ufo 4.6.3 → 5.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1d21bb7586b951ad481495696dc9c1e9422544dca617a499d732572eb771f980
-  data.tar.gz: e4bb2a216b12b683267700525e5bc91e0d1232c1ce0e2b9a8b770a73a11da6a9
+  metadata.gz: 320bf4465ea909e6aad615ffe8c99402a8e552745e202e54bfb1fa9161f8a06a
+  data.tar.gz: 5fa11f5e7c963e195910423bdb2114c1c9feee76c4951836a51bb7b4ff848851
 SHA512:
-  metadata.gz: 12ec77a43798cc2689e0a73a8403c4b2e5a283b8f91a8fd7201b5a5d5d1811ec392aa345d5f0b23a01a7ad65df51ff726506e8a7d403a0574aedc0f23cb3ec75
-  data.tar.gz: 8ad9032a96b45cf5c79757eb4df295cc4acbb38b51687faa4abde46290bc8eaa901a38de1fd0049284671fddeaa1558b1915c53bf7977d5000dfc8187f519f4f
+  metadata.gz: 76e02045c71f002b9a9adeea046470d03a6b3466fafb9733db71da1a34b73b2565f1a5259e0fa82417965367b4ada63f4b967c92f976d96ef863ce4542053411
+  data.tar.gz: f1761830ab51ee8279fc9ad83bba0e91d9a6cb25499d14af0dcba3b14cf039a3bac2b450b8c2741e6626beae6719abb591bd2e9746abfaa3adaa89792ad59a7b

data/CHANGELOG.md

@@ -3,6 +3,35 @@
 All notable changes to this project will be documented in this file.
 This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [5.0.4] - 2021-01-23
+- [#119](https://github.com/tongueroo/ufo/pull/119) layer base profiles with env-specific or default profile
+
+## [5.0.3] - 2020-12-10
+- [#118](https://github.com/tongueroo/ufo/pull/118) update aws-mfa-secure with require singleton fix
+
+## [5.0.2]
+- #111 Add support of credsStore
+- #112 Add support for bridge network mode
+- #113 Allow custom container name when you try to attach an existing ELB to a service
+
+## [5.0.1]
+- #109 fix fargate
+- #110 adjust and document `managed_security_groups` setting
+
+## [5.0.0]
+- #104 adjust logs default format to detailed
+- #105 major rework: build cfn template with Ruby instead of ERB for new features
+- #106 secrets support
+- Codified iam_role support with .ufo/iam_roles files: custom and managed policy support. The ECS Task definition was moved into CloudFormation to support this.
+- Allow per service security groups
+- Conventional .ufo/settings cfn and network files based on ufo env
+- Managed_security_groups_enabled=false setting.yml
+- Project custom helper methods support
+- Add image-override option for ufo ship
+- Notification ARN stack cloudformation support for compliance reasons
+- update cfn/default to use CamelCase. maintain backward compatibility with underscore. through encourage users to upgrade to CamelCase. There's less mental translation overhead.
+- remove pretty option: always pretty
+
 ## [4.6.3]
 - #101 improve ufo init help
 

data/docs/_docs/conventions.md

@@ -1,6 +1,6 @@
 ---
 title: Conventions
-nav_order: 19
+nav_order: 22
 ---
 
 Ufo uses a set of naming conventions.  This helps enforce some best practices and also allows the ufo commands to be concise.  You can override or bypass the conventions easily.

data/docs/_docs/extras/codebuild-iam-role.md

@@ -1,6 +1,6 @@
 ---
 title: CodeBuild IAM Role
-nav_order: 32
+nav_order: 35
 ---
 
 Note, the `/tmp/ecs-deploy-policy.json` policy is available at [Minimal Deploy IAM]({% link _docs/extras/minimal-deploy-iam.md %}).

data/docs/_docs/extras/dockerfile-erb.md

@@ -1,6 +1,6 @@
 ---
 title: Dynamic Dockerfile.erb
-nav_order: 33
+nav_order: 36
 ---
 
 Sometimes you may need a little more dynamic control of your Dockerfile. For these cases, ufo supports dynamically creating a Dockerfile from a Dockerfile.erb.  If Dockerfile.erb exists, ufo uses it to generate a Dockerfile as a part of the build process.  These means that you should update the source Dockerfile.erb instead, as the Dockerfile will be overwritten.  If Dockerfile.erb does not exist, then ufo will use the Dockerfile instead.

data/docs/_docs/extras/ecs-network-mode.md

@@ -1,6 +1,6 @@
 ---
 title: ECS Network Mode
-nav_order: 27
+nav_order: 30
 ---
 
 ## Pros and Cons: bridge network mode

data/docs/_docs/extras/load-balancer.md

@@ -1,6 +1,6 @@
 ---
 title: Load Balancer Support
-nav_order: 25
+nav_order: 28
 ---
 
