Merge branch '22392-add-aws-cluster-provider' into 'master'

Add AWS cluster provider See merge request gitlab-org/gitlab!17057

Merge branch '22392-add-aws-cluster-provider' into 'master'
Add AWS cluster provider See merge request gitlab-org/gitlab!17057
d1068ca1 · Lin Jen-Shin · 587fb039 · 8568e729 · d1068ca1 · d1068ca1
Commit d1068ca1 authored Oct 16, 2019 by Lin Jen-Shin
19 changed files
--- a/app/models/aws/role.rb
+++ b/app/models/aws/role.rb
+# frozen_string_literal: true
+
+module Aws
+  class Role < ApplicationRecord
+    self.table_name = 'aws_roles'
+
+    belongs_to :user, inverse_of: :aws_role
+
+    validates :role_external_id, uniqueness: true, length: { in: 1..64 }
+    validates :role_arn,
+      length: 1..2048,
+      format: {
+        with: Gitlab::Regex.aws_arn_regex,
+        message: Gitlab::Regex.aws_arn_regex_message
+      }
+  end
+end
--- a/app/models/clusters/cluster.rb
+++ b/app/models/clusters/cluster.rb
@@ -35,6 +35,7 @@ module Clusters

    # we force autosave to happen when we save `Cluster` model
    has_one :provider_gcp, class_name: 'Clusters::Providers::Gcp', autosave: true
+    has_one :provider_aws, class_name: 'Clusters::Providers::Aws', autosave: true

    has_one :platform_kubernetes, class_name: 'Clusters::Platforms::Kubernetes', inverse_of: :cluster, autosave: true

@@ -96,14 +97,20 @@ module Clusters

    enum provider_type: {
      user: 0,
-      gcp: 1
+      gcp: 1,
+      aws: 2
    }

    scope :enabled, -> { where(enabled: true) }
    scope :disabled, -> { where(enabled: false) }
-    scope :user_provided, -> { where(provider_type: ::Clusters::Cluster.provider_types[:user]) }
-    scope :gcp_provided, -> { where(provider_type: ::Clusters::Cluster.provider_types[:gcp]) }
+
+    scope :user_provided, -> { where(provider_type: :user) }
+    scope :gcp_provided, -> { where(provider_type: :gcp) }
+    scope :aws_provided, -> { where(provider_type: :aws) }
+
    scope :gcp_installed, -> { gcp_provided.joins(:provider_gcp).merge(Clusters::Providers::Gcp.with_status(:created)) }
+    scope :aws_installed, -> { aws_provided.joins(:provider_aws).merge(Clusters::Providers::Aws.with_status(:created)) }
+
    scope :managed, -> { where(managed: true) }

    scope :default_environment, -> { where(environment_scope: DEFAULT_ENVIRONMENT) }
@@ -140,7 +147,11 @@ module Clusters
    end

    def provider
-      return provider_gcp if gcp?
+      if gcp?
+        provider_gcp
+      elsif aws?
+        provider_aws
+      end
    end

    def platform

--- a/app/models/clusters/concerns/provider_status.rb
+++ b/app/models/clusters/concerns/provider_status.rb
@@ -42,6 +42,10 @@ module Clusters
        def on_creation?
          scheduled? || creating?
        end
+
+        def assign_operation_id(_)
+          # Implemented by individual providers if operation ID is supported.
+        end
      end
    end
  end

--- a/app/models/clusters/providers/aws.rb
+++ b/app/models/clusters/providers/aws.rb
+# frozen_string_literal: true
+
+module Clusters
+  module Providers
+    class Aws < ApplicationRecord
+      include Clusters::Concerns::ProviderStatus
+
+      self.table_name = 'cluster_providers_aws'
+
+      belongs_to :cluster, inverse_of: :provider_aws, class_name: 'Clusters::Cluster'
+      belongs_to :created_by_user, class_name: 'User'
+
+      default_value_for :region, 'us-east-1'
+      default_value_for :num_nodes, 3
+      default_value_for :instance_type, 'm5.large'
+
+      attr_encrypted :secret_access_key,
+        mode: :per_attribute_iv,
+        key: Settings.attr_encrypted_db_key_base_truncated,
+        algorithm: 'aes-256-gcm'
+
+      validates :role_arn,
+        length: 1..2048,
+        format: {
+          with: Gitlab::Regex.aws_arn_regex,
+          message: Gitlab::Regex.aws_arn_regex_message
+        }
+
+      validates :num_nodes,
+        numericality: {
+          only_integer: true,
+          greater_than: 0
+        }
+
+      validates :key_name, :region, :instance_type, :security_group_id, length: { in: 1..255 }
+      validates :subnet_ids, presence: true
+
+      def nullify_credentials
+        assign_attributes(
+          access_key_id: nil,
+          secret_access_key: nil,
+          session_token: nil
+        )
+      end
+    end
+  end
+end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -99,6 +99,7 @@ class User < ApplicationRecord
  has_many :u2f_registrations, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
  has_many :chat_names, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
  has_one :user_synced_attributes_metadata, autosave: true
+  has_one :aws_role, class_name: 'Aws::Role'

  # Groups
  has_many :members

--- a/changelogs/unreleased/46686-add-aws-cluster-data-model.yml
+++ b/changelogs/unreleased/46686-add-aws-cluster-data-model.yml
+---
+title: Add database tables to store AWS roles and cluster providers
+merge_request: 17057
+author:
+type: added
--- a/db/migrate/20190821040941_create_cluster_providers_aws.rb
+++ b/db/migrate/20190821040941_create_cluster_providers_aws.rb
+# frozen_string_literal: true
+
+class CreateClusterProvidersAws < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  def change
+    create_table :cluster_providers_aws do |t|
+      t.references :cluster, null: false, type: :bigint, index: { unique: true }, foreign_key: { on_delete: :cascade }
+      t.references :created_by_user, type: :integer, foreign_key: { on_delete: :nullify, to_table: :users }
+
+      t.integer :num_nodes, null: false
+      t.integer :status, null: false
+
+      t.timestamps_with_timezone null: false
+
+      t.string :key_name, null: false, limit: 255
+      t.string :role_arn, null: false, limit: 2048
+      t.string :region, null: false, limit: 255
+      t.string :vpc_id, null: false, limit: 255
+      t.string :subnet_ids, null: false, array: true, default: [], limit: 255
+      t.string :security_group_id, null: false, limit: 255
+      t.string :instance_type, null: false, limit: 255
+
+      t.string :access_key_id, limit: 255
+      t.string :encrypted_secret_access_key_iv, limit: 255
+      t.text :encrypted_secret_access_key
+      t.text :session_token
+      t.text :status_reason
+
+      t.index [:cluster_id, :status]
+    end
+  end
+end
--- a/db/migrate/20191003064615_create_aws_roles.rb
+++ b/db/migrate/20191003064615_create_aws_roles.rb
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class CreateAwsRoles < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  def change
+    create_table :aws_roles, id: false do |t|
+      t.references :user, primary_key: true, default: nil, type: :integer, index: { unique: true }, foreign_key: { on_delete: :cascade }
+
+      t.timestamps_with_timezone null: false
+
+      t.string :role_arn, null: false, limit: 2048
+      t.string :role_external_id, null: false, limit: 64
+
+      t.index :role_external_id, unique: true
+    end
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -467,6 +467,15 @@ ActiveRecord::Schema.define(version: 2019_10_16_072826) do
    t.index ["user_id", "name"], name: "index_award_emoji_on_user_id_and_name"
  end

+  create_table "aws_roles", primary_key: "user_id", id: :integer, default: nil, force: :cascade do |t|
+    t.datetime_with_timezone "created_at", null: false
+    t.datetime_with_timezone "updated_at", null: false
+    t.string "role_arn", limit: 2048, null: false
+    t.string "role_external_id", limit: 64, null: false
+    t.index ["role_external_id"], name: "index_aws_roles_on_role_external_id", unique: true
+    t.index ["user_id"], name: "index_aws_roles_on_user_id", unique: true
+  end
+
  create_table "badges", id: :serial, force: :cascade do |t|
    t.string "link_url", null: false
    t.string "image_url", null: false
@@ -968,6 +977,30 @@ ActiveRecord::Schema.define(version: 2019_10_16_072826) do
    t.index ["project_id"], name: "index_cluster_projects_on_project_id"
  end

+  create_table "cluster_providers_aws", force: :cascade do |t|
+    t.bigint "cluster_id", null: false
+    t.integer "created_by_user_id"
+    t.integer "num_nodes", null: false
+    t.integer "status", null: false
+    t.datetime_with_timezone "created_at", null: false
+    t.datetime_with_timezone "updated_at", null: false
+    t.string "key_name", limit: 255, null: false
+    t.string "role_arn", limit: 2048, null: false
+    t.string "region", limit: 255, null: false
+    t.string "vpc_id", limit: 255, null: false
+    t.string "subnet_ids", limit: 255, default: [], null: false, array: true
+    t.string "security_group_id", limit: 255, null: false
+    t.string "instance_type", limit: 255, null: false
+    t.string "access_key_id", limit: 255
+    t.string "encrypted_secret_access_key_iv", limit: 255
+    t.text "encrypted_secret_access_key"
+    t.text "session_token"
+    t.text "status_reason"
+    t.index ["cluster_id", "status"], name: "index_cluster_providers_aws_on_cluster_id_and_status"
+    t.index ["cluster_id"], name: "index_cluster_providers_aws_on_cluster_id", unique: true
+    t.index ["created_by_user_id"], name: "index_cluster_providers_aws_on_created_by_user_id"
+  end
+
  create_table "cluster_providers_gcp", id: :serial, force: :cascade do |t|
    t.integer "cluster_id", null: false
    t.integer "status"
@@ -3933,6 +3966,7 @@ ActiveRecord::Schema.define(version: 2019_10_16_072826) do
  add_foreign_key "approval_project_rules_users", "users", on_delete: :cascade
  add_foreign_key "approvals", "merge_requests", name: "fk_310d714958", on_delete: :cascade
  add_foreign_key "approver_groups", "namespaces", column: "group_id", on_delete: :cascade
+  add_foreign_key "aws_roles", "users", on_delete: :cascade
  add_foreign_key "badges", "namespaces", column: "group_id", on_delete: :cascade
  add_foreign_key "badges", "projects", on_delete: :cascade
  add_foreign_key "board_assignees", "boards", on_delete: :cascade
@@ -3996,6 +4030,8 @@ ActiveRecord::Schema.define(version: 2019_10_16_072826) do
  add_foreign_key "cluster_platforms_kubernetes", "clusters", on_delete: :cascade
  add_foreign_key "cluster_projects", "clusters", on_delete: :cascade
  add_foreign_key "cluster_projects", "projects", on_delete: :cascade
+  add_foreign_key "cluster_providers_aws", "clusters", on_delete: :cascade
+  add_foreign_key "cluster_providers_aws", "users", column: "created_by_user_id", on_delete: :nullify
  add_foreign_key "cluster_providers_gcp", "clusters", on_delete: :cascade
  add_foreign_key "clusters", "projects", column: "management_project_id", name: "fk_f05c5e5a42", on_delete: :nullify
  add_foreign_key "clusters", "users", on_delete: :nullify

--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -119,6 +119,15 @@ module Gitlab
    def breakline_regex
      @breakline_regex ||= /\r\n|\r|\n/
    end
+
+    # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    def aws_arn_regex
+      /\Aarn:\S+\z/
+    end
+
+    def aws_arn_regex_message
+      "must be a valid Amazon Resource Name"
+    end
  end
 end


--- a/spec/db/schema_spec.rb
+++ b/spec/db/schema_spec.rb
@@ -19,6 +19,7 @@ describe 'Database schema' do
    approver_groups: %w[target_id],
    audit_events: %w[author_id entity_id],
    award_emoji: %w[awardable_id user_id],
+    aws_roles: %w[role_external_id],
    boards: %w[milestone_id],
    chat_names: %w[chat_id service_id team_id user_id],
    chat_teams: %w[team_id],
@@ -26,6 +27,7 @@ describe 'Database schema' do
    ci_pipelines: %w[user_id],
    ci_runner_projects: %w[runner_id],
    ci_trigger_requests: %w[commit_id],
+    cluster_providers_aws: %w[security_group_id vpc_id access_key_id],
    cluster_providers_gcp: %w[gcp_project_id operation_id],
    deploy_keys_projects: %w[deploy_key_id],
    deployments: %w[deployable_id environment_id user_id],

