terrafying-components 1.4.3 → 1.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c445377d251318c7c321d2482081a0fea5d79e47fb09534a584e0560569495d8
-  data.tar.gz: 156972b6c25200b5b0bfc9721e7fe179230a8e61745c39ca0f9c70ced7b879c5
+  metadata.gz: 3577f779cfb8aaaefa37ed0ad43635a37ae154cb34dbc0a6442177dd2abc1786
+  data.tar.gz: 1ed1adf2f61d82697438d1338b99276405d04c6688f84047a297a6ae4bdf8a5e
 SHA512:
-  metadata.gz: 9802e7383383368c37b2df829ee2e79bc34470caab1eabbd447a48a8473d2b8306d9b2d577b39e1559e3fae9bb7a479d144b68a11739de6e50c9323a23292458
-  data.tar.gz: 3866dc90d8e9a0cdf6e5fba8633e76710dd356efd14e4c2a6b50ca8cf3cc57eb57aeab453c0d9d40b3afd3035c74ec02d3c8453bd937012c1facd0619bb1cfae
+  metadata.gz: 9b23eba0da42b8a9bfa34251c545699f8468bb14d16392ae271f032fec6d01399995a8aeef66c52ae58a3f84a2e080e67d2ad46dd38c22445631539681d21bcc
+  data.tar.gz: 3715ab338a9947a5c0697a41011a74b3f91335da4b68148498fd9a0a118457c8d1f15290b4cffbe6285191ebb0f2b4a73f3b88dbc85377eba4173cf10a1740d2

data/lib/hash/merge_with_arrays.rb

@@ -0,0 +1,7 @@
+class ::Hash
+  def merge_with_arrays_merged(newhash)
+    merge(newhash) do |_key, oldval, newval|
+      oldval.is_a?(Array) ? oldval | Array(newval) : newval
+    end
+  end
+end

data/lib/terrafying/components.rb

@@ -0,0 +1,10 @@
+
+require 'terrafying/components/endpoint'
+require 'terrafying/components/endpointservice'
+require 'terrafying/components/selfsignedca'
+require 'terrafying/components/letsencrypt'
+require 'terrafying/components/service'
+require 'terrafying/components/subnet'
+require 'terrafying/components/vpc'
+require 'terrafying/components/vpn'
+require 'terrafying/components/zone'

data/lib/terrafying/components/auditd.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+
+module Terrafying
+  module Components
+    class Auditd
+      def self.fluentd_conf(role, tags = [])
+        new.fluentd_conf(role, tags)
+      end
+
+      def fluentd_conf(role, tags)
+        tags = default_tags.merge(
+          custom_tags(tags)
+        )
+
+        {
+          files: [
+            systemd_input,
+            ec2_filter(tags),
+            s3_output(role)
+          ],
+          iam_policy_statements: [
+            allow_describe_instances,
+            allow_assume(role)
+          ]
+        }
+      end
+
+      def custom_tags(tags)
+        tags.map { |t| [t, wrap_tag(t)] }.to_h
+      end
+
+      def wrap_tag(t)
+        t = "tagset_#{t}" unless t.start_with? 'tagset_'
+        t.downcase
+      end
+
+      def default_tags
+        {
+          name:          'tagset_name',
+          instance_id:   'instance_id',
+          instance_type: 'instance_type',
+          private_ip:    'private_ip',
+          az:            'availability_zone',
+          vpc_id:        'vpc_id',
+          ami_id:        'image_id',
+          account_id:    'account_id'
+        }
+      end
+
+      def allow_describe_instances
+        {
+          Effect: 'Allow',
+          Action: %w[ec2:DescribeInstances ec2:DescribeTags ec2:DescribeRouteTables],
+          Resource: ['*']
+        }
+      end
+
+      def allow_assume(role)
+        {
+          Effect: 'Allow',
+          Action: ['sts:AssumeRole'],
+          Resource: [role]
+        }
+      end
+
+      def file_of(name, content)
+        {
+          path: "/etc/fluentd/conf.d/#{name}.conf",
+          mode: 0o644,
+          contents: content
+        }
+      end
+
+      def systemd_input
+        file_of(
+          '10_auditd_input_systemd',
+          <<~'SYSTEMD_INPUT'
+            <source>
+              @type systemd
+              tag auditd
+              filters [{ "_TRANSPORT": "audit" }, { "_COMM": "sshd" }]
+              path /fluentd/log/journal
+              read_from_head false
+              <storage>
+                @type local
+                persistent false
+                path /fluentd/var/audit.pos
+              </storage>
+              <entry>
+                field_map {
+                  "MESSAGE": "log",
+                  "_PID": ["process", "pid"],
+                  "_CMDLINE": "process",
+                  "_COMM": "cmd",
+                  "_AUDIT_SESSION": "audit_session",
+                  "_AUDIT_LOGINUID": "audit_loginuid"
+                }
+                fields_strip_underscores true
+                fields_lowercase true
+              </entry>
+            </source>
+          SYSTEMD_INPUT
+        )
+      end
+
+      def ec2_filter(tags)
+        file_of(
+          '20_auditd_filter_ec2',
+          <<~EC2_FILTER
+            <filter auditd>
+              @type ec2_metadata
+              metadata_refresh_seconds 300
+              <record>
+                #{map_tags(tags)}
+              </record>
+            </filter>
+          EC2_FILTER
+        )
+      end
+
+      def map_tags(tags)
+        tags.map { |k, v| "#{k} ${#{v}}" }
+            .reduce { |out, e| +out << "\n    #{e}" }
+      end
+
+      def s3_output(audit_role)
+        file_of(
+          '30_auditd_output_s3',
+          <<~S3_OUTPUT
+            <match auditd>
+              @type s3
+              <assume_role_credentials>
+                role_arn #{audit_role}
+                role_session_name "auditd-logging-\#{Socket.gethostname}"
+              </assume_role_credentials>
+              auto_create_bucket false
+              s3_bucket uswitch-auditd-logs
+              s3_region eu-west-1
+              acl bucket-owner-full-control
+              path auditd/%Y/%m/%d/
+              s3_object_key_format "\%{path}\%{time_slice}_\#{Socket.gethostname}.\%{file_extension}"
+              <buffer time>
+                @type file
+                path /fluent/var/s3
+                timekey 300 # 5 minute partitions
+                timekey_wait 0s
+                timekey_use_utc true
+              </buffer>
+              <format>
+                @type json
+              </format>
+            </match>
+          S3_OUTPUT
+        )
+      end
+    end
+  end
+end

