terrafying-components 1.11.15 → 1.11.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. checksums.yaml +4 -4
  2. data/lib/hash/merge_with_arrays.rb +2 -0
  3. data/lib/terrafying/components.rb +1 -0
  4. data/lib/terrafying/components/auditd.rb +7 -7
  5. data/lib/terrafying/components/ca.rb +17 -21
  6. data/lib/terrafying/components/dynamicset.rb +103 -116
  7. data/lib/terrafying/components/endpoint.rb +32 -41
  8. data/lib/terrafying/components/endpointservice.rb +15 -21
  9. data/lib/terrafying/components/ignition.rb +42 -49
  10. data/lib/terrafying/components/instance.rb +56 -55
  11. data/lib/terrafying/components/instanceprofile.rb +35 -44
  12. data/lib/terrafying/components/letsencrypt.rb +60 -71
  13. data/lib/terrafying/components/loadbalancer.rb +43 -43
  14. data/lib/terrafying/components/ports.rb +12 -11
  15. data/lib/terrafying/components/prometheus.rb +124 -95
  16. data/lib/terrafying/components/selfsignedca.rb +90 -104
  17. data/lib/terrafying/components/service.rb +41 -51
  18. data/lib/terrafying/components/staticset.rb +58 -68
  19. data/lib/terrafying/components/subnet.rb +21 -31
  20. data/lib/terrafying/components/templates/ignition.yaml +26 -5
  21. data/lib/terrafying/components/usable.rb +78 -92
  22. data/lib/terrafying/components/version.rb +3 -1
  23. data/lib/terrafying/components/vpc.rb +181 -209
  24. data/lib/terrafying/components/vpn.rb +136 -156
  25. data/lib/terrafying/components/zone.rb +38 -48
  26. metadata +6 -6
data/lib/terrafying/components/vpn.rb CHANGED
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
 
2
3
  require 'digest'
3
4
  require 'netaddr'
@@ -5,7 +6,6 @@ require 'netaddr'
5
6
  require 'terrafying/components/ignition'
6
7
  require 'terrafying/generator'
7
8
 
8
-
9
9
  IN4MASK = 0xffffffff
10
10
 
11
11
  def cidr_to_split_address(raw_cidr)
@@ -14,34 +14,30 @@ def cidr_to_split_address(raw_cidr)
14
14
  masklen = 32 - cidr.bits
15
15
  maskaddr = ((IN4MASK >> masklen) << masklen)
16
16
 
17
- maskip = (0..3).map { |i|
17
+ maskip = (0..3).map do |i|
18
18
  (maskaddr >> (24 - 8 * i)) & 0xff
19
- }.join('.')
19
+ end.join('.')
20
20
 
21
- return "#{cidr.first} #{maskip}"
21
+ "#{cidr.first} #{maskip}"
22
22
  end
23
23
 
24
-
25
24
  module Terrafying
26
-
27
25
  module Components
28
-
29
26
  class VPN < Terrafying::Context
30
-
31
27
  attr_reader :name, :cidr, :service, :ip_address
32
28
 
33
- def self.create_in(vpc, name, provider, options={})
29
+ def self.create_in(vpc, name, provider, options = {})
34
30
  VPN.new.create_in vpc, name, provider, options
35
31
  end
36
32
 
37
- def initialize()
33
+ def initialize
38
34
  super
39
35
  end
40
36
 
41
- def create_in(vpc, name, oauth2_provider, options={})
37
+ def create_in(vpc, name, oauth2_provider, options = {})
42
38
  options = {
43
- group: "uSwitch Developers",
44
- cidr: "10.8.0.0/24",
39
+ group: 'uSwitch Developers',
40
+ cidr: '10.8.0.0/24',
45
41
  public: true,
46
42
  subnets: vpc.subnets.fetch(:public, []),
47
43
  static: false,
@@ -49,7 +45,7 @@ module Terrafying
49
45
  route_dns_entries: [],
50
46
  units: [],
51
47
  tags: {},
52
- service: {},
48
+ service: {}
53
49
  }.merge(options)
54
50
 
