Initial Commit

Author: EdKingscote

.gitignore

@@ -0,0 +1,3 @@
+/build/
+.idea
+.gradle

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright [2024] [Ed Kingscote]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1 +1,83 @@
-# rundeck-plugin-aws-ec2-ice-node-execution
+# AWS EC2 Instance Connect Endpoint Node Execution Plugin for Rundeck
+
+This plugin provides node executor and file-copier support to AWS EC2 via the Instance Connect Endpoint. 
+Use this plugin if you must access servers via AWS EC2 Instance Connect Endpoint.
+
+It is based upon the openssh Bastion Node Execution Plugin, and shares similar characteristics. This should make it easier to extend/tweak for more AWS parameters in the future if required.
+
+The AWS CLI v2 must be installed and available to Rundeck. 
+
+## Dry run mode
+You can configure the plugin to just print the invocation string to the console.
+This can be useful when defining the configuration properties.
+
+## Plugin Configuration Properties
+* AWS Access Key
+* AWS Secret Key - set to storage path location in Rundeck Keystore
+* AWS Default Region
+* Node SSH Key  - set to storage path location in Rundeck Keystore
+* SSH Options: Extra options to pass to the ssh command invocation. 
+* Template ssh_config: Customize ProxyCommand and other flags. Consult the reference for [ssh_config(5)](https://linux.die.net/man/5/ssh_config) to learn about posible settings.
+* Dry run? If set true, just print the command invocation that would be used but do not execute the command. This is useful to preview.
+
+## Node Specific Configuration Attributes
+
+* `ssh-key-storage-path` SSH key override - from the Rundeck Keystore.
+* `ssh-ssh-config` - SSH extra options override
+* `ssh-scp-config` - File Copier extra options override
+
+## Configuration 
+
+The plugin can be configured as a default node executor and file copier for a Project. Use the Simple Conguration tab to see the configuration properties. The page has a form with inputs to configure the connection
+
+You can also modify the project.properties or use the API/CLI to define the plugin configuration.
+
+The Plugin List page will describe the key names to set.
+
+#### Customize the ssh_config 
+
+You can define multiple lines using a trailing backslash and an indent on the following line.
+
+Here is an example that defines ssh_config file. 
+
+    project.plugin.NodeExecutor.openssh-bastion-host.node-executor.ssh_config=Host i-* \
+      StrictHostKeyChecking no
+      Port 22
+      ProxyCommand aws ec2-instance-connect open-tunnel --instance-id @instance_id@
+      IdentityFile @plugin.config.identity_file@
+
+Here ssh_options are set.
+
+    project.plugin.NodeExecutor.openssh-bastion-host.node-executor.ssh_options="-q -oCiphers=arcfour -oClearAllForwardings=yes"
+
+Using Dry run, you might see output similar to this:
+
+	[dry-run] +------------------------------------------+
+	[dry-run] | ssh_config                               |
+	[dry-run] +------------------------------------------+
+	[dry-run] | Host i- *
+	[dry-run] |   StrictHostKeyChecking no
+	[dry-run] |   Port 22
+	[dry-run] |   ProxyCommand aws ec2-instance-connect open-tunnel --instance-id i-123455678a01bcdefa
+	[dry-run] |   IdentityFile /tmp/bastion.ssh-keyfile.prWLUyFU
+	[dry-run] +------------------------------------------+
+	[dry-run] ssh -q -oCiphers=arcfour -oClearAllForwardings=yes -F /tmp/ssh_config.zTr9j5KK -i /tmp/host1234.ssh-keyfile.4cjnI2qL ec2user@i-123455678a01bcdefa whoami
+	Begin copy 18 bytes to node host1234: /etc/motd -> /tmp/motd
+	[dry-run] +------------------------------------------+
+	[dry-run] | ssh_config                               |
+	[dry-run] +------------------------------------------+
+	[dry-run] | Host *
+	[dry-run] |   StrictHostKeyChecking no
+	[dry-run] |   Port 22
+	[dry-run] |   ProxyCommand aws ec2-instance-connect open-tunnel --instance-id i-123455678a01bcdefa
+	[dry-run] |   IdentityFile /tmp/bastion.ssh-keyfile.XXXXX.WAlpZLNb
+	[dry-run] | 
+	[dry-run] +------------------------------------------+
+	[dry-run] scp -q -oCiphers=arcfour -oClearAllForwardings=yes -F /tmp/ssh_config.XXXX.cosJ7xQ2 -i /tmp/host1234.ssh-keyfile.XXXXX.BOqYAKRu /etc/motd ec2-user@i-123455678a01bcdefa:/tmp/motd
+	/tmp/motd
+	Copied: /tmp/motd
+
+## Docker
+
+An example Dockerfile is provided to install the AWS CLI v2 on the latest base Rundeck container from Dockerhub.
+

