ufo 4.5.6 → 4.5.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b267085b8ce0ec00506e0da5ef7e3d806169819849ca35f362319e8ccf8ef9b
-  data.tar.gz: 2feba1921dd12e7b44a46b518e6ea34336b9b5a5fc2810fe2ad5be42b9310af0
+  metadata.gz: 7a7401ccc5d5e288b485c4eaaf21a4ae14864a23bdc52c4e36ce9bf060f35d55
+  data.tar.gz: 2528b31c9fea0c43785a2d1c17c2529c85f3ac85dd431e9cc5de7fbca28cdc53
 SHA512:
-  metadata.gz: 5f8ba70c862d2dcdbb4647ae951140bd6db603f8bf92362ec1e7b9abd8752d5079aea1684970b0212a97f5543cc801d697172830078b698ed9ce3df99413d488
-  data.tar.gz: a0ca47e0887d7a4d45514986f6eb8896e12dd02ab21e49a5ee3db5cae1b5f9b44a02f6615cd6485e47911d16c2866d4be44c48288fbf60f789a635e75c2865cb
+  metadata.gz: 890ed4c9715cea6d1c6865e13a3895467d72e266363ea0647111e513299c1e4d3182d68ad8039212bbae2d6c59d16ab53d44629042cde185a173c4fa62f3fbe4
+  data.tar.gz: bb31a72b778cb39de850a07cb6ce94dc31c50b2f257d067c77b5fa40dcf5d1dfcc3ce50d05c9980e8a1fa298c4f229bb1d47c6df0d44ae18e24d0b218f1647fc

data/CHANGELOG.md

@@ -3,6 +3,23 @@
 All notable changes to this project will be documented in this file.
 This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [4.5.11]
+- add mfa support for normal IAM user
+
+## [4.5.10]
+- fix .ufo/task_definitions help error message
+
+## [4.5.9]
+- fix ufo_env aws_profile tight binding
+
+## [4.5.8]
+- #91 added helper scripts to dianose and resolve the SSL issues - added docs to help explain and save the user time and research
+- improve cancel command
+- update /up check starter example
+
+## [4.5.7]
+- #88 update starter variables template with += example
+
 ## [4.5.6]
 - fix outgoing egress rule to allow ping
 

data/README.md

@@ -20,7 +20,7 @@ See [ufoships.com](http://ufoships.com) for full documentation.
 
 ## Important
 
-If you are on version 3, you can run `ufo upgrade v3to4` within your project to upgrade it to version 4.  Refer to the [CHANGELOG](CHANGELOG.md) and the [Upgrade 4 Docs](http://ufoships.com/docs/upgrade4/).
+If you are upgrading, please refer to the [Upgrading docs](https://ufoships.com/docs/upgrading/)
 
 ## Installation
 
@@ -42,7 +42,7 @@ Congratulations, you have successfully used ufo to deploy to an ECS service.
 
 ## Load Balancer Support
 
-Ufo can also create a load balancer as part of creating the ECS service if you wish. Underneath the hood, ufo uses CloudFormation to create the load balancer.  More information can be found at the [load balancer support docs](http://ufoships.com/docs/load-balancer/).
+Ufo can also create a load balancer as part of creating the ECS service if you wish. Underneath the hood, ufo uses CloudFormation to create the load balancer.  More information can be found at the [load balancer support docs](https://ufoships.com/docs/extras/load-balancer/).
 
