Merge pull request #159 from base2Services/develop

Release 0.4.0

.github/workflows/build-gem.yml

@@ -0,0 +1,26 @@
+name: test and build gem
+on:
+  push:
+    branches:
+      - master
+      - develop
+      - feature/*
+
+jobs:
+  build:
+    name: test + build
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: set up ruby 2.7
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.7.x
+    - name: rspec
+      run: |
+        gem install rspec
+        rspec
+    - name: build gem
+      run: |
+        gem build ciinabox-ecs.gemspec

.github/workflows/release-gem.yml

@@ -0,0 +1,34 @@
+name: release gem
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build + Publish Gem
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v2
+
+    - name: Set up Ruby 2.7
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.7.x
+
+    - name: rspec
+      run: |
+        gem install rspec
+        rspec
+
+    - name: build gem
+      run: |
+        gem build ciinabox-ecs.gemspec
+
+    - name: Publish gem
+      uses: dawidd6/action-publish-gem@v1
+      with:
+        api_key: ${{secrets.RUBYGEMS_API_KEY}}
+        github_token: ${{secrets.GITHUB_TOKEN}}

.github/workflows/release-image.yml

@@ -0,0 +1,33 @@
+name: release docker image
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build + Publish Container Image
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+
+    - name: Login to  GitHub Container Repository
+      uses: docker/login-action@v1
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and push Container Image to GitHub Container Repository
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        file: ./Dockerfile
+        push: true
+        tags: ghcr.io/${{ github.repository_owner }}/ciinabox-ecs:${{ github.event.release.tag_name }}
+        build-args: CIINABOX_ECS_VERSION=${{ github.event.release.tag_name }}

Dockerfile

@@ -1,13 +1,15 @@
 FROM ruby:2.5-alpine
 
+LABEL org.opencontainers.image.source = https://github.com/base2Services/ciinabox-ecs
+
 ARG CFNDSL_SPEC_VERSION=${CFNDSL_SPEC_VERSION:-9.0.0}
+ARG CIINABOX_ECS_VERSION='*'
 
 COPY . /src
 
 WORKDIR /src
-RUN rm ciinabox-ecs-*.gem ; \
-    gem build ciinabox-ecs.gemspec && \
-    gem install ciinabox-ecs-*.gem && \
+RUN gem build ciinabox-ecs.gemspec && \
+    gem install ciinabox-ecs-${CIINABOX_ECS_VERSION}.gem && \
     rm -rf /src
 
 RUN adduser -u 1000 -D ciinabox && \

README.md

@@ -234,6 +234,23 @@ A common update would be to lock down ip access to your ciinabox environment
   ....
   ```
 
+  or using AWS IP Prefix Lists
+
+  ```yaml
+  ....
+  #Environment Access
+  #add list of public IP addresses you want to access the environment from
+  #default to public access probably best to change this
+  opsIpPrefixLists:
+    - pl-12345
+    - pl-abcde
+  #add list of public IP addresses for your developers to access the environment
+  #default to public access probably best to change this
+  devIpPrefixLists:
+    - pl-11111
+  ....
+  ```
+
 2. update your ciinabox
   ```bash
   $ ciinabox-ecs generate deploy update [ciinabox_name]

ciinabox-ecs.gemspec

@@ -3,7 +3,7 @@ require 'date'
 
 Gem::Specification.new do |s|
   s.name = 'ciinabox-ecs'
-  s.version = '0.3.2'
+  s.version = '0.4.0'
   s.version = "#{s.version}.alpha.#{Time.now.getutc.to_i}" if ENV['TRAVIS'] and ENV['TRAVIS_BRANCH'] != 'master'
   s.date = Date.today.to_s
   s.summary = 'Manage ciinabox on Aws Ecs'

templates/ecs-services.rb

@@ -137,20 +137,23 @@
     ])
   }
 
-  if defined? webHooks
-    rules = []
-    webHooks.each do |ip|
-      rules << { IpProtocol: 'tcp', FromPort: '443', ToPort: '443', CidrIp: ip }
-    end
-  else
-    rules = [{ IpProtocol: 'tcp', FromPort: '443', ToPort: '443', CidrIp: '192.168.1.1/32' }]
+  webHooks = webHooks || []
+  webHooksIpPrefixLists = webHooksIpPrefixLists || []
+
+  rules = []
+  webHooks.each do |ip|
+    rules << { IpProtocol: 'tcp', FromPort: '443', ToPort: '443', CidrIp: ip }
+  end
+
+  webHooksIpPrefixLists.each do |list|
+    rules << { IpProtocol: 'tcp', FromPort: '443', ToPort: '443', SourcePrefixListId: list }
   end
 
   Resource("SecurityGroupWebHooks") {
     Type 'AWS::EC2::SecurityGroup'
     Property('VpcId', Ref('VPC'))
     Property('GroupDescription', 'WebHooks like github')
-    Property('SecurityGroupIngress', rules)
+    Property('SecurityGroupIngress', rules) if rules.any?
   }
 
   Resource('ToolsSSLCertificate') {
@@ -261,6 +264,14 @@
     end
   end
 
+  log_group_retention = log_group_retention || 90
+
+  Resource("LogGroup") {
+    Type "AWS::Logs::LogGroup"
+    Property("LogGroupName", "/ciinabox/#{ciinabox_name}/proxy")
+    Property("RetentionInDays", log_group_retention)
+  }
+
   volumes = []
   mount_points = []
 
@@ -290,6 +301,14 @@
                 HostPort: 8080,
                 ContainerPort: 80
             }],
+            LogConfiguration: {
+              LogDriver: 'awslogs',
+              Options: {
+                'awslogs-group' => Ref("LogGroup"),
+                "awslogs-region" => Ref("AWS::Region"),
+                "awslogs-stream-prefix" => "proxy"
+              }
+            },
             Essential: true,
             MountPoints: mount_points
         }