55
51
  @name = name
@@ -57,14 +53,14 @@ module Terrafying
57
53
  @cidr = options[:cidr]
58
54
  @fqdn = vpc.zone.qualify(name)
59
55
 
60
- if ! oauth2_provider.is_a?(Hash)
61
- raise "You need to give a provider hash containing a type, client_id and client_secret"
56
+ unless oauth2_provider.is_a?(Hash)
57
+ raise 'You need to give a provider hash containing a type, client_id and client_secret'
62
58
  end
63
59
 
64
- has_provider = oauth2_provider[:type] != "none"
60
+ has_provider = oauth2_provider[:type] != 'none'
65
61
 
66
- if has_provider and ! [:type, :client_id, :client_secret].all? {|k| oauth2_provider.has_key?(k) }
67
- raise "You need to set type, client_id and client_secret"
62
+ if has_provider && !%i[type client_id client_secret].all? { |k| oauth2_provider.key?(k) }
63
+ raise 'You need to set type, client_id and client_secret'
68
64
  end
69
65
 
70
66
  units = [
@@ -88,7 +84,7 @@ module Terrafying
88
84
  units.push(oauth2_proxy_service(oauth2_provider))
89
85
  end
90
86
 
91
- if options.has_key?(:ca)
87
+ if options.key?(:ca)
92
88
  keypairs.push(options[:ca].create_keypair_in(self, @fqdn))
93
89
  end
94
90
 
@@ -101,36 +97,36 @@ module Terrafying
101
97
 
102
98
  @is_public = options[:public]
103
99
  @service = add! Service.create_in(
104
- vpc, name,
105
- {
106
- public: @is_public,
107
- ports: [22, 443, { number: 1194, type: "udp" }],
108
- tags: options[:tags],
109
- units: units + options[:units],
110
- files: files,
111
- keypairs: keypairs,
112
- subnets: options[:subnets],
113
- instances: instances,
114
- iam_policy_statements: [
115
- {
116
- Effect: "Allow",
117
- Action: [
118
- "ec2:DescribeRouteTables",
119
- ],
120
- Resource: [
121
- "*"
122
- ]
123
- }
124
- ],
125
- }.merge(options[:service])
126
- )
100
+ vpc, name,
101
+ {
102
+ public: @is_public,
103
+ ports: [22, 443, { number: 1194, type: 'udp' }],
104
+ tags: options[:tags],
105
+ units: units + options[:units],
106
+ files: files,
107
+ keypairs: keypairs,
108
+ subnets: options[:subnets],
109
+ instances: instances,
110
+ iam_policy_statements: [
111
+ {
112
+ Effect: 'Allow',
113
+ Action: [
114
+ 'ec2:DescribeRouteTables'
115
+ ],
116
+ Resource: [
117
+ '*'
118
+ ]
119
+ }
120
+ ]
121
+ }.merge(options[:service])
122
+ )
127
123
 
128
124
  @ip_address = @service.instance_set.instances[0].ip_address
129
125
 
130
126
  self
131
127
  end
132
128
 
133
- def allow_security_group_in(vpc, name: "")
129
+ def allow_security_group_in(vpc, name: '')
134
130
  name = "allow-#{@vpc.name}-vpn".downcase if name.empty?
135
131
 
136
132
  ingress_rules = [
@@ -138,8 +134,8 @@ module Terrafying
138
134
  from_port: 0,
139
135
  to_port: 0,
140
136
  protocol: -1,
141
- security_groups: [ @service.egress_security_group ],
142
- },
137
+ security_groups: [@service.egress_security_group]
138
+ }
143
139
  ]
144
140
 
145
141
  if @is_public
@@ -147,113 +143,100 @@ module Terrafying
147
143
  from_port: 0,
148
144
  to_port: 0,
149
145
  protocol: -1,
150
- cidr_blocks: [ "#{@ip_address}/32" ],
146
+ cidr_blocks: ["#{@ip_address}/32"]
151
147
  }
152
148
  end
153
149
 
