terrafying-components 1.9.4 → 1.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2ef900e4cc15b61abf78396071e7feffb6c834968d005eddacb23432289e571a
-  data.tar.gz: 2461a717bfdb0b7b173234c4001b088b676f2884f5f27fb01900e856aa741d61
+  metadata.gz: 0e0f9a35d9a157e53bd64710ea50fdf04683b4f89889db941b5986dc69bf99bb
+  data.tar.gz: 1c5a884ed70308bdcc23ad34e26618be3d09a58e80586724247865e5e7fefbd2
 SHA512:
-  metadata.gz: 5d5cc4bbeb7e72852cf93405db825530c6726adf7ffeda1c84b3de9bf01d13dbd63a423604ab6bee3fd3a7364eb80329ab4b441c80e6fcb8f03526d54cc30c04
-  data.tar.gz: 5a7d14501508e4ff6c430faf690ea7f0b87495d17b54490e0cd62613d7251bf5d069719055d2bac3d9c50488bf5d1d77e475ae627e25fadd9bf37e9372a98b54
+  metadata.gz: f73618b804791e70061c0d78688d05efffeebdc775674d6d26aec351746a08acea0cfa2af315f5b7ca766c6514f4ba4944beb5314397020bb22b8584d194193c
+  data.tar.gz: c8cc39bba9ec39f1b784de28450b26d533520f2baf21d760358333a63f19bb76e80d6a36e66c63e93c6acd1cfa568601c54a629897c0e2ef3c5d889e9599227d

data/lib/terrafying/components.rb

@@ -3,6 +3,7 @@ require 'terrafying/components/endpoint'
 require 'terrafying/components/endpointservice'
 require 'terrafying/components/selfsignedca'
 require 'terrafying/components/letsencrypt'
+require 'terrafying/components/prometheus'
 require 'terrafying/components/service'
 require 'terrafying/components/subnet'
 require 'terrafying/components/vpc'

data/lib/terrafying/components/dynamicset.rb

@@ -153,7 +153,6 @@ module Terrafying
           resource :aws_autoscaling_policy, policy_name, {
             name: policy_name,
             autoscaling_group_name: @asg,
-            adjustment_type: 'ChangeInCapacity',
             policy_type: 'TargetTrackingScaling',
             target_tracking_configuration: {
               predefined_metric_specification: {

data/lib/terrafying/components/loadbalancer.rb

@@ -119,12 +119,7 @@ module Terrafying
         @ports.each { |port|
           port_ident = "#{ident}-#{port[:downstream_port]}"
 
-          target_group = resource :aws_lb_target_group, port_ident, {
-                                    name: port_ident,
-                                    port: port[:downstream_port],
-                                    protocol: port[:type].upcase,
-                                    vpc_id: vpc.id,
-                                  }.merge(port.has_key?(:health_check) ? { health_check: port[:health_check] }: {})
+          default_action = port.key?(:action) ? port[:action] : forward_to_tg(port, port_ident, vpc)
 
           ssl_options = alb_certs(port, port_ident)
 
@@ -132,16 +127,10 @@ module Terrafying
                      load_balancer_arn: @id,
                      port: port[:upstream_port],
                      protocol: port[:type].upcase,
-                     default_action: {
-                       target_group_arn: target_group,
-                       type: "forward",
-                     },
+                     default_action: default_action,
                    }.merge(ssl_options)
 
-          @targets << Struct::Target.new(
-            target_group: target_group,
-            listener: listener
-          )
+          register_target(default_action[:target_group_arn], listener) if default_action[:type] == 'forward'
         }
 
         @alias_config = {
@@ -149,10 +138,30 @@ module Terrafying
           zone_id: output_of(:aws_lb, ident, :zone_id),
           evaluate_target_health: true,
         }
-
         self
       end
 
