ufo 4.6.2 → 5.0.3

data/spec/lib/role/builder_spec.rb

@@ -0,0 +1,67 @@
+describe Ufo::Role::Builder do
+  let(:builder) { described_class.new(role_type) }
+  let(:role_type) { "task_role" }
+
+  before(:each) do
+    Ufo::Role::Registry.register_policy("task_role",
+      "AmazonS3ReadOnlyAccess",
+      {:Action=>["s3:Get*", "s3:List*"], :Effect=>"Allow", :Resource=>"*"}
+    )
+    Ufo::Role::Registry.register_policy("task_role",
+      "CloudwatchWrite",
+      {:Action=>["cloudwatch:PutMetricData"], :Effect=>"Allow", :Resource=>"*"}
+    )
+    # Called twice on purpose to show that duplicated items in the set wont create doubles.
+    # This allows the DSL evaluate to be ran multiple times.
+    Ufo::Role::Registry.register_policy("task_role",
+      "CloudwatchWrite",
+      {:Action=>["cloudwatch:PutMetricData"], :Effect=>"Allow", :Resource=>"*"}
+    )
+
+
+    Ufo::Role::Registry.register_managed_policy("task_role",
+      "AmazonS3ReadOnlyAccess", "AmazonEC2ReadOnlyAccess"
+    )
+  end
+
+  context "build" do
+    it "builds role" do
+      resource = builder.build
+      expected = <<YAML
+---
+Type: AWS::IAM::Role
+Properties:
+  AssumeRolePolicyDocument:
+    Version: '2012-10-17'
+    Statement:
+    - Effect: Allow
+      Principal:
+        Service: ecs-tasks.amazonaws.com
+      Action: sts:AssumeRole
+  Policies:
+  - PolicyName: AmazonS3ReadOnlyAccess
+    PolicyDocument:
+      Version: '2012-10-17'
+      Statement:
+      - Action:
+        - s3:Get*
+        - s3:List*
+        Effect: Allow
+        Resource: "*"
+  - PolicyName: CloudwatchWrite
+    PolicyDocument:
+      Version: '2012-10-17'
+      Statement:
+      - Action:
+        - cloudwatch:PutMetricData
+        Effect: Allow
+        Resource: "*"
+  ManagedPolicyArns:
+  - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
+  - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
+YAML
+      yaml = YAML.dump(resource)
+      expect(yaml).to eq(expected)
+    end
+  end
+end

data/spec/lib/role/dsl_spec.rb

@@ -0,0 +1,12 @@
+describe Ufo::Role::DSL do
+  let(:dsl) { described_class.new(path) }
+  let(:path) { "spec/fixtures/iam_roles/task_role.rb" }
+
+  context "evaluate" do
+    it "registers policies from role DSL" do
+      dsl.evaluate
+      expect(Ufo::Role::Registry.policies).not_to be_empty
+      expect(Ufo::Role::Registry.managed_policies).not_to be_empty
+    end
+  end
+end

data/ufo.gemspec

@@ -19,13 +19,14 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "aws-logs"
-  spec.add_dependency "aws-mfa-secure"
+  spec.add_dependency "aws-mfa-secure", "~> 0.4.3"
   spec.add_dependency "aws-sdk-cloudformation"
   spec.add_dependency "aws-sdk-cloudwatchlogs"
   spec.add_dependency "aws-sdk-ec2"
   spec.add_dependency "aws-sdk-ecr"
   spec.add_dependency "aws-sdk-ecs"
   spec.add_dependency "aws-sdk-elasticloadbalancingv2"
+  spec.add_dependency "aws_data"
   spec.add_dependency "rainbow"
   spec.add_dependency "deep_merge"
   spec.add_dependency "memoist"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ufo
 version: !ruby/object:Gem::Version
-  version: 4.6.2
+  version: 5.0.3
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-01-23 00:00:00.000000000 Z
+date: 2020-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-logs
@@ -28,16 +28,16 @@ dependencies:
   name: aws-mfa-secure
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.4.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.4.3
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cloudformation
