terrafying-components 1.4.3 → 1.4.4

data/lib/terrafying/components/letsencrypt.rb

@@ -0,0 +1,146 @@
+
+require 'terrafying/components/ca'
+require 'terrafying/generator'
+require 'open-uri'
+module Terrafying
+
+  module Components
+
+    class LetsEncrypt < Terrafying::Context
+
+      attr_reader :name, :source
+
+      PROVIDERS = {
+        staging: {
+          api_url: 'https://acme-staging.api.letsencrypt.org/directory',
+          ca_cert: 'https://letsencrypt.org/certs/fakeleintermediatex1.pem'
+        },
+        live:    {
+          api_url: 'https://acme-v01.api.letsencrypt.org/directory',
+          ca_cert: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
+        }
+      }.freeze
+
+      include CA
+
+      def self.create(name, bucket, options={})
+        LetsEncrypt.new.create name, bucket, options
+      end
+
+      def initialize()
+        super
+      end
+
+      def create(name, bucket, options={})
+        options = {
+          prefix: "",
+          provider: :staging,
+          email_address: "cloud@uswitch.com",
+          public_certificate: false,
+        }.merge(options)
+
+        @name = name
+        @bucket = bucket
+        @prefix = options[:prefix]
+        @provider = PROVIDERS[options[:provider].to_sym]
+
+        provider :acme, {}
+        provider :tls, {}
+
+        resource :tls_private_key, "#{@name}-account", {
+                   algorithm: "ECDSA",
+                   ecdsa_curve: "P384",
+                 }
+
+        @account_key = output_of(:tls_private_key, "#{@name}-account", "private_key_pem")
+
+        @registration_url = resource :acme_registration, "#{@name}-reg", {
+                                       server_url: @provider[:server_url],
+                                       account_key_pem: @account_key,
+                                       email_address: options[:email_address],
+                                     }
+
+        resource :aws_s3_bucket_object, "#{@name}-account", {
+                   bucket: @bucket,
+                   key: File.join(@prefix, @name, "account.key"),
+                   content: @account_key,
+                 }
+
+        @ca_cert_acl = options[:public_certificate] ? 'public-read' : 'private'
+
+        open(@provider[:ca_cert], 'rb') do |cert|
+          resource :aws_s3_bucket_object, "#{@name}-cert", {
+                     bucket: @bucket,
+                     key: File.join(@prefix, @name, "ca.cert"),
+                     source: cert.read,
+                     acl: @ca_cert_acl
+                   }
+        end
+
+        @source = File.join("s3://", @bucket, @prefix, @name, "ca.cert")
+
+        self
+      end
+
+      def create_keypair_in(ctx, name, options={})
+        options = {
+          common_name: name,
+          organization: "uSwitch Limited",
+          validity_in_hours: 24 * 365,
+          allowed_uses: [
+            "nonRepudiation",
+            "digitalSignature",
+            "keyEncipherment"
+          ],
+          dns_names: [],
+          ip_addresses: [],
+          min_days_remaining: 21,
+        }.merge(options)
+
+        key_ident = "#{@name}-#{tf_safe(name)}"
+
+        ctx.resource :tls_private_key, key_ident, {
+                       algorithm: "ECDSA",
+                       ecdsa_curve: "P384",
+                     }
+
+        ctx.resource :tls_cert_request, key_ident, {
+                       key_algorithm: "ECDSA",
+                       private_key_pem: output_of(:tls_private_key, key_ident, :private_key_pem),
+                       subject: {
+                         common_name: options[:common_name],
+                         organization: options[:organization],
+                       },
+                       dns_names: options[:dns_names],
+                       ip_addresses: options[:ip_addresses],
+                     }
+
+        ctx.resource :acme_certificate, key_ident, {
+                       server_url: @provider[:server_url],
+                       account_key_pem: @account_key,
+                       registration_url: @registration_url,
+                       min_days_remaining: options[:min_days_remaining],
+                       dns_challenge: {
+                         provider: "route53",
+                       },
+                       certificate_request_pem: output_of(:tls_cert_request, key_ident, :cert_request_pem),
+                     }
+
+        ctx.resource :aws_s3_bucket_object, "#{key_ident}-key", {
+                       bucket: @bucket,
+                       key: File.join(@prefix, @name, name, "key"),
+                       content: output_of(:tls_private_key, key_ident, :private_key_pem),
+                     }
+
+        ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert", {
+                       bucket: @bucket,
+                       key: File.join(@prefix, @name, name, "cert"),
+                       content: output_of(:acme_certificate, key_ident, :certificate_pem),
+                     }
+
+        reference_keypair(ctx, name)
+      end
+
+    end
+  end
+end

