terrafying-components 1.4.3 → 1.4.4

data/lib/terrafying/components/service.rb

@@ -0,0 +1,148 @@
+
+require 'digest'
+require 'hash/merge_with_arrays'
+require 'terrafying/generator'
+require 'terrafying/util'
+require 'terrafying/components/auditd'
+require 'terrafying/components/dynamicset'
+require 'terrafying/components/endpointservice'
+require 'terrafying/components/ignition'
+require 'terrafying/components/instance'
+require 'terrafying/components/instanceprofile'
+require 'terrafying/components/loadbalancer'
+require 'terrafying/components/selfsignedca'
+require 'terrafying/components/staticset'
+require 'terrafying/components/usable'
+
+module Terrafying
+
+  module Components
+
+    class Service < Terrafying::Context
+
+      attr_reader :name, :domain_names, :ports, :load_balancer, :instance_set
+
+      include Usable
+
+      def self.create_in(vpc, name, options={})
+        Service.new.create_in vpc, name, options
+      end
+
+      def self.find_in(vpc, name)
+        Service.new.find_in vpc, name
+      end
+
+      def initialize()
+        super
+      end
+
+      def find_in(vpc, name)
+        raise 'unimplemented'
+      end
+
+      def create_in(vpc, name, options={})
+        options = {
+          ami: aws.ami("base-image-59a5b709", owners=["136393635417"]),
+          instance_type: "t2.micro",
+          ports: [],
+          instances: [{}],
+          zone: vpc.zone,
+          iam_policy_statements: [],
+          security_groups: [],
+          keypairs: [],
+          volumes: [],
+          units: [],
+          files: [],
+          tags: {},
+          ssh_group: vpc.ssh_group,
+          subnets: vpc.subnets.fetch(:private, []),
+          startup_grace_period: 300,
+          depends_on: [],
+          audit_role: "arn:aws:iam::#{aws.account_id}:role/auditd_logging"
+        }.merge(options)
+
+        unless options[:audit_role].nil?
+          fluentd_conf = Auditd.fluentd_conf(options[:audit_role], options[:tags].keys)
+          options = options.merge_with_arrays_merged(fluentd_conf)
+        end
+
+        if ! options.has_key? :user_data
+          options[:user_data] = Ignition.generate(options)
+        end
+
+        if ! options.has_key?(:loadbalancer_subnets)
+          options[:loadbalancer_subnets] = options[:subnets]
+        end
+
+        unless options[:instances].is_a?(Hash) or options[:instances].is_a?(Array)
+          raise 'Unknown instances option, should be hash or array'
+        end
+
+        ident = "#{tf_safe(vpc.name)}-#{name}"
+
+        @name = ident
+        @ports = enrich_ports(options[:ports])
+        @domain_names = [ options[:zone].qualify(name) ]
+
+        depends_on = options[:depends_on] + options[:keypairs].map{ |kp| kp[:resources] }.flatten
+
+        iam_statements = options[:iam_policy_statements] + options[:keypairs].map { |kp| kp[:iam_statement] }
+        instance_profile = add! InstanceProfile.create(ident, { statements: iam_statements })
+
+        tags = options[:tags].merge({ service_name: name })
+
+        set = options[:instances].is_a?(Hash) ? DynamicSet : StaticSet
+
+        wants_load_balancer = (set == DynamicSet && @ports.count > 0) || options[:loadbalancer]
+
+        instance_set_options = {
+          instance_profile: instance_profile,
+          depends_on: depends_on,
+          tags: tags,
+        }
+
+        if wants_load_balancer && @ports.any? { |p| p.has_key?(:health_check) }
+          instance_set_options[:health_check] = { type: "ELB", grace_period: options[:startup_grace_period] }
+        end
+
+        @instance_set = add! set.create_in(vpc, name, options.merge(instance_set_options))
+        @security_group = @instance_set.security_group
+
+        if wants_load_balancer
+          @load_balancer = add! LoadBalancer.create_in(
+                                  vpc, name, options.merge(
+                                    {
+                                      subnets: options[:loadbalancer_subnets],
+                                      tags: tags,
+                                    }
+                                  ),
+                                )
+
+          @load_balancer.attach(@instance_set)
+
+          if @load_balancer.type == "application"
+            @security_group = @load_balancer.security_group
+            @egress_security_group = @instance_set.security_group
+          end
+
+          vpc.zone.add_alias_in(self, name, @load_balancer.alias_config)
+        elsif set == StaticSet
+          vpc.zone.add_record_in(self, name, @instance_set.instances.map { |i| i.ip_address })
+          @instance_set.instances.each { |i|
+            @domain_names << vpc.zone.qualify(i.name)
+            vpc.zone.add_record_in(self, i.name, [i.ip_address])
+          }
+        end
+\
+        self
+      end
+
+      def with_endpoint_service(options = {})
+        add! EndpointService.create_for(@load_balancer, @name, options)
+      end
+
+    end
+
+  end
+
+end

