Re-integrate work from 20181205 demo to master

.gitignore

@@ -1,3 +1,5 @@
+*.ini
+*.pyc
 *.retry
 *.tmp
 *~
@@ -7,4 +9,7 @@
 /terraform/.terraform*
 /terraform/terraform.tfstate*
 /terraform/tf.plan
+__pycache__
 build/
+jmeter.log
+venv/

Dockerfile

@@ -0,0 +1,22 @@
+
+FROM centos:latest AS infra-demo
+
+# setup rpm repos, install base packages and create virtual env in a single step
+RUN	yum install -y https://centos7.iuscommunity.org/ius-release.rpm \
+	&& yum update  -y \
+	&& yum install -y \
+		python36u python36u-libs python36u-devel \
+		python36u-pip uwsgi-plugin-python36u uwsgi \
+		gcc make glibc-devel kernel-headers \
+		pcre pcre-devel pcre2 pcre2-devel \
+		postgresql-devel \
+	&& yum clean all \
+	&& mkdir /app \
+	&& python3.6 -m venv --copies --clear /app/venv
+
+# Copy in your requirements file
+ADD src/requirements.txt /app/requirements.txt
+
+# setup python packages
+RUN /app/venv/bin/pip install -U pip \
+	&& /bin/sh -c "/app/venv/bin/pip install --no-cache-dir -r /app/requirements.txt"

Jenkinsfile

@@ -5,7 +5,7 @@
  * Use the Scripted style of Jenkinsfile in order to
  * write more Groovy functions and use variables to
  * control the workflow.
- */ 
+ */
 
 import java.util.Random
 
@@ -18,7 +18,7 @@ def get_captcha(Long hash_const) {
     Random rand = new Random()
     def op1 = rand.nextInt(MAX+1)
     def op2 = rand.nextInt(MAX+1) + MAX
-    def op3 = rand.nextInt(MAX+1) 
+    def op3 = rand.nextInt(MAX+1)
     def captcha_problem = "CAPTCHA problem: What is the answer to this problem: ${op1} + ${op2} - ${op3}"
     Long captcha_answer = op1 + op2 - op3
     Long captcha_hash = captcha_answer ^ hash_const
@@ -46,58 +46,81 @@ final Long XOR_CONST = 3735928559 // 0xdeadbeef
 properties([
     parameters([
         booleanParam(
-            name: 'Run_Packer', 
-            defaultValue: false, 
+            name: 'Run_Packer',
+            defaultValue: false,
             description: 'Run Packer for this build?'
         ),
         booleanParam(
-            name: 'Apply_Terraform', 
-            defaultValue: false, 
+            name: 'Apply_Terraform',
+            defaultValue: false,
             description: 'Apply Terraform plan on this build?'
         ),
         booleanParam(
-            name: 'Destroy_Terraform', 
-            defaultValue: false, 
+            name: 'Destroy_Terraform',
+            defaultValue: false,
             description: 'Destroy Terraform resources?'
         ),
+        string(
+            name: 'Terraform_Targets',
+            defaultValue: '',
+            description: '''Specific Terraform resource or resource names to target
+                            (Use this to modify or delete less than the full set of resources'''
+        ),
+        text(
+            name: 'Extra_Variables',
+            defaultValue: '',
+            description: '''Terraform Variables to define for this run.
+                            Allows you to override declared variables.
+                            Put one variable per line, in JSON or HCL like this:
+                            associate_public_ip_address = "true"'''
+        ),
         booleanParam(
-            name: 'Rotate_Servers', 
-            defaultValue: false, 
+            name: 'Rotate_Servers',
+            defaultValue: false,
             description: """Rotate server instances in Auto Scaling Group?
                             You should do this if you changed ASG size or baked a new AMI.
-                         """
+                        """
+        ),
+        booleanParam(
+            name: 'Run_JMeter',
+            defaultValue: false,
+            description: "Execute a JMeter load test against the stack"
+        ),
+        string(
+            name: 'JMETER_threads',
+            defaultValue: '2',
+            description: """number of jmeter threads. Resulting ASG stable sizes for t2.large instances are:
+            - 2 threads, 3 instances;
+            - 4 threads, 7 instances;
+            """
+        ),
+        string(
+            name: 'JMETER_ramp_duration',
+            defaultValue: '900',
+            description: 'period in seconds of ramp-up time.'
+        ),
+        string(
+            name: 'JMETER_duration',
+            defaultValue: '1800',
+            description: 'time in seconds to the whole Jmeter test'
         ),
         string(
-            name: 'CAPTCHA_Guess', 
-            defaultValue: '', 
+            name: 'CAPTCHA_Guess',
+            defaultValue: '',
             description: captcha_problem
         ),
         string(
             name: 'CAPTCHA_Hash',
             defaultValue: captcha_hash,
             description: 'Hash for CAPTCHA answer (DO NOT modify)'
         ),
-        string(
-            name: 'Terraform_Targets',
-            defaultValue: '',
-            description: '''Specific Terraform resource or resource names to target
-                            (Use this to modify or delete less than the full set of resources'''
-        ),
-        text(
-            name: 'Extra_Variables', 
-            defaultValue: '', 
-            description: '''Terraform Variables to define for this run. 
-                            Allows you to override declared variables.
-                            Put one variable per line, in JSON or HCL like this:
-                            associate_public_ip_address = "true"'''
-        ), 
     ])
 ])
 
