tfrb 0.1.0

data/lib/tfrb/cli.rb

@@ -0,0 +1,68 @@
+require 'tfrb'
+require 'tfrb/version'
+require 'tfrb/config'
+require 'thor'
+require 'mixlib/shellout'
+
+class Tfrb::CLI < Thor
+  map %w[--version -v] => :__print_version
+
+  desc '--version, -v', 'print the version'
+  def __print_version
+    puts Tfrb::VERSION
+  end
+
+  [:init, :plan, :apply].each do |cmd|
+    desc "#{cmd}", "Runs a terraform #{cmd}"
+    method_option :skip_import, aliases: '-s', type: :boolean, desc: 'Skip automatic terraform import', default: false
+    define_method(cmd) do
+      tfrb = load_tfrb(options[:skip_import] || [:init].include?(cmd))
+      tfrb.send("#{cmd}!".to_sym)
+      tfrb.clean! unless cmd == :init
+    end
+  end
+
+  desc 'import TYPE NAME ID', 'Runs a terraform import'
+  def import(resource_type, resource_name, resource_id)
+    tfrb = load_tfrb
+    tfrb.skip_import = false
+    tfrb.import!(resource_type, resource_name, resource_id)
+    tfrb.clean!
+  end
+
+  [:staterm, :taint].each do |cmd|
+    desc "#{cmd} RESOURCE", "Runs a terraform #{cmd}"
+    define_method(cmd) do |resource_id|
+      tfrb = load_tfrb
+      tfrb.send("#{cmd}!".to_sym, resource_id)
+      tfrb.clean!
+    end
+  end
+
+  desc 'unlock LOCK_ID', 'Runs a terraform unlock'
+  def unlock(lock_id)
+    tfrb = load_tfrb
+    tfrb.unlock!(lock_id)
+    tfrb.clean!
+  end
+
+  private
+
+  def load_tfrb(skip_import = true)
+    unless File.exist?('tfrb.rb')
+      puts 'Missing tfrb.rb file'
+      exit(false)
+    end
+
+    require File.expand_path('tfrb.rb')
+
+    unless Tfrb::Config[:files] && Tfrb::Config[:files].size > 0
+      puts 'No tfrb files found'
+      exit(false)
+    end
+
+    require 'tfrb/base'
+
+    Tfrb::Base.load(Tfrb::Config[:environment_name], Tfrb::Config[:files], skip_import)
+  end
+end

data/lib/tfrb/config.rb

@@ -0,0 +1,15 @@
+module Tfrb
+  class Config
+    @@config = {}
+
+    class << self
+      def [](key)
+        @@config[key]
+      end
+
+      def []=(key, value)
+        @@config[key] = value
+      end
+    end
+  end
+end

data/lib/tfrb/provider/aws.rb

@@ -0,0 +1,10 @@
+module Tfrb::Provider::Aws
+  def self.load(base, environment)
+    if environment.has_key?('provider') && environment['provider'].has_key?('aws')
+      unless environment['provider']['aws'].has_key?('access_key') || environment['provider']['aws'].has_key?('secret_key')
+        environment['provider']['aws']['access_key'] = ENV['AWS_ACCESS_KEY_ID']
+        environment['provider']['aws']['secret_key'] = ENV['AWS_SECRET_ACCESS_KEY']
+      end
+    end
+  end
+end

data/lib/tfrb/provider.rb

@@ -0,0 +1,22 @@
+module Tfrb::Provider
+  def self.load(tfrb)
+    tfrb.environments.each do |environment_name, environment|
+      if environment['provider']
+        environment['provider'].keys.each do |provider|
+          self.constants.each do |c|
+            if provider == c.to_s.gsub(/(.)([A-Z])/,'\1_\2').downcase
+              Kernel.const_get("Tfrb::Provider::#{c}").load(tfrb, environment)
+
+              # Inject overrides from Config
+              if Tfrb::Config[:overrides].has_key?('provider') && Tfrb::Config[:overrides]['provider'].has_key?(provider)
+                environment['provider'][provider].merge!(Tfrb::Config[:overrides]['provider'][provider])
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Dir[File.join(File.dirname(__FILE__), 'provider', '*.rb')].each { |file| require_relative file }