 Ufo can automatically create a load balancer and associate it with an ECS service.  The options:

data/docs/_docs/extras/minimal-deploy-iam.md

@@ -1,6 +1,6 @@
 ---
 title: Minimal Deploy IAM Policy
-nav_order: 31
+nav_order: 34
 ---
 
 The IAM user you use to run the `ufo ship` command needs a minimal set of IAM policies in order to deploy to ECS. Here is a table of the baseline services needed:

data/docs/_docs/extras/notification-arns.md

@@ -0,0 +1,21 @@
+---
+title: Notification ARNs
+categories: extras
+nav_order: 37
+---
+
+You can specific notification arns for CloudFormation stack related events with [configs/settings.yml]({% link _docs/settings.md %}). This may be useful for compliance purposes.
+
+## Example
+
+configs/settings.yml
+
+```yaml
+base:
+  notification_arns:
+  - arn:aws:sns:us-west-2:112233445566:my-sns-topic1
+```
+
+This will set the `notification_arns` option as the CloudFormation stack created by `ufo ship`.
+
+{% include prev_next.md %}

data/docs/_docs/extras/redirection-support.md

@@ -1,6 +1,6 @@
 ---
 title: Redirection Support
-nav_order: 30
+nav_order: 33
 ---
 
 ## Application Load Balancers
@@ -8,15 +8,15 @@ nav_order: 30
 If you are using an Application Load Balancer you can configure redirection by editing the default actions of the regular listener that is set up by ufo. This assumes you have set up [SSL Support]({% link _docs/extras/ssl-support.md %}).  Here's an example that redirects http to https with a 302 http status code:
 
 ```
-listener:
-  port: 80
+Listener:
+  Port: 80
   # ...
-  default_actions:
-   - type: redirect
-     redirect_config:
-       protocol: HTTPS
-       status_code: HTTP_302 # HTTP_301 and HTTP_302 are valid
-       port: 443
+  DefaultActions:
+   - Type: redirect
+     RedirectConfig:
+       Protocol: HTTPS
+       StatusCode: HTTP_302 # HTTP_301 and HTTP_302 are valid
+       Port: 443
 ```
 
 

data/docs/_docs/extras/route53-support.md

@@ -1,14 +1,14 @@
 ---
 title: Route53 Support
-nav_order: 29
+nav_order: 32
 ---
 
 Ufo can create a "pretty" route53 record and set it's value to the created ELB DNS name. This is done by configuring the `.ufo/settings/cfn/default.yml` file. Example:
 
 ```yaml
-dns:
-  name: "{stack_name}.mydomain.com."
-  hosted_zone_name: mydomain.com. # dont forget the trailing period
+Dns:
+  Name: "{stack_name}.mydomain.com."
+  HostedZoneName: mydomain.com. # dont forget the trailing period
 ```
 
 The `{stack_name}` variable gets substituted with the CloudFormation stack name launched by ufo. So for example:

data/docs/_docs/extras/security-groups.md

@@ -1,6 +1,6 @@
 ---
 title: Security Groups
-nav_order: 26
+nav_order: 29
 ---
 
 Ufo creates and manages two security groups. One for the ELB and one for the ECS tasks.

data/docs/_docs/extras/ssl-support.md

@@ -1,15 +1,15 @@
 ---
 title: SSL Support
-nav_order: 28
+nav_order: 31
 ---
 
 You can configure SSL support by uncomment the `listener_ssl` option in `.ufo/settings/cfn/default.yml`.  Here's an example:
 
 ```
-listener_ssl:
-  port: 443
-  certificates:
-  - certificate_arn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
+ListenerSsl:
+  Port: 443
+  Certificates:
+  - CertificateArn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
 ```
 
 For the certificate arn, you will need to create a certificate with AWS ACM. To do so, you can follow these instructions: [Request a Public Certificate

data/docs/_docs/faq.md

@@ -1,6 +1,6 @@
 ---
 title: FAQ
-nav_order: 45
+nav_order: 50
 ---
 
 **Q: Is AWS ECS Fargate supported?**

data/docs/_docs/helpers.md

@@ -1,6 +1,6 @@
 ---
 title: Helpers
-nav_order: 18
+nav_order: 19
 ---
 
 The `task_definitions.rb` file has access to helper methods. These helper methods provide useful contextual information about the project.
@@ -9,10 +9,12 @@ For example, one of the helper methods provides the exposed port in the Dockerfi
 