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +122,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws_data
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rainbow
   requirement: !ruby/object:Gem::Requirement
@@ -337,6 +351,7 @@ files:
 - docs/_docs/extras/ecs-network-mode.md
 - docs/_docs/extras/load-balancer.md
 - docs/_docs/extras/minimal-deploy-iam.md
+- docs/_docs/extras/notification-arns.md
 - docs/_docs/extras/redirection-support.md
 - docs/_docs/extras/route53-support.md
 - docs/_docs/extras/security-groups.md
@@ -344,6 +359,7 @@ files:
 - docs/_docs/faq.md
 - docs/_docs/fargate.md
 - docs/_docs/helpers.md
+- docs/_docs/iam-roles.md
 - docs/_docs/install.md
 - docs/_docs/more/auto-completion.md
 - docs/_docs/more/automated-cleanup.md
@@ -355,10 +371,12 @@ files:
 - docs/_docs/more/why-cloudformation.md
 - docs/_docs/next-steps.md
 - docs/_docs/quick-start-ec2.md
+- docs/_docs/secrets.md
 - docs/_docs/settings.md
 - docs/_docs/settings/aws_profile.md
 - docs/_docs/settings/cfn.md
 - docs/_docs/settings/cluster.md
+- docs/_docs/settings/manage-security-groups.md
 - docs/_docs/settings/network.md
 - docs/_docs/ssl_errors.md
 - docs/_docs/structure.md
@@ -377,6 +395,7 @@ files:
 - docs/_docs/upgrading.md
 - docs/_docs/upgrading/upgrade4.5.md
 - docs/_docs/upgrading/upgrade4.md
+- docs/_docs/upgrading/upgrade5.md
 - docs/_docs/variables.md
 - docs/_includes/about.html
 - docs/_includes/cfn-customize.md
@@ -493,8 +512,10 @@ files:
 - docs/utils/test-aws-api-access.rb
 - docs/utils/update-cert-chains.sh
 - exe/ufo
-- lib/cfn/stack.yml
 - lib/template/.env
+- lib/template/.secrets
+- lib/template/.ufo/iam_roles/execution_role.rb
+- lib/template/.ufo/iam_roles/task_role.rb
 - lib/template/.ufo/params.yml.tt
 - lib/template/.ufo/settings.yml.tt
 - lib/template/.ufo/settings/cfn/default.yml.tt
@@ -535,6 +556,7 @@ files:
 - lib/ufo/docker/variables.rb
 - lib/ufo/dsl.rb
 - lib/ufo/dsl/helper.rb
+- lib/ufo/dsl/helper/vars.rb
 - lib/ufo/dsl/outputter.rb
 - lib/ufo/dsl/task_definition.rb
 - lib/ufo/ecr/auth.rb
@@ -586,16 +608,45 @@ files:
 - lib/ufo/ps.rb
 - lib/ufo/ps/task.rb
 - lib/ufo/releases.rb
+- lib/ufo/role/builder.rb
+- lib/ufo/role/dsl.rb
+- lib/ufo/role/registry.rb
 - lib/ufo/rollback.rb
 - lib/ufo/scale.rb
 - lib/ufo/sequence.rb
 - lib/ufo/setting.rb
 - lib/ufo/setting/profile.rb
+- lib/ufo/setting/security_groups.rb
+- lib/ufo/settings.rb
 - lib/ufo/ship.rb
 - lib/ufo/stack.rb
+- lib/ufo/stack/builder.rb
+- lib/ufo/stack/builder/base.rb
+- lib/ufo/stack/builder/conditions.rb
+- lib/ufo/stack/builder/outputs.rb
+- lib/ufo/stack/builder/parameters.rb
+- lib/ufo/stack/builder/resources.rb
+- lib/ufo/stack/builder/resources/base.rb
+- lib/ufo/stack/builder/resources/dns.rb
+- lib/ufo/stack/builder/resources/ecs.rb
+- lib/ufo/stack/builder/resources/elb.rb
+- lib/ufo/stack/builder/resources/listener.rb
+- lib/ufo/stack/builder/resources/listener_ssl.rb
+- lib/ufo/stack/builder/resources/roles/base.rb
+- lib/ufo/stack/builder/resources/roles/execution_role.rb
+- lib/ufo/stack/builder/resources/roles/task_role.rb
+- lib/ufo/stack/builder/resources/security_group/base.rb
+- lib/ufo/stack/builder/resources/security_group/ecs.rb
+- lib/ufo/stack/builder/resources/security_group/ecs_rule.rb
+- lib/ufo/stack/builder/resources/security_group/elb.rb
+- lib/ufo/stack/builder/resources/target_group.rb
+- lib/ufo/stack/builder/resources/task_definition.rb
+- lib/ufo/stack/builder/resources/task_definition/reconstructor.rb
 - lib/ufo/stack/context.rb
+- lib/ufo/stack/custom_properties.rb
 - lib/ufo/stack/helper.rb
 - lib/ufo/stack/status.rb
+- lib/ufo/stack/template_body.rb
