Initial commit

Thomas Heinen · Thomas Heinen · commit b934267db15f · 2020-01-10T17:36:16.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,5 @@
+Gemfile.local
+Gemfile.local.lock
+Gemfile.lock
+.bundle
+*.gem
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Changelog
+
+## Version 0.1.0
+
+- Initial version
diff --git a/Gemfile b/Gemfile
@@ -0,0 +1,10 @@
+source "https://rubygems.org"
+
+gemspec
+
+group :development do
+  gem "pry"
+  gem "bundler"
+  gem "rake"
+  gem "chefstyle"
+end
diff --git a/README.md b/README.md
@@ -0,0 +1,47 @@
+# train-awsssm - Train Plugin for using AWS Systems Manager Agent
+
+This plugin allows applications that rely on Train to communicate via AWS SSM.
+
+## Requirements
+
+The instance in question must run on AWS and you need to have all AWS credentials
+set up for the shell which executes the command. Please check the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)
+for appropriate configuration files and environment variables.
+
+You need the [SSM agent to be installed](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) on the machine (most current AMIs already
+have this integrated) and the machine needs to have the managed policy
+`AmazonSSMManagedInstanceCore` or a least privilege equivalent attached as
+IAM profile.
+
+Commands will be executed under the `ssm-user` user.
+
+## Installation
+
+You will have to build this gem yourself to install it as it is not yet on
+Rubygems.Org. For this there is a rake task which makes this a one-liner:
+
+```bash
+rake install:local
+```
+
+## Transport parameters
+
+| Option               | Explanation                                   | Default          |
+| -------------------- | --------------------------------------------- | ---------------- |
+| `host`               | IP or DNS name of instance                    | (required)       |
+| `execution_timeout`  | Maximum time until timeout                    | 60               |
+| `recheck_invocation` | Interval of rechecking AWS command invocation | 1.0              |
+| `recheck_execution`  | Interval of rechecking completion of command  | 1.0              |
+
+## Example use
+
+```ruby
+require "train-awsssm"
+train  = Train.create("awsssm", {
+            host:     '172.16.3.12',
+            logger:   Logger.new($stdout, level: :info)
+         })
+conn   = train.connection
+result = conn.run_command("apt upgrade -y")
+conn.close
+```
diff --git a/Rakefile b/Rakefile
@@ -0,0 +1,43 @@
+# A Rakefile defines tasks to help maintain your project.
+# Rake provides several task templates that are useful.
+
+# require "rspec/core/rake_task"
+require "bump/tasks"
+require "bundler/gem_tasks"
+
+#------------------------------------------------------------------#
+#                    Rake Default Task
+#------------------------------------------------------------------#
+
+# Do not run integration by default
+task default: %I{test:unit test:functional}
+
+#------------------------------------------------------------------#
+#                    Test Runner Tasks
+#------------------------------------------------------------------#
+require "rake/testtask"
+
+namespace :test do
+  {
+    unit: "test/unit/*_test.rb",
+    functional: "test/integration/*_test.rb",
+    integration: "test/function/*_test.rb",
+  }.each do |task_name, glob|
+    Rake::TestTask.new(task_name) do |t|
+      t.libs.push "lib"
+      t.libs.push "test"
+      t.test_files = FileList[glob]
+      t.verbose = true
+      t.warning = false
+    end
+  end
+end
+
+# #------------------------------------------------------------------#
+# #                    Code Style Tasks
+# #------------------------------------------------------------------#
+require "chefstyle"
+require "rubocop/rake_task"
+RuboCop::RakeTask.new(:lint) do |task|
+  task.options << "--display-cop-names"
+end
diff --git a/lib/train-awsssm.rb b/lib/train-awsssm.rb
@@ -0,0 +1,7 @@
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require "train-awsssm/version"
+
+require "train-awsssm/transport"
+require "train-awsssm/connection"
diff --git a/lib/train-awsssm/connection.rb b/lib/train-awsssm/connection.rb
@@ -0,0 +1,143 @@
+require "aws-sdk-ec2"
+require "aws-sdk-ssm"
+require "resolv"
+require "train"
+
+module TrainPlugins
+  module AWSSSM
+    class Connection < Train::Plugins::Transport::BaseConnection
+      def initialize(options)
+        super(options)
+
+        @ssm = Aws::SSM::Client.new
+      end
+
+      def close
+        logger.info format("[AWS-SSM] Closed connection to %s", @options[:host])
+      end
+
+      def uri
+        "aws-ssm://#{@options[:host]}/"
+      end
+
+      def run_command_via_connection(cmd, &data_handler)
+        logger.info format("[AWS-SSM] Sending command to %s", @options[:host])
+        exit_status, stdout, stderr = execute_on_channel(cmd, &data_handler)
+
+        CommandResult.new(stdout, stderr, exit_status)
+      end
+
+      def execute_on_channel(cmd, &data_handler)
+        logger.debug format("[AWS-SSM] Command: '%s'", cmd)
+
+        result = execute_command(@options[:host], cmd)
+
+        stdout = result.standard_output_content || ""
+        stderr = result.standard_error_content || ""
+        exit_status = result.response_code
+
+        [exit_status, stdout, stderr]
+      end
+
+      private
+
+      # Check if this is an IP address
+      def ip_address?(address)
+        !!(address =~ Resolv::IPv4::Regex)
+      end
+
+      # Check if this is a DNS name
+      def dns_name?(address)
+        !ip_address?(address)
+      end
+
+      # Check if this is an internal/external AWS DNS entry
+      def amazon_dns?(dns)
+        dns.end_with?(".compute.amazonaws.com") || dns.end_with?(".compute.internal")
+      end
+
+      # Resolve EC2 instance ID associated with a primary IP or a DNS entry
+      def instance_id(address)
+        logger.debug format("[AWS-SSM] Trying to resolve address %s", address)
+
+        ec2 = Aws::EC2::Client.new
+        instances = ec2.describe_instances.reservations.collect { |r| r.instances.first }
+
+        # Resolve, if DNS name and not Amazon default
+        if dns_name?(address) && !amazon_dns?(address)
+          address = Resolv.getaddress(address)
+          logger.debug format("[AWS-SSM] Resolved non-internal AWS address to %s", address)
+        end
+
+        # Check the primary IPs and hostnames for a match
+        id = instances.detect do |i|
+          [
+            i.private_ip_address,
+            i.public_ip_address,
+            i.private_dns_name,
+            i.public_dns_name,
+          ].include?(address)
+        end&.instance_id
+
+        raise format("Could not resolve instance ID for address %s", address) if id.nil?
