terrafying-components 2.4.4 → 2.4.5
- checksums.yaml +4 -4
- data/lib/terrafying/components/auditd.rb +73 -39
- data/lib/terrafying/components/cloudconfig.rb +52 -0
- data/lib/terrafying/components/prometheus.rb +4 -0
- data/lib/terrafying/components/service.rb +9 -3
- data/lib/terrafying/components/templates/cloudconfig.yaml +62 -0
- data/lib/terrafying/components/version.rb +1 -1
- data/lib/terrafying/components/vpn_oidc.rb +26 -1
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 1ac3e2c81fcce31c9eb2a7f055cefa5a8e1ece7497a0bfd46015be371777b373
|
4
|
+
data.tar.gz: 54e8efdb2687a96cf2c9dccdf1c6b74534df8416f0545cbfb0e4359e7a67a4d6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2617ac149143c69ef6158686906b71ecead34c265ff583883fb8f8ee7c061148df10f161e3a7823c6ed4fa0a0d5b267b690af0567acc827e5db7003aa6ea4ae9
|
7
|
+
data.tar.gz: 7763c6b7fff418dd0e7c3df9c91459db585301334f9e788d8ee1438c899698d7cda56adb0927e4591ae9290a20df385869fee509f406fee240452ce3a85583ee
|
@@ -3,11 +3,11 @@
|
|
3
3
|
module Terrafying
|
4
4
|
module Components
|
5
5
|
class Auditd
|
6
|
-
def self.fluentd_conf(role, tags = [])
|
7
|
-
new.fluentd_conf(role, tags)
|
6
|
+
def self.fluentd_conf(ignition, role, tags = [])
|
7
|
+
new.fluentd_conf(ignition, role, tags)
|
8
8
|
end
|
9
9
|
|
10
|
-
def fluentd_conf(role, tags)
|
10
|
+
def fluentd_conf(ignition, role, tags)
|
11
11
|
tags = default_tags.merge(
|
12
12
|
custom_tags(tags)
|
13
13
|
)
|
@@ -15,8 +15,8 @@ module Terrafying
|
|
15
15
|
{
|
16
16
|
files: [
|
17
17
|
systemd_input,
|
18
|
-
ec2_filter(tags),
|
19
|
-
s3_output(role)
|
18
|
+
ec2_filter(ignition, tags),
|
19
|
+
s3_output(ignition, role)
|
20
20
|
],
|
21
21
|
iam_policy_statements: [
|
22
22
|
allow_describe_instances,
|
@@ -103,7 +103,7 @@ module Terrafying
|
|
103
103
|
)
|
104
104
|
end
|
105
105
|
|
106
|
-
def ec2_filter(tags)
|
106
|
+
def ec2_filter(ignition, tags)
|
107
107
|
file_of(
|
108
108
|
'20_auditd_filter_ec2',
|
109
109
|
<<~EC2_FILTER
|
@@ -111,47 +111,81 @@ module Terrafying
|
|
111
111
|
@type ec2_metadata
|
112
112
|
metadata_refresh_seconds 300
|
113
113
|
<record>
|
114
|
-
#{map_tags(tags)}
|
114
|
+
#{map_tags(ignition, tags)}
|
115
115
|
</record>
|
116
116
|
</filter>
|
117
117
|
EC2_FILTER
|
118
118
|
)
|
119
119
|
end
|
120
120
|
|
121
|
-
def map_tags(tags)
|
122
|
-
|
123
|
-
|
121
|
+
def map_tags(ignition, tags)
|
122
|
+
if ignition == false
|
123
|
+
return tags.map { |k, v| "#{k} $${#{v}}" }
|
124
|
+
.reduce { |out, e| +out << "\n #{e}" }
|
125
|
+
end
|
126
|
+
return tags.map { |k, v| "#{k} ${#{v}}" }
|
127
|
+
.reduce { |out, e| +out << "\n #{e}" }
|
124
128
|
end
|
125
129
|
|
126
|
-
def s3_output(audit_role)
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
130
|
+
def s3_output(ignition, audit_role)
|
131
|
+
if ignition == false
|
132
|
+
return file_of(
|
133
|
+
'30_auditd_output_s3',
|
134
|
+
<<~S3_OUTPUT
|
135
|
+
<match auditd>
|
136
|
+
@type s3
|
137
|
+
<assume_role_credentials>
|
138
|
+
role_arn #{audit_role}
|
139
|
+
role_session_name "auditd-logging-\#{Socket.gethostname}"
|
140
|
+
</assume_role_credentials>
|
141
|
+
auto_create_bucket false
|
142
|
+
s3_bucket uswitch-auditd-logs
|
143
|
+
s3_region eu-west-1
|
144
|
+
acl bucket-owner-full-control
|
145
|
+
path auditd/%Y/%m/%d/
|
146
|
+
s3_object_key_format "\%%{path}\%%{time_slice}_\#{Socket.gethostname}.\%%{file_extension}"
|
147
|
+
<buffer time>
|
148
|
+
@type file
|
149
|
+
path /fluent/var/s3
|
150
|
+
timekey 300 # 5 minute partitions
|
151
|
+
timekey_wait 0s
|
152
|
+
timekey_use_utc true
|
153
|
+
</buffer>
|
154
|
+
<format>
|
155
|
+
@type json
|
156
|
+
</format>
|
157
|
+
</match>
|
158
|
+
S3_OUTPUT
|
159
|
+
)
|
160
|
+
end
|
161
|
+
return file_of(
|
162
|
+
'30_auditd_output_s3',
|
163
|
+
<<~S3_OUTPUT
|
164
|
+
<match auditd>
|
165
|
+
@type s3
|
166
|
+
<assume_role_credentials>
|
167
|
+
role_arn #{audit_role}
|
168
|
+
role_session_name "auditd-logging-\#{Socket.gethostname}"
|
169
|
+
</assume_role_credentials>
|
170
|
+
auto_create_bucket false
|
171
|
+
s3_bucket uswitch-auditd-logs
|
172
|
+
s3_region eu-west-1
|
173
|
+
acl bucket-owner-full-control
|
174
|
+
path auditd/%Y/%m/%d/
|
175
|
+
s3_object_key_format "\%{path}\%{time_slice}_\#{Socket.gethostname}.\%{file_extension}"
|
176
|
+
<buffer time>
|
177
|
+
@type file
|
178
|
+
path /fluent/var/s3
|
179
|
+
timekey 300 # 5 minute partitions
|
180
|
+
timekey_wait 0s
|
181
|
+
timekey_use_utc true
|
182
|
+
</buffer>
|
183
|
+
<format>
|
184
|
+
@type json
|
185
|
+
</format>
|
186
|
+
</match>
|
187
|
+
S3_OUTPUT
|
188
|
+
)
|
155
189
|
end
|
156
190
|
end
|
157
191
|
end
|
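Review bot: `s3_output` now carries two copies of a ~25-line fluentd `<match>` block whose only difference is the `s3_object_key_format` line (`\%%{…}` for the cloud-config path, `\%{…}` for Ignition), and `map_tags` repeats its two lines the same way for `$${…}` versus `${…}`; the branch should be reduced to the escape prefix so the two outputs cannot drift apart. For example `pct = ignition == false ? '%%' : '%'` followed by a single heredoc containing `s3_object_key_format "#{pct}{path}#{pct}{time_slice}_\#{Socket.gethostname}.#{pct}{file_extension}"`, and in `map_tags` `dollar = ignition == false ? '$$' : '$'` with `"#{k} #{dollar}{#{v}}"`. The explicit `return` on both branches of each method is unidiomatic here, since the `file_of(...)` call is already the last expression. Note that the `ignition == false` test routes `nil` to the Ignition output; if that is intended it deserves a comment such as `# only an explicit false selects cloud-config escaping`.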
@@ -0,0 +1,52 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# this file is copied from ignition.rb: https://github.com/uswitch/terrafying-components/blob/master/lib/terrafying/components/ignition.rb
|
4
|
+
|
5
|
+
require 'erb'
|
6
|
+
require 'ostruct'
|
7
|
+
require 'yaml'
|
8
|
+
|
9
|
+
module Terrafying
|
10
|
+
module Components
|
11
|
+
class Cloudconfig
|
12
|
+
UNIT_REQUIRED_KEYS = [:name].freeze
|
13
|
+
FILE_REQUIRED_KEYS = %i[path mode contents].freeze
|
14
|
+
|
15
|
+
def self.generate(options = {})
|
16
|
+
options = {
|
17
|
+
keypairs: [],
|
18
|
+
volumes: [],
|
19
|
+
files: [],
|
20
|
+
units: [],
|
21
|
+
users: [],
|
22
|
+
networkd_units: [],
|
23
|
+
ssh_group: 'cloud',
|
24
|
+
disable_update_engine: false,
|
25
|
+
region: Terrafying::Generator.aws.region
|
26
|
+
}.merge(options)
|
27
|
+
|
28
|
+
unless options[:units].all? { |u| UNIT_REQUIRED_KEYS.all? { |key| u.key?(key) } }
|
29
|
+
raise "All units require the following keys: #{UNIT_REQUIRED_KEYS}"
|
30
|
+
end
|
31
|
+
|
32
|
+
unless options[:units].all? { |u| u.key?(:contents) || u.key?(:dropins) || u.fetch(:enabled, true) == false || u.fetch(:mask, false) == true }
|
33
|
+
raise 'All enabled unmasked units have to have contents and/or dropins'
|
34
|
+
end
|
35
|
+
|
36
|
+
unless options[:files].all? { |f| FILE_REQUIRED_KEYS.all? { |key| f.key?(key) } }
|
37
|
+
raise "All files require the following keys: #{FILE_REQUIRED_KEYS}"
|
38
|
+
end
|
39
|
+
|
40
|
+
options[:cas] = options[:keypairs].map { |kp| kp[:ca] }.compact.sort.uniq
|
41
|
+
|
42
|
+
# changes apart from ignition.rb
|
43
|
+
# changed template file to cloudconfig.yaml
|
44
|
+
erb_path = File.join(File.dirname(__FILE__), 'templates/cloudconfig.yaml')
|
45
|
+
erb = ERB.new(IO.read(erb_path), nil, '-')
|
46
|
+
# instead of ignition json, we'll output the yaml file
|
47
|
+
erb.result(OpenStruct.new(options).instance_eval { binding })
|
48
|
+
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
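Review bot: `ERB.new(IO.read(erb_path), nil, '-')` on line 45 uses the positional safe_level/trim_mode form, which has warned as deprecated since Ruby 2.6 and is removed in newer ERB releases; the keyword form `erb = ERB.new(File.read(erb_path), trim_mode: '-')` is the replacement, and `File.read` also avoids the pipe-spawning behaviour `IO.read` has on `|`-prefixed paths (harmless with a `__FILE__`-derived path, but a lint target). The validation on line 32 deliberately admits units that have only `dropins`, are disabled, or are masked, yet the cloud-config template this class renders reads `unit[:contents]` for every unit, so such a unit will raise `NoMethodError` on `nil` at render time; either reject those shapes on this path or filter them out before rendering. `require 'yaml'` is unused — the method returns the raw ERB string — and if it is kept it would be better spent emitting the `write_files` scalars rather than hand-escaping them in the template.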
@@ -24,6 +24,7 @@ module Terrafying
|
|
24
24
|
prom_name: 'prometheus',
|
25
25
|
prom_version: 'v2.25.0',
|
26
26
|
instances: 2,
|
27
|
+
ami:'',
|
27
28
|
instance_type: 't3a.small',
|
28
29
|
thanos_instance_type: 't3a.small',
|
29
30
|
prometheus_tsdb_retention: '1d',
|
@@ -38,6 +39,7 @@ module Terrafying
|
|
38
39
|
@prom_name = prom_name
|
39
40
|
@prom_version = prom_version
|
40
41
|
@instances = instances
|
42
|
+
@ami = ami
|
41
43
|
@prometheus_instance_type = instance_type
|
42
44
|
@thanos_instance_type = thanos_instance_type
|
43
45
|
@prometheus_tsdb_retention = prometheus_tsdb_retention
|
@@ -96,6 +98,7 @@ module Terrafying
|
|
96
98
|
instance_type: @prometheus_instance_type,
|
97
99
|
iam_policy_statements: thanos_store_access,
|
98
100
|
instances: [{}] * @instances,
|
101
|
+
ami: @ami,
|
99
102
|
units: [prometheus_unit, thanos_sidecar_unit],
|
100
103
|
files: [prometheus_conf, thanos_bucket],
|
101
104
|
volumes: [prometheus_data_volume],
|
@@ -129,6 +132,7 @@ module Terrafying
|
|
129
132
|
}
|
130
133
|
],
|
131
134
|
instance_type: @thanos_instance_type,
|
135
|
+
ami: @ami,
|
132
136
|
units: [thanos_unit(prometheus_thanos_sidecar_srv_fqdn)],
|
133
137
|
instances: [{}] * @instances,
|
134
138
|
loadbalancer: true,
|
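Review bot: The new `ami: ''` default (line 27) is passed straight through as `ami: @ami` to both `Service.create_in` calls, and `Service.create_in` merges caller options over its own `ami: aws.ami('base-image-fc-75aa2aef', ...)` default (visible in the service.rb section), so every existing Prometheus caller that never set `ami` now ends up with an empty AMI id instead of the base image. Unless something downstream discards empty strings, this is a regression; defaulting to `ami: nil` and passing the key only when set — `**(@ami ? { ami: @ami } : {}),` in place of `ami: @ami,` — keeps the old behaviour. `vpn_oidc.rb` has the identical pattern (`ami: ''` default in `initialize` and `ami:@ami` in its `Service.create_in` call). The `initialize` and `create_in` bodies these hunks touch extend beyond the hunks.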
@@ -5,6 +5,7 @@ require 'hash/merge_with_arrays'
|
|
5
5
|
require 'terrafying/generator'
|
6
6
|
require 'terrafying/util'
|
7
7
|
require 'terrafying/components/auditd'
|
8
|
+
require 'terrafying/components/cloudconfig'
|
8
9
|
require 'terrafying/components/dynamicset'
|
9
10
|
require 'terrafying/components/endpointservice'
|
10
11
|
require 'terrafying/components/ignition'
|
@@ -42,6 +43,7 @@ module Terrafying
|
|
42
43
|
def create_in(vpc, name, options = {})
|
43
44
|
options = {
|
44
45
|
ami: aws.ami('base-image-fc-75aa2aef', owners = ['477284023816']),
|
46
|
+
ignition: true,
|
45
47
|
instance_type: 't3a.micro',
|
46
48
|
ports: [],
|
47
49
|
instances: [{}],
|
@@ -66,12 +68,16 @@ module Terrafying
|
|
66
68
|
}.merge(options)
|
67
69
|
|
68
70
|
unless options[:audit_role].nil?
|
69
|
-
fluentd_conf = Auditd.fluentd_conf(options[:audit_role], options[:tags].keys)
|
71
|
+
fluentd_conf = Auditd.fluentd_conf(options[:ignition], options[:audit_role], options[:tags].keys)
|
70
72
|
options = options.merge_with_arrays_merged(fluentd_conf)
|
71
73
|
end
|
72
74
|
|
73
|
-
unless options.key? :user_data
|
74
|
-
options[:
|
75
|
+
unless options.key? :user_data
|
76
|
+
if options[:ignition] == true
|
77
|
+
options[:user_data] = Ignition.generate(options)
|
78
|
+
elsif options[:ignition] == false
|
79
|
+
options[:user_data] = Cloudconfig.generate(options)
|
80
|
+
end
|
75
81
|
end
|
76
82
|
|
77
83
|
unless options.key?(:loadbalancer_subnets)
|
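Review bot: The new `user_data` branch (lines 76–80) only handles `ignition == true` and `ignition == false`; any other value a caller passes (`nil`, a string, a Terraform reference) silently leaves `:user_data` unset and yields an instance with no provisioning, while `Auditd.fluentd_conf` on line 71 treats everything except `false` as Ignition, so the two call sites can disagree for the same option. Validating once right after the merge — `raise ArgumentError, 'ignition must be true or false' unless [true, false].include?(options[:ignition])` — makes the flag strict and lets the branch collapse to `options[:user_data] = options[:ignition] ? Ignition.generate(options) : Cloudconfig.generate(options)`. `create_in` continues beyond this hunk.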
@@ -0,0 +1,62 @@
|
|
1
|
+
#cloud-config
|
2
|
+
write_files:
|
3
|
+
<% units.each { |unit| %>
|
4
|
+
- path: "/etc/systemd/system/<%= unit[:name] %>"
|
5
|
+
content: "<%= unit[:contents].dump[1..-2] %>"
|
6
|
+
owner: "root:root"
|
7
|
+
<% } %>
|
8
|
+
|
9
|
+
<% files.each { |file| %>
|
10
|
+
- path: <%= file[:path] %>
|
11
|
+
permissions: '<%= file[:mode] %>'
|
12
|
+
owner: "root:root"
|
13
|
+
<% if !file[:contents].is_a?(Hash) %>
|
14
|
+
content: "<%= file[:contents].gsub(/\n/, '\\n').gsub(/\"/, '\\"') %>"
|
15
|
+
<% end %>
|
16
|
+
<% } %>
|
17
|
+
|
18
|
+
<% volumes.each { |volume| %>
|
19
|
+
- path: "/etc/systemd/system/<%= volume[:mount].tr('/','-')[1..-1] %>.mount"
|
20
|
+
owner: "root:root"
|
21
|
+
content: |
|
22
|
+
[Install]
|
23
|
+
WantedBy=local-fs.target
|
24
|
+
[Unit]
|
25
|
+
Before=docker.service
|
26
|
+
[Mount]
|
27
|
+
What=<%= volume[:device] %>
|
28
|
+
Where=<%= volume[:mount] %>
|
29
|
+
Type=ext4
|
30
|
+
<% } %>
|
31
|
+
|
32
|
+
- path: '/etc/usersync.env'
|
33
|
+
permissions: 0644
|
34
|
+
owner: "root:root"
|
35
|
+
content: |
|
36
|
+
USERSYNC_SSH_GROUP="<%= ssh_group %>"
|
37
|
+
|
38
|
+
|
39
|
+
runcmd:
|
40
|
+
<% units.each { |unit| %>
|
41
|
+
- systemctl restart <%= unit[:name] %>
|
42
|
+
- systemctl enable <%= unit[:name] %>
|
43
|
+
<% } %>
|
44
|
+
<% keypairs.each { |keypair| %>
|
45
|
+
- aws s3 cp <%= keypair[:source][:cert] %> <%= keypair[:path][:cert] %>
|
46
|
+
- aws s3 cp <%= keypair[:source][:key] %> <%= keypair[:path][:key] %>
|
47
|
+
<% } %>
|
48
|
+
<% cas.each { |ca| %>
|
49
|
+
- aws s3 cp <%= ca.source %> /etc/ssl/<%= ca.name %>/ca.cert
|
50
|
+
<% } %>
|
51
|
+
|
52
|
+
<% files.each { |file| %>
|
53
|
+
<% if file[:contents].is_a?(Hash) %>
|
54
|
+
- aws s3 cp <%= file[:contents][:source] %> <%= file[:path] %>
|
55
|
+
<% end %>
|
56
|
+
<% } %>
|
57
|
+
|
58
|
+
<% volumes.each { |volume| %>
|
59
|
+
- mkfs -t ext4 <%= volume[:device] %>
|
60
|
+
- mount <%= volume[:device] %> <%= volume[:mount].tr('/','-')[1..-1] %>
|
61
|
+
- systemctl enable <%= volume[:mount].tr('/','-')[1..-1] %>.mount
|
62
|
+
<% } %>
|
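Review bot: The `runcmd` line `mount <%= volume[:device] %> <%= volume[:mount].tr('/','-')[1..-1] %>` mounts the device at a relative path built from the systemd unit name (a `/data` mount becomes `data`), not at `volume[:mount]`; since the `.mount` unit written above already carries `Where=`, `- mkdir -p <%= volume[:mount] %>` followed by `- systemctl enable --now <%= volume[:mount].tr('/','-')[1..-1] %>.mount` replaces both the `mount` and `systemctl enable` lines consistently. `mkfs -t ext4` runs unconditionally on first boot, which reformats a re-attached volume that already holds data; guard it, e.g. `- blkid <%= volume[:device] %> || mkfs -t ext4 <%= volume[:device] %>`. The unit loops ignore `enabled:` and `mask:` — every unit is restarted and enabled, including ones the Ruby side marks `enabled: false` — and read `unit[:contents]` for units that may only carry `dropins`, which raises on `nil`. The file branch escapes only newlines and double quotes, so a backslash in `file[:contents]` corrupts the YAML scalar; `<%= file[:contents].dump[1..-2] %>`, as the units branch already does, or a JSON/YAML-emitted string is safer.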
@@ -35,6 +35,8 @@ module Terrafying
|
|
35
35
|
def initialize(
|
36
36
|
vpc:,
|
37
37
|
name:,
|
38
|
+
ignition: true,
|
39
|
+
ami: '',
|
38
40
|
client_id:,
|
39
41
|
issuer_url:,
|
40
42
|
ca: nil,
|
@@ -53,6 +55,8 @@ module Terrafying
|
|
53
55
|
super()
|
54
56
|
@vpc = vpc
|
55
57
|
@name = name
|
58
|
+
@ignition = ignition
|
59
|
+
@ami = ami
|
56
60
|
@client_id = client_id
|
57
61
|
@issuer_url = issuer_url
|
58
62
|
@ca = ca
|
@@ -74,6 +78,7 @@ module Terrafying
|
|
74
78
|
def create_in
|
75
79
|
units = [
|
76
80
|
openvpn_service,
|
81
|
+
add_iptables_rules_service,
|
77
82
|
openvpn_authz_service(@ca, @fqdn, @route_all_traffic, @route_dns_entries, @groups, @client_id, @issuer_url),
|
78
83
|
]
|
79
84
|
|
@@ -100,10 +105,12 @@ module Terrafying
|
|
100
105
|
@service = add! Service.create_in(
|
101
106
|
@vpc, @name,
|
102
107
|
{
|
108
|
+
ignition: @ignition,
|
103
109
|
eip: @public,
|
104
110
|
public: @public,
|
105
111
|
ports: [22, 443, { number: 1194, type: 'udp' }],
|
106
112
|
tags:@tags,
|
113
|
+
ami:@ami,
|
107
114
|
units: units + @units,
|
108
115
|
files: files,
|
109
116
|
keypairs: keypairs,
|
@@ -243,6 +250,24 @@ module Terrafying
|
|
243
250
|
}
|
244
251
|
end
|
245
252
|
|
253
|
+
# these iptables rules are needed in order to get VPN working
|
254
|
+
def add_iptables_rules_service
|
255
|
+
{
|
256
|
+
name: 'add-iptables-rules.service',
|
257
|
+
enabled: false,
|
258
|
+
contents: <<~ADD_IPTABLES_RULE
|
259
|
+
[Install]
|
260
|
+
WantedBy=multi-user.target
|
261
|
+
[Unit]
|
262
|
+
Description=Add Iptables rules
|
263
|
+
[Service]
|
264
|
+
Type=oneshot
|
265
|
+
ExecStartPre=/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
|
266
|
+
ExecStart=/sbin/iptables -A FORWARD -o tun+ -j ACCEPT
|
267
|
+
ADD_IPTABLES_RULE
|
268
|
+
}
|
269
|
+
end
|
270
|
+
|
246
271
|
def openvpn_service
|
247
272
|
Ignition.container_unit(
|
248
273
|
'openvpn', @openvpn_image,
|
@@ -252,7 +277,7 @@ module Terrafying
|
|
252
277
|
'/etc/ssl/openvpn:/etc/ssl/openvpn:ro',
|
253
278
|
'/etc/openvpn:/etc/openvpn'
|
254
279
|
],
|
255
|
-
required_units: ['docker.service', 'network-online.target', 'openvpn-authz.service']
|
280
|
+
required_units: ['docker.service', 'network-online.target', 'openvpn-authz.service', 'add-iptables-rules.service']
|
256
281
|
)
|
257
282
|
end
|
258
283
|
|
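Review bot: `add-iptables-rules.service` appends (`-A`) two FORWARD rules from a `Type=oneshot` unit with no `RemainAfterExit=yes` and no `ExecStop`, so it never stays active and every re-run — the cloud-config template's `systemctl restart` of all units, or `openvpn.service` pulling it in again through `required_units` if that maps to `Requires=` — appends duplicate rules instead of reconciling them. Adding `RemainAfterExit=yes` under `[Service]` plus `ExecStop=/sbin/iptables -D FORWARD -i tun+ -j ACCEPT` and `ExecStop=/sbin/iptables -D FORWARD -o tun+ -j ACCEPT` makes the unit idempotent across restarts and removes the rules when it is stopped. Putting one rule in `ExecStartPre` and the other in `ExecStart` is also a point of style: oneshot units accept several `ExecStart=` lines, which reads as the single step this is. The `enabled: false` on the unit only holds on the Ignition path; the cloud-config `runcmd` enables every unit regardless.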
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: terrafying-components
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.4.
|
4
|
+
version: 2.4.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- uSwitch Limited
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-02-24 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -91,6 +91,7 @@ files:
|
|
91
91
|
- lib/terrafying/components.rb
|
92
92
|
- lib/terrafying/components/auditd.rb
|
93
93
|
- lib/terrafying/components/ca.rb
|
94
|
+
- lib/terrafying/components/cloudconfig.rb
|
94
95
|
- lib/terrafying/components/dynamicset.rb
|
95
96
|
- lib/terrafying/components/endpoint.rb
|
96
97
|
- lib/terrafying/components/endpointservice.rb
|
@@ -114,6 +115,7 @@ files:
|
|
114
115
|
- lib/terrafying/components/service.rb
|
115
116
|
- lib/terrafying/components/staticset.rb
|
116
117
|
- lib/terrafying/components/subnet.rb
|
118
|
+
- lib/terrafying/components/templates/cloudconfig.yaml
|
117
119
|
- lib/terrafying/components/templates/ignition.yaml
|
118
120
|
- lib/terrafying/components/usable.rb
|
119
121
|
- lib/terrafying/components/version.rb
|