ufo 5.0.0 → 5.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/docs/_docs/conventions.md +1 -1
- data/docs/_docs/extras/codebuild-iam-role.md +1 -1
- data/docs/_docs/extras/dockerfile-erb.md +1 -1
- data/docs/_docs/extras/ecs-network-mode.md +1 -1
- data/docs/_docs/extras/load-balancer.md +1 -1
- data/docs/_docs/extras/minimal-deploy-iam.md +1 -1
- data/docs/_docs/extras/notification-arns.md +1 -1
- data/docs/_docs/extras/redirection-support.md +9 -9
- data/docs/_docs/extras/route53-support.md +4 -4
- data/docs/_docs/extras/security-groups.md +1 -1
- data/docs/_docs/extras/ssl-support.md +5 -5
- data/docs/_docs/faq.md +1 -1
- data/docs/_docs/helpers.md +1 -1
- data/docs/_docs/iam-roles.md +3 -2
- data/docs/_docs/install.md +0 -10
- data/docs/_docs/more/auto-completion.md +1 -1
- data/docs/_docs/more/automated-cleanup.md +1 -1
- data/docs/_docs/more/customize-cloudformation.md +1 -1
- data/docs/_docs/more/migrations.md +1 -1
- data/docs/_docs/more/run-in-pieces.md +1 -1
- data/docs/_docs/more/single-task.md +1 -1
- data/docs/_docs/more/stuck-cloudformation.md +1 -1
- data/docs/_docs/more/why-cloudformation.md +1 -1
- data/docs/_docs/next-steps.md +1 -1
- data/docs/_docs/secrets.md +27 -4
- data/docs/_docs/settings.md +10 -9
- data/docs/_docs/settings/manage-security-groups.md +24 -0
- data/docs/_docs/settings/network.md +11 -1
- data/docs/_docs/structure.md +10 -9
- data/docs/_docs/tutorial-ufo-init.md +1 -7
- data/docs/_docs/ufo-current.md +1 -1
- data/docs/_docs/ufo-env-extra.md +1 -1
- data/docs/_docs/ufo-env.md +3 -5
- data/docs/_docs/ufo-logs.md +1 -2
- data/docs/_docs/ufo-task-params.md +1 -1
- data/docs/_docs/upgrading.md +1 -1
- data/docs/_docs/upgrading/upgrade4.5.md +2 -2
- data/docs/_docs/upgrading/upgrade4.md +2 -2
- data/docs/_docs/upgrading/upgrade5.md +19 -0
- data/docs/_docs/variables.md +1 -1
- data/docs/_includes/cfn-customize.md +4 -4
- data/docs/_reference/ufo-init.md +14 -15
- data/docs/articles.md +1 -1
- data/lib/template/.secrets +5 -3
- data/lib/template/.ufo/iam_roles/execution_role.rb +7 -0
- data/lib/template/.ufo/iam_roles/task_role.rb +21 -0
- data/lib/template/.ufo/templates/fargate.json.erb +0 -1
- data/lib/ufo/dsl/helper.rb +2 -2
- data/lib/ufo/dsl/helper/vars.rb +0 -1
- data/lib/ufo/init.rb +0 -2
- data/lib/ufo/sequence.rb +0 -16
- data/lib/ufo/stack/builder/base.rb +5 -5
- data/lib/ufo/stack/builder/resources/ecs.rb +4 -0
- data/lib/ufo/stack/builder/resources/security_group/ecs.rb +1 -1
- data/lib/ufo/stack/builder/resources/security_group/ecs_rule.rb +1 -1
- data/lib/ufo/stack/builder/resources/security_group/elb.rb +1 -1
- data/lib/ufo/version.rb +1 -1
- metadata +6 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 653b01be727b4764ac9c022606359059e6102fe30b202461ffb1ee1665c3d4b6
|
4
|
+
data.tar.gz: 97a8fd6af8b07ea9c213e339dd70c23f98a74186c7ba6cd906ea38e7aba39f10
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d040994ee8a6b73c151d91a90847dc91ef8c3233b4b9ff65aaf731f9c585ee8093dfb0c2448ce0eddd1b5e823bbafeab5e69495319c3959ac4281b804b404ecf
|
7
|
+
data.tar.gz: 2e64ef5b51b100708154b160a089e118e5e06346dbf68a5a69bdc1c0894ce1762d58f4ceb073c0ec6d1c38947662edb9901cbce16ef15df1255faca06e7c7eeb
|
data/CHANGELOG.md
CHANGED
@@ -3,6 +3,10 @@
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
4
4
|
This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
5
5
|
|
6
|
+
## [5.0.1]
|
7
|
+
- #109 fix fargate
|
8
|
+
- #110 adjust and document `managed_security_groups` setting
|
9
|
+
|
6
10
|
## [5.0.0]
|
7
11
|
- #104 adjust logs default format to detailed
|
8
12
|
- #105 major rework: build cfn template with Ruby instead of ERB for new features
|
data/docs/_docs/conventions.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Dynamic Dockerfile.erb
|
3
|
-
nav_order:
|
3
|
+
nav_order: 36
|
4
4
|
---
|
5
5
|
|
6
6
|
Sometimes you may need a little more dynamic control of your Dockerfile. For these cases, ufo supports dynamically creating a Dockerfile from a Dockerfile.erb. If Dockerfile.erb exists, ufo uses it to generate a Dockerfile as a part of the build process. These means that you should update the source Dockerfile.erb instead, as the Dockerfile will be overwritten. If Dockerfile.erb does not exist, then ufo will use the Dockerfile instead.