+      def forward_to_tg(port, port_ident, vpc)
+        target_group = resource :aws_lb_target_group, port_ident, {
+          name: port_ident,
+          port: port[:downstream_port],
+          protocol: port[:type].upcase,
+          vpc_id: vpc.id,
+        }.merge(port.key?(:health_check) ? { health_check: port[:health_check] }: {})
+
+        {
+          type: 'forward',
+          target_group_arn: target_group
+        }
+      end
+
+      def register_target(target_group, listener)
+        @targets << Struct::Target.new(
+          target_group: target_group,
+          listener: listener
+        )
+      end
+
       def alb_certs(port, port_ident)
         return {} unless port.key? :ssl_certificate
 

data/lib/terrafying/components/ports.rb

@@ -7,25 +7,57 @@ PORT_NAMES = {
 }
 
 def enrich_ports(ports)
-  ports.map { |port|
+  ports = add_upstream_downstream(ports)
+  ports = add_redirects(ports)
+  add_names(ports)
+end
+
+def add_upstream_downstream(ports)
+  ports.map do |port|
     if port.is_a?(Numeric)
       port = { upstream_port: port, downstream_port: port }
     end
 
-    if port.has_key?(:number)
+    if port.key?(:number)
       port[:upstream_port] = port[:number]
       port[:downstream_port] = port[:number]
     end
+    port
+  end
+end
 
-    port = {
-      type: "tcp",
-      name: PORT_NAMES.fetch(port[:upstream_port], port[:upstream_port].to_s),
-    }.merge(port)
-
+def add_redirects(ports)
+  ports.flat_map do |port|
+    if port.key? :redirect_http_from_port
+      redirect_port = redirect_http(port[:redirect_http_from_port], port[:upstream_port])
+      port.delete(:redirect_http_from_port)
+      return [port, redirect_port]
+    end
     port
+  end
+end
+
+def redirect_http(from_port, to_port)
+  {
+    upstream_port: from_port,
+    downstream_port: from_port,
+    type: 'http',
+    action: {
+      type: 'redirect',
+      redirect: { port: to_port, protocol: 'HTTPS', status_code: 'HTTP_301' }
+    }
   }
 end
 
+def add_names(ports)
+  ports.map do |port|
+    {
+      type: 'tcp',
+      name: PORT_NAMES.fetch(port[:upstream_port], port[:upstream_port].to_s),
+    }.merge(port)
+  end
+end
+
 def from_port(port)
   return port unless port_range?(port)
   port.split('-').first.to_i