data/lib/terrafying/components/ca.rb

@@ -0,0 +1,55 @@
+
+module Terrafying
+
+  module Components
+
+    module CA
+
+      def create_keypair(name, options={})
+        create_keypair_in(self, name, options)
+      end
+
+      def reference_keypair(ctx, name)
+        key_ident = "#{@name}-#{tf_safe(name)}"
+
+        ref = {
+          name: name,
+          ca: self,
+          source: {
+            cert: File.join("s3://", @bucket, @prefix, @name, name, "cert"),
+            key: File.join("s3://", @bucket, @prefix, @name, name, "key"),
+          },
+          resources: [
+            "aws_s3_bucket_object.#{key_ident}-key",
+            "aws_s3_bucket_object.#{key_ident}-cert"
+          ],
+          iam_statement: {
+            Effect: "Allow",
+            Action: [
+              "s3:GetObjectAcl",
+              "s3:GetObject",
+            ],
+            Resource: [
+              "arn:aws:s3:::#{File.join(@bucket, @prefix, @name, "ca.cert")}",
+              "arn:aws:s3:::#{File.join(@bucket, @prefix, @name, name, "cert")}",
+              "arn:aws:s3:::#{File.join(@bucket, @prefix, @name, name, "key")}",
+            ]
+          }
+        }
+
+        if self == ctx
+          ref[:resources] << "aws_s3_bucket_object.#{@name}-cert"
+        end
+
+        ref
+      end
+
+      def <=>(other)
+        @name <=> other.name
+      end
+
+    end
+
+  end
+
+end

