @prom_name,
60
70
  ports: [
61
71
  {
62
- type: 'http',
63
- number: 9090,
64
- health_check: { path: '/status', protocol: 'HTTP' }
72
+ type: 'tcp',
73
+ number: 9090
74
+ },
75
+ {
76
+ type: 'tcp',
77
+ number: 10_902
65
78
  }
66
79
  ],
67
- instance_type: 'm5.large',
80
+ instance_type: @instance_type,
81
+ cpu_credits: @instance_cpu_credits,
68
82
  iam_policy_statements: thanos_store_access,
69
- instances: { max: 3, min: 1, desired: 2 },
70
- units: [prometheus_unit, thanos_sidecar_unit(thanos_peers)],
71
- files: [prometheus_conf, thanos_bucket]
83
+ instances: [{}] * @instances,
84
+ units: [prometheus_unit, thanos_sidecar_unit],
85
+ files: [prometheus_conf, thanos_bucket],
86
+ tags: {
87
+ prometheus_port: 9090,
88
+ prometheus_path: '/metrics',
89
+ prometheus_port_0: 10_902,
90
+ prometheus_path_0: '/metrics'
91
+ }
72
92
  )
73
93
  end
74
94
 
75
- def allow_thanos_gossip(security_group)
76
- rule_ident = Digest::SHA2.hexdigest("#{security_group}-thanos-#{@vpc.name}")[0..24]
77
- resource :aws_security_group_rule, rule_ident, {
78
- security_group_id: security_group,
79
- type: 'ingress',
80
- from_port: 10900,
81
- to_port: 10902,
82
- protocol: 'tcp',
83
- cidr_blocks: [@vpc.cidr]
84
- }
95
+ def allow_prometheus_thanos_sidecar_grpc(security_group, source_security_group)
96
+ rule_ident = Digest::SHA2.hexdigest([security_group, source_security_group, @vpc.name, 'thanos-sidecar'].join('-'))[0..24]
97
+ resource :aws_security_group_rule, rule_ident,
98
+ security_group_id: security_group,
99
+ type: 'ingress',
100
+ from_port: 10_901,
101
+ to_port: 10_901,
102
+ protocol: 'tcp',
103
+ source_security_group_id: source_security_group
85
104
  end
86
105
 
87
- def create_thanos(thanos_peers)
88
- add! Terrafying::Components::Service.create_in(
106
+ def create_thanos(prometheus_thanos_sidecar_srv_fqdn)
107
+ @thanos_service = add! Terrafying::Components::Service.create_in(
89
108
  @vpc, @thanos_name,
90
109
  ports: [
91
110
  {
92
- number: 10902,
111
+ number: 10_902,
93
112
  health_check: {
94
- path: '/status',
95
- protocol: 'HTTP'
113
+ protocol: 'HTTP',
114
+ path: '/-/healthy'
96
115
  }
97
116
  },
98
117
  {
99
- number: 10901
100
- },
101
- {
102
- number: 10900
118
+ number: 10_901,
119
+ health_check: {
120
+ protocol: 'TCP'
121
+ }
103
122
  }
104
123
  ],
105
- instance_type: 't3.medium',
106
- units: [thanos_unit(thanos_peers)],
107
- instances: { max: 3, min: 1, desired: 2 }
124
+ instance_type: @instance_type,
125
+ cpu_credits: @instance_cpu_credits,
126
+ units: [thanos_unit(prometheus_thanos_sidecar_srv_fqdn)],
127
+ instances: [{}] * @instances,
128
+ loadbalancer: true,
129
+ metrics_ports: [10_902],
130
+ tags: {
131
+ prometheus_port: 10_902,
132
+ prometheus_path: '/metrics'
133
+ }
108
134
  )
109
135
  end
110
136
 