|
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
title: Notification ARNs
|
3
3
|
categories: extras
|
4
|
-
nav_order:
|
4
|
+
nav_order: 37
|
5
5
|
---
|
6
6
|
|
7
7
|
You can specific notification arns for CloudFormation stack related events with [configs/settings.yml]({% link _docs/settings.md %}). This may be useful for compliance purposes.
|
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Redirection Support
|
3
|
-
nav_order:
|
3
|
+
nav_order: 33
|
4
4
|
---
|
5
5
|
|
6
6
|
## Application Load Balancers
|
@@ -8,15 +8,15 @@ nav_order: 30
|
|
8
8
|
If you are using an Application Load Balancer you can configure redirection by editing the default actions of the regular listener that is set up by ufo. This assumes you have set up [SSL Support]({% link _docs/extras/ssl-support.md %}). Here's an example that redirects http to https with a 302 http status code:
|
9
9
|
|
10
10
|
```
|
11
|
-
|
12
|
-
|
11
|
+
Listener:
|
12
|
+
Port: 80
|
13
13
|
# ...
|
14
|
-
|
15
|
-
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
14
|
+
DefaultActions:
|
15
|
+
- Type: redirect
|
16
|
+
RedirectConfig:
|
17
|
+
Protocol: HTTPS
|
18
|
+
StatusCode: HTTP_302 # HTTP_301 and HTTP_302 are valid
|
19
|
+
Port: 443
|
20
20
|
```
|
21
21
|
|
22
22
|
|
@@ -1,14 +1,14 @@
|
|
1
1
|
---
|
2
2
|
title: Route53 Support
|
3
|
-
nav_order:
|
3
|
+
nav_order: 32
|
4
4
|
---
|
5
5
|
|
6
6
|
Ufo can create a "pretty" route53 record and set it's value to the created ELB DNS name. This is done by configuring the `.ufo/settings/cfn/default.yml` file. Example:
|
7
7
|
|
8
8
|
```yaml
|
9
|
-
|
10
|
-
|
11
|
-
|
9
|
+
Dns:
|
10
|
+
Name: "{stack_name}.mydomain.com."
|
11
|
+
HostedZoneName: mydomain.com. # dont forget the trailing period
|
12
12
|
```
|
13
13
|
|
14
14
|
The `{stack_name}` variable gets substituted with the CloudFormation stack name launched by ufo. So for example:
|
@@ -1,15 +1,15 @@
|
|
1
1
|
---
|
2
2
|
title: SSL Support
|
3
|
-
nav_order:
|
3
|
+
nav_order: 31
|
4
4
|
---
|
5
5
|
|
6
6
|
You can configure SSL support by uncomment the `listener_ssl` option in `.ufo/settings/cfn/default.yml`. Here's an example:
|
7
7
|
|
8
8
|
```
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
-
|
9
|
+
ListenerSsl:
|
10
|
+
Port: 443
|
11
|
+
Certificates:
|
12
|
+
- CertificateArn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
|
13
13
|
```
|
14
14
|
|
15
15
|
For the certificate arn, you will need to create a certificate with AWS ACM. To do so, you can follow these instructions: [Request a Public Certificate
|
data/docs/_docs/faq.md
CHANGED
data/docs/_docs/helpers.md
CHANGED
data/docs/_docs/iam-roles.md
CHANGED
@@ -1,5 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Task Definition IAM Roles
|
3
|
+
nav_order: 21
|
3
4
|
---
|
4
5
|
|
5
6
|
## What are ECS IAM Roles?
|
@@ -45,9 +46,7 @@ You then use a DSL to create the IAM roles. Here are examples:
|
|
45
46
|
.ufo/iam_roles/execution_role.rb
|
46
47
|
|
47
48
|
```ruby
|
48
|
-
managed_iam_policy("AmazonEC2ContainerRegistryReadOnly")
|
49
49
|
managed_iam_policy("AmazonSSMReadOnlyAccess")
|
50
|
-
managed_iam_policy("CloudWatchLogsFullAccess")
|
51
50
|
managed_iam_policy("SecretsManagerReadWrite")
|
52
51
|
managed_iam_policy("service-role/AmazonECSTaskExecutionRolePolicy")
|
53
52
|
```
|
@@ -109,3 +108,5 @@ You can also assign the task definition `executionRoleArn` with pre-created IAM
|
|
109
108
|
]
|
110
109
|
}
|
111
110
|
```
|
111
|
+
|
112
|
+
{% include prev_next.md %}
|
data/docs/_docs/install.md
CHANGED
@@ -17,16 +17,6 @@ Or you can add ufo to your Gemfile in your project if you are working with a rub
|
|
17
17
|
gem "ufo"
|
18
18
|
{% endhighlight %}
|
19
19
|
|
20
|
-
## Install with Bolts Toolbelt
|
21
|
-
|
22
|
-
If you want to quickly install ufo without having to worry about ufo's dependencies you can install the Bolts Toolbelt which has ufo included.
