def test_update_security_group_rules_authorize_and_revoke_rules(self, vpc=None):
service = self.mock()
sg1, sg2 = FakeSecurityGroup('sg1-id', 'sg1-name'), FakeSecurityGroup('sg2-id', 'sg2-name')
security_group, data_center, vpc, dry_run = 'load-balancer', 'us-east-1', None, False
current_group_rules = frozenset([
Rule(protocol="tcp", from_port=80, to_port=80, address="0.0.0.0/0"),
Rule(protocol="tcp", from_port=443, to_port=443, address="0.0.0.0/0"),
Rule(protocol="tcp", from_port=8000, to_port=8000, address="0.0.0.0/0")
])
required_group_rules = frozenset([
Rule(protocol="tcp", from_port=80, to_port=80, address="0.0.0.0/0"),
Rule(protocol="tcp", from_port=443, to_port=443, address="0.0.0.0/0"),
Rule(protocol="tcp", from_port=22, to_port=22, address="0.0.0.0/0")
])
rules_to_add = frozenset([
Rule(protocol="tcp", from_port=22, to_port=22, address="0.0.0.0/0"),
])
rules_to_remove = frozenset([
Rule(protocol="tcp", from_port=8000, to_port=8000, address="0.0.0.0/0")
])
updater = SecurityGroupUpdater(service)
self.expectAndReturn(service.get_permissions(security_group, data_center, vpc), current_group_rules)
self.expectAndReturn(service.get_all(data_center, vpc), [sg1, sg2])
self.expectAndReturn(service.get_all(data_center, vpc), [sg1, sg2])
service.authorize_ingress_rules(security_group, rules_to_add, data_center, vpc, dry_run)
service.revoke_ingress_rules(security_group, rules_to_remove, data_center, vpc, dry_run)
self.replay()
updater.update_security_group_rules(security_group, required_group_rules, data_center)
self.verify()
class SecurityGroupsConfig(object):
"""
Preserves the original Roadhouse API:
ec2 = boto.vpc.connect_to_region('us-west-2')
vpc = ec2.get_all_vpcs()[0]
config = SecurityGroupsConfig.load('roadhouse.yaml')
config.configure(ec2)
config.apply(vpc)
"""
def __init__(self, security_groups):
self.security_groups = security_groups
@classmethod
def load(cls, filename):
security_groups = YamlFileSecurityGroupsConfigLoader(filename).load()
return SecurityGroupsConfig(security_groups)
def configure(self, ec2):
self.region = ec2.region
self.service = Ec2SecurityGroupService(connection=ec2)
self.updater = SecurityGroupUpdater(self.service)
def apply(self, vpc=None):
rack = vpc if vpc else None
existing_groups = {group.name: group for group in self.service.get_all(self.region, rack)}
security_groups = self.replace_rule_security_group_names_with_ids(self.security_groups, existing_groups)
security_groups = self.index_by_security_group_id(security_groups, existing_groups)
for name, security_group in security_groups.iteritems():
self.updater.update_security_group_rules(security_group, security_group.rules, self.region)
@staticmethod
def replace_rule_security_group_names_with_ids(security_groups, existing_groups):
for _, security_group in security_groups.iteritems():
for rule in security_group.rules:
if rule.security_group_name:
rule.security_group_id = existing_groups[rule.security_group_name].id
rule.security_group_name = None
return security_groups
@staticmethod
def index_by_security_group_id(security_groups, existing_groups):
return {existing_groups[name].id:group for name, group in security_groups.iteritems()}
def main(config_dir, env, region, vpc_id, dry_run):
basicConfig(
level=INFO,
format='%(asctime)s %(levelname)-3s %(name)s (%(funcName)s:%(lineno)d) %(message)s',
datefmt='%Y-%m-%d %H:%M:%S'
)
getLogger('boto').level = CRITICAL
if vpc_id:
security_groups = YamlFileSecurityGroupsConfigLoader("%s/%s/security_groups_%s_%s.yaml" % (config_dir, env, region, vpc_id)).load()
else:
security_groups = YamlFileSecurityGroupsConfigLoader("%s/%s/security_groups_%s.yaml" % (config_dir, env, region)).load()
updater = SecurityGroupUpdater(Ec2SecurityGroupService(yaml.load(open('%s/aws.yaml' % config_dir, 'r').read())[env]))
for name, security_group in security_groups.iteritems():
created_new = updater.create_security_group_if_not_exists(name, security_group.description, region, vpc_id, dry_run)
# Can't dry_run rules creation if the group doesn't actually exist yet
if created_new and dry_run:
continue
updater.update_security_group_rules(name, security_group.rules, region, vpc_id, prune=security_group.prune, dry_run=dry_run)
# Delete any groups that aren't listed in the ruleset config
updater.delete_security_group_if(lambda group: group.name not in security_groups, region, vpc_id, dry_run=dry_run)
def configure(self, ec2): self.region = ec2.region self.service = Ec2SecurityGroupService(connection=ec2) self.updater = SecurityGroupUpdater(self.service)
