Commit

initial commit
maafk committed Aug 30, 2019
0 parents commit bb8bef2
Showing 4 changed files with 362 additions and 0 deletions.
19 changes: 19 additions & 0 deletions LICENSE.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
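Review bot: the license text starts directly with "MIT License" and has no copyright line, yet the second paragraph requires "The above copyright notice and this permission notice" to be reproduced, so there is nothing for downstream users to carry. Add `Copyright (c) 2019 maafk` (the author named in package.json, the year from this commit) as the line after the title so the notice referenced by the permission grant actually exists.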
116 changes: 116 additions & 0 deletions README.md
@@ -0,0 +1,116 @@
# serverless-private-aws-regions

Let's imagine that aliens got AWS to build them a region in mars for them to train their mind control algorithms. Since they've got deep pockets and don't want anyone else poking around, it's a private region just for them.

They still want to use the [serverless framework](https://serverless.com/framework/) but their endpoints are different, sometimes their service principals are weird, and the [partition](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) is not publicly known.

Let's make a plugin to help!

## Get set up

This made up region for the aliens is called `mars-east-1`. Put this under the `provider` section in the `serverless.yml`, otherwise serverless framework will default to `us-east-1`

```yml
provider:
name: aws
region: mars-east-1
```
### Add this plugin to `serverless.yml`

```yml
plugins:
- serverless-private-aws-regions
```

### Add `customRegion` under `custom` section

In the `custom` block of your `serverless.yml`, add the following

```yml
custom:
customRegion:
```

There are customizations that can be done here.

### Custom endpoint

```yml
custom:
customRegion:
endpoint: "{service}.{region}.amazonmars.space"
```

The aliens want to make sure they're reaching out to the correct region in mars.

This will set the [endpoint](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Endpoint.html) property on the aws nodejs sdk which it will use when connecting to the private region.

### Custom service principals

```yml
custom:
customRegion:
servicePrincipals:
- service: logs
principal: logs.${self:provider.region}.amazonmars.space
- service: events
principal: events.${self:provider.region}.amazonmars.space
```

In situationas where the private region has different service principals for services, you'll set that here.

If a service isn't included, it will default to the stadard principal for commercial AWS (e.g. `logs.amazonaws.com`, `events.amazonaws.com`)

### Custom logic for getting S3 Endpoints

```yml
custom:
customRegion:
s3Endpoint:
comment: look for amazon mars - currently s3.amazon-mars-1.amazonmars.space
pattern: mars-
return: s3.$\{strRegion\}.amazonmars.space
```

The code for [getS3EndpointForRegion()](https://github.com/serverless/serverless/blob/master/lib/plugins/aws/utils/getS3EndpointForRegion.js) in serverless isn't very configurable, so we can change it to work for the mars region.

Since the private region is called `mars-east-1`, we look for the pattern `mars-`. We want the [getS3EndpointForRegion()](https://github.com/serverless/serverless/blob/master/lib/plugins/aws/utils/getS3EndpointForRegion.js) function to recongnize that pattern and return the appropriate S3 endpoint.

The `comment` is optional, but be sure to include the `pattern` for the special partition (this this case `mars-`), and what should be returned in the function (`return`).

Note the curly braces are escaped in the sample above. This is to avoid serverless framework from thinking this is a variable. The back slashes are removed before the [getS3EndpointForRegion()](https://github.com/serverless/serverless/blob/master/lib/plugins/aws/utils/getS3EndpointForRegion.js) function is updated.

## Usage

## Before you deploy

Before attempting to deploy, or whenever you update the serverless framework, run the `region_setup` command

```bash
sls region_setup
```

This will make any necessary updates to the serverless framework that _can't_ be done in the standard serverless plugin lifecycle hooks

## Deploy

Do a normal deploy, and as long as `serverless-private-aws-regions` is listed as a plugin, all should work as expected

## misc

When using/testing this plugin, make sure `AWS_CA_BUNDLE` environment variable is set.

On mac you can use `/usr/local/etc/openssl/cert.pem`

```bash
export AWS_CA_BUNDLE=/usr/local/etc/openssl/cert.pem
```

## Contributing

Just like the aliens in our fictional scenario, please keep details of your private region private.

## Issues

Feel free to log issues, but please keep details of your private region private.
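Review bot: the "misc" section tells readers to set `AWS_CA_BUNDLE` without saying why, and the suggested `/usr/local/etc/openssl/cert.pem` is a public-CA bundle; index.js builds `new https.Agent({ rejectUnauthorized: true, ca: certs })` from that file, so it becomes the only set of trust anchors the plugin accepts and must contain the private region's issuing CA (the public bundle only works if the private endpoints present publicly trusted certificates). State that requirement here rather than leaving users to discover it from a TLS failure. The "Before you deploy" section should also say what `sls region_setup` actually does: it edits `plugins/aws/utils/getS3EndpointForRegion.js` inside the installed framework (leaving a `.orig` backup beside it) and inserts `pattern` and `return` from serverless.yml into that file as JavaScript, which is why it must be rerun after every framework update and why those two values must be trusted. The `## Usage` heading is empty (the next line is another `##`), so either demote "Before you deploy" and "Deploy" to `###` or drop it. The documented fallback "If a service isn't included, it will default to the stadard principal" does not match index.js, which throws when a service is missing from `servicePrincipals`; fix one or the other. Spelling: "situationas", "stadard", "recongnize", "this this case".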
216 changes: 216 additions & 0 deletions index.js
@@ -0,0 +1,216 @@
"use strict";
var fs = require("fs");
var https = require("https");

class ServerlessPrivateAWSRegions {
constructor(serverless, options) {
this.serverless = serverless;
this.sdk = this.serverless.providers.aws.sdk;
this.options = options;

this.commands = {
region_setup: {
usage: "Sets up Serverless Framework to work in private AWS regions",
lifecycleEvents: ["setup"]
}
};

this.hooks = {
"region_setup:setup": this.setup.bind(this),
"before:deploy:deploy": this.prepRegion.bind(this),
"before:remove:remove": this.prepRegion.bind(this),
"before:deploy:function:initialize": this.prepRegion.bind(this),
"after:aws:package:finalize:mergeCustomProviderResources": this.updatePrincipals.bind(
this
)
};
}

pluginLog(message) {
this.serverless.cli.log(`serverless-private-aws-regions - ${message}`);
}
getCustomS3Endpoint() {
if (
this.serverless.service.custom &&
this.serverless.service.custom.customRegion &&
this.serverless.service.custom.customRegion.s3Endpoint
) {
return this.serverless.service.custom.customRegion.s3Endpoint;
} else {
return false;
}
}
getCustomPrincipals() {
if (
this.serverless.service.custom &&
this.serverless.service.custom.customRegion &&
this.serverless.service.custom.customRegion.servicePrincipals
) {
return this.serverless.service.custom.customRegion.servicePrincipals;
} else {
return false;
}
}
// @TODO figure out if there is a way to get this from aws nodejs sdk
getCustomEndpoint() {
if (
this.serverless.service.custom &&
this.serverless.service.custom.customRegion &&
this.serverless.service.custom.customRegion.endpoint
) {
return this.serverless.service.custom.customRegion.endpoint;
} else {
return false;
}
}
configureAwsSdk() {
this.pluginLog(`Updating AWS Nodejs SDK`);
const bundle = process.env.AWS_CA_BUNDLE;
if (bundle) {
} else {
throw new this.serverless.classes.Error(
"Make sure to define the AWS_CA_BUNDLE environment variable"
);
}
const certs = [fs.readFileSync(bundle)];
this.sdk.config.region = this.serverless.service.provider.region;
this.sdk.config.signatureVersion = "v4";
var endpoint = this.getCustomEndpoint();
if (endpoint) {
this.sdk.config.endpoint = endpoint;
}
this.sdk.config.httpOptions = {
agent: new https.Agent({
rejectUnauthorized: true,
ca: certs
})
};
}

updatePrincipals() {
var custom_principals = this.getCustomPrincipals();
if (!custom_principals) {
return;
}
const template_resources = this.serverless.service.provider
.compiledCloudFormationTemplate.Resources;
Object.keys(template_resources).forEach(resource => {
if (template_resources[resource].Type == "AWS::Lambda::Permission") {
// now check principal
var principal = template_resources[resource].Properties.Principal;
if (typeof principal == "string") {
service = principal.split(".")[0];

var new_princpial = custom_principals.find(x => x.service === service)
.principal;

if (new_princpial) {
this.pluginLog(
`Changing Principal from ${principal} to ${new_princpial}`
);
principal = new_princpial;
}
} else if ("Fn::Join" in principal) {
// using the join intrinsic function to piece together the principal
var join_principal = principal["Fn::Join"][1][0];
var service = join_principal.replace(/\.+$/, "");
var new_princpial = custom_principals.find(x => x.service === service)
.principal;

if (new_princpial) {
console.log(principal);
this.pluginLog(
`Changing Principal from ${principal} to ${new_princpial}`
);
principal = new_princpial;
}
} else {
console.log("something else");
console.log(typeof principal);
}
template_resources[resource].Properties.Principal = principal;
}
});
}
alterS3EndpointFunction() {
const s3_custom = this.getCustomS3Endpoint();
if (!s3_custom) {
return;
}
if (!s3_custom["pattern"] || !s3_custom["return"]) {
throw new this.serverless.classes.Error(
"For custom regions, define both a `pattern` and `return` value for the S3Endpoint"
);
}
var linesToAdd = [];
if (s3_custom["comment"]) {
linesToAdd.push(`// ${s3_custom["comment"]}`);
}
const custom_endpoint_line = `if (strRegion.match(/${
s3_custom["pattern"]
}/)) return \`${s3_custom["return"]}\`;`.replace(/\\/g, "");

linesToAdd.push(custom_endpoint_line);
const filePath = `${this.serverless.config.serverlessPath}/plugins/aws/utils/getS3EndpointForRegion.js`;
this.addLinesToFile(
filePath,
"const strRegion = region.toLowerCase();",
linesToAdd,
2
);
}

addLinesToFile(filePath, findLine, appendedLines, prepending_spaces = 0) {
this.pluginLog(`Adding \n${appendedLines.join("\n")}\n\nto ${filePath}`);
this.restoreOrig(filePath);
this.backupOrig(filePath);
var file_text = fs
.readFileSync(filePath)
.toString()
.split("\n");
const trimmed = file_text.map(s => s.trim());
var appendedLines = appendedLines.map(s => {
return `${" ".repeat(prepending_spaces)}${s}`;
});
const line_no = trimmed.indexOf(findLine);
if (line_no < 0) {
throw new this.serverless.classes.Error(
`Can't find ${findLine} in ${filePath}`
);
} else {
file_text.splice(line_no + 1, 0, ...appendedLines);
fs.writeFileSync(filePath, file_text.join("\n"), err => {
if (err) throw err;
this.pluginLog(`Updated ${filePath}`);
});
}
}

backupOrig(filePath) {
if (!fs.existsSync(`${filePath}.orig`)) {
fs.copyFileSync(filePath, `${filePath}.orig`);
}
}

restoreOrig(filePath) {
if (fs.existsSync(`${filePath}.orig`)) {
fs.renameSync(`${filePath}.orig`, filePath);
}
}

alterFiles() {
this.alterS3EndpointFunction();
}

setup() {
this.pluginLog("Running setup for private region");
this.alterS3EndpointFunction();
this.configureAwsSdk();
}

prepRegion() {
this.configureAwsSdk();
}
}

module.exports = ServerlessPrivateAWSRegions;
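Review bot: in `updatePrincipals` both branches do `custom_principals.find(x => x.service === service).principal`, which throws a TypeError for any `AWS::Lambda::Permission` whose service is not listed under `servicePrincipals`, contradicting the README's promise that unlisted services keep the commercial principal; use `const match = custom_principals.find(x => x.service === service); const new_principal = match ? match.principal : undefined;` so the `if (new_princpial)` guard actually has something to guard. The string branch assigns `service = principal.split(".")[0]` before any declaration and only works because the `var service` in the else-if branch is hoisted; declare it once above the `if`. `alterS3EndpointFunction` splices `pattern` and `return` from serverless.yml straight into the framework's source as code (`if (strRegion.match(/${pattern}/)) return \`${return}\`;`), and that file is executed by every project on the machine that uses this serverless install, so the edit outlives the project that requested it; validate `pattern` against something like `/^[a-z0-9-]+$/` and `return` as a hostname before writing, and note that `.replace(/\\/g, "")` strips every backslash, so the pattern can never contain a regex escape such as `\.`. `fs.writeFileSync` takes no callback, so the arrow function in `addLinesToFile` is ignored and the "Updated" log never prints; drop it and let the sync call throw. `configureAwsSdk` replaces `this.sdk.config.httpOptions` wholesale, discarding any proxy or timeout already configured; merge with `Object.assign` instead. Remove the stray `console.log` calls, the empty `if (bundle) {} else { throw ... }` (write `if (!bundle) throw ...`), and the unused `alterFiles` and `this.options`.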
11 changes: 11 additions & 0 deletions package.json
@@ -0,0 +1,11 @@
{
"name": "serverless-private-aws-regions",
"version": "0.0.1",
"description": "Use serverless framework in private aws regions",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "maafk",
"license": "MIT"
}
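Review bot: there is no `peerDependencies` entry for `serverless`, yet index.js reaches into `serverless.providers.aws.sdk` and rewrites `plugins/aws/utils/getS3EndpointForRegion.js` under `serverless.config.serverlessPath` by matching an exact source line, so the plugin only works against framework versions where that file and line exist; declare the tested range (for example `"peerDependencies": { "serverless": "<range you tested>" }`) so npm warns on mismatches. The `test` script is still the npm stub while `addLinesToFile` and `updatePrincipals` are straightforward to unit test against a fixture file and a small compiled template.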

0 comments on commit bb8bef2