|
23
|
-
|
24
|
-
```sh
|
25
|
-
brew cask install boltopslabs/software/bolts
|
26
|
-
```
|
27
|
-
|
28
|
-
For more information about the Bolts Toolbelt or to get an installer for another operating system visit: [https://boltops.com/toolbelt](https://boltops.com/toolbelt)
|
29
|
-
|
30
20
|
## Dependencies
|
31
21
|
|
32
22
|
* Docker: You will need a working version of [Docker](https://docs.docker.com/engine/installation/) installed as ufo shells out and calls the `docker` command.
|
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Customize CloudFormation
|
3
|
-
nav_order:
|
3
|
+
nav_order: 43
|
4
4
|
---
|
5
5
|
|
6
6
|
Under the hood, ufo creates most of the required resources with a CloudFormation stack. This includes the ELB, Target Group, Listener, Security Groups, ECS Service, and Route 53 records. You might need to customize these resources. Here are the ways to customize the resources that ufo creates.
|
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Stuck CloudFormation
|
3
|
-
nav_order:
|
3
|
+
nav_order: 44
|
4
4
|
---
|
5
5
|
|
6
6
|
The CloudFormation stack update or creation can get stuck in a `*_IN_PROGRESS` state for a very long time, like more than an hour. This happens when you deploy an ECS service that fails to stabilize. Usually, this is an error with the Docker container failing to start up successfully.
|
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Why CloudFormation
|
3
|
-
nav_order:
|
3
|
+
nav_order: 42
|
4
4
|
---
|
5
5
|
|
6
6
|
Version 3 of ufo was a simpler implementation and did not make use of CloudFormation to create the ECS service. In version 4, ufo uses CloudFormation to create the ECS Service. This is because ufo became more powerful. Notably, support for Load Balancers was added. With this power, also came added complexity. So the complexity was push onto CloudFormation. Hence, ECS service is implemented as CloudFormation resource in version 4.
|
data/docs/_docs/next-steps.md
CHANGED
data/docs/_docs/secrets.md
CHANGED
@@ -1,10 +1,11 @@
|
|
1
1
|
---
|
2
2
|
title: Secrets
|
3
|
+
nav_order: 20
|
3
4
|
---
|
4
5
|
|
5
6
|
## What are Secrets?
|
6
7
|
|
7
|
-
[ECS supports injecting secrets or sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) into the the environment as variables. ECS
|
8
|
+
[ECS supports injecting secrets or sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) into the the environment as variables. ECS decrypts the secrets straight from AWS to the ECS task environment. It never passes through the machine calling `ufo ship` IE: your laptop, a deploy server, or CodeBuild, etc.
|
8
9
|
|
9
10
|
ECS supports 2 storage backends for secrets:
|
10
11
|
|
@@ -55,7 +56,7 @@ Ufo supports both forms of secrets. You create a `.secrets` file and can referen
|
|
55
56
|
|
56
57
|
The `.secrets` file is like an env file that will understand a secrets-smart format. Example:
|
57
58
|
|
58
|
-
NAME1=SSM
|
59
|
+
NAME1=SSM:my/parameter_name
|
59
60
|
NAME2=SECRETSMANAGER:/my/secret_name-AbCdEf
|
60
61
|
|
61
62
|
The `SSM:` and `SECRETSMANAGER:` prefix will be expanded to the full ARN. You can also just specify the full ARN.
|
@@ -71,17 +72,29 @@ In turn, this generates:
|
|
71
72
|
"secrets": [
|
72
73
|
{
|
73
74
|
"name": "NAME1",
|
74
|
-
"valueFrom": "arn:aws:ssm:us-west-2:
|
75
|
+
"valueFrom": "arn:aws:ssm:us-west-2:111111111111:parameter/demo/development/foo"
|
75
76
|
},
|
76
77
|
{
|
77
78
|
"name": "NAME2",
|
78
|
-
"valueFrom": "arn:aws:secretsmanager:us-west-2:
|
79
|
+
"valueFrom": "arn:aws:secretsmanager:us-west-2:111111111111:secret:/demo/development/my-secret-test-qRoJel"
|
79
80
|
}
|
80
81
|
]
|
81
82
|
}]
|
82
83
|
}
|
83
84
|
```
|
84
85
|
|
86
|
+
## SSM Parameter Names with Leading Slash
|
87
|
+
|
88
|
+
If your SSM parameter has a leading slash then do **not** include when using it in the .secrets file. Example:
|
89
|
+
|
90
|
+
aws ssm get-parameter --name /demo/development/foo
|
91
|
+
|
92
|
+
So use:
|
93
|
+
|
94
|
+
FOO=SSM:demo/development/foo
|
95
|
+
|
96
|
+
The extra slash seems to confuse ECS. For secretsmanager names, you do include the leading slash.
|
97
|
+
|
85
98
|
## Substitution
|
86
99
|
|
87
100
|
Ufo also does a simple substition on the value. For example, the `:UFO_ENV` is replaced with the actual value of `UFO_ENV=development`. Example:
|
@@ -109,4 +122,14 @@ managed_iam_policy("SecretsManagerReadWrite")
|
|
109
122
|
|
110
123
|
More info [ECS IAM Roles]({% link _docs/iam-roles.md %})
|
111
124
|
|
125
|
+
## Debugging Tip
|
126
|
+
|
127
|
+
Be sure that the secrets exist. If they do not you will see an error like this in the ecs-agent.log:
|
128
|
+
|
129
|
+
/var/log/ecs/ecs-agent.log
|
130
|
+
|
131
|
+
level=info time=2020-06-26T00:59:46Z msg="Managed task [arn:aws:ecs:us-west-2:111111111111:task/development/91828be6a02b48f982cd9122db5e39b2]: error transitioning resource [ssmsecret] to [CREATED]: fetching secret data from SSM Parameter Store in us-west-2: invalid parameters: /my-parameter-name" module=task_manager.go
|
132
|
+
|
133
|
+
Sometimes there is even no error message in the ecs-agent.log. As a debugging step, try removing all secrets and seeing if that the container will start up.
