ufo 4.5.5 → 4.5.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d86ea7d84ac2ec056ffd1993b8c83c01fe3c9caea66ec44204efbb70cffb25cb
-  data.tar.gz: 29aba82ec174765fe0d948b2fc5a313065416f9ea0178af90366b8dc769cd2f5
+  metadata.gz: d5f955e0e4404b57b76945b2df72754dbb5d79bf63217a7e969b22e2c56467b6
+  data.tar.gz: 517f856d010af0d59ef4dd11055c7c1fdf207034c6a8f456f8611d89b68f9eb2
 SHA512:
-  metadata.gz: 016d61a18190e0daa866ed7bdf3613d6a0561c6a5221f20348e9dba34797f034882fb1b89af486d5c009068446aa512092596c73b611c88a0a9a3bf8552a8f13
-  data.tar.gz: a2f20498236dc2c205fef1d071a4e766e04e14aa0f2b5f8ac7a76c1676e4b299e70eaae8b3d1e55c83ecc6a5d60ae84213d9449915d773e6850ddb83baa6910b
+  metadata.gz: 724bc8fc6d5417d8509bddcabd22181f4f716903bd57d1ce15b61ff4a47c9f07c49ae1bda9be24b48d62246b636ff2cea19f1b067e4ce838ce9285e3641c4101
+  data.tar.gz: 81803c20b2bcbf2fec0ab978b0086b12843c077a260bf45adf83782492c98c452a5beebbcdffeef158a0e5ad38702bfd8ae66fad2e5d0b76b9fb5aa15363e857

data/CHANGELOG.md

@@ -3,6 +3,23 @@
 All notable changes to this project will be documented in this file.
 This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [4.5.10]
+- fix .ufo/task_definitions help error message
+
+## [4.5.9]
+- fix ufo_env aws_profile tight binding
+
+## [4.5.8]
+- #91 added helper scripts to dianose and resolve the SSL issues - added docs to help explain and save the user time and research
+- improve cancel command
+- update /up check starter example
+
+## [4.5.7]
+- #88 update starter variables template with += example
+
+## [4.5.6]
+- fix outgoing egress rule to allow ping
+
 ## [4.5.5]
 - adjust default health check thresholds in skeleton
 - improve error handling for UPDATE\_ROLLBACK\_FAILED state

data/README.md

@@ -20,7 +20,7 @@ See [ufoships.com](http://ufoships.com) for full documentation.
 
 ## Important
 
-If you are on version 3, you can run `ufo upgrade v3to4` within your project to upgrade it to version 4.  Refer to the [CHANGELOG](CHANGELOG.md) and the [Upgrade 4 Docs](http://ufoships.com/docs/upgrade4/).
+If you are upgrading, please refer to the [Upgrading docs](https://ufoships.com/docs/upgrading/)
 
 ## Installation
 
@@ -42,7 +42,7 @@ Congratulations, you have successfully used ufo to deploy to an ECS service.
 
 ## Load Balancer Support
 
-Ufo can also create a load balancer as part of creating the ECS service if you wish. Underneath the hood, ufo uses CloudFormation to create the load balancer.  More information can be found at the [load balancer support docs](http://ufoships.com/docs/load-balancer/).
+Ufo can also create a load balancer as part of creating the ECS service if you wish. Underneath the hood, ufo uses CloudFormation to create the load balancer.  More information can be found at the [load balancer support docs](https://ufoships.com/docs/extras/load-balancer/).
 