 - lib/ufo/status.rb
 - lib/ufo/stop.rb
 - lib/ufo/task.rb
@@ -610,6 +661,7 @@ files:
 - lib/ufo/upgrade/upgrade4.rb
 - lib/ufo/upgrade/upgrade43to45.rb
 - lib/ufo/util.rb
+- lib/ufo/utils/squeezer.rb
 - lib/ufo/version.rb
 - spec/fixtures/apps/describe_services.json
 - spec/fixtures/cfn/stack-events-complete.json
@@ -621,6 +673,7 @@ files:
 - spec/fixtures/dockerfiles/ecr/Dockerfile
 - spec/fixtures/home_existing/.aws/config
 - spec/fixtures/home_existing/.docker/config.json
+- spec/fixtures/iam_roles/task_role.rb
 - spec/fixtures/mocks/logs/awslogs.json
 - spec/fixtures/mocks/logs/no-awslogs.json
 - spec/fixtures/ps/describe_tasks.json
@@ -634,6 +687,8 @@ files:
 - spec/lib/logs_spec.rb
 - spec/lib/ps_spec.rb
 - spec/lib/register_spec.rb
+- spec/lib/role/builder_spec.rb
+- spec/lib/role/dsl_spec.rb
 - spec/lib/setting_spec.rb
 - spec/lib/ship_spec.rb
 - spec/lib/stack/status_spec.rb
@@ -660,7 +715,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: AWS ECS Deploy Tool
@@ -675,6 +730,7 @@ test_files:
 - spec/fixtures/dockerfiles/ecr/Dockerfile
 - spec/fixtures/home_existing/.aws/config
 - spec/fixtures/home_existing/.docker/config.json
+- spec/fixtures/iam_roles/task_role.rb
 - spec/fixtures/mocks/logs/awslogs.json
 - spec/fixtures/mocks/logs/no-awslogs.json
 - spec/fixtures/ps/describe_tasks.json
@@ -688,6 +744,8 @@ test_files:
 - spec/lib/logs_spec.rb
 - spec/lib/ps_spec.rb
 - spec/lib/register_spec.rb
+- spec/lib/role/builder_spec.rb
+- spec/lib/role/dsl_spec.rb
 - spec/lib/setting_spec.rb
 - spec/lib/ship_spec.rb
 - spec/lib/stack/status_spec.rb

data/lib/cfn/stack.yml

@@ -1,283 +0,0 @@
-Description: "Ufo ECS stack <%= @stack_name %>"
-Parameters:
-  # required
-  Vpc:
-    Description: Existing vpc id
-    Type: AWS::EC2::VPC::Id
-  ElbSubnets:
-    Description: Existing subnet ids for ELB
-    Type: List<AWS::EC2::Subnet::Id>
-  EcsSubnets:
-    Description: Existing subnet ids for ECS
-    Type: List<AWS::EC2::Subnet::Id>
-  EcsSecurityGroups:
-    Description: Existing ecs security group ids
-    Type: String
-    Default: ''
-  ElbSecurityGroups:
-    Description: Existing elb security group ids. List with commas.
-    Type: String
-    Default: ''
-
-  ElbTargetGroup:
-    Description: Existing target group
-    Type: String
-    Default: '' # when blank the automatically created TargetGroup is used
-  CreateElb:
-    Description: Create elb
-    Type: String
-    Default: true
-  EcsDesiredCount:
-    Description: Ecs desired count
-    Type: String
-    Default: 1
-  EcsTaskDefinition:
-    Description: Ecs task definition arn
-    Type: String
-
-  # Using to keep state
-  ElbEipIds:
-    Description: ELB EIP Allocation ids to use for network load balancer
-    Type: String
-    Default: ''
-  EcsSchedulingStrategy:
-    Description: The scheduling strategy to use for the service
-    Type: String
-    Default: 'REPLICA'
-Conditions:
-  CreateElbIsTrue: !Equals [ !Ref CreateElb, true ]
-  ElbTargetGroupIsBlank: !Equals [ !Ref ElbTargetGroup, '' ]
-  CreateTargetGroupIsTrue: !And
-  - !Condition CreateElbIsTrue
-  - !Condition ElbTargetGroupIsBlank
-  ElbSecurityGroupsIsBlank: !Equals [ !Ref ElbSecurityGroups, '' ]
-  EcsSecurityGroupsIsBlank: !Equals [ !Ref EcsSecurityGroups, '' ]
-  EcsDesiredCountIsBlank: !Equals [ !Ref EcsDesiredCount, '' ]
-Resources:
-  Elb:
-    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
-    Condition: CreateElbIsTrue
-    Properties:
-<% if ENV['UFO_FORCE_ELB'] -%>
-# Error: SetSubnets is not supported for load balancers of type 'network'