|
134
|
+
|
112
135
|
{% include prev_next.md %}
|
data/docs/_docs/settings.md
CHANGED
@@ -16,8 +16,8 @@ base:
|
|
16
16
|
image: tongueroo/demo-ufo
|
17
17
|
# clean_keep: 30 # cleans up docker images on your docker server.
|
18
18
|
# ecr_keep: 30 # cleans up images on ECR and keeps this remaining amount. Defaults to keep all.
|
19
|
-
network_profile: default # .ufo/settings/network/default.yml file
|
20
|
-
cfn_profile: default # .ufo/settings/cfn/default.yml file
|
19
|
+
# network_profile: default # .ufo/settings/network/default.yml file
|
20
|
+
# cfn_profile: default # .ufo/settings/cfn/default.yml file
|
21
21
|
|
22
22
|
development:
|
23
23
|
# cluster: dev # uncomment if you want the cluster name be other than the default
|
@@ -35,13 +35,14 @@ The table below covers each setting:
|
|
35
35
|
|
36
36
|
Setting | Description
|
37
37
|
------------- | -------------
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
38
|
+
aws_profile | If you have the `AWS_PROFILE` environment variable set, this will ensure that you are deploying the right `UFO_ENV` to the right AWS environment. It is explained below.
|
39
|
+
cfn_profile | The name of the cfn profile settings file to use. Maps to .ufo/settings/cfn/NAME.yml file. Will match an `UFO_ENV` file if it exists. IE: .ufo/settings/cfn/development.yml. Otherwise it defaults to .ufo/settings/cfn/default.yml.
|
40
|
+
clean_keep | Docker images generated from ufo are cleaned up automatically for you at the end of `ufo ship`. This controls how many docker images to keep around. The default is 3.
|
41
|
+
cluster | By convention, the ECS cluster that ufo deploys to matches the `UFO_ENV`. If `UFO=development`, then `ufo ship` deploys to the `development` ECS cluster. This is option overrides this convention.
|
42
|
+
ecr_keep | If you are using AWS ECR, then the ECR images can also be automatically cleaned up at the end of `ufo ship`. By default this is set to `nil` and all AWS ECR are kept.
|
43
|
+
image | The `image` value is the name that ufo will use for the Docker image name to be built. Only provide the basename part of the image name without the tag because ufo automatically generates the tag for you. For example, `tongueroo/demo-ufo` is correct and `tongueroo/demo-ufo:my-tag` is incorrect.
|
44
|
+
managed\_security\_groups | Create managed security groups for application ELBs. Defaults to true. If you disable it with false then no managed security groups will be created by UFO.
|
45
|
+
network_profile | The name of the network profile settings file to use. Maps to .ufo/settings/network/NAME.yml file. Will match an `UFO_ENV` file if it exists. IE: .ufo/settings/network/development.yml. Otherwise it defaults to .ufo/settings/network/default.yml.
|
45
46
|
|
46
47
|
## AWS_PROFILE support
|
47
48
|
|
@@ -0,0 +1,24 @@
|
|
1
|
+
---
|
2
|
+
title: Managed Security Groups
|
3
|
+
short_title: Security Groups
|
4
|
+
categories: settings
|
5
|
+
nav_order: 16
|
6
|
+
---
|
7
|
+
|
8
|
+
Ufo creates and manages two security groups. One for the ELB and one for the ECS tasks. Details here: [UFO Security Groups]({% link _docs/extras/security-groups.md %}).
|
9
|
+
|
10
|
+
You can disable the creation of managed security groups with: `managed_security_groups: false`. Example:
|
11
|
+
|
12
|
+
```yaml
|
13
|
+
base:
|
14
|
+
image: tongueroo/demo-ufo
|
15
|
+
managed_security_groups: false
|
16
|
+
```
|
17
|
+
|
18
|
+
## Why?
|
19
|
+
|
20
|
+
Security Groups managed by UFO are transient. If you delete the UFO app and recreate it entirely. Any manual changes to the security groups will be lost.
|
21
|
+
|
22
|
+
You can precreate security groups and add them generated UFO CloudFormation template, see [Settings Network]({% link _docs/settings/network.md %}). So then you won't lose any manual changes. If you're taking this approach, it's nice to have UFO not create any managed security groups at all. This removes security group clutter.
|
23
|
+
|
24
|
+
{% include prev_next.md %}
|
@@ -2,7 +2,7 @@
|
|
2
2
|
title: Settings Network
|
3
3
|
short_title: Network
|
4
4
|
categories: settings
|
5
|
-
nav_order:
|
5
|
+
nav_order: 17
|
6
6
|
---
|
7
7
|
|
8
8
|
The settings.yml file references a network settings file with the `network_profile` option. This file has configurations that are related to the network. The source code for the starter template file is at [network/default.yml.tt](https://github.com/tongueroo/ufo/blob/master/lib/template/.ufo/settings/network/default.yml.tt) Here's an example network settings file.