 ## Articles
 

data/docs/_docs/ssl_errors.md

@@ -0,0 +1,41 @@
+---
+Title: SSL Errors
+# nav_order:
+---
+
+UFO uses the AWS Ruby SDK and the underlying default SSL certificate chain configured in your active Ruby and
+OpenSSL to communicate to your AWS environment. This means that you _must correctly configure_ your Ruby and OpenSSL to have all the needed ROOT certificates for UFO to be able to communicate to AWS - _especially_ if you are behind a proxy or a corporate SSL-Proxy.
+
+If you are behind a corporate SSL proxy and you have not updated system, OpenSSL and Ruby certificate chains to include the needed corporate root certificates, you will see errors, such as:
+
+```
+Seahorse::Client::NetworkingError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:996:in `connect'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:925:in `start'
+```
+
+## Helper Scripts
+
+The `docs/utils` directory has a few scripts that should be able to help you resolve these issues and track down which certs are giving you problems.
+
+- `ssl-doctor.rb` is from the very useful examples at <https://github.com/mislav/ssl-tools>, and it can help you find the missing ROOT cert in your certificate chain and give suggestion on getting OpenSSL working correctly.
+- `update-cert-chains.sh` will help you update your Ruby and OpenSSL chains by adding in the missing ROOT cert and also pulling in the OSX System Root to your rbenv environment.
+- `test-aws-api-access.rb` should now return a list of the S3 buckets for the current AWS profile that is active.
+
+## Trouble-shooting
+
+### Update Brew and OpenSSL
+
+- `brew update`
+- `brew upgrade openssl`
+
+### Use the Helper Scripts to find the trouble spot
+
+Once you have updated OpenSSL and your `brew` packages, use the helper scripts above to see if you can track down the missing certificate in your certificate chain.
+
+The `update-cert-chain.sh` file was created using the suggestions from <https://gemfury.com/help/could-not-verify-ssl-certificate/>. Please review the information at <https://gemfury.com/help/could-not-verify-ssl-certificate/> if the `Helper Scripts` above do not fully resolve your issue.
+
+The `test-aws-api-access.rb` uses examples from the <https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html> for using and configuring the Ruby AWS SDK on your system.

data/docs/_includes/subnav.html

@@ -58,7 +58,7 @@
                 <li><a href="{% link _docs/more/why-cloudformation.md %}">Why CloudFormation</a></li>
                 <li><a href="{% link _docs/more/customize-cloudformation.md %}">Customize CloudFormation</a></li>
                 <li><a href="{% link _docs/more/stuck-cloudformation.md %}">Stuck CloudFormation</a></li>
-                <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Pieces</a></li>
+                <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Steps</a></li>
                 <li><a href="{% link _docs/more/single-task.md %}">Run Single Task</a></li>
                 <li><a href="{% link _docs/more/migrations.md %}">Database Migrations</a></li>
                 <li><a href="{% link _docs/more/automated-cleanup.md %}">Automated Cleanup</a></li>

