# paco.models
An object model for semantic cloud infrastructure.
`paco.models` parses a directory of YAML files that compose an Paco project and loads them
into a complete object model.
## What's in the model?
The model defines common logical cloud infrastructure concepts, such as networks, accounts,
applications and environments.
The model uses network and applications as hierarchical trees of configuration that can
have their values over rode when they are placed into environments. Environments live in a
network and contain applications, and typically represent the stages of the software development
lifecycle (SDLC), such as 'development', 'staging' and 'production'.
The model has a declarative schema that explicitly defines the fields for each object type in the model.
This schema declares not only type (e.g. string, integer) but can also declare defaults, min and max values,
constrain to specific values, and define invariants that ensure that if one field has a specific value, another
fields value is compatabile with that. The model will validates these fields when it loads a Paco project.
## Developing
Install this package with your Python tool of choice. Typically set-up a virtualenv
and pip install the dependencies in there:
python -m venv env
./env/bin/pip install -e .
There are unit tests using PyTest. If you are using VS Code you can turn on the
"Py Test Enabled" setting and run "Discover Unit Tests" command.
## Generated Vocabulary
The module `paco.models.gen_vocabulary` is dynamically generated by the script `paco_update_gen_vocabulary`.
To run this script first install the paco.models (pip install -e .) project. Then create an IAM User in
an active AWS account with read-only access and save them in your `.aws/credentials` file. If you aren't
using the default profile name, you can set the AWS_PROFILE environment variable.
The paco.models will create a handy profile.sh to set this up for you:
$ source profile.sh
Setup your AWS Credentials
$ export AWS_DEFAULT_PROFILE=<aws profile name>
Then simple run the command from the command line after sourcing profile.sh:
$ paco_update_gen_vocabulary
Changelog for paco.models
=========================
7.8.37 (2024-04-08)
------------------
### Added
- Added IAM User default password legacy flag
- Added Static IP support to Network Loadbalancers.
- Added support for ubutnu ARM based ec2 image lookups
7.8.36 (2023-12-21)
------------------
- Removed ECS SErvice tracking policy predefined metric's required flag
7.8.35 (2023-09-26)
------------------
### Added
- Added ECRReplicationConfiguration resource
- Added external_resource to GuardDutyDetectorRegion
- Added secrets_manager_default_2023_03_09 and ecs_tracking_policy_name_2023_08_29 legacy flags.
- ECR Repository Replication
- Changed Amazon Linux live patching Release Version field to required.
- Implemented Live Amazon Linux 2023 OS and Kernel patching and version preservation.
- Initalized command and entry_point lists in ECSContainerDefinition
7.8.34 (2023-07-19)
------------------
### Added
- Added Task role to ECS services
7.8.33 (2023-06-27)
------------------
### Added
- Added CloudWatch Logs resource
- Added CrossZone configuration to ILoadBalancer
- Added EventBridge Resource
- Added LBNetwork to vocabulary file
- Added NACL configuration support to Segments
- Added RuleOverrideAction to WAFWebACL Rules
- Added Sid field to the policy Statement() model object
- Added WebACL support to ALB Listeners
- Added disable_account_delegates to IAMUser to allow users to be created in any account
- Added event_bus field to IEventsRule
- Added get_arn() function to CloudWatchLogGroup model object
- Added managed_policy_arns filed to the IAM User Custom Policy model object
- Added manged_polcies support to IAM users to attach policies directly to the user.
- Added me-central-1 (UAE) to vocabulary file
- Added override_action to WAF Rule
- Added support for Amazon Linux 2023
- Aded Aurora Global Cluster support to RDS
- Began implementing Lambda FunctionURL
- Changed LoadBalacner ListenerRule 'host' field to a list.
- Disabled list merging during dict merge in the loader
### Fixed
- Fixed PacoReference str_ok when used in Lists
- Fixed a bug with lists in the paco model loader that have paco.ref references in them.
### Changed
- Modified SecurityGroupRule cidr_ip type to PacoReference from TextLine
- Regenerated Vocabulary
- Updated vocabulary
7.8.32 ((2023-02-28))
------------------
### Added
- Added ARM support for Amazon linux instance type for t4g instancs
- Added AccessKeys IAM User permissions
- Added AppConfig resource
- Added CloudWatch Resource for Consolidated Monitoring Account configuration
- Added Conditions to AssumeRolePolicy
- Added EC2 Flow Logs for VPC
- Added EC2 Flow Logs for VPC
- Added EIP configuration to EC2 global resource
- Added EIPs to paco ref resolutions
- Added GuardDuty Resource
- Added IAMPolicy Resource
- Added Idenity Provider role to ECR Repositories
- Added Identity Provider Roles to Lambda functions.
- Added Image Scanning supprot to ECRRepository
- Added Inspector Resource
- Added Lifecycle Rules support to S3Buckets
- Added Monitoring to GuardDuty
- Added PacoService IResource
- Added ReadOnly mode to EFS mounts
- Added Reference Outputs lookups
- Added ResponseHeaderPolicy to CloudFront resources.
- Added Roles to resource.iam
- Added Ubuntu 22.04 support to paco.ref ami function
- Added VPCEIP to network.vpc configuration.
- Added VPN Client Endpoint to VPC
- Added a filter to remove Nones from any lists to clean up list merges.
- Added ability for ECS services to override the LogGroup name, and added a boolean to disbale LogGroup creation.
- Added ability for VPC Peering to associate the private hosted zone of the acceptor with the requester
- Added account field to ILambda
- Added assume_role_policies to BaseRole to allow for multi-statement AssumeRole policies.
- Added availability zone field to VPN client endpoint.
- Added codedeploy_stack_name_2022_07_07 as a legacy flag
- Added config_scope arg to the loader
- Added external_repository_arn to ECSRepository resources
- Added externally_managed field to IAM User access keys to allow users to manage their own keys.
- Added federated to Principal schema
- Added full_repository_name to ECRRepository
- Added hash_long_names to get_aws_name() LoadBalancer model object
- Added ignore changes field to Loadbalancer ListenerRule target group
- Added ignore fields to ECSContainer Definitions and individual servics
- Added ignore_image_changes and ignore_capacity_changes to ECSServices config
- Added input_artifact_action to support parallel action runs in CodePipeline
- Added lambda_version to CloudFront lambda function associations
- Added policy_actions, the ability to control Access to IDPRoles
- Added region support to References for CloudWatch Resources
- Added response_headers_policy_id to CloudFront Default cache behavior
- Added support for gloabl EIPs to self-managed EC2 nat gateways
- Added support to set the NAT instance AMI
- Added t4g instance types to vocabulary.
- Added tags field to IEBS
- Added ubuntu-18 AMI function call lookup
- Adding AWSLog config for ECSLogging
- Adding EIPs config to EC2 resource.
- Allowed ARNs in LBApplication listener ssl_certificates lists
- Changed resource.iam.roles account string to accounts list.
### Fixed
- Fixed Outputs cache by separating netenv, server, resource, etc.
- Fixed Outputs cache by separating netenv, server, resource, etc.
- Fixed Route53 HostedZone invariant for private hosted zones when external resource is enabled.
- Fixed amazon-linux-nat ec2 function filter.
- Fixed amazon-linux-nat ec2 function filter.
- Fixed error in loader when filtering out None's from merged lists
- Fixed error in loader when filtering out None's from merged lists
- Fixed model_obj on resource.route53 paths
- Fixed monitoring notification group filtering
### Changed
- Implemented VPC VPN Client Endpoint
- Made ECSASGConfiguration Deployable
- Porting to troposphere 4.x
- Prefix cp- to ECS Capacity provider names if they start with aws, ecs, or fargat
- Removed breakpoint() calls.
- Started adding Identity Provider support to Base Roles
7.8.31 ((2022-07-08))
------------------
### Added
- Added ALB Listener Default Actions
- Added PacoServiceHook to IS3Bucket
- Added Postgres 12.11 to generated vocabulary
- Added S3 Registry Hooks
- Added a feature_flag option to project.yaml
- Added get_object() function to Reference() to return reference's object
- Added paco.ref alias...: key functionality
- Added prefix_environment_name and new logic to ECR Repository name generation and config
- Added resolve_from_outputs to get_resolve_ref_obj() in references
- Added s3_buckets to ILambda for explicit Lambda Permission to InvokeFunction
- Added to_dict() to AlarmNotifications() model object
- Added to_dict() to AlarmNotifications() model object
### Fixed
- Fixed None reference in metrics
- Fixed generated service config to allow paco_service_hooks without a config
7.8.30 ((2022-06-02))
------------------
### Added
- Added build artifacts to .gitignore
- Added build artifacts to .gitignore
- Added netenv helepr functions to Reference()
- Added support for duplicated appliactions to generated service config
- Added windows_2016 to vocabulary
7.8.29 ((2022-05-25))
------------------
### Added
- Added gen_name() to Rerference() for generating a commonly unique name
- Added support to normalize refs in sevice generated configurations.
- Added support to normalize refs in sevice generated configurations.
- Made gp3 the default EBS Volume Type
- New defaults for ALB and CloudFront security Policies
7.8.28 (2022-05-06)
------------------
### Added
- Added LoadBalancer and TargetGroup automated support to Alarms
- Added enable/disbale to ITargetGroup
- Added monitoring to ITargetGroup
7.8.27 (2022-05-01)
------------------
### Changed
- Testing PyPi Build and Upload
7.8.26 (2022-05-01)
------------------
### Changed
- Testing PyPi Build and UPload
7.8.25 (2022-05-01)
-------------------
### Added
- Implemented a default_password field for IAM users to work around password resctriptions.
- Added cost_disabled field to ILoadBalancer to allow ALB's to be disabled
- Added default of 30 days to ICloudWatchLogRetention()
- Added get_aws_name() to LoadBalancers
- Added support for CostDisabled ALBS
- Added project Environment Variables support to CodeBuild.
- Added GitHub CodeStar connection support
- Added DetectChanges to DeploymentPipelines
- Implemented new PacoServiceHook
- Added netenv support to paco.ref alias
- Added resolve_from_outputs boolean to force outputs lookup
- Added more CodeDeploy Service hooks to implement Blue/Green deployments
- Added Service Hook schema for CodeDeploy action in Deployment Pipeliens
### Fixed
- Fixed error with alias and service process callbacks in the loader.
- FIxed LogGroup expiry defaults
### Changed
- Started looking at AWS layers
- Removed requirement for IDeploymentPipelineCodeStarConnectionSourceAction owner and repository fields.
7.8.24 (2022-03-25)
-------------------
### Changed
- Separated FilePermissions for group, owner, and mode configuration
### Added
- Added LifeCycle Policies to ECRRepository resources.