data/lib/terrafying/components/prometheus.rb

@@ -0,0 +1,329 @@
+# frozen_string_literal: true
+
+require 'digest'
+require 'terrafying'
+require 'terrafying/components'
+
+module Terrafying
+  module Components
+    class Prometheus < Terrafying::Context
+      attr_reader :prometheus
+
+      def self.create_in(options)
+        new(**options).tap(&:create)
+      end
+
+      def self.find_in(vpc)
+        new(vpc: vpc).find
+      end
+
+      def initialize(
+        vpc:,
+        thanos_name: 'thanos',
+        thanos_version: 'master-2018-10-29-8f247d6',
+        prom_name: 'prometheus',
+        prom_version: 'v2.4.3'
+      )
+        super()
+        @vpc = vpc
+        @thanos_name = thanos_name
+        @thanos_version = thanos_version
+        @prom_name = prom_name
+        @prom_version = prom_version
+      end
+
+      def find
+        @security_group = aws.security_groups_in_vpc(
+          @vpc.id,
+          "dynamicset-#{@vpc.name}-#{@prom_name}"
+        )
+      end
+
+      def create
+        thanos_peers = @vpc.zone.qualify(@thanos_name)
+
+        @thanos = create_thanos(thanos_peers)
+        create_thanos_cloudwatch_alert(@thanos)
+
+        @prometheus = create_prom(thanos_peers)
+        @security_group = @prometheus.egress_security_group
+        create_prometheus_cloudwatch_alert(@prometheus)
+        allow_thanos_gossip(@prometheus.egress_security_group)
+
+        @prometheus.used_by_cidr(@vpc.cidr)
+        @thanos.used_by_cidr(@vpc.cidr)
+      end
+
+      def create_prom(thanos_peers)
+        add! Terrafying::Components::Service.create_in(
+          @vpc, @prom_name,
+          ports: [
+            {
+              type: 'http',
+              number: 9090,
+              health_check: { path: '/status', protocol: 'HTTP' }
+            }
+          ],
+          instance_type: 'm5.large',
+          iam_policy_statements: thanos_store_access,
+          instances: { max: 3, min: 1, desired: 2 },
+          units: [prometheus_unit, thanos_sidecar_unit(thanos_peers)],
+          files: [prometheus_conf, thanos_bucket]
+        )
+      end
+
+      def allow_thanos_gossip(security_group)
+        rule_ident = Digest::SHA2.hexdigest("#{security_group}-thanos-#{@vpc.name}")[0..24]
+        resource :aws_security_group_rule, rule_ident, {
+          security_group_id: security_group,
+          type:      'ingress',
+          from_port: 10900,
+          to_port:   10902,
+          protocol:  'tcp',
+          cidr_blocks: [@vpc.cidr]
+        }
+      end
+
+      def create_thanos(thanos_peers)
+        add! Terrafying::Components::Service.create_in(
+          @vpc, @thanos_name,
+          ports: [
+            {
+              number: 10902,
+              health_check: {
+                path: '/status',
+                protocol: 'HTTP'
+              }
+            },
+            {
+              number: 10901
+            },
+            {
+              number: 10900
+            }
+          ],
+          instance_type: 't3.medium',
+          units: [thanos_unit(thanos_peers)],
+          instances: { max: 3, min: 1, desired: 2 }
+        )
+      end
+
+      def prometheus_unit
+        {
+          name: 'prometheus.service',
+          contents: <<~PROM_UNIT
+            [Install]
+            WantedBy=multi-user.target
+             [Unit]
+            Description=Prometheus Service
+            After=docker.service
+            Requires=docker.service
+             [Service]
+            ExecStartPre=-/usr/bin/docker network create --driver bridge prom
+            ExecStartPre=-/usr/bin/docker kill prometheus
+            ExecStartPre=-/usr/bin/docker rm prometheus
+            ExecStartPre=/usr/bin/docker pull quay.io/prometheus/prometheus:#{@prom_version}
+            ExecStartPre=-/usr/bin/sed -i "s/{{HOST}}/%H/" /opt/prometheus/prometheus.yml
+            ExecStartPre=/usr/bin/install -d -o nobody -g nobody -m 0755 /opt/prometheus/data
+            ExecStart=/usr/bin/docker run --name prometheus \
+              -p 9090:9090 \
+              --network=prom \
+              -v /opt/prometheus:/opt/prometheus \
+              quay.io/prometheus/prometheus:#{@prom_version} \
+              --storage.tsdb.path=/opt/prometheus/data \
+              --storage.tsdb.retention=1d \
+              --storage.tsdb.min-block-duration=2h \
+              --storage.tsdb.max-block-duration=2h \
+              --config.file=/opt/prometheus/prometheus.yml \
+              --web.enable-lifecycle \
+              --log.level=warn
+            Restart=always
+            RestartSec=30
+          PROM_UNIT
+        }
+      end
+
+      def thanos_sidecar_unit(thanos_peers)
+        {
+          name: 'thanos.service',
+          contents: <<~THANOS_SIDE
+            [Install]
+            WantedBy=multi-user.target
+             [Unit]
+            Description=Thanos Service
+            After=docker.service prometheus.service
+            Requires=docker.service prometheus.service
+             [Service]
+            EnvironmentFile=/run/metadata/coreos
+            ExecStartPre=-/usr/bin/docker kill thanos
+            ExecStartPre=-/usr/bin/docker rm thanos
+            ExecStartPre=/usr/bin/docker pull improbable/thanos:#{@thanos_version}
+            ExecStart=/usr/bin/docker run --name thanos \
+              -p 10900-10902:10900-10902 \
+              -v /opt/prometheus:/opt/prometheus \
+              -v /opt/thanos:/opt/thanos \
+              --network=prom \
+              improbable/thanos:#{@thanos_version} \
+              sidecar \