data/docs/utils/ssl-doctor.rb

@@ -0,0 +1,89 @@
+# Usage: ruby doctor.rb [HOST=status.github.com[:PORT=443]]
+# see: https://github.com/mislav/ssl-tools
+require 'rbconfig'
+require 'net/https'
+
+if ARGV[0] =~ /^[^-]/
+  host, port = ARGV[0].split(':', 2)
+else
+  host = 'status.github.com'
+end
+port ||= 443
+
+ruby = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
+ruby_version = RUBY_VERSION
+if patch = RbConfig::CONFIG['PATCHLEVEL']
+  ruby_version += "-p#{patch}"
+end
+puts "%s (%s)" % [ruby, ruby_version]
+
+openssl_dir = OpenSSL::X509::DEFAULT_CERT_AREA
+mac_openssl = '/System/Library/OpenSSL' == openssl_dir
+puts "%s: %s" % [OpenSSL::OPENSSL_VERSION, openssl_dir]
+[OpenSSL::X509::DEFAULT_CERT_DIR_ENV, OpenSSL::X509::DEFAULT_CERT_FILE_ENV].each do |key|
+  puts "%s=%s" % [key, ENV[key].to_s.inspect]
+end
+
+ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
+ca_path = (ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR).chomp('/')
+
+puts "\nHEAD https://#{host}:#{port}"
+http = Net::HTTP.new(host, port)
+http.use_ssl = true
+
+# Explicitly setting cert_store like this is not needed in most cases but it
+# seems necessary in edge cases such as when using `verify_callback` in some
+# combination of Ruby + OpenSSL versions.
+http.cert_store = OpenSSL::X509::Store.new
+http.cert_store.set_default_paths
+
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+failed_cert = failed_cert_reason = nil
+
+if mac_openssl
+  warn "warning: will not be able show failed certificate info on OS X's OpenSSL"
+  # This drives me absolutely nuts. It seems that on Rubies compiled against OS X's
+  # system OpenSSL, the mere fact of defining a `verify_callback` makes the
+  # cert verification fail for requests that would otherwise be successful.
+else
+  http.verify_callback = lambda { |verify_ok, store_context|
+    if !verify_ok
+      failed_cert = store_context.current_cert
+      failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
+    end
+    verify_ok
+  }
+end
+
+user_agent = "net/http #{ruby_version}"
+req = Net::HTTP::Head.new('/', 'user-agent' => user_agent)
+
+begin
+  res = http.start { http.request(req) }
+  abort res.inspect if res.code.to_i >= 500
+  puts "OK"
+rescue Errno::ECONNREFUSED
+  puts "Error: connection refused"
+  exit 1
+rescue OpenSSL::SSL::SSLError => e
+  puts "#{e.class}: #{e.message}"
+
+  if failed_cert
+    puts "\nThe server presented a certificate that could not be verified:"
+    puts "  subject: #{failed_cert.subject}"
+    puts "  issuer: #{failed_cert.issuer}"
+    puts "  error code %s" % failed_cert_reason
+  end
+
+  ca_file_missing = !File.exist?(ca_file) && !mac_openssl
+  ca_path_empty = Dir["#{ca_path}/*"].empty?
+
+  if ca_file_missing || ca_path_empty
+    puts "\nPossible causes:"
+    puts "  `%s' does not exist" % ca_file if ca_file_missing
+    puts "  `%s/' is empty" % ca_path if ca_path_empty
+  end
+
+  exit 1
+end
+

data/docs/utils/test-aws-api-access.rb

@@ -0,0 +1,11 @@
+# usage 'ruby s3-cert-chain-test.rb'
+# see: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html
+
+require 'aws-sdk-s3' # v2: require 'aws-sdk'
+#Aws.use_bundled_cert!
+
+s3 = Aws::S3::Resource.new(region: 'us-east-1')
+
+s3.buckets.limit(50).each do |b|
+  puts "#{b.name}"
+end

data/docs/utils/update-cert-chains.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' 2>/dev/null)
+echo 'What is the uri to your organizations root certificate chain?'
+read -p 'org_root_chain: ' org_root_chain
+echo "$org_root_chain"
+curl "$org_root_chain" -o org_chain.txt
+cat org_chain.txt >> "$cert_file"
+mkdir -p "${cert_file%/*}"
+security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
+security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

data/lib/template/.ufo/settings/cfn/default.yml.tt

@@ -18,7 +18,7 @@ target_group:
                   #   network elb: TCP
                   # so we can keep this commented out, unless we need HTTPS at the app level
   # Health check settings are supported by application load balancer only:
-  # health_check_path: /upcheck
+  # health_check_path: /up # health check
   health_check_interval_seconds: 10 # default: 30. Network ELB can only take 10 or 30
   healthy_threshold_count: 2
   unhealthy_threshold_count: 2 # default: 10

data/lib/template/.ufo/variables/development.rb

@@ -1,7 +1,8 @@
 # Example ufo/variables/development.rb
 # More info on how variables work: http://ufoships.com/docs/variables/
 @cpu = 256
-@environment = helper.env_vars(%Q[
+# Refer to https://github.com/tongueroo/ufo/issues/87 as to why the += is used
+@environment += helper.env_vars(%Q[
   RAILS_ENV=development
   SECRET_KEY_BASE=secret
 ])

data/lib/template/.ufo/variables/production.rb

@@ -1,7 +1,7 @@
 # Example ufo/variables/production.rb
 # More info on how variables work: http://ufoships.com/docs/variables/
 @cpu = 256
-@environment = helper.env_vars(%Q[
+@environment += helper.env_vars(%Q[
   RAILS_ENV=production
   SECRET_KEY_BASE=secret
 ])

data/lib/ufo/aws_service.rb

@@ -5,6 +5,8 @@ require "aws-sdk-ecr"
 require "aws-sdk-ecs"
 require "aws-sdk-elasticloadbalancingv2"
 
