Merge pull request #806 from degica/datadog_security

Add priority to plugin hook
degica · Feb 29, 2024 · db6595f · db6595f
2 parents 53492bf + 24e9954
commit db6595f
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 3 deletions.
diff --git a/app/models/district.rb b/app/models/district.rb
@@ -149,7 +149,10 @@ def container_instances
   end
 
   def hook_plugins(trigger, origin, arg = nil)
-    plugins.reverse.reduce(arg) do |a, plugin|
+    # call plugin by priority
+    # for same priority, by the reverse order of the registered
+    i = 0
+    plugins.sort_by {|p| [p.hook_priority, i -= 1] }.reduce(arg) do |a, plugin|
       plugin.hook(trigger, origin, a)
     end
   end

diff --git a/app/models/plugin.rb b/app/models/plugin.rb
@@ -30,6 +30,11 @@ def plugin
     klass.new(self)
   end
 
+  def hook_priority
+    attributes = self.plugin_attributes || {}
+    attributes['hook_priority'].to_i
+  end
+
   private
 
   def default_attributes

diff --git a/lib/barcelona/network/bastion_builder.rb b/lib/barcelona/network/bastion_builder.rb
@@ -100,7 +100,7 @@ def build_resources
         add_resource("AWS::AutoScaling::LaunchConfiguration", "BastionLaunchConfiguration") do |j|
           j.IamInstanceProfile ref("BastionProfile")
           j.ImageId AMI_IDS[district.region]
-          j.InstanceType "t3.micro"
+          j.InstanceType "t3.small"
           j.SecurityGroups [ref("SecurityGroupBastion")]
           j.AssociatePublicIpAddress true
           j.UserData user_data

diff --git a/lib/barcelona/plugins/datadog_plugin.rb b/lib/barcelona/plugins/datadog_plugin.rb
@@ -1,6 +1,10 @@
 module Barcelona
   module Plugins
     class DatadogPlugin < Base
+      # This plugin must be the last of the instalation order
+      # Usage sample: 
+      # bcn district put-plugin -a api_key=8e53.... -a hook_priority=10 ec-staging datadog
+
       def on_container_instance_user_data(_instance, user_data)
         add_files!(user_data)
         user_data.run_commands += [

diff --git a/spec/lib/barcelona/network/network_stack_spec.rb b/spec/lib/barcelona/network/network_stack_spec.rb
@@ -374,7 +374,7 @@
       "BastionLaunchConfiguration" => {
         "Type" => "AWS::AutoScaling::LaunchConfiguration",
         "Properties" => {
-          "InstanceType" => "t3.micro",
+          "InstanceType" => "t3.small",
           "MetadataOptions"=>{"HttpTokens"=>"required"},
           "IamInstanceProfile" => {"Ref" => "BastionProfile"},
           "ImageId" => kind_of(String),

diff --git a/spec/models/district_spec.rb b/spec/models/district_spec.rb
@@ -53,6 +53,36 @@
     end
   end
 
+  describe "#hook_plugins" do
+    it "calls hook by the revserse of the registered order" do
+      user_data = InstanceUserData.new
+      district.save!
+      district.plugins.create(name: 'secure_instance')
+      district.plugins.create(name: 'datadog', plugin_attributes: { "api_key": 'abcdefg'})
+      district.plugins.create(name: 'itamae', plugin_attributes: { "recipe_url": "s3://barcelona-district1-12345/itamae_recipes/recipe.tar.gz"})
+      user_data = district.hook_plugins(:container_instance_user_data, self, user_data)
+      user_data_hash = YAML.load(Base64.decode64(user_data.build))
+
+      expect(user_data_hash['runcmd'].first).to include('ruby') # itamae
+      expect(user_data_hash['runcmd'][5]).to include('datadog') # datadog
+      expect(user_data_hash['runcmd'].last).to include('tmout.sh') # secure_instance
+    end
+
+    it "calls hook by the specified order" do
+      user_data = InstanceUserData.new
+      district.save!
+      district.plugins.create(name: 'secure_instance')
+      district.plugins.create(name: 'datadog', plugin_attributes: { "api_key": 'abcdefg', "hook_priority": 10})
+      district.plugins.create(name: 'itamae', plugin_attributes: { "recipe_url": "s3://barcelona-district1-12345/itamae_recipes/recipe.tar.gz"})
+      user_data = district.hook_plugins(:container_instance_user_data, self, user_data)
+      user_data_hash = YAML.load(Base64.decode64(user_data.build))
+
+      expect(user_data_hash['runcmd'].first).to include('ruby') # itamae
+      expect(user_data_hash['runcmd'][6]).to include('clamav') # secure_instance
+      expect(user_data_hash['runcmd'].last).to include('datadog') # datadog
+    end
+  end
+
   describe "#subnets" do
     before do
       allow(district.aws).to receive(:ec2) { ec2_mock }

diff --git a/spec/models/plugin_spec.rb b/spec/models/plugin_spec.rb
@@ -32,4 +32,20 @@
       end
     end
   end
+
+  describe "#hook_priority" do
+    context "when not specified" do
+      let(:plugin) { Plugin.new(name: 'test') }
+      it "should be zero" do
+        expect(plugin.hook_priority).to eq(0)
+      end
+    end
+
+    context "when specified" do
+      let(:plugin) { Plugin.new(name: 'test', plugin_attributes:{ "api_key": 'abcdefg', hook_priority: '10'}) }
+      it "should be the specified value" do
+        expect(plugin.hook_priority).to eq(10)
+      end
+    end
+  end
 end