593 lines
16 KiB
Go
593 lines
16 KiB
Go
package chef
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"os"
|
|
"path"
|
|
"regexp"
|
|
"strings"
|
|
"text/template"
|
|
"time"
|
|
|
|
"github.com/hashicorp/terraform/communicator"
|
|
"github.com/hashicorp/terraform/communicator/remote"
|
|
"github.com/hashicorp/terraform/helper/pathorcontents"
|
|
"github.com/hashicorp/terraform/terraform"
|
|
"github.com/mitchellh/go-homedir"
|
|
"github.com/mitchellh/go-linereader"
|
|
"github.com/mitchellh/mapstructure"
|
|
)
|
|
|
|
const (
|
|
clienrb = "client.rb"
|
|
defaultEnv = "_default"
|
|
firstBoot = "first-boot.json"
|
|
logfileDir = "logfiles"
|
|
linuxChefCmd = "chef-client"
|
|
linuxKnifeCmd = "knife"
|
|
linuxConfDir = "/etc/chef"
|
|
secretKey = "encrypted_data_bag_secret"
|
|
validationKey = "validation.pem"
|
|
windowsChefCmd = "cmd /c chef-client"
|
|
windowsKnifeCmd = "cmd /c knife"
|
|
windowsConfDir = "C:/chef"
|
|
)
|
|
|
|
const clientConf = `
|
|
log_location STDOUT
|
|
chef_server_url "{{ .ServerURL }}"
|
|
validation_client_name "{{ .ValidationClientName }}"
|
|
node_name "{{ .NodeName }}"
|
|
{{ if .UsePolicyfile }}
|
|
use_policyfile true
|
|
policy_group "{{ .PolicyGroup }}"
|
|
policy_name "{{ .PolicyName }}"
|
|
{{ end -}}
|
|
|
|
{{ if .HTTPProxy }}
|
|
http_proxy "{{ .HTTPProxy }}"
|
|
ENV['http_proxy'] = "{{ .HTTPProxy }}"
|
|
ENV['HTTP_PROXY'] = "{{ .HTTPProxy }}"
|
|
{{ end -}}
|
|
|
|
{{ if .HTTPSProxy }}
|
|
https_proxy "{{ .HTTPSProxy }}"
|
|
ENV['https_proxy'] = "{{ .HTTPSProxy }}"
|
|
ENV['HTTPS_PROXY'] = "{{ .HTTPSProxy }}"
|
|
{{ end -}}
|
|
|
|
{{ if .NOProxy }}
|
|
no_proxy "{{ join .NOProxy "," }}"
|
|
ENV['no_proxy'] = "{{ join .NOProxy "," }}"
|
|
{{ end -}}
|
|
|
|
{{ if .SSLVerifyMode }}
|
|
ssl_verify_mode {{ .SSLVerifyMode }}
|
|
{{- end -}}
|
|
|
|
{{ if .DisableReporting }}
|
|
enable_reporting false
|
|
{{ end -}}
|
|
|
|
{{ if .ClientOptions }}
|
|
{{ join .ClientOptions "\n" }}
|
|
{{ end }}
|
|
`
|
|
|
|
// Provisioner represents a specificly configured chef provisioner
|
|
type Provisioner struct {
|
|
Attributes interface{} `mapstructure:"attributes"`
|
|
AttributesJSON string `mapstructure:"attributes_json"`
|
|
ClientOptions []string `mapstructure:"client_options"`
|
|
DisableReporting bool `mapstructure:"disable_reporting"`
|
|
Environment string `mapstructure:"environment"`
|
|
FetchChefCertificates bool `mapstructure:"fetch_chef_certificates"`
|
|
LogToFile bool `mapstructure:"log_to_file"`
|
|
UsePolicyfile bool `mapstructure:"use_policyfile"`
|
|
PolicyGroup string `mapstructure:"policy_group"`
|
|
PolicyName string `mapstructure:"policy_name"`
|
|
HTTPProxy string `mapstructure:"http_proxy"`
|
|
HTTPSProxy string `mapstructure:"https_proxy"`
|
|
NOProxy []string `mapstructure:"no_proxy"`
|
|
NodeName string `mapstructure:"node_name"`
|
|
OhaiHints []string `mapstructure:"ohai_hints"`
|
|
OSType string `mapstructure:"os_type"`
|
|
PreventSudo bool `mapstructure:"prevent_sudo"`
|
|
RunList []string `mapstructure:"run_list"`
|
|
SecretKey string `mapstructure:"secret_key"`
|
|
ServerURL string `mapstructure:"server_url"`
|
|
