terrafying-components 2.4.4 → 2.4.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 23e03608c87c75ba0f94d3062a0c141c8117dd6f96df80a711ee1697de6cd0ec
-  data.tar.gz: 3b4cb879c44f1e263fcc0a43e2c1cad928bfa24a8539438faa178d59306a6f03
+  metadata.gz: 1ac3e2c81fcce31c9eb2a7f055cefa5a8e1ece7497a0bfd46015be371777b373
+  data.tar.gz: 54e8efdb2687a96cf2c9dccdf1c6b74534df8416f0545cbfb0e4359e7a67a4d6
 SHA512:
-  metadata.gz: a3a8a7897c64f9ec6326e1f576a7f97e7f494fad5e1409cb8ce4317950ea183e44063f4ae8b9916411c0b80fc06a69bf7679d7cb52864d05ffa29e80608ea91d
-  data.tar.gz: bfe5e6519f8040f5b31a5988d032b3c23bd6ec2f8e3b12a3412a2b3dc332e13e4336f7a2be94910a3ccebb914dd4529c48cd126ccdfdbf1913a74a939564a5e2
+  metadata.gz: 2617ac149143c69ef6158686906b71ecead34c265ff583883fb8f8ee7c061148df10f161e3a7823c6ed4fa0a0d5b267b690af0567acc827e5db7003aa6ea4ae9
+  data.tar.gz: 7763c6b7fff418dd0e7c3df9c91459db585301334f9e788d8ee1438c899698d7cda56adb0927e4591ae9290a20df385869fee509f406fee240452ce3a85583ee

data/lib/terrafying/components/auditd.rb

@@ -3,11 +3,11 @@
 module Terrafying
   module Components
     class Auditd
-      def self.fluentd_conf(role, tags = [])
-        new.fluentd_conf(role, tags)
+      def self.fluentd_conf(ignition, role, tags = [])
+        new.fluentd_conf(ignition, role, tags)
       end
 
-      def fluentd_conf(role, tags)
+      def fluentd_conf(ignition, role, tags)
         tags = default_tags.merge(
           custom_tags(tags)
         )
@@ -15,8 +15,8 @@ module Terrafying
         {
           files: [
             systemd_input,
-            ec2_filter(tags),
-            s3_output(role)
+            ec2_filter(ignition, tags),
+            s3_output(ignition, role)
           ],
           iam_policy_statements: [
             allow_describe_instances,
@@ -103,7 +103,7 @@ module Terrafying
         )
       end
 
-      def ec2_filter(tags)
+      def ec2_filter(ignition, tags)
         file_of(
           '20_auditd_filter_ec2',
           <<~EC2_FILTER
@@ -111,47 +111,81 @@ module Terrafying
               @type ec2_metadata
               metadata_refresh_seconds 300
               <record>
-                #{map_tags(tags)}
+                #{map_tags(ignition, tags)}
               </record>
             </filter>
           EC2_FILTER
         )
       end
 
-      def map_tags(tags)
-        tags.map { |k, v| "#{k} ${#{v}}" }
-            .reduce { |out, e| +out << "\n    #{e}" }
+      def map_tags(ignition, tags)
+        if ignition == false
+          return tags.map { |k, v| "#{k} $${#{v}}" }
+                  .reduce { |out, e| +out << "\n    #{e}" }
+        end
+        return tags.map { |k, v| "#{k} ${#{v}}" }
+                  .reduce { |out, e| +out << "\n    #{e}" }
       end
 