@@ -134,7 +160,12 @@ module Terrafying
134
160
  --storage.tsdb.retention.time=1d \
135
161
  --storage.tsdb.min-block-duration=2h \
136
162
  --storage.tsdb.max-block-duration=2h \
163
+ --storage.tsdb.no-lockfile \
164
+ --storage.remote.read-concurrent-limit=#{@instance_vcpu_count} \
165
+ --query.max-concurrency=#{@instance_vcpu_count} \
137
166
  --config.file=/opt/prometheus/prometheus.yml \
167
+ --web.console.templates=/etc/prometheus/consoles \
168
+ --web.console.libraries=/etc/prometheus/console_libraries \
138
169
  --web.enable-lifecycle \
139
170
  --log.level=warn
140
171
  Restart=always
@@ -143,7 +174,7 @@ module Terrafying
143
174
  }
144
175
  end
145
176
 
146
- def thanos_sidecar_unit(thanos_peers)
177
+ def thanos_sidecar_unit
147
178
  {
148
179
  name: 'thanos.service',
149
180
  contents: <<~THANOS_SIDE
@@ -154,25 +185,20 @@ module Terrafying
154
185
  After=docker.service prometheus.service
155
186
  Requires=docker.service prometheus.service
156
187
  [Service]
157
- EnvironmentFile=/run/metadata/coreos
158
188
  ExecStartPre=-/usr/bin/docker kill thanos
159
189
  ExecStartPre=-/usr/bin/docker rm thanos
160
190
  ExecStartPre=/usr/bin/docker pull improbable/thanos:#{@thanos_version}
161
191
  ExecStart=/usr/bin/docker run --name thanos \
162
- -p 10900-10902:10900-10902 \
192
+ -p 10901-10902:10901-10902 \
163
193
  -v /opt/prometheus:/opt/prometheus \
164
194
  -v /opt/thanos:/opt/thanos \
165
195
  --network=prom \
166
196
  improbable/thanos:#{@thanos_version} \
167
197
  sidecar \
168
- --cluster.peers=#{thanos_peers}:10900 \
169
- --cluster.advertise-address=$${COREOS_EC2_IPV4_LOCAL}:10900 \
170
- --grpc-advertise-address=$${COREOS_EC2_IPV4_LOCAL}:10901 \
171
198
  --prometheus.url=http://prometheus:9090 \
172
199
  --tsdb.path=/opt/prometheus/data \
173
200
  --objstore.config-file=/opt/thanos/bucket.yml \
174
- --log.level=warn \
175
- --no-cluster.disable
201
+ --log.level=warn
176
202
  Restart=always
177
203
  RestartSec=30
178
204
  THANOS_SIDE
@@ -183,66 +209,78 @@ module Terrafying
183
209
  {
184
210
  path: '/opt/prometheus/prometheus.yml',
185
211
  mode: 0o644,
186
- contents: <<~PROM
212
+ contents: ERB.new(<<~'END', 0, '-', '_').result(binding)
187
213
  global:
188
214
  external_labels:
189
215
  monitor: prometheus
190
- cluster: "#{@vpc.name}"
216
+ cluster: <%= @vpc.name %>
191
217
  replica: {{HOST}}
192
218
  scrape_interval: 15s
193
219
  scrape_configs:
194
- - job_name: "ec2"
220
+ # While AWS EC2 instance support up to 50 tags, we wouldn't be able
221
+ # to fit such a long configuration file into user_data of the
222
+ # instance; user_data is limited to just 16k.
223
+ # This configuration support scraping up to 5 ports per instance:
224
+ <%- prom_tag_name_suffixes = [''] + (0..3).map {|i| "_#{i}"} -%>
225
+ <%- prom_tag_name_suffixes.each do |suffix| -%>
226
+ - job_name: ec2<%= suffix %>
195
227
  params:
196
228
  format: ["prometheus"]
197
229
  ec2_sd_configs:
198
230
  - region: eu-west-1
199
231
  filters:
200
232
  - name: vpc-id
201
- values: ["#{@vpc.id}"]
202
- - name: tag-key
233
+ values: ["<%= @vpc.id %>"]
234
+ - # by using the same ec2_sd_configs we are able to share single
235
+ # provider instance thanks to SD configuration coalescing
236
+ # therefore "prometheus_port" tag must always be present on
237
+ # the instance to be discovered (i. e. "prometheus_port_*" tag
238
+ # would not be sufficient if " " tag is missing)
239
+ name: tag-key
203
240
  values: ["prometheus_port"]
204
241
  relabel_configs:
205
- - source_labels: [__meta_ec2_private_ip, __meta_ec2_tag_prometheus_port]
206
- replacement: $1:$2
207
- regex: ([^:]+)(?::\\\\d+)?;(\\\\d+)
242
+ - source_labels: [__meta_ec2_tag_prometheus_port<%= suffix %>]
243
+ regex: (.+)
244
+ action: keep
245
+ - source_labels: [__meta_ec2_private_ip, __meta_ec2_tag_prometheus_port<%= suffix %>]
208
246
  target_label: __address__
247
+ separator: ':'
248
+ - source_labels: [__meta_ec2_tag_prometheus_path<%= suffix %>]
249
+ target_label: __metrics_path__
250
+ regex: (.+)
209
251
  - source_labels: [__meta_ec2_instance_id]
210
252
  target_label: instance_id
211
253
  - source_labels: [__meta_ec2_tag_envoy_cluster]
212
254
  target_label: envoy_cluster
213
- - source_labels: [__meta_ec2_tag_prometheus_path]
214
- regex: (.+)
215
- replacement: $1
216
- target_label: __metrics_path__
217
- PROM
255
+ <%- end -%>
256
+ END
218
257
  }
219
258
  end
220
259
 
