Deprecate aws-vault, aws-okta, warn about M1 chip (#727)

cloudposse · Aug 25, 2021 · fb64a1d · fb64a1d
1 parent 47f0970
commit fb64a1d
Show file tree

Hide file tree

Showing 25 changed files with 294 additions and 176 deletions.
diff --git a/Dockerfile.custom b/Dockerfile.custom
@@ -0,0 +1,67 @@
+#
+# This is an example of a Dockerfile that customizes Geodesic
+# for a customer using the Cloud Posse Reference Architecture.
+# Use it as a basis for your own customizations.
+#
+# Note that the version numbers in this file are not maintained,
+# you will want to update them to current versions when you start
+# and then have a plan for regularly updating them as you go along.
+#
+
+# We always recommend pinning versions where changes are likely to break things.
+# We put the versions up top here so they are easy to find and update.
+ARG VERSION=0.147.0
+# Changing base OS for Geodesic is possible by changing this arg, but
+# unfortunately, the package managers are different, so it is not that simple.
+ARG OS=debian
+
+FROM cloudposse/geodesic:$VERSION-$OS
+
+ENV DOCKER_IMAGE="examplecorp/infrastructure"
+ENV DOCKER_TAG="latest"
+
+# Geodesic banner message
+ENV BANNER="Example Corp"
+# The project "Namespace" used in AWS identifiers and elsewhere
+# to ensure globally unique names are generated.
+ENV NAMESPACE="xamp"
+
+# Default AWS_PROFILE
+ENV AWS_PROFILE="xamp-gbl-identity-admin"
+ENV ASSUME_ROLE_INTERACTIVE_QUERY="xamp-gbl-"
+# Enable advanced AWS assume role chaining for tools using AWS SDK
+# https://docs.aws.amazon.com/sdk-for-go/api/aws/session/
+ENV AWS_SDK_LOAD_CONFIG=1
+# Region abbreviation types are "fixed" (always 3 chars), "short" (4-5 chars), or "long" (the full AWS string)
+# See https://github.com/cloudposse/terraform-aws-utils#introduction
+ENV AWS_REGION_ABBREVIATION_TYPE=fixed
+ENV AWS_DEFAULT_REGION=us-west-2
+ENV AWS_DEFAULT_SHORT_REGION=uw2
+
+# Install specific versions of Terraform.
+# We patch specific patch versions because Terraform will not operate
+# on Terraform "states" that have been touched by later versions.
+ARG TF_014_VERSION=0.14.10
+ARG TF_015_VERSION=0.15.4
+ARG TF_1_VERSION=1.0.4
+RUN apt-get update && apt-get install -y -u \
+  terraform-0.14="${TF_014_VERSION}-*" terraform-0.15="${TF_015_VERSION}-*" \
+  terraform-1="${TF_1_VERSION}-*"
+# Set Terraform 0.14.x as the default `terraform`. You can still use
+# version 0.15.x by calling `terraform-0.15` or version 1.x as terraform-1
+RUN update-alternatives --set terraform /usr/share/terraform/0.14/bin/terraform
+
+# Pin kubectl minor version (must be within 1 minor version of cluster version)
+# Note, however, that due to Docker layer caching and the structure of this
+# particular Dockerfile, the patch version will not automatically update
+# until you change the minor version or change the base Geodesic version.
+# If you want, you can pin the patch level so you can update it when desired.
+ARG KUBECTL_VERSION=1.20
+RUN apt-get update && apt-get install kubectl-${KUBECTL_VERSION}
+
+# Install Atmos CLI (https://github.com/cloudposse/atmos)
+RUN apt-get install atmos
+
+COPY rootfs/ /
+
+WORKDIR /
diff --git a/Dockerfile.options b/Dockerfile.options
@@ -12,6 +12,10 @@ ENV LESS=R
 # Our older Geodesic configurations relied on `direnv`, which we no longer recommend,
 # preferring YAML configuration files instead.
 ENV DIRENV_ENABLED=true
+# When using DIRENV with Terraform, you can enable special prompt support
+ENV GEODESIC_TERRAFORM_WORKSPACE_PROMPT_ENABLED=true
+ENV GEODESIC_TF_PROMPT_ACTIVE=true
+
 # Our older Geodesic configuration uses multiple Makefiles, like Makefile.tasks
 # and depends on this setting, however this setting is set by default by `direnv`
 # due to rootfs/conf/.envrc, but `direnv` is now disabled by default, too.
@@ -21,21 +25,6 @@ ENV DIRENV_ENABLED=true
 # `make` outside of this directory tree.
 ENV MAKE_INCLUDES="Makefile Makefile.*"
 