154
- resource :aws_security_group, tf_safe("#{name}-#{vpc.name}"), {
155
- name: name,
156
- vpc_id: vpc.id,
157
- ingress: ingress_rules,
158
- }
150
+ resource :aws_security_group, tf_safe("#{name}-#{vpc.name}"),
151
+ name: name,
152
+ vpc_id: vpc.id,
153
+ ingress: ingress_rules
159
154
  end
160
155
 
161
156
  def openvpn_service
162
157
  Ignition.container_unit(
163
- "openvpn", "kylemanna/openvpn",
164
- {
165
- host_networking: true,
166
- privileged: true,
167
- volumes: [
168
- "/etc/ssl/openvpn:/etc/ssl/openvpn:ro",
169
- "/etc/openvpn:/etc/openvpn",
170
- ],
171
- required_units: [ "docker.service", "network-online.target", "openvpn-authz.service" ],
172
- }
158
+ 'openvpn', 'kylemanna/openvpn',
159
+ host_networking: true,
160
+ privileged: true,
161
+ volumes: [
162
+ '/etc/ssl/openvpn:/etc/ssl/openvpn:ro',
163
+ '/etc/openvpn:/etc/openvpn'
164
+ ],
165
+ required_units: ['docker.service', 'network-online.target', 'openvpn-authz.service']
173
166
  )
174
167
  end
175
168
 
176
169
  def openvpn_authz_service(route_all_traffic, route_dns_entry)
177
170
  optional_arguments = []
178
171
 
179
- if route_all_traffic
180
- optional_arguments << "--route-all"
181
- end
172
+ optional_arguments << '--route-all' if route_all_traffic
182
173
 
183
174
  if route_dns_entry.count > 0
184
- optional_arguments = optional_arguments + route_dns_entry.map { |entry| "--route-dns-entries #{entry}" }
175
+ optional_arguments += route_dns_entry.map { |entry| "--route-dns-entries #{entry}" }
185
176
  end
186
177
 
187
178
  Ignition.container_unit(
188
- "openvpn-authz", "quay.io/uswitch/openvpn-authz:1.2",
189
- {
190
- host_networking: true,
191
- volumes: [
192
- "/etc/ssl/openvpn:/etc/ssl/openvpn",
193
- "/var/openvpn-authz:/var/openvpn-authz",
194
- ],
195
- environment_variables: [
196
- "AWS_REGION=#{aws.region}",
197
- ],
198
- arguments: optional_arguments + [
199
- "--fqdn #{@fqdn}",
200
- "--cache /var/openvpn-authz",
201
- '--user-header "X-Forwarded-Email"',
202
- "/etc/ssl/openvpn",
203
- ],
204
- }
179
+ 'openvpn-authz', 'quay.io/uswitch/openvpn-authz:1.2',
180
+ host_networking: true,
181
+ volumes: [
182
+ '/etc/ssl/openvpn:/etc/ssl/openvpn',
183
+ '/var/openvpn-authz:/var/openvpn-authz'
184
+ ],
185
+ environment_variables: [
186
+ "AWS_REGION=#{aws.region}"
187
+ ],
188
+ arguments: optional_arguments + [
189
+ "--fqdn #{@fqdn}",
190
+ '--cache /var/openvpn-authz',
191
+ '--user-header "X-Forwarded-Email"',
192
+ '/etc/ssl/openvpn'
193
+ ]
205
194
  )
206
195
  end
207
196
 
208
197
  def oauth2_proxy_service(oauth2_provider)
209
198
  Ignition.container_unit(
210
199
  'authnz', 'quay.io/uswitch/authnz-http-proxy:0.1',
211
- {
212
- host_networking: true,
213
- arguments: [
214
- '--addr=0.0.0.0:4180',
215
- '--backend-url=http://localhost:8080',
216
- "--oauth-client-id='#{oauth2_provider[:client_id]}'",
217
- "--oauth-client-secret='#{oauth2_provider[:client_secret]}'",
218
- "--cookie-hash-key='#{oauth2_provider[:cookie_hash_key]}'",
219
- "--cookie-block-key='#{oauth2_provider[:cookie_block_key]}'"
220
- ],
221
- volumes: [
222
- '/usr/share/ca-certificates:/etc/ssl/certs:ro'
223
- ]
224
- }
200
+ host_networking: true,
201
+ arguments: [
202
+ '--addr=0.0.0.0:4180',
203
+ '--backend-url=http://localhost:8080',
204
+ "--oauth-client-id='#{oauth2_provider[:client_id]}'",
205
+ "--oauth-client-secret='#{oauth2_provider[:client_secret]}'",
206
+ "--cookie-hash-key='#{oauth2_provider[:cookie_hash_key]}'",
207
+ "--cookie-block-key='#{oauth2_provider[:cookie_block_key]}'"
208
+ ],
209
+ volumes: [
210
+ '/usr/share/ca-certificates:/etc/ssl/certs:ro'
211
+ ]
225
212
  )
226
213
  end
227
214
 