data/lib/terrafying/components/dynamicset.rb

@@ -0,0 +1,229 @@
+
+require 'terrafying/components/usable'
+
+require_relative './ports'
+
+module Terrafying
+
+  module Components
+
+    class DynamicSet < Terrafying::Context
+
+      attr_reader :name, :asg
+
+      include Usable
+
+      def self.create_in(vpc, name, options={})
+        DynamicSet.new.create_in vpc, name, options
+      end
+
+      def self.find_in(vpc, name)
+        DynamicSet.new.find_in vpc, name
+      end
+
+      def initialize()
+        super
+      end
+
+      def find_in(vpc, name)
+        @name = "#{vpc.name}-#{name}"
+
+        self
+      end
+
+      def create_in(vpc, name, options={})
+        options = {
+          public: false,
+          ami: aws.ami("base-image-59a5b709", owners=["136393635417"]),
+          instance_type: "t2.micro",
+          instances: { min: 1, max: 1, desired: 1, tags: {} },
+          ports: [],
+          instance_profile: nil,
+          security_groups: [],
+          tags: {},
+          ssh_group: vpc.ssh_group,
+          subnets: vpc.subnets.fetch(:private, []),
+          depends_on: [],
+          rolling_update: :simple,
+        }.merge(options)
+
+        ident = "#{tf_safe(vpc.name)}-#{name}"
+
+        @name = ident
+        @ports = enrich_ports(options[:ports])
+
+        @security_group = resource :aws_security_group, ident, {
+                                     name: "dynamicset-#{ident}",
+                                     description: "Describe the ingress and egress of the service #{ident}",
+                                     tags: options[:tags],
+                                     vpc_id: vpc.id,
+                                     egress: [
+                                       {
+                                         from_port: 0,
+                                         to_port: 0,
+                                         protocol: -1,
+                                         cidr_blocks: ["0.0.0.0/0"],
+                                       }
+                                     ],
+                                   }
+
+        path_mtu_setup!
+
+        launch_config = resource :aws_launch_configuration, ident, {
+                                   name_prefix: "#{ident}-",
+                                   image_id: options[:ami],
+                                   instance_type: options[:instance_type],
+                                   user_data: options[:user_data],
+                                   iam_instance_profile: options[:instance_profile] && options[:instance_profile].id,
+                                   associate_public_ip_address: options[:public],
+                                   root_block_device: {
+                                     volume_type: 'gp2',
+                                     volume_size: 32,
+                                   },
+                                   security_groups: [
+                                     vpc.internal_ssh_security_group,
+                                     @security_group,
+                                   ].push(*options[:security_groups]),
+                                   lifecycle: {
+                                     create_before_destroy: true,
+                                   },
+                                   depends_on: options[:instance_profile] ? options[:instance_profile].resource_names : [],
+                                 }
+
+        if options[:instances][:track]
+          instances = instances_by_tags(Name: ident)
+          if instances
+            options[:instances] = options[:instances].merge(instances)
+          end
+        end
+
+        if options.has_key?(:health_check)
+          raise 'Health check needs a type and grace_period' if ! options[:health_check].has_key?(:type) and ! options[:health_check].has_key?(:grace_period)
+        else
+          options = {
+            health_check: {
+              type: "EC2",
+              grace_period: 0
+            },
+          }.merge(options)
+        end
+        tags = { Name: ident, service_name: name,}.merge(options[:tags]).merge(options[:instances][:tags]).map { |k,v| { Key: k, Value: v, PropagateAtLaunch: true }}
+
+        asg = resource :aws_cloudformation_stack, ident, {
+                         name: ident,
+                         disable_rollback: true,
+                         template_body: generate_template(
+                           options[:health_check], options[:instances], launch_config,
+                           options[:subnets].map(&:id), tags, options[:rolling_update]
+                         ),
+                       }
+
+        @asg = output_of(:aws_cloudformation_stack, ident, 'outputs["AsgName"]')
+
+        self
+      end
+
+      def attach_load_balancer(load_balancer)
+        load_balancer.target_groups.each.with_index { |target_group, i|
+          resource :aws_autoscaling_attachment, "#{load_balancer.name}-#{@name}-#{i}", {
+                     autoscaling_group_name: @asg,
+                     alb_target_group_arn: target_group
+                   }
+        }
+
+        self.used_by(load_balancer) if load_balancer.type == "application"
+      end
+
+      def generate_template(health_check, instances, launch_config, subnets,tags, rolling_update)
+        template = {
+          Resources: {
+            AutoScalingGroup: {
+              Type: "AWS::AutoScaling::AutoScalingGroup",
+              Properties: {
+                Cooldown: "300",
+                HealthCheckType: "#{health_check[:type]}",
+                HealthCheckGracePeriod: health_check[:grace_period],
+                LaunchConfigurationName: "#{launch_config}",
+                MaxSize: "#{instances[:max]}",
+                MetricsCollection: [
+                  {
+                    Granularity: "1Minute",
+                    Metrics: [
+                      "GroupMinSize",
+                      "GroupMaxSize",
+                      "GroupDesiredCapacity",
+                      "GroupInServiceInstances",
+                      "GroupPendingInstances",
+                      "GroupStandbyInstances",
+                      "GroupTerminatingInstances",
+                      "GroupTotalInstances"
+                    ]
+                  },
+                ],
+                MinSize: "#{instances[:min]}",
+                DesiredCapacity: "#{instances[:desired]}",
+                Tags: tags,
+                TerminationPolicies: [
+                  "Default"
+                ],
+                VPCZoneIdentifier: subnets
+              }
+            }
+          },
+          Outputs: {
+            AsgName: {
+              Description: "The name of the auto scaling group",
+              Value: {
+                Ref: "AutoScalingGroup",
+              },
+            },
+          },
+        }
+
+        if rolling_update == :signal
+          template[:Resources][:AutoScalingGroup][:UpdatePolicy] = {
+            AutoScalingRollingUpdate: {
+              MinInstancesInService: "#{instances[:desired]}",
+              MaxBatchSize: "#{instances[:desired]}",
+              PauseTime: "PT10M",
+              WaitOnResourceSignals: true,
+            }
+          }
+        elsif rolling_update
+          template[:Resources][:AutoScalingGroup][:UpdatePolicy] = {
+            AutoScalingRollingUpdate: {
+              MinInstancesInService: "#{instances[:min]}",
+              MaxBatchSize: "1",
+              PauseTime: "PT0S"
+            }
+          }
+        end
+
+        JSON.pretty_generate(template)
+      end
+
+      def instances_by_tags(tags = {})
+        begin
+          asgs = aws.asgs_by_tags(tags)
+
+          if asgs.count != 1
+            raise "Didn't find only one ASG :("
+          end
+
+          instances = {
+            min: asgs[0].min_size,
+            max: asgs[0].max_size,
+            desired: asgs[0].desired_capacity,
+          }
+        rescue RuntimeError => err
+          $stderr.puts("instances_by_tags: #{err}")
+          instances = nil
+        end
+
+        instances
+      end
+    end
+
+  end
+
+end