-#
-# Configure aws-okta to easily assume roles
-#
-ENV AWS_OKTA_ENABLED=true
-
-#
-# Configure aws-vault to easily assume roles (not related to HashiCorp Vault)
-#
-ENV AWS_VAULT_ENABLED=true
-ENV AWS_VAULT_SERVER_ENABLED=true
-ENV AWS_VAULT_BACKEND=file
-ENV AWS_VAULT_ASSUME_ROLE_TTL=1h
-ENV AWS_VAULT_SESSION_TTL=12h
-#ENV AWS_VAULT_FILE_PASSPHRASE=
-
 
 ####################################################################################
 # kops support

diff --git a/Makefile.custom b/Makefile.custom
@@ -0,0 +1,58 @@
+# If you want to customize Geodesic (and we fully support that),
+# use this file as the basis for your own Makefile.
+# Modify the variable settings to create your own version of Geodesic
+# with your own Docker image name and app name.
+#
+# The `make` variables build up to $(DOCKER_IMAGE):$(DOCKER_TAG) being
+# what you would use for `docker run` and `docker push`.
+# You probably want to use either `latest` or `dev` for DOCKER_TAG
+# unless you have a build system that can keep track of version numbers.
+#
+# `make install` will install a script to launch your customized Geodesic
+# with lots of nice things set up for you. APP_NAME is what to call
+# the script. We recommend NOT calling it "geodesic" so you do not
+# get it confused with the standard Geodesic image published by Cloud Posse.
+#
+# After your first `make install`, you can run your customized Geodesic
+# by just the app name you set, and you can update it by just running
+# `make build`.
+
+
+export APP_NAME = what-you-want-to-type-to-run-your-image
+export DOCKER_ORG ?= your-dockerhub-org-name
+export DOCKER_IMAGE ?= $(DOCKER_ORG)/your-desired-docker-image-name
+export DOCKER_TAG ?= latest
+export DOCKER_IMAGE_NAME ?= $(DOCKER_IMAGE):$(DOCKER_TAG)
+GEODESIC_INSTALL_PATH ?= /usr/local/bin
+export INSTALL_PATH ?= $(GEODESIC_INSTALL_PATH)
+export SCRIPT = $(INSTALL_PATH)/$(APP_NAME)
+
+-include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)
+
+## Initialize build-harness, install deps, build docker container, install wrapper script and run shell
+all: init deps build install run
+	@exit 0
+
+## Install dependencies (if any)
+deps:
+	@exit 0
+
+## Build docker image
+build:
+	@make --no-print-directory docker/build
+
+## Push docker image to registry
+push:
+	docker push $(DOCKER_IMAGE)
+
+## Install wrapper script from geodesic container
+install:
+	@docker run --rm $(DOCKER_IMAGE_NAME) | bash -s $(DOCKER_TAG) || (echo "Try: sudo make install"; exit 1)
+
+## Start the geodesic shell by calling wrapper script
+run:
+	$(SCRIPT)
+
+## Rebuild README for all Terraform components
+rebuild-docs: packages/install/terraform-docs
+	@pre-commit run --all-files terraform_docs
diff --git a/README.md b/README.md
@@ -97,10 +97,16 @@ so that we may eventually make it the preferred version, after which point the `
 will maintain the `latest-alpine` and `latest-debian` Docker tags for those who want to commit to using one base OS or
 the other but still want automatic updates.
 
-Want to learn more? [Check out our getting started with Geodesic guide!](https://docs.cloudposse.com/tutorials/geodesic-getting-started/)
-
-
+**Note**: Geodesic is a large collection of tools. As such, support for the Apple M1 chip is not under
+Cloud Posse's control, rather it depends on each tool author updating each tool for the M1 chip.
+All of the compiled tools that Cloud Posse has authored and are included in Geodesic are compiled
+for M1 (`darwin_arm64`), and of course all of the scripts work on M1 if the interpreters (e.g.
+`bash`, `python`) are compiled for M1. Unfortunatetly, this is only a small portion of the overall
+toolkit that is assembled in Geodesic. Therefore we do not advise using Geodesic on the M1 at this time
+and do not anticipate M1 will be well supported before 2022. Historically, widespread support for a new
+chip takes several years to establish; we hope we will not have to wait that long.
 
