-
Notifications
You must be signed in to change notification settings - Fork 8
Expand file tree
/
Copy pathbootstrap.py
More file actions
261 lines (198 loc) · 8.57 KB
/
bootstrap.py
File metadata and controls
261 lines (198 loc) · 8.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
#!/usr/bin/env python
# Copyright (c) 2015 Chris Olstrom <chris@olstrom.com>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
from subprocess import call
def install_with_pip(packages):
""" Installs packages with pip """
for package in packages:
call('pip install -U ' + package, shell=True)
def detect(setting):
""" Detects a setting in tags, falls back to environment variables """
import os
if setting in resource_tags():
return resource_tags()[setting]
else:
return os.getenv(shell_style(setting))
def shell_style(name):
""" Translates reasonable names into names you would expect for environment
variables. Example: 'ForgeRegion' becomes 'FORGE_REGION' """
import re
return re.sub('(?!^)([A-Z]+)', r'_\1', name).upper()
def download_from_s3(source, destination):
""" Downloads a file from an S3 bucket """
call("aws s3 cp --region {region} s3://{bucket}/{file} {save_to}".format(
region=detect('ForgeRegion'),
bucket=detect('ForgeBucket'),
file=source,
save_to=destination
), shell=True)
def instance_metadata(item):
""" Returns information about the current instance from EC2 Instace API """
import httplib
api = httplib.HTTPConnection('169.254.169.254')
api.request('GET', '/latest/meta-data/' + item)
metadata = api.getresponse().read()
api.close()
return metadata
def instance_id():
""" Returns the ID of the current instance """
return instance_metadata('instance-id')
def region():
""" Returns the region the current instance is located in """
return instance_metadata('placement/availability-zone')[:-1]
def resource_tags():
""" Returns a dictionary of all resource tags for the current instance """
import boto.ec2
api = boto.ec2.connect_to_region(region())
tags = api.get_all_tags(filters={'resource-id': instance_id()})
return {tag.name: tag.value for tag in tags}
def security_groups():
""" Returns a list of sercurity groups for the current instance """
return instance_metadata('security-groups').split('\n')
def infer_tags(security_group):
""" Attempts to infer tags from a security group name """
import re
matches = re.search(r'(?P<Project>[\w-]+)-(?P<Role>\w+)$', security_group)
return matches.groupdict()
def implicit_tags():
""" Returns a list of tags inferred from security groups """
return [infer_tags(name) for name in security_groups()]
def discover(trait):
""" Tries to find a trait in tags, makes a reasonable guess if it fails """
if trait in resource_tags():
return [resource_tags()[trait]]
else:
return [implicit_tags()[trait]]
def project_path():
""" Returns the forge path for the discovered project """
return discover('Project')[0] + '/'
def role_paths():
""" Returns a list of forge paths for all discovered roles """
return [project_path() + role + '/' for role in discover('Role')]
def unique(enumerable):
""" Returns a list without duplicate items """
return list(set(enumerable))
def applicable_playbooks():
""" Returns a list of playbooks that should be applied to this system """
playbooks = [''] # Base Playbook
playbooks.append(project_path()) # Project Playbook
playbooks.extend(role_paths()) # System Roles
return sorted(unique(playbooks), key=len)
def flat_path(path):
""" Flattens a path by substituting dashes for slashes """
import re
return re.sub('/', '-', path)
def get_dependencies(playbook):
""" Downloads and installs all roles required for a playbook to run """
path = '/tmp/' + flat_path(playbook)
download_from_s3(playbook + 'dependencies.yml', path + 'dependencies.yml')
call('ansible-galaxy install -ifr' + path + 'dependencies.yml', shell=True)
def get_vault(playbook):
""" Downloads a vault file, and puts it where Ansible can find it. """
vault_name = flat_path(playbook)[:-1]
if len(vault_name) == 0:
vault_name = 'all'
vault_file = '/etc/ansible/group_vars/' + vault_name + '.yml'
download_from_s3(playbook + 'vault.yml', vault_file)
with open('/etc/ansible/hosts', 'a') as stream:
stream.writelines(["\n[" + vault_name + "]\n", 'localhost\n'])
def configure_environment():
""" Exposes information from Resource Tags in Ansible vars """
get_vault('')
with open('/etc/ansible/group_vars/local.yml', 'w+') as stream:
stream.write("\nproject: " + resource_tags()['Project'])
stream.write("\nenvironment_tier: " + resource_tags()['Environment'])
stream.write("\nsystem_role: " + resource_tags()['Role'])
def execute(playbook):
""" Downloads and executes a playbook. """
path = '/tmp/' + flat_path(playbook)
for hook in ['pre-', '', 'post-']:
filename = hook + 'playbook.yml'
download_from_s3(playbook + filename, path + filename)
call('ansible-playbook ' + path + filename, shell=True)
def ssh_keyscan(host):
""" Get the SSH host key from a remote server by connecting to it """
from paramiko import transport
with transport.Transport(host) as ssh:
ssh.start_client()
return ssh.get_remote_server_key()
def ssh_host_key(host, port=22):
""" Get SSH host key, return string formatted for known_hosts """
if port != 22:
host = "{host}:{port}".format(host=host, port=port)
key = ssh_keyscan(host)
return "{host} {key_name} {key}".format(
host=host,
key_name=key.get_name(),
key=key.get_base64())
def in_known_hosts(host_key):
""" Checks if a key is in known_hosts """
from os import path
if not path.isfile('/etc/ssh/ssh_known_hosts'):
return False
with open('/etc/ssh/ssh_known_hosts', 'r') as known_hosts:
for entry in known_hosts:
if host_key in entry:
return True
return False
def add_to_known_hosts(host_key):
""" Appends line to a file """
if in_known_hosts(host_key):
return
with open('/etc/ssh/ssh_known_hosts', 'a') as known_hosts:
known_hosts.write(host_key + "\n")
def configure_ansible():
""" Fetches ansible configurations from ForgeBucket """
download_from_s3('ansible.hosts', '/etc/ansible/hosts')
download_from_s3('ansible.cfg', '/etc/ansible/ansible.cfg')
download_from_s3('vault.key', '/etc/ansible/vault.key')
files = ['/etc/ansible/ansible.cfg', '/etc/ansible/vault.key']
set_permissions(files, 400)
add_to_known_hosts(ssh_host_key('github.com'))
add_to_known_hosts(ssh_host_key('bitbucket.org'))
def set_permissions(files, mode):
""" Sets permissions on a list of files """
from os import chmod
for filename in files:
try:
chmod(filename, mode)
except OSError:
pass
def get_credentials():
""" Fetches credentials needed for private repositories """
download_from_s3('ssh.ed25519', '/root/.ssh/id_ed25519')
download_from_s3('ssh.rsa', '/root/.ssh/id_rsa')
set_permissions(['/root/.ssh/id_ed25519', '/root/.ssh/id_rsa'], 400)
def preconfigure():
""" Configure everything needed to configure everything else. """
install_with_pip(['ansible', 'awscli', 'boto'])
configure_ansible()
configure_environment()
get_credentials()
download_from_s3('bin/reforge', '/usr/local/sbin/reforge')
set_permissions(['/usr/local/sbin/reforge'], 500)
def self_provision():
""" Bring it all together and follow your dreams, little server! """
preconfigure()
for playbook in applicable_playbooks():
get_dependencies(playbook)
get_vault(playbook)
execute(playbook)
self_provision()