+require "aws_mfa_secure/ext/aws" # add MFA support
+
 module Ufo
   module AwsService
     def cloudformation

data/lib/ufo/cancel.rb

@@ -12,7 +12,7 @@ module Ufo
       if stack.stack_status == "CREATE_IN_PROGRESS"
         cloudformation.delete_stack(stack_name: @stack_name)
         puts "Canceling stack creation."
-      elsif stack.stack_status =~ /_IN_PROGRESS$/
+      elsif stack.stack_status == "UPDATE_IN_PROGRESS"
         cloudformation.cancel_update_stack(stack_name: @stack_name)
         puts "Canceling stack update."
       else

data/lib/ufo/core.rb

@@ -9,7 +9,7 @@ module Ufo
       task_definition_path = "#{Ufo.root}/.ufo/output/#{task_definition}.json"
       unless File.exist?(task_definition_path)
         puts "ERROR: Unable to find the task definition at #{task_definition_path}.".color(:red)
-        puts "Are you sure you have defined it in ufo/template_definitions.rb and it has been generated correctly in .ufo/output?".color(:red)
+        puts "Are you sure you have defined it in .ufo/task_definitions.rb and it has been generated correctly in .ufo/output?".color(:red)
         puts "If you are calling `ufo deploy` directly, you might want to generate the task definition first with `ufo tasks build`."
         exit 1
       end
@@ -42,10 +42,10 @@ module Ufo
       return if ENV['TEST']
       return unless File.exist?("#{Ufo.root}/.ufo/settings.yml") # for rake docs
       return unless settings # Only load if within Ufo project and there's a settings.yml
-      data = settings[Ufo.env] || {}
-      if data["aws_profile"]
-        puts "Using AWS_PROFILE=#{data["aws_profile"]} from UFO_ENV=#{Ufo.env} in config/settings.yml"
-        ENV['AWS_PROFILE'] = data["aws_profile"]
+      data = settings || {}
+      if data[:aws_profile]
+        puts "Using AWS_PROFILE=#{data[:aws_profile]} from UFO_ENV=#{Ufo.env} in config/settings.yml"
+        ENV['AWS_PROFILE'] = data[:aws_profile]
       end
     end
 

data/lib/ufo/version.rb

@@ -1,3 +1,3 @@
 module Ufo
-  VERSION = "4.5.6"
+  VERSION = "4.5.11"
 end

data/ufo.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
+  spec.add_dependency "aws-mfa-secure"
   spec.add_dependency "aws-sdk-cloudformation"
   spec.add_dependency "aws-sdk-cloudwatchlogs"
   spec.add_dependency "aws-sdk-ec2"

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: ufo
 version: !ruby/object:Gem::Version
-  version: 4.5.6
+  version: 4.5.11
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-09-17 00:00:00.000000000 Z
+date: 2019-11-10 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-mfa-secure
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cloudformation
   requirement: !ruby/object:Gem::Requirement
@@ -333,6 +347,7 @@ files:
 - docs/_docs/settings/cfn.md
 - docs/_docs/settings/cluster.md
 - docs/_docs/settings/network.md
+- docs/_docs/ssl_errors.md
 - docs/_docs/structure.md
 - docs/_docs/tutorial-ufo-docker-build.md
 - docs/_docs/tutorial-ufo-init.md
@@ -459,6 +474,9 @@ files:
 - docs/quick-start.md
 - docs/reference.md
 - docs/style.css
+- docs/utils/ssl-doctor.rb
+- docs/utils/test-aws-api-access.rb
+- docs/utils/update-cert-chains.sh
 - exe/ufo
 - lib/cfn/stack.yml
 - lib/template/.env