+Want to learn more? [Check out our getting started with Geodesic guide!](https://docs.cloudposse.com/tutorials/geodesic-getting-started/)
 
 ## Usage
 
@@ -115,8 +121,7 @@ ARG OS=debian
 FROM cloudposse/geodesic:$VERSION-$OS
 
 # Add configuration options such as setting a custom BANNER,
-# turning on built-in support for aws-vault or aws-okta,
-# setting kops configuration parameters, etc. here
+# setting the initial AWS_PROFILE and AWS_DEFAULT_REGION, etc. here
 
 ENV BANNER="my-custom-geodesic"
 ```

diff --git a/README.yaml b/README.yaml
@@ -78,6 +78,15 @@ introduction: |-
   will maintain the `latest-alpine` and `latest-debian` Docker tags for those who want to commit to using one base OS or
   the other but still want automatic updates.
   
+  **Note**: Geodesic is a large collection of tools. As such, support for the Apple M1 chip is not under
+  Cloud Posse's control, rather it depends on each tool author updating each tool for the M1 chip.
+  All of the compiled tools that Cloud Posse has authored and are included in Geodesic are compiled
+  for M1 (`darwin_arm64`), and of course all of the scripts work on M1 if the interpreters (e.g.
+  `bash`, `python`) are compiled for M1. Unfortunatetly, this is only a small portion of the overall
+  toolkit that is assembled in Geodesic. Therefore we do not advise using Geodesic on the M1 at this time
+  and do not anticipate M1 will be well supported before 2022. Historically, widespread support for a new
+  chip takes several years to establish; we hope we will not have to wait that long.
+  
   Want to learn more? [Check out our getting started with Geodesic guide!](https://docs.cloudposse.com/tutorials/geodesic-getting-started/)
 
 usage: |-
@@ -90,8 +99,7 @@ usage: |-
   FROM cloudposse/geodesic:$VERSION-$OS
 
   # Add configuration options such as setting a custom BANNER,
-  # turning on built-in support for aws-vault or aws-okta,
-  # setting kops configuration parameters, etc. here
+  # setting the initial AWS_PROFILE and AWS_DEFAULT_REGION, etc. here
 
   ENV BANNER="my-custom-geodesic"
   ```

diff --git a/docs/about.md b/docs/about.md
@@ -11,7 +11,6 @@ about - About the Geodesic Cloud Automation Shell
 
 ## FEATURES
 
-* **Secure** - TLS/PKI, OAuth2, MFA Everywhere, remote access VPN, [ultra secure bastion/jumphost](https://github.com/cloudposse/bastion) with audit capabilities and slack notifications, [IAM assumed roles](https://github.com/99designs/aws-vault/), automatic key rotation, encryption at rest, and VPCs
 * **Repeatable** - 100% Infrastructure-as-Code with change automation and support for scriptable admin tasks in any language, including Terraform
 * **Extensible** - A framework where everything can be extended to work the way you want to
 * **Comprehensive** - our [helm charts library](https://github.com/cloudposse/charts) are designed to tightly integrate your cloud-platform with Github Teams and Slack Notifications and CI/CD systems like TravisCI, CircleCI or Jenkins
@@ -21,14 +20,10 @@ about - About the Geodesic Cloud Automation Shell
 
 At its core, Geodesic is a framework for provisioning cloud infrastructure and the applications that sit on top of it. We leverage as many existing tools as possible to facilitate cloud fabrication and administration. We're like the connective tissue that sits between all of the components of a modern cloud.
 