 ## Articles
 

data/docs/.ruby-version

@@ -1 +1 @@
-2.5.3
+2.6.0

data/docs/_docs/ssl_errors.md

@@ -0,0 +1,41 @@
+---
+Title: SSL Errors
+# nav_order:
+---
+
+UFO uses the AWS Ruby SDK and the underlying default SSL certificate chain configured in your active Ruby and
+OpenSSL to communicate to your AWS environment. This means that you _must correctly configure_ your Ruby and OpenSSL to have all the needed ROOT certificates for UFO to be able to communicate to AWS - _especially_ if you are behind a proxy or a corporate SSL-Proxy.
+
+If you are behind a corporate SSL proxy and you have not updated system, OpenSSL and Ruby certificate chains to include the needed corporate root certificates, you will see errors, such as:
+
+```
+Seahorse::Client::NetworkingError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:996:in `connect'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:925:in `start'
+```
+
+## Helper Scripts
+
+The `docs/utils` directory has a few scripts that should be able to help you resolve these issues and track down which certs are giving you problems.
+
+- `ssl-doctor.rb` is from the very useful examples at <https://github.com/mislav/ssl-tools>, and it can help you find the missing ROOT cert in your certificate chain and give suggestion on getting OpenSSL working correctly.
+- `update-cert-chains.sh` will help you update your Ruby and OpenSSL chains by adding in the missing ROOT cert and also pulling in the OSX System Root to your rbenv environment.
+- `test-aws-api-access.rb` should now return a list of the S3 buckets for the current AWS profile that is active.
+
+## Trouble-shooting
+
+### Update Brew and OpenSSL
+
+- `brew update`
+- `brew upgrade openssl`
+
+### Use the Helper Scripts to find the trouble spot
+
+Once you have updated OpenSSL and your `brew` packages, use the helper scripts above to see if you can track down the missing certificate in your certificate chain.
+
+The `update-cert-chain.sh` file was created using the suggestions from <https://gemfury.com/help/could-not-verify-ssl-certificate/>. Please review the information at <https://gemfury.com/help/could-not-verify-ssl-certificate/> if the `Helper Scripts` above do not fully resolve your issue.
+
+The `test-aws-api-access.rb` uses examples from the <https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html> for using and configuring the Ruby AWS SDK on your system.

data/docs/_includes/subnav.html

@@ -58,7 +58,7 @@
                 <li><a href="{% link _docs/more/why-cloudformation.md %}">Why CloudFormation</a></li>
                 <li><a href="{% link _docs/more/customize-cloudformation.md %}">Customize CloudFormation</a></li>
                 <li><a href="{% link _docs/more/stuck-cloudformation.md %}">Stuck CloudFormation</a></li>
-                <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Pieces</a></li>
+                <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Steps</a></li>
                 <li><a href="{% link _docs/more/single-task.md %}">Run Single Task</a></li>
                 <li><a href="{% link _docs/more/migrations.md %}">Database Migrations</a></li>
                 <li><a href="{% link _docs/more/automated-cleanup.md %}">Automated Cleanup</a></li>