SkipInstall bool `mapstructure:"skip_install"`
|
|
SSLVerifyMode string `mapstructure:"ssl_verify_mode"`
|
|
ValidationClientName string `mapstructure:"validation_client_name"`
|
|
ValidationKey string `mapstructure:"validation_key"`
|
|
Version string `mapstructure:"version"`
|
|
|
|
installChefClient func(terraform.UIOutput, communicator.Communicator) error
|
|
createConfigFiles func(terraform.UIOutput, communicator.Communicator) error
|
|
fetchChefCertificates func(terraform.UIOutput, communicator.Communicator) error
|
|
runChefClient func(terraform.UIOutput, communicator.Communicator) error
|
|
useSudo bool
|
|
|
|
// Deprecated Fields
|
|
SecretKeyPath string `mapstructure:"secret_key_path"`
|
|
ValidationKeyPath string `mapstructure:"validation_key_path"`
|
|
}
|
|
|
|
// ResourceProvisioner represents a generic chef provisioner
|
|
type ResourceProvisioner struct{}
|
|
|
|
// Apply executes the file provisioner
|
|
func (r *ResourceProvisioner) Apply(
|
|
o terraform.UIOutput,
|
|
s *terraform.InstanceState,
|
|
c *terraform.ResourceConfig) error {
|
|
// Decode the raw config for this provisioner
|
|
p, err := r.decodeConfig(c)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if p.OSType == "" {
|
|
switch s.Ephemeral.ConnInfo["type"] {
|
|
case "ssh", "": // The default connection type is ssh, so if the type is empty assume ssh
|
|
p.OSType = "linux"
|
|
case "winrm":
|
|
p.OSType = "windows"
|
|
default:
|
|
return fmt.Errorf("Unsupported connection type: %s", s.Ephemeral.ConnInfo["type"])
|
|
}
|
|
}
|
|
|
|
// Set some values based on the targeted OS
|
|
switch p.OSType {
|
|
case "linux":
|
|
p.installChefClient = p.linuxInstallChefClient
|
|
p.createConfigFiles = p.linuxCreateConfigFiles
|
|
p.fetchChefCertificates = p.fetchChefCertificatesFunc(linuxKnifeCmd, linuxConfDir)
|
|
p.runChefClient = p.runChefClientFunc(linuxChefCmd, linuxConfDir)
|
|
p.useSudo = !p.PreventSudo && s.Ephemeral.ConnInfo["user"] != "root"
|
|
case "windows":
|
|
p.installChefClient = p.windowsInstallChefClient
|
|
p.createConfigFiles = p.windowsCreateConfigFiles
|
|
p.fetchChefCertificates = p.fetchChefCertificatesFunc(windowsKnifeCmd, windowsConfDir)
|
|
p.runChefClient = p.runChefClientFunc(windowsChefCmd, windowsConfDir)
|
|
p.useSudo = false
|
|
default:
|
|
return fmt.Errorf("Unsupported os type: %s", p.OSType)
|
|
}
|
|
|
|
// Get a new communicator
|
|
comm, err := communicator.New(s)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Wait and retry until we establish the connection
|
|
err = retryFunc(comm.Timeout(), func() error {
|
|
err := comm.Connect(o)
|
|
return err
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer comm.Disconnect()
|
|
|
|
if !p.SkipInstall {
|
|
if err := p.installChefClient(o, comm); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
o.Output("Creating configuration files...")
|
|
if err := p.createConfigFiles(o, comm); err != nil {
|
|
return err
|
|
}
|
|
|
|
if p.FetchChefCertificates {
|
|
o.Output("Fetch Chef certificates...")
|
|
if err := p.fetchChefCertificates(o, comm); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
o.Output("Starting initial Chef-Client run...")
