RDS build
require 'securerandom'
# Point the Chef API at the server Delivery uses (delivery-sugar helper) so the
# data bag reads/writes below go there -- presumably rather than the build
# node's local chef-zero; confirm against delivery-sugar if that matters.
load_delivery_chef_config

# AWS API keys for this environment, read from an encrypted data bag item.
aws_creds = encrypted_data_bag_item_for_environment('cia-creds', 'chef-cia')

project = node['delivery']['change']['project']
stage   = node['delivery']['change']['stage']

# Load the per-project database credentials item. A 404 means this project has
# never been built here, so start from an empty entry for the current stage;
# any other HTTP failure is propagated untouched.
Chef::Log.info('Check to see if the creds data bag exists')
begin
  database_creds = data_bag_item('cia-creds', "#{project}-database").to_hash
  Chef::Log.info('Data bag found.')
rescue Net::HTTPServerException => e
  raise unless e.response.code == "404"

  Chef::Log.info('Data bag wasn\'t found. Creating hash')
  database_creds = {
    'id'  => "#{project}-database",
    stage => {},
  }
end
# Notes about RDS setup
#######################
#
# Network placement is still a manual step: the subnet group and security group
# referenced here are hand-built in the VPC, and the two values below are
# placeholders that must be replaced with the real name/ID before this recipe
# will create anything usable.
aws_db_subnet_group = 'subnet_group_name'
aws_sg = ['sg-valid_sg_id']

rds_name = instance_name
stage_creds = database_creds[node['delivery']['change']['stage']]
existing = stage_creds && stage_creds[rds_name]

if existing && existing['username']
  # Re-use the master credentials recorded by an earlier build so repeated runs
  # keep addressing the same instance with the same login.
  username = existing['username']
  password = existing['password']
else
  # First build for this instance: derive a master username from the instance
  # name (dashes swapped for underscores -- presumably because '-' is not a
  # valid identifier character for the engine) and mint a random 256-bit
  # password (32 bytes, hex encoded). Both are written back, encrypted, at
  # compile time -- i.e. before the aws_rds resource converges -- which means a
  # failed create is retried on the next run with the same credentials.
  username = instance_name.tr('-', '_')
  password = SecureRandom.hex(32)

  stage_creds = (database_creds[node['delivery']['change']['stage']] ||= {})
  stage_creds[rds_name] = {
    'username' => username,
    'password' => password,
  }

  creds_dbag_item = Chef::DataBagItem.new
  creds_dbag_item.data_bag('cia-creds')
  creds_dbag_item.raw_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(
    database_creds,
    Chef::EncryptedDataBagItem.load_secret
  )
  creds_dbag_item.save
end
# As of the writing of this comment, the aws_rds instance doesn't support update
# actions, just creation -- changing any property below will not modify an
# instance that already exists.
rds_tags = [
  { key: 'X-Project', value: node['delivery']['change']['project'] },
  { key: 'X-Contact', value: 'cia' },
]

# Create the Postgres instance inside the hand-built VPC network using the
# master credentials selected above. `aws_multi_az` is not defined in this
# recipe and is expected to come from elsewhere in the cookbook.
aws_rds rds_name do
  # Keep the resource's property values (master password, AWS secret key) out
  # of Chef's converge output.
  sensitive true

  aws_access_key        aws_creds['access_key_id']
  aws_secret_access_key aws_creds['secret_access_key']

  engine            'postgres'
  db_instance_class 'db.t2.small'
  allocated_storage 20
  storage_type      'gp2'
  multi_az          aws_multi_az

  master_username      username
  master_user_password password

  # No public endpoint; reachability is governed by the subnet group and
  # security group alone.
  publicly_accessible    false
  db_subnet_group_name   aws_db_subnet_group
  vpc_security_group_ids aws_sg

  tags rds_tags
end
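# Hand-off between the two ruby_blocks below: populated at converge time by
# 'rds info' and consumed by 'upload data bag'.
data_bag_prep = {}

# After the instance converges, combine whatever the aws_rds resource recorded
# under node[:aws_rds][rds_name] with the master credentials chosen above.
# NOTE(review): node attributes are persisted to the Chef server in the clear at
# the end of the run -- confirm the aws_rds resource does not copy the master
# password into node[:aws_rds].
ruby_block 'rds info' do
  block do
    db_info = node[:aws_rds].to_h[rds_name]
    # Fail with a clear message instead of a NoMethodError on nil.merge when the
    # resource left nothing behind for this instance.
    raise "aws_rds did not record any instance info for #{rds_name}" unless db_info

    cred_info = database_creds[node['delivery']['change']['stage']][rds_name]
    data_bag_prep = { rds_name => db_info.merge(cred_info) }
  end
end

# Persist the instance details alongside the credentials in the encrypted
# project data bag. The item is re-read from the server here rather than
# reusing the compile-time copy (presumably so concurrent edits are not lost).
ruby_block 'upload data bag' do
  block do
    with_server_config do
      stage = node['delivery']['change']['stage']
      dbag_item = Chef::DataBagItem.new
      dbag_item.data_bag('cia-creds')
      dbag_data = data_bag_item('cia-creds', "#{node['delivery']['change']['project']}-database").to_hash
      # Merge into the stage rather than replacing it: the stage hash can hold
      # entries for other instances of this project (the compile-time write
      # above preserves them), and assigning data_bag_prep wholesale would
      # silently drop every sibling entry.
      (dbag_data[stage] ||= {}).merge!(data_bag_prep)
      dbag_item.raw_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(
        dbag_data,
        Chef::EncryptedDataBagItem.load_secret
      )
      dbag_item.save
    end
  end
end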
# Berksfile. Both cookbooks are pulled straight from GitHub with no ref/tag/
# branch option, so every dependency resolve follows whatever the default
# branch currently holds. NOTE(review): pin each to a tag or commit before
# relying on this in a pipeline, otherwise the build cookbook's inputs can
# change underneath it without any change to this repository.
cookbook 'delivery-sugar', github: 'chef-cookbooks/delivery-sugar'
cookbook 'aws-rds', github: 'cwebberOps/aws-rds-cookbook'
# metadata.rb dependencies. aws-rds provides the aws_rds resource used by the
# recipe; delivery-sugar presumably provides the helpers it calls
# (load_delivery_chef_config, encrypted_data_bag_item_for_environment,
# with_server_config) -- confirm against that cookbook. Neither dependency is
# version-constrained here.
depends 'aws-rds'
depends 'delivery-sugar'