Merge pull request #4 from pmbenjamin/feat/automate-cfn-templates

Refactor & Add new feature

Author: godinezj

docs/CHANGELOG.md renamed to CHANGELOG.md

@@ -1,22 +1,22 @@
-Restacker
-=======
-Restacker is the DevSecOps deployment swiss army knife. You can use it do deploy,
-migrate and/or remove stacks. Although not feature complete yet, you can begin
-using it to deploy or restack your existing apps.
-
-Install it:
---------------
-````
+# Restacker
+
+Restacker is the DevSecOps deployment swiss army knife. You can use it safely & securely deploy, update, migrate, and/or remove AWS stacks.  
+Although not feature complete yet, you can begin using it to deploy or re-stack your existing AWS accounts/instances.
+
+## Install it:
+- Grab the binary from [GitHub Releases](https://github.com/devsecops/restacker/releases)
+- Or build from source:
+```
 git clone https://github.com/devsecops/restacker.git
 cd restacker/source
 gem build restacker.gemspec
-gem install restacker-0.0.11.gem
-rbenv init -
-````
+gem install restacker
+# if you're using rbenv, then: rbenv rehash
+```
 
-Use it:
---------------
-````
+## Use it:
+
+```
 $ restacker
 Please specify an ACTION
 
@@ -60,29 +60,60 @@ Notes:
  - If no template file path is provided when restacking restacker will use the same
    template as if currently deployed.
  - Deployed stack name will be in the form of NAME-DATE using today's date
- ````
+ ```
 
-Configuration
---------------
-Restacker is out of the box configured to use KCP as the master account and KSP
-as the target account (deployment account). To configure another target account
-just add a section to ~/.restacker/restacker.yml listing the master & target
-account properties. The below configuration is an example of KSP and KVP as
-target accounts and KCP as master.
+## Configure it
+- `restacker configure -l <location>`
+- Or copy the `restacker-sample.yml` to `~/.restacker/restacker.yml` & update the configurations
+The below configuration is an example of MyApp1 and MyApp2 as target accounts and CTRL as master.
 
-````
+```
 $ cat ~/.restacker/restacker.yml
----
-:myapp:
+
+:default:
+  :label: myapp1
+
+:ctrl: &ctrl_default
+  :label: ctrlAcct
+  :account_number: '123456789012'
+  :role_name: ctrl-ctrl-DeployAdmin
+  :role_prefix: "/dso/ctrl/ctrl/"
+  :bucket:
+    :name: kaos-installers
+    :prefix: cloudformation
+    :ami_key: latest_amis
+
+:ctrlAcct:
+  :region: us-west-2
+  :ctrl:
+    <<: *ctrl_default
+  :target:
+    <<: *ctrl_default
+
+:myapp1:
   :region: us-west-2
-  :master:
-    :label: control
-    :account_number: '123456789012'
-    :role_name: CTL-my-app-DeploymentAdmin
-    :role_prefix: "/dso/ctrl/my-app/"
+  :ctrl:
+    <<: *ctrl_default
+    :role_name: ctrl-myapp1-DeployAdmin
   :target:
-    :label: target
+    :label: myapp1
     :account_number: '098765432123'
-    :role_name: TGT-dso-DeploymentAdmin
-    :role_prefix: "/human/dso/"
-````
+    :role_name: myapp1-dso-DeployAdmin
+    :role_prefix: "/dso/human/"
+
+:myapp2:
+  :region: us-west-2
+  :ctrl:
+    <<: *ctrl_default
+    :role_name: ctrl-myapp2-DeployAdmin
+  :target:
+    :label: myapp2
+    :account_number: '123098456765'
+    :role_name: myapp2-dso-DeployAdmin
+    :role_prefix: "/dso/human/"
+
+...
+```
+
+## More Info
+Checkout the [docs](./docs/) for detailed information.

README.md

@@ -0,0 +1,18 @@
+# INTRODUCTION
+
+The Control-Plane pattern/architecture is designed to mitigate and limit risk/exposure if an account were to be compromised.  
+In DevSecOps, we call this **Blast Radius**.
+
+## CONTROL PLANE
+In a typical Control-Plane architecture, an account is designated as the Control Plane.  
+It does not have any instances (e.g. EC2, RDS ...etc).  
+The main purpose of this account is to maintain users and roles.
+
+## TARGET PLANE
+The target plane, or account, will host the instances, databases, and any other AWS services needed.  
+The roles in this account trusts roles from the Control Plane/Account
+
+## WORKFLOW
+In a Control-Plane architecture, the workflow for performing operations on the Target Account will look like this:
+ - Authenticate against the Control Account to obtain an AWS STS token.
+ - Pass that STS token to the next Target Account to assume a specific role (e.g. Read-Only, Deploy-Admin, Incident-Response ...etc).