|
@@ -22,6 +22,16 @@ elb_subnets: # defaults to same subnets as ecs_subnets when not set
|
|
22
22
|
# - sg-aaa
|
23
23
|
# ecs_security_groups:
|
24
24
|
# - sg-bbb
|
25
|
+
|
26
|
+
# Also supports extra security groups specific to each ECS service.
|
27
|
+
# So you can target security groups on a per-role basis.
|
28
|
+
# ecs_security_groups:
|
29
|
+
# demo-web:
|
30
|
+
# - sg-bbb
|
31
|
+
# - sg-ccc
|
32
|
+
# demo-worker:
|
33
|
+
# - sg-bbb
|
34
|
+
# - sg-ccc
|
25
35
|
```
|
26
36
|
|
27
37
|
Option | Description
|
data/docs/_docs/structure.md
CHANGED
@@ -25,15 +25,16 @@ The table below covers the purpose of each folder and file.
|
|
25
25
|
|
26
26
|
File / Directory | Description
|
27
27
|
------------- | -------------
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
28
|
+
iam_roles/ | Where ufo managed iam roles associated with the task definition can be defined. For more details see: [IAM Roles]({% link _docs/iam-roles.md %}).
|
29
|
+
output/ | The folder where the generated task definitions are written to. The way the task definitions are generated is covered in [ufo tasks build]({% link _docs/tutorial-ufo-tasks-build.md %}).
|
30
|
+
params | This is where you can adjust the params that get send to the aws-sdk api calls for the [ufo task](https://ufoships.com/reference/ufo-task/) command. More info at [Params]({% link _docs/ufo-task-params.md %}).
|
31
|
+
settings.yml | Ufo's general settings file, where you adjust the default [settings]({% link _docs/settings.md %}).
|
32
|
+
settings/cfn/default.yml | Ufo's cfn settings. You can customize the CloudFormation resource properties here.
|
33
|
+
settings/network/default.yml | Ufo's network settings. You can customize the vpc and subnets to used here.
|
34
|
+
task_definitions.rb | This is where you define the task definitions and specify the variables to be used by the ERB templates.
|
35
|
+
templates/ | The ERB templates with the task definition json code. The templates are covered in more detail in [ufo tasks build]({% link _docs/tutorial-ufo-tasks-build.md %}).
|
36
|
+
templates/main.json.erb | This is the main and starter template task definition json file that ufo initially generates.
|
37
|
+
variables | This is where you can define shared variables that are made available to the `template_definitions.rb` and your templates. More info at [Variables]({% link _docs/variables.md %}).
|
37
38
|
|
38
39
|
Now that you know where the ufo configurations are located and what they look like, let’s use ufo!
|
39
40
|
|
@@ -65,8 +65,6 @@ base:
|
|
65
65
|
# clean_keep: 30 # cleans up docker images on your docker server.
|
66
66
|
# ecr_keep: 30 # cleans up images on ECR and keeps this remaining amount. Defaults to keep all.
|
67
67
|
# defaults when an new ECS service is created by ufo ship
|
68
|
-
network_profile: default # .ufo/settings/network/default.yml file
|
69
|
-
cfn_profile: default # .ufo/settings/cfn/default.yml file
|
70
68
|
|
71
69
|
development:
|
72
70
|
# cluster: dev # uncomment if you want the cluster name be other than the default
|
@@ -75,14 +73,10 @@ development:
|
|
75
73
|
# When you have AWS_PROFILE set to one of these values, ufo will switch to the desired
|
76
74
|
# environment. This prevents you from switching AWS_PROFILE, forgetting to
|
77
75
|
# also switch UFO_ENV, and accidentally deploying to production vs development.
|
78
|
-
#
|
79
|
-
# - dev_profile1
|
80
|
-
# - dev_profile2
|
76
|
+
# aws_profile: dev_profile1
|
81
77
|
|
82
78
|
production:
|
83
79
|
# cluster: prod
|
84
|
-
# aws_profiles:
|
85
|
-
# - prod_profile
|
86
80
|
```
|
87
81
|
|
88
82
|
The `image` value is the name that ufo will use as a base portion of the name to generate a Docker image name, it should not include the tag portion.
|
data/docs/_docs/ufo-current.md
CHANGED
data/docs/_docs/ufo-env-extra.md
CHANGED
data/docs/_docs/ufo-env.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: UFO_ENV
|
3
|
-
nav_order:
|
3
|
+
nav_order: 24
|
4
4
|
---
|
5
5
|
|
6
6
|
Ufo's behavior is controlled by the `UFO_ENV` environment variable. For example, the `UFO_ENV` variable is used to layer different ufo variable files together to make it easy to specify settings for different environments like production and development. This is covered thoroughly in the [Variables]({% link _docs/variables.md %}) section. `UFO_ENV` defaults to `development` when not set.