221
- def thanos_unit(thanos_peers)
260
+ def thanos_unit(prometheus_thanos_sidecar_srv_fqdn)
222
261
  {
223
262
  name: 'thanos.service',
224
263
  contents: <<~THANOS_UNIT
225
264
  [Install]
226
265
  WantedBy=multi-user.target
227
- [Unit]
266
+
267
+ [Unit]
228
268
  Description=Thanos Service
229
269
  After=docker.service
230
270
  Requires=docker.service
231
- [Service]
232
- EnvironmentFile=/run/metadata/coreos
271
+
272
+ [Service]
233
273
  ExecStartPre=-/usr/bin/docker kill thanos
234
274
  ExecStartPre=-/usr/bin/docker rm thanos
235
275
  ExecStartPre=/usr/bin/docker pull improbable/thanos:#{@thanos_version}
236
276
  ExecStart=/usr/bin/docker run --name thanos \
237
- -p 10900-10902:10900-10902 \
277
+ -p 10901-10902:10901-10902 \
238
278
  improbable/thanos:#{@thanos_version} \
239
279
  query \
240
- --cluster.peers=#{thanos_peers}:10900 \
241
- --cluster.advertise-address=$${COREOS_EC2_IPV4_LOCAL}:10900 \
242
- --grpc-advertise-address=$${COREOS_EC2_IPV4_LOCAL}:10901 \
243
280
  --query.replica-label=replica \
244
- --log.level=warn \
245
- --no-cluster.disable
281
+ --query.max-concurrent=#{@instance_vcpu_count} \
282
+ --store=dnssrv+#{prometheus_thanos_sidecar_srv_fqdn} \
283
+ --log.level=warn
246
284
  Restart=always
247
285
  RestartSec=30
248
286
  THANOS_UNIT
@@ -296,35 +334,26 @@ module Terrafying
296
334
  end
297
335
 
298
336
  def cloudwatch_alarm(name, namespace, dimensions)
299
- resource 'aws_cloudwatch_metric_alarm', name, {
300
- alarm_name: name,
301
- comparison_operator: 'GreaterThanOrEqualToThreshold',
302
- evaluation_periods: '1',
303
- metric_name: 'UnHealthyHostCount',
304
- namespace: namespace,
305
- period: '180',
306
- threshold: '1',
307
- statistic: 'Minimum',
308
- alarm_description: "Monitoring #{name} target group host health",
309
- dimensions: dimensions,
310
- alarm_actions: ['arn:aws:sns:eu-west-1:136393635417:prometheus_cloudwatch_topic'],
311
- ok_actions: ['arn:aws:sns:eu-west-1:136393635417:prometheus_cloudwatch_topic'],
312
- }
313
- end
314
-
315
- def create_prometheus_cloudwatch_alert(service)
316
- cloudwatch_alarm service.name, 'AWS/ApplicationELB', {
317
- LoadBalancer: output_of('aws_lb', service.load_balancer.name, 'arn_suffix'),
318
- TargetGroup: service.load_balancer.targets.first.target_group.to_s.gsub(/id/, 'arn_suffix')
319
- }
337
+ resource 'aws_cloudwatch_metric_alarm', name,
338
+ alarm_name: name,
339
+ comparison_operator: 'GreaterThanOrEqualToThreshold',
340
+ evaluation_periods: '1',
341
+ metric_name: 'UnHealthyHostCount',
342
+ namespace: namespace,
343
+ period: '180',
344
+ threshold: '1',
345
+ statistic: 'Minimum',
346
+ alarm_description: "Monitoring #{name} target group host health",
347
+ dimensions: dimensions,
348
+ alarm_actions: ['arn:aws:sns:eu-west-1:136393635417:prometheus_cloudwatch_topic'],
349
+ ok_actions: ['arn:aws:sns:eu-west-1:136393635417:prometheus_cloudwatch_topic']
320
350
  end
321
351
 