--- a/spec/factories/aws/roles.rb
+++ b/spec/factories/aws/roles.rb
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :aws_role, class: Aws::Role do
+    user
+
+    role_arn { 'arn:aws:iam::123456789012:role/role-name' }
+    sequence(:role_external_id) { |n| "external-id-#{n}" }
+  end
+end
--- a/spec/factories/clusters/clusters.rb
+++ b/spec/factories/clusters/clusters.rb
@@ -53,6 +53,14 @@ FactoryBot.define do
      platform_kubernetes factory: [:cluster_platform_kubernetes, :configured]
    end

+    trait :provided_by_aws do
+      provider_type { :aws }
+      platform_type { :kubernetes }
+
+      provider_aws factory: [:cluster_provider_aws, :created]
+      platform_kubernetes factory: [:cluster_platform_kubernetes, :configured]
+    end
+
    trait :providing_by_gcp do
      provider_type { :gcp }
      provider_gcp factory: [:cluster_provider_gcp, :creating]

--- a/spec/factories/clusters/providers/aws.rb
+++ b/spec/factories/clusters/providers/aws.rb
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :cluster_provider_aws, class: Clusters::Providers::Aws do
+    cluster
+    created_by_user factory: :user
+
+    role_arn { 'arn:aws:iam::123456789012:role/role-name' }
+    vpc_id { 'vpc-00000000000000000' }
+    subnet_ids { %w(subnet-00000000000000000 subnet-11111111111111111) }
+    security_group_id { 'sg-00000000000000000' }
+    key_name { 'user' }
+
+    trait :scheduled do
+      access_key_id { 'access_key_id' }
+      secret_access_key { 'secret_access_key' }
+      session_token { 'session_token' }
+    end
+
+    trait :creating do
+      after(:build) do |provider|
+        provider.make_creating
+      end
+    end
+
+    trait :created do
+      after(:build) do |provider|
+        provider.make_created
+      end
+    end
+
+    trait :errored do
+      after(:build) do |provider|
+        provider.make_errored('An error occurred')
+      end
+    end
+  end
+end
--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -64,4 +64,15 @@ describe Gitlab::Regex do
    it { is_expected.not_to match('.my/image') }
    it { is_expected.not_to match('my/image.') }
  end
+
+  describe '.aws_account_id_regex' do
+    subject { described_class.aws_arn_regex }
+
+    it { is_expected.to match('arn:aws:iam::123456789012:role/role-name') }
+    it { is_expected.to match('arn:aws:s3:::bucket/key') }
+    it { is_expected.to match('arn:aws:ec2:us-east-1:123456789012:volume/vol-1') }
+    it { is_expected.to match('arn:aws:rds:us-east-1:123456789012:pg:prod') }
+    it { is_expected.not_to match('123456789012') }
+    it { is_expected.not_to match('role/role-name') }
+  end
 end
--- a/spec/models/aws/role_spec.rb
+++ b/spec/models/aws/role_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Aws::Role do
+  it { is_expected.to belong_to(:user) }
+  it { is_expected.to validate_length_of(:role_external_id).is_at_least(1).is_at_most(64) }
+
+  describe 'custom validations' do
+    subject { role.valid? }
+
+    context ':role_arn' do
+      let(:role) { build(:aws_role, role_arn: role_arn) }
+
+      context 'length is zero' do
+        let(:role_arn) { '' }
+
+        it { is_expected.to be_falsey }
+      end
+
+      context 'length is longer than 2048' do
+        let(:role_arn) { '1' * 2049 }
+
+        it { is_expected.to be_falsey }
+      end
+
+      context 'ARN is valid' do
+        let(:role_arn) { 'arn:aws:iam::123456789012:role/test-role' }
+
+        it { is_expected.to be_truthy }
+      end
+    end
+  end
+end
--- a/spec/models/clusters/cluster_spec.rb
+++ b/spec/models/clusters/cluster_spec.rb
@@ -17,6 +17,7 @@ describe Clusters::Cluster, :use_clean_rails_memory_store_caching do
  it { is_expected.to have_many(:cluster_groups) }
  it { is_expected.to have_many(:groups) }
  it { is_expected.to have_one(:provider_gcp) }
+  it { is_expected.to have_one(:provider_aws) }
  it { is_expected.to have_one(:platform_kubernetes) }
  it { is_expected.to have_one(:application_helm) }
  it { is_expected.to have_one(:application_ingress) }
@@ -108,6 +109,31 @@ describe Clusters::Cluster, :use_clean_rails_memory_store_caching do
    it { is_expected.to contain_exactly(cluster) }
  end