+              --cluster.peers=#{thanos_peers}:10900 \
+              --cluster.advertise-address=$${COREOS_EC2_IPV4_LOCAL}:10900 \
+              --grpc-advertise-address=$${COREOS_EC2_IPV4_LOCAL}:10901 \
+              --prometheus.url=http://prometheus:9090 \
+              --tsdb.path=/opt/prometheus/data \
+              --objstore.config-file=/opt/thanos/bucket.yml \
+              --log.level=warn
+            Restart=always
+            RestartSec=30
+          THANOS_SIDE
+        }
+      end
+
+      def prometheus_conf
+        {
+          path: '/opt/prometheus/prometheus.yml',
+          mode: 0o644,
+          contents: <<~PROM
+            global:
+              external_labels:
+                monitor: prometheus
+                cluster: "#{@vpc.name}"
+                replica: {{HOST}}
+              scrape_interval: 15s
+            scrape_configs:
+            - job_name: "ec2"
+              params:
+                format: ["prometheus"]
+              ec2_sd_configs:
+              - region: eu-west-1
+                filters:
+                - name: vpc-id
+                  values: ["#{@vpc.id}"]
+                - name: tag-key
+                  values: ["prometheus_port"]
+              relabel_configs:
+              - source_labels: [__meta_ec2_private_ip, __meta_ec2_tag_prometheus_port]
+                replacement: $1:$2
+                regex: ([^:]+)(?::\\\\d+)?;(\\\\d+)
+                target_label: __address__
+              - source_labels: [__meta_ec2_instance_id]
+                target_label: instance_id
+              - source_labels: [__meta_ec2_tag_envoy_cluster]
+                target_label: envoy_cluster
+              - source_labels: [__meta_ec2_tag_prometheus_path]
+                regex: (.+)
+                replacement: $1
+                target_label: __metrics_path__
+          PROM
+        }
+      end
+
+      def thanos_unit(thanos_peers)
+        {
+          name: 'thanos.service',
+          contents: <<~THANOS_UNIT
+            [Install]
+            WantedBy=multi-user.target
+             [Unit]
+            Description=Thanos Service
+            After=docker.service
+            Requires=docker.service
+             [Service]
+            EnvironmentFile=/run/metadata/coreos
+            ExecStartPre=-/usr/bin/docker kill thanos
+            ExecStartPre=-/usr/bin/docker rm thanos
+            ExecStartPre=/usr/bin/docker pull improbable/thanos:#{@thanos_version}
+            ExecStart=/usr/bin/docker run --name thanos \
+              -p 10900-10902:10900-10902 \
+              improbable/thanos:#{@thanos_version} \
+              query \
+              --cluster.peers=#{thanos_peers}:10900 \
+              --cluster.advertise-address=$${COREOS_EC2_IPV4_LOCAL}:10900 \
+              --grpc-advertise-address=$${COREOS_EC2_IPV4_LOCAL}:10901 \
+              --query.replica-label=replica \
+              --log.level=warn
+            Restart=always
+            RestartSec=30
+          THANOS_UNIT
+        }
+      end
+
+      def thanos_bucket
+        {
+          path: '/opt/thanos/bucket.yml',
+          mode: 0o644,
+          contents: <<~S3CONF
+            type: S3
+            config:
+                bucket: uswitch-thanos-store
+                endpoint: s3.eu-west-1.amazonaws.com
+          S3CONF
+        }
+      end
+
+      def thanos_store_access
+        [
+          {
+            Action: ['ec2:DescribeInstances'],
+            Effect: 'Allow',
+            Resource: '*'
+          },
+          {
+            Action: [
+              's3:ListBucket',
+              's3:GetObject',
+              's3:DeleteObject',
+              's3:PutObject'
+            ],
+            Effect: 'Allow',
+            Resource: [
+              'arn:aws:s3:::uswitch-thanos-store/*',
+              'arn:aws:s3:::uswitch-thanos-store'
+            ]
+          }
+        ]
+      end
+
+      def expose_in(vpc)
+        @endpoint_service ||= @thanos.with_endpoint_service(acceptance_required: false)
+
+        options = {}
+        endpoint = add! @endpoint_service.expose_in(vpc, options)
+        endpoint.used_by_cidr(vpc.cidr)
+
+        endpoint
+      end
+
+      def cloudwatch_alarm(name, namespace, dimensions)
+        resource 'aws_cloudwatch_metric_alarm', name, {
+          alarm_name: name,
+          comparison_operator: 'GreaterThanOrEqualToThreshold',
+          evaluation_periods: '1',
+          metric_name: 'UnHealthyHostCount',
+          namespace: namespace,
+          period: '180',
+          threshold: '1',
+          statistic: 'Minimum',
+          alarm_description: "Monitoring #{name} target group host health",
+          dimensions: dimensions,
+          alarm_actions: ['arn:aws:sns:eu-west-1:136393635417:prometheus_cloudwatch_topic']
+        }
+      end
+
+      def create_prometheus_cloudwatch_alert(service)
+        cloudwatch_alarm service.name, 'AWS/ApplicationELB', {
+          LoadBalancer: output_of('aws_lb', service.load_balancer.name, 'arn_suffix'),
+          TargetGroup: service.load_balancer.targets.first.target_group.to_s.gsub(/id/, 'arn_suffix')
+        }
+      end
+
+      def create_thanos_cloudwatch_alert(service)
+        service.load_balancer.targets.each_with_index do |target, i|
+          cloudwatch_alarm "#{service.name}_#{i}", 'AWS/NetworkELB', {
+            LoadBalancer: output_of('aws_lb', service.load_balancer.name, 'arn_suffix'),
+            TargetGroup: target.target_group.to_s.gsub(/id/, 'arn_suffix')
+          }
+        end
+      end
+    end
+  end
+end