build.gradle

@@ -0,0 +1,38 @@
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+}
+plugins {
+    id 'pl.allegro.tech.build.axion-release' version '1.11.0'
+}
+
+ext.pluginName = 'AWS EC2 ICE"
+ext.pluginDescription = "AWS EC2 Instance Connect Endpoint Node Executor"
+ext.sopsCopyright = "© 2024, Ed Kingscote"
+ext.sopsUrl = "http://rundeck.com"
+ext.buildDateString=new Date().format("yyyy-MM-dd'T'HH:mm:ssX")
+ext.archivesBaseName = "aws-ec2-ice-node-execution"
+ext.pluginBaseFolder = "."
+
+scmVersion {
+    ignoreUncommittedChanges = true
+    tag {
+        prefix = ''
+        versionSeparator = ''
+        def origDeserialize=deserialize
+        //apend .0 to satisfy semver if the tag version is only X.Y
+        deserialize = { config, position, tagName ->
+            def orig = origDeserialize(config, position, tagName)
+            if (orig.split('\\.').length < 3) {
+                orig += ".0"
+            }
+            orig
+        }
+    }
+}
+
+project.version = scmVersion.version
+ext.archiveFilename = ext.archivesBaseName + '-' + version
+
+apply from: 'https://raw.githubusercontent.com/rundeck-plugins/build-zip/master/build.gradle'

contents/file-copier

@@ -0,0 +1,53 @@
+# scp -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-02940408e08ececbf' testfile kingscoe@i-02940408e08ececbf:testfile
+#!/usr/bin/env bash
+
+set -eu
+
+scp() {
+    if [[ "${RD_CONFIG_DRY_RUN:-}" == "true" ]]
+    then 
+
+      echo >&2 "[dry-run] +------------------------------------------+"
+      echo >&2 "[dry-run] | ssh_config                               |"
+      echo >&2 "[dry-run] +------------------------------------------+"
+      while IFS= read -r line; do 
+        echo >&2 "[dry-run] | $line"
+      done < "$SSH_CONFIG_FILE"
+      echo >&2 "[dry-run] +------------------------------------------+"
+      echo >&2 "[dry-run] scp $*"
+    else 
+        command scp "$@"
+    fi
+}
+
+FILE_SOURCE=$1
+FILE_DESTINATION=$2
+
+SSH_CONFIG_FILE_TMP=$(mktemp -t "ssh_config.XXXX")
+SSH_CONFIG_FILE=$(mktemp -t "ssh_config.XXXX")
+SSH_NODE_KEY_FILE=$(mktemp -t "$RD_NODE_NAME.ssh-keyfile.XXXXX")
+trap 'rm "$SSH_CONFIG_FILE_TMP" "$SSH_CONFIG_FILE" "$SSH_NODE_KEY_FILE"' EXIT
+
+if [[ -n "${RD_CONFIG_SSH_KEY_STORAGE_PATH:-}" ]]
+then
+    echo "$RD_CONFIG_SSH_KEY_STORAGE_PATH" > "$SSH_NODE_KEY_FILE"
+    NODE_IDENTITY_FILE="$SSH_NODE_KEY_FILE"
+fi
+
+echo "$RD_CONFIG_SSH_CONFIG" > "$SSH_CONFIG_FILE_TMP"
+sed -e "s#@instance_id@#$RD_NODE_HOSTNAME#g" < "$SSH_CONFIG_FILE_TMP" > "$SSH_CONFIG_FILE"
+
+SSH_ARGS=($RD_CONFIG_SSH_OPTS -F "$SSH_CONFIG_FILE")
+[[ -n "${NODE_IDENTITY_FILE:-}" ]] && SSH_ARGS=(${SSH_ARGS[@]} -i "$NODE_IDENTITY_FILE")
+
+export AWS_ACCESS_KEY_ID=$RD_CONFIG_AWS_ACCESS_KEY_ID
+export AWS_SECRET_ACCESS_KEY=$RD_CONFIG_AWS_SECRET_ACCESS_KEY_STORAGE_PATH
+export AWS_DEFAULT_REGION=$RD_CONFIG_AWS_DEFAULT_REGION
+
+scp "${SSH_ARGS[@]}"  \
+   "$FILE_SOURCE" \
+   "${RD_NODE_USERNAME}@${RD_NODE_HOSTNAME}:${FILE_DESTINATION}"
+
+echo "$FILE_DESTINATION"
+
+exit $?