-      def s3_output(audit_role)
-        file_of(
-          '30_auditd_output_s3',
-          <<~S3_OUTPUT
-            <match auditd>
-              @type s3
-              <assume_role_credentials>
-                role_arn #{audit_role}
-                role_session_name "auditd-logging-\#{Socket.gethostname}"
-              </assume_role_credentials>
-              auto_create_bucket false
-              s3_bucket uswitch-auditd-logs
-              s3_region eu-west-1
-              acl bucket-owner-full-control
-              path auditd/%Y/%m/%d/
-              s3_object_key_format "\%{path}\%{time_slice}_\#{Socket.gethostname}.\%{file_extension}"
-              <buffer time>
-                @type file
-                path /fluent/var/s3
-                timekey 300 # 5 minute partitions
-                timekey_wait 0s
-                timekey_use_utc true
-              </buffer>
-              <format>
-                @type json
-              </format>
-            </match>
-          S3_OUTPUT
-        )
+      def s3_output(ignition, audit_role)
+        if ignition == false
+            return file_of(
+                 '30_auditd_output_s3',
+                 <<~S3_OUTPUT
+                   <match auditd>
+                     @type s3
+                     <assume_role_credentials>
+                       role_arn #{audit_role}
+                       role_session_name "auditd-logging-\#{Socket.gethostname}"
+                     </assume_role_credentials>
+                     auto_create_bucket false
+                     s3_bucket uswitch-auditd-logs
+                     s3_region eu-west-1
+                     acl bucket-owner-full-control
+                     path auditd/%Y/%m/%d/
+                     s3_object_key_format "\%%{path}\%%{time_slice}_\#{Socket.gethostname}.\%%{file_extension}"
+                     <buffer time>
+                       @type file
+                       path /fluent/var/s3
+                       timekey 300 # 5 minute partitions
+                       timekey_wait 0s
+                       timekey_use_utc true
+                     </buffer>
+                     <format>
+                       @type json
+                     </format>
+                   </match>
+                 S3_OUTPUT
+               )
+        end
+          return file_of(
+                 '30_auditd_output_s3',
+                 <<~S3_OUTPUT
+                   <match auditd>
+                     @type s3
+                     <assume_role_credentials>
+                       role_arn #{audit_role}
+                       role_session_name "auditd-logging-\#{Socket.gethostname}"
+                     </assume_role_credentials>
+                     auto_create_bucket false
+                     s3_bucket uswitch-auditd-logs
+                     s3_region eu-west-1
+                     acl bucket-owner-full-control
+                     path auditd/%Y/%m/%d/
+                     s3_object_key_format "\%{path}\%{time_slice}_\#{Socket.gethostname}.\%{file_extension}"
+                     <buffer time>
+                       @type file
+                       path /fluent/var/s3
+                       timekey 300 # 5 minute partitions
+                       timekey_wait 0s
+                       timekey_use_utc true
+                     </buffer>
+                     <format>
+                       @type json
+                     </format>
+                   </match>
+                 S3_OUTPUT
+               )
       end
     end
   end

data/lib/terrafying/components/cloudconfig.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+# this file is copied from ignition.rb: https://github.com/uswitch/terrafying-components/blob/master/lib/terrafying/components/ignition.rb
+
+require 'erb'
+require 'ostruct'
+require 'yaml'
+
+module Terrafying
+  module Components
+    class Cloudconfig
+      UNIT_REQUIRED_KEYS = [:name].freeze
+      FILE_REQUIRED_KEYS = %i[path mode contents].freeze
+      
+      def self.generate(options = {})
+        options = {
+          keypairs: [],
+          volumes: [],
+          files: [],
+          units: [],
+          users: [],
+          networkd_units: [],
+          ssh_group: 'cloud',
+          disable_update_engine: false,
+          region: Terrafying::Generator.aws.region
+        }.merge(options)
+
+        unless options[:units].all? { |u| UNIT_REQUIRED_KEYS.all? { |key| u.key?(key) } }
+          raise "All units require the following keys: #{UNIT_REQUIRED_KEYS}"
+        end
+
+        unless options[:units].all? { |u| u.key?(:contents) || u.key?(:dropins) || u.fetch(:enabled, true) == false || u.fetch(:mask, false) == true }
+          raise 'All enabled unmasked units have to have contents and/or dropins'
+        end
+
+        unless options[:files].all? { |f| FILE_REQUIRED_KEYS.all? { |key| f.key?(key) } }
+          raise "All files require the following keys: #{FILE_REQUIRED_KEYS}"
+        end
+
+        options[:cas] = options[:keypairs].map { |kp| kp[:ca] }.compact.sort.uniq
+
+        # changes apart from ignition.rb
+        # changed template file to cloudconfig.yaml
+        erb_path = File.join(File.dirname(__FILE__), 'templates/cloudconfig.yaml')
+        erb = ERB.new(IO.read(erb_path), nil, '-')
+        # instead of ignition json, we'll output the yaml file
+        erb.result(OpenStruct.new(options).instance_eval { binding })
+
+      end
+    end
+  end
+end

data/lib/terrafying/components/prometheus.rb

@@ -24,6 +24,7 @@ module Terrafying
         prom_name: 'prometheus',
         prom_version: 'v2.25.0',
         instances: 2,
+        ami:'',
         instance_type: 't3a.small',
         thanos_instance_type: 't3a.small',
         prometheus_tsdb_retention: '1d',
@@ -38,6 +39,7 @@ module Terrafying
         @prom_name = prom_name
         @prom_version = prom_version
         @instances = instances
+        @ami = ami
         @prometheus_instance_type = instance_type
         @thanos_instance_type = thanos_instance_type
         @prometheus_tsdb_retention = prometheus_tsdb_retention
@@ -96,6 +98,7 @@ module Terrafying
           instance_type: @prometheus_instance_type,
           iam_policy_statements: thanos_store_access,
           instances: [{}] * @instances,
+          ami: @ami,
           units: [prometheus_unit, thanos_sidecar_unit],
           files: [prometheus_conf, thanos_bucket],
           volumes: [prometheus_data_volume],
@@ -129,6 +132,7 @@ module Terrafying
             }
           ],
           instance_type: @thanos_instance_type,
+          ami: @ami,
           units: [thanos_unit(prometheus_thanos_sidecar_srv_fqdn)],
           instances: [{}] * @instances,
           loadbalancer: true,

data/lib/terrafying/components/service.rb

@@ -5,6 +5,7 @@ require 'hash/merge_with_arrays'
 require 'terrafying/generator'
 require 'terrafying/util'
 require 'terrafying/components/auditd'
+require 'terrafying/components/cloudconfig'
 require 'terrafying/components/dynamicset'
 require 'terrafying/components/endpointservice'
 require 'terrafying/components/ignition'
@@ -42,6 +43,7 @@ module Terrafying
       def create_in(vpc, name, options = {})
         options = {
           ami: aws.ami('base-image-fc-75aa2aef', owners = ['477284023816']),
+          ignition: true,
           instance_type: 't3a.micro',
           ports: [],
           instances: [{}],
@@ -66,12 +68,16 @@ module Terrafying
         }.merge(options)
 
         unless options[:audit_role].nil?
-          fluentd_conf = Auditd.fluentd_conf(options[:audit_role], options[:tags].keys)
+          fluentd_conf = Auditd.fluentd_conf(options[:ignition], options[:audit_role], options[:tags].keys)
           options = options.merge_with_arrays_merged(fluentd_conf)
         end
 
-        unless options.key? :user_data
-          options[:user_data] = Ignition.generate(options)
+        unless options.key? :user_data 
+          if options[:ignition] == true 
+            options[:user_data] = Ignition.generate(options) 
+          elsif options[:ignition] == false 
+            options[:user_data] = Cloudconfig.generate(options) 
+          end 
         end
 
         unless options.key?(:loadbalancer_subnets)

data/lib/terrafying/components/templates/cloudconfig.yaml

@@ -0,0 +1,62 @@
+#cloud-config
+write_files:
+<% units.each { |unit| %>
+- path: "/etc/systemd/system/<%= unit[:name] %>"
+  content: "<%= unit[:contents].dump[1..-2] %>"
+  owner: "root:root"
+<% } %>
+
+<% files.each { |file| %>
+- path: <%= file[:path] %>
+  permissions: '<%= file[:mode] %>'
+  owner: "root:root"
+  <% if !file[:contents].is_a?(Hash) %>
+  content: "<%= file[:contents].gsub(/\n/, '\\n').gsub(/\"/, '\\"') %>"
+  <% end %>
+<% } %>
+
+<% volumes.each { |volume| %>
+- path: "/etc/systemd/system/<%= volume[:mount].tr('/','-')[1..-1] %>.mount"
+  owner: "root:root"
+  content: |
+    [Install]
+    WantedBy=local-fs.target
+    [Unit]
+    Before=docker.service
+    [Mount]
+    What=<%= volume[:device] %>
+    Where=<%= volume[:mount] %>
+    Type=ext4
+<% } %>
+
+- path:  '/etc/usersync.env'
+  permissions:  0644
+  owner: "root:root"
+  content: |
+    USERSYNC_SSH_GROUP="<%= ssh_group %>"
+
+
+runcmd:
+<% units.each { |unit| %>
+- systemctl restart <%= unit[:name] %>
+- systemctl enable <%= unit[:name] %>
+<% } %>
+<% keypairs.each { |keypair| %>
+- aws s3 cp <%= keypair[:source][:cert] %> <%= keypair[:path][:cert] %>
+- aws s3 cp <%= keypair[:source][:key] %> <%= keypair[:path][:key] %>
+<% } %>
+<% cas.each { |ca| %>
+- aws s3 cp <%= ca.source %> /etc/ssl/<%= ca.name %>/ca.cert
+<% } %>
+
+<% files.each { |file| %>
+  <% if file[:contents].is_a?(Hash) %>
+- aws s3 cp <%= file[:contents][:source] %> <%= file[:path] %>
+  <% end %>
+<% } %>
+
+<% volumes.each { |volume| %>
+- mkfs -t ext4 <%= volume[:device] %>
+- mount <%= volume[:device] %> <%= volume[:mount].tr('/','-')[1..-1] %>
+- systemctl enable <%= volume[:mount].tr('/','-')[1..-1] %>.mount
+<% } %>