 stage('Preflight') {
-       
+
     // Check CAPTCHA
-    def should_validate_captcha = params.Run_Packer || params.Apply_Terraform || params.Destroy_Terraform
+    def should_validate_captcha = params.Run_Packer || params.Apply_Terraform || params.Destroy_Terraform || params.Run_JMeter
 
     if (should_validate_captcha) {
         if (params.CAPTCHA_Guess == null || params.CAPTCHA_Guess == "") {
@@ -155,6 +178,15 @@ if (params.Run_Packer) {
     }
 }
 
+stage('Build CodeDeploy Archive') {
+    node {
+        unstash 'src'
+        wrap.call({
+            sh ("./codedeploy/bin/build.sh")
+        })
+    }
+}
+
 def terraform_prompt = 'Should we apply the Terraform plan?'
 
 
@@ -200,11 +232,25 @@ if (params.Rotate_Servers) {
     stage('Rotate Servers') {
         node {
             unstash 'src'
-            ansiColor('xterm') {
-                prepEnv()
+            wrap.call({
                 sh ("./bin/rotate-asg.sh infra-demo-asg")
-            }
+            })
         }
     }
 }
 
+if (params.Run_JMeter) {
+    stage('Run JMeter') {
+        node {
+            unstash 'src'
+            wrap.call({
+                sh ("""
+                    HOST=\$(./bin/terraform.sh output route53-dns)
+                    ./bin/jmeter.sh -Jthreads=${params.JMETER_threads} -Jramp_duration=${params.JMETER_ramp_duration} -Jduration=${params.JMETER_duration} -Jhost=\$HOST
+                    ls -l build
+                    """)
+                archiveArtifacts artifacts: 'build/*.jtl, build/*.xml, build/*.csv, build/*.html', fingerprint: true
+            })
+        }
+    }
+}

README.md

@@ -63,17 +63,9 @@ In order to make developing the Ansible playbooks faster, a Vagrantfile is provi
 
 Install [Vagrant](https://www.vagrantup.com/). Change directory into the root of the repository at the command line and issue the command `vagrant up`. You can add or edit Ansible playbooks and support scripts then re-run the provisioning with `vagrant provision` to refine the remediations. This is more efficient that re-running packer and baking new AMIs for every change.
 
