ufo 4.5.6 → 4.5.11

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0b267085b8ce0ec00506e0da5ef7e3d806169819849ca35f362319e8ccf8ef9b
4
- data.tar.gz: 2feba1921dd12e7b44a46b518e6ea34336b9b5a5fc2810fe2ad5be42b9310af0
3
+ metadata.gz: 7a7401ccc5d5e288b485c4eaaf21a4ae14864a23bdc52c4e36ce9bf060f35d55
4
+ data.tar.gz: 2528b31c9fea0c43785a2d1c17c2529c85f3ac85dd431e9cc5de7fbca28cdc53
5
5
  SHA512:
6
- metadata.gz: 5f8ba70c862d2dcdbb4647ae951140bd6db603f8bf92362ec1e7b9abd8752d5079aea1684970b0212a97f5543cc801d697172830078b698ed9ce3df99413d488
7
- data.tar.gz: a0ca47e0887d7a4d45514986f6eb8896e12dd02ab21e49a5ee3db5cae1b5f9b44a02f6615cd6485e47911d16c2866d4be44c48288fbf60f789a635e75c2865cb
6
+ metadata.gz: 890ed4c9715cea6d1c6865e13a3895467d72e266363ea0647111e513299c1e4d3182d68ad8039212bbae2d6c59d16ab53d44629042cde185a173c4fa62f3fbe4
7
+ data.tar.gz: bb31a72b778cb39de850a07cb6ce94dc31c50b2f257d067c77b5fa40dcf5d1dfcc3ce50d05c9980e8a1fa298c4f229bb1d47c6df0d44ae18e24d0b218f1647fc
@@ -3,6 +3,23 @@
3
3
  All notable changes to this project will be documented in this file.
4
4
  This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
5
5
 
6
+ ## [4.5.11]
7
+ - add mfa support for normal IAM user
8
+
9
+ ## [4.5.10]
10
+ - fix .ufo/task_definitions help error message
11
+
12
+ ## [4.5.9]
13
+ - fix ufo_env aws_profile tight binding
14
+
15
+ ## [4.5.8]
16
+ - #91 added helper scripts to dianose and resolve the SSL issues - added docs to help explain and save the user time and research
17
+ - improve cancel command
18
+ - update /up check starter example
19
+
20
+ ## [4.5.7]
21
+ - #88 update starter variables template with += example
22
+
6
23
  ## [4.5.6]
7
24
  - fix outgoing egress rule to allow ping
8
25
 
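Review bot: typo in the 4.5.8 entry: "dianose" should be "diagnose". That same entry also folds two changes (the helper scripts and the new docs page) into one bullet; split them so each is searchable. The 4.5.11 entry "add mfa support for normal IAM user" should mention that it introduces a new runtime dependency (aws-mfa-secure, per the gemspec and metadata hunks below), since that is what users actually pull in when they upgrade.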
data/README.md CHANGED
@@ -20,7 +20,7 @@ See [ufoships.com](http://ufoships.com) for full documentation.
20
20
 
21
21
  ## Important
22
22
 
23
- If you are on version 3, you can run `ufo upgrade v3to4` within your project to upgrade it to version 4. Refer to the [CHANGELOG](CHANGELOG.md) and the [Upgrade 4 Docs](http://ufoships.com/docs/upgrade4/).
23
+ If you are upgrading, please refer to the [Upgrading docs](https://ufoships.com/docs/upgrading/)
24
24
 
25
25
  ## Installation
26
26
 
@@ -42,7 +42,7 @@ Congratulations, you have successfully used ufo to deploy to an ECS service.
42
42
 
43
43
  ## Load Balancer Support
44
44
 
45
- Ufo can also create a load balancer as part of creating the ECS service if you wish. Underneath the hood, ufo uses CloudFormation to create the load balancer. More information can be found at the [load balancer support docs](http://ufoships.com/docs/load-balancer/).
45
+ Ufo can also create a load balancer as part of creating the ECS service if you wish. Underneath the hood, ufo uses CloudFormation to create the load balancer. More information can be found at the [load balancer support docs](https://ufoships.com/docs/extras/load-balancer/).
46
46
 
47
47
  ## Articles
48
48
 
@@ -0,0 +1,41 @@
1
+ ---
2
+ Title: SSL Errors
3
+ # nav_order:
4
+ ---
5
+
6
+ UFO uses the AWS Ruby SDK and the underlying default SSL certificate chain configured in your active Ruby and
7
+ OpenSSL to communicate to your AWS environment. This means that you _must correctly configure_ your Ruby and OpenSSL to have all the needed ROOT certificates for UFO to be able to communicate to AWS - _especially_ if you are behind a proxy or a corporate SSL-Proxy.
8
+
9
+ If you are behind a corporate SSL proxy and you have not updated system, OpenSSL and Ruby certificate chains to include the needed corporate root certificates, you will see errors, such as:
10
+
11
+ ```
12
+ Seahorse::Client::NetworkingError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
13
+ ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock'
14
+ ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
15
+ ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:996:in `connect'
16
+ ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
17
+ ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:925:in `start'
18
+ ```
19
+
20
+ ## Helper Scripts
21
+
22
+ The `docs/utils` directory has a few scripts that should be able to help you resolve these issues and track down which certs are giving you problems.
23
+
24
+ - `ssl-doctor.rb` is from the very useful examples at <https://github.com/mislav/ssl-tools>, and it can help you find the missing ROOT cert in your certificate chain and give suggestion on getting OpenSSL working correctly.
25
+ - `update-cert-chains.sh` will help you update your Ruby and OpenSSL chains by adding in the missing ROOT cert and also pulling in the OSX System Root to your rbenv environment.
26
+ - `test-aws-api-access.rb` should now return a list of the S3 buckets for the current AWS profile that is active.
27
+
28
+ ## Trouble-shooting
29
+
30
+ ### Update Brew and OpenSSL
31
+
32
+ - `brew update`
33
+ - `brew upgrade openssl`
34
+
35
+ ### Use the Helper Scripts to find the trouble spot
36
+
37
+ Once you have updated OpenSSL and your `brew` packages, use the helper scripts above to see if you can track down the missing certificate in your certificate chain.
38
+
39
+ The `update-cert-chain.sh` file was created using the suggestions from <https://gemfury.com/help/could-not-verify-ssl-certificate/>. Please review the information at <https://gemfury.com/help/could-not-verify-ssl-certificate/> if the `Helper Scripts` above do not fully resolve your issue.
40
+
41
+ The `test-aws-api-access.rb` uses examples from the <https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html> for using and configuring the Ruby AWS SDK on your system.
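Review bot: filename mismatch on line 39 of the new page: it refers to `update-cert-chain.sh`, but the Helper Scripts list on line 25 and the metadata file list name the script `update-cert-chains.sh`. The `# nav_order:` line in the front matter is a commented-out placeholder and should either get a value or be dropped. One sentence is missing from the proxy section: adding a corporate root to the Ruby/OpenSSL chain means every AWS API call made by ufo will be trusted through that proxy, so the root must come from the organization's own distribution channel and be verified before it is appended; the page currently tells users to add "the needed corporate root certificates" without saying where a trustworthy copy comes from.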
@@ -58,7 +58,7 @@
58
58
  <li><a href="{% link _docs/more/why-cloudformation.md %}">Why CloudFormation</a></li>
59
59
  <li><a href="{% link _docs/more/customize-cloudformation.md %}">Customize CloudFormation</a></li>
60
60
  <li><a href="{% link _docs/more/stuck-cloudformation.md %}">Stuck CloudFormation</a></li>
61
- <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Pieces</a></li>
61
+ <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Steps</a></li>
62
62
  <li><a href="{% link _docs/more/single-task.md %}">Run Single Task</a></li>
63
63
  <li><a href="{% link _docs/more/migrations.md %}">Database Migrations</a></li>
64
64
  <li><a href="{% link _docs/more/automated-cleanup.md %}">Automated Cleanup</a></li>
@@ -0,0 +1,89 @@
1
+ # Usage: ruby doctor.rb [HOST=status.github.com[:PORT=443]]
2
+ # see: https://github.com/mislav/ssl-tools
3
+ require 'rbconfig'
4
+ require 'net/https'
5
+
6
+ if ARGV[0] =~ /^[^-]/
7
+ host, port = ARGV[0].split(':', 2)
8
+ else
9
+ host = 'status.github.com'
10
+ end
11
+ port ||= 443
12
+
13
+ ruby = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
14
+ ruby_version = RUBY_VERSION
15
+ if patch = RbConfig::CONFIG['PATCHLEVEL']
16
+ ruby_version += "-p#{patch}"
17
+ end
18
+ puts "%s (%s)" % [ruby, ruby_version]
19
+
20
+ openssl_dir = OpenSSL::X509::DEFAULT_CERT_AREA
21
+ mac_openssl = '/System/Library/OpenSSL' == openssl_dir
22
+ puts "%s: %s" % [OpenSSL::OPENSSL_VERSION, openssl_dir]
23
+ [OpenSSL::X509::DEFAULT_CERT_DIR_ENV, OpenSSL::X509::DEFAULT_CERT_FILE_ENV].each do |key|
24
+ puts "%s=%s" % [key, ENV[key].to_s.inspect]
25
+ end
26
+
27
+ ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
28
+ ca_path = (ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR).chomp('/')
29
+
30
+ puts "\nHEAD https://#{host}:#{port}"
31
+ http = Net::HTTP.new(host, port)
32
+ http.use_ssl = true
33
+
34
+ # Explicitly setting cert_store like this is not needed in most cases but it
35
+ # seems necessary in edge cases such as when using `verify_callback` in some
36
+ # combination of Ruby + OpenSSL versions.
37
+ http.cert_store = OpenSSL::X509::Store.new
38
+ http.cert_store.set_default_paths
39
+
40
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
41
+ failed_cert = failed_cert_reason = nil
42
+
43
+ if mac_openssl
44
+ warn "warning: will not be able show failed certificate info on OS X's OpenSSL"
45
+ # This drives me absolutely nuts. It seems that on Rubies compiled against OS X's
46
+ # system OpenSSL, the mere fact of defining a `verify_callback` makes the
47
+ # cert verification fail for requests that would otherwise be successful.
48
+ else
49
+ http.verify_callback = lambda { |verify_ok, store_context|
50
+ if !verify_ok
51
+ failed_cert = store_context.current_cert
52
+ failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
53
+ end
54
+ verify_ok
55
+ }
56
+ end
57
+
58
+ user_agent = "net/http #{ruby_version}"
59
+ req = Net::HTTP::Head.new('/', 'user-agent' => user_agent)
60
+
61
+ begin
62
+ res = http.start { http.request(req) }
63
+ abort res.inspect if res.code.to_i >= 500
64
+ puts "OK"
65
+ rescue Errno::ECONNREFUSED
66
+ puts "Error: connection refused"
67
+ exit 1
68
+ rescue OpenSSL::SSL::SSLError => e
69
+ puts "#{e.class}: #{e.message}"
70
+
71
+ if failed_cert
72
+ puts "\nThe server presented a certificate that could not be verified:"
73
+ puts " subject: #{failed_cert.subject}"
74
+ puts " issuer: #{failed_cert.issuer}"
75
+ puts " error code %s" % failed_cert_reason
76
+ end
77
+
78
+ ca_file_missing = !File.exist?(ca_file) && !mac_openssl
79
+ ca_path_empty = Dir["#{ca_path}/*"].empty?
80
+
81
+ if ca_file_missing || ca_path_empty
82
+ puts "\nPossible causes:"
83
+ puts " `%s' does not exist" % ca_file if ca_file_missing
84
+ puts " `%s/' is empty" % ca_path if ca_path_empty
85
+ end
86
+
87
+ exit 1
88
+ end
89
+
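Review bot: the usage comment on line 1 says `ruby doctor.rb`, but the file ships as `docs/utils/ssl-doctor.rb` (see the metadata file list) and the docs page refers to it by that name; update the comment. One thing worth calling out in the docs rather than changing: the `verify_callback` on lines 49-55 records the failing certificate and then returns `verify_ok` unchanged, so it diagnoses chain problems without overriding the verification result. Users tempted to "fix" the error by returning `true` there should be told that this disables peer verification entirely. Minor: `require 'net/https'` on line 4 is a legacy compatibility file; `require 'net/http'` together with `require 'openssl'` is the current spelling.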
@@ -0,0 +1,11 @@
1
+ # usage 'ruby s3-cert-chain-test.rb'
2
+ # see: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html
3
+
4
+ require 'aws-sdk-s3' # v2: require 'aws-sdk'
5
+ #Aws.use_bundled_cert!
6
+
7
+ s3 = Aws::S3::Resource.new(region: 'us-east-1')
8
+
9
+ s3.buckets.limit(50).each do |b|
10
+ puts "#{b.name}"
11
+ end
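Review bot: the usage comment on line 1 names the script `s3-cert-chain-test.rb`, but it ships as `docs/utils/test-aws-api-access.rb`. More importantly, the script cannot tell an SSL chain failure apart from a credential or permission failure: `s3.buckets` calls ListBuckets, so a profile lacking `s3:ListAllMyBuckets` raises `Aws::S3::Errors::AccessDenied` and the test "fails" even though TLS worked. Rescue `Seahorse::Client::NetworkingError` (the exception shown in the docs page) separately from the service errors and print distinct messages, so the docs' claim that the script "should now return a list of the S3 buckets" is only reached when both TLS and credentials are in order. The hardcoded `region: 'us-east-1'` is fine for ListBuckets but deserves a comment.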
@@ -0,0 +1,11 @@
1
+ #!/bin/bash
2
+
3
+ cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' 2>/dev/null)
4
+ echo 'What is the uri to your organizations root certificate chain?'
5
+ read -p 'org_root_chain: ' org_root_chain
6
+ echo "$org_root_chain"
7
+ curl "$org_root_chain" -o org_chain.txt
8
+ cat org_chain.txt >> "$cert_file"
9
+ mkdir -p "${cert_file%/*}"
10
+ security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
11
+ security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"
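Review bot: the ordering on lines 8-11 loses the certificate the script is meant to add: line 8 appends the downloaded org chain to `$cert_file`, then line 10 overwrites that same file with `>` when exporting System.keychain, and only line 11 appends again. Export the two keychains first and append `org_chain.txt` last, or use `>>` on line 10. Other problems in the same block: `mkdir -p "${cert_file%/*}"` on line 9 runs after line 8 has already written to the file, so it cannot help; `cert_file` is empty when the `ruby -ropenssl` call on line 3 fails (its stderr is discarded), which turns line 8 into `cat ... >> ""`; and `curl "$org_root_chain" -o org_chain.txt` on line 7 has no `--fail`, so a 404 page gets appended to the trust store. Suggested shape: `set -euo pipefail`, `[ -n "$cert_file" ] || exit 1`, `curl -fsS "$org_root_chain" -o org_chain.txt`, then `openssl x509 -in org_chain.txt -noout` before appending. Because whatever that URI serves becomes trusted for every TLS connection Ruby makes, the prompt on line 4 should require an https URI from the organization's official distribution point, and the temporary `org_chain.txt` should be removed afterwards.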
@@ -18,7 +18,7 @@ target_group:
18
18
  # network elb: TCP
19
19
  # so we can keep this commented out, unless we need HTTPS at the app level
20
20
  # Health check settings are supported by application load balancer only:
21
- # health_check_path: /upcheck
21
+ # health_check_path: /up # health check
22
22
  health_check_interval_seconds: 10 # default: 30. Network ELB can only take 10 or 30
23
23
  healthy_threshold_count: 2
24
24
  unhealthy_threshold_count: 2 # default: 10
@@ -1,7 +1,8 @@
1
1
  # Example ufo/variables/development.rb
2
2
  # More info on how variables work: http://ufoships.com/docs/variables/
3
3
  @cpu = 256
4
- @environment = helper.env_vars(%Q[
4
+ # Refer to https://github.com/tongueroo/ufo/issues/87 as to why the += is used
5
+ @environment += helper.env_vars(%Q[
5
6
  RAILS_ENV=development
6
7
  SECRET_KEY_BASE=secret
7
8
  ])
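Review bot: `@environment += helper.env_vars(...)` on line 5 assumes `@environment` is already an Array when the variables file is evaluated; if it is `nil`, `+=` raises `NoMethodError`. If the fix for #87 relies on the DSL pre-seeding `@environment`, say so in the comment; otherwise `@environment = Array(@environment) + helper.env_vars(...)` is safe in both cases. Also `SECRET_KEY_BASE=secret` is a starter placeholder; a comment that it must be replaced and never committed with a real value would help people who copy this file as-is.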
@@ -1,7 +1,7 @@
1
1
  # Example ufo/variables/production.rb
2
2
  # More info on how variables work: http://ufoships.com/docs/variables/
3
3
  @cpu = 256
4
- @environment = helper.env_vars(%Q[
4
+ @environment += helper.env_vars(%Q[
5
5
  RAILS_ENV=production
6
6
  SECRET_KEY_BASE=secret
7
7
  ])
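Review bot: same `=` to `+=` change as in development.rb, but without the comment pointing at issue #87; add it here too, since this is the file users copy for production. The same caveat applies: `+=` on line 4 needs `@environment` to be a non-nil Array.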
@@ -5,6 +5,8 @@ require "aws-sdk-ecr"
5
5
  require "aws-sdk-ecs"
6
6
  require "aws-sdk-elasticloadbalancingv2"
7
7
 
8
+ require "aws_mfa_secure/ext/aws" # add MFA support
9
+
8
10
  module Ufo
9
11
  module AwsService
10
12
  def cloudformation
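Review bot: `require "aws_mfa_secure/ext/aws"` on line 8 loads a patch into the AWS SDK for every ufo command, not only when MFA is configured, and the comment "add MFA support" does not say what the patch changes or what gates it. Expand the comment to state which SDK behaviour is replaced and under which profile configuration it activates, so operators can audit the credential path; a module that sits in credential handling should also be version-pinned in the gemspec rather than resolving to `>= 0` as the metadata hunk shows.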
@@ -12,7 +12,7 @@ module Ufo
12
12
  if stack.stack_status == "CREATE_IN_PROGRESS"
13
13
  cloudformation.delete_stack(stack_name: @stack_name)
14
14
  puts "Canceling stack creation."
15
- elsif stack.stack_status =~ /_IN_PROGRESS$/
15
+ elsif stack.stack_status == "UPDATE_IN_PROGRESS"
16
16
  cloudformation.cancel_update_stack(stack_name: @stack_name)
17
17
  puts "Canceling stack update."
18
18
  else
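Review bot: narrowing `/_IN_PROGRESS$/` to `"UPDATE_IN_PROGRESS"` on line 15 is correct in that `cancel_update_stack` is only accepted while a stack is in that state, but it means statuses such as `UPDATE_ROLLBACK_IN_PROGRESS`, `ROLLBACK_IN_PROGRESS` and `DELETE_IN_PROGRESS` now drop into the `else` branch. Make sure that branch prints the current `stack.stack_status` and says there is nothing to cancel; otherwise the behaviour change is silent for users who previously got the "Canceling stack update." message.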
@@ -9,7 +9,7 @@ module Ufo
9
9
  task_definition_path = "#{Ufo.root}/.ufo/output/#{task_definition}.json"
10
10
  unless File.exist?(task_definition_path)
11
11
  puts "ERROR: Unable to find the task definition at #{task_definition_path}.".color(:red)
12
- puts "Are you sure you have defined it in ufo/template_definitions.rb and it has been generated correctly in .ufo/output?".color(:red)
12
+ puts "Are you sure you have defined it in .ufo/task_definitions.rb and it has been generated correctly in .ufo/output?".color(:red)
13
13
  puts "If you are calling `ufo deploy` directly, you might want to generate the task definition first with `ufo tasks build`."
14
14
  exit 1
15
15
  end
@@ -42,10 +42,10 @@ module Ufo
42
42
  return if ENV['TEST']
43
43
  return unless File.exist?("#{Ufo.root}/.ufo/settings.yml") # for rake docs
44
44
  return unless settings # Only load if within Ufo project and there's a settings.yml
45
- data = settings[Ufo.env] || {}
46
- if data["aws_profile"]
47
- puts "Using AWS_PROFILE=#{data["aws_profile"]} from UFO_ENV=#{Ufo.env} in config/settings.yml"
48
- ENV['AWS_PROFILE'] = data["aws_profile"]
45
+ data = settings || {}
46
+ if data[:aws_profile]
47
+ puts "Using AWS_PROFILE=#{data[:aws_profile]} from UFO_ENV=#{Ufo.env} in config/settings.yml"
48
+ ENV['AWS_PROFILE'] = data[:aws_profile]
49
49
  end
50
50
  end
51
51
 
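Review bot: the lookup changed from `settings[Ufo.env]` to `settings` on line 45, but the message on line 47 still says "from UFO_ENV=#{Ufo.env} in config/settings.yml", which now misleads: the profile is no longer selected per UFO_ENV, and the guard on line 43 reads `.ufo/settings.yml`, not `config/settings.yml`. Update the message to match. The keys also changed from `"aws_profile"` to `:aws_profile`, which only works if `settings` returns a symbol-keyed hash; a test that loads a YAML settings file and asserts `ENV['AWS_PROFILE']` gets set would catch a string/symbol mismatch, which would otherwise fail silently by leaving the profile unset.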
@@ -1,3 +1,3 @@
1
1
  module Ufo
2
- VERSION = "4.5.6"
2
+ VERSION = "4.5.11"
3
3
  end
@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
18
18
  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
19
19
  spec.require_paths = ["lib"]
20
20
 
21
+ spec.add_dependency "aws-mfa-secure"
21
22
  spec.add_dependency "aws-sdk-cloudformation"
22
23
  spec.add_dependency "aws-sdk-cloudwatchlogs"
23
24
  spec.add_dependency "aws-sdk-ec2"
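Review bot: `spec.add_dependency "aws-mfa-secure"` on line 21 carries no version constraint, so it resolves to `>= 0` (as the metadata hunk confirms). A gem that patches the AWS SDK credential chain is the most sensitive dependency in this tool; add a pessimistic constraint (`"~> <current minor>"`, whichever is current) so a future release of that gem cannot silently change credential handling for every ufo user on upgrade.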
metadata CHANGED
@@ -1,15 +1,29 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ufo
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.5.6
4
+ version: 4.5.11
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tung Nguyen
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-09-17 00:00:00.000000000 Z
11
+ date: 2019-11-10 00:00:00.000000000 Z
12
12
  dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: aws-mfa-secure
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: '0'
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - ">="
25
+ - !ruby/object:Gem::Version
26
+ version: '0'
13
27
  - !ruby/object:Gem::Dependency
14
28
  name: aws-sdk-cloudformation
15
29
  requirement: !ruby/object:Gem::Requirement
@@ -333,6 +347,7 @@ files:
333
347
  - docs/_docs/settings/cfn.md
334
348
  - docs/_docs/settings/cluster.md
335
349
  - docs/_docs/settings/network.md
350
+ - docs/_docs/ssl_errors.md
336
351
  - docs/_docs/structure.md
337
352
  - docs/_docs/tutorial-ufo-docker-build.md
338
353
  - docs/_docs/tutorial-ufo-init.md
@@ -459,6 +474,9 @@ files:
459
474
  - docs/quick-start.md
460
475
  - docs/reference.md
461
476
  - docs/style.css
477
+ - docs/utils/ssl-doctor.rb
478
+ - docs/utils/test-aws-api-access.rb
479
+ - docs/utils/update-cert-chains.sh
462
480
  - exe/ufo
463
481
  - lib/cfn/stack.yml
464
482
  - lib/template/.env