- Added ubuntu_20 to instance_ami paco.ref function
- Added support for CIS hardened Ubuntu 18 AMI paco.ref function
- Added event bridge notification access to SNS topcis
- Added Event Pattern support to EventsRules
- Added notifications to EventsRules
- Added CodeStar connection ARN field to CodePipeline source configuration for BitBucket.
7.8.23 (2022-03-04)
-------------------
### Fixed
- Fixed IRDSClusterInstances taggedValue arguments.
### Added
- Added DNS to ElastiCache
- Added Environment Type to CodeBuild DeploymentPipelie configuration
- Added Alias feature for consolidating commonly modified configuration in one location
- Added get_environment_name method to Reference()
7.8.22 (2022-02-09)
-------------------
### Added
- Added Build Batch configuration to CodeBuild
7.8.21 (2022-02-08)
-------------------
### Added
- Added github source configration to CodeBuild
- Added enable_automatic_backups to IEFS
### Fixed
- Fixed the loader's get_all_nodes() from 'if obj:' returning False when it is a valid obj.
### Changed
- Enabled encryption at rest on EFS by default
7.8.20 (2022-01-31)
-------------------
### Added
- Added CodeBuild Artifacts configuration
7.8.19 (2022-01-27)
-------------------
### Added
- Added deployment_branch_name to CodeBuild GitHub source configuration
- Added source_security_group_owner to ISecurityGroup for cross account access
- Added peer_type to Peering config
- Added vpc_config configuration to codebuild
- Added availability_zone to VPC Endpoints configuration.
### Fixed
- Fixed up VPC Peering between netenvs
- Fixed get_resolve_ref_obj if value is an integer
7.8.18 (2021-12-17)
-------------------
### Changed
- Updated generated vocabulary.
### Added
- Implemented IAM Role resources
7.8.17 (2021-11-24)
-------------------
### Added
- Added 'disable_codepipeline' to IDeploymentPipelineConfiguration to allow stage resource to be build independently.
- Added CodeBuild GitHub source configuration
7.8.16 (2021-11-23)
-------------------
### Changed
- Modified IECSService's deployment_minimum_healthy_percent minimum from 1 to 0.
### Added
- Added namespace by metric vocabulary lookup to automate ASG namespaces for CWAgent and AWS/EC2
- Added region to ILambda resource.
- Implemented SystemsManagerSession IAM delegates policy
- Added ManualApproval to isPacoDeploymentPipelinePermissionPolicyValid for IAM permissions.
- Added AAAA to Route53 Record set types
- Added ubuntu_18_cis ami_type to vocabulary
7.8.15 (2021-10-04)
-------------------
### Added
- Added import_from logic for CodeCommit
- Added TLSv1.2_2021 minimum cloudfront protocol version
7.8.14 (2021-09-10)
-------------------
### Changed
- Updated generated vocabulary
### Added
- Added Security Groups service hooks to the registry
- Added SPF Route53 RecordSet type to validation
- Added HealthCheckPort to load balancers
- Added WAFv2 WebACL Resource
7.8.13 (2021-08-26)
-------------------
### Added
- Added bucket_owner_preferred boolean to S3Bucket resources
- Implemented S3 Replication Configuration for destination buckets
- Added a backup_restore_bucket RDS Option field to RDSSQLServerExpress resource.
- Added import_from support for netenvs
- Added ECR Repository field to IASG for automated permissions.
- Adding BitBucket support to deployment pipelines.
- Added IASGPatchManager for automated Windows patching
### Fixed
- Fixed RDSClusterDefaultInstance monitorability
7.8.12 (2021-06-08)
-------------------
### Added
- Implemented SQLServerExpress RDS
- Added redirect_path to IListenerRules
- Updated generated Vocabulary
- Added 'windows' generic AMI type
- Added VPC Endpoints configuration
- Added elb account id map to vocabulary
- Added windows_2019 to ami_types vocabulary
- Added bool to base obj_hash() method.
### Fixed
- Fixed exception in get_formatted_model_context when handling exceptions.
7.8.11 (2021-05-11)
-------------------
### Fixed
- Fixed missing event_notifications field in RDSClusterDefaultInstance
- Fixed uninitialized repo_by_account in CodeCommit model object.
7.8.10 (2021-05-04)
-------------------
### Added
- Added region field to DeploymentPipeline configuration
7.8.9 (2021-04-23)
------------------
### Added
- Added support to disable Target Groups on ASGs
- Added support to disable services in ECSServices
7.8.8 (2021-04-19)
------------------
### Fixed
- Added resolve_ref to ApplicationEngine model object to fix some paco ref lookups.
7.8.7 (2021-04-09)
------------------
### Added
- Added CW_ALARM_DESCRIPTION_HOOK to Paco registry
- Added notification_groups field to CW Alarm descriptions
### Fixed
- Fixed exception for un-initialized value in Parent base class obj_hash method
7.8.6 (2021-04-06)
------------------
### Added
- Added codestar_notification_access boolean to sns topics for access policy
7.8.5 (2021-04-02)
------------------
### Added
- Added monitoring and notification_events to DeploymentPipeline
- Added an ECS utility to the script manager for ASGs
### Changed
- Modified defaults for Load Balancer and CloudFront SSL security policy.
7.8.4 (2021-03-15)
------------------
### Added
- Added ImportFrom functionality.
7.8.3 (2021-03-11)
------------------
### Added
- Additional EC2 instance sizes.
7.8.2 (2021-02-24)
------------------
### Added
- New `cache_policy_id` and `origin_request_policy_id` fields to `ICloudFrontDefaultCacheBehavior` schema.
7.8.1 (2021-02-05)
------------------
### Added
- Add `force_dns_enabled` to `IDNSEnablable`.
7.8.0 (2021-02-04)
------------------
### Changed
- The original deprecated `snstopics` resource has been removed and only the new `sns` resource remains.
7.7.6 (2021-02-03)
------------------
- Add `external_resource` to `ICloudWatchLogGroup`.
7.7.5 (2021-01-29)
------------------
- Add `script_manager` to `IASG` for ECR Deployments.
7.7.4 (2021-01-13)
------------------
### Changed
- EC2 `launch_options.codedeploy_agent` was defaulting to True. It is now False by default.
### Fixed
- Fixed DynamoDB Table resolve_ref.
7.7.3 (2021-01-05)
------------------
### Added
- ECS ASG Capacity Provider has a `managed_instance_protection` field.
7.7.2 (2021-01-05)
------------------
### Added
- ECS Service has a `capacity_providers` field for ECS Capacity Providers.
- ECS Cluster has a `capacity_providers` field that is the default if no `launch_type` is specified.
7.7.1 (2020-12-31)
------------------
### Added
- ReleasePhases for DeploymentPipeline CodeBuild actions.
7.7.0 (2020-12-23)
------------------
### Changed
- Add support for Network Load Balaners. New `IloadBalancer` base class and `IApplicationLoadBalancer` and `INetworkLoadBalancer` classes.
The `LBApplication` class has been renamed to `ApplicationLoadBalancer`.
### Added
- AlarmDescription metadata now includes a 'ref' field, which is the paco.ref parts to the Alarm resource.
- Constraint for `IS3BucketPolicy` and `IStatement` for the `condition` field to check for valid AWS Constraint.
- `IBackupPlan` has new `copy_actions` field.
- Initial schemas for DynamoDB.
### Fixed
- AdminIAMUsers for `IAccount` is now a container with a `name`.
- ListenerRules for `IListener` for load balancers is now a container with a `name`.
- CloudFrontOrigins for `ICloudFront` is now a container with a `name`.
- CloudFrontFactories for `ICloudFront` is now a container with a `name`.
7.6.1 (2020-11-12)
------------------
### Added
- Added `codedeploy_agent` to field to `EC2LaunchOptions`.
7.6.0 (2020-11-07)
------------------
### Fixed
- Cross-account netenv refs are properly detected and don't get munged.
- `add_stack_hooks` can be called before or **after** template initialization and be registred.
- IoTPolicy now works with Services.
### Added
- Add `add_paco_suffix` field to `S3Bucket` resource.
- Lambda Triggers for CognitoUserPool
- Path fields that go to a local path can now use `~/` to expand to the home directory path.
- `IECSServices` has `setting_groups` field.
- `IApiGatewayResource` has `child_resources` and `enable_cors` fields.
- New method `Project.get_all_resources_by_type()` which depends upon a Project resource registry which
contains a dict of all application resources grouped by type. Easily query across applications!
- loader has a `validate_local_paths` to allow loading the model from a CI/CD or other environments
that may not have local paths available.
- New `IBinaryFileReference` to load binary files.
- CloudFront LambdaFunctionAssociation support and Lambda@Edge initial support.
- Initial Cognito support with resource types for `ICognitoUserPool` and `ICognitoIdentityPool`.
- TargetGroup has a `target_type` field.
- ECSServices has Fargate support.
- ECSService has a `target_tracking_scaling_policies` for service scaling.
- Helpful errors for misconfigured AlarmSets.
- Added `monitoring` to `ECSServices` and `ECSCluster`.
- Added `ecr_repositories` to `IDeploymentPipelineBuildCodeBuild` to simplify declaring
ECR Repository permissions.
- Added a `add_stack_hooks` to `paco.models.base.Resource`.
### Changed
- YAML file loading now accounts for case-sensitive filesystems, but allowing for directory names and
filenames to either be lower-case or capitalized.
- Renamed `IApiGatewayMethod` for ApiGatewayRestApi from `resource_id` to `resource_name`
to better reflect the name matches the resources of the gatewway.
- Renamed `IAWSCertificateManager` to `IACM` so that it matches it's Resource Type name.
- ApiGatewayRestApi doesn't supply a name in it's CloudFormation export
7.5.0 (2020-09-17)
------------------
### Added
- Added `paco.models.registry` as a place to contain configuration that extends or changes Paco.
- Added `IIAMUserResource` as an application-level IAMUser resource.
- Minimal `IPinpointApplication` schema for AWS Pinpoint support.
- AlarmSets and CWLogging are loaded into `project.monitor`. These are used by `paco describe` feature.
- Added `extend_base_schema` hook to the loader to allows Services to extend schemas before the loader loads.
- Container loader can load empty objects (objects with no fields, only a name)
### Changed
- `paco.modes.services.list_service_plugins` changed to `list_enabled_services`. Returns ony enabed services
in a dict format.
- `IIAMUserProgrammaticAccess` changed to `IEnablable` and now defaults to True.
- The `ICloudFrontCustomErrorResponse` field `error_caching_min_ttl` has a default of 300.