data/lib/tfrb/resource/aws_db_instance.rb

@@ -0,0 +1,32 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsDbInstance
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      set_default(resource, 'identifier', resource_name)
+      set_default(resource, 'backup_window', '07:00-08:00')
+      set_default(resource, 'backup_retention_period', 30)
+      set_default(resource, 'deletion_protection', true)
+      set_default(resource, 'maintenance_window', 'sat:08:00-sat:09:00')
+      set_default(resource, 'multi_az', false)
+      set_default(resource, 'publicly_accessible', false)
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::RDS::Client.new(aws_options(base, resource))
+      begin
+        response = client.describe_db_instances({
+          db_instance_identifier: resource_name
+        })
+        id = response.db_instances.first.db_instance_identifier
+        import!(base, resource_type, resource_name, id)
+      rescue ::Aws::RDS::Errors::DBInstanceNotFound
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_db_subnet_group.rb

@@ -0,0 +1,28 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsDbSubnetGroup
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      resource['tags'] = {} unless resource.has_key?('tags')
+      resource['tags']['Name'] = resource_name unless resource['tags'].has_key?('Name')
+      set_default(resource, 'name', resource_name)
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::RDS::Client.new(aws_options(base, resource))
+      begin
+        response = client.describe_db_subnet_groups({
+          db_subnet_group_name: resource_name
+        })
+        id = response.db_subnet_groups.first.db_subnet_group_name
+        import!(base, resource_type, resource_name, id)
+      rescue ::Aws::RDS::Errors::DBSubnetGroupNotFoundFault
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_dynamodb_table.rb

@@ -0,0 +1,26 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsDynamodbTable
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      set_default(resource, 'name', resource_name)
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::DynamoDB::Client.new(aws_options(base, resource))
+      begin
+        response = client.describe_table({
+          table_name: resource_name
+        })
+        id = response.table.table_name
+        import!(base, resource_type, resource_name, id)
+      rescue ::Aws::DynamoDB::Errors::TableNotFoundException, ::Aws::DynamoDB::Errors::ResourceNotFoundException
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_ebs_volume.rb

@@ -0,0 +1,32 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsEbsVolume
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      resource['tags'] = {} unless resource.has_key?('tags')
+      resource['tags']['Name'] = resource_name unless resource['tags'].has_key?('Name')
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::EC2::Client.new(aws_options(base, resource))
+      response = client.describe_volumes({
+        filters: [
+          {
+            name: "tag:Name",
+            values: [
+              resource_name,
+            ],
+          },
+        ],
+      })
+      if response.volumes && response.volumes.size >= 1
+        id = response.volumes.first.volume_id
+        import!(base, resource_type, resource_name, id)
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_elasticache_replication_group.rb

@@ -0,0 +1,30 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsElasticacheReplicationGroup
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      set_default(resource, 'snapshot_window', '07:00-08:00')
+      set_default(resource, 'snapshot_retention_limit', '30')
+      set_default(resource, 'maintenance_window', 'sat:08:00-sat:09:00')
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::ElastiCache::Client.new(aws_options(base, resource))
+      begin
+        response = client.describe_replication_groups({
+          replication_group_id: resource['replication_group_id']
+        })
+        if response.replication_groups.size >= 1
+          id = response.replication_groups.first.replication_group_id
+          import!(base, resource_type, resource_name, id)
+        end
+      rescue ::Aws::ElastiCache::Errors::ReplicationGroupNotFoundFault
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_elasticache_subnet_group.rb

@@ -0,0 +1,24 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsElasticacheSubnetGroup
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      set_default(resource, 'name', resource_name.gsub('_', ' '))
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::ElastiCache::Client.new(aws_options(base, resource))
+      response = client.describe_cache_subnet_groups({
+        cache_subnet_group_name: resource_name
+      })
+      if response.cache_subnet_groups.size >= 1
+        id = response.cache_subnet_groups.first.cache_subnet_group_name
+        import!(base, resource_type, resource_name, id)
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_iam_policy.rb