|
|
if err := p.runChefClient(o, comm); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Validate checks if the required arguments are configured
|
|
func (r *ResourceProvisioner) Validate(c *terraform.ResourceConfig) (ws []string, es []error) {
|
|
p, err := r.decodeConfig(c)
|
|
if err != nil {
|
|
es = append(es, err)
|
|
return ws, es
|
|
}
|
|
|
|
if p.NodeName == "" {
|
|
es = append(es, fmt.Errorf("Key not found: node_name"))
|
|
}
|
|
if !p.UsePolicyfile && p.RunList == nil {
|
|
es = append(es, fmt.Errorf("Key not found: run_list"))
|
|
}
|
|
if p.ServerURL == "" {
|
|
es = append(es, fmt.Errorf("Key not found: server_url"))
|
|
}
|
|
if p.ValidationClientName == "" {
|
|
es = append(es, fmt.Errorf("Key not found: validation_client_name"))
|
|
}
|
|
if p.ValidationKey == "" && p.ValidationKeyPath == "" {
|
|
es = append(es, fmt.Errorf(
|
|
"One of validation_key or the deprecated validation_key_path must be provided"))
|
|
}
|
|
if p.UsePolicyfile && p.PolicyName == "" {
|
|
es = append(es, fmt.Errorf("Policyfile enabled but key not found: policy_name"))
|
|
}
|
|
if p.UsePolicyfile && p.PolicyGroup == "" {
|
|
es = append(es, fmt.Errorf("Policyfile enabled but key not found: policy_group"))
|
|
}
|
|
if p.ValidationKeyPath != "" {
|
|
ws = append(ws, "validation_key_path is deprecated, please use "+
|
|
"validation_key instead and load the key contents via file()")
|
|
}
|
|
if p.SecretKeyPath != "" {
|
|
ws = append(ws, "secret_key_path is deprecated, please use "+
|
|
"secret_key instead and load the key contents via file()")
|
|
}
|
|
if _, ok := c.Config["attributes"]; ok {
|
|
ws = append(ws, "using map style attribute values is deprecated, "+
|
|
" please use a single raw JSON string instead")
|
|
}
|
|
|
|
return ws, es
|
|
}
|
|
|
|
func (r *ResourceProvisioner) decodeConfig(c *terraform.ResourceConfig) (*Provisioner, error) {
|
|
p := new(Provisioner)
|
|
|
|
decConf := &mapstructure.DecoderConfig{
|
|
ErrorUnused: true,
|
|
WeaklyTypedInput: true,
|
|
Result: p,
|
|
}
|
|
dec, err := mapstructure.NewDecoder(decConf)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// We need to merge both configs into a single map first. Order is
|
|
// important as we need to make sure interpolated values are used
|
|
// over raw values. This makes sure that all values are there even
|
|
// if some still need to be interpolated later on. Without this
|
|
// the validation will fail when using a variable for a required
|
|
// parameter (the node_name for example).
|
|
m := make(map[string]interface{})
|
|
|
|
for k, v := range c.Raw {
|
|
m[k] = v
|
|
}
|
|
|
|
for k, v := range c.Config {
|
|
m[k] = v
|
|
}
|
|
|
|
if err := dec.Decode(m); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if p.Environment == "" {
|
|
p.Environment = defaultEnv
|
|
}
|
|
|
|
for i, hint := range p.OhaiHints {
|
|
hintPath, err := homedir.Expand(hint)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Error expanding the path %s: %v", hint, err)
|
|
}
|
|
p.OhaiHints[i] = hintPath
|
|
}
|
|
|
|
if p.ValidationKey == "" && p.ValidationKeyPath != "" {
|
|
p.ValidationKey = p.ValidationKeyPath
|
|
}
|
|
|
|
if p.SecretKey == "" && p.SecretKeyPath != "" {
|
|
p.SecretKey = p.SecretKeyPath
|
|
}
|
|
|
|
if attrs, ok := c.Config["attributes"]; ok {
|
|
p.Attributes, err = rawToJSON(attrs)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Error parsing the attributes: %v", err)
|
|
}
|
|
}
|
|
|
|
if attrs, ok := c.Config["attributes_json"]; ok {
|
|
var m map[string]interface{}
|
|
if err := json.Unmarshal([]byte(attrs.(string)), &m); err != nil {
|
|
return nil, fmt.Errorf("Error parsing the attributes: %v", err)
|
|
}
|
|
p.Attributes = m
|
|
}
|
|
|
|
return p, nil
|
|
}
|
|
|
|
func rawToJSON(raw interface{}) (interface{}, error) {
|
|
switch s := raw.(type) {
|
|
case []map[string]interface{}:
|
|
if len(s) != 1 {
|
|
return nil, errors.New("unexpected input while parsing raw config to JSON")
|
|
}
|
|
|
|
var err error
|
|
for k, v := range s[0] {
|
|
s[0][k], err = rawToJSON(v)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
return s[0], nil
|
|
default:
|
|
return s, nil
|
|
}
|
|
}
|
|
|
|
// retryFunc is used to retry a function for a given duration
|
|
func retryFunc(timeout time.Duration, f func() error) error {
|
|
finish := time.After(timeout)
|
|
for {
|
|
err := f()
|
|
if err == nil {
|
|
return nil
|
|
}
|
|
log.Printf("Retryable error: %v", err)
|
|
|
|
select {
|
|
case <-finish:
|
|
return err
|
|
case <-time.After(3 * time.Second):
|
|
}
|
|
}
|
|
}
|
|
|
|
func (p *Provisioner) fetchChefCertificatesFunc(
|
|
knifeCmd string,
|
|
confDir string) func(terraform.UIOutput, communicator.Communicator) error {
|
|
return func(o terraform.UIOutput, comm communicator.Communicator) error {
|
|
clientrb := path.Join(confDir, clienrb)
|
|
cmd := fmt.Sprintf("%s ssl fetch -c %s", knifeCmd, clientrb)
|
|
|
|
return p.runCommand(o, comm, cmd)
|
|
}
|
|
}
|
|
|
|
func (p *Provisioner) runChefClientFunc(
|
|
chefCmd string,
|
|
confDir string) func(terraform.UIOutput, communicator.Communicator) error {
|
|
return func(o terraform.UIOutput, comm communicator.Communicator) error {
|
|
fb := path.Join(confDir, firstBoot)
|
|
var cmd string
|
|
|
|
// Policyfiles do not support chef environments, so don't pass the `-E` flag.