- PyLance detected fixes: re-arrange `IRDS` schema so it no longer provides `IResource`.
https://github.com/microsoft/pylance-release
7.4.0 (2020-07-14)
------------------
### Added
- DeploymentPipeline now has an `ECR.Source` action.
- Added `IEnablable` that is the same as `IDeployable` except it defaults to true.
- Added `IRDSMysqlAurora` and `IRDSPostgresqlAurora` for Aurora support.
- Added users and groups to `resource/ec2.yaml` and `ssh_access` to IASG.
- ECSSerivce additional fields for deployment_maximum_percent, deployment_minimum_healthy_percent and
health_check_grace_period_seconds.
- ISecretManagerSecret now has an `account` field to specify it belongs to a specific account.
### Changed
- `IDeploymentPipelineStageAction` uses IEnablable so that deployment actions are enabled by default.
- `ISNSTopic` uses IEnablable so that topics are enabled by default.
7.3.0 (2020-06-22)
------------------
### Added
- ICodeCommitUser has a permissions field that can be ReadWrite or ReadOnly.
- IDeploymentPipelineBuildCodeBuild has a `buildspec` field.
- New `paco.models.gen_vocabulary` of vocabularies dynamically generated from AWS API calls. Added vocabulary for
AWS AMI Ids.
- `paco.ref function` now supports a `:` synatx to pass extra context to a function
- New `paco.aws` package with `paco.ref function` calls. First call is `paco.aws.ami_id:latest.amazon-linux-2-ecs`
- ECS Cluster with initial EC2 AutoScalingGroup support.
- New `resource/sns.yaml` fiel with SNS global resource to allow SNS Topics and Subscriptions to be provisioned
across any combination of accounts/regions.
- AWS Config support added in ``resource/config.yaml``.
- ICloudTrail now has a ``kms_users`` field which is a list of IAM Users granted access to encrypted CloudTrail logs.
### Changed
- ISNSTopics has a locations field. This only applies for `resource/sns.yaml`
- The IASG `instance_iam_role` field is no longer a required field.
- The home / config_folder is now a pathlib.Path object.
7.2.0 (2020-05-09)
------------------
### Added
- Added ``IASG.launch_options.ssm_agent`` to indicate if SSM Agent should be installed.
- Added ``IRDSPostgresql`` with RDS for Postgresql support. Added complete list of RDS EngineVerions for
Mysql and Postgresql to vocabulary.
### Changed
- Vocabulary for instance_ami_type expanded to include OS major release or other significant attributes.
- Added ``poll_for_source_changes`` to IDeploymentPipelineSourceGitHub.
- ``Lambda:code:zipfile`` can now be a path to a local directory.
7.1.0 (2020-04-04)
------------------
### Migration
- ASG field's ``update_policy_max_batch_size`` and ``update_policy_min_instances_in_service`` are removed.
Instead use the ASG field ``rolling_update_policy`` and set ``max_batch_size`` and ``min_instances_in_service``.
### Added
- New ``managed_policies`` for IIAMUserPermissionCustomPolicy to allow easily adding AWS Managed Policies.
- IIoTAnalyticsPipeline, IIoTTopicRule and IIoTPolicy schemas and implementation to support core IoT
ingestion and analysis.
- IListener has an ``ssl_policy`` for setting the SslPolicy for a SSL Listener.
7.0.2 (2020-03-14)
------------------
### Fixed
- Restore cfn-init wget command.
7.0.1 (2020-03-14)
------------------
### Added
- IDeploymentPipelineDeployS3 has input_artifacts field for Stages/Actions.
7.0.0 (2020-03-06)
------------------
### Migration
- NotifcationGroups was renamed to SNSTopics.
Migration: git mv resource/NotificationGroups.yaml resource/snstopics.yaml
- IEventsRule now has an IEventTarget instead of just a paco.ref to the target. This
allows you to specify the input_json for the target.
### Added
- IManagedPolicy has a policy_name field which can be used to specify the name of IAM Policy in AWS.
- IDeploymentPipelineSourceGitHub to model GitHub.Source actions for CodePipeline.
- IDeploymentPipeline has a stages field which can be used to create more flexible Stages and Actions
than the pre-baked source/build/deploy fields.
### Changed
- IS3Resource now has an IS3Buckets instead of a dict and references for global buckets
has been cleaned up.
### Fixed
- All IVPC schemas with dicts have been replaced by INamed objects so that they can provide a paco_ref.
6.4.1 (2020-02-19)
------------------
### Added
- New IVersionControl schema for a IProject configuration.
6.4.0 (2020-02-17)
------------------
### Added
- IElasticsearchDomain schema.
- ASG has instance_ami_ignore_changes field to indicate the AMI Id is being updated
externally.
- paco.ref function can now call any arbitrary Python function.
- Add enabled_state for IEventRule.
- Added log_group_names and expire_events_after_days to ILambda to allow it to
manage Log Groups and set a Retention period.
### Changed
- Superflous ICodeCommitRepositoryGroups was removed and ICodeCommit is the container
now for an ICodeCommitRepositoryGroup.
### Fixed
- Fix errors thrown by loader when loading environments with empty config.
6.3.7 (2020-02-05)
------------------
### Added
- Full set of fields for `generate_secret_string` for Secrets.
### Fixed
- Lambda.add_environment_variable was not passing the parent.
6.3.6 (2020-01-29)
------------------
### Added
- Error message when cfn-init files with !Sub and !Join can't be parsed.
6.3.5 (2020-01-23)
------------------
### Fixed
- Ubuntu awscli install had extra whitespace which could stop up UserData.
6.3.4 (2020-01-16)
------------------
### Added
- Added external_resource field for ICodeCommit.
6.3.3 (2020-01-09)
------------------
### Added
- The TextReference class was renamed PacoRefernce and can now be passed `schema_constraint` with the
name or Schema that it must be a reference to.
- Support for `users` and `groups` in cfn-init. Invariant to prevent user name duplicating group name.
### Changed
- Temporarily disable chmod 400 check on .credentials to support filesystems that don't have permissions.
- CodeCommit contains CodeCommitRepositoryGroups and CodeCommitRepostory group objects instead of a two-level dict.
Fixes docs and simplifies loader.
### Fixed
- `Lambad.add_environment_variable` passes parent.
6.3.2 (2020-01-06)
------------------
### Changed
- Schema clean-up, removed IMapping for all schemas that do not actually use it.
- Removed unused managed_udpates field for IApplication.
6.3.1 (2020-01-03)
------------------
### Added
- IRoute53HealthCheck has ip_address field.
- resource/snstopics.yaml is an alias for resource/notificationgroups.yaml
- raise_invalid_reference method to display helpful message when a ref look-up fails.
### Fixed
- cfn-init package sets were only loading for item, now loads all package types.
- ICloudWatchLogSource log_stream_name is a required field, if it's empty the agent won't launch.
6.3.0 (2019-12-03)
------------------
### Added
- ICloudWatchDashboard for CloudWatch Dashboard resources.
- Route53 Health Checks have domain_name and enable_sni fields.
### Changed
- Invariant errors in schema checks have non-confusing error message.
6.2.1 (2019-11-29)
------------------
- Fixes for the AIM to paco rename.
6.2.0 (2019-11-28)
------------------
### Changed
- Package rename: `paco.models` is now `paco.models`, consistent with the tool being
renamed to `paco`.
- Top-level directories have been renamed to be consistent with their names in the model:
NetworkEnvironments --> netenv
Resources --> resource
Services --> service
Accounts --> account
MonitorConfig --> monitor
The loader will look for `NetworkEnvironments` and if it exists use the legacy names.
### Added
- Added support for AWS Backup Vault. There can now be global backup_vaults field in NetworkEnvironment YAML files.
These can be overrode in EnvironmentDefault and EnvironmentRegion configuration sections.
- Added support for block_device_mappings for IASG.
6.1.0 (2019-11-06)
------------------
### Added
- Applications can be provisioned in the same environment more than once with a new
"app{suffix}" syntax for an environments application keys.
- INotificationGroups has a regions field, if it is the default of ['ALL'] it will apply to
all of a project's active regions. Otherwise is will just provision in the selected region(s).
- ICloudFormationInit for modelling AWS::CloudFormation::Init, which can be applied to
the IASG.cfn_init field.
- ICloudWatchLogAlarm schema. ICloudWatchAlarm now has "type: Alarm" and if it is "type: LogAlarm"
an ICloudWatchLogAlarm will be created which can be used to connect an alarm to a MetricFilter
of a LogGroup.
- IDBParameterGrouups resource.
- IElastiCache has `description` and `cache_clusters` fields, while IElastiCacheRedis has `snapshot_retention_limit_days`
and `snapshot_window` fields.
- IRDS has new `license_model`, `cloudwatch_logs_export` and `deletion_protection` fields.
- `global_role_name` field for IAM Role can be set to True and the RoleName
will not be hashed. Can only be used for global Roles, otherwise if these
Roles overlap per-environment, things will break!
- `monitoring.health_checks` which can contain HealthCheck Resources.
IRoute53HealthCheck resource for Route53 health checks.
- `region_name` property can be overrode if a `overrode_region_name` attribute is set.
- Added a CodeBuild IAM Permission for IAM Users
- Added `resolve_ref` method to DeploymentPipelineConfiguration
- Added the EIP Application Resource and a support 'eip' field to the ASG resource for associating an EIP with a single instance ASG.
- Added AWS Cli install commands to vocabulary.
- Added `dns` to EIP Application Resource
- Added `cftemplate_iam_user_delegates_2019_10_02` legacy flag to make user delegate role stack names consistent with others.
- Added `route53_hosted_zone_2019_10_12` legacy flag for Route53 CFTemplate refactor.
- Added `route53_record_set_2019_10_16` legacy flag for the Route53 RecordSet refactor.
- Added `availability_zone` for locking in an ASG to a single Availability Zone.
- Added `parameter_group` to IElastiCache Application Resource
- Added `vpc_associations` to IPrivateHosted.
- Added `vpc_config` to the ILambda Application Resources
- Added `secrets_manager` to IIEnvironmentDefault.
- Added `ttl` to IDNS
- Added caching to instance AMI ID function.ref lookups.
- Added the EBS Application Resources.
Added `ebs_volume_mounts` to IASG to mount volumes to single instance groups.
- Added `launch_options` to IASG as an IEC2LaunchOptions object. The initial option is update_packages which will update the linux distributions packages on launch.
- Added resolve_ref() to Resource in base.py as a catch all.
### Changed
- ISecurityGroupRule `source_security_group` was moved to IIngressRule and IEgressRule (finally!)
has a `destination_security_group` field.