-* [`atlantis`](https://www.runatlantis.io/) - GitOps style operations by Pull Request. Ideal for terraform, helm and helmfile.
-* [`aws-vault`](https://github.com/99designs/aws-vault) for securely storing and accessing AWS credentials in an encrypted vault for the purpose of assuming IAM roles
 * [`aws-cli`](https://github.com/aws/aws-cli/) for interacting directly with the AWS APIs
 * [`chamber`](https://github.com/segmentio/chamber) for managing secrets with AWS SSM+KMS and exposing them as environment variables
-* [`direnv`](https://direnv.net) for managing environment variables per project or globally
 * [`helm`](https://github.com/kubernetes/helm/) for installing packages like Varnish or Apache on the Kubernetes cluster
 * [`helmfile`](https://github.com/roboll/helmfile) for 12-factorizing chart values and installing chart collections
-* [`kops`](https://github.com/kubernetes/kops/) for Kubernetes cluster orchestration
 * [`kubectl`](https://kubernetes.io/docs/user-guide/kubectl-overview/) for controlling kubernetes resources like deployments or load balancers
 * [`gcloud`, `gsutil`](https://cloud.google.com/sdk/) for integration with Google Cloud (e.g. GKE, GCE, Google Storage)
 * [`gomplate`](https://github.com/hairyhenderson/gomplate/) for template rendering configuration files using the GoLang template engine. Supports lots of local and remote datasources

diff --git a/docs/assume_active_aws_role.md b/docs/assume_active_aws_role.md
@@ -7,10 +7,13 @@ date: May 2019
 
 ## NAME
 
-`assume_active_aws_role` - assume a role provided by the `aws-vault` server
+_(Deprecated)_ `assume_active_aws_role` - assume a role provided by the `aws-vault` server
 
 ## SYNOPSIS
 
+_Note: Support for `aws-vault`, including `assume_active_aws_role` has been discontinued.
+Cloud Posse recommends using [Leapp](https://leapp.cloud) instead._
+
 For the case where you have an active `aws-vault` server but the current shell is not using it, 
 you can run `assume_active_aws_role` to assume the role being served by the server.  Normally 
 this is run automatically for you when the shell starts but if you start server later, you can 

diff --git a/os/alpine/Dockerfile.alpine b/os/alpine/Dockerfile.alpine
@@ -1,8 +1,8 @@
 ARG ALPINE_VERSION=3.13.5
 # https://cloud.google.com/sdk/docs/release-notes
-ARG GOOGLE_CLOUD_SDK_VERSION=342.0.0
+ARG GOOGLE_CLOUD_SDK_VERSION=352.0.0
 # https://github.com/ahmetb/kubectx/releases
-ARG KUBECTX_COMPLETION_VERSION=0.9.3
+ARG KUBECTX_COMPLETION_VERSION=0.9.4
 
 #
 # Python Dependencies
@@ -204,19 +204,21 @@ ENV AWS_SHARED_CREDENTIALS_FILE=${GEODESIC_AWS_HOME}/credentials
 ENV AWS_REGION_ABBREVIATION_TYPE=fixed
 
 #
-# Configure aws-vault to easily assume roles (not related to HashiCorp Vault)
+# Support for aws-vault (not related to HashiCorp Vault) is deprecated
+# in favor of Leapp.  https://leapp.cloud
 #
-ENV AWS_VAULT_ENABLED=false
-ENV AWS_VAULT_SERVER_ENABLED=false
-ENV AWS_VAULT_BACKEND=file
+# ENV AWS_VAULT_ENABLED=false
+# ENV AWS_VAULT_SERVER_ENABLED=false
+# ENV AWS_VAULT_BACKEND=file
 # ENV AWS_VAULT_ASSUME_ROLE_TTL=1h
 # ENV AWS_VAULT_SESSION_TTL=12h
 # ENV AWS_VAULT_FILE_PASSPHRASE=
 
 #
-# Configure aws-okta to easily assume roles
+# Support for aws-okta is deprecated
+# in favor of Leapp.  https://leapp.cloud
 #
-ENV AWS_OKTA_ENABLED=false
+# ENV AWS_OKTA_ENABLED=false
 