|
|
if p.UsePolicyfile {
|
|
cmd = fmt.Sprintf("%s -j %q", chefCmd, fb)
|
|
} else {
|
|
cmd = fmt.Sprintf("%s -j %q -E %q", chefCmd, fb, p.Environment)
|
|
}
|
|
|
|
if p.LogToFile {
|
|
if err := os.MkdirAll(logfileDir, 0755); err != nil {
|
|
return fmt.Errorf("Error creating logfile directory %s: %v", logfileDir, err)
|
|
}
|
|
|
|
logFile := path.Join(logfileDir, p.NodeName)
|
|
f, err := os.Create(path.Join(logFile))
|
|
if err != nil {
|
|
return fmt.Errorf("Error creating logfile %s: %v", logFile, err)
|
|
}
|
|
f.Close()
|
|
|
|
o.Output("Writing Chef Client output to " + logFile)
|
|
o = p
|
|
}
|
|
|
|
return p.runCommand(o, comm, cmd)
|
|
}
|
|
}
|
|
|
|
// Output implementation of terraform.UIOutput interface
|
|
func (p *Provisioner) Output(output string) {
|
|
logFile := path.Join(logfileDir, p.NodeName)
|
|
f, err := os.OpenFile(logFile, os.O_APPEND|os.O_WRONLY, 0666)
|
|
if err != nil {
|
|
log.Printf("Error creating logfile %s: %v", logFile, err)
|
|
return
|
|
}
|
|
defer f.Close()
|
|
|
|
// These steps are needed to remove any ANSI escape codes used to colorize
|
|
// the output and to make sure we have proper line endings before writing
|
|
// the string to the logfile.
|
|
re := regexp.MustCompile(`\x1b\[[0-9;]+m`)
|
|
output = re.ReplaceAllString(output, "")
|
|
output = strings.Replace(output, "\r", "\n", -1)
|
|
|
|
if _, err := f.WriteString(output); err != nil {
|
|
log.Printf("Error writing output to logfile %s: %v", logFile, err)
|
|
}
|
|
|
|
if err := f.Sync(); err != nil {
|
|
log.Printf("Error saving logfile %s to disk: %v", logFile, err)
|
|
}
|
|
}
|
|
|
|
func (p *Provisioner) deployConfigFiles(
|
|
o terraform.UIOutput,
|
|
comm communicator.Communicator,
|
|
confDir string) error {
|
|
contents, _, err := pathorcontents.Read(p.ValidationKey)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
f := strings.NewReader(contents)
|
|
|
|
// Copy the validation key to the new instance
|
|
if err := comm.Upload(path.Join(confDir, validationKey), f); err != nil {
|
|
return fmt.Errorf("Uploading %s failed: %v", validationKey, err)
|
|
}
|
|
|
|
if p.SecretKey != "" {
|
|
contents, _, err := pathorcontents.Read(p.SecretKey)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
s := strings.NewReader(contents)
|
|
// Copy the secret key to the new instance
|
|
if err := comm.Upload(path.Join(confDir, secretKey), s); err != nil {
|
|
return fmt.Errorf("Uploading %s failed: %v", secretKey, err)
|
|
}
|
|
}
|
|
|
|
// Make sure the SSLVerifyMode value is written as a symbol
|
|
if p.SSLVerifyMode != "" && !strings.HasPrefix(p.SSLVerifyMode, ":") {
|
|
p.SSLVerifyMode = fmt.Sprintf(":%s", p.SSLVerifyMode)
|
|
}
|
|
|
|
// Make strings.Join available for use within the template
|
|
funcMap := template.FuncMap{
|
|
"join": strings.Join,
|
|
}
|
|
|
|
// Create a new template and parse the client config into it
|
|
t := template.Must(template.New(clienrb).Funcs(funcMap).Parse(clientConf))
|
|
|
|
var buf bytes.Buffer
|
|
err = t.Execute(&buf, p)
|
|
if err != nil {
|
|
return fmt.Errorf("Error executing %s template: %s", clienrb, err)
|
|
}
|
|
|
|
// Copy the client config to the new instance
|
|
if err := comm.Upload(path.Join(confDir, clienrb), &buf); err != nil {
|
|
return fmt.Errorf("Uploading %s failed: %v", clienrb, err)
|
|
}
|
|
|
|
// Create a map with first boot settings
|
|
fb := make(map[string]interface{})
|
|
if p.Attributes != nil {
|
|
fb = p.Attributes.(map[string]interface{})
|
|
}
|
|
|
|
// Check if the run_list was also in the attributes and if so log a warning
|
|
// that it will be overwritten with the value of the run_list argument.