data/lib/terrafying/components/staticset.rb

@@ -0,0 +1,153 @@
+
+require 'xxhash'
+
+require 'terrafying/components/instance'
+require 'terrafying/components/usable'
+
+require_relative './ports'
+
+module Terrafying
+
+  module Components
+
+    class StaticSet < Terrafying::Context
+
+      attr_reader :name, :instances
+
+      include Usable
+
+      def self.create_in(vpc, name, options={})
+        StaticSet.new.create_in vpc, name, options
+      end
+
+      def self.find_in(vpc, name)
+        StaticSet.new.find_in vpc, name
+      end
+
+      def initialize()
+        super
+      end
+
+      def find_in(vpc, name)
+        @name = name
+
+        raise 'unimplemented'
+
+        self
+      end
+
+      def create_in(vpc, name, options={})
+        options = {
+          public: false,
+          ami: aws.ami("base-image-59a5b709", owners=["136393635417"]),
+          instance_type: "t2.micro",
+          subnets: vpc.subnets.fetch(:private, []),
+          ports: [],
+          instances: [{}],
+          instance_profile: nil,
+          security_groups: [],
+          user_data: "",
+          tags: {},
+          ssh_group: vpc.ssh_group,
+          depends_on: [],
+          volumes: [],
+        }.merge(options)
+
+        ident = "#{tf_safe(vpc.name)}-#{name}"
+
+        @name = ident
+        @ports = enrich_ports(options[:ports])
+
+        @security_group = resource :aws_security_group, ident, {
+                                     name: "staticset-#{ident}",
+                                     description: "Describe the ingress and egress of the static set #{ident}",
+                                     tags: options[:tags],
+                                     vpc_id: vpc.id,
+                                     egress: [
+                                       {
+                                         from_port: 0,
+                                         to_port: 0,
+                                         protocol: -1,
+                                         cidr_blocks: ["0.0.0.0/0"],
+                                       }
+                                     ],
+                                   }
+
+        path_mtu_setup!
+
+        @instances = options[:instances].map.with_index do |config, i|
+          instance_ident = "#{name}-#{i}"
+
+          instance = add! Instance.create_in(
+                               vpc, instance_ident, options.merge(
+                                 {
+                                   subnets: options[:subnets],
+                                   security_groups: [@security_group] + options[:security_groups],
+                                   depends_on: options[:depends_on],
+                                   instance_profile: options[:instance_profile],
+                                   tags: {
+                                     staticset_name: ident,
+                                   }.merge(options[:tags])
+                                 }.merge(config)
+                               )
+                             )
+
+          options[:volumes].each.with_index { |volume, vol_i|
+            volume_for("#{instance_ident}-#{vol_i}", instance, volume, options[:tags])
+          }
+
+          instance
+        end
+
+        @ports.each { |port|
+          resource :aws_security_group_rule, "#{@name}-to-self-#{port[:name]}", {
+                     security_group_id: @security_group,
+                     type: "ingress",
+                     from_port: port[:upstream_port],
+                     to_port: port[:upstream_port],
+                     protocol: port[:type],
+                     self: true,
+                   }
+        }
+
+        self
+      end
+
+      def volume_for(name, instance, volume, tags)
+        vol_opts = {
+          availability_zone: instance.subnet.az,
+          size: volume[:size],
+          type: volume[:type] || 'gp2',
+          encrypted:  volume[:encrypted] || false,
+          kms_key_id: volume[:kms_key_id],
+          tags: {
+            Name: name
+          }.merge(tags)
+        }.reject { |_, v| v.nil? }
+
+        volume_id = resource :aws_ebs_volume, name, vol_opts
+
+        resource :aws_volume_attachment, name, {
+          device_name: volume[:device],
+          volume_id:   volume_id,
+          instance_id: instance.id,
+          force_detach: true
+        }
+      end
+
+      def attach_load_balancer(load_balancer)
+        @instances.product(load_balancer.target_groups).each.with_index { |(instance, target_group), i|
+          resource :aws_lb_target_group_attachment, "#{load_balancer.name}-#{@name}-#{i}", {
+                     target_group_arn: target_group,
+                     target_id: instance.id,
+                   }
+        }
+
+        self.used_by(load_balancer) if load_balancer.type == "application"
+      end
+
+    end
+
+  end
+
+end