-# Happens: When changing subnets for an ELB
-# Solution: Rename the ELB to force a replacement of it
-<% random = (0...3).map { (65 + rand(26)).chr }.join.downcase %>
-      Name: <%= "#{@stack_name}-#{random}" %>
-<% end -%>
-      Type: <%= @elb_type %>
-      Tags:
-      - Key: Name
-        Value: <%= @stack_name %>
-<% if @elb_type == "application" -%>
-      # Add additional extra security groups if parameters set
-      SecurityGroups: !Split
-        - ','
-        - !If
-          - ElbSecurityGroupsIsBlank
-          - !Ref ElbSecurityGroup
-          - !Join [',', [!Ref ElbSecurityGroups, !Ref ElbSecurityGroup]]
-<% end -%>
-<% if @elb_type == "network" && @subnet_mappings && !@subnet_mappings.empty? -%>
-      SubnetMappings:
-<% @subnet_mappings.each do |allocation_id, subnet_id| -%>
-        - AllocationId: <%= allocation_id %>
-          SubnetId: <%= subnet_id %>
-<% end -%>
-<% else -%>
-      Subnets: !Ref ElbSubnets
-<% end -%>
-<%= custom_properties(:Elb) %>
-
-  TargetGroup:
-    Type: AWS::ElasticLoadBalancingV2::TargetGroup
-    Condition: CreateTargetGroupIsTrue
-    Properties:
-      VpcId: !Ref Vpc
-      Tags:
-      - Key: Name
-        Value: <%= @stack_name %>
-<% if ENV['UFO_FORCE_TARGET_GROUP'] -%>
-# When adding and removing EIPs
-# Error: TargetGroup cannot be associated with more than one load balancer
-# Solution: https://forums.aws.amazon.com/thread.jspa?threadID=254544
-# Note: we truncate the stack name because target group names can be only 32 chars long
-      Name: !Join
-      - '-'
-      - - <%= @stack_name[0..-6] %>
-        - !Select [ 2, !Split [ '-', !GetAtt Elb.LoadBalancerName]]
-<% end -%>
-      Protocol: <%= @default_target_group_protocol %>
-<% if @container[:network_mode] == "awsvpc" -%>
-      TargetType: ip
-<% end -%>
-<% if @elb_type == "network" && @network_mode == "awsvpc" -%>
-      # target groups with network load balancers need to check the container
-      # port dirtectly and will be using
-      HealthCheckPort: <%= @container[:port] %>
-<% end -%>
-<%= custom_properties(:TargetGroup) %>
-
-  Listener:
-    Type: AWS::ElasticLoadBalancingV2::Listener
-    Condition: CreateElbIsTrue
-    Properties:
-      DefaultActions:
-      - Type: forward
-        TargetGroupArn:
-          !If [ElbTargetGroupIsBlank, !Ref TargetGroup, !Ref ElbTargetGroup]
-      LoadBalancerArn: !Ref Elb
-      Protocol: <%= @default_listener_protocol %>
-<%= custom_properties(:Listener) %>
-
-<% if @create_listener_ssl -%>
-  ListenerSsl:
-    Type: AWS::ElasticLoadBalancingV2::Listener
-    Condition: CreateElbIsTrue
-    Properties:
-      DefaultActions:
-      - Type: forward
-        TargetGroupArn:
-          !If [ElbTargetGroupIsBlank, !Ref TargetGroup, !Ref ElbTargetGroup]
-      LoadBalancerArn: !Ref Elb
-      Protocol: <%= @default_listener_ssl_protocol %>
-<%= custom_properties(:ListenerSsl) %>
-<% end -%>
-
-<% if @elb_type == "application" -%>
-  ElbSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Condition: CreateElbIsTrue
-    Properties:
-      GroupDescription: Allow http to client host
-      VpcId: !Ref Vpc
-      SecurityGroupIngress:
-      - IpProtocol: tcp
-        FromPort: '<%= cfn[:listener][:port] %>'
-        ToPort: '<%= cfn[:listener][:port] %>'
-        CidrIp: 0.0.0.0/0
-<% if @create_listener_ssl -%>
-      - IpProtocol: tcp
-        FromPort: '<%= cfn[:listener_ssl][:port] %>'
-        ToPort: '<%= cfn[:listener_ssl][:port] %>'
-        CidrIp: 0.0.0.0/0
-<% end -%>
-      SecurityGroupEgress:
-      - IpProtocol: tcp
-        FromPort: '0'