|
|
if _, found := fb["run_list"]; found {
|
|
log.Printf("[WARNING] Found a 'run_list' specified in the configured attributes! " +
|
|
"This value will be overwritten by the value of the `run_list` argument!")
|
|
}
|
|
|
|
// Add the initial runlist to the first boot settings
|
|
if !p.UsePolicyfile {
|
|
fb["run_list"] = p.RunList
|
|
}
|
|
|
|
// Marshal the first boot settings to JSON
|
|
d, err := json.Marshal(fb)
|
|
if err != nil {
|
|
return fmt.Errorf("Failed to create %s data: %s", firstBoot, err)
|
|
}
|
|
|
|
// Copy the first-boot.json to the new instance
|
|
if err := comm.Upload(path.Join(confDir, firstBoot), bytes.NewReader(d)); err != nil {
|
|
return fmt.Errorf("Uploading %s failed: %v", firstBoot, err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (p *Provisioner) deployOhaiHints(
|
|
o terraform.UIOutput,
|
|
comm communicator.Communicator,
|
|
hintDir string) error {
|
|
for _, hint := range p.OhaiHints {
|
|
// Open the hint file
|
|
f, err := os.Open(hint)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer f.Close()
|
|
|
|
// Copy the hint to the new instance
|
|
if err := comm.Upload(path.Join(hintDir, path.Base(hint)), f); err != nil {
|
|
return fmt.Errorf("Uploading %s failed: %v", path.Base(hint), err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// runCommand is used to run already prepared commands
|
|
func (p *Provisioner) runCommand(
|
|
o terraform.UIOutput,
|
|
comm communicator.Communicator,
|
|
command string) error {
|
|
var err error
|
|
|
|
// Unless prevented, prefix the command with sudo
|
|
if p.useSudo {
|
|
command = "sudo " + command
|
|
}
|
|
|
|
outR, outW := io.Pipe()
|
|
errR, errW := io.Pipe()
|
|
outDoneCh := make(chan struct{})
|
|
errDoneCh := make(chan struct{})
|
|
go p.copyOutput(o, outR, outDoneCh)
|
|
go p.copyOutput(o, errR, errDoneCh)
|
|
|
|
cmd := &remote.Cmd{
|
|
Command: command,
|
|
Stdout: outW,
|
|
Stderr: errW,
|
|
}
|
|
|
|
if err := comm.Start(cmd); err != nil {
|
|
return fmt.Errorf("Error executing command %q: %v", cmd.Command, err)
|
|
}
|
|
|
|
cmd.Wait()
|
|
if cmd.ExitStatus != 0 {
|
|
err = fmt.Errorf(
|
|
"Command %q exited with non-zero exit status: %d", cmd.Command, cmd.ExitStatus)
|
|
}
|
|
|
|
// Wait for output to clean up
|
|
outW.Close()
|
|
errW.Close()
|
|
<-outDoneCh
|
|
<-errDoneCh
|
|
|
|
// If we have an error, return it out now that we've cleaned up
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (p *Provisioner) copyOutput(o terraform.UIOutput, r io.Reader, doneCh chan<- struct{}) {
|
|
defer close(doneCh)
|
|
lr := linereader.New(r)
|
|
for line := range lr.Ch {
|
|
o.Output(line)
|
|
}
|
|
}
|