data/lib/terrafying/components/service.rb

@@ -58,7 +58,8 @@ module Terrafying
           subnets: vpc.subnets.fetch(:private, []),
           startup_grace_period: 300,
           depends_on: [],
-          audit_role: "arn:aws:iam::#{aws.account_id}:role/auditd_logging"
+          audit_role: "arn:aws:iam::#{aws.account_id}:role/auditd_logging",
+          metrics_ports: [],
         }.merge(options)
 
         unless options[:audit_role].nil?
@@ -117,6 +118,10 @@ module Terrafying
         @instance_set = add! set.create_in(vpc, name, options.merge(instance_set_options))
         @security_group = @instance_set.security_group
 
+        if options[:metrics_ports] && !options[:metrics_ports].empty?
+          allow_scrape(vpc, options[:metrics_ports], @security_group)
+        end
+
         if wants_load_balancer
           @load_balancer = add! LoadBalancer.create_in(
                                   vpc, name, options.merge(
@@ -146,6 +151,21 @@ module Terrafying
         self
       end
 
+      def allow_scrape(vpc, ports, security_group)
+        prom = Prometheus.find_in(vpc)
+        ports.each do |port|
+          sg_rule_ident = Digest::SHA256.hexdigest("#{vpc.name}-#{port}-#{security_group}-#{prom.security_group}")
+          resource :aws_security_group_rule, sg_rule_ident, {
+            security_group_id: security_group,
+            type: 'ingress',
+            from_port: port,
+            to_port: port,
+            protocol: 'tcp',
+            source_security_group_id: prom.security_group
+          }
+        end
+      end
+
       def with_endpoint_service(options = {})
         add! EndpointService.create_for(@load_balancer, @name, {
                                           fqdn: @domain_names[0],

data/lib/terrafying/components/version.rb

@@ -1,5 +1,5 @@
 module Terrafying
   module Components
-    VERSION = "1.9.4"
+    VERSION = "1.10.0"
   end
 end

data/lib/terrafying/components/zone.rb

@@ -55,7 +55,9 @@ module Terrafying
         }
 
         if options[:vpc]
-          zone_config[:vpc_id] = options[:vpc].id
+          zone_config[:vpc] = {
+            vpc_id: options[:vpc].id
+          }
 
           ident = tf_safe("#{options[:vpc].name}-#{ident}")
         end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terrafying-components
 version: !ruby/object:Gem::Version
-  version: 1.9.4
+  version: 1.10.0
 platform: ruby
 authors:
 - uSwitch Limited
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-26 00:00:00.000000000 Z
+date: 2018-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -114,6 +114,7 @@ files:
 - lib/terrafying/components/letsencrypt.rb
 - lib/terrafying/components/loadbalancer.rb
 - lib/terrafying/components/ports.rb
+- lib/terrafying/components/prometheus.rb
 - lib/terrafying/components/selfsignedca.rb
 - lib/terrafying/components/service.rb
 - lib/terrafying/components/staticset.rb