- `load_resources` was removed and you can now simply apply_attributes to
an Application and it will recurse through app.groups.<groupname>.resources.<resourcename>
without any external fiddling.
- Moved deepdiff CLI functions into `aim` project.
- IApplication is now IMonitorable. Alarms at the Application level must
specify their Namespace and Dimensions.
- Changed RDS `primary_domain_name` and `primary_hosted_zone` to an IDNS object
### Fixed
- Alarm overrides are now cast to the schema of the field. Fixes "threshold: 10" loading as in int()
when the schema expects a float().
6.0.0 (2019-09-27)
------------------
### Added
- ICloudWatchAlarms have `enable_ok_actions` and `enable_insufficient_data_actions` booleans
that will send to the notification groups when the alarm enters the OK or INSUFFICIENT_DATA states.
- `references.get_model_obj_ref` will resolve an paco.ref to a model object
and won't attempt to do Stack output lookups.
- Service plug-ins are loaded according to an `initilization_order` integer
that each plug-in can supply. If no integer is supplied, loading for unordered
plug-ins count up from 1000.
- Minimal API Gateway models for Methods, Resources, Models and Stages.
- S3Bucket NotificationConfiguration for Lambdas.
- S3Bucket has `get_bucket_name()` to return the full computed bucket name.
- IGlobalResources for project['resource'] to contain config from the ./Resources/ directory.
Resources such as S3 and EC2 now implement INamed and are loaded into project['resource'].
- ISNSTopic has `cross_account_access` which grants `sns:Publish` to all accounts in the AIM Project.
- IAccountContainer and IRegionContainer are lightweight containers for account and region information.
They can be used by Services that want to set-up Resources in a multi-account, multi-region manner.
### Changed
- CloudTrail defines CloudWatchLogGroup as a sub-object rather than an paco.ref.
- Alarms have `get_alarm_actions_paco_refs` renamed from `get_alarm_actions` as alarms can only provide
paco.refs and need to get the ARNs from the stacks.
- NotificationGroups are now Resources. Now they have regular working paco.ref's.
5.0.0 (2019-08-26)
------------------
### Added
- New field `paco.models.reference.FileReference` which resolves the path and replaces
the original value with the value of the file indicated by the path.
IApiGatewayRestApi.body_file_location uses this new field.
- ApiGatewayRestApi and CloudWatchAlarm have a `cfn_export_dict` property that
returns a new dict that can be used to created Troposphere resources.
- Added external_resource support to the ACM
- Added ReadOnly support to the Administrator IAMUserPermission
### Changed
- Multi-Dimension Alarms now need to specify an `paco.ref` as the Value.
- Added IAMUser schemas and loading for IAM users.
- Added a CommaList() schema type for loading comma separated lists into schema.List()
- Moved aim reference generation into the Model. Model objects now have .paco_ref and
.paco_ref_parts properties which contain their paco.ref reference.
- Renamed project['ne'] to project['netenv']
- Modified NatGateway segments to aim references
### Fixed
- Invariants were not being check for resources. Invariants need to be checked by the
loader if they are not contained in a `zope.schema.Object` field, which will run the
check behind the scenes.
4.0.0 (2019-08-21)
------------------
### Added
- IVPCPeering and IVPCPeeringRoute have been added to the model for VPC Peering support.
- Added a CloudTrail schema configured in `Resources/CloudTrail.yaml`.
- IS3BucketPolicy now has `principal` and `condition` fields.
`principal` can be either a Key-Value dictionary, where the key is either 'AWS', 'Service', etc.
and the value can be either a String or a List. It is an alternate to the `aws` field, which will
remain for setting simpler AWS-only principals.
The `condition` field is a Key-Value dictionary of Key-Value filters.
- Alarm now has 'get_alarm_actions' and 'get_alarm_description' to help construct alarms.
- CloudTrail has a 'get_accounts' which will resolve the CloudTrail.accounts field to a list
of Account objects in the model.
- IAlarm has `description` and `runbook_url` fields.
- CodePipeBuildDeploy.resolve_ref() function covers wider scope of ref lookups
- Added VPCPeering to the model.
- Added IElastiCache and IElastiCacheRedis to the model.
### Changed
- `MonitorConfig/LogSets.yaml` has been renamed to `MonitorConfig/Logging.yaml`. CloudWatch
logging is under the top level `cw_logging` key. The schema has been completely reworked
so that LogGroups and LogSets are properly modelled.
- IAccount.region, IEC2KeyPair.region and ICredentials.aws_default_region no longer have
`us-west-2` as a default. The region needs to be explicity set.
### Fixed
- IAlarm.classification is now a required field.
3.1.0 (2019-08-08)
------------------
### Added
- aim-project-version.txt file in the root directory can now contain the AIM Project YAML
version. IProject now has an paco_project_version field to store this value.
- ICloudWatchAlarm gets a namespace field. Can be used to override the default
Resource namespace, for example, use 'CWAgent' for the CloudWatch agent metrics.
- IResource now has a resource_fullname field. The fullname is the name needed to
specify for a metric in a CloudWatch Alarm.
- ICloudWatchAlarm now has a dimensions field, which is a List of Dimension objects.
- ITargetGroup now inherits from IResource. It loads resource_name from outputs.
3.0.0 (2019-08-06)
------------------
### Added
- New `MonitorConfig/NotificationGroups.yaml` that contains subscription groups for notifications.
- sdb_cache field for Lambda.
- Lambda can have alarms.
- ISNSTopic and ISNSTopicSubscription to model SNS.
### Changed
- All references have been renamed to start with ``paco.ref`` for consistency.
- AlarmSets, AlarmSet and Alarm all now implement INamed and
are locatable in the model
- Service plugins can load their outputs
2.0.0 (2019-07-23)
------------------
### Added
- Schema for Notifications for subscribing to Alarms
- Added S3Resource for Resources/S3.yml configuration
- Added Lambda resolve_ref support
### Changed
- Services are loaded as entry_point plugins named `paco.services`
- Refactored the models applications, resources, and services.
- Renamed IRoute53 to IRoute53Resource.
### Fixed
- CloudWatchAlarms now validate a classification field value of
'performance', 'health' or 'security' is supplied.
1.1.0 (2019-07-06)
------------------
### Added
- Added function.ref to be able to look-up latest AMI IDs
- Added more constraints to the schemas.
- Added default to IS3Bucket.policy
- Added Route53 to schema and model
- Added redirect to Listner rules in the ALB
### Changed
- Description attribute for Fields is now used to describe constraints.
- Ported CodeCommit to schema and model
- Refactored S3 to use Application StackGroup
- CPBD artifacts s3 bucket now uses S3 Resource in NetEnv yaml instead
- Converted the ALB's listener and listener rules to dicts from lists
### Removed
- Removed unused yaml config from pacodemo under fixtures.
1.0.1 (2019-06-19)
------------------
- Improvements to Python packaging metadata.
1.0.0 (2019-06-19)
------------------
- First open source release
Raw data
{
"_id": null,
"home_page": "https://github.com/waterbear-cloud/paco.models",
"name": "paco.models",
"maintainer": null,
"docs_url": null,
"requires_python": null,
"maintainer_email": null,
"keywords": "AWS, Cloud, Infrastructure as Code",
"author": "Waterbear Cloud",
"author_email": "hello@waterbear.cloud",
"download_url": null,
"platform": null,
"description": "# paco.models\n\nAn object model for semantic cloud infrastructure.\n\n`paco.models` parses a directory of YAML files that compose an Paco project and loads them\ninto a complete object model.\n\n\n## What's in the model?\n\nThe model defines common logical cloud infrastructure concepts, such as networks, accounts,\napplications and environments.\n\nThe model uses network and applications as hierarchical trees of configuration that can\nhave their values over rode when they are placed into environments. Environments live in a\nnetwork and contain applications, and typically represent the stages of the software development\nlifecycle (SDLC), such as 'development', 'staging' and 'production'.\n\nThe model has a declarative schema that explicitly defines the fields for each object type in the model.\nThis schema declares not only type (e.g. string, integer) but can also declare defaults, min and max values,\nconstrain to specific values, and define invariants that ensure that if one field has a specific value, another\nfields value is compatabile with that. The model will validates these fields when it loads a Paco project.\n\n\n## Developing\n\nInstall this package with your Python tool of choice. Typically set-up a virtualenv\nand pip install the dependencies in there:\n\n python -m venv env\n\n ./env/bin/pip install -e .\n\nThere are unit tests using PyTest. If you are using VS Code you can turn on the\n\"Py Test Enabled\" setting and run \"Discover Unit Tests\" command.\n\n\n## Generated Vocabulary\n\nThe module `paco.models.gen_vocabulary` is dynamically generated by the script `paco_update_gen_vocabulary`.\n\nTo run this script first install the paco.models (pip install -e .) project. Then create an IAM User in\nan active AWS account with read-only access and save them in your `.aws/credentials` file. If you aren't\nusing the default profile name, you can set the AWS_PROFILE environment variable.\n\nThe paco.models will create a handy profile.sh to set this up for you:\n\n$ source profile.sh\n\nSetup your AWS Credentials\n\n$ export AWS_DEFAULT_PROFILE=<aws profile name>\n\nThen simple run the command from the command line after sourcing profile.sh:\n\n$ paco_update_gen_vocabulary\n\nChangelog for paco.models\n=========================\n\n7.8.37 (2024-04-08)\n------------------\n\n### Added\n\n- Added IAM User default password legacy flag\n\n- Added Static IP support to Network Loadbalancers.