ufo 5.0.0 → 5.0.5
- checksums.yaml +4 -4
- data/CHANGELOG.md +18 -0
- data/docs/_docs/conventions.md +1 -1
- data/docs/_docs/extras/codebuild-iam-role.md +1 -1
- data/docs/_docs/extras/dockerfile-erb.md +1 -1
- data/docs/_docs/extras/ecs-network-mode.md +1 -1
- data/docs/_docs/extras/load-balancer.md +1 -1
- data/docs/_docs/extras/minimal-deploy-iam.md +1 -1
- data/docs/_docs/extras/notification-arns.md +1 -1
- data/docs/_docs/extras/redirection-support.md +9 -9
- data/docs/_docs/extras/route53-support.md +4 -4
- data/docs/_docs/extras/security-groups.md +1 -1
- data/docs/_docs/extras/ssl-support.md +5 -5
- data/docs/_docs/faq.md +1 -1
- data/docs/_docs/helpers.md +1 -1
- data/docs/_docs/iam-roles.md +3 -2
- data/docs/_docs/install.md +0 -10
- data/docs/_docs/more/auto-completion.md +1 -1
- data/docs/_docs/more/automated-cleanup.md +1 -1
- data/docs/_docs/more/customize-cloudformation.md +1 -1
- data/docs/_docs/more/migrations.md +1 -1
- data/docs/_docs/more/run-in-pieces.md +1 -1
- data/docs/_docs/more/single-task.md +1 -1
- data/docs/_docs/more/stuck-cloudformation.md +1 -1
- data/docs/_docs/more/why-cloudformation.md +1 -1
- data/docs/_docs/next-steps.md +1 -1
- data/docs/_docs/secrets.md +27 -4
- data/docs/_docs/settings.md +10 -9
- data/docs/_docs/settings/manage-security-groups.md +24 -0
- data/docs/_docs/settings/network.md +11 -1
- data/docs/_docs/structure.md +10 -9
- data/docs/_docs/tutorial-ufo-init.md +1 -7
- data/docs/_docs/ufo-current.md +1 -1
- data/docs/_docs/ufo-env-extra.md +1 -1
- data/docs/_docs/ufo-env.md +3 -5
- data/docs/_docs/ufo-logs.md +1 -2
- data/docs/_docs/ufo-task-params.md +1 -1
- data/docs/_docs/upgrading.md +1 -1
- data/docs/_docs/upgrading/upgrade4.5.md +2 -2
- data/docs/_docs/upgrading/upgrade4.md +2 -2
- data/docs/_docs/upgrading/upgrade5.md +19 -0
- data/docs/_docs/variables.md +1 -1
- data/docs/_includes/cfn-customize.md +18 -4
- data/docs/_includes/footer.html +6 -5
- data/docs/_reference/ufo-init.md +14 -15
- data/docs/articles.md +1 -1
- data/lib/template/.secrets +5 -3
- data/lib/template/.ufo/iam_roles/execution_role.rb +7 -0
- data/lib/template/.ufo/iam_roles/task_role.rb +21 -0
- data/lib/template/.ufo/templates/fargate.json.erb +0 -1
- data/lib/ufo/dsl/helper.rb +2 -2
- data/lib/ufo/dsl/helper/vars.rb +0 -1
- data/lib/ufo/ecr/auth.rb +10 -21
- data/lib/ufo/init.rb +0 -2
- data/lib/ufo/sequence.rb +0 -16
- data/lib/ufo/setting/profile.rb +12 -1
- data/lib/ufo/stack/builder/base.rb +5 -5
- data/lib/ufo/stack/builder/resources/ecs.rb +16 -8
- data/lib/ufo/stack/builder/resources/security_group/ecs.rb +1 -1
- data/lib/ufo/stack/builder/resources/security_group/ecs_rule.rb +1 -1
- data/lib/ufo/stack/builder/resources/security_group/elb.rb +1 -1
- data/lib/ufo/version.rb +1 -1
- data/spec/lib/ecr_auth_spec.rb +32 -20
- data/ufo.gemspec +1 -1
- metadata +11 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ac9da556f0438367ebd761b2f0c90e04b175bee2b7c6d9deb7fd06d4d05fa755
|
4
|
+
data.tar.gz: a5ae0d961c966ab386981a81e41e184e9a4821e59c8812ec68052a053372123d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6a679e2f13efe4d64f34b66ba7d2f4a859abe560451fdb722f0e41919fecbddb4ed8d3ef4047fbd1745b7a6dd381af6c075fb95f7355f46a751866bfa3e79f07
|
7
|
+
data.tar.gz: 4b550246bf57f094add49eaf7171268c8c20f6f6a13d40f7b72f3834c0aa5f023cbff0802f313b8e7c3821ec51da60638d726a92ab6f8ae241cc7f11dfcb22b1
|
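Review bot: the 5.0.0 side of the SHA256 and SHA512 entries for metadata.gz and data.tar.gz is blank in this rendering (old lines 3-4 and 6-7), so the only values that can be checked from this page are the 5.0.5 ones; when validating the upgrade, compare the metadata.gz and data.tar.gz digests shown here against the checksums of the gem fetched from the index, not against this page alone, since a diff viewer is not a trust anchor for the artifact it displays.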
data/CHANGELOG.md
CHANGED
@@ -3,6 +3,24 @@
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
4
4
|
This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
5
5
|
|
6
|
+
## [5.0.5] - 2021-01-23
|
7
|
+
- allow base profile without a default profile
|
8
|
+
|
9
|
+
## [5.0.4] - 2021-01-23
|
10
|
+
- [#119](https://github.com/tongueroo/ufo/pull/119) layer base profiles with env-specific or default profile
|
11
|
+
|
12
|
+
## [5.0.3] - 2020-12-10
|
13
|
+
- [#118](https://github.com/tongueroo/ufo/pull/118) update aws-mfa-secure with require singleton fix
|
14
|
+
|
15
|
+
## [5.0.2]
|
16
|
+
- #111 Add support of credsStore
|
17
|
+
- #112 Add support for bridge network mode
|
18
|
+
- #113 Allow custom container name when you try to attach an existing ELB to a service
|
19
|
+
|
20
|
+
## [5.0.1]
|
21
|
+
- #109 fix fargate
|
22
|
+
- #110 adjust and document `managed_security_groups` setting
|
23
|
+
|
6
24
|
## [5.0.0]
|
7
25
|
- #104 adjust logs default format to detailed
|
8
26
|
- #105 major rework: build cfn template with Ruby instead of ERB for new features
|
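Review bot: the 5.0.2, 5.0.1 and 5.0.0 entries carry no release date and cite issues as bare `#111`-style numbers, while 5.0.4 and 5.0.3 use dated headings and full PR links; make the block consistent (dated headings, linked PRs) so each entry can be traced to its change. `#111 Add support of credsStore` reads better as `Add support for credsStore`, and the 5.0.3 line should say what the `require singleton` fix in aws-mfa-secure changes for ufo users, because a bare dependency bump gives a reader nothing to assess.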
data/docs/_docs/conventions.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Dynamic Dockerfile.erb
|
3
|
-
nav_order:
|
3
|
+
nav_order: 36
|
4
4
|
---
|
5
5
|
|
6
6
|
Sometimes you may need a little more dynamic control of your Dockerfile. For these cases, ufo supports dynamically creating a Dockerfile from a Dockerfile.erb. If Dockerfile.erb exists, ufo uses it to generate a Dockerfile as a part of the build process. These means that you should update the source Dockerfile.erb instead, as the Dockerfile will be overwritten. If Dockerfile.erb does not exist, then ufo will use the Dockerfile instead.
|
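Review bot: the file header above names conventions.md, but the front matter in this hunk is `title: Dynamic Dockerfile.erb`, which is the dockerfile-erb.md change from the file list; the per-file headers for the extras pages that follow are missing from this rendering, so the nav_order values in the next several hunks cannot be matched to their files from this view alone. Context line 6 also reads `These means that`; it should be `This means that`.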
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
title: Notification ARNs
|
3
3
|
categories: extras
|
4
|
-
nav_order:
|
4
|
+
nav_order: 37
|
5
5
|
---
|
6
6
|
|
7
7
|
You can specific notification arns for CloudFormation stack related events with [configs/settings.yml]({% link _docs/settings.md %}). This may be useful for compliance purposes.
|
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Redirection Support
|
3
|
-
nav_order:
|
3
|
+
nav_order: 33
|
4
4
|
---
|
5
5
|
|
6
6
|
## Application Load Balancers
|
@@ -8,15 +8,15 @@ nav_order: 30
|
|
8
8
|
If you are using an Application Load Balancer you can configure redirection by editing the default actions of the regular listener that is set up by ufo. This assumes you have set up [SSL Support]({% link _docs/extras/ssl-support.md %}). Here's an example that redirects http to https with a 302 http status code:
|
9
9
|
|
10
10
|
```
|
11
|
-
|
12
|
-
|
11
|
+
Listener:
|
12
|
+
Port: 80
|
13
13
|
# ...
|
14
|
-
|
15
|
-
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
14
|
+
DefaultActions:
|
15
|
+
- Type: redirect
|
16
|
+
RedirectConfig:
|
17
|
+
Protocol: HTTPS
|
18
|
+
StatusCode: HTTP_302 # HTTP_301 and HTTP_302 are valid
|
19
|
+
Port: 443
|
20
20
|
```
|
21
21
|
|
22
22
|
|
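Review bot: the example keeps `HTTP_302` for the http-to-https redirect, and the trailing comment only says that both codes are valid; since the page presents this as the standing scheme upgrade for the port 80 listener, `HTTP_301` is the usual choice and the comment should say which to prefer and why. The fence at line 10 is untagged while the Route53 example on the next page uses ```yaml; tag it `yaml` so the indentation under `Listener:` and `DefaultActions:` renders reliably, as the nesting is what makes the snippet valid.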
@@ -1,14 +1,14 @@
|
|
1
1
|
---
|
2
2
|
title: Route53 Support
|
3
|
-
nav_order:
|
3
|
+
nav_order: 32
|
4
4
|
---
|
5
5
|
|
6
6
|
Ufo can create a "pretty" route53 record and set it's value to the created ELB DNS name. This is done by configuring the `.ufo/settings/cfn/default.yml` file. Example:
|
7
7
|
|
8
8
|
```yaml
|
9
|
-
|
10
|
-
|
11
|
-
|
9
|
+
Dns:
|
10
|
+
Name: "{stack_name}.mydomain.com."
|
11
|
+
HostedZoneName: mydomain.com. # dont forget the trailing period
|
12
12
|
```
|
13
13
|
|
14
14
|
The `{stack_name}` variable gets substituted with the CloudFormation stack name launched by ufo. So for example:
|
@@ -1,15 +1,15 @@
|
|
1
1
|
---
|
2
2
|
title: SSL Support
|
3
|
-
nav_order:
|
3
|
+
nav_order: 31
|
4
4
|
---
|
5
5
|
|
6
6
|
You can configure SSL support by uncomment the `listener_ssl` option in `.ufo/settings/cfn/default.yml`. Here's an example:
|
7
7
|
|
8
8
|
```
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
-
|
9
|
+
ListenerSsl:
|
10
|
+
Port: 443
|
11
|
+
Certificates:
|
12
|
+
- CertificateArn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
|
13
13
|
```
|
14
14
|
|
15
15
|
For the certificate arn, you will need to create a certificate with AWS ACM. To do so, you can follow these instructions: [Request a Public Certificate
|
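Review bot: the prose at context line 6 tells the reader to uncomment the `listener_ssl` option, but the snippet that replaces the blank lines uses the key `ListenerSsl:`; one of the two is wrong for the current settings format, and the text should match the key. The fence at line 8 is untagged; tag it `yaml`. The `CertificateArn` uses placeholder account and certificate ids, which is fine, but say so in a comment, and note that the ACM certificate must be issued in the same region as the load balancer, since that is the first thing that fails when people paste a certificate from another region.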
data/docs/_docs/faq.md
CHANGED
data/docs/_docs/helpers.md
CHANGED
data/docs/_docs/iam-roles.md
CHANGED
@@ -1,5 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Task Definition IAM Roles
|
3
|
+
nav_order: 21
|
3
4
|
---
|
4
5
|
|
5
6
|
## What are ECS IAM Roles?
|
@@ -45,9 +46,7 @@ You then use a DSL to create the IAM roles. Here are examples:
|
|
45
46
|
.ufo/iam_roles/execution_role.rb
|
46
47
|
|
47
48
|
```ruby
|
48
|
-
managed_iam_policy("AmazonEC2ContainerRegistryReadOnly")
|
49
49
|
managed_iam_policy("AmazonSSMReadOnlyAccess")
|
50
|
-
managed_iam_policy("CloudWatchLogsFullAccess")
|
51
50
|
managed_iam_policy("SecretsManagerReadWrite")
|
52
51
|
managed_iam_policy("service-role/AmazonECSTaskExecutionRolePolicy")
|
53
52
|
```
|
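Review bot: the execution role example still grants `SecretsManagerReadWrite` next to `AmazonSSMReadOnlyAccess`; the execution role only needs to read secret values at task start, so a write-capable managed policy is more than least privilege calls for. Suggest a scoped statement allowing `secretsmanager:GetSecretValue` (plus `kms:Decrypt` when the secret uses a customer-managed key) on the specific secret ARNs, or at least a sentence explaining why the read-write policy was chosen. Dropping `AmazonEC2ContainerRegistryReadOnly` and `CloudWatchLogsFullAccess` is correct, because `service-role/AmazonECSTaskExecutionRolePolicy` already covers the ECR pull and the `logs:CreateLogStream`/`logs:PutLogEvents` calls; say that in the text so readers do not add them back.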
@@ -109,3 +108,5 @@ You can also assign the task definition `executionRoleArn` with pre-created IAM
|
|
109
108
|
]
|
110
109
|
}
|
111
110
|
```
|
111
|
+
|
112
|
+
{% include prev_next.md %}
|
data/docs/_docs/install.md
CHANGED
@@ -17,16 +17,6 @@ Or you can add ufo to your Gemfile in your project if you are working with a rub
|
|
17
17
|
gem "ufo"
|
18
18
|
{% endhighlight %}
|
19
19
|
|
20
|
-
## Install with Bolts Toolbelt
|
21
|
-
|
22
|
-
If you want to quickly install ufo without having to worry about ufo's dependencies you can install the Bolts Toolbelt which has ufo included.
|
23
|
-
|
24
|
-
```sh
|
25
|
-
brew cask install boltopslabs/software/bolts
|
26
|
-
```
|
27
|
-
|
28
|
-
For more information about the Bolts Toolbelt or to get an installer for another operating system visit: [https://boltops.com/toolbelt](https://boltops.com/toolbelt)
|
29
|
-
|
30
20
|
## Dependencies
|
31
21
|
|
32
22
|
* Docker: You will need a working version of [Docker](https://docs.docker.com/engine/installation/) installed as ufo shells out and calls the `docker` command.
|
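Review bot: removing the Bolts Toolbelt section also removes the `brew cask install boltopslabs/software/bolts` instruction, which uses the `brew cask` syntax Homebrew has since deprecated in favour of `brew install --cask`; since the section is gone entirely, check that no other page under _docs still links to the toolbelt as an install path, and record the removal of this install method in the CHANGELOG, which does not mention it.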
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Customize CloudFormation
|
3
|
-
nav_order:
|
3
|
+
nav_order: 43
|
4
4
|
---
|
5
5
|
|
6
6
|
Under the hood, ufo creates most of the required resources with a CloudFormation stack. This includes the ELB, Target Group, Listener, Security Groups, ECS Service, and Route 53 records. You might need to customize these resources. Here are the ways to customize the resources that ufo creates.
|
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Stuck CloudFormation
|
3
|
-
nav_order:
|
3
|
+
nav_order: 44
|
4
4
|
---
|
5
5
|
|
6
6
|
The CloudFormation stack update or creation can get stuck in a `*_IN_PROGRESS` state for a very long time, like more than an hour. This happens when you deploy an ECS service that fails to stabilize. Usually, this is an error with the Docker container failing to start up successfully.
|
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Why CloudFormation
|
3
|
-
nav_order:
|
3
|
+
nav_order: 42
|
4
4
|
---
|
5
5
|
|
6
6
|
Version 3 of ufo was a simpler implementation and did not make use of CloudFormation to create the ECS service. In version 4, ufo uses CloudFormation to create the ECS Service. This is because ufo became more powerful. Notably, support for Load Balancers was added. With this power, also came added complexity. So the complexity was push onto CloudFormation. Hence, ECS service is implemented as CloudFormation resource in version 4.
|
data/docs/_docs/next-steps.md
CHANGED
data/docs/_docs/secrets.md
CHANGED
@@ -1,10 +1,11 @@
|
|
1
1
|
---
|
2
2
|
title: Secrets
|
3
|
+
nav_order: 20
|
3
4
|
---
|
4
5
|
|
5
6
|
## What are Secrets?
|
6
7
|
|
7
|
-
[ECS supports injecting secrets or sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) into the the environment as variables. ECS
|
8
|
+
[ECS supports injecting secrets or sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) into the the environment as variables. ECS decrypts the secrets straight from AWS to the ECS task environment. It never passes through the machine calling `ufo ship` IE: your laptop, a deploy server, or CodeBuild, etc.
|
8
9
|
|
9
10
|
ECS supports 2 storage backends for secrets:
|
10
11
|
|
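Review bot: the added sentence makes the key security property explicit (secret values are resolved by ECS at task start and never transit the machine running `ufo ship`), which is worth keeping. Two wording fixes on the + line: `into the the environment` doubles `the`, and `IE:` should be `i.e.`. It would also help to say that this property holds only for entries in `secrets`; a plain environment variable set in the task definition is stored in the task definition itself and is readable by anyone with `ecs:DescribeTaskDefinition`.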
@@ -55,7 +56,7 @@ Ufo supports both forms of secrets. You create a `.secrets` file and can referen
|
|
55
56
|
|
56
57
|
The `.secrets` file is like an env file that will understand a secrets-smart format. Example:
|
57
58
|
|
58
|
-
NAME1=SSM
|
59
|
+
NAME1=SSM:my/parameter_name
|
59
60
|
NAME2=SECRETSMANAGER:/my/secret_name-AbCdEf
|
60
61
|
|
61
62
|
The `SSM:` and `SECRETSMANAGER:` prefix will be expanded to the full ARN. You can also just specify the full ARN.
|
@@ -71,17 +72,29 @@ In turn, this generates:
|
|
71
72
|
"secrets": [
|
72
73
|
{
|
73
74
|
"name": "NAME1",
|
74
|
-
"valueFrom": "arn:aws:ssm:us-west-2:
|
75
|
+
"valueFrom": "arn:aws:ssm:us-west-2:111111111111:parameter/demo/development/foo"
|
75
76
|
},
|
76
77
|
{
|
77
78
|
"name": "NAME2",
|
78
|
-
"valueFrom": "arn:aws:secretsmanager:us-west-2:
|
79
|
+
"valueFrom": "arn:aws:secretsmanager:us-west-2:111111111111:secret:/demo/development/my-secret-test-qRoJel"
|
79
80
|
}
|
80
81
|
]
|
81
82
|
}]
|
82
83
|
}
|
83
84
|
```
|
84
85
|
|
86
|
+
## SSM Parameter Names with Leading Slash
|
87
|
+
|
88
|
+
If your SSM parameter has a leading slash then do **not** include when using it in the .secrets file. Example:
|
89
|
+
|
90
|
+
aws ssm get-parameter --name /demo/development/foo
|
91
|
+
|
92
|
+
So use:
|
93
|
+
|
94
|
+
FOO=SSM:demo/development/foo
|
95
|
+
|
96
|
+
The extra slash seems to confuse ECS. For secretsmanager names, you do include the leading slash.
|
97
|
+
|
85
98
|
## Substitution
|
86
99
|
|
87
100
|
Ufo also does a simple substition on the value. For example, the `:UFO_ENV` is replaced with the actual value of `UFO_ENV=development`. Example:
|
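Review bot: the new section says the extra slash "seems to confuse ECS", but the cause is mechanical and the doc should state it: the `SSM:` prefix is expanded to `arn:aws:ssm:REGION:ACCOUNT:parameter/NAME`, and a parameter named `/demo/development/foo` has the ARN `arn:aws:ssm:REGION:ACCOUNT:parameter/demo/development/foo` with a single slash after `parameter`, so `SSM:/demo/development/foo` yields `parameter//demo/development/foo`, which ECS rejects. Rather than documenting the gotcha, the expansion code could strip one leading slash from the name; if that is not done, say plainly that the slash is omitted because the ARN format already supplies it, and that Secrets Manager names keep their leading slash because that ARN uses `secret:NAME` with no separator slash, as the generated `secret:/demo/development/my-secret-test-qRoJel` example above shows.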
@@ -109,4 +122,14 @@ managed_iam_policy("SecretsManagerReadWrite")
|
|
109
122
|
|
110
123
|
More info [ECS IAM Roles]({% link _docs/iam-roles.md %})
|
111
124
|
|
125
|
+
## Debugging Tip
|
126
|
+
|
127
|
+
Be sure that the secrets exist. If they do not you will see an error like this in the ecs-agent.log:
|
128
|
+
|
129
|
+
/var/log/ecs/ecs-agent.log
|
130
|
+
|
131
|
+
level=info time=2020-06-26T00:59:46Z msg="Managed task [arn:aws:ecs:us-west-2:111111111111:task/development/91828be6a02b48f982cd9122db5e39b2]: error transitioning resource [ssmsecret] to [CREATED]: fetching secret data from SSM Parameter Store in us-west-2: invalid parameters: /my-parameter-name" module=task_manager.go
|
132
|
+
|
133
|
+
Sometimes there is even no error message in the ecs-agent.log. As a debugging step, try removing all secrets and seeing if that the container will start up.
|
134
|
+
|
112
135
|
{% include prev_next.md %}
|
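Review bot: the tip attributes the failure to a missing secret, and the quoted agent line (`invalid parameters: /my-parameter-name`) is indeed the shape SSM returns when `GetParameters` lists a name it could not find; note that the quoted name carries the leading slash the previous section warns about, which is a likely cause worth pointing at directly. The same `error transitioning resource [ssmsecret] to [CREATED]` failure also occurs when the execution role lacks `ssm:GetParameters`, `secretsmanager:GetSecretValue` or `kms:Decrypt`, in which case the message carries an access-denied error instead; list both causes. Also say that `/var/log/ecs/ecs-agent.log` exists only on the EC2 launch type; on Fargate the failure surfaces in the task's `stoppedReason` from `aws ecs describe-tasks`.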
data/docs/_docs/settings.md
CHANGED
@@ -16,8 +16,8 @@ base:
|
|
16
16
|
image: tongueroo/demo-ufo
|
17
17
|
# clean_keep: 30 # cleans up docker images on your docker server.
|
18
18
|
# ecr_keep: 30 # cleans up images on ECR and keeps this remaining amount. Defaults to keep all.
|
19
|
-
network_profile: default # .ufo/settings/network/default.yml file
|
20
|
-
cfn_profile: default # .ufo/settings/cfn/default.yml file
|
19
|
+
# network_profile: default # .ufo/settings/network/default.yml file
|
20
|
+
# cfn_profile: default # .ufo/settings/cfn/default.yml file
|
21
21
|
|
22
22
|
development:
|
23
23
|
# cluster: dev # uncomment if you want the cluster name be other than the default
|
@@ -35,13 +35,14 @@ The table below covers each setting:
|
|
35
35
|
|
36
36
|
Setting | Description
|
37
37
|
------------- | -------------
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
38
|
+
aws_profile | If you have the `AWS_PROFILE` environment variable set, this will ensure that you are deploying the right `UFO_ENV` to the right AWS environment. It is explained below.
|
39
|
+
cfn_profile | The name of the cfn profile settings file to use. Maps to .ufo/settings/cfn/NAME.yml file. Will match an `UFO_ENV` file if it exists. IE: .ufo/settings/cfn/development.yml. Otherwise it defaults to .ufo/settings/cfn/default.yml.
|
40
|
+
clean_keep | Docker images generated from ufo are cleaned up automatically for you at the end of `ufo ship`. This controls how many docker images to keep around. The default is 3.
|
41
|
+
cluster | By convention, the ECS cluster that ufo deploys to matches the `UFO_ENV`. If `UFO=development`, then `ufo ship` deploys to the `development` ECS cluster. This is option overrides this convention.
|
42
|
+
ecr_keep | If you are using AWS ECR, then the ECR images can also be automatically cleaned up at the end of `ufo ship`. By default this is set to `nil` and all AWS ECR are kept.
|
43
|
+
image | The `image` value is the name that ufo will use for the Docker image name to be built. Only provide the basename part of the image name without the tag because ufo automatically generates the tag for you. For example, `tongueroo/demo-ufo` is correct and `tongueroo/demo-ufo:my-tag` is incorrect.
|
44
|
+
managed\_security\_groups | Create managed security groups for application ELBs. Defaults to true. If you disable it with false then no managed security groups will be created by UFO.
|
45
|
+
network_profile | The name of the network profile settings file to use. Maps to .ufo/settings/network/NAME.yml file. Will match an `UFO_ENV` file if it exists. IE: .ufo/settings/network/development.yml. Otherwise it defaults to .ufo/settings/network/default.yml.
|
45
46
|
|
46
47
|
## AWS_PROFILE support
|
47
48
|
|
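Review bot: errors in the added table rows: the `cluster` row says `If UFO=development` where the variable is `UFO_ENV`, and `This is option overrides` should read `This option overrides`; the `ecr_keep` row says `all AWS ECR are kept`, missing `images`; and the `managed_security_groups` row says the groups are `for application ELBs`, while the new manage-security-groups.md page says ufo creates two groups, one for the ELB and one for the ECS tasks, so the row understates what the setting turns off and should name both. The `cfn_profile` and `network_profile` rows now describe the UFO_ENV-matching fallback from 5.0.4/5.0.5, and the example above correspondingly comments those keys out, which is consistent.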
@@ -0,0 +1,24 @@
|
|
1
|
+
---
|
2
|
+
title: Managed Security Groups
|
3
|
+
short_title: Security Groups
|
4
|
+
categories: settings
|
5
|
+
nav_order: 16
|
6
|
+
---
|
7
|
+
|
8
|
+
Ufo creates and manages two security groups. One for the ELB and one for the ECS tasks. Details here: [UFO Security Groups]({% link _docs/extras/security-groups.md %}).
|
9
|
+
|
10
|
+
You can disable the creation of managed security groups with: `managed_security_groups: false`. Example:
|
11
|
+
|
12
|
+
```yaml
|
13
|
+
base:
|
14
|
+
image: tongueroo/demo-ufo
|
15
|
+
managed_security_groups: false
|
16
|
+
```
|
17
|
+
|
18
|
+
## Why?
|
19
|
+
|
20
|
+
Security Groups managed by UFO are transient. If you delete the UFO app and recreate it entirely. Any manual changes to the security groups will be lost.
|
21
|
+
|
22
|
+
You can precreate security groups and add them generated UFO CloudFormation template, see [Settings Network]({% link _docs/settings/network.md %}). So then you won't lose any manual changes. If you're taking this approach, it's nice to have UFO not create any managed security groups at all. This removes security group clutter.
|
23
|
+
|
24
|
+
{% include prev_next.md %}
|
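Review bot: the page does not say what the ELB and the ECS service are left with when `managed_security_groups: false` is set and no precreated groups are configured in the network settings (the VPC default security group, or a failed deploy); state that explicitly, since the setting removes both the ELB group and the task group and the reader must supply replacements via the linked Settings Network page. Wording: `If you delete the UFO app and recreate it entirely. Any manual changes to the security groups will be lost.` is a sentence fragment, join it with a comma; and `add them generated UFO CloudFormation template` is missing `to the`. Since the "Why?" section is about losing hand edits, also mention the Customize CloudFormation page as the way to change the managed groups without editing them in the console.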