|
@@ -27,12 +27,10 @@ The most interesting way to set `UFO_ENV` is with the `aws_profiles` setting in
|
|
27
27
|
|
28
28
|
```yaml
|
29
29
|
development:
|
30
|
-
|
31
|
-
- my-dev-profile
|
30
|
+
aws_profile: my-dev-profile
|
32
31
|
|
33
32
|
production:
|
34
|
-
|
35
|
-
- my-prod-profile
|
33
|
+
aws_profile: my-prod-profile
|
36
34
|
```
|
37
35
|
|
38
36
|
In this case, when you set `AWS_PROFILE` to switch AWS profiles, ufo picks this up and maps the `AWS_PROFILE` value to the specified `UFO_ENV` using the `aws_profiles` lookup. Example:
|
data/docs/_docs/ufo-logs.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: ufo logs command
|
3
|
-
nav_order:
|
3
|
+
nav_order: 23
|
4
4
|
---
|
5
5
|
|
6
6
|
The ufo logs command will tail the logs of the ecs service if you are using the awslogs driver.
|
@@ -46,5 +46,4 @@ The generated .ufo task definition defaults to the awslogs driver. If you need i
|
|
46
46
|
}
|
47
47
|
```
|
48
48
|
|
49
|
-
|
50
49
|
{% include prev_next.md %}
|
data/docs/_docs/upgrading.md
CHANGED
@@ -1,9 +1,9 @@
|
|
1
1
|
---
|
2
2
|
title: Upgrading to Version 4.0
|
3
3
|
short_title: Version 4.0
|
4
|
-
order:
|
4
|
+
order: 3
|
5
5
|
categories: upgrading
|
6
|
-
nav_order:
|
6
|
+
nav_order: 41
|
7
7
|
---
|
8
8
|
|
9
9
|
A major change in ufo from version 3 to 4 is that the ECS service is now created by CloudFormation. If you have an existing ECS service deployed by ufo version 3, when you deploy your app again with ufo version 4, there will be a new additional ECS service created. Here is the recommended upgrade path.
|
@@ -0,0 +1,19 @@
|
|
1
|
+
---
|
2
|
+
title: Upgrading to Version 5
|
3
|
+
short_title: Version 5
|
4
|
+
order: 1
|
5
|
+
categories: upgrading
|
6
|
+
nav_order: 39
|
7
|
+
---
|
8
|
+
|
9
|
+
In ufo v5, the ufo went from underscore key names in the [cfn settings files]({% link _docs/settings/cfn.md %}) to camelized key names. So the auto_camelize behavior is disabled for newly `ufo init` projects. This mean ufo is backwards compatiable. You can enable the v5 behavior with `auto_camelize: false`. If you have not adjusted this setting, then ufo should still work with your current `.ufo` files.
|
10
|
+
|
11
|
+
## Upgrading Instructions
|
12
|
+
|
13
|
+
If you want to upgrade to the latest ufo v5 default behavior.
|
14
|
+
|
15
|
+
1. Adjust your .ufo/settings/cfn files so that the keys are camelized
|
16
|
+
2. Add to your .ufo/settings.yml `auto_camelize: false`
|
17
|
+
3. Deploy and verify that your ECS app stil works
|
18
|
+
|
19
|
+
{% include prev_next.md %}
|
data/docs/_docs/variables.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
---
|
2
2
|
title: Shared Variables
|
3
|
-
nav_order:
|
3
|
+
nav_order: 18
|
4
4
|
---
|
5
5
|
|
6
6
|
Often, you end up using the set of common variables across your task definitions for a project. Ufo supports a shared variables concept to support this. You specify variables files in the `.ufo/variables` folder and they are made available to your `.ufo/task_definitions.rb` as well as your `.ufo/templates` files.
|
@@ -5,11 +5,11 @@ The properties in the file `.ufo/settings/cfn/default.yml` map directly to ufo's
|
|
5
5
|
Let's customize the `AWS::ElasticLoadBalancingV2::TargetGroup` resource created by CloudFormation. We'll adjust the `deregistration_delay.timeout_seconds` to `8`. Here's the relevant section of the `.ufo/settings/cfn/default.yml`
|
6
6
|
|
7
7
|
```
|
8
|
-
|
8
|
+
TargetGroup:
|
9
9
|
...
|
10
|
-
|
11
|
-
-
|
12
|
-
|
10
|
+
TargetGroupAttributes:
|
11
|
+
- Key: deregistration_delay.timeout_seconds
|
12
|
+
Value: 8
|
13
13
|
```
|
14
14
|
|
15
15
|
The value will be injected to the generated CloudFormation template under the corresponding "TargetGroup Properties". The generated template looks something like this:
|
data/docs/_reference/ufo-init.md
CHANGED
@@ -107,20 +107,19 @@ If you would like to use a local template that is not on GitHub, then created a
|
|
107
107
|
## Options
|
108
108
|
|
109
109
|
```
|
110
|
-
[--force]
|
111
|
-
--image=IMAGE
|
112
|
-
[--app=APP]
|
113
|
-
[--launch-type=LAUNCH_TYPE]
|
114
|
-
|
115
|
-
[--
|
116
|
-
[--template=
|
117
|
-
[--
|
118
|
-
[--
|
119
|
-
[--
|
120
|
-
[--
|
121
|
-
[--
|
122
|
-
[--
|
123
|
-
[--
|
124
|
-
[--cluster=CLUSTER] # Cluster. Overrides .ufo/settings.yml.
|
110
|
+
[--force] # Bypass overwrite are you sure prompt for existing files.