 Helper  | Description
 ------------- | -------------
-full\_image\_name | The full docker image name that ufo builds. The "base" portion of the docker image name is defined in `settings.yml`. For example, the base portion is `tongueroo/demo-ufo` and the full image name is `tongueroo/demo-ufo:ufo-[timestamp]-[sha]`. The base name does not include the generated Docker tag, which contains a timestamp and git sha of the project.
-dockerfile\_port | Exposed port extracted from the Dockerfile of the project. 
-env_vars(text) | This method takes a block of text that contains the env values in `key=value` format and converts that block of text to the proper task definition JSON format.
-env_file(path) | This method takes a `.env` file which contains a simple key-value list of environment variables and converts the list to the proper task definition JSON format.
+full\_image\_name | The full docker image name that ufo builds. The "base" portion of the docker image name is defined in `settings.yml`. For example, the base portion is `tongueroo/demo-ufo` and the full image name is `tongueroo/demo-ufo:ufo-[timestamp]-[sha]`. The base name does not include the generated Docker tag, which contains a timestamp and git sha of the project.
+dockerfile\_port | Exposed port extracted from the Dockerfile of the project.
+env_vars(text) | This method takes a block of text that contains the env values in `key=value` format and converts that block of text to the proper task definition JSON format.
+env_file(path) | This method takes a `.env` file which contains a simple key-value list of environment variables and converts the list to the proper task definition JSON format.
+secrets_vars(text) | This method takes a block of text that contains the secrets values in `key=value` format and converts that block of text to the proper task definition JSON format.
+secrets_file(path) | This method takes a `.secrets` file which contains a simple key-value list of environment variables and converts the list to the proper task definition JSON format.
 task_definition_name | The name of the task_definition.  So if the code looks like this `task_definition "demo-web" do`, the task_definition_name is "demo-web".
 
 To call the helper in task_definitions.rb you must add `helper.` in front.  So `full_image_name` is called via `helper.full_image_name`.

data/docs/_docs/iam-roles.md

@@ -0,0 +1,112 @@
+---
+title: Task Definition IAM Roles
+nav_order: 21
+---
+
+## What are ECS IAM Roles?
+
+For ECS Task Definitions, you can assign it 2 IAM roles: 1) taskRoleArn and 2) executionRoleArn. It's usually defined in the JSON structure like so:
+
+```json
+{
+  "family": "..",
+  "taskRoleArn": "...",
+  "executionRoleArn": "...",
+  "containerDefinitions": [
+    ...
+  ]
+}
+```
+
+Here's a table that explains the difference between the 2 IAM roles.
+
+Name | Purpose
+--- | ---
+taskRoleArn | This is the role that the ECS task itself uses. So this is what IAM permissions your application has access to. Think about it as the "container role".
+executionRoleArn | This is the role that the EC2 instance host uses. This allows the EC2 instance to pull from the ECR registry. Think about it as the "host role".
+
+## How to Assign IAM Roles with UFO
+
+You can assign an IAM role to the ECS Task definition in ways:
+
+1. IAM Role with Code (UFO Managed)
+2. Precreated IAM Role
+
+## IAM Role with Code (UFO Managed)
+
+UFO can automatically create the IAM and assign it to the task definition. You create these files so UFO will know to create and manage the IAM roles.
+
+    .ufo/iam_roles/execution_role.rb
+    .ufo/iam_roles/task_role.rb
+
+### Example 1
+
+You then use a DSL to create the IAM roles. Here are examples:
+
+.ufo/iam_roles/execution_role.rb
+
+```ruby
+managed_iam_policy("AmazonSSMReadOnlyAccess")
+managed_iam_policy("SecretsManagerReadWrite")
+managed_iam_policy("service-role/AmazonECSTaskExecutionRolePolicy")
+```
+
+.ufo/iam_roles/task_role.rb
+
+```ruby
+iam_policy("AmazonS3ReadOnlyAccess",
+  Action: [
+    "s3:Get*",
+    "s3:List*"
+  ],
+  Effect: "Allow",
+  Resource: "*"
+)
+iam_policy("CloudwatchWrite",
+  Action: [
+    "cloudwatch:PutMetricData",
+  ],
+  Effect: "Allow",
+  Resource: "*"
+)
+```
+
+### Example 2
+
+You can use the `managed_iam_policy` and `iam_policy` together. You can also group multiple statements in the `iam_policy` declaration.
+
+.ufo/iam_roles/task_role.rb
+
+```ruby
+managed_iam_policy("AmazonSSMManagedInstanceCore")
+
+iam_policy("custom-policy", [
+  {
+    Action: "ecs:UpdateContainerInstancesState",
+    Resource: "*",
+    Effect: "Allow"
+  },
+  {
+    Action: "sns:Publish",
+    Resource: "*",
+    Effect: "Allow"
+  }
+])
+```
+
+## Pre-Created IAM Role
+
+You can also assign the task definition `executionRoleArn` with pre-created IAM roles. It looks something like this in the `.ufo/templates/main.json.erb` file:
+
+```json
+{
+  "family": "<%= @family %>",
+  "taskRoleArn": "arn:aws:iam::112233445566:role/pre-created-iam-role",
+  "executionRoleArn": "arn:aws:iam::112233445566:role/pre-created-iam-role",
+  "containerDefinitions": [
+    ...
+  ]
+}
+```
+
+{% include prev_next.md %}