data/lib/terrafying/components/loadbalancer.rb

@@ -0,0 +1,159 @@
+
+require 'terrafying/components/usable'
+require 'terrafying/generator'
+
+require_relative './ports'
+
+module Terrafying
+
+  module Components
+
+    class LoadBalancer < Terrafying::Context
+
+      attr_reader :id, :name, :type, :security_group, :ports, :target_groups, :alias_config
+
+      include Usable
+
+      def self.create_in(vpc, name, options={})
+        LoadBalancer.new.create_in vpc, name, options
+      end
+
+      def self.find_in(vpc, name)
+        LoadBalancer.new.find_in vpc, name
+      end
+
+      def initialize()
+        super
+      end
+
+      def find_in(vpc, name)
+        ident = "network-#{tf_safe(vpc.name)}-#{name}"
+        @type = "network"
+
+        begin
+          lb = aws.lb_by_name(ident)
+        rescue
+          ident = "application-#{tf_safe(vpc.name)}-#{name}"
+          @type = "application"
+
+          lb = aws.lb_by_name(ident)
+
+          @security_group = aws.security_group_by_tags({ loadbalancer_name: ident })
+        end
+
+        @id = lb.load_balancer_arn
+        @name = ident
+
+        target_groups = aws.target_groups_by_lb(@id)
+
+        @target_groups = target_groups.map(&:target_group_arn)
+        @ports = enrich_ports(target_groups.map(&:port).sort.uniq)
+
+        @alias_config = {
+          name: lb.dns_name,
+          zone_id: lb.canonical_hosted_zone_id,
+          evaluate_target_health: true,
+        }
+
+        self
+      end
+
+      def create_in(vpc, name, options={})
+        options = {
+          ports: [],
+          public: false,
+          subnets: vpc.subnets.fetch(:private, []),
+          tags: {},
+        }.merge(options)
+
+        @ports = enrich_ports(options[:ports])
+
+        l4_ports = @ports.select{ |p| is_l4_port(p) }
+
+        if l4_ports.count > 0 && l4_ports.count < @ports.count
+          raise 'Ports have to either be all layer 4 or 7'
+        end
+
+        @type = l4_ports.count == 0 ? "application" : "network"
+
+        ident = "#{type}-#{tf_safe(vpc.name)}-#{name}"
+        @name = ident
+
+        if @type == "application"
+          @security_group = resource :aws_security_group, ident, {
+                                       name: "loadbalancer-#{ident}",
+                                       description: "Describe the ingress and egress of the load balancer #{ident}",
+                                       tags: options[:tags].merge(
+                                         {
+                                           loadbalancer_name: ident,
+                                         }
+                                       ),
+                                       vpc_id: vpc.id,
+                                     }
+
+          path_mtu_setup!
+        end
+
+        @id = resource :aws_lb, ident, {
+                         name: ident,
+                         load_balancer_type: type,
+                         internal: !options[:public],
+                         subnets: options[:subnets].map(&:id),
+                         tags: options[:tags],
+                       }.merge(@type == "application" ? { security_groups: [@security_group] } : {})
+
+        @target_groups = []
+
+        @ports.each { |port|
+          port_ident = "#{ident}-#{port[:downstream_port]}"
+
+          target_group = resource :aws_lb_target_group, port_ident, {
+                                    name: port_ident,
+                                    port: port[:downstream_port],
+                                    protocol: port[:type].upcase,
+                                    vpc_id: vpc.id,
+                                  }.merge(port.has_key?(:health_check) ? { health_check: port[:health_check] }: {})
+
+          ssl_options = {}
+          if port.has_key?(:ssl_certificate)
+            ssl_options = {
+              ssl_policy: "ELBSecurityPolicy-2015-05",
+              certificate_arn: port[:ssl_certificate],
+            }
+          end
+
+          resource :aws_lb_listener, port_ident, {
+                     load_balancer_arn: @id,
+                     port: port[:upstream_port],
+                     protocol: port[:type].upcase,
+                     default_action: {
+                       target_group_arn: target_group,
+                       type: "forward",
+                     },
+                   }.merge(ssl_options)
+
+          @target_groups << target_group
+        }
+
+        @alias_config = {
+          name: output_of(:aws_lb, ident, :dns_name),
+          zone_id: output_of(:aws_lb, ident, :zone_id),
+          evaluate_target_health: true,
+        }
+
+        self
+      end
+
+      def attach(set)
+        if set.respond_to?(:attach_load_balancer)
+          set.attach_load_balancer(self)
+        else
+          raise "Dont' know how to attach object to LB"
+        end
+      end
+
+    end
+
+  end
+
+end