@@ -0,0 +1,142 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsIamPolicy
+  extend Tfrb::Resource
+
+  Tfrb::Block.send(:define_method, :s3_replication_policy) do |bucket|
+    policy = <<-POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListAllMyBuckets"
+      ],
+      "Resource": "arn:aws:s3:::*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket",
+        "s3:GetBucketLocation"
+      ],
+      "Resource": [
+        "arn:aws:s3:::#{bucket}"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:GetObject",
+        "s3:GetObjectAcl",
+        "s3:DeleteObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::#{bucket}/*"
+      ]
+    }
+  ]
+}
+    POLICY
+    policy
+  end
+
+  Tfrb::Block.send(:define_method, :s3_replication_policy) do |source_bucket, destination_bucket|
+    policy = <<-POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetReplicationConfiguration",
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::#{source_bucket}"
+      ]
+    },
+    {
+      "Action": [
+        "s3:GetObjectVersion",
+        "s3:GetObjectVersionAcl"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::#{source_bucket}/*"
+      ]
+    },
+    {
+      "Action": [
+        "s3:ReplicateObject",
+        "s3:ReplicateDelete"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::#{destination_bucket}/*"
+    }
+  ]
+}
+    POLICY
+    policy
+  end
+
+  Tfrb::Block.send(:define_method, :sgw_bucket_access_policy) do |bucket|
+    policy = <<-POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetAccelerateConfiguration",
+        "s3:GetBucketLocation",
+        "s3:GetBucketVersioning",
+        "s3:ListBucket",
+        "s3:ListBucketVersions",
+        "s3:ListBucketMultipartUploads"
+      ],
+      "Resource": "arn:aws:s3:::#{bucket}",
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "s3:AbortMultipartUpload",
+        "s3:DeleteObject",
+        "s3:DeleteObjectVersion",
+        "s3:GetObject",
+        "s3:GetObjectAcl",
+        "s3:GetObjectVersion",
+        "s3:ListMultipartUploadParts",
+        "s3:PutObject",
+        "s3:PutObjectAcl"
+      ],
+      "Resource": "arn:aws:s3:::#{bucket}/*",
+      "Effect": "Allow"
+    }
+  ]
+}
+    POLICY
+    policy
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::IAM::Client.new(aws_options(base, resource))
+      begin
+        response = client.list_policies({
+          scope: 'Local',
+          path_prefix: '/',
+          max_items: 1000
+        })
+        if policy = response.policies.find { |p| p.arn =~ /policy\/#{resource_name}$/ }
+          id = policy.arn
+          import!(base, resource_type, resource_name, id)
+        end
+      rescue ::Aws::IAM::Errors::NoSuchEntity
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_iam_role.rb

@@ -0,0 +1,39 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsIamRole
+  extend Tfrb::Resource
+
+  Tfrb::Block.send(:define_method, :sts_assume_role) do |service|
+    role = <<-ROLE
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "#{service}.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+    ROLE
+    role
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::IAM::Client.new(aws_options(base, resource))
+      begin
+        response = client.get_role({
+          role_name: resource['name']
+        })
+        id = response.role.role_name
+        import!(base, resource_type, resource_name, id)
+      rescue ::Aws::IAM::Errors::NoSuchEntity
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_iam_role_policy_attachment.rb

@@ -0,0 +1,27 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsIamRolePolicyAttachment
+  extend Tfrb::Resource
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::IAM::Client.new(aws_options(base, resource))
+      role_name = resolve_tfvar(base, resource_type, resource_name, 'role')
+      next if role_name.empty?
+      begin
+        response = client.list_attached_role_policies({
+          role_name: role_name
+        })
+        if response.attached_policies
+          response.attached_policies.each do |attached_policy|
+            next unless attached_policy.policy_arn == resolve_tfvar(base, resource_type, resource_name, 'policy_arn')
+            id = "#{role_name}/#{attached_policy.policy_arn}"
+            import!(base, resource_type, resource_name, id)
+          end
+        end
+      rescue ::Aws::IAM::Errors::NoSuchEntity, NoMethodError
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_instance.rb

