def amazon_security_group(name, vpc):
"""Create a security group authorizing access to aws services.
:param vpc: vpc in which to create the group
:type vpc: VPC
:return: a security group
:rtype: SecurityGroup
"""
ip_ranges = requests.get(IP_RANGES_URL).json()['prefixes']
# Retrieve first the complete list of ipv4 ip ranges for a given region
amazon_ip_ranges = {
k['ip_prefix']
for k in ip_ranges if k['region'] == vpc.region and 'ip_prefix' in k
and k['service'] == 'AMAZON'
}
# Sustract the list of ip ranges corresponding to EC2 instances
ec2_ip_ranges = {
k['ip_prefix']
for k in ip_ranges if k['region'] == vpc.region and 'ip_prefix' in k
and k['service'] == 'EC2'
}
amazon_ip_ranges -= ec2_ip_ranges
# Authorize https on the resulting list of ip ranges
# Note: the limit of rules per security group is set to 50 at AWS.
# In case the number of ip ranges returned by Amazon would be greater
# than that there would be need to split into several security groups
sg = SecurityGroup(name, vpc, description='Allow acces to amazon services')
for ip_range in amazon_ip_ranges:
sg.add_rule(Ipv4EgressRule('https', ip_range))
return sg
def github_security_groups(name, vpc, protocol):
"""Create a dict of security group authorizing access to github services.
As the number of rules per security group is limited to 50,
we create blocks of 50 rules.
:param vpc: vpc in which to create the group
:type vpc: VPC
:param protocol: protocol to allow (https, ssh)
:type protocol: str
:return: a dict of security groups indexed by name
:rtype: dict(str, SecurityGroup)
"""
ip_ranges = requests.get("https://api.github.com/meta").json()["git"]
# Authorize ssh on the resulting list of ip ranges
sgs = {}
i = 0
limit = 50
sg_name = name + str(i)
sg = SecurityGroup(sg_name, vpc, description="Allow access to github")
sgs[sg_name] = sg
for ip_range in ip_ranges:
if len(sg.egress + sg.ingress) == limit:
i += 1
sg_name = name + str(i)
sg = SecurityGroup(
sg_name, vpc, description=f"Allow access to GitHub {protocol}")
sgs[sg_name] = sg
sg.add_rule(Ipv4EgressRule(protocol, ip_range))
return sgs
def amazon_security_groups(name, vpc):
"""Create a dict of security group authorizing access to aws services.
As the number of rules per security group is limited to 60,
we create blocks of 60 rules.
:param vpc: vpc in which to create the group
:type vpc: VPC
:return: a dict of security groups indexed by name
:rtype: dict(str, SecurityGroup)
"""
def select_region(ip_range_record):
"""Select the VPN region and the us-east-1 region.
Note that some global interface (e.g. sts) are only available in
the us-east-1 region.
"""
return ip_range_record["region"] in (vpc.region, "us-east-1")
ip_ranges = requests.get(IP_RANGES_URL).json()["prefixes"]
# Retrieve first the complete list of ipv4 ip ranges for a given region
amazon_ip_ranges = {
k["ip_prefix"]
for k in ip_ranges
if select_region(k) and "ip_prefix" in k and k["service"] == "AMAZON"
}
# Substract the list of ip ranges corresponding to services
# that we do no need to access to or that we access through VPC
# endpoints to limit the number of security groups and rules.
services_used = ("AMAZON", "S3")
removable_ip_ranges = {
k["ip_prefix"]
for k in ip_ranges if select_region(k) and "ip_prefix" in k
and k["service"] not in services_used
}
amazon_ip_ranges -= removable_ip_ranges
# Authorize https on the resulting list of ip ranges
sgs = {}
i = 0
limit = 60
sg_name = name + str(i)
sg = SecurityGroup(sg_name,
vpc,
description="Allow access to amazon services")
sgs[sg_name] = sg
for ip_range in amazon_ip_ranges:
if len(sg.egress + sg.ingress) == limit:
i += 1
sg_name = name + str(i)
sg = SecurityGroup(sg_name,
vpc,
description="Allow acces to amazon services")
sgs[sg_name] = sg
sg.add_rule(Ipv4EgressRule("https", ip_range))
return sgs
def test_security_group():
vpc = VPC("vpc", cidr_block="10.10.0.0/16")
rule1 = IngressRule("ssh", "10.10.1.1/32", description="ssh rule")
rule2 = IngressRule("ip", "10.10.1.1/32", from_port=3389)
rule2 = IngressRule("ip", "10.10.1.1/32", from_port=5000, to_port=5550)
sg = SecurityGroup("SecurityGroup",
vpc,
description="basic security group",
rules=[rule1, rule2])
assert sg.properties
sg.add_rule(EgressRule("ip", "10.10.1.1/32", from_port=80))
assert sg.properties
with pytest.raises(AssertionError):
sg.add_rule("invalid object")
def amazon_security_groups(name, vpc):
"""Create a dict of security group authorizing access to aws services.
As the number of rules per security group is limited to 50,
we create blocks of 50 rules.
:param vpc: vpc in which to create the group
:type vpc: VPC
:return: a dict of security groups indexed by name
:rtype: dict(str, SecurityGroup)
"""
ip_ranges = requests.get(IP_RANGES_URL).json()['prefixes']
# Retrieve first the complete list of ipv4 ip ranges for a given region
amazon_ip_ranges = {
k['ip_prefix']
for k in ip_ranges if k['region'] == vpc.region and 'ip_prefix' in k
and k['service'] == 'AMAZON'
}
# Sustract the list of ip ranges corresponding to EC2 instances
ec2_ip_ranges = {
k['ip_prefix']
for k in ip_ranges if k['region'] == vpc.region and 'ip_prefix' in k
and k['service'] == 'EC2'
}
amazon_ip_ranges -= ec2_ip_ranges
# Authorize https on the resulting list of ip ranges
sgs = {}
i = 0
limit = 50
sg_name = name + str(i)
sg = SecurityGroup(sg_name,
vpc,
description='Allow acces to amazon services')
sgs[sg_name] = sg
for ip_range in amazon_ip_ranges:
if len(sg.egress + sg.ingress) == limit:
i += 1
sg_name = name + str(i)
sg = SecurityGroup(sg_name,
vpc,
description='Allow acces to amazon services')
sgs[sg_name] = sg
sg.add_rule(Ipv4EgressRule('https', ip_range))
return sgs