diff --git a/CHANGELOG.md b/CHANGELOG.md
index 40b9f3943..cb4a4cd53 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,21 @@
-# 2020-07-39
+# 2020-09-28
+
+## Features
+* Documentation: Add galley feature flags and default AWS region to example values files (#328, #335)
+* Privacy: Add logrotation of 3 days to all pod logs (#329)
+* Security: Update TLS config: Drop CBC cipher suites (#323, #324)
+
+## Bug Fixes
+* fix sanitized_request parsing on nginx (#330)
+
+## Internal
+* Add automation for deploying SFT servers (#337, #341, #322)
+* Add account number to output of terraform gundeck module (#326)
+* remove issuance of a default search domain via the AWS dhcp servers. breaks dns lookup inside of k8s. (#338)
+* [terraform-module:cargohold] Replace subnet IDs input with route table IDs (#331)
+* [terraform-module] Introduce network load balancer (#299)
+
+# 2020-07-29
 
 ## Features
 
diff --git a/ansible/Makefile b/ansible/Makefile
index 6e0608d7a..06a101445 100644
--- a/ansible/Makefile
+++ b/ansible/Makefile
@@ -1,3 +1,7 @@
+ANSIBLE_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+# Please ignore this if you're not a wire employee
+CAILLEACH_DIR:=$(abspath ${ANSIBLE_DIR}/../../cailleach)
+SHELL:=/usr/bin/env bash -eo pipefail
 default: download
 
 
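Review bot: `ANSIBLE_DIR` shells out for `dirname` although the whole derivation is available as make built-ins — `$(realpath …)` already is one — so `ANSIBLE_DIR:=$(patsubst %/,%,$(dir $(realpath $(firstword $(MAKEFILE_LIST)))))` gives the same value without a process fork at parse time or a dependency on `dirname` being on PATH. Relatedly, `SHELL:=/usr/bin/env bash -eo pipefail` works with the default `.SHELLFLAGS` (`-c`), but the conventional split is `SHELL:=bash` together with `.SHELLFLAGS:=-eo pipefail -c`, which keeps `$(SHELL)` a plain program path for anything that reuses it. Both are style points; behaviour is unchanged.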
@@ -21,3 +25,38 @@ download-ansible-roles:
 .PHONY: download-ansible-roles-force
 download-ansible-roles-force:
 	poetry run ansible-galaxy install -r requirements.yml --force
+
+.PHONY: provision-sft
+provision-sft: check-env
+	poetry run ansible-playbook ${ANSIBLE_DIR}/provision-sft.yml \
+	-i ${ENV_DIR}/gen/terraform-inventory.yml \
+	-i ${ENV_DIR}/inventory.yml \
+	--private-key ${ENV_DIR}/operator-ssh.dec \
+	-vv
+
+.PHONY: bootstrap
+bootstrap: check-env
+	poetry run ansible-playbook ${ANSIBLE_DIR}/bootstrap.yml \
+	-i ${ENV_DIR}/gen/terraform-inventory.yml \
+	-i ${ENV_DIR}/inventory.yml \
+	--private-key ${ENV_DIR}/operator-ssh.dec \
+	-vv
+
+.PHONY: check-env
+check-env:
+ifndef ENV_DIR
+ifndef ENV
+	$(error please define either ENV or ENV_DIR)
+else
+ENV_DIR=${CAILLEACH_DIR}/environments/${ENV}
+endif
+endif
+ifeq ("$(wildcard ${ENV_DIR}/inventory.yml)", "")
+	$(error please make sure ${ENV_DIR}/inventory.yml exists)
+endif
+ifeq ("$(wildcard ${ENV_DIR}/gen/terraform-inventory.yml)", "")
+	$(error please make you have applied terraform for ${ENV_DIR})
+endif
+ifeq ("$(wildcard ${ENV_DIR}/operator-ssh.dec)", "")
+	$(error please make sure ${ENV_DIR}/operator-ssh.dec exists and contains the private key to ssh into servers)
+endif
diff --git a/ansible/README.md b/ansible/README.md
index 0dde82f54..397d831a8 100644
--- a/ansible/README.md
+++ b/ansible/README.md
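Review bot: In `check-env`, `ENV_DIR=${CAILLEACH_DIR}/environments/${ENV}` is a plain variable assignment, and in GNU make an assignment ends the rule that precedes it, so as far as I can tell the tab-indented `$(error …)` lines after it are no longer recipe lines of `check-env`: when `ENV` is set but one of the three files is missing, the `$(error …)` is expanded while the Makefile is parsed and every goal, including `download`, aborts (or make complains that a recipe commences before the first target). The `ifndef`/`ifeq` directives run at parse time regardless, so the existence checks only ever reflect the state when make started, not when the playbook target is reached. I would derive `ENV_DIR` at file level and perform the checks as shell tests inside the recipe, which also lets the paths be quoted; while there, the message `please make you have applied terraform` is missing the word "sure".
```make
# Derive ENV_DIR from ENV at parse time, outside any rule;
# an ENV_DIR from the environment or command line wins.
ifndef ENV_DIR
ifdef ENV
ENV_DIR := $(CAILLEACH_DIR)/environments/$(ENV)
endif
endif

.PHONY: check-env
check-env:
	@test -n "$(ENV_DIR)" || { echo "please define either ENV or ENV_DIR" >&2; exit 1; }
	@test -f "$(ENV_DIR)/inventory.yml" || { echo "please make sure $(ENV_DIR)/inventory.yml exists" >&2; exit 1; }
	@test -f "$(ENV_DIR)/gen/terraform-inventory.yml" || { echo "please make sure you have applied terraform for $(ENV_DIR)" >&2; exit 1; }
	@test -f "$(ENV_DIR)/operator-ssh.dec" || { echo "please make sure $(ENV_DIR)/operator-ssh.dec exists and contains the private key to ssh into servers" >&2; exit 1; }
```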
@@ -3,3 +3,28 @@ In a production environment, some parts of the wire-server infrastructure (such as e.g. cassandra databases) are best configured outside kubernetes. Additionally, kubernetes can be rapidly set up with a project called kubespray, via ansible. This directory hosts a range of ansible playbooks to install kubernetes and databases necessary for wire-server. For documentation on usage, please refer to the [Administrator's Guide](https://docs.wire.com), notably the production installation.
+
+
+## Bootrap environment created by `terraform/environment`
+
+An 'environment' is supposed to represent all the setup required for the Wire
+backend to function.
+
+'Bootstrapping' an environment means running a range of idempotent ansible
+playbooks against servers specified in an inventory, resulting in a fully
+functional environment. This action can be re-run as often as you want (e.g. in
+case you change some variables or upgrade to new versions).
+
+To start with, the environment only has SFT servers; but more will be added here
+soon.
+
+1. Please ensure `ENV_DIR` or `ENV` are exported as specified in the [docs in
+   the terraform folder](../terraform/README.md)
+1. Ensure `$ENV_DIR/operator-ssh.dec` exists and contains an ssh key for the
+   environment.
+1. Ensure that `make apply` has been run for the environment. Please refer to
+   the [docs in the terraform folder](../terraform/README.md) for details about
+   how to run this.
+1. Ensure all required variables are set in `$ENV_DIR/inventory.yml`
+1. Running `make bootstrap` from this directory will bootstrap the
+   environment.
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index e969c3ec2..d8d630ac2 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -4,7 +4,7 @@ control_path = /tmp/ansible-%%r@%%h:%%p
 
 [defaults]
 retry_files_enabled = False
-roles_path = ./roles-external:./roles
+roles_path = ./roles-external:./roles:./roles-external/sft/roles
 gathering = smart
 
 
diff --git a/ansible/bootstrap.yml b/ansible/bootstrap.yml
new file mode 100644
index 000000000..26f87b2c4
--- /dev/null
+++ b/ansible/bootstrap.yml
@@ -0,0 +1 @@
+- import_playbook: ./provision-sft.yml
diff --git a/ansible/kubernetes.yml b/ansible/kubernetes.yml
index 85298ca1a..b0bb9f253 100644
--- a/ansible/kubernetes.yml
+++ b/ansible/kubernetes.yml
@@ -7,3 +7,5 @@
   environment: "{{ proxy_env | default({}) }}"
   roles:
     - etcd-helpers
+
+- import_playbook: kubernetes_logging.yml
diff --git a/ansible/kubernetes_logging.yml b/ansible/kubernetes_logging.yml
new file mode 100644
index 000000000..e8ab2ada9
--- /dev/null
+++ b/ansible/kubernetes_logging.yml
@@ -0,0 +1,23 @@
+- hosts: k8s-cluster
+  environment: "{{ proxy_env | default({}) }}"
+  roles:
+    - role: logrotate
+      logrotate_scripts:
+        # The following will rotate pod logs once per day to keep no more than
+        # 3 days (maxage 1, rotate 2) of logs for data minimization/protection
+        # reasons.
+        #
+        # NOTE for wire-server-deploy maintainers: if you change the following
+        # options, ensure to also keep the documentation up-to-date, see the
+        # documentation introduced in
+        # https://github.com/wireapp/wire-docs/pull/79
+        - name: podlogs
+          path: "/var/lib/docker/containers/*/*.log"
+          options:
+            - daily
+            - missingok
+            - rotate 2
+            - maxage 1
+            - copytruncate
+            - nocreate
+            - nocompress
diff --git a/ansible/poetry.lock b/ansible/poetry.lock
index 5ab717fbf..a1abaf24c 100644
--- a/ansible/poetry.lock
+++ b/ansible/poetry.lock
@@ -3,8 +3,8 @@ category = "main" description = "Radically simple IT automation" name = "ansible" optional = false -python-versions = "*" -version = "2.7.11" +python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*" +version = "2.7.18" [[package]] category = "main"
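Review bot: The comment above `podlogs` says `maxage 1, rotate 2` keeps "no more than 3 days" of logs, but `maxage` removes rotated files older than the given number of days, so with `daily` rotation the second rotated copy is, as I read logrotate's semantics, deleted on the run after it ages past one day and the effective window is closer to two days than three; since the value is documented externally (the wire-docs link in the same comment), state the intended retention precisely, e.g. `# keep the live file plus 2 rotated copies (rotate 2); maxage 1 additionally deletes rotated copies older than one day`, or drop `maxage` and let `rotate` alone bound retention. Two assumptions deserve a comment next to `path` as well: the glob `/var/lib/docker/containers/*/*.log` covers only Docker's json-file log location, so if any node runs a different container runtime its pod logs are not rotated and the data-minimisation intent silently does not hold there. `copytruncate` can drop lines written between the copy and the truncate, which is acceptable for minimisation but worth noting if these logs are also relied on for incident investigation.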
@@ -12,11 +12,11 @@ description = "Ansible Modules for Hashicorp Vault" name = "ansible-modules-hashivault" optional = false python-versions = "*" -version = "3.17.7" +version = "4.5.6" [package.dependencies] ansible = ">=2.0.0" -hvac = ">=0.7.0" +hvac = ">=0.9.5" requests = "*" [[package]] @@ -33,12 +33,12 @@ description = "The AWS SDK for Python" name = "boto3" optional = false python-versions = "*" -version = "1.9.181" +version = "1.15.0" [package.dependencies] -botocore = ">=1.12.181,<1.13.0" +botocore = ">=1.18.0,<1.19.0" jmespath = ">=0.7.1,<1.0.0" -s3transfer = ">=0.2.0,<0.3.0" +s3transfer = ">=0.3.0,<0.4.0" [[package]] category = "main" @@ -46,18 +46,14 @@ description = "Low-level, data-driven core of boto 3." name = "botocore" optional = false python-versions = "*" -version = "1.12.181" +version = "1.18.0" [package.dependencies] -docutils = ">=0.10" jmespath = ">=0.7.1,<1.0.0" - -[package.dependencies.python-dateutil] -python = ">=2.7" -version = ">=2.1,<3.0.0" +python-dateutil = ">=2.1,<3.0.0" [package.dependencies.urllib3] -python = ">=2.7,<2.8 || >=3.4" +python = "<3.4.0 || >=3.5.0" version = ">=1.20,<1.26" [[package]] 
@@ -66,40 +62,57 @@ description = "Python package for providing Mozilla's CA Bundle." name = "certifi" optional = false python-versions = "*" -version = "2019.6.16" +version = "2020.6.20" [[package]] category = "main" -description = "Universal encoding detector for Python 2 and 3" -name = "chardet" +description = "Foreign Function Interface for Python calling C code." +name = "cffi" optional = false python-versions = "*" -version = "3.0.4" +version = "1.14.3" + +[package.dependencies] +pycparser = "*" [[package]] category = "main" -description = "DNS toolkit" -name = "dnspython" +description = "Universal encoding detector for Python 2 and 3" +name = "chardet" optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" -version = "1.16.0" +python-versions = "*" +version = "3.0.4" [[package]] category = "main" -description = "Docutils -- Python Documentation Utilities" -name = "docutils" +description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." 
+name = "cryptography" optional = false -python-versions = "*" -version = "0.14" +python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*" +version = "3.1" + +[package.dependencies] +cffi = ">=1.8,<1.11.3 || >1.11.3" +six = ">=1.4.1" + +[package.extras] +docs = ["sphinx (>=1.6.5,<1.8.0 || >1.8.0,<3.1.0 || >3.1.0,<3.1.1 || >3.1.1)", "sphinx-rtd-theme"] +docstest = ["doc8", "pyenchant (>=1.6.11)", "twine (>=1.12.0)", "sphinxcontrib-spelling (>=4.0.1)"] +pep8test = ["black", "flake8", "flake8-import-order", "pep8-naming"] +ssh = ["bcrypt (>=3.1.5)"] +test = ["pytest (>=3.6.0,<3.9.0 || >3.9.0,<3.9.1 || >3.9.1,<3.9.2 || >3.9.2)", "pretend", "iso8601", "pytz", "hypothesis (>=1.11.4,<3.79.2 || >3.79.2)"] [[package]] category = "main" -description = "Backport of the concurrent.futures package from Python 3" -marker = "python_version == \"2.6\" or python_version == \"2.7\"" -name = "futures" +description = "DNS toolkit" +name = "dnspython" optional = false -python-versions = ">=2.6, <3" -version = "3.2.0" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" +version = "1.16.0" + +[package.extras] +DNSSEC = ["pycryptodome", "ecdsa (>=0.13)"] +IDNA = ["idna (>=2.1)"] [[package]] category = "main" @@ -107,10 +120,14 @@ description = "HashiCorp Vault API client" name = "hvac" optional = false python-versions = "*" -version = "0.9.2" +version = "0.10.5" [package.dependencies] requests = ">=2.21.0" +six = ">=1.5.0" + +[package.extras] +parser = ["pyhcl (>=0.3.10)"] [[package]] category = "main" 
@@ -118,26 +135,46 @@ description = "Internationalized Domain Names in Applications (IDNA)" name = "idna" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" -version = "2.8" +version = "2.10" [[package]] category = "main" -description = "A small but fast and easy to use stand-alone template engine written in pure python." +description = "Read resources from Python packages" +marker = "python_version < \"3.7\"" +name = "importlib-resources" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" +version = "3.0.0" + +[package.dependencies] +[package.dependencies.zipp] +python = "<3.8" +version = ">=0.4" + +[package.extras] +docs = ["sphinx", "rst.linker", "jaraco.packaging"] + +[[package]] +category = "main" +description = "A very fast and expressive template engine." name = "jinja2" optional = false -python-versions = "*" -version = "2.10.1" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +version = "2.11.2" [package.dependencies] MarkupSafe = ">=0.23" +[package.extras] +i18n = ["Babel (>=0.8)"] + [[package]] category = "main" description = "JSON Matching Expressions" name = "jmespath" optional = false -python-versions = "*" -version = "0.9.4" +python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" +version = "0.10.0" [[package]] category = "main" 
@@ -153,24 +190,52 @@ description = "A network address manipulation library for Python" name = "netaddr" optional = false python-versions = "*" -version = "0.7.19" +version = "0.8.0" + +[package.dependencies] +[package.dependencies.importlib-resources] +python = "<3.7" +version = "*" [[package]] category = "main" description = "Python Build Reasonableness" name = "pbr" optional = false +python-versions = ">=2.6" +version = "5.5.0" + +[[package]] +category = "main" +description = "C parser in Python" +name = "pycparser" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" +version = "2.20" + +[[package]] +category = "main" +description = "Python wrapper module around the OpenSSL library" +name = "pyopenssl" +optional = false python-versions = "*" -version = "5.3.1" +version = "19.1.0" + +[package.dependencies] +cryptography = ">=2.8" +six = ">=1.5.2" + +[package.extras] +docs = ["sphinx", "sphinx-rtd-theme"] +test = ["flaky", "pretend", "pytest (>=3.0.1)"] [[package]] category = "main" description = "Extensions to the standard Python datetime module" -marker = "python_version >= \"2.7\"" name = "python-dateutil" optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" -version = "2.8.0" +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" +version = "2.8.1" [package.dependencies] six = ">=1.5" @@ -180,8 +245,8 @@ category = "main" description = "YAML parser and emitter for Python" name = "pyyaml" optional = false -python-versions = "*" -version = "5.1.1" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +version = "5.3.1" [[package]] category = "main" 
@@ -189,35 +254,17 @@ description = "Python HTTP for Humans." name = "requests" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" -version = "2.22.0" +version = "2.24.0" [package.dependencies] certifi = ">=2017.4.17" -chardet = ">=3.0.2,<3.1.0" -idna = ">=2.5,<2.9" +chardet = ">=3.0.2,<4" +idna = ">=2.5,<3" urllib3 = ">=1.21.1,<1.25.0 || >1.25.0,<1.25.1 || >1.25.1,<1.26" -[[package]] -category = "main" -description = "a version of dict that keeps keys in insertion resp. sorted order" -marker = "platform_python_implementation == \"CPython\" and python_version <= \"2.7\"" -name = "ruamel.ordereddict" -optional = false -python-versions = "*" -version = "0.4.13" - -[[package]] -category = "main" -description = "ruamel.yaml is a YAML parser/emitter that supports roundtrip preservation of comments, seq/map flow style, and map key order" -name = "ruamel.yaml" -optional = false -python-versions = "*" -version = "0.15.97" - -[package.dependencies] -[package.dependencies."ruamel.ordereddict"] -python = "<=2.7" -version = "*" +[package.extras] +security = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)"] +socks = ["PySocks (>=1.5.6,<1.5.7 || >1.5.7)", "win-inet-pton"] [[package]] category = "main" @@ -225,23 +272,18 @@ description = "An Amazon S3 Transfer Manager" name = "s3transfer" optional = false python-versions = "*" -version = "0.2.1" +version = "0.3.3" [package.dependencies] -botocore = ">=1.12.36,<2.0.0" - -[package.dependencies.futures] -python = ">=2.6,<2.8" -version = ">=2.2.0,<4.0.0" +botocore = ">=1.12.36,<2.0a.0" [[package]] category = "main" description = "Python 2 and 3 compatibility utilities" -marker = "python_version >= \"2.7\"" name = "six" optional = false -python-versions = ">=2.6, !=3.0.*, !=3.1.*" -version = "1.12.0" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" +version = "1.15.0" [[package]] category = "main" 
@@ -251,33 +293,225 @@ optional = false python-versions = "*" version = "1.22" +[package.extras] +secure = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "certifi", "ipaddress"] +socks = ["PySocks (>=1.5.6,<1.5.7 || >1.5.7,<2.0)"] + +[[package]] +category = "main" +description = "Backport of pathlib-compatible object wrapper for zip files" +name = "zipp" +optional = false +python-versions = ">=2.7" +version = "1.2.0" + +[package.extras] +docs = ["sphinx", "jaraco.packaging (>=3.2)", "rst.linker (>=1.9)"] +testing = ["pathlib2", "unittest2", "jaraco.itertools", "func-timeout"] + [metadata] -content-hash = "d523c92dd42556edd2d4bcaa8aeb4701507225f5e492169e7d5f0af854e89253" -python-versions = "^2.7 || >=3.5" - -[metadata.hashes] -ansible = ["e7e6de461b7d07cb4d8b2dd2a32b231af7c56e6bf39b851024671aaa52fd377e"] -ansible-modules-hashivault = ["1d323ba19e2b6459dfb5f14dee2cb79af8103a691c32fd65dc642bbf7eb82f2b"] -boto = ["147758d41ae7240dc989f0039f27da8ca0d53734be0eb869ef16e3adcfa462e8", "ea0d3b40a2d852767be77ca343b58a9e3a4b00d9db440efb8da74b4e58025e5a"] -boto3 = ["5e0e3e2a520cc289a36c053974afdd416292e0e8d2a7220a575cf992d6a890cd", "93625ceb73aa0eaab4fefba733562a6dfa1366b38a056edf5e53aa4fb97e0b3a"] -botocore = ["1a1594258b503adeb3d54b77c0b79151e546d76e8ebc62aa9258693e6cdd0f9b", "6dc20c4766cb0a4ff8b0993effe2550e3b4e4606265da37bcf8949610980da40"] -certifi = ["046832c04d4e752f37383b628bc601a7ea7211496b4638f6514d0e5b9acc4939", "945e3ba63a0b9f577b1395204e13c3a231f9bc0223888be653286534e5873695"] -chardet = ["84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", "fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"] -dnspython = ["36c5e8e38d4369a08b6780b7f27d790a292b2b08eea01607865bf0936c558e01", "f69c21288a962f4da86e56c4905b49d11aba7938d3d740e80d9e366ee4f1632d"] -docutils = ["02aec4bd92ab067f6ff27a38a38a41173bf01bed8f89157768c1573f53e474a6", "51e64ef2ebfb29cae1faa133b3710143496eca21c530f3f71424d77687764274", 
"7a4bd47eaf6596e1295ecb11361139febe29b084a87bf005bf899f9a42edc3c6"] -futures = ["9ec02aa7d674acb8618afb127e27fde7fc68994c0437ad759fa094a574adb265", "ec0a6cb848cc212002b9828c3e34c675e0c9ff6741dc445cab6fdd4e1085d1f1"] -hvac = ["0e558949d55c81550b03f1bef08981d7d3d4be6346f80d587a94eb6bf59b19f1", "bc853edddf6e2bf4f771eeb534e70ff550aa7f1d2976afd52f767e60afbd4679"] -idna = ["c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", "ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"] -jinja2 = ["065c4f02ebe7f7cf559e49ee5a95fb800a9e4528727aec6f24402a5374c65013", "14dd6caf1527abb21f08f86c784eac40853ba93edb79552aa1e4b8aef1b61c7b"] -jmespath = ["3720a4b1bd659dd2eecad0666459b9788813e032b83e7ba58578e48254e0a0e6", "bde2aef6f44302dfb30320115b17d030798de8c4110e28d5cf6cf91a7a31074c"] -markupsafe = ["00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473", "09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161", "09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235", "1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5", "24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff", "29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b", "43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1", "46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e", "500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183", "535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66", "62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1", "6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1", "717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e", "79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b", "7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905", "88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735", "8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d", 
"98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e", "9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d", "9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c", "ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21", "b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2", "b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5", "b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b", "ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6", "c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f", "cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f", "e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7"] -netaddr = ["38aeec7cdd035081d3a4c306394b19d677623bf76fa0913f6695127c7753aefd", "56b3558bd71f3f6999e4c52e349f38660e54a7a8a9943335f73dfc96883e08ca"] -pbr = ["9181e2a34d80f07a359ff1d0504fad3a47e00e1cf2c475b0aa7dcb030af54c40", "94bdc84da376b3dd5061aa0c3b6faffe943ee2e56fa4ff9bd63e1643932f34fc"] -python-dateutil = ["7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb", "c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e"] -pyyaml = ["57acc1d8533cbe51f6662a55434f0dbecfa2b9eaf115bede8f6fd00115a0c0d3", "588c94b3d16b76cfed8e0be54932e5729cc185caffaa5a451e7ad2f7ed8b4043", "68c8dd247f29f9a0d09375c9c6b8fdc64b60810ebf07ba4cdd64ceee3a58c7b7", "70d9818f1c9cd5c48bb87804f2efc8692f1023dac7f1a1a5c61d454043c1d265", "86a93cccd50f8c125286e637328ff4eef108400dd7089b46a7be3445eecfa391", "a0f329125a926876f647c9fa0ef32801587a12328b4a3c741270464e3e4fa778", "a3c252ab0fa1bb0d5a3f6449a4826732f3eb6c0270925548cac342bc9b22c225", "b4bb4d3f5e232425e25dda21c070ce05168a786ac9eda43768ab7f3ac2770955", "cd0618c5ba5bda5f4039b9398bb7fb6a317bb8298218c3de25c47c4740e4b95e", "ceacb9e5f8474dcf45b940578591c7f3d960e82f926c707788a570b51ba59190", "fe6a88094b64132c4bb3b631412e90032e8cfe9745a58370462240b8cb7553cd"] -requests = 
["11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", "9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"] -"ruamel.ordereddict" = ["08b4b19fe518d32251a5338e039c4dc9eb0876f2919f94c9b8d2f9446ea80806", "150ce8e6c514a2a2b62753622a75874962561f8e5eeec81a3172ab952807bf0b", "45541836cbfdde630033cae7bbbe35acbac87a0ceec79f944b7a3bedd940fe78", "854dd4a524811b16111b1107d8a751e4ca064d2bb103d3d91deab75de36b6620", "aee2fa23e884249b4284b728888c553d551e5bfd4de2731f10153fd7813ec55f", "bf0a198c8ce5d973c24e5dba12d3abc254996788ca6ad8448eabc6aa710db149"] -"ruamel.yaml" = ["17dbf6b7362e7aee8494f7a0f5cffd44902a6331fe89ef0853b855a7930ab845", "23731c9efb79f3f5609dedffeb6c5c47a68125fd3d4b157d9fc71b1cd49076a9", "2bbdd598ae57bac20968cf9028cc67d37d83bdb7942a94b9478110bc72193148", "34586084cdd60845a3e1bece2b58f0a889be25450db8cc0ea143ddf0f40557a2", "35957fedbb287b01313bb5c556ffdc70c0277c3500213b5e73dfd8716f748d77", "414cb87a40974a575830b406ffab4ab8c6cbd82eeb73abd2a9d1397c1f0223e1", "428775be75db68d908b17e4e8dda424c410222f170dc173246aa63e972d094b3", "514f670f7d36519bda504d507edfe63e3c20489f86c86d42bc4d9a6dbdf82c7b", "5cb962c1ac6887c5da29138fbbe3b4b7705372eb54e599907fa63d4cd743246d", "5f6e30282cf70fb7754e1a5f101e27b5240009766376e131b31ab49f14fe81be", "86f8e010af6af0b4f42de2d0d9b19cb441e61d3416082186f9dd03c8552d13ad", "8d47ed1e557d546bd2dfe54f504d7274274602ff7a0652cde84c258ad6c2d96d", "98668876720bce1ac08562d8b93a564a80e3397e442c7ea19cebdcdf73da7f74", "9e1f0ddc18d8355dcf5586a5d90417df56074f237812b8682a93b62cca9d2043", "a7bc812a72a79d6b7dbb96fa5bee3950464b65ec055d3abc4db6572f2373a95c", "b72e13f9f206ee103247b07afd5a39c8b1aa98e8eba80ddba184d030337220ba", "bcff8ea9d916789e85e24beed8830c157fb8bc7c313e554733a8151540e66c01", "c76e78b3bab652069b8d6f7889b0e72f3455c2b854b2e0a8818393d149ad0a0d"] -s3transfer = ["6efc926738a3cd576c2a79725fed9afde92378aa5c6a957e3af010cb019fac9d", "b780f2411b824cb541dbcd2c713d0cb61c7d1bcadae204cdddda2b35cef493ba"] -six = 
["3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", "d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"] -urllib3 = ["06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b", "cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f"] +content-hash = "ebbaf43971e69ff35f6df78246be41d3bc2b7b7f0dc3807cbeba4e04291beba9" +lock-version = "1.0" +python-versions = ">=3.5" + +[metadata.files] +ansible = [ + {file = "ansible-2.7.18.tar.gz", hash = "sha256:a1056225ddf53b3878d859aedc610138f39ceb8eb0445f0688034b8f9582fa69"}, +] +ansible-modules-hashivault = [ + {file = "ansible-modules-hashivault-4.5.6.tar.gz", hash = "sha256:070ec222c4a31534efc4429acc2ca001e2429b62c3d1ad704e48162d0959ca50"}, +] +boto = [ + {file = "boto-2.49.0-py2.py3-none-any.whl", hash = "sha256:147758d41ae7240dc989f0039f27da8ca0d53734be0eb869ef16e3adcfa462e8"}, + {file = "boto-2.49.0.tar.gz", hash = "sha256:ea0d3b40a2d852767be77ca343b58a9e3a4b00d9db440efb8da74b4e58025e5a"}, +] +boto3 = [ + {file = "boto3-1.15.0-py2.py3-none-any.whl", hash = "sha256:28bf1bce2979d4d1674d63b1b4d6ac30b6844b5d3604e69d8847b18602588861"}, + {file = "boto3-1.15.0.tar.gz", hash = "sha256:78f3ebcdff149d5327f27a5c461a9e394306b7db9a60e8bd65c9401cc41d99d3"}, +] +botocore = [ + {file = "botocore-1.18.0-py2.py3-none-any.whl", hash = "sha256:f3d509f06201582e60523263d52016b50415461bc6a03afb5434f477a1de3ba0"}, + {file = "botocore-1.18.0.tar.gz", hash = "sha256:1dbd37af06432eda8a5736bd82f92ddd1ae8de74e4faa090bd728f8d58d24849"}, +] +certifi = [ + {file = "certifi-2020.6.20-py2.py3-none-any.whl", hash = "sha256:8fc0819f1f30ba15bdb34cceffb9ef04d99f420f68eb75d901e9560b8749fc41"}, + {file = "certifi-2020.6.20.tar.gz", hash = "sha256:5930595817496dd21bb8dc35dad090f1c2cd0adfaf21204bf6732ca5d8ee34d3"}, +] +cffi = [ + {file = "cffi-1.14.3-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:485d029815771b9fe4fa7e1c304352fe57df6939afe835dfd0182c7c13d5e92e"}, + {file = 
"cffi-1.14.3-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:3cb3e1b9ec43256c4e0f8d2837267a70b0e1ca8c4f456685508ae6106b1f504c"}, + {file = "cffi-1.14.3-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:f0620511387790860b249b9241c2f13c3a80e21a73e0b861a2df24e9d6f56730"}, + {file = "cffi-1.14.3-cp27-cp27m-win32.whl", hash = "sha256:005f2bfe11b6745d726dbb07ace4d53f057de66e336ff92d61b8c7e9c8f4777d"}, + {file = "cffi-1.14.3-cp27-cp27m-win_amd64.whl", hash = "sha256:2f9674623ca39c9ebe38afa3da402e9326c245f0f5ceff0623dccdac15023e05"}, + {file = "cffi-1.14.3-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:09e96138280241bd355cd585148dec04dbbedb4f46128f340d696eaafc82dd7b"}, + {file = "cffi-1.14.3-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:3363e77a6176afb8823b6e06db78c46dbc4c7813b00a41300a4873b6ba63b171"}, + {file = "cffi-1.14.3-cp35-cp35m-macosx_10_9_x86_64.whl", hash = "sha256:52bf29af05344c95136df71716bb60508bbd217691697b4307dcae681612db9f"}, + {file = "cffi-1.14.3-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:0ef488305fdce2580c8b2708f22d7785ae222d9825d3094ab073e22e93dfe51f"}, + {file = "cffi-1.14.3-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:0b1ad452cc824665ddc682400b62c9e4f5b64736a2ba99110712fdee5f2505c4"}, + {file = "cffi-1.14.3-cp35-cp35m-win32.whl", hash = "sha256:85ba797e1de5b48aa5a8427b6ba62cf69607c18c5d4eb747604b7302f1ec382d"}, + {file = "cffi-1.14.3-cp35-cp35m-win_amd64.whl", hash = "sha256:e66399cf0fc07de4dce4f588fc25bfe84a6d1285cc544e67987d22663393926d"}, + {file = "cffi-1.14.3-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:c687778dda01832555e0af205375d649fa47afeaeeb50a201711f9a9573323b8"}, + {file = "cffi-1.14.3-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:15f351bed09897fbda218e4db5a3d5c06328862f6198d4fb385f3e14e19decb3"}, + {file = "cffi-1.14.3-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:4d7c26bfc1ea9f92084a1d75e11999e97b62d63128bcc90c3624d07813c52808"}, + {file = "cffi-1.14.3-cp36-cp36m-manylinux2014_aarch64.whl", hash = 
"sha256:23e5d2040367322824605bc29ae8ee9175200b92cb5483ac7d466927a9b3d537"}, + {file = "cffi-1.14.3-cp36-cp36m-win32.whl", hash = "sha256:a624fae282e81ad2e4871bdb767e2c914d0539708c0f078b5b355258293c98b0"}, + {file = "cffi-1.14.3-cp36-cp36m-win_amd64.whl", hash = "sha256:de31b5164d44ef4943db155b3e8e17929707cac1e5bd2f363e67a56e3af4af6e"}, + {file = "cffi-1.14.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:03d3d238cc6c636a01cf55b9b2e1b6531a7f2f4103fabb5a744231582e68ecc7"}, + {file = "cffi-1.14.3-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:f92cdecb618e5fa4658aeb97d5eb3d2f47aa94ac6477c6daf0f306c5a3b9e6b1"}, + {file = "cffi-1.14.3-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:22399ff4870fb4c7ef19fff6eeb20a8bbf15571913c181c78cb361024d574579"}, + {file = "cffi-1.14.3-cp37-cp37m-manylinux2014_aarch64.whl", hash = "sha256:f4eae045e6ab2bb54ca279733fe4eb85f1effda392666308250714e01907f394"}, + {file = "cffi-1.14.3-cp37-cp37m-win32.whl", hash = "sha256:b0358e6fefc74a16f745afa366acc89f979040e0cbc4eec55ab26ad1f6a9bfbc"}, + {file = "cffi-1.14.3-cp37-cp37m-win_amd64.whl", hash = "sha256:6642f15ad963b5092d65aed022d033c77763515fdc07095208f15d3563003869"}, + {file = "cffi-1.14.3-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:c2a33558fdbee3df370399fe1712d72464ce39c66436270f3664c03f94971aff"}, + {file = "cffi-1.14.3-cp38-cp38-manylinux1_i686.whl", hash = "sha256:2791f68edc5749024b4722500e86303a10d342527e1e3bcac47f35fbd25b764e"}, + {file = "cffi-1.14.3-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:529c4ed2e10437c205f38f3691a68be66c39197d01062618c55f74294a4a4828"}, + {file = "cffi-1.14.3-cp38-cp38-manylinux2014_aarch64.whl", hash = "sha256:8f0f1e499e4000c4c347a124fa6a27d37608ced4fe9f7d45070563b7c4c370c9"}, + {file = "cffi-1.14.3-cp38-cp38-win32.whl", hash = "sha256:3b8eaf915ddc0709779889c472e553f0d3e8b7bdf62dab764c8921b09bf94522"}, + {file = "cffi-1.14.3-cp38-cp38-win_amd64.whl", hash = "sha256:bbd2f4dfee1079f76943767fce837ade3087b578aeb9f69aec7857d5bf25db15"}, + {file = 
"cffi-1.14.3-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5d9a7dc7cf8b1101af2602fe238911bcc1ac36d239e0a577831f5dac993856e9"}, + {file = "cffi-1.14.3-cp39-cp39-manylinux1_i686.whl", hash = "sha256:cc75f58cdaf043fe6a7a6c04b3b5a0e694c6a9e24050967747251fb80d7bce0d"}, + {file = "cffi-1.14.3-cp39-cp39-manylinux1_x86_64.whl", hash = "sha256:bf39a9e19ce7298f1bd6a9758fa99707e9e5b1ebe5e90f2c3913a47bc548747c"}, + {file = "cffi-1.14.3-cp39-cp39-win32.whl", hash = "sha256:d80998ed59176e8cba74028762fbd9b9153b9afc71ea118e63bbf5d4d0f9552b"}, + {file = "cffi-1.14.3-cp39-cp39-win_amd64.whl", hash = "sha256:c150eaa3dadbb2b5339675b88d4573c1be3cb6f2c33a6c83387e10cc0bf05bd3"}, + {file = "cffi-1.14.3.tar.gz", hash = "sha256:f92f789e4f9241cd262ad7a555ca2c648a98178a953af117ef7fad46aa1d5591"}, +] +chardet = [ + {file = "chardet-3.0.4-py2.py3-none-any.whl", hash = "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"}, + {file = "chardet-3.0.4.tar.gz", hash = "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae"}, +] +cryptography = [ + {file = "cryptography-3.1-cp27-cp27m-macosx_10_10_x86_64.whl", hash = "sha256:969ae512a250f869c1738ca63be843488ff5cc031987d302c1f59c7dbe1b225f"}, + {file = "cryptography-3.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:b45ab1c6ece7c471f01c56f5d19818ca797c34541f0b2351635a5c9fe09ac2e0"}, + {file = "cryptography-3.1-cp27-cp27m-manylinux2010_x86_64.whl", hash = "sha256:247df238bc05c7d2e934a761243bfdc67db03f339948b1e2e80c75d41fc7cc36"}, + {file = "cryptography-3.1-cp27-cp27m-win32.whl", hash = "sha256:10c9775a3f31610cf6b694d1fe598f2183441de81cedcf1814451ae53d71b13a"}, + {file = "cryptography-3.1-cp27-cp27m-win_amd64.whl", hash = "sha256:9f734423eb9c2ea85000aa2476e0d7a58e021bc34f0a373ac52a5454cd52f791"}, + {file = "cryptography-3.1-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:e7563eb7bc5c7e75a213281715155248cceba88b11cb4b22957ad45b85903761"}, + {file = "cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl", 
hash = "sha256:94191501e4b4009642be21dde2a78bd3c2701a81ee57d3d3d02f1d99f8b64a9e"}, + {file = "cryptography-3.1-cp35-abi3-macosx_10_10_x86_64.whl", hash = "sha256:dc3f437ca6353979aace181f1b790f0fc79e446235b14306241633ab7d61b8f8"}, + {file = "cryptography-3.1-cp35-abi3-manylinux1_x86_64.whl", hash = "sha256:725875681afe50b41aee7fdd629cedbc4720bab350142b12c55c0a4d17c7416c"}, + {file = "cryptography-3.1-cp35-abi3-manylinux2010_x86_64.whl", hash = "sha256:321761d55fb7cb256b771ee4ed78e69486a7336be9143b90c52be59d7657f50f"}, + {file = "cryptography-3.1-cp35-abi3-manylinux2014_aarch64.whl", hash = "sha256:2a27615c965173c4c88f2961cf18115c08fedfb8bdc121347f26e8458dc6d237"}, + {file = "cryptography-3.1-cp35-cp35m-win32.whl", hash = "sha256:e7dad66a9e5684a40f270bd4aee1906878193ae50a4831922e454a2a457f1716"}, + {file = "cryptography-3.1-cp35-cp35m-win_amd64.whl", hash = "sha256:4005b38cd86fc51c955db40b0f0e52ff65340874495af72efabb1bb8ca881695"}, + {file = "cryptography-3.1-cp36-abi3-win32.whl", hash = "sha256:cc6096c86ec0de26e2263c228fb25ee01c3ff1346d3cfc219d67d49f303585af"}, + {file = "cryptography-3.1-cp36-abi3-win_amd64.whl", hash = "sha256:2e26223ac636ca216e855748e7d435a1bf846809ed12ed898179587d0cf74618"}, + {file = "cryptography-3.1-cp36-cp36m-win32.whl", hash = "sha256:7a63e97355f3cd77c94bd98c59cb85fe0efd76ea7ef904c9b0316b5bbfde6ed1"}, + {file = "cryptography-3.1-cp36-cp36m-win_amd64.whl", hash = "sha256:4b9e96543d0784acebb70991ebc2dbd99aa287f6217546bb993df22dd361d41c"}, + {file = "cryptography-3.1-cp37-cp37m-win32.whl", hash = "sha256:eb80a288e3cfc08f679f95da72d2ef90cb74f6d8a8ba69d2f215c5e110b2ca32"}, + {file = "cryptography-3.1-cp37-cp37m-win_amd64.whl", hash = "sha256:180c9f855a8ea280e72a5d61cf05681b230c2dce804c48e9b2983f491ecc44ed"}, + {file = "cryptography-3.1-cp38-cp38-win32.whl", hash = "sha256:fa7fbcc40e2210aca26c7ac8a39467eae444d90a2c346cbcffd9133a166bcc67"}, + {file = "cryptography-3.1-cp38-cp38-win_amd64.whl", hash = 
"sha256:548b0818e88792318dc137d8b1ec82a0ab0af96c7f0603a00bb94f896fbf5e10"}, + {file = "cryptography-3.1.tar.gz", hash = "sha256:26409a473cc6278e4c90f782cd5968ebad04d3911ed1c402fc86908c17633e08"}, +] +dnspython = [ + {file = "dnspython-1.16.0-py2.py3-none-any.whl", hash = "sha256:f69c21288a962f4da86e56c4905b49d11aba7938d3d740e80d9e366ee4f1632d"}, + {file = "dnspython-1.16.0.zip", hash = "sha256:36c5e8e38d4369a08b6780b7f27d790a292b2b08eea01607865bf0936c558e01"}, +] +hvac = [ + {file = "hvac-0.10.5-py2.py3-none-any.whl", hash = "sha256:9eb929ba0f00f5886f49f31513eb274fd8adf54607864afd6e71b59243a34e0d"}, + {file = "hvac-0.10.5.tar.gz", hash = "sha256:87dc2a3183c1d4595990203e752b430155d7582a60850dfe0756189a233d4b57"}, +] +idna = [ + {file = "idna-2.10-py2.py3-none-any.whl", hash = "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"}, + {file = "idna-2.10.tar.gz", hash = "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6"}, +] +importlib-resources = [ + {file = "importlib_resources-3.0.0-py2.py3-none-any.whl", hash = "sha256:d028f66b66c0d5732dae86ba4276999855e162a749c92620a38c1d779ed138a7"}, + {file = "importlib_resources-3.0.0.tar.gz", hash = "sha256:19f745a6eca188b490b1428c8d1d4a0d2368759f32370ea8fb89cad2ab1106c3"}, +] +jinja2 = [ + {file = "Jinja2-2.11.2-py2.py3-none-any.whl", hash = "sha256:f0a4641d3cf955324a89c04f3d94663aa4d638abe8f733ecd3582848e1c37035"}, + {file = "Jinja2-2.11.2.tar.gz", hash = "sha256:89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0"}, +] +jmespath = [ + {file = "jmespath-0.10.0-py2.py3-none-any.whl", hash = "sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f"}, + {file = "jmespath-0.10.0.tar.gz", hash = "sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9"}, +] +markupsafe = [ + {file = "MarkupSafe-1.1.1-cp27-cp27m-macosx_10_6_intel.whl", hash = "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161"}, + {file = 
"MarkupSafe-1.1.1-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7"}, + {file = "MarkupSafe-1.1.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183"}, + {file = "MarkupSafe-1.1.1-cp27-cp27m-win32.whl", hash = "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b"}, + {file = "MarkupSafe-1.1.1-cp27-cp27m-win_amd64.whl", hash = "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e"}, + {file = "MarkupSafe-1.1.1-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f"}, + {file = "MarkupSafe-1.1.1-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-macosx_10_6_intel.whl", hash = "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-manylinux1_i686.whl", hash = "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-manylinux1_x86_64.whl", hash = "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-win32.whl", hash = "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-win_amd64.whl", hash = "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235"}, + {file = "MarkupSafe-1.1.1-cp35-cp35m-macosx_10_6_intel.whl", hash = "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b"}, + {file = "MarkupSafe-1.1.1-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f"}, + {file = "MarkupSafe-1.1.1-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905"}, + {file = 
"MarkupSafe-1.1.1-cp35-cp35m-win32.whl", hash = "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1"}, + {file = "MarkupSafe-1.1.1-cp35-cp35m-win_amd64.whl", hash = "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-macosx_10_6_intel.whl", hash = "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-win32.whl", hash = "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-win_amd64.whl", hash = "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-macosx_10_6_intel.whl", hash = "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-win32.whl", hash = "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-win_amd64.whl", hash = "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c"}, + {file = "MarkupSafe-1.1.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15"}, + {file = "MarkupSafe-1.1.1-cp38-cp38-manylinux1_i686.whl", hash = "sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2"}, + {file = 
"MarkupSafe-1.1.1-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42"}, + {file = "MarkupSafe-1.1.1-cp38-cp38-win32.whl", hash = "sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b"}, + {file = "MarkupSafe-1.1.1-cp38-cp38-win_amd64.whl", hash = "sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be"}, + {file = "MarkupSafe-1.1.1.tar.gz", hash = "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b"}, +] +netaddr = [ + {file = "netaddr-0.8.0-py2.py3-none-any.whl", hash = "sha256:9666d0232c32d2656e5e5f8d735f58fd6c7457ce52fc21c98d45f2af78f990ac"}, + {file = "netaddr-0.8.0.tar.gz", hash = "sha256:d6cc57c7a07b1d9d2e917aa8b36ae8ce61c35ba3fcd1b83ca31c5a0ee2b5a243"}, +] +pbr = [ + {file = "pbr-5.5.0-py2.py3-none-any.whl", hash = "sha256:5adc0f9fc64319d8df5ca1e4e06eea674c26b80e6f00c530b18ce6a6592ead15"}, + {file = "pbr-5.5.0.tar.gz", hash = "sha256:14bfd98f51c78a3dd22a1ef45cf194ad79eee4a19e8e1a0d5c7f8e81ffe182ea"}, +] +pycparser = [ + {file = "pycparser-2.20-py2.py3-none-any.whl", hash = "sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705"}, + {file = "pycparser-2.20.tar.gz", hash = "sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0"}, +] +pyopenssl = [ + {file = "pyOpenSSL-19.1.0-py2.py3-none-any.whl", hash = "sha256:621880965a720b8ece2f1b2f54ea2071966ab00e2970ad2ce11d596102063504"}, + {file = "pyOpenSSL-19.1.0.tar.gz", hash = "sha256:9a24494b2602aaf402be5c9e30a0b82d4a5c67528fe8fb475e3f3bc00dd69507"}, +] +python-dateutil = [ + {file = "python-dateutil-2.8.1.tar.gz", hash = "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c"}, + {file = "python_dateutil-2.8.1-py2.py3-none-any.whl", hash = "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"}, +] +pyyaml = [ + {file = "PyYAML-5.3.1-cp27-cp27m-win32.whl", hash = 
"sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f"}, + {file = "PyYAML-5.3.1-cp27-cp27m-win_amd64.whl", hash = "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76"}, + {file = "PyYAML-5.3.1-cp35-cp35m-win32.whl", hash = "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2"}, + {file = "PyYAML-5.3.1-cp35-cp35m-win_amd64.whl", hash = "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c"}, + {file = "PyYAML-5.3.1-cp36-cp36m-win32.whl", hash = "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2"}, + {file = "PyYAML-5.3.1-cp36-cp36m-win_amd64.whl", hash = "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648"}, + {file = "PyYAML-5.3.1-cp37-cp37m-win32.whl", hash = "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a"}, + {file = "PyYAML-5.3.1-cp37-cp37m-win_amd64.whl", hash = "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf"}, + {file = "PyYAML-5.3.1-cp38-cp38-win32.whl", hash = "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97"}, + {file = "PyYAML-5.3.1-cp38-cp38-win_amd64.whl", hash = "sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee"}, + {file = "PyYAML-5.3.1.tar.gz", hash = "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d"}, +] +requests = [ + {file = "requests-2.24.0-py2.py3-none-any.whl", hash = "sha256:fe75cc94a9443b9246fc7049224f75604b113c36acb93f87b80ed42c44cbb898"}, + {file = "requests-2.24.0.tar.gz", hash = "sha256:b3559a131db72c33ee969480840fff4bb6dd111de7dd27c8ee1f820f4f00231b"}, +] +s3transfer = [ + {file = "s3transfer-0.3.3-py2.py3-none-any.whl", hash = "sha256:2482b4259524933a022d59da830f51bd746db62f047d6eb213f2f8855dcb8a13"}, + {file = "s3transfer-0.3.3.tar.gz", hash = "sha256:921a37e2aefc64145e7b73d50c71bb4f26f46e4c9f414dc648c6245ff92cf7db"}, +] +six = [ + {file = "six-1.15.0-py2.py3-none-any.whl", hash = 
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"}, + {file = "six-1.15.0.tar.gz", hash = "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259"}, +] +urllib3 = [ + {file = "urllib3-1.22-py2.py3-none-any.whl", hash = "sha256:06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b"}, + {file = "urllib3-1.22.tar.gz", hash = "sha256:cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f"}, +] +zipp = [ + {file = "zipp-1.2.0-py2.py3-none-any.whl", hash = "sha256:e0d9e63797e483a30d27e09fffd308c59a700d365ec34e93cc100844168bf921"}, + {file = "zipp-1.2.0.tar.gz", hash = "sha256:c70410551488251b0fee67b460fb9a536af8d6f9f008ad10ac51f615b6a521b1"}, +] diff --git a/ansible/provision-sft.yml b/ansible/provision-sft.yml new file mode 100644 index 000000000..503dbb0e4 --- /dev/null +++ b/ansible/provision-sft.yml @@ -0,0 +1,12 @@ +# This role requires access to s3 buckets and has a few variables that need to +# be set. When run with any variables missing, it will complain about those +# variables. +- hosts: localhost + become: no + roles: + - role: sft-monitoring-certs + +- hosts: sft_servers + roles: + - role: sft-server + - role: srv-announcer diff --git a/ansible/pyproject.toml b/ansible/pyproject.toml index cf2e46100..ca580b16a 100644 --- a/ansible/pyproject.toml +++ b/ansible/pyproject.toml @@ -5,7 +5,7 @@ description = "" authors = ["jschaul "] [tool.poetry.dependencies] -python = "^2.7 || >=3.5" +python = ">=3.5" ansible = "2.7.*" ansible-modules-hashivault = "*" boto = "*" @@ -16,8 +16,11 @@ jinja2 = ">= 2.10.1" pbr = "^5.2" hvac = ">= 0.8" jmespath = ">= 0.9.4" -"ruamel.yaml" = ">= 0.15.96" +# "ruamel.yaml" = ">= 0.15.96" PyYAML = "*" +pyOpenSSL = "*" +zipp = "*" # Not a real dependency, but poetry2nix doesn't work without this, I + # don't understand enough nix to debug this. [tool.poetry.dev-dependencies] diff --git a/ansible/requirements.yml b/ansible/requirements.yml index bb33deb01..40d7d74f2 100644 
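Review bot: The `# "ruamel.yaml" = ">= 0.15.96"` line in the `[tool.poetry.dependencies]` hunk is a commented-out dependency with no explanation, so a later reader cannot tell whether it was dropped deliberately or is waiting to be restored. Either delete the line or replace it with a comment stating the reason (the diff does not show one; if it is tied to the python 2.7 removal in the first hunk, say so). The new `pyOpenSSL = "*"` has no version floor, so only poetry.lock (which resolves it to 19.1.0 in this same change) pins it; a floor such as `pyOpenSSL = ">= 19.1"` would record the minimum the playbooks were tested against in case the lock is regenerated.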
--- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -59,3 +59,11 @@ - src: git+https://github.com/wireapp/ansible-ntp-verify.git name: ansible-ntp-verify version: v0.0.1 + +- src: git+https://github.com/nickhammond/ansible-logrotate.git + name: logrotate + version: "91d570f68c44261d2051a99a2b3c7d736306bf0d" # 2018-02-16 + +- src: git+https://github.com/wireapp/ansible-sft.git + name: sft + version: "369db98e2e1ddf156ea0c9dbd2801c9d83e10a5a" # master (2020-09-25) diff --git a/charts/backoffice/templates/configmap.yaml b/charts/backoffice/templates/configmap.yaml index cfff8fbcc..1973f10b0 100644 --- a/charts/backoffice/templates/configmap.yaml +++ b/charts/backoffice/templates/configmap.yaml @@ -126,8 +126,8 @@ data: ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_timeout 5m; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; server { listen {{ .Values.service.internalPort }}; diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml index 88b57854c..f397f28a3 100644 --- a/charts/brig/templates/configmap.yaml +++ b/charts/brig/templates/configmap.yaml 
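Review bot: The new `ssl_ciphers` list in the backoffice nginx config ends with two `DHE-RSA-*` suites, but nothing in the hunk sets `ssl_dhparam`; since nginx 1.11.0 DHE suites are silently left out of the handshake unless `ssl_dhparam` is configured, so either add `ssl_dhparam` with a 2048-bit-or-larger group (not visible here — check the rest of the `server` block) or drop the two DHE entries so the list reflects what is actually offered. Also note that `ssl_ciphers` only governs TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL and `TLSv1.3` in `ssl_protocols` only takes effect on nginx built against OpenSSL 1.1.1 or later, which the chart does not show. A one-line comment above the directive, e.g. `# TLS 1.2 allow-list only; TLS 1.3 suites are not affected by ssl_ciphers`, would save the next reader the same check. The enclosing `server` block continues outside the hunk.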
@@ -150,6 +150,19 @@ data: configTTL: 3600 # 1 hour tokenTTL: 43200 # 12 hours + {{- if .sft }} + {{- with .sft }} + sft: + sftBaseDomain: {{ required "Missing value: .sft.sftBaseDomain" .sftBaseDomain }} + {{- if .sftSRVServiceName }} + sftSRVServiceName: {{ .sftSRVServiceName }} + {{- end }} + {{- if .sftDiscoveryIntervalSeconds }} + sftDiscoveryIntervalSeconds: {{ .sftDiscoveryIntervalSeconds }} + {{- end }} + {{- end }} + {{- end }} + {{- with .optSettings }} optSettings: setActivationTimeout: {{ .setActivationTimeout }} diff --git a/charts/nginx-ingress-controller/values.yaml b/charts/nginx-ingress-controller/values.yaml index 59522b40b..a785cd545 100644 --- a/charts/nginx-ingress-controller/values.yaml +++ b/charts/nginx-ingress-controller/values.yaml @@ -4,7 +4,7 @@ nginx-ingress: controller: config: # NOTE: These are some sane defaults, you may want to overrride them on your own installation - ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256" + ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256" http2-max-field-size: 16k http2-max-header-size: 32k proxy-buffer-size: 16k diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl index 0a1675615..d8d9c47a0 100644 --- a/charts/nginz/templates/conf/_nginx.conf.tpl +++ b/charts/nginz/templates/conf/_nginx.conf.tpl @@ -229,7 +229,7 @@ http { # remove access_token from logs, see 'Note sanitized_request' above. set $sanitized_request $request; - if ($sanitized_request ~ (.*)access_token=[^&]*(.*)) { + if ($sanitized_request ~ (.*)access_token=[^&\s]*(.*)) { set $sanitized_request $1access_token=****$2; } 
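Review bot: The `{{- if .sft }}` wrapper around `{{- with .sft }}` in the brig configmap is redundant: `with` already skips its body when `.sft` is empty, so the outer `if` adds a nesting level and a second `{{- end }}` without changing behaviour. Collapse it to the single `{{- with .sft }}` … `{{- end }}` pair, matching how `{{- with .optSettings }}` is written just below. The `required "Missing value: .sft.sftBaseDomain"` guard is the right check and should stay.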
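Review bot: The repaired pattern `(.*)access_token=[^&\s]*(.*)` still masks only one occurrence: the leading `(.*)` is greedy, so with a request that carries the parameter twice, `$1` keeps the first `access_token=<value>` in clear and only the last one becomes `****`. nginx `if` cannot loop or do a global substitution, so if the backend accepts repeated query parameters this is a residual leak into the access log that deserves a comment next to the directive, e.g. `# NOTE: only the last access_token= occurrence is masked; nginx cannot substitute globally here`. Whether the match should be case-insensitive (`~*`) depends on how the backend parses the parameter, which is not visible in this hunk.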
diff --git a/nix/sources.json b/nix/sources.json new file mode 100644 index 000000000..bed1841de --- /dev/null +++ b/nix/sources.json @@ -0,0 +1,38 @@ +{ + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "fad2a6cbfb2e7cdebb7cb0ad2f5cc91e2c9bc06b", + "sha256": "0mghc1j0rd15spdjx81bayjqr0khc062cs25y5dcfzlxk4ynyc6m", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/fad2a6cbfb2e7cdebb7cb0ad2f5cc91e2c9bc06b.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs": { + "branch": "nixpkgs-unstable", + "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", + "homepage": "https://github.com/NixOS/nixpkgs", + "owner": "NixOS", + "repo": "nixpkgs-channels", + "rev": "707bed528c3c8df388175656d441b672fac68942", + "sha256": "11i5iqz513whaq40q391rlqd36fdj6hs86pqbsgdnxfsjasarf3y", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs-channels/archive/707bed528c3c8df388175656d441b672fac68942.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "poetry2nix": { + "branch": "master", + "description": "Convert poetry projects to nix automagically [maintainer=@adisbladis] ", + "homepage": "", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "ab40bbdc964b7cc0a69d6f9ce77afbc79bb6e815", + "sha256": "0ysygfhd4w6vh5nz6vm9npshzq00fb9cc7qawrin10lkai2xcgd1", + "type": "tarball", + "url": "https://github.com/nix-community/poetry2nix/archive/ab40bbdc964b7cc0a69d6f9ce77afbc79bb6e815.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/nix/sources.nix b/nix/sources.nix new file mode 100644 index 000000000..8a725cb4e --- /dev/null +++ b/nix/sources.nix 
@@ -0,0 +1,134 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: spec: + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; } + else + pkgs.fetchurl { inherit (spec) url sha256; }; + + fetch_tarball = pkgs: spec: + if spec.builtin or true then + builtins_fetchTarball { inherit (spec) url sha256; } + else + pkgs.fetchzip { inherit (spec) url sha256; }; + + fetch_git = spec: + builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; }; + + fetch_builtin-tarball = spec: + builtins.trace + '' + WARNING: + The niv type "builtin-tarball" will soon be deprecated. You should + instead use `builtin = true`. + + $ niv modify -a type=tarball -a builtin=true + '' + builtins_fetchTarball { inherit (spec) url sha256; }; + + fetch_builtin-url = spec: + builtins.trace + '' + WARNING: + The niv type "builtin-url" will soon be deprecated. You should + instead use `builtin = true`. + + $ niv modify -a type=file -a builtin=true + '' + (builtins_fetchurl { inherit (spec) url sha256; }); + + # + # Various helpers + # + + # The set of packages used when specs are fetched using non-builtins. + mkPkgs = sources: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) {}; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! 
builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs spec + else if spec.type == "tarball" then fetch_tarball pkgs spec + else if spec.type == "git" then fetch_git spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball spec + else if spec.type == "builtin-url" then fetch_builtin-url spec + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball { inherit url; } + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl { inherit url; } + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = fetch config.pkgs name spec; } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? ./sources.json + , sources ? builtins.fromJSON (builtins.readFile sourcesFile) + , pkgs ? mkPkgs sources + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. 
non-builtin fetchers + inherit pkgs; + }; +in +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/shell.nix b/shell.nix index 7047a9d83..bedd3e6ef 100644 --- a/shell.nix +++ b/shell.nix @@ -1,8 +1,28 @@ -{ pkgs ? import {}}: -pkgs.mkShell { - buildInputs = [ - pkgs.kubectl - pkgs.kubernetes-helm - pkgs.python27Packages.poetry +let + sources = import ./nix/sources.nix; + + pkgs = import sources.nixpkgs { + overlays = [ (import (sources.poetry2nix + "/overlay.nix")) ]; + }; + + poetryEnv = pkgs.poetry2nix.mkPoetryEnv { + projectDir = ./ansible; + python = pkgs.python37; + overrides = pkgs.poetry2nix.overrides.withDefaults ( self: super: { + psutil = super.psutil.overridePythonAttrs (old: rec { + doCheck = false; + }); + paramiko = super.paramiko.overridePythonAttrs (old: rec { + doCheck = false; + }); + }); + }; +in +pkgs.mkShell{ + name = "wire-server-deploy"; + nativeBuildInputs = [ poetryEnv ] ; + buildInputs = with pkgs; [ + terraform_0_13 + python37Packages.poetry ]; } diff --git a/terraform/README.md b/terraform/README.md new file mode 100644 index 000000000..53bbd7d3c --- /dev/null +++ b/terraform/README.md 
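Review bot: `doCheck = false` on the `paramiko` and `psutil` overrides in shell.nix silently drops those packages' test suites without a reason, and paramiko is the SSH implementation every ansible run in this repository goes through. Add a why-comment on each override stating what fails under poetry2nix (the diff does not show the cause), e.g. `# paramiko tests fail in the poetry2nix sandbox; skipped, this is not a correctness statement`, so the skip can be revisited when the pinned nixpkgs or poetry2nix rev in nix/sources.json is bumped.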
@@ -0,0 +1,67 @@ +# Terraform for wire-server + +This directory contains (aspires to contain) all the terraform required to setup +wire-server. The `environment` directory is to be considered the "root" +directory of terraform. + +## How to create a new environment + +Recommended: Use nix-shell from the root of this repository to ensure that you +have the right version of terraform. + +Run all commands from `terraform/environment` directory. + +1. Export `ENV_DIR` environment variable to a directory where you want to store + data specific to an environment. Ensure that this directory exists. + + For Wire employees, please create this directory in `cailleach/environments`. + If cailleach is not checked-out as a sibling directory to wire-server-deploy, + please export `CAILLEACH_DIR` as absolute path to the cailleach directory. + Additionally, export `ENV` as the name of the environment. For the rest of + this README, please consider `ENV_DIR` to be + `${CAILLEACH_DIR}/environments/${ENV}`. +1. Create backend-config in `"$ENV_DIR/backend.tfvars` which looks like this: + ```tf + region = "" + bucket = "" + key = "" + dynamodb_table = "" + ``` + + Please refer to [s3 backend + docs](https://www.terraform.io/docs/backends/types/s3.html) for details. +1. Create token from hetzner cloud and put the following contents (including the export) + in a file called `$ENV_DIR/hcloud-token.dec`[1]: + ``` + export HCLOUD_TOKEN= + ``` +1. Create ssh key-pair, put the private key in a file called + `$ENV_DIR/operator-ssh.dec`[1]. Example: + + ```bash + ssh-keygen -o -a 100 -t ed25519 -f "$ENV_DIR/operator-ssh.dec" -C "example@example.com" + # see footnote 2 if you're a wire employee + ``` +1. Create variables for the environment in `$ENV_DIR/terraform.tfvars`, example: + ```tf + environment = + sft_server_names = ["1", "2"] + root_domain = "example.com" + operator_ssh_public_key = + ``` + Delete operator-ssh.dec.pub. +1. Initialiaze terraform + ``` + make init + ``` +1. 
Apply terraform + ``` + make apply + ``` +1. To bootstrap the nodes, please refer to the [ansible README](../ansible/README.md) + +[1]For wire employees: Encrypt this file using `sops`, it will not +work in the `nix-shell`, so change shell as needed. + +[2]For wire employees: Use "backend+${ENV}-operator@wire.com" as a +convention. diff --git a/terraform/environment/Makefile b/terraform/environment/Makefile new file mode 100644 index 000000000..19c365620 --- /dev/null +++ b/terraform/environment/Makefile @@ -0,0 +1,31 @@ +ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) +# Please ignore this if you're not a wire employee +CAILLEACH_DIR:=$(abspath ${ROOT_DIR}/../../../cailleach) +SHELL:=/usr/bin/env bash + +.PHONY: init +init: check-env + cd ${ENV_DIR} && \ + terraform init -backend-config=${ENV_DIR}/backend.tfvars ${ROOT_DIR} + +.PHONY: apply +apply: check-env + cd ${ENV_DIR} && \ + source hcloud-token.dec && \ + terraform apply -var 'inventory_file=./gen/terraform-inventory.yml' ${ROOT_DIR} + +.PHONY: destroy +destroy: check-env + cd ${ENV_DIR} && \ + source hcloud-token.dec && \ + terraform destroy -var 'inventory_file=./gen/terraform-inventory.yml' ${ROOT_DIR} + +.PHONY: check-env +check-env: +ifndef ENV_DIR +ifndef ENV + $(error please define either ENV or ENV_DIR) +else +ENV_DIR=${CAILLEACH_DIR}/environments/${ENV} +endif +endif diff --git a/terraform/environment/aws.tf b/terraform/environment/aws.tf new file mode 100644 index 000000000..46595d608 --- /dev/null +++ b/terraform/environment/aws.tf @@ -0,0 +1,7 @@ +variable "aws_region" { + default = "eu-central-1" +} + +provider "aws" { + region = var.aws_region +} diff --git a/terraform/environment/hcloud.tf b/terraform/environment/hcloud.tf new file mode 100644 index 000000000..a4bf30e21 --- /dev/null +++ b/terraform/environment/hcloud.tf 
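Review bot: `check-env` in terraform/environment/Makefile only derives `ENV_DIR`; unlike the ansible Makefile's `check-env`, it never verifies that `backend.tfvars` and `hcloud-token.dec` exist, so a missing file surfaces as a bash `source: No such file` or a cryptic terraform backend error instead of a clear message. Mirroring the ansible `$(wildcard …)` guards makes the failure explicit before `terraform init`/`apply` runs; if `init` should work without the Hetzner token, attach the second guard to `apply`/`destroy` only. Note also that `SHELL` here is plain bash without `-eo pipefail`, unlike the ansible Makefile; the recipes chain with `&&`, so this is fine today, but the two files could share the same prologue. The `$(error …)` lines below must be tab-indented recipe lines, as in the existing `ifndef` block.

```make
check-env:
# … unchanged: ENV / ENV_DIR resolution …
ifeq ("$(wildcard ${ENV_DIR}/backend.tfvars)", "")
	$(error please make sure ${ENV_DIR}/backend.tfvars exists)
endif
ifeq ("$(wildcard ${ENV_DIR}/hcloud-token.dec)", "")
	$(error please make sure ${ENV_DIR}/hcloud-token.dec exists and exports HCLOUD_TOKEN)
endif
```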
@@ -0,0 +1,20 @@ +variable "hcloud_image" { + default = "ubuntu-18.04" +} + +variable "hcloud_location" { + default = "nbg1" +} + +variable "operator_ssh_public_key" { + type = string +} + +provider "hcloud" { + # NOTE: You must have a HCLOUD_TOKEN environment variable set! +} + +resource "hcloud_ssh_key" "operator_ssh" { + name = "${var.environment}-operator" + public_key = var.operator_ssh_public_key +} diff --git a/terraform/environment/inventory.tf b/terraform/environment/inventory.tf new file mode 100644 index 000000000..62686e4f0 --- /dev/null +++ b/terraform/environment/inventory.tf @@ -0,0 +1,24 @@ +# Generates an inventory file to be used by ansible. Ideally, we would generate +# this outside terraform using outputs, but it is not possible to use 'terraform +# output' when the init directory is different from the root code directory. +# Terraform Issue: https://github.com/hashicorp/terraform/issues/17300 +resource "local_file" "inventory" { + filename = var.inventory_file + content = jsonencode({ + "sft_servers" = { + "hosts" = { for instance in module.sft[0].sft.instances : instance.hostname => { + "ansible_host" = instance.ipaddress + "ansible_ssh_user" = "root" + "ansible_python_interpreter" = "/usr/bin/python3" + "sft_fqdn" = instance.fqdn + + "srv_announcer_zone_domain" = var.root_domain + "srv_announcer_aws_key_id" = module.sft[0].sft.aws_key_id + "srv_announcer_aws_access_key" = module.sft[0].sft.aws_access_key + "srv_announcer_aws_region" = module.sft[0].sft.aws_region + "srv_announcer_record_name": "_sft._tcp.${var.environment}" + "srv_announcer_record_target": instance.fqdn + }} + } + }) +} diff --git a/terraform/environment/main.tf b/terraform/environment/main.tf new file mode 100644 index 000000000..62edef8f7 --- /dev/null +++ b/terraform/environment/main.tf @@ -0,0 +1,11 @@ +variable "environment" { + type = string +} + +variable "root_domain" { + type = string +} + +variable "inventory_file" { + type = string +} 
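Review bot: `local_file.inventory` in inventory.tf writes `srv_announcer_aws_access_key` — an IAM secret access key — in clear text to `var.inventory_file` (`gen/terraform-inventory.yml` under `ENV_DIR`, per the Makefile), with the provider's default file mode and with the full content echoed in `terraform plan` output. Use `sensitive_content` instead of `content` so the secret is redacted from plan/apply logs, and set `file_permission = "0600"` if the pinned `hashicorp/local ~> 1.4.0` provider supports it (I believe 1.4.0 introduced that attribute — confirm). A comment such as `# contains AWS credentials for srv-announcer: keep gen/ out of git and encrypt or delete it after the ansible run` belongs above the resource, since the README only covers encrypting the `.dec` files. The secret is still in the terraform state as well, which the S3 backend in this change stores with `encrypt = true`.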
diff --git a/terraform/environment/sft.tf b/terraform/environment/sft.tf new file mode 100644 index 000000000..03602d365 --- /dev/null +++ b/terraform/environment/sft.tf @@ -0,0 +1,26 @@ +variable "sft_server_names" { + default = [] + type = list(string) +} + +variable "sft_a_record_ttl" { + default = 60 +} + +variable "sft_server_type" { + default = "cx11" +} + +module "sft" { + count = min(1, length(var.sft_server_names)) + + source = "../modules/sft" + root_domain = var.root_domain + environment = var.environment + server_names = var.sft_server_names + a_record_ttl = var.sft_a_record_ttl + server_type = var.sft_server_type + image = var.hcloud_image + location = var.hcloud_location + ssh_keys = [hcloud_ssh_key.operator_ssh.name] +} diff --git a/terraform/environment/terraform.tf b/terraform/environment/terraform.tf new file mode 100644 index 000000000..6b34e4be5 --- /dev/null +++ b/terraform/environment/terraform.tf @@ -0,0 +1,23 @@ +terraform { + required_version = "0.13.1" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 2.58" + } + hcloud = { + source = "terraform-providers/hcloud" + version = "~> 1.19" + } + local = { + source = "hashicorp/local" + version = "~> 1.4.0" + } + } + + backend s3 { + encrypt = true + } + +} diff --git a/terraform/modules/aws-cargohold-asset-storage/outputs.tf b/terraform/modules/aws-cargohold-asset-storage/outputs.tf index 01ee76ccf..856b68954 100644 --- a/terraform/modules/aws-cargohold-asset-storage/outputs.tf +++ b/terraform/modules/aws-cargohold-asset-storage/outputs.tf @@ -12,10 +12,6 @@ output "s3_endpoint" { value = "https://s3.${aws_s3_bucket.asset_storage.region}.amazonaws.com" } -output "s3_endpoint_CIDRs" { - value = aws_vpc_endpoint.s3.cidr_blocks -} - output "s3_endpoint_id" { value = aws_vpc_endpoint.s3.id } 
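Review bot: `required_version = "0.13.1"` in terraform/environment/terraform.tf is an exact pin, while shell.nix in this same change supplies `terraform_0_13` from a pinned nixpkgs rev — whichever 0.13.x that attribute resolves to; if it is not exactly 0.13.1, `terraform init` from the recommended nix-shell fails on the constraint. A pessimistic constraint, `required_version = "~> 0.13.1"`, keeps the 0.13 line without coupling to a single patch release. The `hcloud` provider source `terraform-providers/hcloud` is, as far as I know, the legacy namespace that the registry redirects from; `hetznercloud/hcloud` is the canonical one and worth at least a TODO comment.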
@@ -26,4 +22,8 @@ output "cargohold_access_key" { output "cargohold_access_secret" { value = aws_iam_access_key.cargohold.secret -} \ No newline at end of file +} + +output "talk_to_S3" { + value = aws_security_group.talk_to_S3.id +} diff --git a/terraform/modules/aws-cargohold-asset-storage/resources.s3.tf b/terraform/modules/aws-cargohold-asset-storage/resources.s3.tf index 4fdec1302..0973186d3 100644 --- a/terraform/modules/aws-cargohold-asset-storage/resources.s3.tf +++ b/terraform/modules/aws-cargohold-asset-storage/resources.s3.tf @@ -34,19 +34,3 @@ resource "aws_vpc_endpoint" "s3" { } } -data "aws_route_tables" "private" { - vpc_id = var.vpc_id - - filter { - name = "association.subnet-id" - values = var.subnet_ids - } -} - -# the routing table association that allows nodes to route traffic to the S3 endpoint. -resource "aws_vpc_endpoint_route_table_association" "private_s3" { - for_each = { for k, v in data.aws_route_tables.private.ids : v => v } - - route_table_id = each.value - vpc_endpoint_id = aws_vpc_endpoint.s3.id -} diff --git a/terraform/modules/aws-cargohold-asset-storage/resources.security_groups.tf b/terraform/modules/aws-cargohold-asset-storage/resources.security_groups.tf new file mode 100644 index 000000000..8692f388c --- /dev/null +++ b/terraform/modules/aws-cargohold-asset-storage/resources.security_groups.tf @@ -0,0 +1,17 @@ +resource "aws_security_group" "talk_to_S3" { + name = "talk_to_S3" + description = "hosts that are allowed to talk to S3." + vpc_id = var.vpc_id + + egress { + description = "" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = aws_vpc_endpoint.s3.cidr_blocks + } + + tags = { + Name = "talk_to_S3" + } +} diff --git a/terraform/modules/aws-cargohold-asset-storage/variables.tf b/terraform/modules/aws-cargohold-asset-storage/variables.tf index fef5cc5ea..28bb5afcb 100644 --- a/terraform/modules/aws-cargohold-asset-storage/variables.tf +++ b/terraform/modules/aws-cargohold-asset-storage/variables.tf 
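Review bot: `aws_security_group.talk_to_S3` in resources.security_groups.tf copies the gateway endpoint's CIDR list into individual egress rules via `cidr_blocks = aws_vpc_endpoint.s3.cidr_blocks`; the S3 prefix list is long and changes over time, so this both drifts and consumes the per-group rule quota, whereas `prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]` expresses the same least-privilege intent with one rule that AWS keeps current. The hard-coded `name = "talk_to_S3"` also means two instances of this module in the same VPC collide on the name; `name_prefix` or a name derived from a module input (none is visible in this hunk) avoids that. The empty `description = ""` on the egress rule could say `"HTTPS to the S3 gateway endpoint"`.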
@@ -21,7 +21,4 @@ variable "vpc_id" { description = "the ID of the VPC to add an S3 endpoint to" } -variable "subnet_ids" { - type = list(string) - description = "list of the subnet IDs of the subnets to make the S3 endpoint available to." -} \ No newline at end of file + diff --git a/terraform/modules/aws-gundeck-push-notifications/data.tf b/terraform/modules/aws-gundeck-push-notifications/data.tf index c090d892c..88c73b496 100644 --- a/terraform/modules/aws-gundeck-push-notifications/data.tf +++ b/terraform/modules/aws-gundeck-push-notifications/data.tf @@ -1,3 +1,5 @@ # NOTE: obtains region that is set in providers.tf by given variable # -data "aws_region" "current" {} \ No newline at end of file +data "aws_region" "current" {} + +data "aws_caller_identity" "current" {} diff --git a/terraform/modules/aws-gundeck-push-notifications/outputs.tf b/terraform/modules/aws-gundeck-push-notifications/outputs.tf index af1b8dec9..fdeeff0eb 100644 --- a/terraform/modules/aws-gundeck-push-notifications/outputs.tf +++ b/terraform/modules/aws-gundeck-push-notifications/outputs.tf @@ -19,3 +19,7 @@ output "gundeck_access_key" { output "gundeck_access_secret" { value = aws_iam_access_key.gundeck.secret } + +output "aws_account_id" { + value = data.aws_caller_identity.current.account_id +} diff --git a/terraform/modules/aws-network-load-balancer/README.md b/terraform/modules/aws-network-load-balancer/README.md new file mode 100644 index 000000000..10f4bcc96 --- /dev/null +++ b/terraform/modules/aws-network-load-balancer/README.md 
@@ -0,0 +1,71 @@
+Terraform module: Network load balancer
+=======================================
+
+State: __experimental__
+
+This module creates a network load balancer for HTTP (port 80) and HTTPS (port 443) traffic.
+It uses a *target group* for each port and attaches all instances that share the given *role*
+to each group. It furthermore uses the given target ports to check their health.
+
+Load balancing happens across availability zones. The VPC is determined by the given environment.
+The subnets used within the VPC are assumed to
+
+a) have an internet gateway
+b) be attached to the machines referred to by IP via list of `node_ips``
+
+*Please note, in order for this to work, ingress has to be allowed on the given target ports on all target machines.
+Furthermore, since those target machines - referred to by IP - are not part of an auto-scaling group, the instance of
+this module has to be re-applied every time the set of machines changes.*
+
+AWS resources: lb (type: network)
+
+#### How to use the module
+
+```hcl
+module "nlb" {
+ source = "github.com/wireapp/wire-server-deploy.git//terraform/modules/aws-network-load-balancer?ref=CHANGE-ME"
+
+ environment = "staging"
+
+ node_ips = ["10.0.23.17", "10.0.42.78", "10.0.222.171"]
+ subnet_ids = ["subnet-0001", "subnet-0002", "subnet-0003"]
+
+ http_target_port = 3000
+ https_target_port = 3001
+}
+```
+
+One way to generate the IPs and subnets lists would be to refer to the respective resources, or
+attributes of another resource (e.g. VPC). Alternatively, you may want to obtain those lists
+with the help of some data sources, e.g.
+
+```hcl
+data "aws_subnet_ids" "public" {
+ vpc_id = var.vpc_id
+
+ filter {
+ name = "tag:Environment"
+ values = ["staging"]
+ }
+
+ filter {
+ name = "tag:Routability"
+ values = ["public"]
+ }
+}
+
+
+data "aws_instances" "nodes" {
+ filter {
+ name = "tag:Environment"
+ values = ["staging"]
+ }
+
+ filter {
+ name = "tag:Role"
+ values = [ "kubenode" ]
+ }
+
+ instance_state_names = ["running"]
+}
+```
\ No newline at end of file
diff --git a/terraform/modules/aws-network-load-balancer/data.tf b/terraform/modules/aws-network-load-balancer/data.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/terraform/modules/aws-network-load-balancer/main.tf b/terraform/modules/aws-network-load-balancer/main.tf
new file mode 100644
index 000000000..ec900db26
--- /dev/null
+++ b/terraform/modules/aws-network-load-balancer/main.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = "~> 0.12"
+}
diff --git a/terraform/modules/aws-network-load-balancer/outputs.tf b/terraform/modules/aws-network-load-balancer/outputs.tf
new file mode 100644
index 000000000..dd14ad914
--- /dev/null
+++ b/terraform/modules/aws-network-load-balancer/outputs.tf
@@ -0,0 +1,3 @@
+output "fqdn" {
+ value = aws_lb.nlb.dns_name
+}
diff --git a/terraform/modules/aws-network-load-balancer/resources.lb.tf b/terraform/modules/aws-network-load-balancer/resources.lb.tf
new file mode 100644
index 000000000..d5b65e3bb
--- /dev/null
+++ b/terraform/modules/aws-network-load-balancer/resources.lb.tf
@@ -0,0 +1,107 @@
+resource "aws_lb" "nlb" {
+ name = "${var.environment}-loadbalancer"
+
+ internal = false
+ load_balancer_type = "network"
+ enable_cross_zone_load_balancing = true
+
+ subnets = var.subnet_ids
+
+ tags = {
+ Environment = var.environment
+ }
+}
+
+
+resource "aws_lb_listener" "ingress-http" {
+ load_balancer_arn = aws_lb.nlb.arn
+
+ port = 80
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.nodes-http.arn
+ }
+}
+
+
+resource "aws_lb_target_group" "nodes-http" {
+ name = "${var.environment}-nodes-http"
+
+ vpc_id = var.aws_vpc_id
+
+ # NOTE: using "instance" - as an alternative type - does not work due to the way security groups are being
+ # configured (VPC CIDR vs NLB network IP addresses)
+ # SRC: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups
+ # DOC: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html
+ target_type = "ip"
+ port = var.node_port_http
+ protocol = "TCP"
+
+ # docs: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html
+ #
+ health_check {
+ protocol = "TCP"
+ port = var.node_port_http
+ interval = 30 # NOTE: 10 or 30 seconds
+ # NOTE: defaults to 10 for TCP and is not allowed to be set when using an NLB
+ # timeout = 10
+ }
+
+ tags = {
+ Environment = var.environment
+ }
+}
+
+
+resource "aws_lb_target_group_attachment" "each-node-http" {
+ count = length(var.node_ips)
+
+ target_group_arn = aws_lb_target_group.nodes-http.arn
+ port = aws_lb_target_group.nodes-http.port
+ target_id = var.node_ips[count.index]
+}
+
+
+resource "aws_lb_listener" "ingress-https" {
+ load_balancer_arn = aws_lb.nlb.arn
+
+ port = 443
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.nodes-https.arn
+ }
+}
+
+
+resource "aws_lb_target_group" "nodes-https" {
+ name = 
"${var.environment}-nodes-https" + + vpc_id = var.aws_vpc_id + + target_type = "ip" + port = var.node_port_https + protocol = "TCP" + + health_check { + protocol = "TCP" + port = var.node_port_https + interval = 30 + } + + tags = { + Environment = var.environment + } +} + + +resource "aws_lb_target_group_attachment" "each-node-https" { + count = length(var.node_ips) + + target_group_arn = aws_lb_target_group.nodes-https.arn + port = aws_lb_target_group.nodes-https.port + target_id = var.node_ips[count.index] +} diff --git a/terraform/modules/aws-network-load-balancer/variables.tf b/terraform/modules/aws-network-load-balancer/variables.tf new file mode 100644 index 000000000..3594af862 --- /dev/null +++ b/terraform/modules/aws-network-load-balancer/variables.tf @@ -0,0 +1,32 @@ +variable "environment" { + type = string + description = "name of the environment as a scope for the created resources (default: 'dev'; example: 'prod', 'staging')" + default = "dev" +} + +variable "node_port_http" { + type = number + description = "HTTP port on the target machines that the LB forwards ingress from port 80 to" + default = 8080 +} + +variable "node_port_https" { + type = number + description = "HTTPS port on the target machines that the LB forwards ingress from port 443 to" + default = 8443 +} + +variable "node_ips" { + type = list(string) + description = "a list of private IPs from all nodes the load balancer forwards traffic to" +} + +variable "subnet_ids" { + type = list(string) + description = "a list of IDs from subnets where the nodes are part of, and the load balancer egress is attached to" +} + +variable "aws_vpc_id" { + type = string + description = "the ID of the VPC we are adding our targets to." +} diff --git a/terraform/modules/aws-vpc-security-groups/main.tf b/terraform/modules/aws-vpc-security-groups/main.tf index 2e7ca7b60..87ec45794 100644 --- a/terraform/modules/aws-vpc-security-groups/main.tf +++ b/terraform/modules/aws-vpc-security-groups/main.tf 
@@ -184,17 +184,6 @@ resource "aws_security_group" "talk_to_k8s" {
 description = "hosts that are allowed to speak to kubernetes."
 vpc_id = var.vpc_id
- # HACK: running out of security groups per instance.
- # adding this here since the admin node needs to talk to S3.
- # S3
- egress {
- description = ""
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = var.s3_CIDRs
- }
-
 # kubectl
 egress {
 description = ""
@@ -288,16 +277,6 @@ resource "aws_security_group" "k8s_private" {
 cidr_blocks = ["172.17.0.0/20"]
 }
- # HACK: running out of security groups, adding this here since all k8s nodes need to talk to S3.
- # S3
- egress {
- description = ""
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = var.s3_CIDRs
- }
-
 tags = {
 Name = "k8s_private"
 }
diff --git a/terraform/modules/aws-vpc-security-groups/variables.tf b/terraform/modules/aws-vpc-security-groups/variables.tf
index 0f010f23f..106bab921 100644
--- a/terraform/modules/aws-vpc-security-groups/variables.tf
+++ b/terraform/modules/aws-vpc-security-groups/variables.tf
@@ -3,8 +3,3 @@ variable "vpc_id" {
 description = "ID of VPC these security groups are for."
 }
-variable "s3_CIDRs" {
- type = list(string)
- description = "subnets that S3 gateways we are using exist in."
-}
-
diff --git a/terraform/modules/aws-vpc/main.tf b/terraform/modules/aws-vpc/main.tf
index 9a1c08e79..56365e07b 100644
--- a/terraform/modules/aws-vpc/main.tf
+++ b/terraform/modules/aws-vpc/main.tf
@@ -21,10 +21,6 @@ module "vpc" {
 enable_dns_hostnames = false
 enable_dns_support = true
- enable_dhcp_options = true
- dhcp_options_domain_name = var.dhcp_options_domain_name
- # dhcp_options_domain_name_servers =
-
 # In case we run terraform from within the environment.
 # VPC endpoint for DynamoDB
 enable_dynamodb_endpoint = true
diff --git a/terraform/modules/aws-vpc/outputs.tf b/terraform/modules/aws-vpc/outputs.tf
index 0b05c6354..decd6540d 100644
--- a/terraform/modules/aws-vpc/outputs.tf
+++ b/terraform/modules/aws-vpc/outputs.tf
@@ -10,3 +10,6 @@ output "private_subnets" {
 value = module.vpc.private_subnets
 }
+output "private_route_table_ids" {
+ value = module.vpc.private_route_table_ids
+}
diff --git a/terraform/modules/sft/dns.tf b/terraform/modules/sft/dns.tf
new file mode 100644
index 000000000..3a5db33b0
--- /dev/null
+++ b/terraform/modules/sft/dns.tf
@@ -0,0 +1,21 @@
+data "aws_route53_zone" "sft_zone" {
+ name = var.root_domain
+}
+
+resource "aws_route53_record" "sft_a" {
+ for_each = var.server_names
+
+ zone_id = data.aws_route53_zone.sft_zone.zone_id
+ name = "sft${each.value}.sft.${var.environment}"
+ type = "A"
+ ttl = var.a_record_ttl
+ records = [hcloud_server.sft[each.key].ipv4_address]
+}
+
+resource "aws_route53_record" "metrics_srv" {
+ zone_id = data.aws_route53_zone.sft_zone.zone_id
+ name = "_sft-metrics._tcp.${var.environment}"
+ type = "SRV"
+ ttl = var.metrics_srv_record_ttl
+ records = [for a_record in aws_route53_record.sft_a : "0 10 8443 ${a_record.fqdn}"]
+}
diff --git a/terraform/modules/sft/outputs.tf b/terraform/modules/sft/outputs.tf
new file mode 100644
index 000000000..549172aaa
--- /dev/null
+++ b/terraform/modules/sft/outputs.tf
@@ -0,0 +1,19 @@
+# TODO: It is absurd that srv-announcer requires this. All route53 resources are
+# scoped globally, figure out if we really need to do this.
+data "aws_region" "current" {}
+
+output "sft" {
+ value = {
+ sft_srv: "_sft._tcp.${var.environment}"
+ aws_key_id = aws_iam_access_key.srv-announcer.id
+ aws_access_key = aws_iam_access_key.srv-announcer.secret
+ aws_region = data.aws_region.current.name
+ instances = [ for server_name in var.server_names :
+ {
+ hostname = hcloud_server.sft[server_name].name
+ ipaddress = hcloud_server.sft[server_name].ipv4_address
+ fqdn = aws_route53_record.sft_a[server_name].fqdn
+ }
+ ]
+ }
+}
diff --git a/terraform/modules/sft/server.tf b/terraform/modules/sft/server.tf
new file mode 100644
index 000000000..70e91105c
--- /dev/null
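Review bot: `metrics_srv` publishes the metrics endpoint of every SFT host (port 8443, by FQDN) in the public zone, so anyone can enumerate the fleet and its scrape port; that is only acceptable if 8443 is authenticated or firewalled to the scraper, which nothing in this module establishes. Record the assumption next to the resource, e.g. `# Publicly resolvable on purpose; 8443 must be restricted to the metrics scraper at the host firewall.` The hard-coded `"0 10 8443 ${a_record.fqdn}"` also deserves a `# priority weight port target` comment so the next reader does not have to look up the SRV field order.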
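Review bot: `aws_access_key = aws_iam_access_key.srv-announcer.secret` puts a long-lived IAM secret into a non-sensitive output, so it is printed on every `terraform apply`/`terraform output` and ends up in CI logs; add `sensitive = true` to `output "sft"` (supported on the `>= 0.13` this module requires) and keep in mind the value still sits in plaintext in the state backend. The field names invite mistakes: `aws_key_id` is the access key ID and `aws_access_key` is the secret, whereas the gundeck and cargohold modules in this commit use `*_access_key`/`*_access_secret`, so `aws_secret_access_key` (with the consumer updated) would be clearer. `sft_srv:` uses the JSON-style separator while every other attribute uses `=`; both parse as HCL2, but the mix reads like a typo.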
+++ b/terraform/modules/sft/server.tf
@@ -0,0 +1,9 @@
+resource "hcloud_server" "sft" {
+ for_each = var.server_names
+
+ name = "${var.environment}-sft-${each.value}"
+ server_type = var.server_type
+ image = var.image
+ location = var.location
+ ssh_keys = var.ssh_keys
+}
diff --git a/terraform/modules/sft/srv-announcer-iam.tf b/terraform/modules/sft/srv-announcer-iam.tf
new file mode 100644
index 000000000..c14045fd2
--- /dev/null
+++ b/terraform/modules/sft/srv-announcer-iam.tf
@@ -0,0 +1,60 @@
+resource "aws_iam_user" "srv-announcer" {
+ name = "${var.environment}-srv-announcer"
+ force_destroy = true # TODO: Add a comment explaining this. Does this mean
+ # changing this user will make existing srv announcements
+ # fail?
+}
+
+resource "aws_iam_access_key" "srv-announcer" {
+ user = aws_iam_user.srv-announcer.name
+}
+
+# NOTE: Does not configure permissions for GeoLocation, because they are not
+# needed by the srv-announcer DOCS:
+# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html#required-permissions-resource-record-sets
+#
+resource "aws_iam_user_policy" "srv-announcer-recordsets" {
+ name = "${var.environment}-srv-announcer-route53-recordsets-policy"
+ user = aws_iam_user.srv-announcer.name
+
+ policy = <<-EOP
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws:route53:::hostedzone/${data.aws_route53_zone.sft_zone.zone_id}"
+ ]
+ }
+ ]
+ }
+ EOP
+}
+
+resource "aws_iam_user_policy" "srv-announcer-getrecordchanges" {
+ name = "${var.environment}-srv-announcer-route53-getrecordchanges-policy"
+ user = aws_iam_user.srv-announcer.name
+
+ policy = <<-EOP
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:GetChange",
+ "route53:ListHostedZonesByName"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+ }
+ EOP
+}
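Review bot: `hcloud_server.sft` receives a public IPv4 address and nothing in this module restricts inbound traffic to it, so the SFT ports and the metrics port advertised in DNS are reachable from anywhere until provisioning installs a host firewall; I assume the provisioning playbook does that, but it should be stated here: `# No cloud-side firewall is attached; inbound filtering is expected from the provisioning step.` `image` defaults to the floating alias `ubuntu-18.04`, so two applies can start from different base images; if reproducible hosts matter, pin an image ID or document that provisioning brings the host to a known state. Keying `for_each` on `var.server_names` is the right call, since adding or removing a name then does not recreate the other servers.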
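Review bot: The `srv-announcer-recordsets` policy grants `route53:ChangeResourceRecordSets` on the entire `var.root_domain` zone, and its static access key is handed to the SFT hosts through the module output, so a compromised SFT server can rewrite any record in the root domain (API and webapp hostnames, ACME DNS-01 challenges), not just `_sft._tcp.<env>`. Route 53 IAM, at least as of this provider generation, scopes this action to a hosted zone rather than to record names, so the practical least-privilege fix is to delegate `sft.<env>.<root_domain>` (or `<env>.<root_domain>`) to its own hosted zone and point `data.aws_route53_zone.sft_zone` at that. The `force_destroy` TODO can be resolved from the provider semantics: it lets Terraform delete the user even when access keys, a login profile or MFA devices were created outside Terraform, and it has no effect on existing DNS records until the key itself is gone, so `# force_destroy: allow destroy even if keys/MFA were added outside Terraform; existing records are unaffected.` is the comment to write. The `"*"` resource in the second policy is justified because `ListHostedZonesByName` only supports the wildcard; a one-line comment saying so will stop future reviewers from flagging it.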
diff --git a/terraform/modules/sft/variables.tf b/terraform/modules/sft/variables.tf
new file mode 100644
index 000000000..2b5de0cde
--- /dev/null
+++ b/terraform/modules/sft/variables.tf
@@ -0,0 +1,36 @@
+variable "root_domain" {
+ type = string
+}
+
+variable "environment" {
+ type = string
+}
+
+variable "server_names" {
+ description = "List of names of sft servers. The server will be availables at sft.."
+ type = set(string)
+}
+
+variable "a_record_ttl" {
+ type = number
+}
+
+variable "metrics_srv_record_ttl" {
+ default = 60
+}
+
+variable "server_type" {
+ default = "cx11"
+}
+
+variable "image" {
+ default = "ubuntu-18.04"
+}
+
+variable "location" {
+ default = "nbg1"
+}
+
+variable "ssh_keys" {
+ type = list
+}
diff --git a/terraform/modules/sft/versions.tf b/terraform/modules/sft/versions.tf
new file mode 100644
index 000000000..218393986
--- /dev/null
+++ b/terraform/modules/sft/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ hcloud = {
+ source = "terraform-providers/hcloud"
+ }
+ }
+ required_version = ">= 0.13"
+}
diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml
index 537983aa4..a27886719 100644
--- a/values/wire-server/demo-values.example.yaml
+++ b/values/wire-server/demo-values.example.yaml
@@ -28,6 +28,7 @@ brig:
 useSES: false
 aws: # change if using real AWS
+ region: "eu-west-1"
 sqsEndpoint: http://fake-aws-sqs:4568
 dynamoDBEndpoint: http://fake-aws-dynamodb:4567
 # these must match the table names created on fake or real AWS services
@@ -81,6 +82,7 @@ cargohold:
 config:
 aws: # change if using real AWS
+ region: "eu-west-1"
 s3Bucket: dummy-bucket
 s3Endpoint: http://fake-aws-s3:9000
 s3DownloadEndpoint: https://assets.example.com
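Review bot: `ssh_keys` uses the bare legacy `type = list`, which accepts elements of any type; make it `type = list(string)`, and give `server_type`, `image`, `location` and `metrics_srv_record_ttl` explicit types so a bad value fails at plan time rather than inside the provider. The `server_names` description ends in "availables at sft.." because the pattern was lost; from `dns.tf` the name is `sft<name>.sft.<environment>.<root_domain>`, so `description = "Names of the SFT servers; each is published as sft<name>.sft.<environment>.<root_domain>."` tells callers what they need. `root_domain`, `environment` and `a_record_ttl` carry no description at all, and since `versions.tf` requires `>= 0.13`, a `validation` block on `environment` (DNS-label characters only, as it is interpolated into record names) would be cheap.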
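Review bot: Neither `required_providers` entry has a `version` constraint and Terraform 0.13 has no dependency lock file, so every `terraform init` resolves the newest `hashicorp/aws` and `hcloud` releases; pin the majors that were tested (`version = "~> 3.0"` for aws, likewise for hcloud) so a breaking or tampered release cannot reach an apply unnoticed. `source = "terraform-providers/hcloud"` is, as far as I know, the legacy namespace for this provider; its registry address is `hetznercloud/hcloud`, and relying on the redirect is fragile. It is also worth a comment that this module is `>= 0.13` while `aws-network-load-balancer/main.tf` in the same commit declares `~> 0.12`, so the repository's effective minimum Terraform version is now 0.13.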
@@ -102,6 +104,8 @@ galley:
 settings:
 # prefix URI used when inviting users to a conversation by link
 conversationCodeURI: https://example.com/join/ # change this
+ aws:
+ region: "eu-west-1"
 # proxy:
 # httpProxy: "http://proxy.example.com"
 # httpsProxy: "https://proxy.example.com"
@@ -120,7 +124,7 @@ gundeck:
 aws: # change if using real AWS
 account: "123456789012"
- region: eu-west-1
+ region: "eu-west-1"
 arnEnv: integration
 queueName: integration-gundeck-events
 sqsEndpoint: http://fake-aws-sqs:4568
diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml
index 0acc8d958..e63d291b9 100644
--- a/values/wire-server/prod-values.example.yaml
+++ b/values/wire-server/prod-values.example.yaml
@@ -110,6 +110,7 @@ cargohold:
 config:
 aws: # change if using real AWS
+ region: "eu-west-1"
 s3Bucket: assets
 s3Endpoint: http://minio-external:9000
 s3DownloadEndpoint: https://assets.example.com
@@ -130,6 +131,11 @@ galley:
 settings:
 # prefix URI used when inviting users to a conversation by link
 conversationCodeURI: https://webapp.example.com/join/ # change this
+ # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/)
+ featureFlags:
+ sso: disabled-by-default
+ legalhold: disabled-by-default
+ teamSearchVisibility: disabled-by-default
 aws:
 region: "eu-west-1"
 # proxy: