cookbook 'aws', '= 8.4.1'
aws
(107) Versions
8.4.1
- 9.2.0
- 9.1.6
- 9.1.5
- 9.1.4
- 9.1.3
- 9.1.2
- 9.1.1
- 9.1.0
- 9.0.16
- 9.0.15
- 9.0.14
- 9.0.13
- 9.0.12
- 9.0.11
- 9.0.10
- 9.0.9
- 9.0.8
- 9.0.7
- 9.0.6
- 9.0.5
- 9.0.4
- 9.0.3
- 9.0.2
- 9.0.1
- 9.0.0
- 8.4.1
- 8.4.0
- 8.3.1
- 8.3.0
- 8.2.0
- 8.1.1
- 8.1.0
- 8.0.4
- 8.0.3
- 8.0.2
- 8.0.1
- 8.0.0
- 7.5.0
- 7.4.0
- 7.3.1
- 7.3.0
- 7.2.2
- 7.2.1
- 7.2.0
- 7.1.2
- 7.1.1
- 7.1.0
- 7.0.0
- 6.1.1
- 6.1.0
- 6.0.0
- 5.0.1
- 5.0.0
- 4.2.2
- 4.2.1
- 4.2.0
- 4.1.3
- 4.1.2
- 4.1.1
- 4.1.0
- 4.0.0
- 3.4.1
- 3.4.0
- 3.3.3
- 3.3.2
- 3.3.1
- 3.3.0
- 3.2.0
- 3.1.0
- 3.0.0
- 2.9.3
- 2.9.2
- 2.9.1
- 2.9.0
- 2.8.0
- 2.7.2
- 2.7.1
- 2.7.0
- 2.6.6
- 2.6.5
- 2.6.4
- 2.6.3
- 2.6.2
- 2.6.1
- 2.6.0
- 2.5.0
- 2.4.0
- 2.3.0
- 2.2.2
- 2.2.0
- 2.1.1
- 2.1.0
- 2.0.0
- 1.0.0
- 0.101.6
- 0.101.4
- 0.101.2
- 0.101.0
- 0.100.6
- 0.100.4
- 0.100.2
- 0.100.0
- 0.99.1
- 0.99.0
- 0.10.1
- 0.10.0
- 0.9.0
Provides resources for managing AWS resources
cookbook 'aws', '= 8.4.1', :supermarket
knife supermarket install aws
knife supermarket download aws
aws Cookbook
Overview
This cookbook provides resources for configuring and managing nodes running in Amazon Web Services as well as several AWS service offerings.
Included resources:
- CloudFormation Stack Management (cloudformation_stack)
- CloudWatch (cloudwatch)
- CloudWatch Instance Monitoring (instance_monitoring)
- DynamoDB (dynamodb_table)
- EBS Volumes (ebs_volume)
- EC2 Instance Role (instance_role)
- EC2 Instance Termination Protection (instance_term_protection)
- Elastic IPs (elastic_ip)
- Elastic Load Balancer (elastic_lb)
- IAM User, Group, Policy, and Role Management (iam_user, iam_group, iam_policy, iam_role)
- Kinesis Stream Management (kinesis_stream)
- Resource Tags (resource_tag)
- Route53 DNS Records (route53_record)
- Route53 DNS Zones (route53_zone)
- S3 Files (s3_file)
- S3 Buckets (s3_bucket)
- Secondary IPs (secondary_ip)
- Security Groups (security_group)
- AWS SSM Parameter Store (ssm_parameter_store)
- Autoscaling (autoscaling)
Unsupported AWS resources that have other cookbooks include but are not limited to:
Important - Security Implications
Please review any and all security implications of using any of these resources. This cookbook presents resources which could easily be poorly implemented, abused or exploited.
- They have the ability to perform destructive actions (ex. delete *)
- They manage sensitive resources (ex. IAM/SSM)
- They require IAM keys which could be compromised
You will want to understand any and all security implications and architect your implementation accordingly before proceeding.
Some recommendations are below:
- Do not use the IAM credentials of the node: pass a separate set of credentials to these resources
- Use IAM to restrict credentials to only the actions required, implementing conditions whenever necessary (follow least-privilege principles). See iam_restrictions_and_conditions.
- Follow all AWS best practices for managing credentials and security
- Review your cookbook implementation, as CloudFormation or alternative tooling may be a better fit for managing AWS infrastructure as code.
Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.
Requirements
Platforms
- Any platform supported by Chef and the AWS-SDK
Chef
- Chef 12.9+
Cookbooks
- None
Credentials
In order to manage AWS components, authentication credentials need to be available to the node. There are 3 ways to handle this:
- Explicitly set the credentials when using the resources
- Use the credentials in the ~/.aws/credentials file
- Let the resource pick up credentials from the IAM role assigned to the instance
Also new resources can now assume an STS role, with support for MFA as well. Instructions are below in the relevant section.
Using resource parameters
In order to pass the credentials to the resource, credentials must be available to the node. There are a number of ways to handle this, such as node attributes applied to the node or via Chef roles/environments.
We recommend storing these in an encrypted databag, and loading them in the recipe where the resources are used.
Example Data Bag:
% knife data bag show aws main
{
  "id": "main",
  "aws_access_key_id": "YOUR_ACCESS_KEY",
  "aws_secret_access_key": "YOUR_SECRET_ACCESS_KEY",
  "aws_session_token": "YOUR_SESSION_TOKEN"
}
This can be loaded in a recipe with:
aws = data_bag_item('aws', 'main')
And to access the values:
aws['aws_access_key_id'] aws['aws_secret_access_key'] aws['aws_session_token']
We'll look at specific usage below.
Using local credentials
If credentials are not supplied via parameters, resources will look for the credentials in the ~/.aws/credentials file:
[default]
aws_access_key_id = ACCESS_KEY_ID
aws_secret_access_key = ACCESS_KEY
Note that this also accepts other profiles if they are supplied via the ENV['AWS_PROFILE'] environment variable.
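The lookup order just described (explicit resource properties, then the profile named by AWS_PROFILE in the shared credentials file, then the instance role) is easy to get wrong when a recipe mixes sources, and the usual failure is a run that silently falls through to the node's instance role because a profile name was mistyped. The block below is an added example, not code from the aws cookbook or the AWS SDK: it parses a constructed credentials file (fake keys), resolves credentials in that order, returns nil when the caller should rely on the instance role, and redacts the result before it is logged. All function names and the sample file are this example's own.

```ruby
# Added example, not code from the aws cookbook or the AWS SDK: resolve credentials
# in the order this README describes (explicit resource properties, then the
# profile named by AWS_PROFILE in an ~/.aws/credentials-style file, then the
# instance role) and redact the result before it reaches a log line.
# Function names and the sample file below are this example's own.

# Minimal parser for the INI layout of ~/.aws/credentials.
# Returns { 'profile' => { 'key' => 'value' } }; keys are downcased.
def parse_aws_credentials(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    section = line.match(/\A\[\s*(?:profile\s+)?([^\]]+?)\s*\]\z/)
    if section
      current = section[1]
      profiles[current] ||= {}
      next
    end
    pair = line.match(/\A([A-Za-z0-9_]+)\s*=\s*(.*)\z/)
    profiles[current][pair[1].downcase] = pair[2].strip if current && pair
  end
  profiles
end

# Returns { access_key_id:, secret_access_key:, session_token:, source: } or nil.
# nil means "nothing explicit was configured": let the SDK use the instance role.
def resolve_credentials(explicit: {}, credentials_file: nil, env: {})
  if explicit[:aws_access_key] && explicit[:aws_secret_access_key]
    return { access_key_id: explicit[:aws_access_key],
             secret_access_key: explicit[:aws_secret_access_key],
             session_token: explicit[:aws_session_token],
             source: 'resource_properties' }
  end

  if credentials_file
    profile = env.fetch('AWS_PROFILE', 'default')
    section = parse_aws_credentials(credentials_file)[profile]
    if section && section['aws_access_key_id'] && section['aws_secret_access_key']
      return { access_key_id: section['aws_access_key_id'],
               secret_access_key: section['aws_secret_access_key'],
               session_token: section['aws_session_token'],
               source: "profile:#{profile}" }
    end
  end

  nil
end

# One-line description of which credentials a run used; never includes the secret.
def redact_credentials(creds)
  return 'instance-role' if creds.nil?
  "#{creds[:source]} access_key_id=#{creds[:access_key_id][0, 4]}**** secret=<redacted>"
end

# Constructed sample credentials file with fake keys.
SAMPLE_CREDENTIALS_FILE = <<~INI
  [default]
  aws_access_key_id = AKIADEFAULTEXAMPLE
  aws_secret_access_key = defaultSecretExample

  # a profile dedicated to chef-client, selected with AWS_PROFILE=chef
  [chef]
  aws_access_key_id = AKIACHEFEXAMPLE
  aws_secret_access_key = chefSecretExample
  aws_session_token = chefSessionTokenExample
INI

if $PROGRAM_NAME == __FILE__
  creds = resolve_credentials(credentials_file: SAMPLE_CREDENTIALS_FILE,
                              env: { 'AWS_PROFILE' => 'chef' })
  puts redact_credentials(creds)
end
```

In a recipe the returned hash feeds the aws_access_key, aws_secret_access_key and aws_session_token properties of each resource; returning nil for the instance-role case, rather than guessing, is what lets you log which credential source touched IAM or SSM on every run, which is the audit trail the security section above is asking for.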
Using IAM instance role
If your instance has an IAM role, then the credentials can be automatically resolved by the cookbook using the Amazon instance metadata API.
You can then omit the authentication properties aws_secret_access_key and aws_access_key when using the resource.
Of course, the instance role must have the required policies. Here is a sample policy for EBS volume management:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume",
        "ec2:CreateVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyVolumeAttribute",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:EnableVolumeIO"
      ],
      "Sid": "Stmt1381536011000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
For resource tags:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeTags"
      ],
      "Sid": "Stmt1381536708000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
Assuming roles via STS and using MFA
The following is an example of how roles can be assumed using MFA. The same code can also be used to assume roles that do not require MFA; just ensure that the MFA arguments (serial_number and token_code) are omitted.
This assumes you have also stored the cfn_role_arn and mfa_serial attributes, but there are plenty of ways these attributes can be supplied (they could be stored locally in the consuming cookbook, for example).
Note that MFA codes cannot be recycled, hence the importance of creating a single STS session and passing that to resources. If multiple roles need to be assumed using MFA, it is probably prudent to break these up into different recipes and chef-client runs.
require 'aws-sdk-core'
require 'securerandom'

session_id = SecureRandom.hex(8)
sts = ::Aws::AssumeRoleCredentials.new(
  client: ::Aws::STS::Client.new(
    credentials: ::Aws::Credentials.new(
      node['aws']['aws_access_key_id'],
      node['aws']['aws_secret_access_key']
    ),
    region: 'us-east-1'
  ),
  role_arn: node['aws']['cfn_role_arn'],
  role_session_name: session_id,
  serial_number: node['aws']['mfa_serial'],
  token_code: node['aws']['mfa_code']
)

aws_cloudformation_stack 'kitchen-test-stack' do
  action :create
  template_source 'kitchen-test-stack.tpl'
  aws_access_key sts.access_key_id
  aws_secret_access_key sts.secret_access_key
  aws_session_token sts.session_token
end
When running the cookbook, ensure that an attribute JSON is passed that supplies the MFA code. Example using chef-zero:
echo '{ "aws": { "mfa_code": "123456" } }' > mfa.json && chef-client -z -o 'recipe[aws_test]' -j mfa.json
Running outside of an AWS instance
region can be specified on each resource if the cookbook is being run outside of an AWS instance. This can prevent some kinds of failures that happen when resources try to detect the region.
aws_cloudformation_stack 'kitchen-test-stack' do
  action :create
  template_source 'kitchen-test-stack.tpl'
  region 'us-east-1'
end
Resources
aws_cloudformation_stack
Manage CloudFormation stacks.
Actions
- create: Creates the stack, or updates it if it already exists.
- delete: Begins the deletion process for the stack.
Properties
- template_source: Required. The location of the CloudFormation template file. The file should be stored in the files directory of the cookbook.
- parameters: An array of parameter_key and parameter_value pairs for parameters in the template. Follow the syntax in the example below.
- disable_rollback: Set this to true if you want stack rollback to be disabled if creation of the stack fails. Default: false
- stack_policy_body: Optionally define a stack policy to apply to the stack, mainly used to protect stack resources after they are created. For more information, see Prevent Updates to Stack Resources in the CloudFormation user guide.
- iam_capability: Set to true to allow the CloudFormation template to create IAM resources. This is the equivalent of setting CAPABILITY_IAM when using the SDK or CLI. Default: false
- named_iam_capability: Set to true to allow the CloudFormation template to create IAM resources with custom names. This is the equivalent of setting CAPABILITY_NAMED_IAM when using the SDK or CLI. Default: false
Examples
aws_cloudformation_stack 'example-stack' do
  region 'us-east-1'
  template_source 'example-stack.tpl'
  parameters([
    { parameter_key: 'KeyPair', parameter_value: 'user@host' },
    { parameter_key: 'SSHAllowIPAddress', parameter_value: '127.0.0.1/32' }
  ])
end
aws_cloudwatch
Use this resource to manage CloudWatch alarms.
Actions
- create - Create or update CloudWatch alarms.
- delete - Delete CloudWatch alarms.
- disable_action - Disable the actions of the CloudWatch alarms.
- enable_action - Enable the actions of the CloudWatch alarms.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- alarm_name - the alarm name. If none is given, the resource name is used.
- alarm_description - the description of the alarm. Can be blank.
- actions_enabled - true to execute actions on the OK, ALARM or INSUFFICIENT_DATA states. If true, at least one of ok_actions, alarm_actions or insufficient_data_actions must be specified.
- ok_actions - array of actions to execute if the alarm state is OK. If specified, actions_enabled must be true.
- alarm_actions - array of actions to execute if the alarm state is ALARM. If specified, actions_enabled must be true.
- insufficient_data_actions - array of actions to execute if the alarm state is INSUFFICIENT_DATA. If specified, actions_enabled must be true.
- metric_name - CloudWatch metric name of the alarm, e.g. CPUUtilization. Required parameter.
- namespace - namespace of the alarm, e.g. AWS/EC2. Required parameter.
- statistic - statistic of the alarm. Value must be one of SampleCount, Average, Sum, Minimum or Maximum. Required parameter.
- extended_statistic - extended statistic of the alarm. Specify a value between p0.0 and p100. Optional parameter.
- dimensions - dimensions for the metric associated with the alarm. Array of name and value pairs.
- period - the period in seconds over which the specified statistic is applied. Integer type and required parameter.
- unit - unit of measure for the statistic. Required parameter.
- evaluation_periods - number of periods over which data is compared to the specified threshold. Required parameter.
- threshold - value against which the specified statistic is compared. Can be float or integer type. Required parameter.
- comparison_operator - arithmetic operation to use when comparing the specified statistic and threshold. The specified statistic value is used as the first operand.
For more information about parameters, see CloudWatch Identifiers in the Using CloudWatch guide.
Examples
aws_cloudwatch 'kitchen_test_alarm' do
  period 21600
  evaluation_periods 2
  threshold 50.0
  comparison_operator 'LessThanThreshold'
  metric_name 'CPUUtilization'
  namespace 'AWS/EC2'
  statistic 'Maximum'
  dimensions [{ name: 'InstanceId', value: 'i-xxxxxxx' }]
  action :create
end
aws_dynamodb_table
Use this resource to create and delete DynamoDB tables. This includes the ability to add global secondary indexes to existing tables.
Actions
- create: Creates the table. If the table already exists, updates the following:
  - global_secondary_indexes: Removes indexes that are no longer defined, adds new ones, and updates throughput for existing ones. All attributes need to be present in attribute_definitions. No effect if the property is omitted.
  - stream_specification: Updated as specified. No effect if the property is omitted.
  - provisioned_throughput: Updated as specified.
- delete: Deletes the table.
Properties
- attribute_definitions: Required. Attributes to create for the table. Mainly this is used to specify attributes that are used in keys, as otherwise one can add any attribute they want to a DynamoDB table.
- key_schema: Required. Used to create the primary key for the table. Attributes need to be present in attribute_definitions.
- local_secondary_indexes: Used to create any local secondary indexes for the table. Attributes need to be present in attribute_definitions.
- global_secondary_indexes: Used to create any global secondary indexes. Can be applied to an existing table. Attributes need to be present in attribute_definitions.
- provisioned_throughput: Define the throughput for this table.
- stream_specification: Specify whether there should be a stream for this table.
Several of the properties shown here take parameters as shown in the AWS Ruby SDK Documentation. The AWS DynamoDB Documentation may be of further help as well.
Examples
aws_dynamodb_table 'example-table' do
  action :create
  attribute_definitions [
    { attribute_name: 'Id', attribute_type: 'N' },
    { attribute_name: 'Foo', attribute_type: 'N' },
    { attribute_name: 'Bar', attribute_type: 'N' },
    { attribute_name: 'Baz', attribute_type: 'S' }
  ]
  key_schema [
    { attribute_name: 'Id', key_type: 'HASH' },
    { attribute_name: 'Foo', key_type: 'RANGE' }
  ]
  local_secondary_indexes [
    {
      index_name: 'BarIndex',
      key_schema: [
        { attribute_name: 'Id', key_type: 'HASH' },
        { attribute_name: 'Bar', key_type: 'RANGE' }
      ],
      projection: { projection_type: 'ALL' }
    }
  ]
  global_secondary_indexes [
    {
      index_name: 'BazIndex',
      key_schema: [{ attribute_name: 'Baz', key_type: 'HASH' }],
      projection: { projection_type: 'ALL' },
      provisioned_throughput: { read_capacity_units: 1, write_capacity_units: 1 }
    }
  ]
  provisioned_throughput({ read_capacity_units: 1, write_capacity_units: 1 })
  stream_specification({ stream_enabled: true, stream_view_type: 'KEYS_ONLY' })
end
aws_ebs_volume
The resource only handles manipulating the EBS volume, additional resources need to be created in the recipe to manage the attached volume as a filesystem or logical volume.
Actions
- create - create a new volume.
- attach - attach the specified volume.
- detach - detach the specified volume.
- delete - delete the specified volume.
- snapshot - create a snapshot of the volume.
- prune - prune snapshots.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- size - size of the volume in gigabytes.
- snapshot_id - snapshot to build the EBS volume from.
- most_recent_snapshot - use the most recent snapshot when creating a volume from an existing volume (defaults to false).
- availability_zone - the EC2 availability zone to create the volume in; normally detected automatically from the instance.
- device - local block device to attach the volume to, e.g. /dev/sdi. No default value; required.
- volume_id - specify an ID to attach. Cannot be used with action :create because AWS assigns new volume IDs.
- timeout - connection timeout for the EC2 API.
- snapshots_to_keep - used with action :prune for the number of snapshots to maintain.
- description - used to set the description of an EBS snapshot.
- volume_type - "standard", "io1", "io2", "gp2" or "gp3" ("standard" is magnetic, "io1" and "io2" are provisioned SSD, "gp2" and "gp3" are general purpose SSD).
- piops - number of Provisioned IOPS to provision; must be >= 100, or between 3000 and 16000 for the "gp3" volume type.
- throughput - amount of throughput in MB/s for "gp3" volume types; must be between 125 and 1000 if specified.
- existing_raid - whether or not to assume the RAID was previously assembled on existing volumes (default no).
- encrypted - specify whether the EBS volume should be encrypted.
- kms_key_id - the full ARN of the AWS Key Management Service (AWS KMS) key to use when creating the encrypted volume (defaults to the account's default EBS key if not specified).
- delete_on_termination - Boolean value to control whether or not the volume should be deleted when the instance it's attached to is terminated (defaults to nil). Only applies to the :attach action.
- tags - Hash value to tag the new volumes or snapshots. Only applies to the :create and :snapshot actions.
Examples
Create a 50G volume and attach it to the instance as /dev/sdi:
aws_ebs_volume 'db_ebs_volume' do
  size 50
  device '/dev/sdi'
  action [:create, :attach]
end
Create a new 50G volume from the snapshot ID provided and attach it as /dev/sdi:
aws_ebs_volume 'db_ebs_volume_from_snapshot' do
  size 50
  device '/dev/sdi'
  snapshot_id 'snap-ABCDEFGH'
  action [:create, :attach]
end
aws_elastic_ip
The elastic_ip resource does not support allocating new IPs. This must be done before running a recipe that uses the resource. After allocating a new Elastic IP, we recommend storing it in a data bag and loading the item in the recipe.
Actions
- associate - Associate an allocated IP with the node
- disassociate - Disassociate an allocated IP from the node
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- ip: String. The IP address to associate or disassociate.
- timeout: Integer. Default: 180. Time in seconds to wait. 0 for unlimited.
Examples
aws_elastic_ip '34.15.30.10' do
  action :associate
end

aws_elastic_ip 'Server public IP' do
  ip '34.15.30.11'
  action :associate
end
aws_elastic_lb
elastic_lb handles registering and removing nodes from ELBs. The resource also adds basic support for creating and deleting ELBs. Note that currently this resource is not fully idempotent, so it will not update the existing configuration of an ELB.
Actions
- register - Add a node to the ELB
- deregister - Remove a node from the ELB
- create - Create a new ELB
- delete - Delete an existing ELB
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- name - the name of the ELB. Required.
- region - The region of the ELB. Defaults to the region of the node.
- listeners - Array of hashes. The ports/protocols the ELB will listen on. See the example for a sample.
- security_groups - Array. Security groups to apply to the ELB. Only needed when creating ELBs.
- subnets - Array. The subnets the ELB will listen in. Only needed when creating ELBs and when using VPCs.
- availability_zones - Array. The availability zones the ELB will listen in. Only needed when creating ELBs and when using classic networking.
- tags - Array.
- scheme - Array.
Examples
ELB running in classic networking listening on port 80:
aws_elastic_lb 'Setup the ELB' do
  name 'example-elb'
  action :create
  availability_zones ['us-west-2a']
  listeners [
    {
      instance_port: 80,
      instance_protocol: 'HTTP',
      load_balancer_port: 80,
      protocol: 'HTTP',
    },
  ]
end
To register the node in the 'QA' ELB:
aws_elastic_lb 'elb_qa' do
  name 'QA'
  action :register
end
aws_iam_user
Use this resource to manage IAM users.
Actions
- create: Creates the user. No effect if the user already exists.
- delete: Gracefully deletes the user (detaches from all attached entities, and deletes the user).
Properties
The IAM user takes the name of the resource. A path can be specified as well. For more information about paths, see IAM Identifiers in the Using IAM guide.
Examples
aws_iam_user 'example-user' do
  action :create
  path '/'
end
aws_iam_group
Use this resource to manage IAM groups. The group takes the name of the resource.
Actions
- create: Creates the group, and updates members and attached policies if the group already exists.
- delete: Gracefully deletes the group (detaches from all attached entities, and deletes the group).
Properties
- path: A path can be supplied for the group. For information on paths, see IAM Identifiers in the Using IAM guide.
- members: An array of IAM users that are members of this group.
- remove_members: Set to false to ensure that members are not removed from the group when they are not present in the defined resource. Default: true
- policy_members: An array of ARNs of IAM managed policies to attach to this resource. Accepts both user-defined and AWS-defined policy ARNs.
- remove_policy_members: Set to false to ensure that policies are not detached from the group when they are not present in the defined resource. Default: true
Examples
aws_iam_group 'example-group' do
  action :create
  path '/'
  members [
    'example-user'
  ]
  remove_members true
  policy_members [
    'arn:aws:iam::123456789012:policy/example-policy'
  ]
  remove_policy_members true
end
aws_iam_policy
Use this resource to create an IAM policy. The policy takes the name of the resource.
Actions
- create: Creates or updates the policy.
- delete: Gracefully deletes the policy (detaches from all attached entities, deletes all non-default policy versions, then deletes the policy).
Properties
- path: A path can be supplied for the policy. For information on paths, see IAM Identifiers in the Using IAM guide.
- policy_document: The JSON document for the policy.
- account_id: The AWS account ID that the policy is created in. Required if using non-user credentials (i.e. an IAM role assumed through STS or an instance role).
Examples
aws_iam_policy 'example-policy' do
  action :create
  path '/'
  account_id '123456789012'
  policy_document <<-EOH.gsub(/^ {4}/, '')
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1234567890",
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": [
            "arn:aws:iam::123456789012:role/example-role"
          ]
        }
      ]
    }
  EOH
end
aws_iam_role
Use this resource to create an IAM role. The role takes the name of the resource.
Actions
- create: Creates the role if it does not exist. If the role exists, updates attached policies and the assume_role_policy_document.
- delete: Gracefully deletes the role (detaches from all attached entities, and deletes the role).
Properties
- path: A path can be supplied for the role. For information on paths, see IAM Identifiers in the Using IAM guide.
- policy_members: An array of ARNs of IAM managed policies to attach to this resource. Accepts both user-defined and AWS-defined policy ARNs.
- remove_policy_members: Set to false to ensure that policies are not detached from the role when they are not present in the defined resource. Default: true
- assume_role_policy_document: The JSON policy document to apply to this role for trust relationships. Dictates what entities can assume this role.
Examples
aws_iam_role 'example-role' do
  action :create
  path '/'
  policy_members [
    'arn:aws:iam::123456789012:policy/example-policy'
  ]
  remove_policy_members true
  assume_role_policy_document <<-EOH.gsub(/^ {4}/, '')
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Deny",
          "Principal": {
            "AWS": "*"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  EOH
end
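The Security Implications section asks for least-privilege credentials with conditions, and the sample instance-role policies under "Using IAM instance role", together with the policy_document and assume_role_policy_document examples for aws_iam_policy and aws_iam_role, are exactly the documents worth checking before chef-client applies them. The block below is an added example, not code from the aws cookbook: a small Ruby linter that flags wildcard actions, service-wide actions, Resource "*" on mutating actions without a Condition, NotAction in an Allow statement, and trust policies open to any AWS principal. It runs the README's EBS policy as written next to a scoped variant; the account id, region and role names in the samples are hypothetical, and the function names and finding texts are this example's own.

```ruby
require 'json'

# Added example, not part of the aws cookbook: a pre-flight linter for the JSON
# policy documents given to aws_iam_policy (policy_document), aws_iam_role
# (assume_role_policy_document) and the instance-role policies shown earlier.
# Function names, finding texts and the sample policies are this example's own.

READ_ONLY_PREFIXES = %w[Describe Get List].freeze

# Normalise a policy element that may be a string, an array or nil into an array.
def as_list(value)
  value.nil? ? [] : Array(value)
end

# True when every action is a Describe*/Get*/List* call; those take no resource
# ARN, so Resource "*" is unavoidable for them and is not flagged.
def read_only_actions?(actions)
  !actions.empty? && actions.all? do |a|
    name = a.split(':', 2).last.to_s
    READ_ONLY_PREFIXES.any? { |prefix| name.start_with?(prefix) }
  end
end

# Returns an array of finding strings for an identity policy (default) or a role
# trust policy (trust_policy: true). An empty array means nothing was flagged.
def policy_findings(policy_json, trust_policy: false)
  doc = JSON.parse(policy_json)
  findings = []
  as_list(doc['Statement']).each_with_index do |stmt, i|
    sid = stmt['Sid'].to_s.empty? ? "statement #{i}" : "Sid #{stmt['Sid']}"
    next unless stmt['Effect'] == 'Allow' # Deny statements can only narrow access

    findings << "#{sid}: NotAction in an Allow grants every action not listed" if stmt.key?('NotAction')
    actions = as_list(stmt['Action']).map(&:to_s)
    findings << "#{sid}: wildcard Action" if actions.include?('*')
    actions.each { |a| findings << "#{sid}: service-wide action #{a}" if a.end_with?(':*') }

    if trust_policy
      principal = stmt['Principal']
      aws_principals = as_list(principal.is_a?(Hash) ? principal['AWS'] : nil)
      if principal == '*' || aws_principals.include?('*')
        findings << "#{sid}: any AWS principal may assume this role"
      end
    else
      resources = as_list(stmt['Resource']).map(&:to_s)
      if resources.include?('*') && !stmt.key?('Condition') && !read_only_actions?(actions)
        findings << "#{sid}: Resource * on mutating actions without a Condition"
      end
    end
  end
  findings
end

# Constructed sample: the EBS instance-role policy from this README as written,
# which lets the node touch every volume and instance in the account.
EBS_POLICY_AS_WRITTEN = JSON.generate({
  'Version' => '2012-10-17',
  'Statement' => [{
    'Sid' => 'Stmt1381536011000', 'Effect' => 'Allow', 'Resource' => ['*'],
    'Action' => %w[ec2:AttachVolume ec2:CreateVolume ec2:ModifyInstanceAttribute
                   ec2:ModifyVolumeAttribute ec2:DescribeVolumeAttribute
                   ec2:DescribeVolumeStatus ec2:DescribeVolumes ec2:DetachVolume
                   ec2:EnableVolumeIO]
  }]
})

# Constructed scoped variant: read-only calls keep Resource "*", mutating calls
# are limited to one (hypothetical) account and region.
EBS_POLICY_SCOPED = JSON.generate({
  'Version' => '2012-10-17',
  'Statement' => [
    { 'Sid' => 'DescribeVolumes', 'Effect' => 'Allow', 'Resource' => '*',
      'Action' => %w[ec2:DescribeVolumeAttribute ec2:DescribeVolumeStatus ec2:DescribeVolumes] },
    { 'Sid' => 'ManageVolumes', 'Effect' => 'Allow',
      'Resource' => %w[arn:aws:ec2:us-east-1:123456789012:volume/*
                       arn:aws:ec2:us-east-1:123456789012:instance/*],
      'Action' => %w[ec2:AttachVolume ec2:CreateVolume ec2:ModifyInstanceAttribute
                     ec2:ModifyVolumeAttribute ec2:DetachVolume ec2:EnableVolumeIO] }
  ]
})

# Constructed trust policies: open to every AWS account, and limited to one
# (hypothetical) role in the same account.
OPEN_TRUST_POLICY = JSON.generate({
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Principal' => { 'AWS' => '*' }, 'Action' => 'sts:AssumeRole' }]
})
SCOPED_TRUST_POLICY = JSON.generate({
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Action' => 'sts:AssumeRole',
                    'Principal' => { 'AWS' => 'arn:aws:iam::123456789012:role/chef-client' } }]
})

if $PROGRAM_NAME == __FILE__
  puts policy_findings(EBS_POLICY_AS_WRITTEN)
  puts policy_findings(OPEN_TRUST_POLICY, trust_policy: true)
end
```

The read-only exemption exists because Describe, Get and List calls take no resource ARN, so Resource "*" there is not over-broad; everything else on "*" needs either a narrower ARN or a Condition such as a tag key. Calling policy_findings on the heredoc immediately before the aws_iam_policy or aws_iam_role resource, and raising when the array is non-empty, turns the recommendation in the security section into a check that fails the chef-client run instead of a note in a README.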
aws_instance_monitoring
Allows detailed CloudWatch monitoring to be enabled for the current instance.
Actions
- enable - Enable detailed CloudWatch monitoring for this instance (Default).
- disable - Disable detailed CloudWatch monitoring for this instance.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- region - The AWS region containing the instance. Default: the current region of the node when running in AWS, or us-east-1 if the node is not in AWS.
Examples
aws_instance_monitoring 'enable detailed monitoring'
aws_instance_role
Used to associate an IAM role (by way of an IAM instance profile) with an instance. Replaces the instance's current role association if one already exists.
Actions
- associate - Associate the role with the instance (Default).
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- region - The AWS region containing the instance. Default: the current region of the node when running in AWS, or us-east-1 if the node is not in AWS.
- instance_id - The ID of the instance to modify. Default: the current instance.
- profile_arn - The IAM instance profile to associate with the instance.
Requirements
IAM permissions:
- ec2:DescribeIamInstanceProfileAssociations
- ec2:AssociateIamInstanceProfile - Only needed if the instance is not already associated with an IAM role
- ec2:ReplaceIamInstanceProfileAssociation - Only needed if the instance is already associated with an IAM role
- iam:PassRole - This can be restricted to the resource of the IAM role being associated. Left unrestricted, it lets the caller attach any role in the account to the instance, so scope it to the specific role ARN.
Examples
aws_instance_role 'change to example role' do
  profile_arn 'arn:aws:iam::123456789012:instance-profile/ExampleInstanceProfile'
end
aws_instance_term_protection
Allows termination protection (AKA DisableApiTermination) to be enabled for an instance.
Actions
- enable - Enable termination protection for this instance (Default).
- disable - Disable termination protection for this instance.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- region - The AWS region containing the instance. Default: the current region of the node when running in AWS, or us-east-1 if the node is not in AWS.
- instance_id - The ID of the instance to modify. Default: the current instance.
Examples
aws_instance_term_protection 'enable termination protection'
aws_kinesis_stream
Use this resource to create and delete Kinesis streams. Note that this resource cannot be used to modify the shard count as shard splitting is a somewhat complex operation (for example, even CloudFormation replaces streams upon update).
Actions
- create: Creates the stream. No effect if the stream already exists.
- delete: Deletes the stream.
Properties
- starting_shard_count: The number of shards the stream starts with.
Examples
aws_kinesis_stream 'example-stream' do
  action :create
  starting_shard_count 1
end
aws_resource_tag
resource_tag can be used to manipulate the tags assigned to one or more AWS resources, i.e. EC2 instances, EBS volumes or EBS volume snapshots.
Actions
- add - Add tags to a resource.
- update - Add or modify existing tags on a resource. This is the default action.
- remove - Remove tags from a resource, but only if the specified values match the existing ones.
- force_remove - Remove tags from a resource, regardless of their values.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- tags - a hash of key/value pairs to be used as resource tags (e.g. { "Name" => "foo", "Environment" => node.chef_environment }). Required.
- resource_id - resources whose tags will be modified. The value may be a single ID as a string or multiple IDs in an array. If no resource_id is specified, the name attribute will be used.
Examples
Assigning tags to a node to reflect its role and environment:
aws_resource_tag node['ec2']['instance_id'] do
  tags('Name' => 'www.example.com app server',
       'Environment' => node.chef_environment)
  action :update
end
Assigning a set of tags to multiple resources, e.g. EBS volumes in a disk set:
aws_resource_tag 'my awesome raid set' do
  resource_id ['vol-d0518cb2', 'vol-fad31a9a', 'vol-fb106a9f', 'vol-74ed3b14']
  tags('Name' => 'My awesome RAID disk set',
       'Environment' => node.chef_environment)
end

aws_resource_tag 'db_ebs_volume' do
  resource_id lazy { node['aws']['ebs_volume']['db_ebs_volume']['volume_id'] }
  tags({ 'Service' => 'Frontend' })
end
aws_route53_record
Actions
- create - Create a Route53 record
- delete - Remove a Route53 record
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- name - Required. String. Name of the domain or subdomain.
- record_name - Optional. String. Name of the domain or subdomain; overrides name. Useful when the resource is declared several times with the same name and different values, as in a split-view DNS setup.
- value - String or Array. Value appropriate to the type; for type 'A' the value would be an IPv4 address, for example.
- type - Required. String. DNS record type.
- ttl - Integer. Default: 3600. Time to live, the amount of time in seconds to cache information about the record.
- weight - Optional. String. A value that determines the proportion of DNS queries that will use this record for the response. Valid options are between 0-255. NOT CURRENTLY IMPLEMENTED
- set_identifier - Optional. String. A value that uniquely identifies the record in a group of weighted record sets.
- geo_location - String.
- geo_location_country - String.
- geo_location_continent - String.
- geo_location_subdivision - String.
- zone_id - String.
- region - String.
- overwrite - [true, false]. Default: true
- alias_target - Optional. Hash. Associated with Amazon 'alias' type records. The hash contents vary depending on the type of target the alias points to.
- mock - [true, false]. Default: false
- fail_on_error - [true, false]. Default: false
Examples
Create a simple record:
aws_route53_record 'create a record' do
  name 'test'
  value '16.8.4.2'
  type 'A'
  weight '1'
  set_identifier 'my-instance-id'
  zone_id 'ID VALUE'
  overwrite true
  fail_on_error false
  action :create
end
Delete an existing record. Note that value is still necessary even though we're deleting. This is a limitation in the AWS SDK.
aws_route53_record 'delete a record' do
  name 'test'
  value '16.8.4.2'
  type 'A'
  action :delete
end
aws_route53_zone
Actions
- create - Create a Route53 zone
- delete - Remove a Route53 zone
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- name - Required. String. Name of the zone.
- description - String. Description shown in the Route53 UI.
- private - [true, false]. Default: false. Whether this should be a private zone for use in your VPCs or a public zone.
- vpc_id - String. If creating a private zone, this is the VPC to associate the zone with.
Examples
aws_route53_zone 'testkitchen.dmz' do
  description 'My super important zone'
  action :create
end
aws_secondary_ip
This feature is available only to instances within VPCs. It allows you to assign multiple private IP addresses to a network interface.
Actions
- assign - Assign a private IP to the instance.
- unassign - Unassign a private IP from the instance.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- ip - the private IP address. Required.
- interface - the network interface to assign the IP to. If none is given, uses the default interface.
- timeout - connection timeout for the EC2 API.
aws_s3_file
s3_file can be used to download a file from S3 that requires AWS authorization. This is a wrapper around the core Chef remote_file resource and supports the same resource attributes as remote_file. See the remote_file Chef Docs for a complete list of available attributes.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- region - The AWS region containing the file. Default: the current region of the node when running in AWS, or us-east-1 if the node is not in AWS.
- virtual_host - set to true to use the bucket name as a virtual host (defaults to false).
Actions
- create: Downloads a file from S3
- create_if_missing: Downloads a file from S3 only if it doesn't exist locally
- delete: Deletes a local file
- touch: Touches a local file
Examples
```ruby
aws_s3_file '/tmp/foo' do
  bucket 'i_haz_an_s3_buckit'
  remote_path 'path/in/s3/bukket/to/foo'
  region 'us-west-1'
end

aws_s3_file '/tmp/bar' do
  bucket 'i_haz_another_s3_buckit'
  remote_path 'path/in/s3/buckit/to/foo'
  region 'us-east-1'
  requester_pays true
end
```
aws_s3_bucket
s3_bucket can be used to create or delete S3 buckets. Note that buckets can only be deleted if they are empty, unless you specify delete_all_objects true, which will delete EVERYTHING in your bucket first.
Actions
- create: Creates the bucket
- delete: Deletes the bucket
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- region - The AWS region containing the bucket. Default: the current region of the node when running in AWS, or us-east-1 if the node is not in AWS.
- versioning - Enable or disable S3 bucket versioning. Default: false
- delete_all_objects - Used with the :delete action to delete all objects before deleting a bucket. Use with EXTREME CAUTION. default: false (for a reason)
Examples
```ruby
aws_s3_bucket 'some-unique-name' do
  aws_access_key aws['aws_access_key_id']
  aws_secret_access_key aws['aws_secret_access_key']
  versioning true
  region 'us-west-1'
  action :create
end

aws_s3_bucket 'another-unique-name' do
  aws_access_key aws['aws_access_key_id']
  aws_secret_access_key aws['aws_secret_access_key']
  region 'us-west-1'
  action :delete
end
```
aws_secondary_ip
The secondary_ip resource provider allows one to assign/unassign multiple private secondary IPs on an instance within a VPC. The number of secondary IP addresses that you can assign to an instance varies by instance type. If no IP address is provided on assign, a random one from within the subnet will be assigned. If no interface is provided, the default interface as determined by Ohai will be used.
Examples
```ruby
aws_secondary_ip 'assign_additional_ip' do
  aws_access_key aws['aws_access_key_id']
  aws_secret_access_key aws['aws_secret_access_key']
  ip ip_info['private_ip']
  interface 'eth0'
  action :assign
end
```
aws_security_group
security_group can be used to create or update security groups and their associated rules.
Actions
- create: Creates the security group
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- region - The AWS region containing the group. Default: the current region of the node when running in AWS, or us-east-1 if the node is not in AWS.
- name - The name of the security group to manage
- description - The security group description
- vpc_id - The vpc_id where the security group should be created
Tags
- tags - Security group tags. Default: []
Ingress/Egress rules
Note - this manages ALL rules on the security group. Any existing rules not included in these definitions will be removed.
- ip_permissions - Ingress rules. Default: []
- ip_permissions_egress - Egress rules. Default: []
Examples
```ruby
aws_security_group 'some-unique-name' do
  aws_access_key aws['aws_access_key_id']
  aws_secret_access_key aws['aws_secret_access_key']
  description 'some-unique-description'
  vpc_id 'vpc-000000000'
  ip_permissions []
  ip_permissions_egress []
  tags []
  action :create
end
```

Manages tags

```ruby
aws_security_group 'some-unique-name' do
  aws_access_key aws['aws_access_key_id']
  aws_secret_access_key aws['aws_secret_access_key']
  description 'some-unique-description'
  vpc_id 'vpc-000000000'
  ip_permissions []
  ip_permissions_egress []
  tags [{ key: 'tag_key', value: 'tag_value' }]
  action :create
end
```

Manages ingress/egress rules

```ruby
aws_security_group 'some-unique-name' do
  aws_access_key aws['aws_access_key_id']
  aws_secret_access_key aws['aws_secret_access_key']
  description 'some-unique-description'
  vpc_id 'vpc-000000000'
  ip_permissions [{
    from_port: 22,
    ip_protocol: 'tcp',
    ip_ranges: [
      {
        cidr_ip: '10.10.10.10/24',
        description: 'SSH access from the office',
      },
    ],
    to_port: 22,
  }]
  ip_permissions_egress [{
    from_port: 123,
    ip_protocol: 'udp',
    ip_ranges: [
      {
        cidr_ip: '10.10.10.10/24',
        description: 'ntp from the office',
      },
    ],
    to_port: 123,
  }]
  action :create
end
```

Alternatively you can use the class definitions for a more strongly typed object

```ruby
aws_security_group 'some-unique-name' do
  aws_access_key aws['aws_access_key_id']
  aws_secret_access_key aws['aws_secret_access_key']
  description 'some-unique-description'
  vpc_id 'vpc-000000000'
  ip_permissions [Aws::EC2::Types::IpPermission.new.to_h]
  ip_permissions_egress [Aws::EC2::Types::IpPermission.new.to_h]
  action :create
end
```
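Because the resource manages ALL rules on the group, a converge silently revokes anything that was added outside Chef. The following is an added example, not code from the cookbook itself: it takes the rules currently on a group and the rules declared in ip_permissions (both constructed sample data, in the same hash shape as the examples above) and reports what the converge would authorize and revoke, plus any rule open to the whole internet, so the removal is a decision rather than a surprise.

```ruby
require 'set'

# Added example, not the cookbook's own code. aws_security_group manages ALL
# rules on the group, so a converge revokes every existing rule absent from
# ip_permissions / ip_permissions_egress. This computes that diff up front.
# Both rule sets are constructed sample data in the README's hash shape.
EXISTING_RULES = [
  { from_port: 22, to_port: 22, ip_protocol: 'tcp',
    ip_ranges: [{ cidr_ip: '10.10.10.10/24', description: 'SSH access from the office' }] },
  # A stale rule added by hand outside Chef (constructed for the example).
  { from_port: 3389, to_port: 3389, ip_protocol: 'tcp',
    ip_ranges: [{ cidr_ip: '0.0.0.0/0', description: 'temporary RDP' }] },
].freeze

DESIRED_RULES = [
  { from_port: 22, to_port: 22, ip_protocol: 'tcp',
    ip_ranges: [{ cidr_ip: '10.10.10.10/24', description: 'SSH access from the office' }] },
].freeze

# Flatten ip_permissions into comparable [protocol, from, to, cidr] tuples.
# The description is dropped: it has no effect on what traffic is admitted.
def normalize_permissions(permissions)
  permissions.flat_map do |perm|
    (perm[:ip_ranges] || []).map do |range|
      [perm[:ip_protocol], perm[:from_port], perm[:to_port], range[:cidr_ip]]
    end
  end.to_set
end

# Rules the converge would add (:authorize) and remove (:revoke).
def security_group_diff(existing, desired)
  have = normalize_permissions(existing)
  want = normalize_permissions(desired)
  { authorize: (want - have).to_a.sort, revoke: (have - want).to_a.sort }
end

# Rules that admit any source address, worth a look whichever side of the
# diff they land on.
def open_to_world(permissions)
  normalize_permissions(permissions)
    .select { |_proto, _from, _to, cidr| ['0.0.0.0/0', '::/0'].include?(cidr) }
    .to_a.sort
end

if $PROGRAM_NAME == __FILE__
  diff = security_group_diff(EXISTING_RULES, DESIRED_RULES)
  puts "authorize: #{diff[:authorize].inspect}"
  puts "revoke:    #{diff[:revoke].inspect}"
  puts "open rules currently on the group: #{open_to_world(EXISTING_RULES).inspect}"
end
```

Run against the sample data the diff authorizes nothing and revokes the hand-added RDP rule; in practice the existing rules would come from a describe call before the converge.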
aws_ssm_parameter_store
The ssm_parameter_store resource provider allows one to get, create and delete keys and values in the AWS Systems Manager Parameter Store. Values can be stored as plain text or as an encrypted string. In order to use the parameter store resource your EC2 instance role must have the proper policy. This sample policy allows getting, creating and deleting parameters. You can adjust the policy to your needs. It is recommended that you have one role with the ability to create secrets and another that can only read the secrets. It is important to set sensitive true in the resources where the secrets are used so that secrets are not exposed in log files.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:RemoveTagsFromResource",
        "ssm:GetParameterHistory",
        "ssm:AddTagsToResource",
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:DeleteParameters"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:document/*",
        "arn:aws:ssm:*:*:parameter/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ssm:DescribeParameters",
      "Resource": "*"
    }
  ]
}
```
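The recommendation above to split the writer role from a read-only role is easy to state and easy to get subtly wrong. As an added example (not part of the cookbook), here is a deliberately small, Allow-only evaluator for policies of the shape shown: it holds the sample policy as a Ruby hash alongside a constructed read-only counterpart scoped to an assumed parameter path prefix /myapp/, and checks which actions each actually grants. Real IAM evaluation also applies Deny, conditions, NotAction/NotResource, permission boundaries and resource policies, so treat this as a sanity check on the policy text, not a replacement for the IAM policy simulator.

```ruby
# Added example, not the cookbook's own code: a small Allow-only evaluator
# for policies like the sample above, used to confirm that a read-only role
# is actually read-only. Deny, conditions, NotAction/NotResource, permission
# boundaries and resource policies are not modelled.

# The sample policy from the README, as a Ruby hash.
SSM_WRITER_POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [
    { 'Sid' => 'VisualEditor0', 'Effect' => 'Allow',
      'Action' => %w[ssm:PutParameter ssm:DeleteParameter ssm:RemoveTagsFromResource
                     ssm:GetParameterHistory ssm:AddTagsToResource ssm:GetParametersByPath
                     ssm:GetParameters ssm:GetParameter ssm:DeleteParameters],
      'Resource' => ['arn:aws:ssm:*:*:document/*', 'arn:aws:ssm:*:*:parameter/*'] },
    { 'Sid' => 'VisualEditor1', 'Effect' => 'Allow',
      'Action' => 'ssm:DescribeParameters', 'Resource' => '*' },
  ],
}.freeze

# Constructed read-only counterpart, scoped to one parameter path prefix
# (the /myapp/ prefix is an assumption for the example). Decrypting a
# SecureString additionally needs kms:Decrypt on the key that encrypted it.
SSM_READER_POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [
    { 'Sid' => 'ReadMyAppParameters', 'Effect' => 'Allow',
      'Action' => %w[ssm:GetParameter ssm:GetParameters ssm:GetParametersByPath],
      'Resource' => 'arn:aws:ssm:*:*:parameter/myapp/*' },
  ],
}.freeze

# IAM-style glob: '*' matches any run of characters, '?' a single one.
# Action names match case-insensitively; resource ARNs do not.
def iam_pattern_match?(pattern, value, ignore_case: false)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# True when some Allow statement covers both the action and the resource.
def policy_allows?(policy, action, resource)
  policy['Statement'].any? do |stmt|
    stmt['Effect'] == 'Allow' &&
      Array(stmt['Action']).any? { |a| iam_pattern_match?(a, action, ignore_case: true) } &&
      Array(stmt['Resource']).any? { |r| iam_pattern_match?(r, resource) }
  end
end

# For a role meant to be read-only: the write-type actions it would still
# be granted on +resource+ (empty is what you want to see).
WRITE_ACTIONS = %w[ssm:PutParameter ssm:DeleteParameter ssm:DeleteParameters].freeze
def unexpected_write_grants(policy, resource)
  WRITE_ACTIONS.select { |a| policy_allows?(policy, a, resource) }
end
```

With a constructed ARN such as arn:aws:ssm:us-east-1:123456789012:parameter/myapp/db_password the writer policy grants PutParameter and the reader policy does not, and the reader cannot read a parameter outside /myapp/ at all.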
Actions
- get - Retrieve a key/value from the AWS Systems Manager Parameter Store.
- get_parameters - Retrieve multiple key/values by name from the AWS Systems Manager Parameter Store. Values are stored in a hash indexed by the corresponding path value.
- get_parameters_by_path - Retrieve multiple key/values by path from the AWS Systems Manager Parameter Store. Values are stored in a hash indexed by the key's name. If recursive is set to true, it will retrieve all parameters in the path hierarchy, constructing a representative hash structure with nested keys/values.
- create - Create a key/value in the AWS Systems Manager Parameter Store.
- delete - Remove the key/value from the AWS Systems Manager Parameter Store.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- path - Specify the target parameter (String) or parameters (Array, for :get_parameters). (required)
- recursive - If set to true the code will retrieve all parameters in the hierarchy (get_parameters_by_path, optional, defaults to false)
- description - Type a description to help identify parameters and their intended use. (create, optional)
- value - Item stored in AWS Systems Manager Parameter Store (create, required)
- type - Describes the value that is stored. Can be a String, StringList or SecureString (create, required)
- key_id - The value after key/ in the ARN of the KMS key which is used with a SecureString. If SecureString is chosen and no key_id is specified, AWS Systems Manager Parameter Store uses the default AWS KMS key assigned to your AWS account (create, optional)
- overwrite - Indicates if create should overwrite an existing parameter with a new value. AWS Systems Manager Parameter Store versions new values (create, optional, defaults to true)
- with_decryption - Indicates if AWS Systems Manager Parameter Store should decrypt the value. Note that it must have access to the encryption key for this to succeed (get, optional, defaults to false)
- allowed_pattern - A regular expression used to validate the parameter value (create, optional)
- return_key - The key name to set the returned value into. This can then be used by calling node.run_state['returnkeyname'] in other resources (get, optional)
Examples
Create String Parameter

```ruby
aws_ssm_parameter_store 'create testkitchen record' do
  path 'testkitchen'
  description 'testkitchen'
  value 'testkitchen'
  type 'String'
  action :create
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
end
```

Create Encrypted String Parameter with Custom KMS Key

```ruby
aws_ssm_parameter_store "create encrypted test kitchen record" do
  path '/testkitchen/EncryptedStringCustomKey'
  description 'Test Kitchen Encrypted Parameter - Custom'
  value 'Encrypted Test Kitchen Custom'
  type 'SecureString'
  key_id '5d888999-5fca-3c71-9929-014a529236e1'
  action :create
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
end
```

Delete Parameter

```ruby
aws_ssm_parameter_store 'delete testkitchen record' do
  path 'testkitchen'
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
  action :delete
end
```

Get Parameters and Populate Template

```ruby
aws_ssm_parameter_store 'get clear_value' do
  path '/testkitchen/ClearTextString'
  return_key 'clear_value'
  action :get
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
end

aws_ssm_parameter_store 'get decrypted_value' do
  path '/testkitchen/EncryptedStringDefaultKey'
  return_key 'decrypted_value'
  with_decryption true
  action :get
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
end

aws_ssm_parameter_store 'get decrypted_custom_value' do
  path '/testkitchen/EncryptedStringCustomKey'
  return_key 'decrypted_custom_value'
  with_decryption true
  action :get
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
end

aws_ssm_parameter_store 'getParameters' do
  path ['/testkitchen/ClearTextString', '/testkitchen']
  return_key 'parameter_values'
  action :get_parameters
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
end

aws_ssm_parameter_store 'getParametersbypath' do
  path '/pathtest/'
  recursive true
  with_decryption true
  return_key 'path_values'
  action :get_parameters_by_path
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
end
```

Get bucket name and retrieve file

```ruby
aws_ssm_parameter_store 'get bucketname' do
  path 'bucketname'
  return_key 'bucketname'
  action :get
  aws_access_key node['aws_test']['key_id']
  aws_secret_access_key node['aws_test']['access_key']
end

aws_s3_file "/tmp/test.txt" do
  bucket lazy { node.run_state['bucketname'] }
  remote_path "test.txt"
  sensitive true
  aws_access_key_id node[:custom_access_key]
  aws_secret_access_key node[:custom_secret_key]
end
```
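The examples above store what the get actions return under a return_key in node.run_state, but the shape of that value is only described in prose (and in the 8.0.0 changelog note that the queried path is stripped from the keys). The following added example, which is a reconstruction and not the cookbook's own implementation, builds those hashes from a constructed list of parameters so the difference between get_parameters, a non-recursive get_parameters_by_path and a recursive one is visible; how deeply the recursive result nests is our reading of "representative hash structure". It also shows the one thing worth doing before any of these values reach a log line: masking SecureString values.

```ruby
require 'set'

# Added example, not the cookbook's own code. Reconstructs the shape of the
# hashes the get actions place into node.run_state, from the README's action
# descriptions and the 8.0.0 changelog note that the queried path is stripped
# from returned keys. The nesting used for the recursive result is our
# reading of "representative hash structure". Parameters below are
# constructed sample data.
SAMPLE_PARAMETERS = [
  { name: '/pathtest/app/db/password', value: 'p@ss',        type: 'SecureString' },
  { name: '/pathtest/app/host',        value: 'db.internal', type: 'String' },
  { name: '/pathtest/flag',            value: 'on',          type: 'String' },
  { name: '/other/ignored',            value: 'x',           type: 'String' },
].freeze

# '/creds-path/some_token' queried with path '/creds-path/' -> 'some_token'.
def strip_parameter_path(path, name)
  prefix = path.end_with?('/') ? path : "#{path}/"
  name.start_with?(prefix) ? name[prefix.length..-1] : name
end

# :get_parameters_by_path. Without recursive only parameters directly under
# +path+ are returned; with recursive each deeper path segment becomes a
# nested hash key and the last segment holds the value.
def parameters_by_path(path, params, recursive: false)
  prefix = path.end_with?('/') ? path : "#{path}/"
  params.each_with_object({}) do |param, result|
    next unless param[:name].start_with?(prefix)
    segments = strip_parameter_path(path, param[:name]).split('/')
    if recursive
      leaf = segments.pop
      parent = segments.reduce(result) { |node, seg| node[seg] ||= {} }
      parent[leaf] = param[:value]
    elsif segments.length == 1
      result[segments.first] = param[:value]
    end
  end
end

# :get_parameters - values keyed by the full parameter name that was asked for.
def parameters_by_name(names, params)
  wanted = names.to_set
  params.select { |p| wanted.include?(p[:name]) }
        .map { |p| [p[:name], p[:value]] }.to_h
end

# What may be written to a log: SecureString values are masked. The Chef
# resources that consume these values should carry `sensitive true` for the
# same reason.
def redact_for_log(params)
  params.map { |p| p.merge(value: p[:type] == 'SecureString' ? '[REDACTED]' : p[:value]) }
end
```

For the sample data a non-recursive query of /pathtest/ yields only { 'flag' => 'on' }, while the recursive query yields 'app' => { 'db' => { 'password' => ... }, 'host' => ... } next to 'flag', which is the structure a template would walk.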
aws_autoscale
autoscale can be used to attach and detach EC2 instances to/from an AutoScaling Group (ASG). Once the instance is attached, autoscale allows one to move the instance into and out of standby mode. Standby mode temporarily takes the instance out of rotation so that maintenance can be performed.
Properties
- aws_secret_access_key, aws_access_key and optionally aws_session_token - required, unless using IAM roles for authentication.
- asg_name - The instance will be attached to this AutoScaling Group. The name is case sensitive. (attach_instance, required)
- should_decrement_desired_capacity - Indicates whether the Auto Scaling group decrements the desired capacity value by the number of instances moved to standby or detached. (enter_standby and detach_instance, optional, defaults to true)
Actions
- attach_instance: Attach an instance to an ASG. If the instance is already attached it will generate an error.
- detach_instance: Detach an instance from an ASG. If the instance is not already attached and in service it will generate an error.
- enter_standby: Put this instance into standby mode. Will generate an error if already in standby mode.
- exit_standby: Remove the instance from standby mode. Will generate an error if not in standby mode.
Examples
```ruby
aws_autoscaling 'attach_instance' do
  action :attach_instance
  asg_name 'Test'
end

aws_autoscaling 'enter_standby' do
  should_decrement_desired_capacity true
  action :enter_standby
end

aws_autoscaling 'exit_standby' do
  action :exit_standby
end

aws_autoscaling 'detach_instance' do
  should_decrement_desired_capacity true
  action :detach_instance
end
```
Contributors
This project exists thanks to all the people who contribute.
Backers
Thank you to all our backers!
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
Dependent cookbooks
This cookbook has no specified dependencies.
aws Cookbook CHANGELOG
This file is used to list changes made in each version of the aws cookbook.
8.4.1 - 2021-08-26
8.4.0 - 2021-01-24
- Sous Chefs Adoption
- Standardise files with files in sous-chefs/repo-management
- Cookstyle fixes
- feat(volume-type): add gp3 and io2 volume types to allowed types
- fix(ebs): update the ec2 gem and correct array membership test
- Update aws-sdk-kms to latest
8.3.1 (2020-12-04)
- Resolve cookstyle warnings - @cookstyle
- Update AWS S3 gem dependency - @arothian
8.3.0 (2020-08-06)
- Cookstyle 6.2.9 Fixes - @xorimabot
- Ensure we have resource_name in addition to provides in resources - @tas50
- Avoid resource overloading for aws_route53_record - @chakri-pd
- Avoid assigning a value only to return it - @tas50
8.2.0 (2020-02-11)
- Add documentation for return_key - @mbaitelman
- Ignore tags with prefix aws: instead of aws - @tamimkh
- Remove unnecessary Foodcritic comments - @tas50
- Require Chef 12.15+ - @tas50
8.1.1 (2019-11-10)
- bump aws-partitions for aws-sdk-core fix - @scalp42
8.1.0 (2019-11-08)
- Add Security group functionality (#379) - @smcavallo
- Adding support for virtualHost on s3
- Remove the long_description and if respond_to? in metadata.rb - @tas50
- Remove the ChefSpec matchers - @tas50
- Remove use_inline_resources in the provider - @tas50
- Remove the why-run check in the dynamo provider - @tas50
- Use platform? helpers where we can - @tas50
- Attempt to fix gem install issues with aws gems - @majormoses
8.0.4 (2019-05-16)
- Added a basic chefspec test - @dualbus
- Add code owners file - @tas50
- Rename the kitchen config - @tas50
- Cookstyle fixes - @tas50
- Add security section to the readme - @smcavallo
- mark all secret_access_key/session_token parameters as sensitive - @smcavallo
- account for timezone in setting s3 presigned url expiration - @majormoses
- bump aws-sdk-* gems for aws-sigv4 compatibility - @scalp42
8.0.3 (2018-12-21)
- Use the right alias - @majormoses
- remove refs to return_keys - @majormoses
8.0.2 (2018-12-18)
- add alias_method for return_key and return_keys - @majormoses
8.0.1 (2018-12-14)
- Fix the gem metadata to prevent failures to install the gems - @majormoses
8.0.0 (2018-12-14)
- Switch to aws-sdk-v3 gems and only install the minimum required gems - @bdwyertech
- s3_file: Fixed local ETag calculation to handle file originally uploaded as multi part. - @joshs85
- s3_file: Created s3_url property to be able to retrieve the pre signed url. - @joshs85
- s3_file: Made secret access key and token sensitive properties so they don't show up in logs. - @joshs85
- ssm_parameter_store: Fix namespacing issues and clean up the ssm_parameter_store resource parameters. This is a BREAKING CHANGE as it removes the parameter's path from the key returned to the run_state. If you had a path such as /creds-path/, a credential called some_token, and a return_keys of some-app: node.run_state['some-app'] will contain {"some_token"=>"token_value"} where previously it returned {"/creds-path/some_token"=>"token_value"}. As such you will need to update all references that use this. - @bdwyertech
- ssm_parameter_store: add proper handling of pagination for path-based queries - @bdwyertech
- Lock aws gems to their latest minor version to prevent installing every updated gem Amazon releases - @majormoses
7.5.0 (2018-07-18)
- Fixing getting Route53 record when geo location is set
- added autoscaling resource
- Adds http_proxy to the AWS client options so the Seahorse client traverses the proxy if the environment variable is defined
- Cleanup tests so they can be more easily run outside Chef
7.4.1 (2018-05-17)
- Rescue Aws::EC2::Errors::InvalidSnapshotInUse with a friendly message
7.4.0 (2018-05-17)
- Allow installation of either aws-sdk v2 or v3
- Add support for STS assumed roles
- Add default empty hashes to several properties
- Resolve a few more Chef 14 incompatibilities
- Fix a failure when deleting ebs volumes
7.3.1 (2018-03-21)
- Check for nil as well as empty tags in ebs_volume
7.3.0 (2018-03-20)
- add aws_instance_role
- Add option to tag the new volumes and snapshots
- Added basic functionality for parameter store
- add requester_pays option to s3_file
- fix etag request via head_object when requester_pays
- Remove name property that isn't necessary
- Added SSM Parameter Store get functionality
- Chef 14: Avoid passing nils to remote_file in aws_s3_file resource
7.2.2 (2017-11-14)
- Resolve FC108 warning
- Make sure ip is listed as required for elastic_ip in the readme
7.2.1 (2017-09-08)
- Add missing aws_instance_term_protection matcher. Rename kinetic to kinesis matcher.
7.2.0 (2017-09-06)
- Add instance_term_protection resource
- Added named_iam_capability option to the cloudformation_stack resource
7.1.2 (2017-06-19)
- Multiple fixes to issues with the elastic_ip resource that prevented converges
7.1.1 (2017-06-16)
- Use the correct region value to prevent converge failures introduced in 7.0 with the ebs_volume resource
- Better handle snapshots when the user passes a volume_id instead of a snapshot ID
- Reload Ohai data when a ebs volume in attached or detached so the node data is correct
- Properly error if the user does not pass device to ebs_volume when its needed
7.1.0 (2017-06-16)
- Refactor and fix the secondary_ip resource
- Fix failures that occurred when assigning IPs via the resource (aka make it actually work)
- Move all helpers out of the EC2 library and into the resource itself
- Instead of using open-uri to query the metadata endpoint use EC2 data from Ohai
- Make IP a required property since we need that to run
- Refactor the wait loop that broke notification when the resources updated
- Reload Ohai data in the resource so downstream recipes will know about the new IP
7.0.0 (2017-06-15)
- The route53_record resource from the route53 resource has been moved into this cookbook. The resource is now named aws_route53_record, but can be referenced by the old name: route53_record. The resource now accepts all authentication methods supported by this cookbook and a new zone_name property can be used in place of the zone_id property so you now only need to know the name of the zone the record is placed into.
- Added a new aws_route53_zone resource for adding zones to Route53
- Added new aws_s3_bucket resource. This is a very simple resource at the moment, but it lays the groundwork for a more complex resource for adding buckets with ACLs and other features
- Converted all resources except for dynamodb_table to be custom resources. Logging and converging of resources has been updated and code has been cleaned up
- Simplified the cookbook libraries by collapsing most of the libraries into the individual resources. For the most part these just added unnecessary complexity to the cookbook
- Reworked how aws region information is determined and how the connection to AWS is initialized to work with some the new resources and the existing route53 resources
- Moved the libraries from the Opscode::Aws namespace to the AwsCookbook namespace.
- Large scale readme cleanup. There were multiple resources missing and some resources documented in 2 places. The documentation for resources is now ordered alphabetically and contains all actions and properties.
- Updated elastic_ip resource to reload ohai after changes so ohai data reflects the current node state
- Remove storage of IP information on the node when using the elastic_ip resource. This is a bad practice in general as node data can be changed or deleted by users or chef itself. This is potentially a breaking change for users that relied on this behavior.
- Updated resource_tag to properly support why-run mode
6.1.1 (2017-06-05)
- Resolve frozen string warning on Chef 13 in the s3_file resource
- Resolve useless assignment cookstyle warning in the EC2 library
- Make the ELB deletion messaging consistent with the create messaging
6.1.0 (2017-05-01)
- Converted aws_cloudwatch and aws_elb to custom resources with code cleanup
- Add create/delete actions to the aws_elb resource. This resource is currently not able to update the state of the ELB and does not setup health checks. It's mostly used to allow us to test the existing attach/detach actions, but it will be expanded in the future to allow for full ELB management
- Cleanup of the EC2 helper and removal of a few unnecessary helpers
6.0.0 (2017-04-27)
- Resolve deprecation warning in the chefspecs
- Remove the EBS Raid resource, which did not work on modern EC2 instance types and only worked on select Linux systems. We highly recommend users utilize provisioned IOPS on EBS volumes as they offer far greater reliability. If that's not an option you may want to pin to the 5.X release of this cookbook.
- Remove the ec2_hints recipe as newer Chef releases auto detect EC2 and don't require hints to be applied
- Use Chef's gem install in the metadata to handle gem installation. This increases the minimum required Chef release to 12.9
- Convert instance_monitoring to a custom resource with improved logging and converge notification
- Consider pending to be enabled as well within instance_monitoring to avoid enabling again
5.0.1 (2017-04-18)
- Fix for Issue #283 (error on aws_resource_tag): Updated deprecated Chef::Resource call with valid Chef::ResourceResolver drop-in
5.0.0 (2017-04-11)
- Calculate the presigned url after the md5 check as it may timeout when the existing file is very large
- Update testing for Chef 13 and use local delivery
- Update apache2 license string
- Require the latest ohai cookbook which fixes Chef 13 compatibility. With this change this cookbook now requires Chef 12.6 or later
4.2.2 (2017-02-24)
- Let the API decide what the default volume type is for EBS volumes. This doesn't actually change anything at the moment, but keeps us up to date with the defaults of the aws-sdk
4.2.1 (2017-02-24)
- Tweaks to the readme for clarity
- Remove Ubuntu 12.04 and openSUSE 13.2 from Test Kitchen matrix as these are both on the way to EOL
- Remove the sensitive, retries, and retry_delay from the s3_file resource for Chef 13 compatibility since chef itself defines these
4.2.0 (2017-01-21)
- README: Add ec2:ModifyInstanceAttribute to sample IAM policy (fixes #241)
- Added a new resource for managing CloudWatch alarms
4.1.3 (2016-11-01)
- Don't declare region twice in s3_file
4.1.2 (2016-10-04)
- Add matcher definitions for ChefSpec
4.1.1 (2016-09-19)
- Fix false "volume no longer exists" errors.
- Use alias_method to cleanup backwards compatibility in s3_file
4.1.0 (2016-09-19)
- Pass through retry_delay to remote_file
- Require ohai 4.0+ cookbook and use new compile_time method for ohai_hint resource
- Remove Chef 11 compatibility code in the aws-sdk gem install
4.0.0 (2016-09-15)
- Testing updates
- Require Chef 12.1 or later
- Use node.normal instead of node.set to avoid deprecation notices
- Warn in the logs if the default recipe is included
- Remove the ohai reload on every run in the hint recipe
- Remove chef 11 compat in the metadata
3.4.1 (2016-08-09)
- Modified find_snapshot_id method to make it work as intended
- Testing framework updates
v3.4.0 (2016-06-30)
- Added retries property to s3_file
- Switched docker based test kitchen testing to kitchen-dokken
- Added chef_version support metadata
- Added suse, opensuse, and opensuseleap as supported platforms
- Fixed Assume role credentials bug
v3.3.3 (2016-05-10)
- Add support for new ebs volume types: sc1 st1
v3.3.2 (2016-04-13)
- Resolved no method error when using the elb resource
- Fixed a bug in the md5 check in the s3_file resource
v3.3.1 (2016-03-25)
- Only install the aws-sdk gem at compile_time if chef-client supports that
v3.3.0 (2016-03-25)
- The AWS gem is now automatically installed as needed by the providers
- Added ChefSpec matchers for: cloudformation_stack, dynamodb_table, elastic_lb, iam_*, kinetic_stream, secondary_ip.
v3.2.0 (2016-03-23)
- Add the :delete action to the ebs_volume provider
v3.1.0 (2016-03-22)
- Added the sensitive attribute to the s3_file provider
- s3_file provider now compares md5sums of local files against those in S3 to determine if the file should be downloaded during the chef-client run
- s3_file provider now properly handles region by defaulting to us-east-1 unless a region is provided in the resource
- An inspec test suite has been added for the s3_file provider
- s3 connection objects are no longer stored in a per-region hash as this is longer necessary with the changes to how connection objects are stored
- The region method in the S3 module has been removed as it wasn't being used after region handling refactoring in the 3.0 release
v3.0.0 (2016-03-20)
Breaking changes
- Removed the ability to use databags for credentials with the ebs_raid provider. You must now pass the credentials in via the resource, @tas50
- #218 Remove support for Chef < 11.6.0, @tas50
- Switched to Ohai to gather information on the AWS instance instead of direct AWS metadata calls. This also removes the node['region'] attribute, which is no longer necessary. If you would like to mock the region for some reason in local testing, set node['ec2']['placement_availability_zone'] to the AZ, as this is used to determine the region, @tas50
- aws-sdk gem is no longer loaded in default recipe
Other Changes
- #172 Several new features (AWS CloudFormation Support, IAM Support, Kinesis, DynamoDB, and local auth options) @vancluever
- Changes the AWS connect to not be shared across resources. This allows each resource to run against a different region or use different credentials, @tas50
- #63 Add xfs support for ebs_raid filesystem, @bazbremner
- Fixed nil default value deprecation warnings in the providers, @tas50
- Fixed errors in the ebs_raid provider, @tas50
- Fixed missing values in the converge messaging in the ebs_volume provider, @tas50
- Fixed a failure when detaching ebs volumes, @dhui
- Added use_inline_resources to all providers, @tas50
v2.9.3 (2016-03-07)
- Resolved a default value warning in ebs_raid when running Chef 12.7.2+
- Updated development and testing Gem dependencies
- Resolved the latest rubocop warnings
v2.9.2 (2016-01-26)
- Fix a missing space in the ohai dependency
v2.9.1 (2016-01-26)
- Require ohai 2.1.0 or later due to a bug in previous releases that prevented ohai hints from being created
- Added inspec tests for the ohai hint file creation
- Added supported platforms to the metadata so the platform badges will display on the Supermarket
v2.9.0 (2016-01-26)
- #191 Add region attribute to s3_file provider, @zl4bv
- #203 Create the ec2 hint using the ohai provider for Windows compatibility, @tas50
- #205 Fix elb register/deregister, @obazoud
v2.8.0 (2016-01-21)
- #192 Fix secondary_ip failure, add windows support, and document in the readme, @Scythril
- #185 Update the aws-sdk dependency to the 2.2.X release, @tas50
- #189 Loosen the dependency on the aws-sdk to bring in current releases, @philoserf
- #183 Load the aws-sdk gem directly in the providers, @shortdudey123
- #165 Fix encryption support in ebs_raid provider, @DrMerlin
- #190 Add support for AssumeRole granted credentials using the either provided key or an instance profile, @knorby
- #160 Add an attribute to define the region if you're not running in AWS @ubiquitousthey
- #162 Update the Berksfile syntax, @miketheman
- Added testing in Travis CI
- Added a Gemfile with testing dependencies
- Added cookbook version and Travis CI status badges to the readme
- Test on the latest Chef releases instead of 11.16.0
- Update contributing and testing documentation
- Add Rakefile for simplified testing
- Add maintainers.md/maintainers.toml files and a Rake task for managing the MD file
- Update provider resources to use the Chef 11+ default_action format
v2.7.2 (2015-06-29)
- #124 Retain compatibility with Chef 11, @dhui
- #128 Use correct pageable response from aws-sdk v2 update, @drywheat
- #133 Fix ELB registration to detect correctly, deregister fix, @purgatorio
- #154 Update the contributing guide, @miketheman
- #156 Fix ebs_raid behavior without a snapshot_id, @mkantor
- Updates for ignores, use correct supermarket url, @tas50
v2.7.1 (2015-06-04)
- Adding support for aws_session_token
v2.7.0 (2015-04-06)
- Support for encrypted EBS volumes
- secondary_ip resource and provider
- Improvement of resource_tag id regex
- Add ChefSpec matchers for aws cookbook resources
v2.6.6 (2015-05-06)
- #123 Cleans up README and adds more metadata
v2.6.5 (2015-03-19)
- #110 Fix chef_gem compile time usage, also in conjunction with chef-sugar and Chef 11
v2.6.4 (2015-02-18)
- Reverting all chef_gem compile_time edits
v2.6.3 (2015-02-18)
- Fixing chef_gem with Chef::Resource::ChefGem.method_defined?(:compile_time)
v2.6.2 (2015-02-18)
- Fixing chef_gem for Chef below 12.1.0
v2.6.1 (2015-02-17)
- Being explicit about usage of the chef_gem's compile_time property.
- Eliminating future deprecation warnings in Chef 12.1.0.
v2.6.0 (2015-02-10)
- Convert to use aws-sdk instead of right_aws
v2.5.0 (2014-10-22)
- #60 Updates to CHANGELOG
- #85 Lots of testing harness goodness
- #89 Add a recipe to setup ec2 hints in ohai
- #74 README and CHANGELOG updates
- #65 Add a resource for enabling CloudWatch Detailed Monitoring
- #90 Add tests for aws_instance_monitoring
v2.4.0 (2014-08-07)
- #64 - force proxy off for metadata queries
v2.3.0 (2014-07-02)
- Added support for provisioning General Purpose (SSD) volumes (gp2)
v2.2.2 (2014-05-19)
- [COOK-4655] - Require ec2 gem
v2.2.0 (2014-04-23)
- [COOK-4500] Support IAM roles for ELB
v2.1.1 (2014-03-18)
- [COOK-4415] disk_existing_raid resource name inconsistency
v2.1.0 (2014-02-25)
Improvement
- COOK-4008 - Add name property for aws_elastic_ip LWRP
v2.0.0 (2014-02-19)
- [COOK-2755] Add allocate action to the elastic ip resource
- [COOK-2829] Expose AWS credentials for ebs_raid LWRP as parameters
- [COOK-2935]
- [COOK-4213] Use use_inline_resources
- [COOK-3467] Support IAM role
- [COOK-4344] Add support for mounting existing raids and reusing volume
- [COOK-3859] Add VPC support (allocation_id) to AWS elastic_ip LWRP, Joseph Smith
v1.0.0
Improvement
- [COOK-2829] - Expose AWS credentials for ebs_raid LWRP as parameters
- Changing attribute defaults begs a major version bump
v0.101.6
Bug
- COOK-3475 - Fix an issue where invoking action detach in the ebs_volume provider when the volume is already detached resulted in a failure
v0.101.4
Improvement
- COOK-3345 - Add aws_s3_file LWRP
- COOK-3264 - Allow specifying of file ownership for ebs_raid resource mount_point
Bug
- COOK-3308 - Ensure mdadm properly allocates the device number
v0.101.2
Bug
- [COOK-2951]: aws cookbook has foodcritic failures
Improvement
- [COOK-1471]: aws cookbook should mention the route53 cookbook
v0.101.0
Bug
- [COOK-1355]: AWS::ElasticIP recipe uses an old RightAWS API to associate an elastic ip address to an EC2 instance
- [COOK-2659]: volume_compatible_with_resource_definition fails on valid snapshot_id configurations
- [COOK-2670]: AWS cookbook doesn't use node[:aws][:databag_name], etc. in create_raid_disks
- [COOK-2693]: exclude AWS reserved tags from tag update
- [COOK-2914]: Foodcritic failures in Cookbooks
Improvement
- [COOK-2587]: Resource attribute for using most recent snapshot instead of earliest
- [COOK-2605]: "WARN: Missing gem 'right_aws'" always prints when including 'aws' in metadata
New Feature
- [COOK-2503]: add EBS raid volumes and provisioned IOPS support for AWS
v0.100.6
- [COOK-2148] - aws_ebs_volume attach action saves nil volume_id in node
v0.100.4
- Support why-run mode in LWRPs
- [COOK-1836] - make aws_elastic_lb idempotent
v0.100.2
- [COOK-1568] - switch to chef_gem resource
- [COOK-1426] - declare default actions for LWRPs
v0.100.0
- [COOK-1221] - convert node attribute accessors to strings
- [COOK-1195] - manipulate AWS resource tags (instances, volumes, snapshots)
- [COOK-627] - add aws_elb (elastic load balancer) LWRP
v0.99.1
- [COOK-530] - aws cookbook doesn't save attributes with chef 0.10.RC.0
- [COOK-600] - In AWS Cookbook specifying just the device doesn't work
- [COOK-601] - in aws cookbook :prune action keeps 1 less snapshot than snapshots_to_keep
- [COOK-610] - Create Snapshot action in aws cookbook should allow description attribute
- [COOK-819] - fix documentation bug in aws readme
- [COOK-829] - AWS cookbook does not work with most recent right_aws gem but no version is locked in the recipe
Collaborator Number Metric
8.4.1 passed this metric
Contributing File Metric
8.4.1 passed this metric
Foodcritic Metric
8.4.1 failed this metric
FC075: Cookbook uses node.save to save partial node data to the chef-server mid-run: aws/resources/ebs_volume.rb:51
FC075: Cookbook uses node.save to save partial node data to the chef-server mid-run: aws/resources/ebs_volume.rb:70
FC075: Cookbook uses node.save to save partial node data to the chef-server mid-run: aws/resources/ebs_volume.rb:97
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
8.4.1 passed this metric
Testing File Metric
8.4.1 passed this metric
Version Tag Metric
8.4.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number