data/docs/utils/ssl-doctor.rb

@@ -0,0 +1,89 @@
+# Usage: ruby doctor.rb [HOST=status.github.com[:PORT=443]]
+# see: https://github.com/mislav/ssl-tools
+require 'rbconfig'
+require 'net/https'
+
+if ARGV[0] =~ /^[^-]/
+  host, port = ARGV[0].split(':', 2)
+else
+  host = 'status.github.com'
+end
+port ||= 443
+
+ruby = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
+ruby_version = RUBY_VERSION
+if patch = RbConfig::CONFIG['PATCHLEVEL']
+  ruby_version += "-p#{patch}"
+end
+puts "%s (%s)" % [ruby, ruby_version]
+
+openssl_dir = OpenSSL::X509::DEFAULT_CERT_AREA
+mac_openssl = '/System/Library/OpenSSL' == openssl_dir
+puts "%s: %s" % [OpenSSL::OPENSSL_VERSION, openssl_dir]
+[OpenSSL::X509::DEFAULT_CERT_DIR_ENV, OpenSSL::X509::DEFAULT_CERT_FILE_ENV].each do |key|
+  puts "%s=%s" % [key, ENV[key].to_s.inspect]
+end
+
+ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
+ca_path = (ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR).chomp('/')
+
+puts "\nHEAD https://#{host}:#{port}"
+http = Net::HTTP.new(host, port)
+http.use_ssl = true
+
+# Explicitly setting cert_store like this is not needed in most cases but it
+# seems necessary in edge cases such as when using `verify_callback` in some
+# combination of Ruby + OpenSSL versions.
+http.cert_store = OpenSSL::X509::Store.new
+http.cert_store.set_default_paths
+
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+failed_cert = failed_cert_reason = nil
+
+if mac_openssl
+  warn "warning: will not be able show failed certificate info on OS X's OpenSSL"
+  # This drives me absolutely nuts. It seems that on Rubies compiled against OS X's
+  # system OpenSSL, the mere fact of defining a `verify_callback` makes the
+  # cert verification fail for requests that would otherwise be successful.
+else
+  http.verify_callback = lambda { |verify_ok, store_context|
+    if !verify_ok
+      failed_cert = store_context.current_cert
+      failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
+    end
+    verify_ok
+  }
+end
+
+user_agent = "net/http #{ruby_version}"
+req = Net::HTTP::Head.new('/', 'user-agent' => user_agent)
+
+begin
+  res = http.start { http.request(req) }
+  abort res.inspect if res.code.to_i >= 500
+  puts "OK"
+rescue Errno::ECONNREFUSED
+  puts "Error: connection refused"
+  exit 1
+rescue OpenSSL::SSL::SSLError => e
+  puts "#{e.class}: #{e.message}"
+
+  if failed_cert
+    puts "\nThe server presented a certificate that could not be verified:"
+    puts "  subject: #{failed_cert.subject}"
+    puts "  issuer: #{failed_cert.issuer}"
+    puts "  error code %s" % failed_cert_reason
+  end
+
+  ca_file_missing = !File.exist?(ca_file) && !mac_openssl
+  ca_path_empty = Dir["#{ca_path}/*"].empty?
+
+  if ca_file_missing || ca_path_empty
+    puts "\nPossible causes:"
+    puts "  `%s' does not exist" % ca_file if ca_file_missing
+    puts "  `%s/' is empty" % ca_path if ca_path_empty
+  end
+
+  exit 1
+end
+

data/docs/utils/test-aws-api-access.rb

@@ -0,0 +1,11 @@
+# usage 'ruby s3-cert-chain-test.rb'
+# see: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html
+
+require 'aws-sdk-s3' # v2: require 'aws-sdk'
+#Aws.use_bundled_cert!
+
+s3 = Aws::S3::Resource.new(region: 'us-east-1')
+
+s3.buckets.limit(50).each do |b|
+  puts "#{b.name}"
+end

data/docs/utils/update-cert-chains.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' 2>/dev/null)
+echo 'What is the uri to your organizations root certificate chain?'
+read -p 'org_root_chain: ' org_root_chain
+echo "$org_root_chain"
+curl "$org_root_chain" -o org_chain.txt
+cat org_chain.txt >> "$cert_file"
+mkdir -p "${cert_file%/*}"
+security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
+security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

data/lib/cfn/stack.yml

@@ -237,9 +237,7 @@ Resources:
       # Outbound access: instance needs access to internet to pull down image
       # or else get CannotPullContainerError
       SecurityGroupEgress:
-      - IpProtocol: tcp
-        FromPort: '0'
-        ToPort: '65535'
+      - IpProtocol: "-1"
         CidrIp: 0.0.0.0/0
         Description: outbound traffic
       Tags:

data/lib/template/.ufo/settings/cfn/default.yml.tt

@@ -18,7 +18,7 @@ target_group:
                   #   network elb: TCP
                   # so we can keep this commented out, unless we need HTTPS at the app level
   # Health check settings are supported by application load balancer only:
-  # health_check_path: /upcheck
+  # health_check_path: /up # health check
   health_check_interval_seconds: 10 # default: 30. Network ELB can only take 10 or 30
   healthy_threshold_count: 2
   unhealthy_threshold_count: 2 # default: 10

data/lib/template/.ufo/variables/development.rb

@@ -1,7 +1,8 @@
 # Example ufo/variables/development.rb
 # More info on how variables work: http://ufoships.com/docs/variables/
 @cpu = 256
-@environment = helper.env_vars(%Q[
+# Refer to https://github.com/tongueroo/ufo/issues/87 as to why the += is used
+@environment += helper.env_vars(%Q[
   RAILS_ENV=development
   SECRET_KEY_BASE=secret
 ])