\n\n- Added support for ubutnu ARM based ec2 image lookups\n\n\n7.8.36 (2023-12-21)\n------------------\n\n- Removed ECS SErvice tracking policy predefined metric's required flag\n\n\n7.8.35 (2023-09-26)\n------------------\n\n### Added\n\n- Added ECRReplicationConfiguration resource\n\n- Added external_resource to GuardDutyDetectorRegion\n\n- Added secrets_manager_default_2023_03_09 and ecs_tracking_policy_name_2023_08_29 legacy flags.\n\n- ECR Repository Replication\n\n- Changed Amazon Linux live patching Release Version field to required.\n\n- Implemented Live Amazon Linux 2023 OS and Kernel patching and version preservation.\n\n- Initalized command and entry_point lists in ECSContainerDefinition\n\n\n7.8.34 (2023-07-19)\n------------------\n\n### Added\n\n- Added Task role to ECS services\n\n\n7.8.33 (2023-06-27)\n------------------\n\n### Added\n\n- Added CloudWatch Logs resource\n\n- Added CrossZone configuration to ILoadBalancer\n\n- Added EventBridge Resource\n\n- Added LBNetwork to vocabulary file\n\n- Added NACL configuration support to Segments\n\n- Added RuleOverrideAction to WAFWebACL Rules\n\n- Added Sid field to the policy Statement() model object\n\n- Added WebACL support to ALB Listeners\n\n- Added disable_account_delegates to IAMUser to allow users to be created in any account\n\n- Added event_bus field to IEventsRule\n\n- Added get_arn() function to CloudWatchLogGroup model object\n\n- Added managed_policy_arns filed to the IAM User Custom Policy model object\n\n- Added manged_polcies support to IAM users to attach policies directly to the user.\n\n- Added me-central-1 (UAE) to vocabulary file\n\n- Added override_action to WAF Rule\n\n- Added support for Amazon Linux 2023\n\n- Aded Aurora Global Cluster support to RDS\n\n- Began implementing Lambda FunctionURL\n\n- Changed LoadBalacner ListenerRule 'host' field to a list.\n\n- Disabled list merging during dict merge in the loader\n\n### Fixed\n\n- Fixed PacoReference str_ok when used in Lists\n\n- Fixed a bug with lists in the paco model loader that have paco.ref references in them.\n\n### Changed\n\n- Modified SecurityGroupRule cidr_ip type to PacoReference from TextLine\n\n- Regenerated Vocabulary\n\n- Updated vocabulary\n\n\n7.8.32 ((2023-02-28))\n------------------\n\n### Added\n\n- Added ARM support for Amazon linux instance type for t4g instancs\n\n- Added AccessKeys IAM User permissions\n\n- Added AppConfig resource\n\n- Added CloudWatch Resource for Consolidated Monitoring Account configuration\n\n- Added Conditions to AssumeRolePolicy\n\n- Added EC2 Flow Logs for VPC\n\n- Added EC2 Flow Logs for VPC\n\n- Added EIP configuration to EC2 global resource\n\n- Added EIPs to paco ref resolutions\n\n- Added GuardDuty Resource\n\n- Added IAMPolicy Resource\n\n- Added Idenity Provider role to ECR Repositories\n\n- Added Identity Provider Roles to Lambda functions.\n\n- Added Image Scanning supprot to ECRRepository\n\n- Added Inspector Resource\n\n- Added Lifecycle Rules support to S3Buckets\n\n- Added Monitoring to GuardDuty\n\n- Added PacoService IResource\n\n- Added ReadOnly mode to EFS mounts\n\n- Added Reference Outputs lookups\n\n- Added ResponseHeaderPolicy to CloudFront resources.\n\n- Added Roles to resource.iam\n\n- Added Ubuntu 22.04 support to paco.ref ami function\n\n- Added VPCEIP to network.vpc configuration.\n\n- Added VPN Client Endpoint to VPC\n\n- Added a filter to remove Nones from any lists to clean up list merges.\n\n- Added ability for ECS services to override the LogGroup name, and added a boolean to disbale LogGroup creation.\n\n- Added ability for VPC Peering to associate the private hosted zone of the acceptor with the requester\n\n- Added account field to ILambda\n\n- Added assume_role_policies to BaseRole to allow for multi-statement AssumeRole policies.\n\n- Added availability zone field to VPN client endpoint.\n\n- Added codedeploy_stack_name_2022_07_07 as a legacy flag\n\n- Added config_scope arg to the loader\n\n- Added external_repository_arn to ECSRepository resources\n\n- Added externally_managed field to IAM User access keys to allow users to manage their own keys.\n\n- Added federated to Principal schema\n\n- Added full_repository_name to ECRRepository\n\n- Added hash_long_names to get_aws_name() LoadBalancer model object\n\n- Added ignore changes field to Loadbalancer ListenerRule target group\n\n- Added ignore fields to ECSContainer Definitions and individual servics\n\n- Added ignore_image_changes and ignore_capacity_changes to ECSServices config\n\n- Added input_artifact_action to support parallel action runs in CodePipeline\n\n- Added lambda_version to CloudFront lambda function associations\n\n- Added policy_actions, the ability to control Access to IDPRoles\n\n- Added region support to References for CloudWatch Resources\n\n- Added response_headers_policy_id to CloudFront Default cache behavior\n\n- Added support for gloabl EIPs to self-managed EC2 nat gateways\n\n- Added support to set the NAT instance AMI\n\n- Added t4g instance types to vocabulary.\n\n- Added tags field to IEBS\n\n- Added ubuntu-18 AMI function call lookup\n\n- Adding AWSLog config for ECSLogging\n\n- Adding EIPs config to EC2 resource.\n\n- Allowed ARNs in LBApplication listener ssl_certificates lists\n\n- Changed resource.iam.roles account string to accounts list.\n\n### Fixed\n\n- Fixed Outputs cache by separating netenv, server, resource, etc.\n\n- Fixed Outputs cache by separating netenv, server, resource, etc.\n\n- Fixed Route53 HostedZone invariant for private hosted zones when external resource is enabled.\n\n- Fixed amazon-linux-nat ec2 function filter.\n\n- Fixed amazon-linux-nat ec2 function filter.\n\n- Fixed error in loader when filtering out None's from merged lists\n\n- Fixed error in loader when filtering out None's from merged lists\n\n- Fixed model_obj on resource.route53 paths\n\n- Fixed monitoring notification group filtering\n\n### Changed\n\n- Implemented VPC VPN Client Endpoint\n\n- Made ECSASGConfiguration Deployable\n\n- Porting to troposphere 4.x\n\n- Prefix cp- to ECS Capacity provider names if they start with aws, ecs, or fargat\n\n- Removed breakpoint() calls.\n\n- Started adding Identity Provider support to Base Roles\n\n\n7.8.31 ((2022-07-08))\n------------------\n\n### Added\n\n- Added ALB Listener Default Actions\n\n- Added PacoServiceHook to IS3Bucket\n\n- Added Postgres 12.11 to generated vocabulary\n\n- Added S3 Registry Hooks\n\n- Added a feature_flag option to project.yaml\n\n- Added get_object() function to Reference() to return reference's object\n\n- Added paco.ref alias...: key functionality\n\n- Added prefix_environment_name and new logic to ECR Repository name generation and config\n\n- Added resolve_from_outputs to get_resolve_ref_obj() in references\n\n- Added s3_buckets to ILambda for explicit Lambda Permission to InvokeFunction\n\n- Added to_dict() to AlarmNotifications() model object\n\n- Added to_dict() to AlarmNotifications() model object\n\n### Fixed\n\n- Fixed None reference in metrics\n\n- Fixed generated service config to allow paco_service_hooks without a config\n\n\n7.8.30 ((2022-06-02))\n------------------\n\n### Added\n\n- Added build artifacts to .gitignore\n\n- Added build artifacts to .gitignore\n\n- Added netenv helepr functions to Reference()\n\n- Added support for duplicated appliactions to generated service config\n\n- Added windows_2016 to vocabulary\n\n7.8.29 ((2022-05-25))\n------------------\n\n### Added\n\n- Added gen_name() to Rerference() for generating a commonly unique name\n\n- Added support to normalize refs in sevice generated configurations.\n\n- Added support to normalize refs in sevice generated configurations.\n\n- Made gp3 the default EBS Volume Type\n\n- New defaults for ALB and CloudFront security Policies\n\n\n7.8.28 (2022-05-06)\n------------------\n\n### Added\n\n- Added LoadBalancer and TargetGroup automated support to Alarms\n\n- Added enable/disbale to ITargetGroup\n\n- Added monitoring to ITargetGroup\n\n7.8.27 (2022-05-01)\n------------------\n\n### Changed\n\n- Testing PyPi Build and Upload\n\n\n7.8.26 (2022-05-01)\n------------------\n\n### Changed\n\n- Testing PyPi Build and UPload\n\n\n7.8.25 (2022-05-01)\n-------------------\n\n### Added\n\n- Implemented a default_password field for IAM users to work around password resctriptions.\n\n- Added cost_disabled field to ILoadBalancer to allow ALB's to be disabled\n\n- Added default of 30 days to ICloudWatchLogRetention()\n\n- Added get_aws_name() to LoadBalancers\n\n- Added support for CostDisabled ALBS\n\n- Added project Environment Variables support to CodeBuild.\n\n- Added GitHub CodeStar connection support\n\n- Added DetectChanges to DeploymentPipelines\n\n- Implemented new PacoServiceHook\n\n- Added netenv support to paco.ref alias\n\n- Added resolve_from_outputs boolean to force outputs lookup\n\n- Added more CodeDeploy Service hooks to implement Blue/Green deployments\n\n- Added Service Hook schema for CodeDeploy action in Deployment Pipeliens\n\n### Fixed\n\n- Fixed error with alias and service process callbacks in the loader.\n\n- FIxed LogGroup expiry defaults\n\n### Changed\n\n- Started looking at AWS layers\n\n- Removed requirement for IDeploymentPipelineCodeStarConnectionSourceAction owner and repository fields.\n\n7.8.24 (2022-03-25)\n-------------------\n\n### Changed\n\n- Separated FilePermissions for group, owner, and mode configuration\n\n### Added\n\n- Added LifeCycle Policies to ECRRepository resources.\n\n- Added ubuntu_20 to instance_ami paco.ref function\n\n- Added support for CIS hardened Ubuntu 18 AMI paco.ref function\n\n- Added event bridge notification access to SNS topcis\n\n- Added Event Pattern support to EventsRules\n\n- Added notifications to EventsRules\n\n- Added CodeStar connection ARN field to CodePipeline source configuration for BitBucket.\n\n7.8.23 (2022-03-04)\n-------------------\n\n### Fixed\n\n- Fixed IRDSClusterInstances taggedValue arguments.