 #
 # Shell customization

diff --git a/os/alpine/packages-alpine.txt b/os/alpine/packages-alpine.txt
@@ -1,5 +1,6 @@
 # Essential alpine-only packages
 busybox-extras
+diffutils
 drill
 fzf-bash-completion
 iputils

diff --git a/os/debian/Dockerfile.debian b/os/debian/Dockerfile.debian
@@ -1,12 +1,12 @@
-ARG DEBIAN_VERSION=10.9-slim
+ARG DEBIAN_VERSION=10.10-slim
 # https://cloud.google.com/sdk/docs/release-notes
-ARG GOOGLE_CLOUD_SDK_VERSION=342.0.0-0
+ARG GOOGLE_CLOUD_SDK_VERSION=352.0.0-0
 # https://github.com/ahmetb/kubectx/releases
-ARG KUBECTX_COMPLETION_VERSION=0.9.3
+ARG KUBECTX_COMPLETION_VERSION=0.9.4
 
 FROM debian:$DEBIAN_VERSION as python
 # Find the current version of Python at https://www.python.org/downloads/source/
-ARG PYTHON_VERSION=3.8.9
+ARG PYTHON_VERSION=3.8.11
 
 # Debian comes with minimal Locale support. See https://github.com/docker-library/docs/pull/703/files
 # Recommended: LC_ALL=C.UTF-8
@@ -227,13 +227,6 @@ ENV AWS_SHARED_CREDENTIALS_FILE=${GEODESIC_AWS_HOME}/credentials
 # See https://github.com/cloudposse/terraform-aws-utils#introduction
 ENV AWS_REGION_ABBREVIATION_TYPE=short
 
-#
-# Disable aws-vault and okta support by default, enable in child Dockerfile or personal configuration if needed
-#
-ENV AWS_VAULT_ENABLED=false
-ENV AWS_VAULT_SERVER_ENABLED=false
-ENV AWS_OKTA_ENABLED=false
-
 # Shell customization
 # options for `less`. `R` allows ANSI color codes to be displayed while stripping out
 # other control codes that can cause `less` to mess up the screen formatting

diff --git a/packages.txt b/packages.txt
@@ -1,7 +1,6 @@
 # Essential alpine packages
 awless@cloudposse
 aws-iam-authenticator@cloudposse
-aws-vault@cloudposse
 bash
 bash-completion
 bats@community

diff --git a/rootfs/etc/motd b/rootfs/etc/motd
@@ -1,7 +1,10 @@
 
 IMPORTANT:
-* Your $HOME directory has been mounted to `/localhost`
-* Use `aws-vault` to manage your sessions
-* Run `assume-role` to start a session
+* Your host $HOME directory has been mounted to `/localhost`.
+* Your host AWS configuration and credentials should be available.
+* Use Leapp on your host computer to manage your credentials.
+* Leapp is free, open source, and available from https://leapp.cloud
+* Use AWS_PROFILE environment variable to manage your AWS IAM role.
+* You can interactively select AWS profiles via the `assume-role` command.
 
 
diff --git a/rootfs/etc/profile.d/_preferences.sh b/rootfs/etc/profile.d/_preferences.sh
@@ -4,6 +4,17 @@
 # This file has depends on _geodesic-config.sh and should come third.
 # This file loads user preferences/customizations and must load before any user-visible configuration takes place.
 
+# In case this output is being piped into a shell, print a warning message
+# Specifically, this guards against:
+#   docker run -it cloudposse/geodesic:latest-debian  | bash
+printf 'printf "\\nIf piping Geodesic output into a shell, do not attach a terminal (-t flag)\\n" >&2; exit 8;'
+# In case this output is not being piped into a shell, hide the warning message
+printf '\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b'
+printf '\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b'
+printf '                                                                                                    '
+printf '\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b'
+printf '\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b'
+
 # Parse the GEODESIC_TRACE variable and set the internal _GEODESIC_TRACE_CUSTOMIZATION flag if needed
 if [[ $GEODESIC_TRACE =~ custom ]]; then
 	export _GEODESIC_TRACE_CUSTOMIZATION=true
@@ -49,8 +60,8 @@ fi
 if [[ ! -d $GEODESIC_CONFIG_HOME ]]; then
 	if ! df | grep -q /localhost; then
 		if [[ -z $KUBERNETES_PORT ]]; then
-			red "########################################################################################"
-			red "# No filesystem is mounted at $(bold /localhost) which limits Geodesic functionality."
+			red "########################################################################################" >&2
+			red "# No filesystem is mounted at $(bold /localhost) which limits Geodesic functionality." >&2
 			boot install
 		else
 			echo $(green Kubernetes host detected, Geodesic customization disabled.)