docs/01-RESTACKER_INTRO.md

@@ -0,0 +1,71 @@
+# RESTACKER.YML
+This is the configuration file for Restacker CLI.  
+See the sample [here](../source/restacker-sample.yml).
+
+## STRUCTURE
+In order for Restacker to work as expected, the following key:value pairs are required:
+- `:default:`: specifies the default location/plane for all Restacker operations. This is intended to save you from having to specify the required `-l <location>` everytime.
+  - `:label:`: the name of the default location.
+- `:ctrl: &ctrl_default`: default configuration for the Control Account
+  - `:label:`: name of the account
+  - `:role-name:`
+  - `:role-prefix:`
+  - `:bucket:`: S3 Bucket configuration to read/consume files from.
+    - `:name:`: Bucket name
+    - `:prefix:`: **optional** bucket prefix/path
+    - `:ami_key:`: **optional** name of object on S3 that contains list of approved AMIs
+- `:Account_Name:`: name of target account
+  - `:region:`: default region to deploy instances in (e.g. `us-west-2`)
+  - `:ctrl:`: control account for this account
+    - `<<: *ctrl_default`: if the control account is the default account specified in `&ctrl_default`, then just insert default configurations here
+  - `:target:`: the target account configuration
+    - `:label:`: name of target account
+    - `:account_number:`: target account number
+    - `:role_name:`: target role name
+    - `:role_prefix:`: target role prefix
+
+## Example Restacker Configuration:
+```
+:default:
+  :label: myapp1
+
+:ctrl: &ctrl_default
+  :label: ctrlAcct
+  :account_number: '123456789012'
+  :role_name: ctrl-ctrl-DeployAdmin
+  :role_prefix: "/dso/ctrl/ctrl/"
+  :bucket:
+    :name: kaos-installers
+    :prefix: cloudformation
+    :ami_key: latest_amis
+
+:ctrlAcct:
+  :region: us-west-2
+  :ctrl:
+    <<: *ctrl_default
+  :target:
+    <<: *ctrl_default
+
+:myapp1:
+  :region: us-west-2
+  :ctrl:
+    <<: *ctrl_default
+    :role_name: ctrl-myapp1-DeployAdmin
+  :target:
+    :label: myapp1
+    :account_number: '098765432123'
+    :role_name: myapp1-dso-DeployAdmin
+    :role_prefix: "/dso/human/"
+
+:myapp2:
+  :region: us-west-2
+  :ctrl:
+    <<: *ctrl_default
+    :role_name: ctrl-myapp2-DeployAdmin
+  :target:
+    :label: myapp2
+    :account_number: '123098456765'
+    :role_name: myapp2-dso-DeployAdmin
+    :role_prefix: "/dso/human/"
+
+```

docs/02-RESTACKER_YML.md

@@ -0,0 +1,6 @@
+# PARAMETERS.YML
+Configurations to be passed to the CloudFormation template.
+
+<!-- Explain each Parameter here -->
+
+**NOTE:** Any Environment variable that you'd like to persist past boot, place them here, **not** in `userdata.sh`

docs/03-PARAMETERS_YML.md

@@ -0,0 +1,2 @@
+# USERDATA.SH
+Configuration needed only during instance-creation stage

docs/04-USERDATA_SH.md

@@ -1,3 +1,4 @@
 source 'https://rubygems.org'
 
 gem 'aws-sdk', '~> 2'
+gem 'rainbow'

source/Gemfile

@@ -14,6 +14,7 @@ ACTIONS = {
     remove: 'Removes the given deployment',
     configure: 'Configure the target account in the restacker.yml file',
     dump: 'Dumps the default configuration for a given template or module',
+    amis: 'Shows latest AMIs in S3 bucket',
     console: 'Opens the AWS Console'
 }
 ACTIONS_HELP = "ACTIONS\n\n" + ACTIONS.to_yaml.sub("---\n", '').gsub(': ', "\t").gsub(':', "    ")
@@ -47,7 +48,7 @@ class Parser
         exit
       end
 
-      o.on('-l LOCATION', '--location=LOCATION', 'Where to deploy, ksp, kvp, kcp...') do |location|
+      o.on('-l LOCATION', '--location=LOCATION', 'Target Location or Plane to deploy to') do |location|
         opts[:location] = location
       end
 
@@ -63,7 +64,7 @@ class Parser
         opts[:options] = options
       end
 
-      o.on('-p PARAMS', '--params=PARAMS', 'Parameters to override current stack parameters in the form of', 'k1=v1,k2=v2. E.g., -p AmiId=ami-a4jd7928') do |params|
+      o.on('-p PARAMS', '--params=PARAMS', 'Parameters to override current stack parameters in the form of', 'k1=v1,k2=v2. E.g., -p AmiId=ami-a1b2c3d4') do |params|
         opts[:params] = params
       end
 