322
352
  def create_thanos_cloudwatch_alert(service)
323
353
  service.load_balancer.targets.each_with_index do |target, i|
324
- cloudwatch_alarm "#{service.name}_#{i}", 'AWS/NetworkELB', {
325
- LoadBalancer: output_of('aws_lb', service.load_balancer.name, 'arn_suffix'),
326
- TargetGroup: target.target_group.to_s.gsub(/id/, 'arn_suffix')
327
- }
354
+ cloudwatch_alarm "#{service.name}_#{i}", 'AWS/NetworkELB',
355
+ LoadBalancer: output_of('aws_lb', service.load_balancer.name, 'arn_suffix'),
356
+ TargetGroup: target.target_group.to_s.gsub(/id/, 'arn_suffix')
328
357
  end
329
358
  end
330
359
  end
data/lib/terrafying/components/selfsignedca.rb CHANGED
@@ -1,189 +1,175 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'terrafying/components/ca'
2
4
  require 'terrafying/generator'
3
5
 
4
6
  module Terrafying
5
-
6
7
  module Components
7
-
8
8
  class SelfSignedCA < Terrafying::Context
9
-
10
9
  attr_reader :name, :source, :ca_key
11
10
 
12
11
  include CA
13
12
 
14
- def self.create(name, bucket, options={})
13
+ def self.create(name, bucket, options = {})
15
14
  SelfSignedCA.new.create name, bucket, options
16
15
  end
17
16
 
18
- def initialize()
17
+ def initialize
19
18
  super
20
19
  end
21
20
 
22
- def create(name, bucket, options={})
21
+ def create(name, bucket, options = {})
23
22
  options = {
24
- prefix: "",
23
+ prefix: '',
25
24
  common_name: name,
26
- organization: "uSwitch Limited",
25
+ organization: 'uSwitch Limited',
27
26
  public_certificate: false,
28
- curve: "P384",
27
+ curve: 'P384'
29
28
  }.merge(options)
30
29
 
31
30
  @name = name
32
31
  @bucket = bucket
33
32
  @prefix = options[:prefix]
34
- @algorithm = options[:algorithm] || "ECDSA"
33
+ @algorithm = options[:algorithm] || 'ECDSA'
35
34
 
36
35
  @ident = "#{name}-ca"
37
36
 
38
- if options[:public_certificate]
39
- cert_acl = "public-read"
40
- else
41
- cert_acl = "private"
42
- end
37
+ cert_acl = if options[:public_certificate]
38
+ 'public-read'
39
+ else
40
+ 'private'
41
+ end
43
42
 
44
43
  @source = object_url(@name, :cert)
45
44
 
46
45
  if options[:ca_key] && options[:ca_cert]
47
46
  @ca_key = options[:ca_key]
48
47
  @ca_cert = options[:ca_cert]
49
- resource :aws_s3_bucket_object, "#{@name}-cert", {
50
- bucket: @bucket,
51
- key: object_key(@name, :cert),
52
- content: @ca_cert,
53
- acl: cert_acl,
54
- }
48
+ resource :aws_s3_bucket_object, "#{@name}-cert",
49
+ bucket: @bucket,
50
+ key: object_key(@name, :cert),
51
+ content: @ca_cert,
52
+ acl: cert_acl
55
53
  return self
56
54
  end
57
55
 