-### Jenkins
-
-A `Jenkinsfile` is provided that will allow Jenkins to execute Packer and Terraform. In order for Jenkins to do this, it needs to have AWS credentials set up, preferably through an IAM role, granting full control of EC2 and VPC resources in that account. Packer needs this in order to create AMIs, key pairs, etc, and Terraform needs this to create a VPC and EC2 resources. This could be pared down further through some careful logging and role work.
-
-The scripts here assume that Jenkins is running on EC2 and uses instance data from the Jenkins executor to infer what VPC and subnet to launch the new EC2 instance into.  The AWS profile IAM user associated with your Jenkins instance or the Jenkins user's AWS credentials should have full control of EC2 in the account you are using.
-
-This script relies on Jenkins having a secret file containing the Google application credentials in JSON with the id "terraform-demo.json". You will need to add that to your Jenkins server's credentials.
-
 ### Terraform
 
-This Terraform setup stores its state in Amazon S3 and uses DynamoDB for locking. There is a bit of setup required to bootstrap that configuration. Yu can use [this repository](https://github.com/monterail/terraform-bootstrap-example) to use Terraform to do that bootstrap process. The `backend.tfvars` file in that repo should be modified as follows to work with this project:
+This Terraform setup stores its state in Amazon S3 and uses DynamoDB for locking. There is a bit of setup required to bootstrap that configuration. You can use [this repository](https://github.com/monterail/terraform-bootstrap-example) to use Terraform to do that bootstrap process. The `backend.tfvars` file in that repo should be modified as follows to work with this project:
 