|
111
|
+
--image=IMAGE # Docker image name without the tag. Example: tongueroo/demo-ufo. Configures ufo/settings.yml
|
112
|
+
[--app=APP] # App name. Preferably one word. Used in the generated ufo/task_definitions.rb. If not specified then the app name is inferred as the folder name.
|
113
|
+
[--launch-type=LAUNCH_TYPE] # ec2 or fargate.
|
114
|
+
# Default: ec2
|
115
|
+
[--template=TEMPLATE] # Custom template to use.
|
116
|
+
[--template-mode=TEMPLATE_MODE] # Template mode: replace or additive.
|
117
|
+
[--vpc-id=VPC_ID] # Vpc id. For settings/network/default.yml.
|
118
|
+
[--ecs-subnets=one two three] # Subnets for ECS tasks, defaults to --elb-subnets set to. For settings/network/default.yml
|
119
|
+
[--elb-subnets=one two three] # Subnets for ELB. For settings/network/default.yml
|
120
|
+
[--verbose], [--no-verbose]
|
121
|
+
[--mute], [--no-mute]
|
122
|
+
[--noop], [--no-noop]
|
123
|
+
[--cluster=CLUSTER] # Cluster. Overrides .ufo/settings.yml.
|
125
124
|
```
|
126
125
|
|
data/docs/articles.md
CHANGED
data/lib/template/.secrets
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
-
#
|
2
|
-
|
3
|
-
|
1
|
+
# Example starter secrets file. Be sure that the SSM parameters or Secrets exist.
|
2
|
+
# Docs: https://ufoships.com/docs/secrets/
|
3
|
+
#
|
4
|
+
# NAME1=SSM:parameter_name
|
5
|
+
# NAME2=SECRETSMANAGER:secret_name-AbCdEf
|
@@ -0,0 +1,7 @@
|
|
1
|
+
# Example starter execution role. Add the iam role permissions that the host needs here:
|
2
|
+
#
|
3
|
+
# More docs: https://ufoships.com/docs/iam-roles/
|
4
|
+
#
|
5
|
+
managed_iam_policy("AmazonSSMReadOnlyAccess")
|
6
|
+
managed_iam_policy("SecretsManagerReadWrite")
|
7
|
+
managed_iam_policy("service-role/AmazonECSTaskExecutionRolePolicy")
|
@@ -0,0 +1,21 @@
|
|
1
|
+
# Example starter task role. Add the iam role permissions that the container needs here:
|
2
|
+
#
|
3
|
+
# More docs: https://ufoships.com/docs/iam-roles/
|
4
|
+
#
|
5
|
+
# Examples:
|
6
|
+
#
|
7
|
+
# iam_policy("AmazonS3ReadOnlyAccess",
|
8
|
+
# Action: [
|
9
|
+
# "s3:Get*",
|
10
|
+
# "s3:List*"
|
11
|
+
# ],
|
12
|
+
# Effect: "Allow",
|
13
|
+
# Resource: "*"
|
14
|
+
# )
|
15
|
+
# iam_policy("CloudwatchWrite",
|
16
|
+
# Action: [
|
17
|
+
# "cloudwatch:PutMetricData",
|
18
|
+
# ],
|
19
|
+
# Effect: "Allow",
|
20
|
+
# Resource: "*"
|
21
|
+
# )
|
@@ -2,7 +2,6 @@
|
|
2
2
|
"family": "<%= @family %>",
|
3
3
|
"requiresCompatibilities": ["FARGATE"],
|
4
4
|
"networkMode": "awsvpc",
|
5
|
-
"executionRoleArn": "<%= @execution_role_arn || raise("@execution_role_arn needs to be set") %>",
|
6
5
|
"cpu": "<%= @cpu %>",
|
7
6
|
"memory": "<%= @memory %>",
|
8
7
|
"containerDefinitions": [
|
data/lib/ufo/dsl/helper.rb
CHANGED
@@ -46,11 +46,11 @@ module Ufo
|
|
46
46
|
end
|
47
47
|
|
48
48
|
def secrets(text)
|
49
|
-
Vars.new(text: text
|
49
|
+
Vars.new(text: text).secrets
|
50
50
|
end
|
51
51
|
|
52
52
|
def secrets_file(path)
|
53
|
-
Vars.new(file: path
|
53
|
+
Vars.new(file: path).secrets
|
54
54
|
end
|
55
55
|
|
56
56
|
def current_region
|
data/lib/ufo/dsl/helper/vars.rb
CHANGED
data/lib/ufo/init.rb
CHANGED
@@ -9,7 +9,6 @@ module Ufo
|
|
9
9
|
[:image, required: true, desc: "Docker image name without the tag. Example: tongueroo/demo-ufo. Configures ufo/settings.yml"],
|
10
10
|
[:app, desc: "App name. Preferably one word. Used in the generated ufo/task_definitions.rb. If not specified then the app name is inferred as the folder name."],
|
11
11
|
[:launch_type, default: "ec2", desc: "ec2 or fargate."],
|
12
|
-
[:execution_role_arn, desc: "execution role arn used by tasks, required for fargate."],
|
13
12
|
[:template, desc: "Custom template to use."],
|
14
13
|
[:template_mode, desc: "Template mode: replace or additive."],
|
15
14
|
[:vpc_id, desc: "Vpc id. For settings/network/default.yml."],
|
@@ -56,7 +55,6 @@ module Ufo
|
|
56
55
|
# map variables
|
57
56
|
@app = options[:app] || inferred_app
|
58
57
|
@image = options[:image]
|
59
|
-
@execution_role_arn_input = get_execution_role_arn_input
|
60
58
|
# copy the files
|
61
59
|
puts "Setting up ufo project..."