data/lib/terrafying/components/ports.rb

@@ -0,0 +1,35 @@
+
+PORT_NAMES = {
+  22 => "ssh",
+  80 => "http",
+  443 => "https",
+  1194 => "openvpn",
+}
+
+def enrich_ports(ports)
+  ports.map { |port|
+    if port.is_a?(Numeric)
+      port = { upstream_port: port, downstream_port: port }
+    end
+
+    if port.has_key?(:number)
+      port[:upstream_port] = port[:number]
+      port[:downstream_port] = port[:number]
+    end
+
+    port = {
+      type: "tcp",
+      name: PORT_NAMES.fetch(port[:upstream_port], port[:upstream_port].to_s),
+    }.merge(port)
+
+    port
+  }
+end
+
+def is_l4_port(port)
+  port[:type] == "tcp" || port[:type] == "udp"
+end
+
+def is_l7_port(port)
+  port[:type] == "http" || port[:type] == "https"
+end

data/lib/terrafying/components/selfsignedca.rb

@@ -0,0 +1,171 @@
+
+require 'terrafying/components/ca'
+require 'terrafying/generator'
+
+module Terrafying
+
+  module Components
+
+    class SelfSignedCA < Terrafying::Context
+
+      attr_reader :name, :source, :ca_key
+
+      include CA
+
+      def self.create(name, bucket, options={})
+        SelfSignedCA.new.create name, bucket, options
+      end
+
+      def initialize()
+        super
+      end
+
+      def create(name, bucket, options={})
+        options = {
+          prefix: "",
+          common_name: name,
+          organization: "uSwitch Limited",
+          public_certificate: false,
+        }.merge(options)
+
+        @name = name
+        @bucket = bucket
+        @prefix = options[:prefix]
+
+        @ident = "#{name}-ca"
+
+        provider :tls, {}
+
+        resource :tls_private_key, @ident, {
+                   algorithm: "ECDSA",
+                   ecdsa_curve: "P384",
+                 }
+
+        resource :tls_self_signed_cert, @ident, {
+                   key_algorithm: "ECDSA",
+                   private_key_pem: output_of(:tls_private_key, @ident, :private_key_pem),
+                   subject: {
+                     common_name: options[:common_name],
+                     organization: options[:organization],
+                   },
+                   is_ca_certificate: true,
+                   validity_period_hours: 24 * 365,
+                   allowed_uses: [
+                     "certSigning",
+                     "digitalSignature",
+                   ],
+                 }
+
+        @source = File.join("s3://", @bucket, @prefix, @name, "ca.cert")
+
+        @ca_key = output_of(:tls_private_key, @ident, :private_key_pem)
+        @ca_cert = output_of(:tls_self_signed_cert, @ident, :cert_pem)
+
+        if options[:public_certificate]
+          cert_acl = "public-read"
+        else
+          cert_acl = "private"
+        end
+
+        resource :aws_s3_bucket_object, "#{@name}-cert", {
+                   bucket: @bucket,
+                   key: File.join(@prefix, @name, "ca.cert"),
+                   content: @ca_cert,
+                   acl: cert_acl,
+                 }
+
+        self
+      end
+
+      def keypair
+        resource :aws_s3_bucket_object, "#{@name}-key", {
+                   bucket: @bucket,
+                   key: File.join(@prefix, @name, "ca.key"),