58
56
  provider :tls, {}
59
57
 
60
- resource :tls_private_key, @ident, {
61
- algorithm: @algorithm,
62
- ecdsa_curve: options[:curve],
63
- }
64
-
65
- resource :tls_self_signed_cert, @ident, {
66
- key_algorithm: @algorithm,
67
- private_key_pem: output_of(:tls_private_key, @ident, :private_key_pem),
68
- subject: {
69
- common_name: options[:common_name],
70
- organization: options[:organization],
71
- },
72
- is_ca_certificate: true,
73
- validity_period_hours: 24 * 365,
74
- allowed_uses: [
75
- "certSigning",
76
- "digitalSignature",
77
- ],
78
- }
58
+ resource :tls_private_key, @ident,
59
+ algorithm: @algorithm,
60
+ ecdsa_curve: options[:curve]
61
+
62
+ resource :tls_self_signed_cert, @ident,
63
+ key_algorithm: @algorithm,
64
+ private_key_pem: output_of(:tls_private_key, @ident, :private_key_pem),
65
+ subject: {
66
+ common_name: options[:common_name],
67
+ organization: options[:organization]
68
+ },
69
+ is_ca_certificate: true,
70
+ validity_period_hours: 24 * 365,
71
+ allowed_uses: %w[
72
+ certSigning
73
+ digitalSignature
74
+ ]
79
75
 
80
76
  @ca_key = output_of(:tls_private_key, @ident, :private_key_pem)
81
77
  @ca_cert = output_of(:tls_self_signed_cert, @ident, :cert_pem)
82
78
 
83
- resource :aws_s3_bucket_object, object_name(@name, :cert), {
84
- bucket: @bucket,
85
- key: object_key(@name, :cert),
86
- content: @ca_cert,
87
- acl: cert_acl,
88
- }
79
+ resource :aws_s3_bucket_object, object_name(@name, :cert),
80
+ bucket: @bucket,
81
+ key: object_key(@name, :cert),
82
+ content: @ca_cert,
83
+ acl: cert_acl
89
84
 
90
85
  self
91
86
  end
92
87
 
93
88
  def keypair
94
- @ca_key_ref ||= resource :aws_s3_bucket_object, object_name(@name, :key), {
95
- bucket: @bucket,
96
- key: File.join('', @prefix, @name, "ca.key"),
97
- content: @ca_key,
98
- }
89
+ @ca_key_ref ||= resource :aws_s3_bucket_object, object_name(@name, :key),
90
+ bucket: @bucket,
91
+ key: File.join('', @prefix, @name, 'ca.key'),
92
+ content: @ca_key
99
93
 
100
94
  {
101
95
  ca: self,
102
96
  path: {
103
- cert: File.join("/etc/ssl", @name, "ca.cert"),
104
- key: File.join("/etc/ssl", @name, "ca.key"),
97
+ cert: File.join('/etc/ssl', @name, 'ca.cert'),
98
+ key: File.join('/etc/ssl', @name, 'ca.key')
105
99
  },
106
100
  source: {
107
101
  cert: object_url(@name, :cert),
108
- key: object_url(@name, :key),
102
+ key: object_url(@name, :key)
109
103
  },
110
104
  resources: [
111
105
  "aws_s3_bucket_object.#{object_name(@name, :key)}",
112
106
  "aws_s3_bucket_object.#{object_name(@name, :cert)}"
113
107
  ],
114
108
  iam_statement: {
115
- Effect: "Allow",
109
+ Effect: 'Allow',
116
110
  Action: [
117
- "s3:GetObjectAcl",
118
- "s3:GetObject",
111
+ 's3:GetObjectAcl',
112
+ 's3:GetObject'
119
113
  ],
120
114
  Resource: [
121
115
  object_arn(@name, :cert),
122
- object_arn(@name, :key),
116
+ object_arn(@name, :key)
123
117
  ]
124
118
  }
125
119
  }
126
120
  end
127
121
 
