def authorize_ip(type, changed, client, group, groupRules,
                 ip, ip_permission, module, rule, ethertype):
    """Ensure a CIDR-based security group rule exists for every address in *ip*.

    For each entry of ``ip`` the CIDR is normalised to its network address
    (with a warning when host bits were set), a rule key is built with
    ``make_rule_key`` and then one of two things happens:

    * the key is already present in ``groupRules``: the rule is kept (its entry
      is removed from ``groupRules`` so the caller's later purge skips it) and
      only its description is updated when ``rule['rule_desc']`` differs from
      the current one;
    * the key is absent: the rule is authorised as ingress (``type == "in"``)
      or egress (``type == "out"``), unless the module runs in check mode.

    Args:
        type: ``"in"`` for ingress or ``"out"`` for egress.  Shadows the
            builtin; kept because existing callers pass it positionally.
        changed: the caller's running "changed" flag; returned updated.
        client: boto3 EC2 client used for the authorize_* calls.
        group: security group dict; ``GroupId`` and ``GroupName`` are read.
        groupRules: existing rules keyed by ``make_rule_key``.  Matched
            entries are deleted from it in place (side effect on the caller).
        ip: iterable of ``address/prefix`` strings or bare addresses.
        ip_permission: previous IpPermission value; replaced by the last
            serialised grant and handed back to the caller.
        module: AnsibleModule, used for ``warn``, ``check_mode`` and ``fail_json``.
        rule: desired rule dict; ``rule_desc`` is optional.
        ethertype: address family passed through to ``serialize_ip_grant``.

    Returns:
        ``(changed, ip_permission)``.

    Raises:
        Reports ``botocore.exceptions.ClientError`` from the authorize calls
        through ``module.fail_json``; any other exception propagates.
    """
    # If rule already exists, don't later delete it
    for this_ip in ip:

        split_addr = this_ip.split('/')
        if len(split_addr) == 2:
            # this_ip is a IPv4 or IPv6 CIDR that may or may not have host bits set
            # Get the network bits.
            try:
                thisip = to_subnet(split_addr[0], split_addr[1])
            except ValueError:
                # A ValueError from to_subnet is taken to mean "not IPv4" and the
                # address is pushed through the IPv6 helper instead.
                # NOTE(review): to_ipv6_network() is called without the prefix
                # length, so the network portion it returns cannot depend on
                # split_addr[1].  If it yields a fixed-width prefix, an IPv6 CIDR
                # with a longer prefix (e.g. a /128 host rule) is silently rewritten
                # to a different network, the "host bits set" warning fires, and the
                # rewritten network is what gets authorised below -- confirm before
                # relying on this path for IPv6 host rules.
                thisip = to_ipv6_network(split_addr[0]) + "/" + split_addr[1]
            if thisip != this_ip:
                # Only a warning: the normalised form (thisip) is what is keyed and
                # authorised, not what the user wrote.
                module.warn("One of your CIDR addresses ({0}) has host bits set. To get rid of this warning, "
                            "check the network mask and make sure that only network bits are set: {1}.".format(this_ip, thisip))
        else:
            # No "/" (or more than one): used as-is, no normalisation or warning.
            thisip = this_ip

        rule_id = make_rule_key(type, rule, group['GroupId'], thisip)
        if rule_id in groupRules:

            # update the rule description
            if 'rule_desc' in rule:
                # A rule_desc of None is treated the same as an empty description.
                desired_rule_desc = rule.get('rule_desc') or ''
                # IPv4 rules carry IpRanges, IPv6 rules Ipv6Ranges; whichever is
                # non-empty is used.  If both are missing/empty, current_rule is
                # None and the [0] below raises TypeError -- assumed not to happen
                # for a rule that was keyed on a CIDR.
                current_rule = groupRules[rule_id][0].get('IpRanges') or groupRules[rule_id][0].get('Ipv6Ranges')
                if desired_rule_desc != current_rule[0].get('Description', ''):
                    # In check mode the change is reported but nothing is sent.
                    if not module.check_mode:
                        ip_permission = serialize_ip_grant(rule, thisip, ethertype)
                        update_rules_description(module, client, type, group['GroupId'], ip_permission)
                    changed = True

