Merge pull request #10 from Guslington/develop
iam, userdata, tag config options and tests
Guslington authored May 30, 2019
2 parents ae11422 + 767c5dd commit 7a8b028
Showing 9 changed files with 126 additions and 34 deletions.
10 changes: 7 additions & 3 deletions .travis.yml
@@ -1,6 +1,10 @@
language: ruby
rvm:
- 2.3
- 2.5
install:
- gem install cfhighlander cfn-nag
before_script:
- cfndsl -u 3.2.0
script:
- gem install cfhighlander --prerelease
- if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then cfhighlander cfcompile ; else cfhighlander cfcompile --validate; fi
- if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then cfhighlander cftest --no-validate; else cfhighlander cftest; fi
- cfn_nag_scan -i out/tests
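Review bot: The tooling installs in this file are unpinned — `gem install cfhighlander cfn-nag` under `install:` and `gem install cfhighlander --prerelease` under `script:` — so each build pulls whatever the newest release or prerelease is, and the second install replaces the version installed a step earlier; which of these lines the commit introduces cannot be recovered from the rendered page, but the result is the same either way. Only `cfndsl -u 3.2.0` is pinned, so the cfcompile, cftest and cfn_nag results can change between runs without any change to this repository. Pinning the gems, e.g. `gem install cfhighlander -v <PINNED_VERSION>` (placeholder), keeps the validation reproducible.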
57 changes: 40 additions & 17 deletions bastion.cfndsl.rb
Expand Up @@ -6,6 +6,13 @@
GroupDescription FnJoin(' ', [ Ref('EnvironmentName'), component_name ])
VpcId Ref('VPCId')
SecurityGroupIngress sg_create_rules(securityGroups, ip_blocks) if defined? securityGroups
Metadata({
cfn_nag: {
rules_to_suppress: [
{ id: 'F1000', reason: 'ignore for now' }
]
}
})
end

EIP('BastionIPAddress') do
Expand All @@ -21,22 +28,38 @@
ResourceRecords [ Ref("BastionIPAddress") ]
end

policies = []
iam_policies.each do |name,policy|
policies << iam_policy_allow(name,policy['action'],policy['resource'] || '*')
end if defined? iam_policies

Role('Role') do
AssumeRolePolicyDocument service_role_assume_policy('ec2')
AssumeRolePolicyDocument service_role_assume_policy(iam_services)
Path '/'
Policies(IAMPolicies.new.create_policies([
'associate-address',
'ec2-describe',
'cloudwatch-logs',
'ssm'
]))
Policies(policies)
Metadata({
cfn_nag: {
rules_to_suppress: [
{ id: 'F3', reason: 'ignore describe* for now' }
]
}
})
end

InstanceProfile('InstanceProfile') do
Path '/'
Roles [Ref('Role')]
end

bastion_userdata = [
"#!/bin/bash\n",
"aws --region ", Ref("AWS::Region"), " ec2 associate-address --allocation-id ", FnGetAtt('BastionIPAddress','AllocationId') ," --instance-id $(curl http://169.254.169.254/2014-11-05/meta-data/instance-id -s)\n",
"hostname ", Ref('EnvironmentName') ,"-" ,"bastion-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`\n",
"sed '/HOSTNAME/d' /etc/sysconfig/network > /tmp/network && mv -f /tmp/network /etc/sysconfig/network && echo \"HOSTNAME=", Ref('EnvironmentName') ,"-" ,"bastion-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`\" >>/etc/sysconfig/network && /etc/init.d/network restart\n",
]

bastion_userdata.push(*userdata.split("\n")) if defined? userdata

LaunchConfiguration('LaunchConfig') do
ImageId Ref('Ami')
InstanceType Ref('InstanceType')
Expand All @@ -45,14 +68,17 @@
KeyName Ref('KeyName')
SpotPrice FnIf('SpotPriceSet', Ref('SpotPrice'), Ref('AWS::NoValue'))
SecurityGroups [ Ref('SecurityGroupBastion') ]
UserData FnBase64(FnJoin("",[
"#!/bin/bash\n",
"aws --region ", Ref("AWS::Region"), " ec2 associate-address --allocation-id ", FnGetAtt('BastionIPAddress','AllocationId') ," --instance-id $(curl http://169.254.169.254/2014-11-05/meta-data/instance-id -s)\n",
"hostname ", Ref('EnvironmentName') ,"-" ,"bastion-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`\n",
"sed '/HOSTNAME/d' /etc/sysconfig/network > /tmp/network && mv -f /tmp/network /etc/sysconfig/network && echo \"HOSTNAME=", Ref('EnvironmentName') ,"-" ,"bastion-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`\" >>/etc/sysconfig/network && /etc/init.d/network restart\n",
]))
UserData FnBase64(FnJoin("",bastion_userdata))
end

instance_tags = {}
instance_tags["Name"] = FnJoin("",[Ref('EnvironmentName'), "-#{instance_name}-xx"])
instance_tags["Environment"] = Ref('EnvironmentName')
instance_tags["EnvironmentName"] = Ref('EnvironmentName')
instance_tags["EnvironmentType"] = Ref('EnvironmentType')
instance_tags["Role"] = "bastion"
tags.each { |k,v| instance_tags[k] = v } if defined? tags and tags.any?

AutoScalingGroup('AutoScaleGroup') do
UpdatePolicy('AutoScalingRollingUpdate', {
"MinInstancesInService" => "0",
Expand All @@ -64,10 +90,7 @@
MinSize Ref('AsgMin')
MaxSize Ref('AsgMax')
VPCZoneIdentifier Ref('SubnetIds')
addTag("Name", FnJoin("",[Ref('EnvironmentName'), "-#{instance_name}-xx"]), true)
addTag("Environment",Ref('EnvironmentName'), true)
addTag("EnvironmentType", Ref('EnvironmentType'), true)
addTag("Role", "bastion", true)
instance_tags.each { |k,v| addTag(k,v,true) }
end

Output('SecurityGroupBastion', Ref('SecurityGroupBastion'))
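Review bot: The extra userdata appended at `bastion_userdata.push(*userdata.split("\n")) if defined? userdata` loses its line breaks, because `split("\n")` strips the separators and the array is later joined with an empty string in `UserData FnBase64(FnJoin("",bastion_userdata))`, so the two lines in tests/userdata.test.yaml render as one shell command (`/usr/bin/bootstrapecho "userdata complete"`). Keeping the separators fixes it: `bastion_userdata.concat(userdata.lines) if defined? userdata`. Separately, the new `F3` entry in the Role's `rules_to_suppress` is resource-wide, so it also silences cfn_nag for any wildcard action a deployment supplies through `iam_policies` (whose `resource` already defaults to `'*'` in `iam_policy_allow(name,policy['action'],policy['resource'] || '*')`); if the suppression cannot be narrowed to the describe policy, the `reason` should say that user-supplied policies are no longer checked. The `and` in `if defined? tags and tags.any?` is a minor style point; `&&` is the idiomatic form for boolean logic.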
32 changes: 18 additions & 14 deletions bastion.config.yaml
Expand Up @@ -3,17 +3,21 @@ instance_name: bastion

dns_format: ${EnvironmentName}.${DnsDomain}

# Set `ip_blocks` here or export from vpc component
# ip_blocks:
# local:
# - 127.0.0.1/32
#
# securityGroups:
# -
# rules:
# -
# IpProtocol: tcp
# FromPort: 22
# ToPort: 22
# ips:
# - local
iam_services: ec2

iam_policies:
associate-address:
action:
- ec2:AssociateAddress
ec2-describe:
action:
- ec2:Describe*
cloudwatch-logs:
action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:DescribeLogStreams
- logs:DescribeLogGroups
resource:
- arn:aws:logs:*:*:*
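Review bot: The new `iam_policies` block documents `resource` only for `cloudwatch-logs`, while `associate-address` and `ec2-describe` omit it; from bastion.cfndsl.rb in this commit an omitted `resource` is filled in as `*`, and nothing in this file tells a reader that. A comment above the block, `# omitting 'resource' grants the action on all resources ('*')`, would make the default visible where operators edit it. Note also that `iam_services: ec2` is a scalar here while tests/iam.test.yaml passes a list; whether `service_role_assume_policy` accepts both shapes is not visible on this page and is worth confirming.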
6 changes: 6 additions & 0 deletions tests/default.test.yaml
@@ -0,0 +1,6 @@
test_metadata:
type: config
name: default
description: with default configuration

# Insert your tests here
15 changes: 15 additions & 0 deletions tests/iam.test.yaml
@@ -0,0 +1,15 @@
test_metadata:
type: config
name: iam
description: override iam policies

iam_services:
- ec2
- ssm

iam_policies:
get-bastion-secrets:
action:
- ssm:GetParameters
resource:
- Fn::Sub: arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${EnvironmentName}/bastion/*
6 changes: 6 additions & 0 deletions tests/instance_name.test.yaml
@@ -0,0 +1,6 @@
test_metadata:
type: config
name: instance_name
description: set the bastion name and dns record

instance_name: someotherbastion
18 changes: 18 additions & 0 deletions tests/security_groups.test.yaml
@@ -0,0 +1,18 @@
test_metadata:
type: config
name: security_groups
description: test security group rules

ip_blocks:
local:
- 127.0.0.1/32

securityGroups:
-
rules:
-
IpProtocol: tcp
FromPort: 22
ToPort: 22
ips:
- local
8 changes: 8 additions & 0 deletions tests/tags.test.yaml
@@ -0,0 +1,8 @@
test_metadata:
type: config
name: tags
description: overide an existing tag and create a new one

tags:
Name: overide
Project: MyApp
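Review bot: `description: overide an existing tag and create a new one` misspells "override", and the same misspelling is used as the tag value `Name: overide`. The description is what the test runner shows for this case, so `description: override an existing tag and create a new one` reads better; the value can stay as it is since it is only compared, not displayed.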
8 changes: 8 additions & 0 deletions tests/userdata.test.yaml
@@ -0,0 +1,8 @@
test_metadata:
type: config
name: userdata
description: add extra userdata

userdata: |
/usr/bin/bootstrap
echo "userdata complete"