+                   content: @ca_key,
+                 }
+
+        {
+          ca: self,
+          source: {
+            cert: File.join("s3://", @bucket, @prefix, @name, "ca.cert"),
+            key: File.join("s3://", @bucket, @prefix, @name, "ca.key"),
+          },
+          resources: [
+            "aws_s3_bucket_object.#{@name}-key",
+            "aws_s3_bucket_object.#{@name}-cert"
+          ],
+          iam_statement: {
+            Effect: "Allow",
+            Action: [
+              "s3:GetObjectAcl",
+              "s3:GetObject",
+            ],
+            Resource: [
+              "arn:aws:s3:::#{File.join(@bucket, @prefix, @name, "ca.cert")}",
+              "arn:aws:s3:::#{File.join(@bucket, @prefix, @name, "ca.key")}",
+            ]
+          }
+        }
+      end
+
+      def create_keypair_in(ctx, name, options={})
+        options = {
+          common_name: name,
+          organization: "uSwitch Limited",
+          validity_in_hours: 24 * 365,
+          allowed_uses: [
+            "nonRepudiation",
+            "digitalSignature",
+            "keyEncipherment"
+          ],
+          dns_names: [],
+          ip_addresses: [],
+        }.merge(options)
+
+        key_ident = "#{@name}-#{tf_safe(name)}"
+
+        ctx.resource :tls_private_key, key_ident, {
+                       algorithm: "ECDSA",
+                       ecdsa_curve: "P384",
+                     }
+
+        ctx.resource :tls_cert_request, key_ident, {
+                       key_algorithm: "ECDSA",
+                       private_key_pem: output_of(:tls_private_key, key_ident, :private_key_pem),
+                       subject: {
+                         common_name: options[:common_name],
+                         organization: options[:organization],
+                       },
+                       dns_names: options[:dns_names],
+                       ip_addresses: options[:ip_addresses],
+                     }
+
+        ctx.resource :tls_locally_signed_cert, key_ident, {
+                       cert_request_pem: output_of(:tls_cert_request, key_ident, :cert_request_pem),
+                       ca_key_algorithm: "ECDSA",
+                       ca_private_key_pem: @ca_key,
+                       ca_cert_pem: @ca_cert,
+                       validity_period_hours: options[:validity_in_hours],
+                       allowed_uses: options[:allowed_uses],
+                     }
+
+        ctx.resource :aws_s3_bucket_object, "#{key_ident}-key", {
+                       bucket: @bucket,
+                       key: File.join(@prefix, @name, name, "key"),
+                       content: output_of(:tls_private_key, key_ident, :private_key_pem),
+                     }
+
+        ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert", {
+                       bucket: @bucket,
+                       key: File.join(@prefix, @name, name, "cert"),
+                       content: output_of(:tls_locally_signed_cert, key_ident, :cert_pem),
+                     }
+
+        reference_keypair(ctx, name)
+      end
+
+    end
+
+  end
+
+end