            # remove the rule from groupRules to avoid purging it later
            del groupRules[rule_id]
        else:
            if not module.check_mode:
                ip_permission = serialize_ip_grant(rule, thisip, ethertype)
                # serialize_ip_grant may return a falsy value; then no API call
                # is made, although `changed` is still set below.
                if ip_permission:
                    try:
                        if type == "in":
                            client.authorize_security_group_ingress(GroupId=group['GroupId'],
                                                                    IpPermissions=[ip_permission])
                        elif type == "out":
                            client.authorize_security_group_egress(GroupId=group['GroupId'],
                                                                   IpPermissions=[ip_permission])
                    except botocore.exceptions.ClientError as e:
                        # Only ClientError is handled; connection-level botocore
                        # errors propagate to the caller.
                        module.fail_json(msg="Unable to authorize %s for ip %s security group '%s' - %s" %
                                             (type, thisip, group['GroupName'], e),
                                         exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
            # Reported as changed in check mode too (the rule would be added).
            changed = True
    return changed, ip_permission
def validate_ip(module, cidr_ip):
    """Return *cidr_ip* normalised to its network address.

    A value of the form ``address/prefix`` is reduced to its network bits
    (``to_subnet`` first; on ``ValueError`` the address is pushed through
    ``to_ipv6_network`` instead) and ``module.warn`` is called when the result
    differs from the input, i.e. host bits were set.  A value that does not
    contain exactly one ``/`` is returned unchanged and never warned about.

    Args:
        module: AnsibleModule-like object providing ``warn``.  Not touched
            when ``cidr_ip`` carries no prefix.
        cidr_ip: string such as ``10.0.0.0/8``, ``2001:db8::/32`` or a bare
            address.

    Returns:
        The normalised CIDR string, or ``cidr_ip`` itself when it has no prefix.

    Raises:
        Nothing is caught except the ``ValueError`` from ``to_subnet``; an
        exception raised by ``to_ipv6_network`` propagates.

    NOTE(review): ``to_ipv6_network`` receives only the address, so for IPv6
    the network portion cannot depend on ``prefix``.  If that helper returns a
    fixed-width prefix, a longer IPv6 prefix (e.g. a ``/128`` host rule) is
    silently rewritten to a different network and only the "host bits set"
    warning is emitted -- confirm before using this for IPv6 host rules.
    """
    parts = cidr_ip.split('/')
    if len(parts) != 2:
        # No "/" (or more than one): nothing to normalise, pass through as-is.
        return cidr_ip

    address, prefix = parts
    try:
        network = to_subnet(address, prefix)
    except ValueError:
        # to_subnet rejecting the address is taken to mean it is not IPv4.
        network = "/".join((to_ipv6_network(address), prefix))

    if network != cidr_ip:
        module.warn("One of your CIDR addresses ({0}) has host bits set. To get rid of this warning, "
                    "check the network mask and make sure that only network bits are set: {1}.".format(cidr_ip, network))
    return network
def test_to_ipv6_network():
    """to_ipv6_network() must collapse an IPv6 address to its ``::`` prefix.

    Covers an already-compressed network, a fully zero-padded address and the
    same address with unpadded zero groups; all map to the leading hextets
    followed by ``::``.
    """
    cases = [
        ('2001:db8::', '2001:db8::'),
        ('2001:0db8:85a3:0000:0000:8a2e:0370:7334', '2001:0db8:85a3::'),
        ('2001:0db8:85a3:0:0:8a2e:0370:7334', '2001:0db8:85a3::'),
    ]
    for address, expected in cases:
        assert to_ipv6_network(address) == expected
def test_to_ipv6_network():
    """Check that to_ipv6_network() reduces addresses to their ``::`` prefix.

    The expanded and the unpadded spelling of the same address must produce
    the same prefix, and an input that is already a prefix is returned as-is.
    """
    expanded = '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
    unpadded = '2001:0db8:85a3:0:0:8a2e:0370:7334'

    assert to_ipv6_network('2001:db8::') == '2001:db8::'
    assert to_ipv6_network(expanded) == '2001:0db8:85a3::'
    assert to_ipv6_network(unpadded) == '2001:0db8:85a3::'