 (Replace us-east-1 and XXXXXXXXXXXX with the AWS region and your account ID)
 ```
@@ -97,10 +89,34 @@ These commands will then set up cloud resources using terraform:
     # check to see if everything worked - use the same variables here as above
     terraform destroy -var 'domain=example.net'
 
+Alternatively, use the wrapper script in `bin/terraform.sh` which will work interactively or from CI:
+
+   bin/terraform.sh plan
+   bin/terraform.sh apply
+   bin/terraform.sh plan-destroy
+   bin/terraform.sh destroy
+
 This assumes that you already have a Route 53 domain in your AWS account created.
 You need to either edit variables.tf to match your domain and AWS zone or specify these values as command line `var` parameters.
 
-The application loads an image from Google storage. To get it loading correctly, look in the X file and replace `example-media-website-storage.storage.googleapis.com` with a DNS reference for your Google storage location.
+The application loads an image from Google storage. To get it loading correctly, edit the `application/assets/css/main.css` file and replace `example-media-website-storage.storage.googleapis.com` with a DNS reference for your Google storage location.
+
+### CodeDeploy
+
+The application enclosed in this demo is packaged and deployed using [AWS CodeDeploy](https://aws.amazon.com/codedeploy/). The script `codedeploy/bin/build.sh` will package the application so that it can be deployed on the AMI built with Ansible and Packer.
+
+The application contains both a simple HTML web site, and a Python app that has an API endpoint of `/api/spin` that spins the CPU of the server, in order to more easily test CPU-sensing auto scaling scale-out operations.
+
+### JMeter
+
+A JMeter test harness that will allow testing of a the application 
+### Jenkins
+
+A `Jenkinsfile` is provided that will allow Jenkins to execute Packer and Terraform, package a CodeDeploy application, and even run JMeter performance tests. In order for Jenkins to do this, it needs to have AWS credentials set up, preferably through an IAM role, granting full control of EC2 and VPC resources in that account, and write access to the S3 bucket used for storing CodeDeploy applications. Packer needs this in order to create AMIs, key pairs, etc, Terraform needs this to create a VPC and EC2 resources, and CodeDeploy needs this to store the artifact it creates. This could be pared down further through some careful logging and role work.
+
+The scripts here assume that Jenkins is running on EC2 and uses instance data from the Jenkins executor to infer what VPC and subnet to launch the new EC2 instance into.  The AWS profile IAM user associated with your Jenkins instance or the Jenkins user's AWS credentials should have full control of EC2 in the account you are using.
+
+This script relies on Jenkins having a secret file containing the Google application credentials in JSON with the id "terraform-demo.json". You will need to add that to your Jenkins server's credentials.
 
 # Modus Create
 

Vagrantfile

@@ -2,6 +2,6 @@ Vagrant.configure("2") do |config|
   config.vm.box = "bento/centos-7.5"
   config.vm.synced_folder ".", "/app"
   config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh"
-  config.vm.provision "shell", inline: "ansible-playbook  -l localhost /app/ansible/local.yml", upload_path: "/home/vagrant/apl.sh"
+  config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook  -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
   config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end

ansible/app-AfterInstall.yml

@@ -0,0 +1,15 @@
+---
+# Use ansible to install the codedeploy agent at boot time through cloudinit
+
+# Because AWS updates the CodeDeploy agent somewhat frequently, baking it into
+# the image is an antipattern. It can cause instances to fail to register with
+# a CodeDeploy deployment group if the version of CodeDeploy is too old.
+
+# Thanks https://www.tricksofthetrades.net/2017/10/02/ansible-local-playbooks/ for
+# the trick on installing locally using "hosts: 127.0.0.1" and "connection:local"
+- name: Perform CodeDeploy AfterInstall hook
+  hosts: 127.0.0.1
+  connection: local
+  become: yes
+  roles:
+    - app-AfterInstall

ansible/app-StartServer.yml

@@ -0,0 +1,10 @@
+---
+
+# Thanks https://www.tricksofthetrades.net/2017/10/02/ansible-local-playbooks/ for
+# the trick on installing locally using "hosts: 127.0.0.1" and "connection:local"
+- name: Perform CodeDeploy StartServer hook
+  hosts: 127.0.0.1
+  connection: local
+  become: yes
+  roles:
+    - app-StartServer

ansible/local.yml → ansible/bakery.yml

@@ -10,12 +10,13 @@
   roles:
     - nginxinc.nginx
     - prepare-web-content
+    - prepare-codedeploy
 
 - name: Harden Server
   hosts: 127.0.0.1
   connection: local
   become: yes
   roles:
     - extra-cis-remediation
-    - MindPointGroup.RHEL7-CIS
+    #- MindPointGroup.RHEL7-CIS
     - scan-openscap

ansible/cloudinit.yml

@@ -0,0 +1,15 @@
+---
+# Use ansible to install the codedeploy agent at boot time through cloudinit
+
+# Because AWS updates the CodeDeploy agent somewhat frequently, baking it into
+# the image is an antipattern. It can cause instances to fail to register with
+# a CodeDeploy deployment group if the version of CodeDeploy is too old.
+
+# Thanks https://www.tricksofthetrades.net/2017/10/02/ansible-local-playbooks/ for
+# the trick on installing locally using "hosts: 127.0.0.1" and "connection:local"
+- name: Install CodeDeploy agent
+  hosts: 127.0.0.1
+  connection: local
+  become: yes
+  roles:
+    - ansible-aws-codedeploy-agent

ansible/codedeploy.yml

@@ -0,0 +1,15 @@
+---
+# Use ansible to install the codedeploy agent at boot time through cloudinit
+
+# Because AWS updates the CodeDeploy agent somewhat frequently, baking it into
+# the image is an antipattern. It can cause instances to fail to register with
+# a CodeDeploy deployment group if the version of CodeDeploy is too old.
+
+# Thanks https://www.tricksofthetrades.net/2017/10/02/ansible-local-playbooks/ for
+# the trick on installing locally using "hosts: 127.0.0.1" and "connection:local"
+- name: Install CodeDeploy agent
+  hosts: 127.0.0.1
+  connection: local
+  become: yes
+  roles:
+    - ansible-aws-codedeploy-agent

ansible/requirements.yml

@@ -6,3 +6,12 @@
 # NGINX web server
 - src: nginxinc.nginx
 
+# AWS CodeDeploy agent
+# The original version of this role in Ansible Galaxy
+# is telus/ansible-aws-codedeploy-agent
+#
+# It has not been updated for Ansible 2.7            :(
+# However CareerBuilder's fork of it works with 2.7  :)
+# And the ModusCreateOrg fork has been fixed to avoid running stuff from /tmp
+- src: https://github.com/ModusCreateOrg/ansible-aws-codedeploy-agent
+