\n\n### Added\n\n- Added DNS to ElastiCache\n- Added Environment Type to CodeBuild DeploymentPipelie configuration\n- Added Alias feature for consolidating commonly modified configuration in one location\n- Added get_environment_name method to Reference()\n\n7.8.22 (2022-02-09)\n-------------------\n\n### Added\n\n- Added Build Batch configuration to CodeBuild\n\n7.8.21 (2022-02-08)\n-------------------\n\n### Added\n\n- Added github source configration to CodeBuild\n\n- Added enable_automatic_backups to IEFS\n\n### Fixed\n\n- Fixed the loader's get_all_nodes() from 'if obj:' returning False when it is a valid obj.\n\n### Changed\n\n- Enabled encryption at rest on EFS by default\n\n7.8.20 (2022-01-31)\n-------------------\n\n### Added\n\n- Added CodeBuild Artifacts configuration\n\n\n7.8.19 (2022-01-27)\n-------------------\n\n### Added\n\n- Added deployment_branch_name to CodeBuild GitHub source configuration\n\n- Added source_security_group_owner to ISecurityGroup for cross account access\n\n- Added peer_type to Peering config\n\n- Added vpc_config configuration to codebuild\n\n- Added availability_zone to VPC Endpoints configuration.\n\n### Fixed\n\n- Fixed up VPC Peering between netenvs\n\n- Fixed get_resolve_ref_obj if value is an integer\n\n7.8.18 (2021-12-17)\n-------------------\n\n### Changed\n\n- Updated generated vocabulary.\n\n### Added\n\n- Implemented IAM Role resources\n\n7.8.17 (2021-11-24)\n-------------------\n\n### Added\n\n- Added 'disable_codepipeline' to IDeploymentPipelineConfiguration to allow stage resource to be build independently.\n\n- Added CodeBuild GitHub source configuration\n\n7.8.16 (2021-11-23)\n-------------------\n\n### Changed\n\n- Modified IECSService's deployment_minimum_healthy_percent minimum from 1 to 0.\n\n### Added\n\n- Added namespace by metric vocabulary lookup to automate ASG namespaces for CWAgent and AWS/EC2\n\n- Added region to ILambda resource.\n\n- Implemented SystemsManagerSession IAM delegates policy\n\n- Added ManualApproval to isPacoDeploymentPipelinePermissionPolicyValid for IAM permissions.\n\n- Added AAAA to Route53 Record set types\n\n- Added ubuntu_18_cis ami_type to vocabulary\n\n7.8.15 (2021-10-04)\n-------------------\n\n### Added\n\n- Added import_from logic for CodeCommit\n\n- Added TLSv1.2_2021 minimum cloudfront protocol version\n\n7.8.14 (2021-09-10)\n-------------------\n\n### Changed\n\n- Updated generated vocabulary\n\n### Added\n\n- Added Security Groups service hooks to the registry\n\n- Added SPF Route53 RecordSet type to validation\n\n- Added HealthCheckPort to load balancers\n\n- Added WAFv2 WebACL Resource\n\n7.8.13 (2021-08-26)\n-------------------\n\n### Added\n\n- Added bucket_owner_preferred boolean to S3Bucket resources\n\n- Implemented S3 Replication Configuration for destination buckets\n\n- Added a backup_restore_bucket RDS Option field to RDSSQLServerExpress resource.\n\n- Added import_from support for netenvs\n\n- Added ECR Repository field to IASG for automated permissions.\n\n- Adding BitBucket support to deployment pipelines.\n\n- Added IASGPatchManager for automated Windows patching\n\n### Fixed\n\n- Fixed RDSClusterDefaultInstance monitorability\n\n\n7.8.12 (2021-06-08)\n-------------------\n\n### Added\n\n- Implemented SQLServerExpress RDS\n\n- Added redirect_path to IListenerRules\n\n- Updated generated Vocabulary\n\n- Added 'windows' generic AMI type\n\n- Added VPC Endpoints configuration\n\n- Added elb account id map to vocabulary\n\n- Added windows_2019 to ami_types vocabulary\n\n- Added bool to base obj_hash() method.\n\n### Fixed\n\n - Fixed exception in get_formatted_model_context when handling exceptions.\n\n7.8.11 (2021-05-11)\n-------------------\n\n### Fixed\n\n- Fixed missing event_notifications field in RDSClusterDefaultInstance\n\n- Fixed uninitialized repo_by_account in CodeCommit model object.\n\n7.8.10 (2021-05-04)\n-------------------\n\n### Added\n\n- Added region field to DeploymentPipeline configuration\n\n7.8.9 (2021-04-23)\n------------------\n\n### Added\n\n- Added support to disable Target Groups on ASGs\n\n- Added support to disable services in ECSServices\n\n7.8.8 (2021-04-19)\n------------------\n\n### Fixed\n\n- Added resolve_ref to ApplicationEngine model object to fix some paco ref lookups.\n\n\n7.8.7 (2021-04-09)\n------------------\n\n### Added\n\n- Added CW_ALARM_DESCRIPTION_HOOK to Paco registry\n- Added notification_groups field to CW Alarm descriptions\n\n### Fixed\n\n- Fixed exception for un-initialized value in Parent base class obj_hash method\n\n7.8.6 (2021-04-06)\n------------------\n\n### Added\n\n- Added codestar_notification_access boolean to sns topics for access policy\n\n7.8.5 (2021-04-02)\n------------------\n\n### Added\n\n- Added monitoring and notification_events to DeploymentPipeline\n- Added an ECS utility to the script manager for ASGs\n\n### Changed\n\n- Modified defaults for Load Balancer and CloudFront SSL security policy.\n\n7.8.4 (2021-03-15)\n------------------\n\n### Added\n\n- Added ImportFrom functionality.\n\n\n7.8.3 (2021-03-11)\n------------------\n\n### Added\n\n- Additional EC2 instance sizes.\n\n\n7.8.2 (2021-02-24)\n------------------\n\n### Added\n\n- New `cache_policy_id` and `origin_request_policy_id` fields to `ICloudFrontDefaultCacheBehavior` schema.\n\n\n7.8.1 (2021-02-05)\n------------------\n\n### Added\n\n- Add `force_dns_enabled` to `IDNSEnablable`.\n\n\n7.8.0 (2021-02-04)\n------------------\n\n### Changed\n\n- The original deprecated `snstopics` resource has been removed and only the new `sns` resource remains.\n\n\n7.7.6 (2021-02-03)\n------------------\n\n- Add `external_resource` to `ICloudWatchLogGroup`.\n\n\n7.7.5 (2021-01-29)\n------------------\n\n- Add `script_manager` to `IASG` for ECR Deployments.\n\n\n7.7.4 (2021-01-13)\n------------------\n\n### Changed\n\n- EC2 `launch_options.codedeploy_agent` was defaulting to True. It is now False by default.\n\n### Fixed\n\n- Fixed DynamoDB Table resolve_ref.\n\n7.7.3 (2021-01-05)\n------------------\n\n### Added\n\n- ECS ASG Capacity Provider has a `managed_instance_protection` field.\n\n7.7.2 (2021-01-05)\n------------------\n\n### Added\n\n- ECS Service has a `capacity_providers` field for ECS Capacity Providers.\n\n- ECS Cluster has a `capacity_providers` field that is the default if no `launch_type` is specified.\n\n7.7.1 (2020-12-31)\n------------------\n\n### Added\n\n- ReleasePhases for DeploymentPipeline CodeBuild actions.\n\n7.7.0 (2020-12-23)\n------------------\n\n### Changed\n\n- Add support for Network Load Balaners. New `IloadBalancer` base class and `IApplicationLoadBalancer` and `INetworkLoadBalancer` classes.\n The `LBApplication` class has been renamed to `ApplicationLoadBalancer`.\n\n### Added\n\n- AlarmDescription metadata now includes a 'ref' field, which is the paco.ref parts to the Alarm resource.\n\n- Constraint for `IS3BucketPolicy` and `IStatement` for the `condition` field to check for valid AWS Constraint.\n\n- `IBackupPlan` has new `copy_actions` field.\n\n- Initial schemas for DynamoDB.\n\n### Fixed\n\n- AdminIAMUsers for `IAccount` is now a container with a `name`.\n\n- ListenerRules for `IListener` for load balancers is now a container with a `name`.\n\n- CloudFrontOrigins for `ICloudFront` is now a container with a `name`.\n\n- CloudFrontFactories for `ICloudFront` is now a container with a `name`.\n\n\n7.6.1 (2020-11-12)\n------------------\n\n### Added\n\n- Added `codedeploy_agent` to field to `EC2LaunchOptions`.\n\n\n7.6.0 (2020-11-07)\n------------------\n\n### Fixed\n\n - Cross-account netenv refs are properly detected and don't get munged.\n\n - `add_stack_hooks` can be called before or **after** template initialization and be registred.\n\n - IoTPolicy now works with Services.\n\n### Added\n\n- Add `add_paco_suffix` field to `S3Bucket` resource.\n\n- Lambda Triggers for CognitoUserPool\n\n- Path fields that go to a local path can now use `~/` to expand to the home directory path.\n\n- `IECSServices` has `setting_groups` field.\n\n- `IApiGatewayResource` has `child_resources` and `enable_cors` fields.\n\n- New method `Project.get_all_resources_by_type()` which depends upon a Project resource registry which\n contains a dict of all application resources grouped by type. Easily query across applications!\n\n- loader has a `validate_local_paths` to allow loading the model from a CI/CD or other environments\n that may not have local paths available.\n\n- New `IBinaryFileReference` to load binary files.\n\n- CloudFront LambdaFunctionAssociation support and Lambda@Edge initial support.\n\n- Initial Cognito support with resource types for `ICognitoUserPool` and `ICognitoIdentityPool`.\n\n- TargetGroup has a `target_type` field.\n\n- ECSServices has Fargate support.\n\n- ECSService has a `target_tracking_scaling_policies` for service scaling.\n\n- Helpful errors for misconfigured AlarmSets.\n\n- Added `monitoring` to `ECSServices` and `ECSCluster`.\n\n- Added `ecr_repositories` to `IDeploymentPipelineBuildCodeBuild` to simplify declaring\n ECR Repository permissions.\n\n- Added a `add_stack_hooks` to `paco.models.base.Resource`.\n\n### Changed\n\n- YAML file loading now accounts for case-sensitive filesystems, but allowing for directory names and\n filenames to either be lower-case or capitalized.\n\n- Renamed `IApiGatewayMethod` for ApiGatewayRestApi from `resource_id` to `resource_name`\n to better reflect the name matches the resources of the gatewway.\n\n- Renamed `IAWSCertificateManager` to `IACM` so that it matches it's Resource Type name.\n\n- ApiGatewayRestApi doesn't supply a name in it's CloudFormation export\n\n\n7.5.0 (2020-09-17)\n------------------\n\n### Added\n\n- Added `paco.models.registry` as a place to contain configuration that extends or changes Paco.\n\n- Added `IIAMUserResource` as an application-level IAMUser resource.\n\n- Minimal `IPinpointApplication` schema for AWS Pinpoint support.\n\n- AlarmSets and CWLogging are loaded into `project.monitor`. These are used by `paco describe` feature.\n\n- Added `extend_base_schema` hook to the loader to allows Services to extend schemas before the loader loads.\n\n- Container loader can load empty objects (objects with no fields, only a name)\n\n### Changed\n\n- `paco.modes.services.list_service_plugins` changed to `list_enabled_services`. Returns ony enabed services\n in a dict format.