|
62
60
|
exclude_pattern = File.exist?("#{Ufo.root}/Dockerfile") ?
|
data/lib/ufo/sequence.rb
CHANGED
@@ -17,22 +17,6 @@ module Ufo
|
|
17
17
|
File.basename(Dir.pwd)
|
18
18
|
end
|
19
19
|
|
20
|
-
def get_execution_role_arn_input
|
21
|
-
return @execution_role_arn if @execution_role_arn
|
22
|
-
|
23
|
-
if @options[:execution_role_arn]
|
24
|
-
@execution_role_arn = @options[:execution_role_arn]
|
25
|
-
return @execution_role_arn
|
26
|
-
end
|
27
|
-
|
28
|
-
return unless @options[:launch_type] == "fargate"
|
29
|
-
# execution role arn required for fargate
|
30
|
-
puts "For fargate ECS tasks an ECS Task Execution IAM Role is required. "
|
31
|
-
puts "More details here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html"
|
32
|
-
print "Please provide a execution role arn role for the ecs task: "
|
33
|
-
@execution_role_arn = $stdin.gets.strip
|
34
|
-
end
|
35
|
-
|
36
20
|
def override_source_paths(*paths)
|
37
21
|
# Using string with instance_eval because block doesnt have access to
|
38
22
|
# path at runtime.
|
@@ -33,21 +33,21 @@ class Ufo::Stack::Builder
|
|
33
33
|
settings_key = "#{type}_security_groups".to_sym
|
34
34
|
group_ids = Ufo::Setting::SecurityGroups.new(@service, settings_key).load
|
35
35
|
# no security groups at all
|
36
|
-
return if !
|
36
|
+
return if !managed_security_groups? && group_ids.blank?
|
37
37
|
|
38
38
|
groups = []
|
39
39
|
groups += group_ids
|
40
|
-
groups += [managed_security_group(type.to_s.camelize)] if
|
40
|
+
groups += [managed_security_group(type.to_s.camelize)] if managed_security_groups?
|
41
41
|
groups
|
42
42
|
end
|
43
43
|
|
44
44
|
def managed_security_group(type)
|
45
|
-
logical_id =
|
45
|
+
logical_id = managed_security_groups? ? "#{type.camelize}SecurityGroup" : "AWS::NoValue"
|
46
46
|
{Ref: logical_id}
|
47
47
|
end
|
48
48
|
|
49
|
-
def
|
50
|
-
managed = settings[:
|
49
|
+
def managed_security_groups?
|
50
|
+
managed = settings[:managed_security_groups]
|
51
51
|
managed.nil? ? true : managed
|
52
52
|
end
|
53
53
|
end
|
@@ -56,6 +56,10 @@ class Ufo::Stack::Builder::Resources
|
|
56
56
|
}
|
57
57
|
|
58
58
|
props[:TaskDefinition] = @rollback_definition_arn ? @rollback_definition_arn : {Ref: "TaskDefinition"}
|
59
|
+
if @container[:fargate]
|
60
|
+
props[:LaunchType] = "FARGATE"
|
61
|
+
props[:NetworkConfiguration][:AwsvpcConfiguration][:AssignPublicIp] = "ENABLED" # Works with fargate but doesnt seem to work with non-fargate
|
62
|
+
end
|
59
63
|
|
60
64
|
props
|
61
65
|
end
|
data/lib/ufo/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: ufo
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.0.
|
4
|
+
version: 5.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tung Nguyen
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-06-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-logs
|
@@ -376,6 +376,7 @@ files:
|
|
376
376
|
- docs/_docs/settings/aws_profile.md
|
377
377
|
- docs/_docs/settings/cfn.md
|
378
378
|
- docs/_docs/settings/cluster.md
|
379
|
+
- docs/_docs/settings/manage-security-groups.md
|
379
380
|
- docs/_docs/settings/network.md
|
380
381
|
- docs/_docs/ssl_errors.md
|
381
382
|
- docs/_docs/structure.md
|
@@ -394,6 +395,7 @@ files:
|
|
394
395
|
- docs/_docs/upgrading.md
|
395
396
|
- docs/_docs/upgrading/upgrade4.5.md
|
396
397
|
- docs/_docs/upgrading/upgrade4.md
|
398
|
+
- docs/_docs/upgrading/upgrade5.md
|
397
399
|
- docs/_docs/variables.md
|
398
400
|
- docs/_includes/about.html
|
399
401
|
- docs/_includes/cfn-customize.md
|
@@ -512,6 +514,8 @@ files:
|
|
512
514
|
- exe/ufo
|
513
515
|
- lib/template/.env
|
514
516
|
- lib/template/.secrets
|
517
|
+
- lib/template/.ufo/iam_roles/execution_role.rb
|
518
|
+
- lib/template/.ufo/iam_roles/task_role.rb
|
515
519
|
- lib/template/.ufo/params.yml.tt
|
516
520
|
- lib/template/.ufo/settings.yml.tt
|
517
521
|
- lib/template/.ufo/settings/cfn/default.yml.tt
|