128
- def create_keypair_in(ctx, name, options={})
122
+ def create_keypair_in(ctx, name, options = {})
129
123
  options = {
130
124
  common_name: name,
131
- organization: "uSwitch Limited",
125
+ organization: 'uSwitch Limited',
132
126
  validity_in_hours: 24 * 365,
133
- allowed_uses: [
134
- "nonRepudiation",
135
- "digitalSignature",
136
- "keyEncipherment"
127
+ allowed_uses: %w[
128
+ nonRepudiation
129
+ digitalSignature
130
+ keyEncipherment
137
131
  ],
138
132
  dns_names: [],
139
133
  ip_addresses: [],
140
- curve: "P384",
134
+ curve: 'P384'
141
135
  }.merge(options)
142
136
 
143
137
  key_ident = object_ident(name)
144
138
 
145
- ctx.resource :tls_private_key, key_ident, {
146
- algorithm: @algorithm,
147
- ecdsa_curve: options[:curve],
148
- }
149
-
150
- ctx.resource :tls_cert_request, key_ident, {
151
- key_algorithm: @algorithm,
152
- private_key_pem: output_of(:tls_private_key, key_ident, :private_key_pem),
153
- subject: {
154
- common_name: options[:common_name],
155
- organization: options[:organization],
156
- },
157
- dns_names: options[:dns_names],
158
- ip_addresses: options[:ip_addresses],
159
- }
160
-
161
- ctx.resource :tls_locally_signed_cert, key_ident, {
162
- cert_request_pem: output_of(:tls_cert_request, key_ident, :cert_request_pem),
163
- ca_key_algorithm: @algorithm,
164
- ca_private_key_pem: @ca_key,
165
- ca_cert_pem: @ca_cert,
166
- validity_period_hours: options[:validity_in_hours],
167
- allowed_uses: options[:allowed_uses],
168
- }
169
-
170
- ctx.resource :aws_s3_bucket_object, object_name(name, :key), {
171
- bucket: @bucket,
172
- key: object_key(name, :key, "${sha256(tls_private_key.#{key_ident}.private_key_pem)}"),
173
- content: output_of(:tls_private_key, key_ident, :private_key_pem),
174
- }
175
-
176
- ctx.resource :aws_s3_bucket_object, object_name(name, :cert), {
177
- bucket: @bucket,
178
- key: object_key(name, :cert, "${sha256(tls_locally_signed_cert.#{key_ident}.cert_pem)}"),
179
- content: output_of(:tls_locally_signed_cert, key_ident, :cert_pem),
180
- }
139
+ ctx.resource :tls_private_key, key_ident,
140
+ algorithm: @algorithm,
141
+ ecdsa_curve: options[:curve]
142
+
143
+ ctx.resource :tls_cert_request, key_ident,
144
+ key_algorithm: @algorithm,
145
+ private_key_pem: output_of(:tls_private_key, key_ident, :private_key_pem),
146
+ subject: {
147
+ common_name: options[:common_name],
148
+ organization: options[:organization]
149
+ },
150
+ dns_names: options[:dns_names],
151
+ ip_addresses: options[:ip_addresses]
152
+
153
+ ctx.resource :tls_locally_signed_cert, key_ident,
154
+ cert_request_pem: output_of(:tls_cert_request, key_ident, :cert_request_pem),
155
+ ca_key_algorithm: @algorithm,
156
+ ca_private_key_pem: @ca_key,
157
+ ca_cert_pem: @ca_cert,
158
+ validity_period_hours: options[:validity_in_hours],
159
+ allowed_uses: options[:allowed_uses]
160
+
161
+ ctx.resource :aws_s3_bucket_object, object_name(name, :key),
162
+ bucket: @bucket,
163
+ key: object_key(name, :key, "${sha256(tls_private_key.#{key_ident}.private_key_pem)}"),
164
+ content: output_of(:tls_private_key, key_ident, :private_key_pem)
165
+
166
+ ctx.resource :aws_s3_bucket_object, object_name(name, :cert),
167
+ bucket: @bucket,
168
+ key: object_key(name, :cert, "${sha256(tls_locally_signed_cert.#{key_ident}.cert_pem)}"),
169
+ content: output_of(:tls_locally_signed_cert, key_ident, :cert_pem)
181
170
 
182
171
  reference_keypair(ctx, name)
183
172
  end
184
-
185
173
  end
186
-
187
174
  end
188
-
189
175
  end