contents/node-executor

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -eu
+
+ssh() {
+    if [[ "${RD_CONFIG_DRY_RUN:-}" == "true" ]]
+    then 
+
+      echo >&2 "[dry-run] +------------------------------------------+"
+      echo >&2 "[dry-run] | ssh_config                               |"
+      echo >&2 "[dry-run] +------------------------------------------+"
+      while IFS= read -r line; do 
+        echo >&2 "[dry-run] | $line"
+      done < "$SSH_CONFIG_FILE"
+      echo >&2 "[dry-run] +------------------------------------------+"
+      echo >&2 "[dry-run] ssh $*"
+    else 
+        command ssh "$@"
+    fi
+}
+
+SSH_CONFIG_FILE_TMP=$(mktemp -t "ssh_config.XXXX")
+SSH_CONFIG_FILE=$(mktemp -t "ssh_config.XXXX")
+SSH_NODE_KEY_FILE=$(mktemp -t "$RD_NODE_NAME.ssh-keyfile.XXXXX")
+trap 'rm "$SSH_CONFIG_FILE_TMP" "$SSH_CONFIG_FILE" "$SSH_NODE_KEY_FILE"' EXIT
+
+if [[ -n "${RD_CONFIG_SSH_KEY_STORAGE_PATH:-}" ]]
+then
+    echo "$RD_CONFIG_SSH_KEY_STORAGE_PATH" > "$SSH_NODE_KEY_FILE"
+    NODE_IDENTITY_FILE="$SSH_NODE_KEY_FILE"
+fi
+
+echo "$RD_CONFIG_SSH_CONFIG" > "$SSH_CONFIG_FILE_TMP"
+sed -e "s#@instance_id@#$RD_NODE_HOSTNAME#g" < "$SSH_CONFIG_FILE_TMP" > "$SSH_CONFIG_FILE"
+
+SSH_ARGS=($RD_CONFIG_SSH_OPTS -F "$SSH_CONFIG_FILE")
+[[ -n "${NODE_IDENTITY_FILE:-}" ]] && SSH_ARGS=(${SSH_ARGS[@]} -i "$NODE_IDENTITY_FILE")
+
+export AWS_ACCESS_KEY_ID=$RD_CONFIG_AWS_ACCESS_KEY_ID
+export AWS_SECRET_ACCESS_KEY=$RD_CONFIG_AWS_SECRET_ACCESS_KEY_STORAGE_PATH
+export AWS_DEFAULT_REGION=$RD_CONFIG_AWS_DEFAULT_REGION
+
+ssh "${SSH_ARGS[@]}" \
+   "${RD_NODE_USERNAME}@${RD_NODE_HOSTNAME}" \
+   "$@"
+
+exit $?

gradle/wrapper/gradle-wrapper.jar

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.5.1-bin.zip