228
215
  def caddy_service(ca)
229
216
  optional_volumes = []
230
217
 
231
- if ca
232
- optional_volumes << "/etc/ssl/#{ca.name}:/etc/ssl/#{ca.name}:ro"
233
- end
218
+ optional_volumes << "/etc/ssl/#{ca.name}:/etc/ssl/#{ca.name}:ro" if ca
234
219
 
235
220
  Ignition.container_unit(
236
- "caddy", "abiosoft/caddy:0.10.10",
237
- {
238
- host_networking: true,
239
- volumes: [
240
- "/etc/ssl/certs:/etc/ssl/cert:ro",
241
- "/etc/caddy/Caddyfile:/etc/Caddyfile",
242
- "/etc/caddy/certs:/etc/caddy/certs",
243
- ] + optional_volumes,
244
- environment_variables: [
245
- "CADDYPATH=/etc/caddy/certs",
246
- ],
247
- }
221
+ 'caddy', 'abiosoft/caddy:0.10.10',
222
+ host_networking: true,
223
+ volumes: [
224
+ '/etc/ssl/certs:/etc/ssl/cert:ro',
225
+ '/etc/caddy/Caddyfile:/etc/Caddyfile',
226
+ '/etc/caddy/certs:/etc/caddy/certs'
227
+ ] + optional_volumes,
228
+ environment_variables: [
229
+ 'CADDYPATH=/etc/caddy/certs'
230
+ ]
248
231
  )
249
232
  end
250
233
 
251
234
  def caddy_conf(ca, has_provider)
252
- port = has_provider ? "4180" : "8080"
253
- tls = ca ? "/etc/ssl/#{ca.name}/#{@fqdn}/cert /etc/ssl/#{ca.name}/#{@fqdn}/key" : "cloud@uswitch.com"
235
+ port = has_provider ? '4180' : '8080'
236
+ tls = ca ? "/etc/ssl/#{ca.name}/#{@fqdn}/cert /etc/ssl/#{ca.name}/#{@fqdn}/key" : 'cloud@uswitch.com'
254
237
  {
255
- path: "/etc/caddy/Caddyfile",
256
- mode: "0644",
238
+ path: '/etc/caddy/Caddyfile',
239
+ mode: '0644',
257
240
  contents: <<~CADDYFILE
258
241
  #{@fqdn}:443
259
242
  tls #{tls}
@@ -266,48 +249,48 @@ module Terrafying
266
249
 