\n\n- `IIAMUserProgrammaticAccess` changed to `IEnablable` and now defaults to True.\n\n- The `ICloudFrontCustomErrorResponse` field `error_caching_min_ttl` has a default of 300.\n\n- PyLance detected fixes: re-arrange `IRDS` schema so it no longer provides `IResource`.\n https://github.com/microsoft/pylance-release\n\n\n7.4.0 (2020-07-14)\n------------------\n\n### Added\n\n- DeploymentPipeline now has an `ECR.Source` action.\n\n- Added `IEnablable` that is the same as `IDeployable` except it defaults to true.\n\n- Added `IRDSMysqlAurora` and `IRDSPostgresqlAurora` for Aurora support.\n\n- Added users and groups to `resource/ec2.yaml` and `ssh_access` to IASG.\n\n- ECSSerivce additional fields for deployment_maximum_percent, deployment_minimum_healthy_percent and\n health_check_grace_period_seconds.\n\n- ISecretManagerSecret now has an `account` field to specify it belongs to a specific account.\n\n### Changed\n\n- `IDeploymentPipelineStageAction` uses IEnablable so that deployment actions are enabled by default.\n\n- `ISNSTopic` uses IEnablable so that topics are enabled by default.\n\n7.3.0 (2020-06-22)\n------------------\n\n### Added\n\n- ICodeCommitUser has a permissions field that can be ReadWrite or ReadOnly.\n\n- IDeploymentPipelineBuildCodeBuild has a `buildspec` field.\n\n- New `paco.models.gen_vocabulary` of vocabularies dynamically generated from AWS API calls. Added vocabulary for\n AWS AMI Ids.\n\n- `paco.ref function` now supports a `:` synatx to pass extra context to a function\n\n- New `paco.aws` package with `paco.ref function` calls. First call is `paco.aws.ami_id:latest.amazon-linux-2-ecs`\n\n- ECS Cluster with initial EC2 AutoScalingGroup support.\n\n- New `resource/sns.yaml` fiel with SNS global resource to allow SNS Topics and Subscriptions to be provisioned\n across any combination of accounts/regions.\n\n- AWS Config support added in ``resource/config.yaml``.\n\n- ICloudTrail now has a ``kms_users`` field which is a list of IAM Users granted access to encrypted CloudTrail logs.\n\n### Changed\n\n- ISNSTopics has a locations field. This only applies for `resource/sns.yaml`\n\n- The IASG `instance_iam_role` field is no longer a required field.\n\n- The home / config_folder is now a pathlib.Path object.\n\n\n7.2.0 (2020-05-09)\n------------------\n\n### Added\n\n- Added ``IASG.launch_options.ssm_agent`` to indicate if SSM Agent should be installed.\n\n- Added ``IRDSPostgresql`` with RDS for Postgresql support. Added complete list of RDS EngineVerions for\n Mysql and Postgresql to vocabulary.\n\n### Changed\n\n- Vocabulary for instance_ami_type expanded to include OS major release or other significant attributes.\n\n- Added ``poll_for_source_changes`` to IDeploymentPipelineSourceGitHub.\n\n- ``Lambda:code:zipfile`` can now be a path to a local directory.\n\n7.1.0 (2020-04-04)\n------------------\n\n### Migration\n\n- ASG field's ``update_policy_max_batch_size`` and ``update_policy_min_instances_in_service`` are removed.\n Instead use the ASG field ``rolling_update_policy`` and set ``max_batch_size`` and ``min_instances_in_service``.\n\n### Added\n\n- New ``managed_policies`` for IIAMUserPermissionCustomPolicy to allow easily adding AWS Managed Policies.\n\n- IIoTAnalyticsPipeline, IIoTTopicRule and IIoTPolicy schemas and implementation to support core IoT\n ingestion and analysis.\n\n- IListener has an ``ssl_policy`` for setting the SslPolicy for a SSL Listener.\n\n7.0.2 (2020-03-14)\n------------------\n\n### Fixed\n\n- Restore cfn-init wget command.\n\n\n7.0.1 (2020-03-14)\n------------------\n\n### Added\n\n- IDeploymentPipelineDeployS3 has input_artifacts field for Stages/Actions.\n\n7.0.0 (2020-03-06)\n------------------\n\n### Migration\n\n- NotifcationGroups was renamed to SNSTopics.\n Migration: git mv resource/NotificationGroups.yaml resource/snstopics.yaml\n\n- IEventsRule now has an IEventTarget instead of just a paco.ref to the target. This\n allows you to specify the input_json for the target.\n\n### Added\n\n- IManagedPolicy has a policy_name field which can be used to specify the name of IAM Policy in AWS.\n\n- IDeploymentPipelineSourceGitHub to model GitHub.Source actions for CodePipeline.\n\n- IDeploymentPipeline has a stages field which can be used to create more flexible Stages and Actions\n than the pre-baked source/build/deploy fields.\n\n### Changed\n\n- IS3Resource now has an IS3Buckets instead of a dict and references for global buckets\n has been cleaned up.\n\n### Fixed\n\n- All IVPC schemas with dicts have been replaced by INamed objects so that they can provide a paco_ref.\n\n6.4.1 (2020-02-19)\n------------------\n\n### Added\n\n- New IVersionControl schema for a IProject configuration.\n\n\n6.4.0 (2020-02-17)\n------------------\n\n### Added\n\n- IElasticsearchDomain schema.\n\n- ASG has instance_ami_ignore_changes field to indicate the AMI Id is being updated\n externally.\n\n- paco.ref function can now call any arbitrary Python function.\n\n- Add enabled_state for IEventRule.\n\n- Added log_group_names and expire_events_after_days to ILambda to allow it to\n manage Log Groups and set a Retention period.\n\n### Changed\n\n- Superflous ICodeCommitRepositoryGroups was removed and ICodeCommit is the container\n now for an ICodeCommitRepositoryGroup.\n\n### Fixed\n\n- Fix errors thrown by loader when loading environments with empty config.\n\n6.3.7 (2020-02-05)\n------------------\n\n### Added\n\n- Full set of fields for `generate_secret_string` for Secrets.\n\n### Fixed\n\n- Lambda.add_environment_variable was not passing the parent.\n\n\n6.3.6 (2020-01-29)\n------------------\n\n### Added\n\n- Error message when cfn-init files with !Sub and !Join can't be parsed.\n\n\n6.3.5 (2020-01-23)\n------------------\n\n### Fixed\n\n- Ubuntu awscli install had extra whitespace which could stop up UserData.\n\n\n6.3.4 (2020-01-16)\n------------------\n\n### Added\n\n- Added external_resource field for ICodeCommit.\n\n\n6.3.3 (2020-01-09)\n------------------\n\n### Added\n\n- The TextReference class was renamed PacoRefernce and can now be passed `schema_constraint` with the\n name or Schema that it must be a reference to.\n\n- Support for `users` and `groups` in cfn-init. Invariant to prevent user name duplicating group name.\n\n### Changed\n\n- Temporarily disable chmod 400 check on .credentials to support filesystems that don't have permissions.\n\n- CodeCommit contains CodeCommitRepositoryGroups and CodeCommitRepostory group objects instead of a two-level dict.\n Fixes docs and simplifies loader.\n\n### Fixed\n\n- `Lambad.add_environment_variable` passes parent.\n\n6.3.2 (2020-01-06)\n------------------\n\n### Changed\n\n- Schema clean-up, removed IMapping for all schemas that do not actually use it.\n\n- Removed unused managed_udpates field for IApplication.\n\n\n6.3.1 (2020-01-03)\n------------------\n\n### Added\n\n- IRoute53HealthCheck has ip_address field.\n\n- resource/snstopics.yaml is an alias for resource/notificationgroups.yaml\n\n- raise_invalid_reference method to display helpful message when a ref look-up fails.\n\n### Fixed\n\n- cfn-init package sets were only loading for item, now loads all package types.\n\n- ICloudWatchLogSource log_stream_name is a required field, if it's empty the agent won't launch.\n\n\n6.3.0 (2019-12-03)\n------------------\n\n### Added\n\n- ICloudWatchDashboard for CloudWatch Dashboard resources.\n\n- Route53 Health Checks have domain_name and enable_sni fields.\n\n### Changed\n\n- Invariant errors in schema checks have non-confusing error message.\n\n\n6.2.1 (2019-11-29)\n------------------\n\n- Fixes for the AIM to paco rename.\n\n\n6.2.0 (2019-11-28)\n------------------\n\n### Changed\n\n- Package rename: `paco.models` is now `paco.models`, consistent with the tool being\n renamed to `paco`.\n\n- Top-level directories have been renamed to be consistent with their names in the model:\n NetworkEnvironments --> netenv\n Resources --> resource\n Services --> service\n Accounts --> account\n MonitorConfig --> monitor\n The loader will look for `NetworkEnvironments` and if it exists use the legacy names.\n\n### Added\n\n- Added support for AWS Backup Vault. There can now be global backup_vaults field in NetworkEnvironment YAML files.\n These can be overrode in EnvironmentDefault and EnvironmentRegion configuration sections.\n\n- Added support for block_device_mappings for IASG.\n\n6.1.0 (2019-11-06)\n------------------\n\n### Added\n\n- Applications can be provisioned in the same environment more than once with a new\n \"app{suffix}\" syntax for an environments application keys.\n\n- INotificationGroups has a regions field, if it is the default of ['ALL'] it will apply to\n all of a project's active regions. Otherwise is will just provision in the selected region(s).\n\n- ICloudFormationInit for modelling AWS::CloudFormation::Init, which can be applied to\n the IASG.cfn_init field.\n\n- ICloudWatchLogAlarm schema. ICloudWatchAlarm now has \"type: Alarm\" and if it is \"type: LogAlarm\"\n an ICloudWatchLogAlarm will be created which can be used to connect an alarm to a MetricFilter\n of a LogGroup.\n\n- IDBParameterGrouups resource.\n\n- IElastiCache has `description` and `cache_clusters` fields, while IElastiCacheRedis has `snapshot_retention_limit_days`\n and `snapshot_window` fields.\n\n- IRDS has new `license_model`, `cloudwatch_logs_export` and `deletion_protection` fields.\n\n- `global_role_name` field for IAM Role can be set to True and the RoleName\n will not be hashed. Can only be used for global Roles, otherwise if these\n Roles overlap per-environment, things will break!\n\n- `monitoring.health_checks` which can contain HealthCheck Resources.\n IRoute53HealthCheck resource for Route53 health checks.\n\n- `region_name` property can be overrode if a `overrode_region_name` attribute is set.\n\n- Added a CodeBuild IAM Permission for IAM Users\n\n- Added `resolve_ref` method to DeploymentPipelineConfiguration\n\n- Added the EIP Application Resource and a support 'eip' field to the ASG resource for associating an EIP with a single instance ASG.\n\n- Added AWS Cli install commands to vocabulary.