data/docs/_docs/install.md

@@ -17,16 +17,6 @@ Or you can add ufo to your Gemfile in your project if you are working with a rub
 gem "ufo"
 {% endhighlight %}
 
-## Install with Bolts Toolbelt
-
-If you want to quickly install ufo without having to worry about ufo's dependencies you can install the Bolts Toolbelt which has ufo included.
-
-```sh
-brew cask install boltopslabs/software/bolts
-```
-
-For more information about the Bolts Toolbelt or to get an installer for another operating system visit: [https://boltops.com/toolbelt](https://boltops.com/toolbelt)
-
 ## Dependencies
 
 * Docker: You will need a working version of [Docker](https://docs.docker.com/engine/installation/) installed as ufo shells out and calls the `docker` command.

data/docs/_docs/more/auto-completion.md

@@ -1,6 +1,6 @@
 ---
 title: Auto Completion
-nav_order: 44
+nav_order: 49
 ---
 
 Ufo supports bash auto-completion.  To set it up add the following to your `~/.profile` or `.bashrc`:

data/docs/_docs/more/automated-cleanup.md

@@ -1,6 +1,6 @@
 ---
 title: Automated Clean Up
-nav_order: 43
+nav_order: 48
 ---
 
 Ufo can be configured to automatically clean old images from the ECR registry after the deploy completes by configuring your [settings.yml]({% link _docs/settings.md %}) file like so:

data/docs/_docs/more/customize-cloudformation.md

@@ -1,6 +1,6 @@
 ---
 title: Customize CloudFormation
-nav_order: 38
+nav_order: 43
 ---
 
 Under the hood, ufo creates most of the required resources with a CloudFormation stack.  This includes the ELB, Target Group, Listener, Security Groups, ECS Service, and Route 53 records.  You might need to customize these resources.  Here are the ways to customize the resources that ufo creates.

data/docs/_docs/more/migrations.md

@@ -1,6 +1,6 @@
 ---
 title: Database Migrations
-nav_order: 42
+nav_order: 47
 ---
 
 A common task is to run database migrations with newer code before deploying the code. This is easily achieved with the `ufo task` command. Here's an example:

data/docs/_docs/more/run-in-pieces.md

@@ -1,6 +1,6 @@
 ---
 title: Run in Pieces
-nav_order: 40
+nav_order: 45
 ---
 
 The `ufo ship` command goes through a few stages:

data/docs/_docs/more/single-task.md

@@ -1,6 +1,6 @@
 ---
 title: Run Single Task
-nav_order: 41
+nav_order: 46
 ---
 
 Sometimes you do not want to run a long running `service` but a one time task. Running Rails migrations are an example of a one off task.  Here is an example of how you would run a one time task.

data/docs/_docs/more/stuck-cloudformation.md

@@ -1,6 +1,6 @@
 ---
 title: Stuck CloudFormation
-nav_order: 39
+nav_order: 44
 ---
 
 The CloudFormation stack update or creation can get stuck in a `*_IN_PROGRESS` state for a very long time, like more than an hour.  This happens when you deploy an ECS service that fails to stabilize. Usually, this is an error with the Docker container failing to start up successfully.

data/docs/_docs/more/why-cloudformation.md

@@ -1,6 +1,6 @@
 ---
 title: Why CloudFormation
-nav_order: 37
+nav_order: 42
 ---
 
 Version 3 of ufo was a simpler implementation and did not make use of CloudFormation to create the ECS service. In version 4, ufo uses CloudFormation to create the ECS Service.  This is because ufo became more powerful. Notably, support for Load Balancers was added. With this power, also came added complexity. So the complexity was push onto CloudFormation.  Hence, ECS service is implemented as CloudFormation resource in version 4.

data/docs/_docs/next-steps.md

@@ -1,6 +1,6 @@
 ---
 title: Next Steps
-nav_order: 47
+nav_order: 52
 ---
 
 This concludes the tutorial guide for ufo. Hopefully you are now more comfortable with ufo's basic usage, concepts, and have a feel for the workflow.