+  describe '.aws_provided' do
+    subject { described_class.aws_provided }
+
+    let!(:cluster) { create(:cluster, :provided_by_aws) }
+
+    before do
+      create(:cluster, :provided_by_user)
+    end
+
+    it { is_expected.to contain_exactly(cluster) }
+  end
+
+  describe '.aws_installed' do
+    subject { described_class.aws_installed }
+
+    let!(:cluster) { create(:cluster, :provided_by_aws) }
+
+    before do
+      errored_cluster = create(:cluster, :provided_by_aws)
+      errored_cluster.provider.make_errored!("Error message")
+    end
+
+    it { is_expected.to contain_exactly(cluster) }
+  end
+
  describe '.managed' do
    subject do
      described_class.managed
@@ -398,7 +424,14 @@ describe Clusters::Cluster, :use_clean_rails_memory_store_caching do

      it 'returns a provider' do
        is_expected.to eq(cluster.provider_gcp)
-        expect(subject.class.name.deconstantize).to eq(Clusters::Providers.to_s)
+      end
+    end
+
+    context 'when provider is aws' do
+      let(:cluster) { create(:cluster, :provided_by_aws) }
+
+      it 'returns a provider' do
+        is_expected.to eq(cluster.provider_aws)
      end
    end


--- a/spec/models/clusters/providers/aws_spec.rb
+++ b/spec/models/clusters/providers/aws_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Providers::Aws do
+  it { is_expected.to belong_to(:cluster) }
+  it { is_expected.to belong_to(:created_by_user) }
+
+  it { is_expected.to validate_length_of(:key_name).is_at_least(1).is_at_most(255) }
+  it { is_expected.to validate_length_of(:region).is_at_least(1).is_at_most(255) }
+  it { is_expected.to validate_length_of(:instance_type).is_at_least(1).is_at_most(255) }
+  it { is_expected.to validate_length_of(:security_group_id).is_at_least(1).is_at_most(255) }
+  it { is_expected.to validate_presence_of(:subnet_ids) }
+
+  include_examples 'provider status', :cluster_provider_aws
+
+  describe 'default_value_for' do
+    let(:provider) { build(:cluster_provider_aws) }
+
+    it "sets default values" do
+      expect(provider.region).to eq('us-east-1')
+      expect(provider.num_nodes).to eq(3)
+      expect(provider.instance_type).to eq('m5.large')
+    end
+  end
+
+  describe 'custom validations' do
+    subject { provider.valid? }
+
+    context ':num_nodes' do
+      let(:provider) { build(:cluster_provider_aws, num_nodes: num_nodes) }
+
+      context 'contains non-digit characters' do
+        let(:num_nodes) { 'A3' }
+
+        it { is_expected.to be_falsey }
+      end
+
+      context 'is blank' do
+        let(:num_nodes) { nil }
+
+        it { is_expected.to be_falsey }
+      end
+
+      context 'is less than 1' do
+        let(:num_nodes) { 0 }
+
+        it { is_expected.to be_falsey }
+      end
+
+      context 'is a positive integer' do
+        let(:num_nodes) { 3 }
+
+        it { is_expected.to be_truthy }
+      end
+    end
+  end
+
+  describe '#nullify_credentials' do
+    let(:provider) { create(:cluster_provider_aws, :scheduled) }
+
+    subject { provider.nullify_credentials }
+
+    before do
+      expect(provider.access_key_id).to be_present
+      expect(provider.secret_access_key).to be_present
+    end
+
+    it 'removes access_key_id and secret_access_key' do
+      subject
+
+      expect(provider.access_key_id).to be_nil
+      expect(provider.secret_access_key).to be_nil
+    end
+  end
+end
--- a/spec/support/shared_examples/models/clusters/providers/provider_status.rb
+++ b/spec/support/shared_examples/models/clusters/providers/provider_status.rb
@@ -17,7 +17,7 @@ shared_examples 'provider status' do |factory|
      let(:provider) { build(factory) }
      let(:operation_id) { 'operation-xxx' }

-      it 'calls #operation_id on the provider' do
+      it 'calls #assign_operation_id on the provider' do
        expect(provider).to receive(:assign_operation_id).with(operation_id).and_call_original

        provider.make_creating(operation_id)