267
250
  def openvpn_conf
268
251
  {
269
- path: "/etc/openvpn/openvpn.conf",
270
- mode: "0644",
271
- contents: <<EOF
272
- server #{cidr_to_split_address(@cidr)}
273
- verb 3
274
-
275
- iproute /etc/openvpn/ovpn_ip.sh
276
-
277
- key /etc/ssl/openvpn/server/key
278
- ca /etc/ssl/openvpn/ca/cert
279
- cert /etc/ssl/openvpn/server/cert
280
- dh /etc/ssl/openvpn/dh.pem
281
- tls-auth /etc/ssl/openvpn/ta.key
282
-
283
- cipher AES-256-CBC
284
- auth SHA512
285
- tls-version-min 1.2
286
-
287
- key-direction 0
288
- keepalive 10 60
289
- persist-key
290
- persist-tun
291
-
292
- proto udp
293
- # Rely on Docker to do port mapping, internally always 1194
294
- port 1194
295
- dev tun0
296
- status /tmp/openvpn-status.log
297
-
298
- user nobody
299
- group nogroup
300
- EOF
252
+ path: '/etc/openvpn/openvpn.conf',
253
+ mode: '0644',
254
+ contents: <<~EOF
255
+ server #{cidr_to_split_address(@cidr)}
256
+ verb 3
257
+
258
+ iproute /etc/openvpn/ovpn_ip.sh
259
+
260
+ key /etc/ssl/openvpn/server/key
261
+ ca /etc/ssl/openvpn/ca/cert
262
+ cert /etc/ssl/openvpn/server/cert
263
+ dh /etc/ssl/openvpn/dh.pem
264
+ tls-auth /etc/ssl/openvpn/ta.key
265
+
266
+ cipher AES-256-CBC
267
+ auth SHA512
268
+ tls-version-min 1.2
269
+
270
+ key-direction 0
271
+ keepalive 10 60
272
+ persist-key
273
+ persist-tun
274
+
275
+ proto udp
276
+ # Rely on Docker to do port mapping, internally always 1194
277
+ port 1194
278
+ dev tun0
279
+ status /tmp/openvpn-status.log
280
+
281
+ user nobody
282
+ group nogroup
283
+ EOF
301
284
  }
302
285
  end
303
286
 
304
287
  def openvpn_env
305
288
  {
306
- path: "/etc/openvpn/ovpn_env.sh",
307
- mode: "0644",
308
- contents: <<EOF
309
- declare -x OVPN_SERVER=#{@cidr}
310
- EOF
289
+ path: '/etc/openvpn/ovpn_env.sh',
290
+ mode: '0644',
291
+ contents: <<~EOF
292
+ declare -x OVPN_SERVER=#{@cidr}
293
+ EOF
311
294
  }
312
295
  end
313
296
 
@@ -356,9 +339,6 @@ EOF
356
339
  def used_by_cidr(*cidrs)
357
340
  @service.used_by_cidr(*cidrs)
358
341
  end
359
-
360
342
  end
361
-
362
343
  end
363
-
364
344
  end
data/lib/terrafying/components/zone.rb CHANGED
@@ -1,11 +1,10 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'terrafying/generator'
2
4
 
3
5
  module Terrafying
4
-
5
6
  module Components
6
-
7
7
  class Zone < Terrafying::Context
8
-
9
8
  attr_reader :id, :fqdn
10
9
 
11
10
  def self.find(fqdn)
@@ -16,15 +15,14 @@ module Terrafying
16
15
  Zone.new.find_by_tag tag
17
16
  end
18
17
 
19
- def self.create(fqdn, options={})
18
+ def self.create(fqdn, options = {})
20
19
  Zone.new.create fqdn, options
21
20
  end
22
21
 
23
- def initialize()
22
+ def initialize
24
23
  super
25
24
  end
26
25
 
27
-
28
26
  def find(fqdn)
29
27
  zone = aws.hosted_zone(fqdn)
30
28
 
@@ -37,21 +35,21 @@ module Terrafying
37
35
  def find_by_tag(tag)
38
36
  zone = aws.hosted_zone_by_tag(tag)
39
37
  @id = zone.id
40
- @fqdn = zone.name.chomp(".")
38
+ @fqdn = zone.name.chomp('.')
41
39
 
42
40
  self
43
41
  end
44
42
 
45
- def create(fqdn, options={})
43
+ def create(fqdn, options = {})
46
44
  options = {
47
- tags: {},
45
+ tags: {}
48
46
  }.merge(options)
49
47
 
50
48
  ident = tf_safe(fqdn)
51
49
 
52
50
  zone_config = {
53
51
  name: fqdn,
54
- tags: options[:tags],
52
+ tags: options[:tags]
55
53
  }
56
54
 
57
55
  if options[:vpc]
@@ -66,35 +64,34 @@ module Terrafying
66
64
  @id = resource :aws_route53_zone, ident, zone_config
67
65
 
