From e719c3ec079e0ee009bb9d54ddd9071e627c976b Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Fri, 31 Jul 2020 10:08:43 +0200 Subject: [PATCH 01/21] Provide a way to configure SFT service discovery --- charts/brig/templates/configmap.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml index 88b57854c..16f6b213d 100644 --- a/charts/brig/templates/configmap.yaml +++ b/charts/brig/templates/configmap.yaml @@ -150,6 +150,19 @@ data: configTTL: 3600 # 1 hour tokenTTL: 43200 # 12 hours + {{- if .sft }} + {{- with .sft }} + sft: + sftBaseDomain: {{ required "Missing value: .sft.sftBaseDomain" .sftBaseDomain }} + {{- if .sftSRVServiceName }} + sftSRVServiceName: {{ .sftSRVServiceName }} + {{- end }} + {{- if .sftDiscoveryIntervalSeconds }} + sftSRVServiceName: {{ .sftDiscoveryIntervalSeconds }} + {{- end }} + {{- end }} + {{- end }} + {{- with .optSettings }} optSettings: setActivationTimeout: {{ .setActivationTimeout }} From b55453bca49eefdab5bffdba9369efcc64b77d66 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Fri, 31 Jul 2020 10:09:51 +0200 Subject: [PATCH 02/21] Revert "Provide a way to configure SFT service discovery" This reverts commit e719c3ec079e0ee009bb9d54ddd9071e627c976b. This was a mistake. --- charts/brig/templates/configmap.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml index 16f6b213d..88b57854c 100644 --- a/charts/brig/templates/configmap.yaml +++ b/charts/brig/templates/configmap.yaml 
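Review bot: The second optional key is emitted under the wrong name: the `if .sftDiscoveryIntervalSeconds` branch writes `sftSRVServiceName: {{ .sftDiscoveryIntervalSeconds }}`. A release that sets both values therefore renders `sftSRVServiceName` twice and never renders the interval, and how the consumer resolves a duplicate key depends on its YAML parser. The line should read `sftDiscoveryIntervalSeconds: {{ .sftDiscoveryIntervalSeconds }}`. The enclosing `data:` block starts and ends outside the hunk.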
@@ -150,19 +150,6 @@ data: configTTL: 3600 # 1 hour tokenTTL: 43200 # 12 hours - {{- if .sft }} - {{- with .sft }} - sft: - sftBaseDomain: {{ required "Missing value: .sft.sftBaseDomain" .sftBaseDomain }} - {{- if .sftSRVServiceName }} - sftSRVServiceName: {{ .sftSRVServiceName }} - {{- end }} - {{- if .sftDiscoveryIntervalSeconds }} - sftSRVServiceName: {{ .sftDiscoveryIntervalSeconds }} - {{- end }} - {{- end }} - {{- end }} - {{- with .optSettings }} optSettings: setActivationTimeout: {{ .setActivationTimeout }} From f75ce0c25e353d65356c05c9dbea9d970f91e22c Mon Sep 17 00:00:00 2001 From: Tiago Manuel Ventura Loureiro Date: Fri, 31 Jul 2020 10:14:11 +0200 Subject: [PATCH 03/21] Typo in the CHANGELOG (#321) --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40b9f3943..595b1da8e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -# 2020-07-39 +# 2020-07-29 ## Features From 8e489f53e99506d9f551910abe7e739ed5dc6a43 Mon Sep 17 00:00:00 2001 
From: Lucendio Date: Fri, 31 Jul 2020 17:27:40 +0200 Subject: [PATCH 04/21] [rf-module] Introduce network load balancer (#299) (Commit 1) [tf-module] Introduce network load balancer This module is meant, but not necessarily bound, to facilitate ingress for kubernetes nodes on AWS. It is assumed that TLS termination will happen on the cluster, hence the choice of using a network LB. * Integrate review feedback (Commit 2) [tf-module:nlb] Introduce inputs for subnet & instance IDs; duplicated resources * to allow a explicit dependency, instead of obtaining instances and subnet IDs via data resources, this introduces inputs to provide both * remove port-mapping in favour of additional but very similar resources to increase readability (Commit 3) [tf-module:nlb] Adjust README to be consistent with the latest changes of the module interface * move from instance role to list of IPs * add example for data sources * fix phrasing Co-authored-by: Julia Longtin --- .../aws-network-load-balancer/README.md | 71 ++++++++++++ .../modules/aws-network-load-balancer/data.tf | 6 + .../modules/aws-network-load-balancer/main.tf | 3 + .../aws-network-load-balancer/outputs.tf | 3 + .../aws-network-load-balancer/resources.lb.tf | 107 ++++++++++++++++++ .../aws-network-load-balancer/variables.tf | 27 +++++ 6 files changed, 217 insertions(+) create mode 100644 terraform/modules/aws-network-load-balancer/README.md create mode 100644 terraform/modules/aws-network-load-balancer/data.tf create mode 100644 terraform/modules/aws-network-load-balancer/main.tf create mode 100644 terraform/modules/aws-network-load-balancer/outputs.tf create mode 100644 terraform/modules/aws-network-load-balancer/resources.lb.tf create mode 100644 terraform/modules/aws-network-load-balancer/variables.tf diff --git a/terraform/modules/aws-network-load-balancer/README.md b/terraform/modules/aws-network-load-balancer/README.md new file mode 100644 index 000000000..10f4bcc96 --- /dev/null 
+++ b/terraform/modules/aws-network-load-balancer/README.md 
@@ -0,0 +1,71 @@
+Terraform module: Network load balancer
+=======================================
+
+State: __experimental__
+
+This module creates a network load balancer for HTTP (port 80) and HTTPS (port 443) traffic.
+It uses a *target group* for each port and attaches all instances that share the given *role*
+to each group. It furthermore uses the given target ports to check their health.
+
+Load balancing happens across availability zones. The VPC is determined by the given environment.
+The subnets used within the VPC are assumed to
+
+a) have an internet gateway
+b) be attached to the machines referred to by IP via list of `node_ips``
+
+*Please note, in order for this to work, ingress has to be allowed on the given target ports on all target machines.
+Furthermore, since those target machines - referred to by IP - are not part of an auto-scaling group, the instance of
+this module has to be re-applied every time the set of machines changes.*
+
+AWS resources: lb (type: network)
+
+#### How to use the module
+
+```hcl
+module "nlb" {
+ source = "github.com/wireapp/wire-server-deploy.git//terraform/modules/aws-network-load-balancer?ref=CHANGE-ME"
+
+ environment = "staging"
+
+ node_ips = ["10.0.23.17", "10.0.42.78", "10.0.222.171"]
+ subnet_ids = ["subnet-0001", "subnet-0002", "subnet-0003"]
+
+ http_target_port = 3000
+ https_target_port = 3001
+}
+```
+
+One way to generate the IPs and subnets lists would be to refer to the respective resources, or
+attributes of another resource (e.g. VPC). Alternatively, you may want to obtain those lists
+with the help of some data sources, e.g. 
+ +```hcl +data "aws_subnet_ids" "public" { + vpc_id = var.vpc_id + + filter { + name = "tag:Environment" + values = ["staging"] + } + + filter { + name = "tag:Routability" + values = ["public"] + } +} + + +data "aws_instances" "nodes" { + filter { + name = "tag:Environment" + values = ["staging"] + } + + filter { + name = "tag:Role" + values = [ "kubenode" ] + } + + instance_state_names = ["running"] +} +``` \ No newline at end of file diff --git a/terraform/modules/aws-network-load-balancer/data.tf b/terraform/modules/aws-network-load-balancer/data.tf new file mode 100644 index 000000000..2a16243c6 --- /dev/null +++ b/terraform/modules/aws-network-load-balancer/data.tf @@ -0,0 +1,6 @@ +data "aws_vpc" "this" { + filter { + name = "tag:Environment" + values = [var.environment] + } +} diff --git a/terraform/modules/aws-network-load-balancer/main.tf b/terraform/modules/aws-network-load-balancer/main.tf new file mode 100644 index 000000000..ec900db26 --- /dev/null +++ b/terraform/modules/aws-network-load-balancer/main.tf @@ -0,0 +1,3 @@ +terraform { + required_version = "~> 0.12" +} diff --git a/terraform/modules/aws-network-load-balancer/outputs.tf b/terraform/modules/aws-network-load-balancer/outputs.tf new file mode 100644 index 000000000..dd14ad914 --- /dev/null +++ b/terraform/modules/aws-network-load-balancer/outputs.tf @@ -0,0 +1,3 @@ +output "fqdn" { + value = aws_lb.nlb.dns_name +} diff --git a/terraform/modules/aws-network-load-balancer/resources.lb.tf b/terraform/modules/aws-network-load-balancer/resources.lb.tf new file mode 100644 index 000000000..60316f14d --- /dev/null +++ b/terraform/modules/aws-network-load-balancer/resources.lb.tf 
@@ -0,0 +1,107 @@
+resource "aws_lb" "nlb" {
+ name = "${var.environment}-loadbalancer"
+
+ internal = false
+ load_balancer_type = "network"
+ enable_cross_zone_load_balancing = true
+
+ subnets = var.subnet_ids
+
+ tags = {
+ Environment = var.environment
+ }
+}
+
+
+resource "aws_lb_listener" "ingress-http" {
+ load_balancer_arn = aws_lb.nlb.arn
+
+ port = 80
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.nodes-http.arn
+ }
+}
+
+
+resource "aws_lb_target_group" "nodes-http" {
+ name = "${var.environment}-nodes-http"
+
+ vpc_id = data.aws_vpc.this.id
+
+ # NOTE: using "instance" - as an alternative type - does not work due to the way security groups are being
+ # configured (VPC CIDR vs NLB network IP addresses)
+ # SRC: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups
+ # DOC: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html
+ target_type = "ip"
+ port = var.node_port_http
+ protocol = "TCP"
+
+ # docs: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html
+ #
+ health_check {
+ protocol = "TCP"
+ port = var.node_port_http
+ interval = 30 # NOTE: 10 or 30 seconds
+ # NOTE: defaults to 10 for TCP and is not allowed to be set when using an NLB
+ # timeout = 10
+ }
+
+ tags = {
+ Environment = var.environment
+ }
+}
+
+
+resource "aws_lb_target_group_attachment" "each-node-http" {
+ for_each = { for _, ip in var.node_ips : "http-ip-${replace(ip, ".", "-")}" => ip }
+
+ target_group_arn = aws_lb_target_group.nodes-http.arn
+ port = aws_lb_target_group.nodes-http.port
+ target_id = each.value
+}
+
+
+resource "aws_lb_listener" "ingress-https" {
+ load_balancer_arn = aws_lb.nlb.arn
+
+ port = 443
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.nodes-https.arn
+ }
+}
+
+
+resource "aws_lb_target_group" 
"nodes-https" { + name = "${var.environment}-nodes-https" + + vpc_id = data.aws_vpc.this.id + + target_type = "ip" + port = var.node_port_https + protocol = "TCP" + + health_check { + protocol = "TCP" + port = var.node_port_https + interval = 30 + } + + tags = { + Environment = var.environment + } +} + + +resource "aws_lb_target_group_attachment" "each-node-https" { + for_each = { for _, ip in var.node_ips : "https-ip-${replace(ip, ".", "-")}" => ip } + + target_group_arn = aws_lb_target_group.nodes-https.arn + port = aws_lb_target_group.nodes-https.port + target_id = each.value +} diff --git a/terraform/modules/aws-network-load-balancer/variables.tf b/terraform/modules/aws-network-load-balancer/variables.tf new file mode 100644 index 000000000..079bfd153 --- /dev/null +++ b/terraform/modules/aws-network-load-balancer/variables.tf @@ -0,0 +1,27 @@ +variable "environment" { + type = string + description = "name of the environment as a scope for the created resources (default: 'dev'; example: 'prod', 'staging')" + default = "dev" +} + +variable "node_port_http" { + type = number + description = "HTTP port on the target machines that the LB forwards ingress from port 80 to" + default = 8080 +} + +variable "node_port_https" { + type = number + description = "HTTPS port on the target machines that the LB forwards ingress from port 443 to" + default = 8443 +} + +variable "node_ips" { + type = list(string) + description = "a list of private IPs from all nodes the load balancer forwards traffic to" +} + +variable "subnet_ids" { + type = list(string) + description = "a list of IDs from subnets where the nodes are part of, and the load balancer egress is attached to" +} From 22cf43958d5af7363939ce45f3b57a65bcd8b2fe Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 3 Aug 2020 10:19:03 +0200 Subject: [PATCH 05/21] Drop CBC cipher suites --- charts/nginx-ingress-controller/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
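Review bot: The `ingress-http` listener exposes port 80 on an internet-facing balancer (`internal = false`) and forwards it as plain TCP to `var.node_port_http`, yet nothing in resources.lb.tf records that the cluster side must upgrade or reject unencrypted requests. A network LB passes the bytes through untouched, so whatever listens on the node port is the only control. A comment above the listener would make that dependency explicit, e.g. `# plaintext pass-through: the ingress behind node_port_http must redirect to HTTPS, the LB cannot`. Separately, the names `${var.environment}-loadbalancer` and `${var.environment}-nodes-https` are subject to the 32-character AWS limit for load balancer and target group names, so a long environment name fails at apply time; the `environment` description could state that bound.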
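Review bot: The port inputs declared in variables.tf are `node_port_http` and `node_port_https`, but the usage example in this commit's README passes `http_target_port` and `https_target_port`, which the module does not declare. Terraform would reject a module call copied from the example as using unsupported arguments, so either the README or the variable names need to change until they agree. The `node_ips` description could also say that entries must be unique private addresses inside the VPC, because each one becomes both a `target_id` and a `for_each` key in resources.lb.tf.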
diff --git a/charts/nginx-ingress-controller/values.yaml b/charts/nginx-ingress-controller/values.yaml index 59522b40b..a785cd545 100644 --- a/charts/nginx-ingress-controller/values.yaml +++ b/charts/nginx-ingress-controller/values.yaml @@ -4,7 +4,7 @@ nginx-ingress: controller: config: # NOTE: These are some sane defaults, you may want to overrride them on your own installation - ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256" + ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256" http2-max-field-size: 16k http2-max-header-size: 32k proxy-buffer-size: 16k From 3be581fb8385b0402c195e8e20dcc9f8466be83f Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 3 Aug 2020 10:23:33 +0200 Subject: [PATCH 06/21] Update TLS config --- charts/backoffice/templates/configmap.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/backoffice/templates/configmap.yaml b/charts/backoffice/templates/configmap.yaml index cfff8fbcc..1973f10b0 100644 --- a/charts/backoffice/templates/configmap.yaml +++ b/charts/backoffice/templates/configmap.yaml 
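Review bot: `ssl-ciphers` only constrains TLS 1.2 and earlier, and this hunk shows no `ssl-protocols` key beside it, so the accepted protocol versions are left to whatever the controller defaults to. If the rest of `config` does not already set it, adding `ssl-protocols: "TLSv1.2 TLSv1.3"` next to the cipher list would pin both halves of the TLS policy in one place. The existing NOTE comment could also state that the list is deliberately AEAD-only, so that a later override does not bring CBC suites back unnoticed. The `config` map continues outside the hunk.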
@@ -126,8 +126,8 @@ data: ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_timeout 5m; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; server { listen {{ .Values.service.internalPort }}; From aae31333844208b86484de0d001de6f170b9a299 Mon Sep 17 00:00:00 2001 From: jschaul Date: Wed, 12 Aug 2020 17:34:42 +0200 Subject: [PATCH 07/21] Add account number to output of terraform gundeck module (#326) --- terraform/modules/aws-gundeck-push-notifications/data.tf | 4 +++- terraform/modules/aws-gundeck-push-notifications/outputs.tf | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/terraform/modules/aws-gundeck-push-notifications/data.tf b/terraform/modules/aws-gundeck-push-notifications/data.tf index c090d892c..88c73b496 100644 --- a/terraform/modules/aws-gundeck-push-notifications/data.tf +++ b/terraform/modules/aws-gundeck-push-notifications/data.tf @@ -1,3 +1,5 @@ # NOTE: obtains region that is set in providers.tf by given variable # -data "aws_region" "current" {} \ No newline at end of file +data "aws_region" "current" {} + +data "aws_caller_identity" "current" {} diff --git a/terraform/modules/aws-gundeck-push-notifications/outputs.tf b/terraform/modules/aws-gundeck-push-notifications/outputs.tf index af1b8dec9..fdeeff0eb 100644 --- a/terraform/modules/aws-gundeck-push-notifications/outputs.tf +++ b/terraform/modules/aws-gundeck-push-notifications/outputs.tf 
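Review bot: The new `ssl_ciphers` list ends with `DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`, but no `ssl_dhparam` directive is visible in this hunk. Current nginx offers DHE suites only when DH parameters are configured, so these two entries are either dead or depend on a file set elsewhere in the template. Either drop them, which would also match the ECDHE-only list chosen for nginx-ingress-controller in the previous patch, or add `ssl_dhparam` pointing at parameters of at least 2048 bits. `TLSv1.3` in `ssl_protocols` also requires an nginx built against OpenSSL 1.1.1, which is worth confirming for the image this chart runs. The surrounding configuration block starts and ends outside the hunk.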
@@ -19,3 +19,7 @@ output "gundeck_access_key" { output "gundeck_access_secret" { value = aws_iam_access_key.gundeck.secret } + +output "aws_account_id" { + value = data.aws_caller_identity.current.account_id +} From e6787e6a263d3c1c8a3b45cd82b23f2f9e3ed6ec Mon Sep 17 00:00:00 2001 From: Matthias Heinzel Date: Mon, 17 Aug 2020 12:38:05 +0200 Subject: [PATCH 08/21] Add default AWS region to example values files (#328) For consistency between different services as well as demo-values and prod-values This makes it more obvious that this value might need to be modified if the default is not desired. * add cargohold AWS region to prod-values.example.yaml * demo-values.example.yaml: Add default region here, too --- values/wire-server/demo-values.example.yaml | 6 +++++- values/wire-server/prod-values.example.yaml | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml index 537983aa4..a27886719 100644 --- a/values/wire-server/demo-values.example.yaml +++ b/values/wire-server/demo-values.example.yaml @@ -28,6 +28,7 @@ brig: useSES: false aws: # change if using real AWS + region: "eu-west-1" sqsEndpoint: http://fake-aws-sqs:4568 dynamoDBEndpoint: http://fake-aws-dynamodb:4567 # these must match the table names created on fake or real AWS services @@ -81,6 +82,7 @@ cargohold: config: aws: # change if using real AWS + region: "eu-west-1" s3Bucket: dummy-bucket s3Endpoint: http://fake-aws-s3:9000 s3DownloadEndpoint: https://assets.example.com @@ -102,6 +104,8 @@ galley: settings: # prefix URI used when inviting users to a conversation by link conversationCodeURI: https://example.com/join/ # change this + aws: + region: "eu-west-1" # proxy: # httpProxy: "http://proxy.example.com" # httpsProxy: "https://proxy.example.com" 
@@ -120,7 +124,7 @@ gundeck: aws: # change if using real AWS account: "123456789012" - region: eu-west-1 + region: "eu-west-1" arnEnv: integration queueName: integration-gundeck-events sqsEndpoint: http://fake-aws-sqs:4568 diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index 0acc8d958..1ae607952 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml @@ -110,6 +110,7 @@ cargohold: config: aws: # change if using real AWS + region: "eu-west-1" s3Bucket: assets s3Endpoint: http://minio-external:9000 s3DownloadEndpoint: https://assets.example.com From edab5f51025a19a986dfe2179a2946dbb7b4060c Mon Sep 17 00:00:00 2001 From: jschaul Date: Mon, 24 Aug 2020 12:45:17 +0200 Subject: [PATCH 09/21] Add logrotation of 3 days to all pod logs (#329) * Add logrotation of 3 days to all pod logs * improve logrotate arguments to actually do what we want; add comments * move to its own playbook --- ansible/kubernetes.yml | 2 ++ ansible/kubernetes_logging.yml | 18 ++++++++++++++++++ ansible/requirements.yml | 4 ++++ 3 files changed, 24 insertions(+) create mode 100644 ansible/kubernetes_logging.yml diff --git a/ansible/kubernetes.yml b/ansible/kubernetes.yml index 85298ca1a..b0bb9f253 100644 --- a/ansible/kubernetes.yml +++ b/ansible/kubernetes.yml @@ -7,3 +7,5 @@ environment: "{{ proxy_env | default({}) }}" roles: - etcd-helpers + +- import_playbook: kubernetes_logging.yml diff --git a/ansible/kubernetes_logging.yml b/ansible/kubernetes_logging.yml new file mode 100644 index 000000000..979fb0f3f --- /dev/null +++ b/ansible/kubernetes_logging.yml 
@@ -0,0 +1,18 @@ +- hosts: k8s-cluster + environment: "{{ proxy_env | default({}) }}" + roles: + - role: logrotate + logrotate_scripts: + # The following will rotate pod logs once per day to keep no more than + # 3 days (maxage 1, rotate 2) of logs for data minimization/protection + # reasons. + - name: podlogs + path: "/var/lib/docker/containers/*/*.log" + options: + - daily + - missingok + - rotate 2 + - maxage 1 + - copytruncate + - nocreate + - nocompress diff --git a/ansible/requirements.yml b/ansible/requirements.yml index bb33deb01..9a7ca2612 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -59,3 +59,7 @@ - src: git+https://github.com/wireapp/ansible-ntp-verify.git name: ansible-ntp-verify version: v0.0.1 + +- src: git+https://github.com/nickhammond/ansible-logrotate.git + name: logrotate + version: "91d570f68c44261d2051a99a2b3c7d736306bf0d" # 2018-02-16 From 160a0c339408d2a587bf1cc73e8fa5ab1618f52e Mon Sep 17 00:00:00 2001 From: jschaul Date: Tue, 25 Aug 2020 18:58:14 +0200 Subject: [PATCH 10/21] add comment for future maintainers of kubernetes_logging file --- ansible/kubernetes_logging.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ansible/kubernetes_logging.yml b/ansible/kubernetes_logging.yml index 979fb0f3f..e8ab2ada9 100644 --- a/ansible/kubernetes_logging.yml +++ b/ansible/kubernetes_logging.yml @@ -6,6 +6,11 @@ # The following will rotate pod logs once per day to keep no more than # 3 days (maxage 1, rotate 2) of logs for data minimization/protection # reasons. + # + # NOTE for wire-server-deploy maintainers: if you change the following + # options, ensure to also keep the documentation up-to-date, see the + # documentation introduced in + # https://github.com/wireapp/wire-docs/pull/79 - name: podlogs path: "/var/lib/docker/containers/*/*.log" options: From 01b58467fcbc2383024c99b3dac9b852226ee9de Mon Sep 17 00:00:00 2001 
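Review bot: The comment in kubernetes_logging.yml promises at most 3 days of pod logs, but `maxage 1` removes rotated files older than one day whenever a rotation runs. The second file kept by `rotate 2` therefore appears to be deleted before it reaches that age, which would make the effective window closer to two days; the comment should state the figure that is actually intended. `copytruncate` can also lose whatever a container writes between the copy and the truncate. With so short a window on the node, any later investigation depends on logs having been shipped elsewhere first, so the comment could name that destination or say that none is intended.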
From: jschaul Date: Tue, 25 Aug 2020 21:17:20 +0200 Subject: [PATCH 11/21] fix sanitized_request parsing on nginx (#330) --- charts/nginz/templates/conf/_nginx.conf.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl index 0a1675615..d8d9c47a0 100644 --- a/charts/nginz/templates/conf/_nginx.conf.tpl +++ b/charts/nginz/templates/conf/_nginx.conf.tpl @@ -229,7 +229,7 @@ http { # remove access_token from logs, see 'Note sanitized_request' above. set $sanitized_request $request; - if ($sanitized_request ~ (.*)access_token=[^&]*(.*)) { + if ($sanitized_request ~ (.*)access_token=[^&\s]*(.*)) { set $sanitized_request $1access_token=****$2; } From e7f081ca744de60bf9d10cb037828b995883d2aa Mon Sep 17 00:00:00 2001 From: Lucendio Date: Wed, 26 Aug 2020 16:29:39 +0200 Subject: [PATCH 12/21] [tf-module:cargohold] Replace subnet IDs input with route table IDs (#331) [tf-module:cargohold] Replace subnet IDs input with route table IDs This removes the 'implicit' data dependency that can cause a race condition between subnets and route tables. It makes it more clear what the module depends on and should make it more easy to `depends_on` in the future (TF v0.13). Co-authored-by: Julia Longtin * shuffle things around so that the aws-cargohold-asset-storage module handles its own security group. --- .../aws-cargohold-asset-storage/outputs.tf | 10 ++++----- .../resources.s3.tf | 16 -------------- .../resources.security_groups.tf | 17 +++++++++++++++ .../aws-cargohold-asset-storage/variables.tf | 5 +---- .../modules/aws-vpc-security-groups/main.tf | 21 ------------------- .../aws-vpc-security-groups/variables.tf | 5 ----- terraform/modules/aws-vpc/outputs.tf | 3 +++ 7 files changed, 26 insertions(+), 51 deletions(-) create mode 100644 terraform/modules/aws-cargohold-asset-storage/resources.security_groups.tf 
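Review bot: The rewrite still masks only one `access_token=` occurrence per request line. The leading `(.*)` is greedy, so when the parameter appears twice the pattern matches the last one and the earlier value stays in `$sanitized_request`, and from there in the access log. The match operator `~` is also case-sensitive, so a differently cased parameter name is not covered; whether the backend would accept such a token cannot be told from this hunk. At minimum the limitation should be recorded next to the rule, e.g. `# masks only the last access_token= in the request line; repeated parameters are not covered`. The enclosing block starts and ends outside the hunk.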
diff --git a/terraform/modules/aws-cargohold-asset-storage/outputs.tf b/terraform/modules/aws-cargohold-asset-storage/outputs.tf index 01ee76ccf..856b68954 100644 --- a/terraform/modules/aws-cargohold-asset-storage/outputs.tf +++ b/terraform/modules/aws-cargohold-asset-storage/outputs.tf @@ -12,10 +12,6 @@ output "s3_endpoint" { value = "https://s3.${aws_s3_bucket.asset_storage.region}.amazonaws.com" } -output "s3_endpoint_CIDRs" { - value = aws_vpc_endpoint.s3.cidr_blocks -} - output "s3_endpoint_id" { value = aws_vpc_endpoint.s3.id } @@ -26,4 +22,8 @@ output "cargohold_access_key" { output "cargohold_access_secret" { value = aws_iam_access_key.cargohold.secret -} \ No newline at end of file +} + +output "talk_to_S3" { + value = aws_security_group.talk_to_S3.id +} diff --git a/terraform/modules/aws-cargohold-asset-storage/resources.s3.tf b/terraform/modules/aws-cargohold-asset-storage/resources.s3.tf index 4fdec1302..0973186d3 100644 --- a/terraform/modules/aws-cargohold-asset-storage/resources.s3.tf +++ b/terraform/modules/aws-cargohold-asset-storage/resources.s3.tf @@ -34,19 +34,3 @@ resource "aws_vpc_endpoint" "s3" { } } -data "aws_route_tables" "private" { - vpc_id = var.vpc_id - - filter { - name = "association.subnet-id" - values = var.subnet_ids - } -} - -# the routing table association that allows nodes to route traffic to the S3 endpoint. -resource "aws_vpc_endpoint_route_table_association" "private_s3" { - for_each = { for k, v in data.aws_route_tables.private.ids : v => v } - - route_table_id = each.value - vpc_endpoint_id = aws_vpc_endpoint.s3.id -} diff --git a/terraform/modules/aws-cargohold-asset-storage/resources.security_groups.tf b/terraform/modules/aws-cargohold-asset-storage/resources.security_groups.tf new file mode 100644 index 000000000..8692f388c --- /dev/null +++ b/terraform/modules/aws-cargohold-asset-storage/resources.security_groups.tf 
@@ -0,0 +1,17 @@ +resource "aws_security_group" "talk_to_S3" { + name = "talk_to_S3" + description = "hosts that are allowed to talk to S3." + vpc_id = var.vpc_id + + egress { + description = "" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = aws_vpc_endpoint.s3.cidr_blocks + } + + tags = { + Name = "talk_to_S3" + } +} diff --git a/terraform/modules/aws-cargohold-asset-storage/variables.tf b/terraform/modules/aws-cargohold-asset-storage/variables.tf index fef5cc5ea..28bb5afcb 100644 --- a/terraform/modules/aws-cargohold-asset-storage/variables.tf +++ b/terraform/modules/aws-cargohold-asset-storage/variables.tf @@ -21,7 +21,4 @@ variable "vpc_id" { description = "the ID of the VPC to add an S3 endpoint to" } -variable "subnet_ids" { - type = list(string) - description = "list of the subnet IDs of the subnets to make the S3 endpoint available to." -} \ No newline at end of file + diff --git a/terraform/modules/aws-vpc-security-groups/main.tf b/terraform/modules/aws-vpc-security-groups/main.tf index 2e7ca7b60..87ec45794 100644 --- a/terraform/modules/aws-vpc-security-groups/main.tf +++ b/terraform/modules/aws-vpc-security-groups/main.tf @@ -184,17 +184,6 @@ resource "aws_security_group" "talk_to_k8s" { description = "hosts that are allowed to speak to kubernetes." vpc_id = var.vpc_id - # HACK: running out of security groups per instance. - # adding this here since the admin node needs to talk to S3. - # S3 - egress { - description = "" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = var.s3_CIDRs - } - # kubectl egress { description = "" @@ -288,16 +277,6 @@ resource "aws_security_group" "k8s_private" { cidr_blocks = ["172.17.0.0/20"] } - # HACK: running out of security groups, adding this here since all k8s nodes need to talk to S3. - # S3 - egress { - description = "" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = var.s3_CIDRs - } - tags = { Name = "k8s_private" } 
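Review bot: The egress rule in `talk_to_S3` copies `aws_vpc_endpoint.s3.cidr_blocks` into the group, which freezes the S3 address ranges as they were at the last apply. When the ranges behind the endpoint change, the rule stays stale until someone re-applies. Referencing the managed prefix list instead, `prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]`, keeps the rule current without widening it. The rule's `description = ""` should say what it permits, e.g. `description = "HTTPS to the S3 gateway endpoint"`. The fixed `name = "talk_to_S3"` will also collide if the module is instantiated twice in one VPC.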
diff --git a/terraform/modules/aws-vpc-security-groups/variables.tf b/terraform/modules/aws-vpc-security-groups/variables.tf index 0f010f23f..106bab921 100644 --- a/terraform/modules/aws-vpc-security-groups/variables.tf +++ b/terraform/modules/aws-vpc-security-groups/variables.tf @@ -3,8 +3,3 @@ variable "vpc_id" { description = "ID of VPC these security groups are for." } -variable "s3_CIDRs" { - type = list(string) - description = "subnets that S3 gateways we are using exist in." -} - diff --git a/terraform/modules/aws-vpc/outputs.tf b/terraform/modules/aws-vpc/outputs.tf index 0b05c6354..decd6540d 100644 --- a/terraform/modules/aws-vpc/outputs.tf +++ b/terraform/modules/aws-vpc/outputs.tf @@ -10,3 +10,6 @@ output "private_subnets" { value = module.vpc.private_subnets } +output "private_route_table_ids" { + value = module.vpc.private_route_table_ids +} From 461e0774409c6b80081d3bd032e677729c6ed6f4 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Thu, 27 Aug 2020 10:20:10 +0200 Subject: [PATCH 13/21] Provide a way to configure SFT service discovery (#322) --- charts/brig/templates/configmap.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml index 88b57854c..f397f28a3 100644 --- a/charts/brig/templates/configmap.yaml +++ b/charts/brig/templates/configmap.yaml @@ -150,6 +150,19 @@ data: configTTL: 3600 # 1 hour tokenTTL: 43200 # 12 hours + {{- if .sft }} + {{- with .sft }} + sft: + sftBaseDomain: {{ required "Missing value: .sft.sftBaseDomain" .sftBaseDomain }} + {{- if .sftSRVServiceName }} + sftSRVServiceName: {{ .sftSRVServiceName }} + {{- end }} + {{- if .sftDiscoveryIntervalSeconds }} + sftDiscoveryIntervalSeconds: {{ .sftDiscoveryIntervalSeconds }} + {{- end }} + {{- end }} + {{- end }} + {{- with .optSettings }} optSettings: setActivationTimeout: {{ .setActivationTimeout }} From 7c842e86e622719eff2757a271b1ec716d010cd6 Mon Sep 17 00:00:00 2001 
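Review bot: `sftBaseDomain` and `sftSRVServiceName` are written into the rendered config unquoted, so a value containing `:`, `#` or a leading special character changes the YAML structure instead of staying a string. Piping through `quote` avoids that: `{{ required "Missing value: .sft.sftBaseDomain" .sftBaseDomain | quote }}` and `{{ .sftSRVServiceName | quote }}`. The outer `{{- if .sft }}` is redundant because `with .sft` already skips the block when the value is empty. `if .sftDiscoveryIntervalSeconds` also treats an explicit `0` as unset. The enclosing `data:` block lies outside the hunk.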
From: Julia Longtin Date: Thu, 3 Sep 2020 14:00:16 +0100 Subject: [PATCH 14/21] pass in a vpc id, instead of relying on a data statement, and currently existing values. --- terraform/modules/aws-network-load-balancer/data.tf | 6 ------ terraform/modules/aws-network-load-balancer/resources.lb.tf | 4 ++-- terraform/modules/aws-network-load-balancer/variables.tf | 5 +++++ 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/terraform/modules/aws-network-load-balancer/data.tf b/terraform/modules/aws-network-load-balancer/data.tf index 2a16243c6..e69de29bb 100644 --- a/terraform/modules/aws-network-load-balancer/data.tf +++ b/terraform/modules/aws-network-load-balancer/data.tf @@ -1,6 +0,0 @@ -data "aws_vpc" "this" { - filter { - name = "tag:Environment" - values = [var.environment] - } -} diff --git a/terraform/modules/aws-network-load-balancer/resources.lb.tf b/terraform/modules/aws-network-load-balancer/resources.lb.tf index 60316f14d..fa7a288c4 100644 --- a/terraform/modules/aws-network-load-balancer/resources.lb.tf +++ b/terraform/modules/aws-network-load-balancer/resources.lb.tf @@ -29,7 +29,7 @@ resource "aws_lb_listener" "ingress-http" { resource "aws_lb_target_group" "nodes-http" { name = "${var.environment}-nodes-http" - vpc_id = data.aws_vpc.this.id + vpc_id = var.aws_vpc_id # NOTE: using "instance" - as an alternative type - does not work due to the way security groups are being # configured (VPC CIDR vs NLB network IP addresses) @@ -80,7 +80,7 @@ resource "aws_lb_listener" "ingress-https" { resource "aws_lb_target_group" "nodes-https" { name = "${var.environment}-nodes-https" - vpc_id = data.aws_vpc.this.id + vpc_id = var.aws_vpc_id target_type = "ip" port = var.node_port_https diff --git a/terraform/modules/aws-network-load-balancer/variables.tf b/terraform/modules/aws-network-load-balancer/variables.tf index 079bfd153..3594af862 100644 --- a/terraform/modules/aws-network-load-balancer/variables.tf 
+++ b/terraform/modules/aws-network-load-balancer/variables.tf @@ -25,3 +25,8 @@ variable "subnet_ids" { type = list(string) description = "a list of IDs from subnets where the nodes are part of, and the load balancer egress is attached to" } + +variable "aws_vpc_id" { + type = string + description = "the ID of the VPC we are adding our targets to." +} From 3a0df5c88e148b0bff82a4ebf4645b37b1f0c7e2 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Fri, 4 Sep 2020 10:37:16 +0200 Subject: [PATCH 15/21] wire-server/prod-values.example: Add galley feature flags (#335) Co-authored-by: Julia Longtin --- values/wire-server/prod-values.example.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index 1ae607952..e63d291b9 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml @@ -131,6 +131,11 @@ galley: settings: # prefix URI used when inviting users to a conversation by link conversationCodeURI: https://webapp.example.com/join/ # change this + # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) + featureFlags: + sso: disabled-by-default + legalhold: disabled-by-default + teamSearchVisibility: disabled-by-default aws: region: "eu-west-1" # proxy: From de328cf6fd661d120760209cb1402d91def5e0d8 Mon Sep 17 00:00:00 2001 From: Julia Longtin Date: Thu, 10 Sep 2020 11:52:37 +0000 Subject: [PATCH 16/21] Use count instead of for_each because it works better (#334) --- .../modules/aws-network-load-balancer/resources.lb.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/modules/aws-network-load-balancer/resources.lb.tf b/terraform/modules/aws-network-load-balancer/resources.lb.tf index fa7a288c4..d5b65e3bb 100644 --- a/terraform/modules/aws-network-load-balancer/resources.lb.tf +++ b/terraform/modules/aws-network-load-balancer/resources.lb.tf 
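Review bot: The new required input is named `aws_vpc_id`, while the other modules touched in this series (aws-cargohold-asset-storage, aws-vpc-security-groups) call the same value `vpc_id`; using `vpc_id` here too would keep the module interfaces parallel. The module README added earlier still says the VPC is determined by the environment, and its example does not pass a VPC ID, so after this commit the documented call is missing a required argument. The description could also state that `subnet_ids` and `node_ips` must belong to this VPC, since nothing in the module checks it.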
@@ -56,11 +56,11 @@ resource "aws_lb_target_group" "nodes-http" { resource "aws_lb_target_group_attachment" "each-node-http" { - for_each = { for _, ip in var.node_ips : "http-ip-${replace(ip, ".", "-")}" => ip } + count = length(var.node_ips) target_group_arn = aws_lb_target_group.nodes-http.arn port = aws_lb_target_group.nodes-http.port - target_id = each.value + target_id = var.node_ips[count.index] } @@ -99,9 +99,9 @@ resource "aws_lb_target_group" "nodes-https" { resource "aws_lb_target_group_attachment" "each-node-https" { - for_each = { for _, ip in var.node_ips : "https-ip-${replace(ip, ".", "-")}" => ip } + count = length(var.node_ips) target_group_arn = aws_lb_target_group.nodes-https.arn port = aws_lb_target_group.nodes-https.port - target_id = each.value + target_id = var.node_ips[count.index] } From c4827ee08ee44295606219dc72ea47c1e431d376 Mon Sep 17 00:00:00 2001 From: Julia Longtin Date: Mon, 14 Sep 2020 11:27:54 +0000 Subject: [PATCH 17/21] remove issuance of a default search domain via the AWS dhcp servers. breaks dns lookup inside of k8s. (#338) --- terraform/modules/aws-vpc/main.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/terraform/modules/aws-vpc/main.tf b/terraform/modules/aws-vpc/main.tf index 9a1c08e79..56365e07b 100644 --- a/terraform/modules/aws-vpc/main.tf +++ b/terraform/modules/aws-vpc/main.tf @@ -21,10 +21,6 @@ module "vpc" { enable_dns_hostnames = false enable_dns_support = true - enable_dhcp_options = true - dhcp_options_domain_name = var.dhcp_options_domain_name - # dhcp_options_domain_name_servers = - # In case we run terraform from within the environment. # VPC endpoint for DynamoDB enable_dynamodb_endpoint = true From ddf967a4a5d4f3e8f6ffbb9a93b47ee2089f60c0 Mon Sep 17 00:00:00 2001 
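Review bot: Switching `each-node-http` and `each-node-https` from `for_each` to `count` keys every attachment by list position instead of by IP. Removing or reordering an entry in `var.node_ips` then shifts the indices, and Terraform will destroy and recreate the attachment of every node after it, briefly deregistering healthy targets. If the switch was made because the IPs are not known at plan time (a guess; the commit title only says it "works better"), the trade-off deserves a comment above both `count` lines, e.g. `# count, not for_each: for_each keys must be known at plan time. Keep var.node_ips order stable and only append.` The same applies to the second hunk.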
From: Akshay Mankar Date: Fri, 18 Sep 2020 11:48:52 +0200 Subject: [PATCH 18/21] Add automation for deploying SFT servers (#337) * Add terraform definition of an "environment" with sft servers. Uses terraform-0.13 * Add ansible playbooks to "bootstrap" an "environment with only SFT to start with. * Provide development environment with nix-shell * Add make targets for terraforming and ansibling an environment Co-authored-by: Lucendio Co-authored-by: jschaul --- ansible/Makefile | 39 ++ ansible/README.md | 25 ++ ansible/ansible.cfg | 2 +- ansible/bootstrap.yml | 1 + ansible/poetry.lock | 448 ++++++++++++++++----- ansible/provision-sft.yml | 11 + ansible/pyproject.toml | 7 +- ansible/requirements.yml | 4 + nix/sources.json | 38 ++ nix/sources.nix | 134 ++++++ shell.nix | 32 +- terraform/README.md | 67 +++ terraform/environment/Makefile | 31 ++ terraform/environment/aws.tf | 7 + terraform/environment/hcloud.tf | 20 + terraform/environment/inventory.tf | 28 ++ terraform/environment/main.tf | 11 + terraform/environment/sft.tf | 26 ++ terraform/environment/terraform.tf | 23 ++ terraform/modules/sft/dns.tf | 21 + terraform/modules/sft/outputs.tf | 19 + terraform/modules/sft/server.tf | 9 + terraform/modules/sft/srv-announcer-iam.tf | 60 +++ terraform/modules/sft/variables.tf | 36 ++ terraform/modules/sft/versions.tf | 11 + 25 files changed, 994 insertions(+), 116 deletions(-) create mode 100644 ansible/bootstrap.yml create mode 100644 ansible/provision-sft.yml create mode 100644 nix/sources.json create mode 100644 nix/sources.nix create mode 100644 terraform/README.md create mode 100644 terraform/environment/Makefile create mode 100644 terraform/environment/aws.tf create mode 100644 terraform/environment/hcloud.tf create mode 100644 terraform/environment/inventory.tf create mode 100644 terraform/environment/main.tf create mode 100644 terraform/environment/sft.tf create mode 100644 terraform/environment/terraform.tf create mode 100644 terraform/modules/sft/dns.tf create 
mode 100644 terraform/modules/sft/outputs.tf create mode 100644 terraform/modules/sft/server.tf create mode 100644 terraform/modules/sft/srv-announcer-iam.tf create mode 100644 terraform/modules/sft/variables.tf create mode 100644 terraform/modules/sft/versions.tf diff --git a/ansible/Makefile b/ansible/Makefile index 6e0608d7a..06a101445 100644 --- a/ansible/Makefile +++ b/ansible/Makefile @@ -1,3 +1,7 @@ +ANSIBLE_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) +# Please ignore this if you're not a wire employee +CAILLEACH_DIR:=$(abspath ${ANSIBLE_DIR}/../../cailleach) +SHELL:=/usr/bin/env bash -eo pipefail default: download @@ -21,3 +25,38 @@ download-ansible-roles: .PHONY: download-ansible-roles-force download-ansible-roles-force: poetry run ansible-galaxy install -r requirements.yml --force + +.PHONY: provision-sft +provision-sft: check-env + poetry run ansible-playbook ${ANSIBLE_DIR}/provision-sft.yml \ + -i ${ENV_DIR}/gen/terraform-inventory.yml \ + -i ${ENV_DIR}/inventory.yml \ + --private-key ${ENV_DIR}/operator-ssh.dec \ + -vv + +.PHONY: bootstrap +bootstrap: check-env + poetry run ansible-playbook ${ANSIBLE_DIR}/bootstrap.yml \ + -i ${ENV_DIR}/gen/terraform-inventory.yml \ + -i ${ENV_DIR}/inventory.yml \ + --private-key ${ENV_DIR}/operator-ssh.dec \ + -vv + +.PHONY: check-env +check-env: +ifndef ENV_DIR +ifndef ENV + $(error please define either ENV or ENV_DIR) +else +ENV_DIR=${CAILLEACH_DIR}/environments/${ENV} +endif +endif +ifeq ("$(wildcard ${ENV_DIR}/inventory.yml)", "") + $(error please make sure ${ENV_DIR}/inventory.yml exists) +endif +ifeq ("$(wildcard ${ENV_DIR}/gen/terraform-inventory.yml)", "") + $(error please make you have applied terraform for ${ENV_DIR}) +endif +ifeq ("$(wildcard ${ENV_DIR}/operator-ssh.dec)", "") + $(error please make sure ${ENV_DIR}/operator-ssh.dec exists and contains the private key to ssh into servers) +endif diff --git a/ansible/README.md b/ansible/README.md index 0dde82f54..397d831a8 100644 
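Review bot: `check-env` only tests that `${ENV_DIR}/operator-ssh.dec` exists, although both `provision-sft` and `bootstrap` pass that file as `--private-key`. A decrypted operator key in the environment directory should be covered by that repository's ignore rules and readable by its owner only, and nothing here says so. I would add a comment above the last `ifeq`, e.g. `# operator-ssh.dec is a decrypted private key: keep it out of version control and chmod 600`. The error text `please make you have applied terraform` is also missing a word (`please make sure you have applied terraform`). The two playbook recipes repeat the same inventory and key arguments, so a shared variable would keep them in step.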
--- a/ansible/README.md +++ b/ansible/README.md @@ -3,3 +3,28 @@ In a production environment, some parts of the wire-server infrastructure (such as e.g. cassandra databases) are best configured outside kubernetes. Additionally, kubernetes can be rapidly set up with a project called kubespray, via ansible. This directory hosts a range of ansible playbooks to install kubernetes and databases necessary for wire-server. For documentation on usage, please refer to the [Administrator's Guide](https://docs.wire.com), notably the production installation. + + +## Bootrap environment created by `terraform/environment` + +An 'environment' is supposed to represent all the setup required for the Wire +backend to function. + +'Bootstrapping' an environment means running a range of idempotent ansible +playbooks against servers specified in an inventory, resulting in a fully +functional environment. This action can be re-run as often as you want (e.g. in +case you change some variables or upgrade to new versions). + +To start with, the environment only has SFT servers; but more will be added here +soon. + +1. Please ensure `ENV_DIR` or `ENV` are exported as specified in the [docs in + the terraform folder](../terraform/README.md) +1. Ensure `$ENV_DIR/operator-ssh.dec` exists and contains an ssh key for the + environment. +1. Ensure that `make apply` has been run for the environment. Please refer to + the [docs in the terraform folder](../terraform/README.md) for details about + how to run this. +1. Ensure all required variables are set in `$ENV_DIR/inventory.yml` +1. Running `make bootstrap` from this directory will bootstrap the + environment. diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index e969c3ec2..d8d630ac2 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg 
@@ -4,7 +4,7 @@ control_path = /tmp/ansible-%%r@%%h:%%p [defaults] retry_files_enabled = False -roles_path = ./roles-external:./roles +roles_path = ./roles-external:./roles:./roles-external/sft/roles gathering = smart diff --git a/ansible/bootstrap.yml b/ansible/bootstrap.yml new file mode 100644 index 000000000..26f87b2c4 --- /dev/null +++ b/ansible/bootstrap.yml @@ -0,0 +1 @@ +- import_playbook: ./provision-sft.yml diff --git a/ansible/poetry.lock b/ansible/poetry.lock index 5ab717fbf..a1abaf24c 100644 --- a/ansible/poetry.lock +++ b/ansible/poetry.lock @@ -3,8 +3,8 @@ category = "main" description = "Radically simple IT automation" name = "ansible" optional = false -python-versions = "*" -version = "2.7.11" +python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*" +version = "2.7.18" [[package]] category = "main" @@ -12,11 +12,11 @@ description = "Ansible Modules for Hashicorp Vault" name = "ansible-modules-hashivault" optional = false python-versions = "*" -version = "3.17.7" +version = "4.5.6" [package.dependencies] ansible = ">=2.0.0" -hvac = ">=0.7.0" +hvac = ">=0.9.5" requests = "*" [[package]] @@ -33,12 +33,12 @@ description = "The AWS SDK for Python" name = "boto3" optional = false python-versions = "*" -version = "1.9.181" +version = "1.15.0" [package.dependencies] -botocore = ">=1.12.181,<1.13.0" +botocore = ">=1.18.0,<1.19.0" jmespath = ">=0.7.1,<1.0.0" -s3transfer = ">=0.2.0,<0.3.0" +s3transfer = ">=0.3.0,<0.4.0" [[package]] category = "main" @@ -46,18 +46,14 @@ description = "Low-level, data-driven core of boto 3." name = "botocore" optional = false python-versions = "*" -version = "1.12.181" +version = "1.18.0" [package.dependencies] -docutils = ">=0.10" jmespath = ">=0.7.1,<1.0.0" - -[package.dependencies.python-dateutil] -python = ">=2.7" -version = ">=2.1,<3.0.0" +python-dateutil = ">=2.1,<3.0.0" [package.dependencies.urllib3] -python = ">=2.7,<2.8 || >=3.4" +python = "<3.4.0 || >=3.5.0" version = ">=1.20,<1.26" [[package]] 
@@ -66,40 +62,57 @@ description = "Python package for providing Mozilla's CA Bundle." name = "certifi" optional = false python-versions = "*" -version = "2019.6.16" +version = "2020.6.20" [[package]] category = "main" -description = "Universal encoding detector for Python 2 and 3" -name = "chardet" +description = "Foreign Function Interface for Python calling C code." +name = "cffi" optional = false python-versions = "*" -version = "3.0.4" +version = "1.14.3" + +[package.dependencies] +pycparser = "*" [[package]] category = "main" -description = "DNS toolkit" -name = "dnspython" +description = "Universal encoding detector for Python 2 and 3" +name = "chardet" optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" -version = "1.16.0" +python-versions = "*" +version = "3.0.4" [[package]] category = "main" -description = "Docutils -- Python Documentation Utilities" -name = "docutils" +description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." 
+name = "cryptography" optional = false -python-versions = "*" -version = "0.14" +python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*" +version = "3.1" + +[package.dependencies] +cffi = ">=1.8,<1.11.3 || >1.11.3" +six = ">=1.4.1" + +[package.extras] +docs = ["sphinx (>=1.6.5,<1.8.0 || >1.8.0,<3.1.0 || >3.1.0,<3.1.1 || >3.1.1)", "sphinx-rtd-theme"] +docstest = ["doc8", "pyenchant (>=1.6.11)", "twine (>=1.12.0)", "sphinxcontrib-spelling (>=4.0.1)"] +pep8test = ["black", "flake8", "flake8-import-order", "pep8-naming"] +ssh = ["bcrypt (>=3.1.5)"] +test = ["pytest (>=3.6.0,<3.9.0 || >3.9.0,<3.9.1 || >3.9.1,<3.9.2 || >3.9.2)", "pretend", "iso8601", "pytz", "hypothesis (>=1.11.4,<3.79.2 || >3.79.2)"] [[package]] category = "main" -description = "Backport of the concurrent.futures package from Python 3" -marker = "python_version == \"2.6\" or python_version == \"2.7\"" -name = "futures" +description = "DNS toolkit" +name = "dnspython" optional = false -python-versions = ">=2.6, <3" -version = "3.2.0" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" +version = "1.16.0" + +[package.extras] +DNSSEC = ["pycryptodome", "ecdsa (>=0.13)"] +IDNA = ["idna (>=2.1)"] [[package]] category = "main" @@ -107,10 +120,14 @@ description = "HashiCorp Vault API client" name = "hvac" optional = false python-versions = "*" -version = "0.9.2" +version = "0.10.5" [package.dependencies] requests = ">=2.21.0" +six = ">=1.5.0" + +[package.extras] +parser = ["pyhcl (>=0.3.10)"] [[package]] category = "main" 
@@ -118,26 +135,46 @@ description = "Internationalized Domain Names in Applications (IDNA)" name = "idna" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" -version = "2.8" +version = "2.10" [[package]] category = "main" -description = "A small but fast and easy to use stand-alone template engine written in pure python." +description = "Read resources from Python packages" +marker = "python_version < \"3.7\"" +name = "importlib-resources" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" +version = "3.0.0" + +[package.dependencies] +[package.dependencies.zipp] +python = "<3.8" +version = ">=0.4" + +[package.extras] +docs = ["sphinx", "rst.linker", "jaraco.packaging"] + +[[package]] +category = "main" +description = "A very fast and expressive template engine." name = "jinja2" optional = false -python-versions = "*" -version = "2.10.1" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +version = "2.11.2" [package.dependencies] MarkupSafe = ">=0.23" +[package.extras] +i18n = ["Babel (>=0.8)"] + [[package]] category = "main" description = "JSON Matching Expressions" name = "jmespath" optional = false -python-versions = "*" -version = "0.9.4" +python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" +version = "0.10.0" [[package]] category = "main" 
@@ -153,24 +190,52 @@ description = "A network address manipulation library for Python" name = "netaddr" optional = false python-versions = "*" -version = "0.7.19" +version = "0.8.0" + +[package.dependencies] +[package.dependencies.importlib-resources] +python = "<3.7" +version = "*" [[package]] category = "main" description = "Python Build Reasonableness" name = "pbr" optional = false +python-versions = ">=2.6" +version = "5.5.0" + +[[package]] +category = "main" +description = "C parser in Python" +name = "pycparser" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" +version = "2.20" + +[[package]] +category = "main" +description = "Python wrapper module around the OpenSSL library" +name = "pyopenssl" +optional = false python-versions = "*" -version = "5.3.1" +version = "19.1.0" + +[package.dependencies] +cryptography = ">=2.8" +six = ">=1.5.2" + +[package.extras] +docs = ["sphinx", "sphinx-rtd-theme"] +test = ["flaky", "pretend", "pytest (>=3.0.1)"] [[package]] category = "main" description = "Extensions to the standard Python datetime module" -marker = "python_version >= \"2.7\"" name = "python-dateutil" optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" -version = "2.8.0" +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" +version = "2.8.1" [package.dependencies] six = ">=1.5" @@ -180,8 +245,8 @@ category = "main" description = "YAML parser and emitter for Python" name = "pyyaml" optional = false -python-versions = "*" -version = "5.1.1" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +version = "5.3.1" [[package]] category = "main" 
@@ -189,35 +254,17 @@ description = "Python HTTP for Humans." name = "requests" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" -version = "2.22.0" +version = "2.24.0" [package.dependencies] certifi = ">=2017.4.17" -chardet = ">=3.0.2,<3.1.0" -idna = ">=2.5,<2.9" +chardet = ">=3.0.2,<4" +idna = ">=2.5,<3" urllib3 = ">=1.21.1,<1.25.0 || >1.25.0,<1.25.1 || >1.25.1,<1.26" -[[package]] -category = "main" -description = "a version of dict that keeps keys in insertion resp. sorted order" -marker = "platform_python_implementation == \"CPython\" and python_version <= \"2.7\"" -name = "ruamel.ordereddict" -optional = false -python-versions = "*" -version = "0.4.13" - -[[package]] -category = "main" -description = "ruamel.yaml is a YAML parser/emitter that supports roundtrip preservation of comments, seq/map flow style, and map key order" -name = "ruamel.yaml" -optional = false -python-versions = "*" -version = "0.15.97" - -[package.dependencies] -[package.dependencies."ruamel.ordereddict"] -python = "<=2.7" -version = "*" +[package.extras] +security = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)"] +socks = ["PySocks (>=1.5.6,<1.5.7 || >1.5.7)", "win-inet-pton"] [[package]] category = "main" @@ -225,23 +272,18 @@ description = "An Amazon S3 Transfer Manager" name = "s3transfer" optional = false python-versions = "*" -version = "0.2.1" +version = "0.3.3" [package.dependencies] -botocore = ">=1.12.36,<2.0.0" - -[package.dependencies.futures] -python = ">=2.6,<2.8" -version = ">=2.2.0,<4.0.0" +botocore = ">=1.12.36,<2.0a.0" [[package]] category = "main" description = "Python 2 and 3 compatibility utilities" -marker = "python_version >= \"2.7\"" name = "six" optional = false -python-versions = ">=2.6, !=3.0.*, !=3.1.*" -version = "1.12.0" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" +version = "1.15.0" [[package]] category = "main" 
@@ -251,33 +293,225 @@ optional = false python-versions = "*" version = "1.22" +[package.extras] +secure = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "certifi", "ipaddress"] +socks = ["PySocks (>=1.5.6,<1.5.7 || >1.5.7,<2.0)"] + +[[package]] +category = "main" +description = "Backport of pathlib-compatible object wrapper for zip files" +name = "zipp" +optional = false +python-versions = ">=2.7" +version = "1.2.0" + +[package.extras] +docs = ["sphinx", "jaraco.packaging (>=3.2)", "rst.linker (>=1.9)"] +testing = ["pathlib2", "unittest2", "jaraco.itertools", "func-timeout"] + [metadata] -content-hash = "d523c92dd42556edd2d4bcaa8aeb4701507225f5e492169e7d5f0af854e89253" -python-versions = "^2.7 || >=3.5" - -[metadata.hashes] -ansible = ["e7e6de461b7d07cb4d8b2dd2a32b231af7c56e6bf39b851024671aaa52fd377e"] -ansible-modules-hashivault = ["1d323ba19e2b6459dfb5f14dee2cb79af8103a691c32fd65dc642bbf7eb82f2b"] -boto = ["147758d41ae7240dc989f0039f27da8ca0d53734be0eb869ef16e3adcfa462e8", "ea0d3b40a2d852767be77ca343b58a9e3a4b00d9db440efb8da74b4e58025e5a"] -boto3 = ["5e0e3e2a520cc289a36c053974afdd416292e0e8d2a7220a575cf992d6a890cd", "93625ceb73aa0eaab4fefba733562a6dfa1366b38a056edf5e53aa4fb97e0b3a"] -botocore = ["1a1594258b503adeb3d54b77c0b79151e546d76e8ebc62aa9258693e6cdd0f9b", "6dc20c4766cb0a4ff8b0993effe2550e3b4e4606265da37bcf8949610980da40"] -certifi = ["046832c04d4e752f37383b628bc601a7ea7211496b4638f6514d0e5b9acc4939", "945e3ba63a0b9f577b1395204e13c3a231f9bc0223888be653286534e5873695"] -chardet = ["84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", "fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"] -dnspython = ["36c5e8e38d4369a08b6780b7f27d790a292b2b08eea01607865bf0936c558e01", "f69c21288a962f4da86e56c4905b49d11aba7938d3d740e80d9e366ee4f1632d"] -docutils = ["02aec4bd92ab067f6ff27a38a38a41173bf01bed8f89157768c1573f53e474a6", "51e64ef2ebfb29cae1faa133b3710143496eca21c530f3f71424d77687764274", 
"7a4bd47eaf6596e1295ecb11361139febe29b084a87bf005bf899f9a42edc3c6"] -futures = ["9ec02aa7d674acb8618afb127e27fde7fc68994c0437ad759fa094a574adb265", "ec0a6cb848cc212002b9828c3e34c675e0c9ff6741dc445cab6fdd4e1085d1f1"] -hvac = ["0e558949d55c81550b03f1bef08981d7d3d4be6346f80d587a94eb6bf59b19f1", "bc853edddf6e2bf4f771eeb534e70ff550aa7f1d2976afd52f767e60afbd4679"] -idna = ["c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", "ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"] -jinja2 = ["065c4f02ebe7f7cf559e49ee5a95fb800a9e4528727aec6f24402a5374c65013", "14dd6caf1527abb21f08f86c784eac40853ba93edb79552aa1e4b8aef1b61c7b"] -jmespath = ["3720a4b1bd659dd2eecad0666459b9788813e032b83e7ba58578e48254e0a0e6", "bde2aef6f44302dfb30320115b17d030798de8c4110e28d5cf6cf91a7a31074c"] -markupsafe = ["00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473", "09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161", "09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235", "1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5", "24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff", "29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b", "43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1", "46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e", "500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183", "535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66", "62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1", "6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1", "717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e", "79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b", "7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905", "88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735", "8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d", 
"98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e", "9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d", "9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c", "ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21", "b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2", "b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5", "b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b", "ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6", "c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f", "cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f", "e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7"] -netaddr = ["38aeec7cdd035081d3a4c306394b19d677623bf76fa0913f6695127c7753aefd", "56b3558bd71f3f6999e4c52e349f38660e54a7a8a9943335f73dfc96883e08ca"] -pbr = ["9181e2a34d80f07a359ff1d0504fad3a47e00e1cf2c475b0aa7dcb030af54c40", "94bdc84da376b3dd5061aa0c3b6faffe943ee2e56fa4ff9bd63e1643932f34fc"] -python-dateutil = ["7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb", "c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e"] -pyyaml = ["57acc1d8533cbe51f6662a55434f0dbecfa2b9eaf115bede8f6fd00115a0c0d3", "588c94b3d16b76cfed8e0be54932e5729cc185caffaa5a451e7ad2f7ed8b4043", "68c8dd247f29f9a0d09375c9c6b8fdc64b60810ebf07ba4cdd64ceee3a58c7b7", "70d9818f1c9cd5c48bb87804f2efc8692f1023dac7f1a1a5c61d454043c1d265", "86a93cccd50f8c125286e637328ff4eef108400dd7089b46a7be3445eecfa391", "a0f329125a926876f647c9fa0ef32801587a12328b4a3c741270464e3e4fa778", "a3c252ab0fa1bb0d5a3f6449a4826732f3eb6c0270925548cac342bc9b22c225", "b4bb4d3f5e232425e25dda21c070ce05168a786ac9eda43768ab7f3ac2770955", "cd0618c5ba5bda5f4039b9398bb7fb6a317bb8298218c3de25c47c4740e4b95e", "ceacb9e5f8474dcf45b940578591c7f3d960e82f926c707788a570b51ba59190", "fe6a88094b64132c4bb3b631412e90032e8cfe9745a58370462240b8cb7553cd"] -requests = 
["11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", "9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"] -"ruamel.ordereddict" = ["08b4b19fe518d32251a5338e039c4dc9eb0876f2919f94c9b8d2f9446ea80806", "150ce8e6c514a2a2b62753622a75874962561f8e5eeec81a3172ab952807bf0b", "45541836cbfdde630033cae7bbbe35acbac87a0ceec79f944b7a3bedd940fe78", "854dd4a524811b16111b1107d8a751e4ca064d2bb103d3d91deab75de36b6620", "aee2fa23e884249b4284b728888c553d551e5bfd4de2731f10153fd7813ec55f", "bf0a198c8ce5d973c24e5dba12d3abc254996788ca6ad8448eabc6aa710db149"] -"ruamel.yaml" = ["17dbf6b7362e7aee8494f7a0f5cffd44902a6331fe89ef0853b855a7930ab845", "23731c9efb79f3f5609dedffeb6c5c47a68125fd3d4b157d9fc71b1cd49076a9", "2bbdd598ae57bac20968cf9028cc67d37d83bdb7942a94b9478110bc72193148", "34586084cdd60845a3e1bece2b58f0a889be25450db8cc0ea143ddf0f40557a2", "35957fedbb287b01313bb5c556ffdc70c0277c3500213b5e73dfd8716f748d77", "414cb87a40974a575830b406ffab4ab8c6cbd82eeb73abd2a9d1397c1f0223e1", "428775be75db68d908b17e4e8dda424c410222f170dc173246aa63e972d094b3", "514f670f7d36519bda504d507edfe63e3c20489f86c86d42bc4d9a6dbdf82c7b", "5cb962c1ac6887c5da29138fbbe3b4b7705372eb54e599907fa63d4cd743246d", "5f6e30282cf70fb7754e1a5f101e27b5240009766376e131b31ab49f14fe81be", "86f8e010af6af0b4f42de2d0d9b19cb441e61d3416082186f9dd03c8552d13ad", "8d47ed1e557d546bd2dfe54f504d7274274602ff7a0652cde84c258ad6c2d96d", "98668876720bce1ac08562d8b93a564a80e3397e442c7ea19cebdcdf73da7f74", "9e1f0ddc18d8355dcf5586a5d90417df56074f237812b8682a93b62cca9d2043", "a7bc812a72a79d6b7dbb96fa5bee3950464b65ec055d3abc4db6572f2373a95c", "b72e13f9f206ee103247b07afd5a39c8b1aa98e8eba80ddba184d030337220ba", "bcff8ea9d916789e85e24beed8830c157fb8bc7c313e554733a8151540e66c01", "c76e78b3bab652069b8d6f7889b0e72f3455c2b854b2e0a8818393d149ad0a0d"] -s3transfer = ["6efc926738a3cd576c2a79725fed9afde92378aa5c6a957e3af010cb019fac9d", "b780f2411b824cb541dbcd2c713d0cb61c7d1bcadae204cdddda2b35cef493ba"] -six = 
["3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", "d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"] -urllib3 = ["06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b", "cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f"] +content-hash = "ebbaf43971e69ff35f6df78246be41d3bc2b7b7f0dc3807cbeba4e04291beba9" +lock-version = "1.0" +python-versions = ">=3.5" + +[metadata.files] +ansible = [ + {file = "ansible-2.7.18.tar.gz", hash = "sha256:a1056225ddf53b3878d859aedc610138f39ceb8eb0445f0688034b8f9582fa69"}, +] +ansible-modules-hashivault = [ + {file = "ansible-modules-hashivault-4.5.6.tar.gz", hash = "sha256:070ec222c4a31534efc4429acc2ca001e2429b62c3d1ad704e48162d0959ca50"}, +] +boto = [ + {file = "boto-2.49.0-py2.py3-none-any.whl", hash = "sha256:147758d41ae7240dc989f0039f27da8ca0d53734be0eb869ef16e3adcfa462e8"}, + {file = "boto-2.49.0.tar.gz", hash = "sha256:ea0d3b40a2d852767be77ca343b58a9e3a4b00d9db440efb8da74b4e58025e5a"}, +] +boto3 = [ + {file = "boto3-1.15.0-py2.py3-none-any.whl", hash = "sha256:28bf1bce2979d4d1674d63b1b4d6ac30b6844b5d3604e69d8847b18602588861"}, + {file = "boto3-1.15.0.tar.gz", hash = "sha256:78f3ebcdff149d5327f27a5c461a9e394306b7db9a60e8bd65c9401cc41d99d3"}, +] +botocore = [ + {file = "botocore-1.18.0-py2.py3-none-any.whl", hash = "sha256:f3d509f06201582e60523263d52016b50415461bc6a03afb5434f477a1de3ba0"}, + {file = "botocore-1.18.0.tar.gz", hash = "sha256:1dbd37af06432eda8a5736bd82f92ddd1ae8de74e4faa090bd728f8d58d24849"}, +] +certifi = [ + {file = "certifi-2020.6.20-py2.py3-none-any.whl", hash = "sha256:8fc0819f1f30ba15bdb34cceffb9ef04d99f420f68eb75d901e9560b8749fc41"}, + {file = "certifi-2020.6.20.tar.gz", hash = "sha256:5930595817496dd21bb8dc35dad090f1c2cd0adfaf21204bf6732ca5d8ee34d3"}, +] +cffi = [ + {file = "cffi-1.14.3-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:485d029815771b9fe4fa7e1c304352fe57df6939afe835dfd0182c7c13d5e92e"}, + {file = 
"cffi-1.14.3-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:3cb3e1b9ec43256c4e0f8d2837267a70b0e1ca8c4f456685508ae6106b1f504c"}, + {file = "cffi-1.14.3-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:f0620511387790860b249b9241c2f13c3a80e21a73e0b861a2df24e9d6f56730"}, + {file = "cffi-1.14.3-cp27-cp27m-win32.whl", hash = "sha256:005f2bfe11b6745d726dbb07ace4d53f057de66e336ff92d61b8c7e9c8f4777d"}, + {file = "cffi-1.14.3-cp27-cp27m-win_amd64.whl", hash = "sha256:2f9674623ca39c9ebe38afa3da402e9326c245f0f5ceff0623dccdac15023e05"}, + {file = "cffi-1.14.3-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:09e96138280241bd355cd585148dec04dbbedb4f46128f340d696eaafc82dd7b"}, + {file = "cffi-1.14.3-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:3363e77a6176afb8823b6e06db78c46dbc4c7813b00a41300a4873b6ba63b171"}, + {file = "cffi-1.14.3-cp35-cp35m-macosx_10_9_x86_64.whl", hash = "sha256:52bf29af05344c95136df71716bb60508bbd217691697b4307dcae681612db9f"}, + {file = "cffi-1.14.3-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:0ef488305fdce2580c8b2708f22d7785ae222d9825d3094ab073e22e93dfe51f"}, + {file = "cffi-1.14.3-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:0b1ad452cc824665ddc682400b62c9e4f5b64736a2ba99110712fdee5f2505c4"}, + {file = "cffi-1.14.3-cp35-cp35m-win32.whl", hash = "sha256:85ba797e1de5b48aa5a8427b6ba62cf69607c18c5d4eb747604b7302f1ec382d"}, + {file = "cffi-1.14.3-cp35-cp35m-win_amd64.whl", hash = "sha256:e66399cf0fc07de4dce4f588fc25bfe84a6d1285cc544e67987d22663393926d"}, + {file = "cffi-1.14.3-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:c687778dda01832555e0af205375d649fa47afeaeeb50a201711f9a9573323b8"}, + {file = "cffi-1.14.3-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:15f351bed09897fbda218e4db5a3d5c06328862f6198d4fb385f3e14e19decb3"}, + {file = "cffi-1.14.3-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:4d7c26bfc1ea9f92084a1d75e11999e97b62d63128bcc90c3624d07813c52808"}, + {file = "cffi-1.14.3-cp36-cp36m-manylinux2014_aarch64.whl", hash = 
"sha256:23e5d2040367322824605bc29ae8ee9175200b92cb5483ac7d466927a9b3d537"}, + {file = "cffi-1.14.3-cp36-cp36m-win32.whl", hash = "sha256:a624fae282e81ad2e4871bdb767e2c914d0539708c0f078b5b355258293c98b0"}, + {file = "cffi-1.14.3-cp36-cp36m-win_amd64.whl", hash = "sha256:de31b5164d44ef4943db155b3e8e17929707cac1e5bd2f363e67a56e3af4af6e"}, + {file = "cffi-1.14.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:03d3d238cc6c636a01cf55b9b2e1b6531a7f2f4103fabb5a744231582e68ecc7"}, + {file = "cffi-1.14.3-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:f92cdecb618e5fa4658aeb97d5eb3d2f47aa94ac6477c6daf0f306c5a3b9e6b1"}, + {file = "cffi-1.14.3-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:22399ff4870fb4c7ef19fff6eeb20a8bbf15571913c181c78cb361024d574579"}, + {file = "cffi-1.14.3-cp37-cp37m-manylinux2014_aarch64.whl", hash = "sha256:f4eae045e6ab2bb54ca279733fe4eb85f1effda392666308250714e01907f394"}, + {file = "cffi-1.14.3-cp37-cp37m-win32.whl", hash = "sha256:b0358e6fefc74a16f745afa366acc89f979040e0cbc4eec55ab26ad1f6a9bfbc"}, + {file = "cffi-1.14.3-cp37-cp37m-win_amd64.whl", hash = "sha256:6642f15ad963b5092d65aed022d033c77763515fdc07095208f15d3563003869"}, + {file = "cffi-1.14.3-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:c2a33558fdbee3df370399fe1712d72464ce39c66436270f3664c03f94971aff"}, + {file = "cffi-1.14.3-cp38-cp38-manylinux1_i686.whl", hash = "sha256:2791f68edc5749024b4722500e86303a10d342527e1e3bcac47f35fbd25b764e"}, + {file = "cffi-1.14.3-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:529c4ed2e10437c205f38f3691a68be66c39197d01062618c55f74294a4a4828"}, + {file = "cffi-1.14.3-cp38-cp38-manylinux2014_aarch64.whl", hash = "sha256:8f0f1e499e4000c4c347a124fa6a27d37608ced4fe9f7d45070563b7c4c370c9"}, + {file = "cffi-1.14.3-cp38-cp38-win32.whl", hash = "sha256:3b8eaf915ddc0709779889c472e553f0d3e8b7bdf62dab764c8921b09bf94522"}, + {file = "cffi-1.14.3-cp38-cp38-win_amd64.whl", hash = "sha256:bbd2f4dfee1079f76943767fce837ade3087b578aeb9f69aec7857d5bf25db15"}, + {file = 
"cffi-1.14.3-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5d9a7dc7cf8b1101af2602fe238911bcc1ac36d239e0a577831f5dac993856e9"}, + {file = "cffi-1.14.3-cp39-cp39-manylinux1_i686.whl", hash = "sha256:cc75f58cdaf043fe6a7a6c04b3b5a0e694c6a9e24050967747251fb80d7bce0d"}, + {file = "cffi-1.14.3-cp39-cp39-manylinux1_x86_64.whl", hash = "sha256:bf39a9e19ce7298f1bd6a9758fa99707e9e5b1ebe5e90f2c3913a47bc548747c"}, + {file = "cffi-1.14.3-cp39-cp39-win32.whl", hash = "sha256:d80998ed59176e8cba74028762fbd9b9153b9afc71ea118e63bbf5d4d0f9552b"}, + {file = "cffi-1.14.3-cp39-cp39-win_amd64.whl", hash = "sha256:c150eaa3dadbb2b5339675b88d4573c1be3cb6f2c33a6c83387e10cc0bf05bd3"}, + {file = "cffi-1.14.3.tar.gz", hash = "sha256:f92f789e4f9241cd262ad7a555ca2c648a98178a953af117ef7fad46aa1d5591"}, +] +chardet = [ + {file = "chardet-3.0.4-py2.py3-none-any.whl", hash = "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"}, + {file = "chardet-3.0.4.tar.gz", hash = "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae"}, +] +cryptography = [ + {file = "cryptography-3.1-cp27-cp27m-macosx_10_10_x86_64.whl", hash = "sha256:969ae512a250f869c1738ca63be843488ff5cc031987d302c1f59c7dbe1b225f"}, + {file = "cryptography-3.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:b45ab1c6ece7c471f01c56f5d19818ca797c34541f0b2351635a5c9fe09ac2e0"}, + {file = "cryptography-3.1-cp27-cp27m-manylinux2010_x86_64.whl", hash = "sha256:247df238bc05c7d2e934a761243bfdc67db03f339948b1e2e80c75d41fc7cc36"}, + {file = "cryptography-3.1-cp27-cp27m-win32.whl", hash = "sha256:10c9775a3f31610cf6b694d1fe598f2183441de81cedcf1814451ae53d71b13a"}, + {file = "cryptography-3.1-cp27-cp27m-win_amd64.whl", hash = "sha256:9f734423eb9c2ea85000aa2476e0d7a58e021bc34f0a373ac52a5454cd52f791"}, + {file = "cryptography-3.1-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:e7563eb7bc5c7e75a213281715155248cceba88b11cb4b22957ad45b85903761"}, + {file = "cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl", 
hash = "sha256:94191501e4b4009642be21dde2a78bd3c2701a81ee57d3d3d02f1d99f8b64a9e"}, + {file = "cryptography-3.1-cp35-abi3-macosx_10_10_x86_64.whl", hash = "sha256:dc3f437ca6353979aace181f1b790f0fc79e446235b14306241633ab7d61b8f8"}, + {file = "cryptography-3.1-cp35-abi3-manylinux1_x86_64.whl", hash = "sha256:725875681afe50b41aee7fdd629cedbc4720bab350142b12c55c0a4d17c7416c"}, + {file = "cryptography-3.1-cp35-abi3-manylinux2010_x86_64.whl", hash = "sha256:321761d55fb7cb256b771ee4ed78e69486a7336be9143b90c52be59d7657f50f"}, + {file = "cryptography-3.1-cp35-abi3-manylinux2014_aarch64.whl", hash = "sha256:2a27615c965173c4c88f2961cf18115c08fedfb8bdc121347f26e8458dc6d237"}, + {file = "cryptography-3.1-cp35-cp35m-win32.whl", hash = "sha256:e7dad66a9e5684a40f270bd4aee1906878193ae50a4831922e454a2a457f1716"}, + {file = "cryptography-3.1-cp35-cp35m-win_amd64.whl", hash = "sha256:4005b38cd86fc51c955db40b0f0e52ff65340874495af72efabb1bb8ca881695"}, + {file = "cryptography-3.1-cp36-abi3-win32.whl", hash = "sha256:cc6096c86ec0de26e2263c228fb25ee01c3ff1346d3cfc219d67d49f303585af"}, + {file = "cryptography-3.1-cp36-abi3-win_amd64.whl", hash = "sha256:2e26223ac636ca216e855748e7d435a1bf846809ed12ed898179587d0cf74618"}, + {file = "cryptography-3.1-cp36-cp36m-win32.whl", hash = "sha256:7a63e97355f3cd77c94bd98c59cb85fe0efd76ea7ef904c9b0316b5bbfde6ed1"}, + {file = "cryptography-3.1-cp36-cp36m-win_amd64.whl", hash = "sha256:4b9e96543d0784acebb70991ebc2dbd99aa287f6217546bb993df22dd361d41c"}, + {file = "cryptography-3.1-cp37-cp37m-win32.whl", hash = "sha256:eb80a288e3cfc08f679f95da72d2ef90cb74f6d8a8ba69d2f215c5e110b2ca32"}, + {file = "cryptography-3.1-cp37-cp37m-win_amd64.whl", hash = "sha256:180c9f855a8ea280e72a5d61cf05681b230c2dce804c48e9b2983f491ecc44ed"}, + {file = "cryptography-3.1-cp38-cp38-win32.whl", hash = "sha256:fa7fbcc40e2210aca26c7ac8a39467eae444d90a2c346cbcffd9133a166bcc67"}, + {file = "cryptography-3.1-cp38-cp38-win_amd64.whl", hash = 
"sha256:548b0818e88792318dc137d8b1ec82a0ab0af96c7f0603a00bb94f896fbf5e10"}, + {file = "cryptography-3.1.tar.gz", hash = "sha256:26409a473cc6278e4c90f782cd5968ebad04d3911ed1c402fc86908c17633e08"}, +] +dnspython = [ + {file = "dnspython-1.16.0-py2.py3-none-any.whl", hash = "sha256:f69c21288a962f4da86e56c4905b49d11aba7938d3d740e80d9e366ee4f1632d"}, + {file = "dnspython-1.16.0.zip", hash = "sha256:36c5e8e38d4369a08b6780b7f27d790a292b2b08eea01607865bf0936c558e01"}, +] +hvac = [ + {file = "hvac-0.10.5-py2.py3-none-any.whl", hash = "sha256:9eb929ba0f00f5886f49f31513eb274fd8adf54607864afd6e71b59243a34e0d"}, + {file = "hvac-0.10.5.tar.gz", hash = "sha256:87dc2a3183c1d4595990203e752b430155d7582a60850dfe0756189a233d4b57"}, +] +idna = [ + {file = "idna-2.10-py2.py3-none-any.whl", hash = "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"}, + {file = "idna-2.10.tar.gz", hash = "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6"}, +] +importlib-resources = [ + {file = "importlib_resources-3.0.0-py2.py3-none-any.whl", hash = "sha256:d028f66b66c0d5732dae86ba4276999855e162a749c92620a38c1d779ed138a7"}, + {file = "importlib_resources-3.0.0.tar.gz", hash = "sha256:19f745a6eca188b490b1428c8d1d4a0d2368759f32370ea8fb89cad2ab1106c3"}, +] +jinja2 = [ + {file = "Jinja2-2.11.2-py2.py3-none-any.whl", hash = "sha256:f0a4641d3cf955324a89c04f3d94663aa4d638abe8f733ecd3582848e1c37035"}, + {file = "Jinja2-2.11.2.tar.gz", hash = "sha256:89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0"}, +] +jmespath = [ + {file = "jmespath-0.10.0-py2.py3-none-any.whl", hash = "sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f"}, + {file = "jmespath-0.10.0.tar.gz", hash = "sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9"}, +] +markupsafe = [ + {file = "MarkupSafe-1.1.1-cp27-cp27m-macosx_10_6_intel.whl", hash = "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161"}, + {file = 
"MarkupSafe-1.1.1-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7"}, + {file = "MarkupSafe-1.1.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183"}, + {file = "MarkupSafe-1.1.1-cp27-cp27m-win32.whl", hash = "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b"}, + {file = "MarkupSafe-1.1.1-cp27-cp27m-win_amd64.whl", hash = "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e"}, + {file = "MarkupSafe-1.1.1-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f"}, + {file = "MarkupSafe-1.1.1-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-macosx_10_6_intel.whl", hash = "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-manylinux1_i686.whl", hash = "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-manylinux1_x86_64.whl", hash = "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-win32.whl", hash = "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21"}, + {file = "MarkupSafe-1.1.1-cp34-cp34m-win_amd64.whl", hash = "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235"}, + {file = "MarkupSafe-1.1.1-cp35-cp35m-macosx_10_6_intel.whl", hash = "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b"}, + {file = "MarkupSafe-1.1.1-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f"}, + {file = "MarkupSafe-1.1.1-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905"}, + {file = 
"MarkupSafe-1.1.1-cp35-cp35m-win32.whl", hash = "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1"}, + {file = "MarkupSafe-1.1.1-cp35-cp35m-win_amd64.whl", hash = "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-macosx_10_6_intel.whl", hash = "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-win32.whl", hash = "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66"}, + {file = "MarkupSafe-1.1.1-cp36-cp36m-win_amd64.whl", hash = "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-macosx_10_6_intel.whl", hash = "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-win32.whl", hash = "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2"}, + {file = "MarkupSafe-1.1.1-cp37-cp37m-win_amd64.whl", hash = "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c"}, + {file = "MarkupSafe-1.1.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15"}, + {file = "MarkupSafe-1.1.1-cp38-cp38-manylinux1_i686.whl", hash = "sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2"}, + {file = 
"MarkupSafe-1.1.1-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42"}, + {file = "MarkupSafe-1.1.1-cp38-cp38-win32.whl", hash = "sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b"}, + {file = "MarkupSafe-1.1.1-cp38-cp38-win_amd64.whl", hash = "sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be"}, + {file = "MarkupSafe-1.1.1.tar.gz", hash = "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b"}, +] +netaddr = [ + {file = "netaddr-0.8.0-py2.py3-none-any.whl", hash = "sha256:9666d0232c32d2656e5e5f8d735f58fd6c7457ce52fc21c98d45f2af78f990ac"}, + {file = "netaddr-0.8.0.tar.gz", hash = "sha256:d6cc57c7a07b1d9d2e917aa8b36ae8ce61c35ba3fcd1b83ca31c5a0ee2b5a243"}, +] +pbr = [ + {file = "pbr-5.5.0-py2.py3-none-any.whl", hash = "sha256:5adc0f9fc64319d8df5ca1e4e06eea674c26b80e6f00c530b18ce6a6592ead15"}, + {file = "pbr-5.5.0.tar.gz", hash = "sha256:14bfd98f51c78a3dd22a1ef45cf194ad79eee4a19e8e1a0d5c7f8e81ffe182ea"}, +] +pycparser = [ + {file = "pycparser-2.20-py2.py3-none-any.whl", hash = "sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705"}, + {file = "pycparser-2.20.tar.gz", hash = "sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0"}, +] +pyopenssl = [ + {file = "pyOpenSSL-19.1.0-py2.py3-none-any.whl", hash = "sha256:621880965a720b8ece2f1b2f54ea2071966ab00e2970ad2ce11d596102063504"}, + {file = "pyOpenSSL-19.1.0.tar.gz", hash = "sha256:9a24494b2602aaf402be5c9e30a0b82d4a5c67528fe8fb475e3f3bc00dd69507"}, +] +python-dateutil = [ + {file = "python-dateutil-2.8.1.tar.gz", hash = "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c"}, + {file = "python_dateutil-2.8.1-py2.py3-none-any.whl", hash = "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"}, +] +pyyaml = [ + {file = "PyYAML-5.3.1-cp27-cp27m-win32.whl", hash = 
"sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f"}, + {file = "PyYAML-5.3.1-cp27-cp27m-win_amd64.whl", hash = "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76"}, + {file = "PyYAML-5.3.1-cp35-cp35m-win32.whl", hash = "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2"}, + {file = "PyYAML-5.3.1-cp35-cp35m-win_amd64.whl", hash = "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c"}, + {file = "PyYAML-5.3.1-cp36-cp36m-win32.whl", hash = "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2"}, + {file = "PyYAML-5.3.1-cp36-cp36m-win_amd64.whl", hash = "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648"}, + {file = "PyYAML-5.3.1-cp37-cp37m-win32.whl", hash = "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a"}, + {file = "PyYAML-5.3.1-cp37-cp37m-win_amd64.whl", hash = "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf"}, + {file = "PyYAML-5.3.1-cp38-cp38-win32.whl", hash = "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97"}, + {file = "PyYAML-5.3.1-cp38-cp38-win_amd64.whl", hash = "sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee"}, + {file = "PyYAML-5.3.1.tar.gz", hash = "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d"}, +] +requests = [ + {file = "requests-2.24.0-py2.py3-none-any.whl", hash = "sha256:fe75cc94a9443b9246fc7049224f75604b113c36acb93f87b80ed42c44cbb898"}, + {file = "requests-2.24.0.tar.gz", hash = "sha256:b3559a131db72c33ee969480840fff4bb6dd111de7dd27c8ee1f820f4f00231b"}, +] +s3transfer = [ + {file = "s3transfer-0.3.3-py2.py3-none-any.whl", hash = "sha256:2482b4259524933a022d59da830f51bd746db62f047d6eb213f2f8855dcb8a13"}, + {file = "s3transfer-0.3.3.tar.gz", hash = "sha256:921a37e2aefc64145e7b73d50c71bb4f26f46e4c9f414dc648c6245ff92cf7db"}, +] +six = [ + {file = "six-1.15.0-py2.py3-none-any.whl", hash = 
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"}, + {file = "six-1.15.0.tar.gz", hash = "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259"}, +] +urllib3 = [ + {file = "urllib3-1.22-py2.py3-none-any.whl", hash = "sha256:06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b"}, + {file = "urllib3-1.22.tar.gz", hash = "sha256:cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f"}, +] +zipp = [ + {file = "zipp-1.2.0-py2.py3-none-any.whl", hash = "sha256:e0d9e63797e483a30d27e09fffd308c59a700d365ec34e93cc100844168bf921"}, + {file = "zipp-1.2.0.tar.gz", hash = "sha256:c70410551488251b0fee67b460fb9a536af8d6f9f008ad10ac51f615b6a521b1"}, +] diff --git a/ansible/provision-sft.yml b/ansible/provision-sft.yml new file mode 100644 index 000000000..f2ec99bfb --- /dev/null +++ b/ansible/provision-sft.yml @@ -0,0 +1,11 @@ +# This role requires access to s3 buckets and has a few variables that need to +# be set. When run with any variables missing, it will complain about those +# variables. +- hosts: localhost + become: no + roles: + - role: sft-monitoring-certs + +- hosts: sft_servers + roles: + - role: sft-server diff --git a/ansible/pyproject.toml b/ansible/pyproject.toml index cf2e46100..ca580b16a 100644 --- a/ansible/pyproject.toml +++ b/ansible/pyproject.toml @@ -5,7 +5,7 @@ description = "" authors = ["jschaul "] [tool.poetry.dependencies] -python = "^2.7 || >=3.5" +python = ">=3.5" ansible = "2.7.*" ansible-modules-hashivault = "*" boto = "*" @@ -16,8 +16,11 @@ jinja2 = ">= 2.10.1" pbr = "^5.2" hvac = ">= 0.8" jmespath = ">= 0.9.4" -"ruamel.yaml" = ">= 0.15.96" +# "ruamel.yaml" = ">= 0.15.96" PyYAML = "*" +pyOpenSSL = "*" +zipp = "*" # Not a real dependency, but poetry2nix doesn't work without this, I + # don't understand enough nix to debug this. [tool.poetry.dev-dependencies] diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 9a7ca2612..8bc65623a 100644 --- a/ansible/requirements.yml 
+++ b/ansible/requirements.yml @@ -63,3 +63,7 @@ - src: git+https://github.com/nickhammond/ansible-logrotate.git name: logrotate version: "91d570f68c44261d2051a99a2b3c7d736306bf0d" # 2018-02-16 + +- src: git+https://github.com/wireapp/ansible-sft.git + name: sft + version: "20d4f19685777ed3f4d11fa100bdbdd4a7e2ce1f" # master (2020-09-16) diff --git a/nix/sources.json b/nix/sources.json new file mode 100644 index 000000000..bed1841de --- /dev/null +++ b/nix/sources.json 
@@ -0,0 +1,38 @@ +{ + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "fad2a6cbfb2e7cdebb7cb0ad2f5cc91e2c9bc06b", + "sha256": "0mghc1j0rd15spdjx81bayjqr0khc062cs25y5dcfzlxk4ynyc6m", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/fad2a6cbfb2e7cdebb7cb0ad2f5cc91e2c9bc06b.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs": { + "branch": "nixpkgs-unstable", + "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", + "homepage": "https://github.com/NixOS/nixpkgs", + "owner": "NixOS", + "repo": "nixpkgs-channels", + "rev": "707bed528c3c8df388175656d441b672fac68942", + "sha256": "11i5iqz513whaq40q391rlqd36fdj6hs86pqbsgdnxfsjasarf3y", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs-channels/archive/707bed528c3c8df388175656d441b672fac68942.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "poetry2nix": { + "branch": "master", + "description": "Convert poetry projects to nix automagically [maintainer=@adisbladis] ", + "homepage": "", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "ab40bbdc964b7cc0a69d6f9ce77afbc79bb6e815", + "sha256": "0ysygfhd4w6vh5nz6vm9npshzq00fb9cc7qawrin10lkai2xcgd1", + "type": "tarball", + "url": "https://github.com/nix-community/poetry2nix/archive/ab40bbdc964b7cc0a69d6f9ce77afbc79bb6e815.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/nix/sources.nix b/nix/sources.nix new file mode 100644 index 000000000..8a725cb4e --- /dev/null +++ b/nix/sources.nix 
@@ -0,0 +1,134 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: spec: + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; } + else + pkgs.fetchurl { inherit (spec) url sha256; }; + + fetch_tarball = pkgs: spec: + if spec.builtin or true then + builtins_fetchTarball { inherit (spec) url sha256; } + else + pkgs.fetchzip { inherit (spec) url sha256; }; + + fetch_git = spec: + builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; }; + + fetch_builtin-tarball = spec: + builtins.trace + '' + WARNING: + The niv type "builtin-tarball" will soon be deprecated. You should + instead use `builtin = true`. + + $ niv modify -a type=tarball -a builtin=true + '' + builtins_fetchTarball { inherit (spec) url sha256; }; + + fetch_builtin-url = spec: + builtins.trace + '' + WARNING: + The niv type "builtin-url" will soon be deprecated. You should + instead use `builtin = true`. + + $ niv modify -a type=file -a builtin=true + '' + (builtins_fetchurl { inherit (spec) url sha256; }); + + # + # Various helpers + # + + # The set of packages used when specs are fetched using non-builtins. + mkPkgs = sources: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) {}; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! 
builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs spec + else if spec.type == "tarball" then fetch_tarball pkgs spec + else if spec.type == "git" then fetch_git spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball spec + else if spec.type == "builtin-url" then fetch_builtin-url spec + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball { inherit url; } + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl { inherit url; } + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = fetch config.pkgs name spec; } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? ./sources.json + , sources ? builtins.fromJSON (builtins.readFile sourcesFile) + , pkgs ? mkPkgs sources + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. 
non-builtin fetchers + inherit pkgs; + }; +in +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/shell.nix b/shell.nix index 7047a9d83..bedd3e6ef 100644 --- a/shell.nix +++ b/shell.nix @@ -1,8 +1,28 @@ -{ pkgs ? import {}}: -pkgs.mkShell { - buildInputs = [ - pkgs.kubectl - pkgs.kubernetes-helm - pkgs.python27Packages.poetry +let + sources = import ./nix/sources.nix; + + pkgs = import sources.nixpkgs { + overlays = [ (import (sources.poetry2nix + "/overlay.nix")) ]; + }; + + poetryEnv = pkgs.poetry2nix.mkPoetryEnv { + projectDir = ./ansible; + python = pkgs.python37; + overrides = pkgs.poetry2nix.overrides.withDefaults ( self: super: { + psutil = super.psutil.overridePythonAttrs (old: rec { + doCheck = false; + }); + paramiko = super.paramiko.overridePythonAttrs (old: rec { + doCheck = false; + }); + }); + }; +in +pkgs.mkShell{ + name = "wire-server-deploy"; + nativeBuildInputs = [ poetryEnv ] ; + buildInputs = with pkgs; [ + terraform_0_13 + python37Packages.poetry ]; } diff --git a/terraform/README.md b/terraform/README.md new file mode 100644 index 000000000..53bbd7d3c --- /dev/null +++ b/terraform/README.md 
@@ -0,0 +1,67 @@ +# Terraform for wire-server + +This directory contains (aspires to contain) all the terraform required to setup +wire-server. The `environment` directory is to be considered the "root" +directory of terraform. + +## How to create a new environment + +Recommended: Use nix-shell from the root of this repository to ensure that you +have the right version of terraform. + +Run all commands from `terraform/environment` directory. + +1. Export `ENV_DIR` environment variable to a directory where you want to store + data specific to an environment. Ensure that this directory exists. + + For Wire employees, please create this directory in `cailleach/environments`. + If cailleach is not checked-out as a sibling directory to wire-server-deploy, + please export `CAILLEACH_DIR` as absolute path to the cailleach directory. + Additionally, export `ENV` as the name of the environment. For the rest of + this README, please consider `ENV_DIR` to be + `${CAILLEACH_DIR}/environments/${ENV}`. +1. Create backend-config in `"$ENV_DIR/backend.tfvars` which looks like this: + ```tf + region = "" + bucket = "" + key = "" + dynamodb_table = "" + ``` + + Please refer to [s3 backend + docs](https://www.terraform.io/docs/backends/types/s3.html) for details. +1. Create token from hetzner cloud and put the following contents (including the export) + in a file called `$ENV_DIR/hcloud-token.dec`[1]: + ``` + export HCLOUD_TOKEN= + ``` +1. Create ssh key-pair, put the private key in a file called + `$ENV_DIR/operator-ssh.dec`[1]. Example: + + ```bash + ssh-keygen -o -a 100 -t ed25519 -f "$ENV_DIR/operator-ssh.dec" -C "example@example.com" + # see footnote 2 if you're a wire employee + ``` +1. Create variables for the environment in `$ENV_DIR/terraform.tfvars`, example: + ```tf + environment = + sft_server_names = ["1", "2"] + root_domain = "example.com" + operator_ssh_public_key = + ``` + Delete operator-ssh.dec.pub. +1. Initialiaze terraform + ``` + make init + ``` +1. 
Apply terraform + ``` + make apply + ``` +1. To bootstrap the nodes, please refer to the [ansible README](../ansible/README.md) + +[1]For wire employees: Encrypt this file using `sops`, it will not +work in the `nix-shell`, so change shell as needed. + +[2]For wire employees: Use "backend+${ENV}-operator@wire.com" as a +convention. diff --git a/terraform/environment/Makefile b/terraform/environment/Makefile new file mode 100644 index 000000000..19c365620 --- /dev/null +++ b/terraform/environment/Makefile @@ -0,0 +1,31 @@ +ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) +# Please ignore this if you're not a wire employee +CAILLEACH_DIR:=$(abspath ${ROOT_DIR}/../../../cailleach) +SHELL:=/usr/bin/env bash + +.PHONY: init +init: check-env + cd ${ENV_DIR} && \ + terraform init -backend-config=${ENV_DIR}/backend.tfvars ${ROOT_DIR} + +.PHONY: apply +apply: check-env + cd ${ENV_DIR} && \ + source hcloud-token.dec && \ + terraform apply -var 'inventory_file=./gen/terraform-inventory.yml' ${ROOT_DIR} + +.PHONY: destroy +destroy: check-env + cd ${ENV_DIR} && \ + source hcloud-token.dec && \ + terraform destroy -var 'inventory_file=./gen/terraform-inventory.yml' ${ROOT_DIR} + +.PHONY: check-env +check-env: +ifndef ENV_DIR +ifndef ENV + $(error please define either ENV or ENV_DIR) +else +ENV_DIR=${CAILLEACH_DIR}/environments/${ENV} +endif +endif diff --git a/terraform/environment/aws.tf b/terraform/environment/aws.tf new file mode 100644 index 000000000..46595d608 --- /dev/null +++ b/terraform/environment/aws.tf @@ -0,0 +1,7 @@ +variable "aws_region" { + default = "eu-central-1" +} + +provider "aws" { + region = var.aws_region +} diff --git a/terraform/environment/hcloud.tf b/terraform/environment/hcloud.tf new file mode 100644 index 000000000..a4bf30e21 --- /dev/null +++ b/terraform/environment/hcloud.tf 
@@ -0,0 +1,20 @@
+variable "hcloud_image" {
+ default = "ubuntu-18.04"
+}
+
+variable "hcloud_location" {
+ default = "nbg1"
+}
+
+variable "operator_ssh_public_key" {
+ type = string
+}
+
+provider "hcloud" {
+ # NOTE: You must have a HCLOUD_TOKEN environment variable set!
+}
+
+resource "hcloud_ssh_key" "operator_ssh" {
+ name = "${var.environment}-operator"
+ public_key = var.operator_ssh_public_key
+}
diff --git a/terraform/environment/inventory.tf b/terraform/environment/inventory.tf
new file mode 100644
index 000000000..104f3042f
--- /dev/null
+++ b/terraform/environment/inventory.tf
@@ -0,0 +1,28 @@
+# Generates an inventory file to be used by ansible. Ideally, we would generate this
+# outside terraform using outputs, but it is not possible to use 'terraform
+# output' when the init directory is different from the root code directory.
+# Terrform Issue: https://github.com/hashicorp/terraform/issues/17300
+resource "local_file" "inventory" {
+ filename = var.inventory_file
+ content = jsonencode({
+ "sft_servers" = {
+ "hosts" = { for instance in module.sft[0].sft.instances : instance.hostname => {
+ "ansible_host" = instance.ipaddress
+ "ansible_ssh_user" = "root"
+ "ansible_python_interpreter" = "/usr/bin/python3"
+ "sft_fqdn" = instance.fqdn
+
+ "announcer_zone_domain" = var.root_domain
+ "announcer_aws_key_id" = module.sft[0].sft.aws_key_id
+ "announcer_aws_access_key" = module.sft[0].sft.aws_access_key
+ "announcer_aws_region" = module.sft[0].sft.aws_region
+ "announcer_srv_records" = {
+ "sft" = {
+ "name" = "_sft._tcp.${var.environment}"
+ "target" = instance.fqdn
+ }
+ }
+ }}
+ }
+ })
+}
diff --git a/terraform/environment/main.tf b/terraform/environment/main.tf
new file mode 100644
index 000000000..62edef8f7
--- /dev/null
+++ b/terraform/environment/main.tf
@@ -0,0 +1,11 @@
+variable "environment" {
+ type = string
+}
+
+variable "root_domain" {
+ type = string
+}
+
+variable "inventory_file" {
+ type = string
+}
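Review bot: In `terraform/environment/inventory.tf`, `"announcer_aws_access_key" = module.sft[0].sft.aws_access_key` places the IAM secret in the `content` of `local_file.inventory`, so it is written in clear text to the generated inventory (`./gen/terraform-inventory.yml` per the Makefile) and can appear in plan output. With the `local` provider pinned at `~> 1.4.0`, I would switch to `sensitive_content = jsonencode({ ... })` and add `file_permission = "0600"`, since the provider's default file mode is wide open. The generated `gen/` directory should also be ignored by version control, which this patch does not show. The secret is still recorded in the Terraform state, so the S3 backend's `encrypt = true` and the bucket's access policy remain the only protection for that copy.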
diff --git a/terraform/environment/sft.tf b/terraform/environment/sft.tf
new file mode 100644
index 000000000..03602d365
--- /dev/null
+++ b/terraform/environment/sft.tf
@@ -0,0 +1,26 @@
+variable "sft_server_names" {
+ default = []
+ type = list(string)
+}
+
+variable "sft_a_record_ttl" {
+ default = 60
+}
+
+variable "sft_server_type" {
+ default = "cx11"
+}
+
+module "sft" {
+ count = min(1, length(var.sft_server_names))
+
+ source = "../modules/sft"
+ root_domain = var.root_domain
+ environment = var.environment
+ server_names = var.sft_server_names
+ a_record_ttl = var.sft_a_record_ttl
+ server_type = var.sft_server_type
+ image = var.hcloud_image
+ location = var.hcloud_location
+ ssh_keys = [hcloud_ssh_key.operator_ssh.name]
+}
diff --git a/terraform/environment/terraform.tf b/terraform/environment/terraform.tf
new file mode 100644
index 000000000..6b34e4be5
--- /dev/null
+++ b/terraform/environment/terraform.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_version = "0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 2.58"
+ }
+ hcloud = {
+ source = "terraform-providers/hcloud"
+ version = "~> 1.19"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = "~> 1.4.0"
+ }
+ }
+
+ backend s3 {
+ encrypt = true
+ }
+
+}
diff --git a/terraform/modules/sft/dns.tf b/terraform/modules/sft/dns.tf
new file mode 100644
index 000000000..3a5db33b0
--- /dev/null
+++ b/terraform/modules/sft/dns.tf
@@ -0,0 +1,21 @@
+data "aws_route53_zone" "sft_zone" {
+ name = var.root_domain
+}
+
+resource "aws_route53_record" "sft_a" {
+ for_each = var.server_names
+
+ zone_id = data.aws_route53_zone.sft_zone.zone_id
+ name = "sft${each.value}.sft.${var.environment}"
+ type = "A"
+ ttl = var.a_record_ttl
+ records = [hcloud_server.sft[each.key].ipv4_address]
+}
+
+resource "aws_route53_record" "metrics_srv" {
+ zone_id = data.aws_route53_zone.sft_zone.zone_id
+ name = "_sft-metrics._tcp.${var.environment}"
+ type = "SRV"
+ ttl = var.metrics_srv_record_ttl
+ records = [for a_record in aws_route53_record.sft_a : "0 10 8443 ${a_record.fqdn}"]
+}
diff --git a/terraform/modules/sft/outputs.tf b/terraform/modules/sft/outputs.tf
new file mode 100644
index 000000000..549172aaa
--- /dev/null
+++ b/terraform/modules/sft/outputs.tf
@@ -0,0 +1,19 @@
+# TODO: It is absurd that srv-announcer requires this. All route53 resources are
+# scoped globally, figure out if we really need to do this.
+data "aws_region" "current" {}
+
+output "sft" {
+ value = {
+ sft_srv: "_sft._tcp.${var.environment}"
+ aws_key_id = aws_iam_access_key.srv-announcer.id
+ aws_access_key = aws_iam_access_key.srv-announcer.secret
+ aws_region = data.aws_region.current.name
+ instances = [ for server_name in var.server_names :
+ {
+ hostname = hcloud_server.sft[server_name].name
+ ipaddress = hcloud_server.sft[server_name].ipv4_address
+ fqdn = aws_route53_record.sft_a[server_name].fqdn
+ }
+ ]
+ }
+}
diff --git a/terraform/modules/sft/server.tf b/terraform/modules/sft/server.tf
new file mode 100644
index 000000000..70e91105c
--- /dev/null
+++ b/terraform/modules/sft/server.tf
@@ -0,0 +1,9 @@
+resource "hcloud_server" "sft" {
+ for_each = var.server_names
+
+ name = "${var.environment}-sft-${each.value}"
+ server_type = var.server_type
+ image = var.image
+ location = var.location
+ ssh_keys = var.ssh_keys
+}
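Review bot: The `sft` output in `terraform/modules/sft/outputs.tf` returns `aws_iam_access_key.srv-announcer.secret` in the same object as host names and addresses, and nothing marks it as a secret. I would move the key id and secret into an output of their own declared with `sensitive = true`, so that callers that only need `instances` never handle the credential and it is redacted if the root module ever re-exports it. Because the access key is created without `pgp_key`, the secret is also stored in state in plain form. That looks intentional here, since the inventory needs the value, but a comment next to `aws_access_key` should say so.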
diff --git a/terraform/modules/sft/srv-announcer-iam.tf b/terraform/modules/sft/srv-announcer-iam.tf
new file mode 100644
index 000000000..c14045fd2
--- /dev/null
+++ b/terraform/modules/sft/srv-announcer-iam.tf
@@ -0,0 +1,60 @@
+resource "aws_iam_user" "srv-announcer" {
+ name = "${var.environment}-srv-announcer"
+ force_destroy = true # TODO: Add a comment explaining this. Does this mean
+ # changing this user will make existing srv announcements
+ # fail?
+}
+
+resource "aws_iam_access_key" "srv-announcer" {
+ user = aws_iam_user.srv-announcer.name
+}
+
+# NOTE: Does not configure permissions for GeoLocation, because they are not
+# needed by the srv-announcer DOCS:
+# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html#required-permissions-resource-record-sets
+#
+resource "aws_iam_user_policy" "srv-announcer-recordsets" {
+ name = "${var.environment}-srv-announcer-route53-recordsets-policy"
+ user = aws_iam_user.srv-announcer.name
+
+ policy = <<-EOP
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws:route53:::hostedzone/${data.aws_route53_zone.sft_zone.zone_id}"
+ ]
+ }
+ ]
+ }
+ EOP
+}
+
+resource "aws_iam_user_policy" "srv-announcer-getrecordchanges" {
+ name = "${var.environment}-srv-announcer-route53-getrecordchanges-policy"
+ user = aws_iam_user.srv-announcer.name
+
+ policy = <<-EOP
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:GetChange",
+ "route53:ListHostedZonesByName"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+ }
+ EOP
+}
diff --git a/terraform/modules/sft/variables.tf b/terraform/modules/sft/variables.tf
new file mode 100644
index 000000000..2b5de0cde
--- /dev/null
+++ b/terraform/modules/sft/variables.tf
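Review bot: The `srv-announcer-recordsets` policy grants `route53:ChangeResourceRecordSets` on the entire hosted zone resolved from `var.root_domain`, which is far wider than the `_sft._tcp.${var.environment}` record the announcer maintains. The inventory template appears to hand this user's key to every SFT host, so a single compromised SFT server would hold write access to every record in the root zone. I would delegate a dedicated sub-zone for the SFT records and point `"Resource"` at that zone's id only. In `srv-announcer-getrecordchanges`, `route53:GetChange` can be narrowed to `"arn:aws:route53:::change/*"`, whereas `route53:ListHostedZonesByName` does require `"*"`. The open TODO on `force_destroy = true` should also become a real comment, such as `# delete the user even if it still has access keys not managed by Terraform`.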
@@ -0,0 +1,36 @@ +variable "root_domain" { + type = string +} + +variable "environment" { + type = string +} + +variable "server_names" { + description = "List of names of sft servers. The server will be availables at sft.." + type = set(string) +} + +variable "a_record_ttl" { + type = number +} + +variable "metrics_srv_record_ttl" { + default = 60 +} + +variable "server_type" { + default = "cx11" +} + +variable "image" { + default = "ubuntu-18.04" +} + +variable "location" { + default = "nbg1" +} + +variable "ssh_keys" { + type = list +} diff --git a/terraform/modules/sft/versions.tf b/terraform/modules/sft/versions.tf new file mode 100644 index 000000000..218393986 --- /dev/null +++ b/terraform/modules/sft/versions.tf @@ -0,0 +1,11 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + } + hcloud = { + source = "terraform-providers/hcloud" + } + } + required_version = ">= 0.13" +} From 259cd2664a4e4d890be797217cc715499d72acfc Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Thu, 24 Sep 2020 11:31:47 +0200 Subject: [PATCH 19/21] terraform/environments/inventory.tf: Fix typo (#342) --- terraform/environment/inventory.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environment/inventory.tf b/terraform/environment/inventory.tf index 104f3042f..c3242e7c3 100644 --- a/terraform/environment/inventory.tf +++ b/terraform/environment/inventory.tf 
@@ -1,7 +1,7 @@ -# Generates an inventory file to be used by ansible. Ideally, we would generate this -# outside terraform using outputs, but it is not possible to use 'terraform +# Generates an inventory file to be used by ansible. Ideally, we would generate +# this outside terraform using outputs, but it is not possible to use 'terraform # output' when the init directory is different from the root code directory. -# Terrform Issue: https://github.com/hashicorp/terraform/issues/17300 +# Terraform Issue: https://github.com/hashicorp/terraform/issues/17300 resource "local_file" "inventory" { filename = var.inventory_file content = jsonencode({ From 199a90bc9e42288976a9c636af3773c759dd8f08 Mon Sep 17 00:00:00 2001 From: Lucendio Date: Fri, 25 Sep 2020 16:15:43 +0200 Subject: [PATCH 20/21] [sft] Add srv-announcer role to the SFT deployment automation (#341) Update variables in the inventory template to match the latest version of the role and pin to the corresponding commit. --- ansible/provision-sft.yml | 1 + ansible/requirements.yml | 2 +- terraform/environment/inventory.tf | 16 ++++++---------- 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/ansible/provision-sft.yml b/ansible/provision-sft.yml index f2ec99bfb..503dbb0e4 100644 --- a/ansible/provision-sft.yml +++ b/ansible/provision-sft.yml @@ -9,3 +9,4 @@ - hosts: sft_servers roles: - role: sft-server + - role: srv-announcer diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 8bc65623a..40d7d74f2 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -66,4 +66,4 @@ - src: git+https://github.com/wireapp/ansible-sft.git name: sft - version: "20d4f19685777ed3f4d11fa100bdbdd4a7e2ce1f" # master (2020-09-16) + version: "369db98e2e1ddf156ea0c9dbd2801c9d83e10a5a" # master (2020-09-25) diff --git a/terraform/environment/inventory.tf b/terraform/environment/inventory.tf index c3242e7c3..62686e4f0 100644 --- a/terraform/environment/inventory.tf 
+++ b/terraform/environment/inventory.tf @@ -12,16 +12,12 @@ resource "local_file" "inventory" { "ansible_python_interpreter" = "/usr/bin/python3" "sft_fqdn" = instance.fqdn - "announcer_zone_domain" = var.root_domain - "announcer_aws_key_id" = module.sft[0].sft.aws_key_id - "announcer_aws_access_key" = module.sft[0].sft.aws_access_key - "announcer_aws_region" = module.sft[0].sft.aws_region - "announcer_srv_records" = { - "sft" = { - "name" = "_sft._tcp.${var.environment}" - "target" = instance.fqdn - } - } + "srv_announcer_zone_domain" = var.root_domain + "srv_announcer_aws_key_id" = module.sft[0].sft.aws_key_id + "srv_announcer_aws_access_key" = module.sft[0].sft.aws_access_key + "srv_announcer_aws_region" = module.sft[0].sft.aws_region + "srv_announcer_record_name": "_sft._tcp.${var.environment}" + "srv_announcer_record_target": instance.fqdn }} } }) From 27952ac89387e4850daf2431742e6200c2648a89 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Mon, 28 Sep 2020 16:58:05 +0200 Subject: [PATCH 21/21] Add changelog entry for 2020-09-28 --- CHANGELOG.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 595b1da8e..cb4a4cd53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
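Review bot: `srv_announcer_aws_access_key` places the IAM secret from the sft module into the JSON written by `local_file.inventory`, so the secret ends up in a plaintext file on the machine that runs Terraform, as well as in state. The `resource "local_file"` block opens outside this hunk, so its other arguments are not visible here. If no mode is set, `local_file` creates the file with mode 0777; `file_permission = "0600"` on that resource would restrict it to the owner. The inventory path should also stay out of version control, and the key should be rotated if the file is ever shared. As a style point, the two new entries use `:` while the rest of the map uses `=`; `"srv_announcer_record_name" = "_sft._tcp.${var.environment}"` keeps the block uniform.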
@@ -1,3 +1,20 @@ +# 2020-09-28 + +## Features +* Documentation: Add galley feature flags and default AWS region to example values files (#328, #335) +* Privacy: Add logrotation of 3 days to all pod logs (#329) +* Security: Update TLS config: Drop CBC cipher suites (#323, #324) + +## Bug Fixes +* fix sanitized_request parsing on nginx (#330) + +## Internal +* Add automation for deploying SFT servers (#337, #341, #322) +* Add account number to output of terraform gundeck module (#326) +* remove issuance of a default search domain via the AWS dhcp servers. breaks dns lookup inside of k8s. (#338) +* [terraform-module:cargohold] Replace subnet IDs input with route table IDs (#331) +* [terraform-module] Introduce network load balancer (#299) + # 2020-07-29 ## Features