@@ -0,0 +1,46 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsInstance
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      resource['tags'] = {} unless resource.has_key?('tags')
+      resource['tags']['Name'] = resource_name unless resource['tags'].has_key?('Name')
+      resource['root_block_device'] = {} unless resource.has_key?('root_block_device')
+      resource['root_block_device']['volume_type'] = 'gp2' unless resource['root_block_device'].has_key?('volume_type')
+      resource['root_block_device']['volume_size'] = 8 unless resource['root_block_device'].has_key?('volume_size')
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::EC2::Client.new(aws_options(base, resource))
+      response = client.describe_instances({
+        filters: [
+          {
+            name: 'tag:Name',
+            values: [
+              resource_name,
+            ],
+          },
+          {
+            name: 'instance-state-name',
+            values: [
+              'pending',
+              'running',
+              'stopping',
+              'stopped'
+            ],
+          },
+        ],
+      })
+      if response.reservations && response.reservations.size >= 1
+        if response.reservations.first.instances && response.reservations.first.instances.size >= 1
+          id = response.reservations.first.instances.first.instance_id
+          import!(base, resource_type, resource_name, id)
+        end
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_kms_key.rb

@@ -0,0 +1,26 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsKmsKey
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      set_default(resource, 'enable_key_rotation', true)
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::KMS::Client.new(aws_options(base, resource))
+      begin
+        response = client.describe_key({
+          key_id: "alias/#{resource_name}"
+        })
+        id = response.key_metadata.key_id
+        import!(base, resource_type, resource_name, id)
+      rescue ::Aws::KMS::Errors::NotFoundException
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_s3_bucket.rb

@@ -0,0 +1,20 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsS3Bucket
+  extend Tfrb::Resource
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::S3::Client.new(aws_options(base, resource))
+      begin
+        response = client.head_bucket({
+          bucket: resource['bucket']
+        })
+        id = resource['bucket']
+        import!(base, resource_type, resource_name, id)
+      rescue ::Aws::S3::Errors::NoSuchBucket, ::Aws::S3::Errors::NotFound
+        # Does not exist to import
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_security_group.rb

@@ -0,0 +1,39 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsSecurityGroup
+  extend Tfrb::Resource
+
+  def self.preload(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      set_default(resource, 'name', resource_name.gsub('_', ' '))
+      resource['lifecycle'] = {} unless resource.has_key?('lifecycle')
+      resource['lifecycle']['create_before_destroy'] = true unless resource['lifecycle'].has_key?('create_before_destroy')
+      resource['tags'] = {} unless resource.has_key?('tags')
+      resource['tags']['Name'] = resource_name.gsub('_', ' ') unless resource['tags'].has_key?('Name')
+    end
+  end
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::EC2::Client.new(aws_options(base, resource))
+      vpc_id = resolve_tfvar(base, resource_type, resource_name, 'vpc_id')
+      next if vpc_id.empty?
+      response = client.describe_security_groups({
+        filters: [
+          {
+            name: 'vpc-id',
+            values: [vpc_id]
+          },
+          {
+            name: 'group-name',
+            values: [resource['name']]
+          }
+        ]
+      })
+      if response.security_groups.size >= 1
+        id = response.security_groups.first.group_id
+        import!(base, resource_type, resource_name, id)
+      end
+    end
+  end
+end

data/lib/tfrb/resource/aws_storagegateway_cache.rb

@@ -0,0 +1,21 @@
+require 'aws-sdk'
+
+module Tfrb::Resource::AwsStoragegatewayCache
+  extend Tfrb::Resource
+
+  def self.load(base, environment_name, resource_type, new_resources)
+    new_resources.each do |resource_name, resource|
+      client = ::Aws::StorageGateway::Client.new(aws_options(base, resource))
+      disk_id = resolve_tfvar(base, resource_type, resource_name, 'disk_id')
+      gateway_arn = resolve_tfvar(base, resource_type, resource_name, 'gateway_arn')
+      next if disk_id.empty? || gateway_arn.empty?
+      response = client.describe_cache({
+        gateway_arn: gateway_arn
+      })
+      if response.disk_ids && response.disk_ids.include?(disk_id)
+        id = "#{gateway_arn}:#{disk_id}"
+        import!(base, resource_type, resource_name, id)
+      end
+    end
+  end
+end