data/lib/terrafying/components/subnet.rb

@@ -0,0 +1,105 @@
+
+require 'netaddr'
+
+require 'terrafying/generator'
+
+module Terrafying
+
+  module Components
+
+    CIDR_PADDING = 5
+
+    class Subnet < Terrafying::Context
+
+      attr_reader :id, :cidr, :az, :public, :route_table
+
+      def self.create_in(vpc, name, az, cidr, options={})
+        Subnet.new.create_in vpc, name, az, cidr, options
+      end
+
+      def self.find(id)
+        Subnet.new.find(id)
+      end
+
+      def initialize()
+        super
+      end
+
+      def find(id)
+        subnet = aws.subnet_by_id(id)
+
+        @id = id
+        @cidr = subnet.cidr_block
+        @az = subnet.availability_zone
+
+        begin
+          route_table = aws.route_table_for_subnet(id)
+        rescue
+          # fallback to main route table if ones not explicitly associated
+          route_table = aws.route_table_for_vpc(subnet.vpc_id)
+        end
+
+        @route_table = route_table.route_table_id
+        @public = route_table.routes.select { |r| r.destination_cidr_block == "0.0.0.0/0" }.first.gateway_id != nil
+
+        self
+      end
+
+      def create_in(vpc, name, az, cidr, options={})
+        options = {
+          tags: {},
+        }.merge(options)
+
+        ident = "#{tf_safe(vpc.name)}-#{name}-#{az}"
+
+        @cidr = cidr
+        @az = az
+        @id = resource :aws_subnet, ident, {
+                         vpc_id: vpc.id,
+                         cidr_block: cidr,
+                         availability_zone: az,
+                         tags: { Name: ident }.merge(options[:tags]),
+                       }
+
+        @route_table = resource :aws_route_table, ident, {
+                                  vpc_id: vpc.id,
+                                  tags: { Name: ident }.merge(options[:tags]),
+                                }
+
+
+
+        if options[:nat_gateway]
+          gateway = { nat_gateway_id: options[:nat_gateway] }
+          @public = false
+        elsif options[:gateway]
+          gateway = { gateway_id: options[:gateway] }
+          @public = true
+        else
+          gateway = nil
+          @public = false
+        end
+
+        if gateway
+          resource :aws_route, "#{ident}-default", {
+                     route_table_id: @route_table,
+                     destination_cidr_block: "0.0.0.0/0",
+                   }.merge(gateway)
+        end
+
+        resource :aws_route_table_association, ident, {
+                   subnet_id: @id,
+                   route_table_id: @route_table,
+                 }
+
+        self
+      end
+
+      def ip_addresses
+        NetAddr::CIDR.create(@cidr).enumerate.drop(CIDR_PADDING)
+      end
+
+    end
+
+  end
+
+end

data/lib/terrafying/components/support/deregister-vpn

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -euo pipefail
+
+app_id="${1}"
+tenant_id="${2}"
+new_fqdn="${3}"
+
+set +u
+if [[ ! -z $AZURE_USER ]] && [[ ! -z $AZURE_PASSWORD ]]
+then
+    set -u
+    az login --service-principal \
+       --allow-no-subscriptions \
+       -t "${tenant_id}" \
+       -u "${AZURE_USER}" \
+       -p "${AZURE_PASSWORD}" >/dev/null
+
+    function finish {
+        exit_code=$?
+        az logout
+        exit $exit_code
+    }
+    trap finish EXIT
+else
+    set -u
+fi
+
+app="$(az ad app show --id ${app_id})"
+
+function urls() {
+    echo ${app} | jq -r '.replyUrls | join("\n")'
+}
+
+if [[ $? == 0 ]]
+then
+  if urls | grep "${new_fqdn}" &>/dev/null
+  then
+      new_reply_urls="$(urls | grep -v "${new_fqdn}" | tr '\n' ' ')"
+
+      az ad app update --id ${app_id} --reply-urls ${new_reply_urls}
+  else
+    echo "Already doesn't contain a reply url for '${new_fqdn}'"
+  fi
+else
+  echo "App wasn't found"
+  exit 1
+fi