data/lib/terrafying/components/version.rb

@@ -2,6 +2,6 @@
 
 module Terrafying
   module Components
-    VERSION = '2.4.4'
+    VERSION = '2.4.5'
   end
 end

data/lib/terrafying/components/vpn_oidc.rb

@@ -35,6 +35,8 @@ module Terrafying
       def initialize(
         vpc:,
         name:,
+        ignition: true,
+        ami: '',
         client_id:,
         issuer_url:,
         ca: nil,
@@ -53,6 +55,8 @@ module Terrafying
         super()
         @vpc = vpc
         @name = name
+        @ignition = ignition
+        @ami = ami
         @client_id = client_id
         @issuer_url = issuer_url
         @ca = ca
@@ -74,6 +78,7 @@ module Terrafying
       def create_in
         units = [
           openvpn_service,
+          add_iptables_rules_service,
           openvpn_authz_service(@ca, @fqdn, @route_all_traffic, @route_dns_entries, @groups, @client_id, @issuer_url),
         ]
 
@@ -100,10 +105,12 @@ module Terrafying
         @service = add! Service.create_in(
           @vpc, @name,
           {
+            ignition: @ignition,
             eip: @public,
             public: @public,
             ports: [22, 443, { number: 1194, type: 'udp' }],
             tags:@tags,
+            ami:@ami,
             units: units + @units,
             files: files,
             keypairs: keypairs,
@@ -243,6 +250,24 @@ module Terrafying
           }
       end
 
+      # these iptables rules are needed in order to get VPN working
+      def add_iptables_rules_service
+        {
+          name: 'add-iptables-rules.service',
+          enabled: false,
+          contents: <<~ADD_IPTABLES_RULE
+              [Install]
+              WantedBy=multi-user.target
+              [Unit]
+              Description=Add Iptables rules
+              [Service]
+              Type=oneshot
+              ExecStartPre=/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
+              ExecStart=/sbin/iptables -A FORWARD -o tun+ -j ACCEPT
+          ADD_IPTABLES_RULE
+          }
+      end
+
       def openvpn_service
         Ignition.container_unit(
           'openvpn', @openvpn_image,
@@ -252,7 +277,7 @@ module Terrafying
             '/etc/ssl/openvpn:/etc/ssl/openvpn:ro',
             '/etc/openvpn:/etc/openvpn'
           ],
-          required_units: ['docker.service', 'network-online.target', 'openvpn-authz.service']
+          required_units: ['docker.service', 'network-online.target', 'openvpn-authz.service', 'add-iptables-rules.service']
         )
       end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terrafying-components
 version: !ruby/object:Gem::Version
-  version: 2.4.4
+  version: 2.4.5
 platform: ruby
 authors:
 - uSwitch Limited
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-01-28 00:00:00.000000000 Z
+date: 2022-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -91,6 +91,7 @@ files:
 - lib/terrafying/components.rb
 - lib/terrafying/components/auditd.rb
 - lib/terrafying/components/ca.rb
+- lib/terrafying/components/cloudconfig.rb
 - lib/terrafying/components/dynamicset.rb
 - lib/terrafying/components/endpoint.rb
 - lib/terrafying/components/endpointservice.rb
@@ -114,6 +115,7 @@ files:
 - lib/terrafying/components/service.rb
 - lib/terrafying/components/staticset.rb
 - lib/terrafying/components/subnet.rb
+- lib/terrafying/components/templates/cloudconfig.yaml
 - lib/terrafying/components/templates/ignition.yaml
 - lib/terrafying/components/usable.rb
 - lib/terrafying/components/version.rb