-        ToPort: '65535'
-        CidrIp: 0.0.0.0/0
-      Tags:
-      - Key: Name
-        Value: <%= @stack_name %>-elb
-<%= custom_properties(:ElbSecurityGroup) %>
-<% end -%>
-
-  Ecs:
-    Type: AWS::ECS::Service
-<% if @create_elb -%>
-    DependsOn: Listener
-<% end -%>
-    Properties:
-      Cluster: <%= @cluster %>
-      DesiredCount: !If
-      - EcsDesiredCountIsBlank
-      - !Ref AWS::NoValue
-      - !Ref EcsDesiredCount
-      TaskDefinition: !Ref EcsTaskDefinition
-<% if pretty_name? -%>
-      ServiceName: <%= @stack_name %>
-<% end -%>
-<% if @container[:fargate] -%>
-      LaunchType: FARGATE
-<% end -%>
-<% if @container[:network_mode] == "awsvpc" -%>
-      NetworkConfiguration:
-        AwsvpcConfiguration:
-          Subnets: !Ref EcsSubnets # required
-          SecurityGroups: !Split
-            - ','
-            - !If
-              - EcsSecurityGroupsIsBlank
-              - !Ref EcsSecurityGroup
-              - !Join [',', [!Ref EcsSecurityGroups, !Ref EcsSecurityGroup]]
-<% if @container[:fargate] -%>
-          AssignPublicIp: ENABLED # Works with fargate but doesnt seem to work with non-fargate
-<% end -%>
-<% end -%>
-      # Default to port 80 to get template to validate.  For worker processes
-      # there is no actual port used.
-      LoadBalancers: !If
-      - CreateTargetGroupIsTrue
-      - - ContainerName: <%= @container[:name] %>
-          ContainerPort: <%= @container[:port] || 80 %>
-          TargetGroupArn: !Ref TargetGroup
-      - !If
-        - ElbTargetGroupIsBlank
-        - []
-        - - ContainerName: <%= @container[:name] %>
-            ContainerPort: <%= @container[:port] || 80 %>
-            TargetGroupArn: !Ref ElbTargetGroup
-      SchedulingStrategy: !Ref EcsSchedulingStrategy
-<%= custom_properties(:Ecs) %>
-
-  EcsSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      GroupDescription: Allow http to client host
-      VpcId: !Ref Vpc
-<% if @elb_type == "network" -%>
-      SecurityGroupIngress:
-      - IpProtocol: tcp
-        FromPort: '<%= @container[:port] %>'
-        ToPort: '<%= @container[:port] %>'
-        CidrIp: 0.0.0.0/0
-        Description: docker ephemeral port range for network elb
-<% end -%>
-      # Outbound access: instance needs access to internet to pull down image
-      # or else get CannotPullContainerError
-      SecurityGroupEgress:
-      - IpProtocol: "-1"
-        CidrIp: 0.0.0.0/0
-        Description: outbound traffic
-      Tags:
-      - Key: Name
-        Value: <%= @stack_name %>
-<%= custom_properties(:EcsSecurityGroup) %>
-
-<% if @elb_type == "application" -%>
-  # Allow all traffic from ELB SG to ECS SG
-  EcsSecurityGroupRule:
-    Type: AWS::EC2::SecurityGroupIngress
-    Condition: CreateElbIsTrue
-    Properties:
-      IpProtocol: tcp
-      FromPort: '0'
-      ToPort: '65535'
-      SourceSecurityGroupId: !GetAtt ElbSecurityGroup.GroupId
-      GroupId: !GetAtt EcsSecurityGroup.GroupId
-      Description: application elb access to ecs
-<%= custom_properties(:EcsSecurityGroupRule) %>
-<% end -%>
-<% if @create_route53 -%>
-  Dns:
-    Type: AWS::Route53::RecordSet
-    Properties:
-      Comment: cname to load balancer
-      Type: CNAME
-      TTL: '60' # ttl has special casing
-      ResourceRecords:
-      - !GetAtt Elb.DNSName
-<%= custom_properties(:Dns) %>
-<% end -%>
-
-Outputs:
-  ElbDns:
-    Description: Elb Dns
-    Condition: CreateElbIsTrue
-    Value: !GetAtt Elb.DNSName
-<% if @create_route53 -%>
-  Route53Dns:
-    Description: Route53 Dns
-    Value: !Ref Dns
-<% end -%>