@@ -116,36 +117,32 @@ begin
   action = unparsed.pop
   puts(VERSION) || exit(0) if options[:version]
   usage("Please specify an ACTION") && exit(0) if action.nil?
+  plane = RestackerConfig.get_plane(options)
 
   if action == 'configure'
-    plane = options[:location] ? options[:location] : DEFAULT_PLANE
-    if !plane
-      puts "Location not specified, plane is set to default: [#{DEFAULT_PLANE}]"
-    end
-    puts "Configuring target plane [#{plane}]: "
-    RestackerConfig.load_config(plane.to_sym)
-    Restacker.configure(plane.to_sym)
+    printf "%-30s : %s\n", Rainbow("CONFIGURING PLANE").white.bright.underline, plane
+    RestackerConfig.configure(plane)
     exit(0)
   end
 
   if ACTIONS.keys.push(:aws).include?(action.to_sym)
-    restacker = Restacker.new(options.to_h) unless ['dump'].include?(action)
+    restacker = Restacker.new(options.to_h) unless ['dump', 'amis'].include?(action)
     case action
     when 'list'
-      puts "Listing stacks"
+      printf "%-30s : %s\n", Rainbow("LISTING STACKS").white.bright.underline, plane
       restacker.list_stacks
     when 'desc', 'describe'
       if options[:name]
-        puts "Describing #{options[:name]}"
+        puts Rainbow("DESCRIBING STACK").white.bright.underline
         restacker.describe_stack(options[:name])
       else
         usage "Please specify a stack name (-n) to describe"
       end
     when 'restack'
       if options[:name]
-        puts "Restacking #{options[:name]}"
+        printf "%-30s : %s\n", Rainbow("RESTACKING").white.bright.underline, options[:name]
         restacker.restack_by_name(options[:name])
-        puts "Now run migrate followed by remove"
+        puts Rainbow("Now run migrate followed by remove").white.bright
       else
         usage "Please specify a stack name (-n) to restack"
       end
@@ -165,28 +162,20 @@ begin
       end
     when 'remove'
       if options[:name]
-        puts "Removing stack"
+        printf "%-30s : %s\n", Rainbow("REMOVING STACK").white.bright.underline, options[:name]
         restacker.delete_stack(options[:name])
       else
         usage "Please specify a stack name (-n) to remove"
       end
-    # when 'configure'
-    #   plane = ""
-    #   if !options[:location]
-    #     puts "Location not specified, default plane #{DEFAULT_PLANE} used."
-    #     plane = DEFAULT_PLANE
-    #   else
-    #     plane = options[:location]
-    #   end
-    #   puts "Configuring target account for plane [#{plane}]:\n"
-    #   RestackerConfig.rc_configure(options[:location])
     when 'dump'
       if options[:template]
-        # puts "Dumping stack parameters"
         Restacker.dump_stack_params(options)
       else
         usage "Please specify a stack template (-t) or module (-m)"
       end
+    when 'amis'
+      puts Rainbow("SHOWING AMIS").white.bright.underline
+      Restacker.amis
     when 'console'
       AwsCli.new(options).console(options)
     when 'aws'

source/bin/restacker

@@ -5,26 +5,26 @@
 class Auth
 
   def self.get_mfa_code
-    print "Enter MFA: "
+    print Rainbow("Enter MFA: ").yellow
     STDOUT.flush
     STDIN.gets(7).chomp
   end
 
   def self.get_creds(username, defaults)
     region = defaults.fetch(:region)
-    master = defaults.fetch(:master)
-    master_account_number = master.fetch(:account_number)
-    master_role_prefix = master.fetch(:role_prefix)
-    master_role_name = master.fetch(:role_name)
+    ctrl = defaults.fetch(:ctrl)
+    ctrl_account_number = ctrl.fetch(:account_number)
+    ctrl_role_prefix = ctrl.fetch(:role_prefix)
+    ctrl_role_name = ctrl.fetch(:role_name)
 
     target = defaults.fetch(:target)
     target_account_number = target.fetch(:account_number)
     target_role_prefix = target.fetch(:role_prefix)
     target_role_name = target.fetch(:role_name)
-
-    serial_number = "arn:aws:iam::#{master_account_number}:mfa/#{username}"
-    puts "Logging into #{target.fetch(:label).upcase} using MFA: #{serial_number} (#{region})"
-    role_arn = "arn:aws:iam::#{master_account_number}:role#{master_role_prefix}#{master_role_name}"
+    target_label = target.fetch(:label)
+    serial_number = "arn:aws:iam::#{ctrl_account_number}:mfa/#{username}"
+    puts "Logging into #{Rainbow(target_label.upcase).yellow} using MFA: #{serial_number} (#{region})"
+    role_arn = "arn:aws:iam::#{ctrl_account_number}:role#{ctrl_role_prefix}#{ctrl_role_name}"
     session_name = username[0..31]
 
     sts_client = Aws::STS::Client.new(region: region)
@@ -53,7 +53,12 @@ def self.login(options, defaults, plane)
         Aws.config[:credentials] = Aws::SharedCredentials.new(profile_name: profile_name)
         creds = get_creds(options.fetch(:username), defaults)
       rescue KeyError => e
-        raise "Error parsing #{CONFIG_FILE}, (#{e.message}), please ensure it is properly formatted"
+        error = Rainbow("Error parsing #{CONFIG_FILE}, (#{e.message}), please ensure it is properly formatted").red
+        raise error
+      rescue => err
+        error = Rainbow(err.message).red
+        raise error
+        exit
       end
       # now save to yaml
       File.open(auth_file, 'w') do |f|