\n\n- Added `dns` to EIP Application Resource\n\n- Added `cftemplate_iam_user_delegates_2019_10_02` legacy flag to make user delegate role stack names consistent with others.\n\n- Added `route53_hosted_zone_2019_10_12` legacy flag for Route53 CFTemplate refactor.\n\n- Added `route53_record_set_2019_10_16` legacy flag for the Route53 RecordSet refactor.\n\n- Added `availability_zone` for locking in an ASG to a single Availability Zone.\n\n- Added `parameter_group` to IElastiCache Application Resource\n\n- Added `vpc_associations` to IPrivateHosted.\n\n- Added `vpc_config` to the ILambda Application Resources\n\n- Added `secrets_manager` to IIEnvironmentDefault.\n\n- Added `ttl` to IDNS\n\n- Added caching to instance AMI ID function.ref lookups.\n\n- Added the EBS Application Resources.\n Added `ebs_volume_mounts` to IASG to mount volumes to single instance groups.\n\n- Added `launch_options` to IASG as an IEC2LaunchOptions object. The initial option is update_packages which will update the linux distributions packages on launch.\n\n- Added resolve_ref() to Resource in base.py as a catch all.\n\n### Changed\n\n- ISecurityGroupRule `source_security_group` was moved to IIngressRule and IEgressRule (finally!)\n has a `destination_security_group` field.\n\n- `load_resources` was removed and you can now simply apply_attributes to\n an Application and it will recurse through app.groups.<groupname>.resources.<resourcename>\n without any external fiddling.\n\n- Moved deepdiff CLI functions into `aim` project.\n\n- IApplication is now IMonitorable. Alarms at the Application level must\n specify their Namespace and Dimensions.\n\n- Changed RDS `primary_domain_name` and `primary_hosted_zone` to an IDNS object\n\n### Fixed\n\n- Alarm overrides are now cast to the schema of the field. Fixes \"threshold: 10\" loading as in int()\n when the schema expects a float().\n\n6.0.0 (2019-09-27)\n------------------\n\n### Added\n\n- ICloudWatchAlarms have `enable_ok_actions` and `enable_insufficient_data_actions` booleans\n that will send to the notification groups when the alarm enters the OK or INSUFFICIENT_DATA states.\n\n- `references.get_model_obj_ref` will resolve an paco.ref to a model object\n and won't attempt to do Stack output lookups.\n\n- Service plug-ins are loaded according to an `initilization_order` integer\n that each plug-in can supply. If no integer is supplied, loading for unordered\n plug-ins count up from 1000.\n\n- Minimal API Gateway models for Methods, Resources, Models and Stages.\n\n- S3Bucket NotificationConfiguration for Lambdas.\n\n- S3Bucket has `get_bucket_name()` to return the full computed bucket name.\n\n- IGlobalResources for project['resource'] to contain config from the ./Resources/ directory.\n Resources such as S3 and EC2 now implement INamed and are loaded into project['resource'].\n\n- ISNSTopic has `cross_account_access` which grants `sns:Publish` to all accounts in the AIM Project.\n\n- IAccountContainer and IRegionContainer are lightweight containers for account and region information.\n They can be used by Services that want to set-up Resources in a multi-account, multi-region manner.\n\n### Changed\n\n- CloudTrail defines CloudWatchLogGroup as a sub-object rather than an paco.ref.\n\n- Alarms have `get_alarm_actions_paco_refs` renamed from `get_alarm_actions` as alarms can only provide\n paco.refs and need to get the ARNs from the stacks.\n\n- NotificationGroups are now Resources. Now they have regular working paco.ref's.\n\n5.0.0 (2019-08-26)\n------------------\n\n### Added\n\n- New field `paco.models.reference.FileReference` which resolves the path and replaces\n the original value with the value of the file indicated by the path.\n IApiGatewayRestApi.body_file_location uses this new field.\n\n- ApiGatewayRestApi and CloudWatchAlarm have a `cfn_export_dict` property that\n returns a new dict that can be used to created Troposphere resources.\n\n- Added external_resource support to the ACM\n\n- Added ReadOnly support to the Administrator IAMUserPermission\n\n### Changed\n\n - Multi-Dimension Alarms now need to specify an `paco.ref` as the Value.\n\n- Added IAMUser schemas and loading for IAM users.\n\n- Added a CommaList() schema type for loading comma separated lists into schema.List()\n\n- Moved aim reference generation into the Model. Model objects now have .paco_ref and\n .paco_ref_parts properties which contain their paco.ref reference.\n\n- Renamed project['ne'] to project['netenv']\n\n- Modified NatGateway segments to aim references\n\n### Fixed\n\n- Invariants were not being check for resources. Invariants need to be checked by the\n loader if they are not contained in a `zope.schema.Object` field, which will run the\n check behind the scenes.\n\n\n4.0.0 (2019-08-21)\n------------------\n\n### Added\n\n - IVPCPeering and IVPCPeeringRoute have been added to the model for VPC Peering support.\n\n - Added a CloudTrail schema configured in `Resources/CloudTrail.yaml`.\n\n - IS3BucketPolicy now has `principal` and `condition` fields.\n `principal` can be either a Key-Value dictionary, where the key is either 'AWS', 'Service', etc.\n and the value can be either a String or a List. It is an alternate to the `aws` field, which will\n remain for setting simpler AWS-only principals.\n The `condition` field is a Key-Value dictionary of Key-Value filters.\n\n - Alarm now has 'get_alarm_actions' and 'get_alarm_description' to help construct alarms.\n\n - CloudTrail has a 'get_accounts' which will resolve the CloudTrail.accounts field to a list\n of Account objects in the model.\n\n - IAlarm has `description` and `runbook_url` fields.\n\n - CodePipeBuildDeploy.resolve_ref() function covers wider scope of ref lookups\n\n - Added VPCPeering to the model.\n\n - Added IElastiCache and IElastiCacheRedis to the model.\n\n### Changed\n\n - `MonitorConfig/LogSets.yaml` has been renamed to `MonitorConfig/Logging.yaml`. CloudWatch\n logging is under the top level `cw_logging` key. The schema has been completely reworked\n so that LogGroups and LogSets are properly modelled.\n\n - IAccount.region, IEC2KeyPair.region and ICredentials.aws_default_region no longer have\n `us-west-2` as a default. The region needs to be explicity set.\n\n### Fixed\n\n - IAlarm.classification is now a required field.\n\n\n3.1.0 (2019-08-08)\n------------------\n\n### Added\n\n- aim-project-version.txt file in the root directory can now contain the AIM Project YAML\n version. IProject now has an paco_project_version field to store this value.\n\n- ICloudWatchAlarm gets a namespace field. Can be used to override the default\n Resource namespace, for example, use 'CWAgent' for the CloudWatch agent metrics.\n\n- IResource now has a resource_fullname field. The fullname is the name needed to\n specify for a metric in a CloudWatch Alarm.\n\n- ICloudWatchAlarm now has a dimensions field, which is a List of Dimension objects.\n\n- ITargetGroup now inherits from IResource. It loads resource_name from outputs.\n\n\n3.0.0 (2019-08-06)\n------------------\n\n### Added\n\n- New `MonitorConfig/NotificationGroups.yaml` that contains subscription groups for notifications.\n\n- sdb_cache field for Lambda.\n\n- Lambda can have alarms.\n\n- ISNSTopic and ISNSTopicSubscription to model SNS.\n\n### Changed\n\n- All references have been renamed to start with ``paco.ref`` for consistency.\n\n- AlarmSets, AlarmSet and Alarm all now implement INamed and\n are locatable in the model\n\n- Service plugins can load their outputs\n\n\n2.0.0 (2019-07-23)\n------------------\n\n### Added\n\n- Schema for Notifications for subscribing to Alarms\n\n- Added S3Resource for Resources/S3.yml configuration\n\n- Added Lambda resolve_ref support\n\n### Changed\n\n- Services are loaded as entry_point plugins named `paco.services`\n\n- Refactored the models applications, resources, and services.\n\n- Renamed IRoute53 to IRoute53Resource.\n\n### Fixed\n\n - CloudWatchAlarms now validate a classification field value of\n 'performance', 'health' or 'security' is supplied.\n\n\n1.1.0 (2019-07-06)\n------------------\n\n### Added\n\n- Added function.ref to be able to look-up latest AMI IDs\n\n- Added more constraints to the schemas.\n\n- Added default to IS3Bucket.policy\n\n- Added Route53 to schema and model\n\n- Added redirect to Listner rules in the ALB\n\n### Changed\n\n- Description attribute for Fields is now used to describe constraints.\n\n- Ported CodeCommit to schema and model\n\n- Refactored S3 to use Application StackGroup\n\n- CPBD artifacts s3 bucket now uses S3 Resource in NetEnv yaml instead\n\n- Converted the ALB's listener and listener rules to dicts from lists\n\n### Removed\n\n- Removed unused yaml config from pacodemo under fixtures.\n\n\n1.0.1 (2019-06-19)\n------------------\n\n- Improvements to Python packaging metadata.\n\n\n1.0.0 (2019-06-19)\n------------------\n\n- First open source release\n\n\n",
"bugtrack_url": null,
"license": null,
"summary": "paco.models: Semantic cloud infrastructure configuration file format and object model",
"version": "7.8.37",
"project_urls": {
"Homepage": "https://github.com/waterbear-cloud/paco.models"
},
"split_keywords": [
"aws",
" cloud",
" infrastructure as code"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "690d34694a0beb32b164145ee809f371cce6b4ecabfd2301a883885a302132bf",
"md5": "cc750b9b97cd1b82476669504d915df3",
"sha256": "8a2bd1b105b624322eb0d20fc15384a6d704e6280cdd07ed5fad58d417881f2d"
},
"downloads": -1,
"filename": "paco.models-7.8.37-py3-none-any.whl",
"has_sig": false,
"md5_digest": "cc750b9b97cd1b82476669504d915df3",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 247164,
"upload_time": "2024-04-08T19:33:55",
"upload_time_iso_8601": "2024-04-08T19:33:55.353099Z",
"url": "https://files.pythonhosted.org/packages/69/0d/34694a0beb32b164145ee809f371cce6b4ecabfd2301a883885a302132bf/paco.models-7.8.37-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-04-08 19:33:55",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "waterbear-cloud",
"github_project": "paco.models",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "paco.models"
}
JSON