68
66
  if options[:parent_zone]
69
- ns = (0..3).map{ |i| output_of(:aws_route53_zone, ident, "name_servers.#{i}") }
67
+ ns = (0..3).map { |i| output_of(:aws_route53_zone, ident, "name_servers.#{i}") }
70
68
 
71
- resource :aws_route53_record, "#{ident}-ns", {
72
- zone_id: options[:parent_zone].id,
73
- name: fqdn,
74
- type: "NS",
75
- ttl: "30",
76
- records: ns,
77
- }
69
+ resource :aws_route53_record, "#{ident}-ns",
70
+ zone_id: options[:parent_zone].id,
71
+ name: fqdn,
72
+ type: 'NS',
73
+ ttl: '30',
74
+ records: ns
78
75
  end
79
76
 
80
77
  self
81
78
  end
82
79
 
83
- def add_record(name, records, options={})
80
+ def add_record(name, records, options = {})
84
81
  add_record_in(self, name, records, options)
85
82
  end
86
83
 
87
- def add_record_in(ctx, name, records, options={})
84
+ def add_record_in(ctx, name, records, options = {})
88
85
  options = {
89
- type: "A",
86
+ type: 'A',
90
87
  ttl: 300,
91
- name: qualify(name),
88
+ name: qualify(name)
92
89
  }.merge(options)
93
90
 
94
91
  ctx.resource :aws_route53_record, options[:resource_name] || tf_safe(options[:name]), {
95
- zone_id: @id,
96
- records: records,
97
- }.merge(options.slice(:type, :ttl, :name, :records, :zone_id, :weight))
92
+ zone_id: @id,
93
+ records: records
94
+ }.merge(options.slice(:type, :ttl, :name, :records, :zone_id, :weight))
98
95
  end
99
96
 
100
97
  def add_alias(name, config)
@@ -103,12 +100,11 @@ module Terrafying
103
100
 
104
101
  def add_alias_in(ctx, name, config)
105
102
  fqdn = qualify(name)
106
- ctx.resource :aws_route53_record, tf_safe(fqdn), {
107
- zone_id: @id,
108
- name: fqdn,
109
- type: "A",
110
- alias: config,
111
- }
103
+ ctx.resource :aws_route53_record, tf_safe(fqdn),
104
+ zone_id: @id,
105
+ name: fqdn,
106
+ type: 'A',
107
+ alias: config
112
108
  end
113
109
 
114
110
  def add_srv(name, service_name, port, type, hosts)
@@ -119,13 +115,12 @@ module Terrafying
119
115
  fqdn = qualify(name)
120
116
  ident = tf_safe(fqdn)
121
117
 
122
- ctx.resource :aws_route53_record, "srv-#{ident}-#{service_name}", {
123
- zone_id: @id,
124
- name: "_#{service_name}._#{type}.#{fqdn}",
125
- type: "SRV",
126
- ttl: "60",
127
- records: hosts.map { |host| "0 0 #{port} #{host}" }
128
- }
118
+ ctx.resource :aws_route53_record, "srv-#{ident}-#{service_name}",
119
+ zone_id: @id,
120
+ name: "_#{service_name}._#{type}.#{fqdn}",
121
+ type: 'SRV',
122
+ ttl: '60',
123
+ records: hosts.map { |host| "0 0 #{port} #{host}" }
129
124
  end
130
125
 
131
126
  def add_cname(name, *records)
@@ -136,21 +131,16 @@ module Terrafying
136
131
  fqdn = qualify(name)
137
132
  ident = fqdn.tr('.', '-')
138
133
  ctx.resource :aws_route53_record, ident,
139
- {
140
- zone_id: @id,
141
- name: fqdn,
142
- type: 'CNAME',
143
- ttl: 300,
144
- records: records
145
- }
134
+ zone_id: @id,
135
+ name: fqdn,
136
+ type: 'CNAME',
137
+ ttl: 300,
138
+ records: records
146
139
  end
147
140
 
148
141
  def qualify(name)
149
142
  "#{name}.#{@fqdn}"
150
143
  end
151
-
152
144
  end
153
-
154
145
  end
155
-
156
146
  end