data/lib/template/.ufo/variables/production.rb

@@ -1,7 +1,7 @@
 # Example ufo/variables/production.rb
 # More info on how variables work: http://ufoships.com/docs/variables/
 @cpu = 256
-@environment = helper.env_vars(%Q[
+@environment += helper.env_vars(%Q[
   RAILS_ENV=production
   SECRET_KEY_BASE=secret
 ])

data/lib/ufo/cancel.rb

@@ -12,7 +12,7 @@ module Ufo
       if stack.stack_status == "CREATE_IN_PROGRESS"
         cloudformation.delete_stack(stack_name: @stack_name)
         puts "Canceling stack creation."
-      elsif stack.stack_status =~ /_IN_PROGRESS$/
+      elsif stack.stack_status == "UPDATE_IN_PROGRESS"
         cloudformation.cancel_update_stack(stack_name: @stack_name)
         puts "Canceling stack update."
       else

data/lib/ufo/core.rb

@@ -9,7 +9,7 @@ module Ufo
       task_definition_path = "#{Ufo.root}/.ufo/output/#{task_definition}.json"
       unless File.exist?(task_definition_path)
         puts "ERROR: Unable to find the task definition at #{task_definition_path}.".color(:red)
-        puts "Are you sure you have defined it in ufo/template_definitions.rb and it has been generated correctly in .ufo/output?".color(:red)
+        puts "Are you sure you have defined it in .ufo/task_definitions.rb and it has been generated correctly in .ufo/output?".color(:red)
         puts "If you are calling `ufo deploy` directly, you might want to generate the task definition first with `ufo tasks build`."
         exit 1
       end
@@ -36,16 +36,16 @@ module Ufo
     end
     memoize :env_extra
 
-    # Overrides AWS_PROFILE based on the Ufo.env if set in configs/settings.yml
+    # Overrides AWS_PROFILE based on the Ufo.env if set in .ufo/settings.yml
     # 2-way binding.
     def set_aws_profile!
       return if ENV['TEST']
       return unless File.exist?("#{Ufo.root}/.ufo/settings.yml") # for rake docs
       return unless settings # Only load if within Ufo project and there's a settings.yml
-      data = settings[Ufo.env] || {}
-      if data["aws_profile"]
-        puts "Using AWS_PROFILE=#{data["aws_profile"]} from UFO_ENV=#{Ufo.env} in config/settings.yml"
-        ENV['AWS_PROFILE'] = data["aws_profile"]
+      data = settings || {}
+      if data[:aws_profile]
+        puts "Using AWS_PROFILE=#{data[:aws_profile]} from UFO_ENV=#{Ufo.env} in config/settings.yml"
+        ENV['AWS_PROFILE'] = data[:aws_profile]
       end
     end
 

data/lib/ufo/version.rb

@@ -1,3 +1,3 @@
 module Ufo
-  VERSION = "4.5.5"
+  VERSION = "4.5.10"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ufo
 version: !ruby/object:Gem::Version
-  version: 4.5.5
+  version: 4.5.10
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-29 00:00:00.000000000 Z
+date: 2019-11-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cloudformation
@@ -333,6 +333,7 @@ files:
 - docs/_docs/settings/cfn.md
 - docs/_docs/settings/cluster.md
 - docs/_docs/settings/network.md
+- docs/_docs/ssl_errors.md
 - docs/_docs/structure.md
 - docs/_docs/tutorial-ufo-docker-build.md
 - docs/_docs/tutorial-ufo-init.md
@@ -459,6 +460,9 @@ files:
 - docs/quick-start.md
 - docs/reference.md
 - docs/style.css
+- docs/utils/ssl-doctor.rb
+- docs/utils/test-aws-api-access.rb
+- docs/utils/update-cert-chains.sh
 - exe/ufo
 - lib/cfn/stack.yml
 - lib/template/.env
@@ -622,7 +626,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
 summary: AWS ECS Deploy Tool