+
+        logger.debug format("[AWS-SSM] Resolved address %s to instance ID %s", address, id)
+        id
+      end
+
+      # Request a command invocation and wait until it is registered with an ID
+      def wait_for_invocation(instance_id, command_id)
+        invocation_result(instance_id, command_id)
+
+      # Retry until the invocation was created on AWS
+      rescue Aws::SSM::Errors::InvocationDoesNotExist
+        sleep @options[:recheck_invocation]
+        retry
+      end
+
+      # Return the result of a given command invocation
+      def invocation_result(instance_id, command_id)
+        @ssm.get_command_invocation(instance_id: instance_id, command_id: command_id)
+      end
+
+      # Return if a non-terminal command status was given
+      # @see https://docs.aws.amazon.com/systems-manager/latest/userguide/monitor-commands.html
+      def in_progress?(name)
+        %w{Pending InProgress Delayed}.include? name
+      end
+
+      # Return if a terminal command status was given
+      # @see https://docs.aws.amazon.com/systems-manager/latest/userguide/monitor-commands.html
+      def terminal_state?(name)
+        !in_progress?(name)
+      end
+
+      # Execute a command via SSM
+      def execute_command(address, command)
+        instance_id = instance_id(address)
+
+        cmd = @ssm.send_command(instance_ids: [instance_id], document_name: "AWS-RunShellScript", parameters: { "commands": [command] })
+        cmd_id = cmd.command.command_id
+
+        wait_for_invocation(instance_id, cmd_id)
+        logger.debug format("[AWS-SSM] Execution ID %s", cmd_id)
+
+        start_time = Time.now
+        result = invocation_result(instance_id, cmd.command.command_id)
+
+        until terminal_state?(result.status) || Time.now - start_time > @options[:execution_timeout]
+          result = invocation_result(instance_id, cmd.command.command_id)
+          sleep @options[:recheck_execution]
+        end
+
+        if Time.now - start_time > @options[:execution_timeout]
+          raise format("Timeout waiting for execution")
+        elsif result.status != "Success"
+          raise format('Execution failed with state "%s": %s', result.status, result.standard_error_content || "unknown")
+        end
+
+        result
+      end
+    end
+  end
+end
diff --git a/lib/train-awsssm/transport.rb b/lib/train-awsssm/transport.rb
@@ -0,0 +1,19 @@
+require "train-awsssm/connection"
+
+module TrainPlugins
+  module AWSSSM
+    class Transport < Train.plugin(1)
+      name "awsssm"
+
+      option :host,               required: true
+
+      option :execution_timeout,  default: 60.0
+      option :recheck_invocation, default: 1.0
+      option :recheck_execution,  default: 1.0
+
+      def connection(_instance_opts = nil)
+        @connection ||= TrainPlugins::AWSSSM::Connection.new(@options)
+      end
+    end
+  end
+end
diff --git a/lib/train-awsssm/version.rb b/lib/train-awsssm/version.rb
@@ -0,0 +1,5 @@
+module TrainPlugins
+  module AWSSSM
+    VERSION = "0.1.0".freeze
+  end
+end
diff --git a/train-awsssm.gemspec b/train-awsssm.gemspec
@@ -0,0 +1,27 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "train-awsssm/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "train-awsssm"
+  spec.version       = TrainPlugins::AWSSSM::VERSION
+  spec.authors       = ["Thomas Heinen"]
+  spec.email         = ["theinen@tecracer.de"]
+  spec.summary       = "Train Transport for AWS Systems Manager Agents"
+  spec.description   = "Train plugin to use the AWS Systems Manager Agent to execute commands on machines without SSH/WinRM "
+  spec.homepage      = "https://github.com/tecracer_theinen/train-awsssm"
+  spec.license       = "Apache-2.0"
+
+  spec.files = %w{
+    README.md train-awsssm.gemspec Gemfile
+  } + Dir.glob(
+    "lib/**/*", File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "train", "~> 2.0"
+  spec.add_dependency "aws-sdk-ec2", "~> 1.129"
+  spec.add_dependency "aws-sdk-ssm", "~> 1.69"
+
+  spec.add_development_dependency "bump", "~> 0.8"
+end
