def test_dhcp_options_get_by_id(): conn = boto.connect_vpc('the_key', 'the_secret') dhcp1 = conn.create_dhcp_options('test1.com', ['10.0.10.2']) dhcp1.add_tag('Name', 'TestDhcpOptions1') dhcp1.add_tag('test-tag', 'test-value') dhcp1_id = dhcp1.id dhcp2 = conn.create_dhcp_options('test2.com', ['10.0.20.2']) dhcp2.add_tag('Name', 'TestDhcpOptions2') dhcp2.add_tag('test-tag', 'test-value') dhcp2_id = dhcp2.id dhcp_options_sets = conn.get_all_dhcp_options() dhcp_options_sets.should.have.length_of(2) dhcp_options_sets = conn.get_all_dhcp_options( filters={'dhcp-options-id': dhcp1_id}) dhcp_options_sets.should.have.length_of(1) dhcp_options_sets[0].options['domain-name'][0].should.be.equal('test1.com') dhcp_options_sets[0].options[ 'domain-name-servers'][0].should.be.equal('10.0.10.2') dhcp_options_sets = conn.get_all_dhcp_options( filters={'dhcp-options-id': dhcp2_id}) dhcp_options_sets.should.have.length_of(1) dhcp_options_sets[0].options['domain-name'][0].should.be.equal('test2.com') dhcp_options_sets[0].options[ 'domain-name-servers'][0].should.be.equal('10.0.20.2')
def test_detach_vpn_gateway(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") vpn_gateway = conn.create_vpn_gateway('ipsec.1', 'us-east-1a') conn.attach_vpn_gateway( vpn_gateway_id=vpn_gateway.id, vpc_id=vpc.id ) gateway = conn.get_all_vpn_gateways()[0] attachments = gateway.attachments attachments.should.have.length_of(1) attachments[0].vpc_id.should.equal(vpc.id) attachments[0].state.should.equal('attached') conn.detach_vpn_gateway( vpn_gateway_id=vpn_gateway.id, vpc_id=vpc.id ) gateway = conn.get_all_vpn_gateways()[0] attachments = gateway.attachments attachments.should.have.length_of(0)
def test_replace_network_acl_entry(): conn = boto.connect_vpc('the_key', 'the secret') vpc = conn.create_vpc("10.0.0.0/16") network_acl = conn.create_network_acl(vpc.id) conn.create_network_acl_entry( network_acl.id, 110, 6, 'ALLOW', '0.0.0.0/0', False, port_range_from='443', port_range_to='443' ) conn.replace_network_acl_entry( network_acl.id, 110, -1, 'DENY', '0.0.0.0/0', False, port_range_from='22', port_range_to='22' ) all_network_acls = conn.get_all_network_acls() test_network_acl = next(na for na in all_network_acls if na.id == network_acl.id) entries = test_network_acl.network_acl_entries entries.should.have.length_of(1) entries[0].rule_number.should.equal('110') entries[0].protocol.should.equal('-1') entries[0].rule_action.should.equal('DENY')
def test_start_vpc_spot_instance(self): c = self.botoSetup() vpc_conn = boto.connect_vpc() vpc = vpc_conn.create_vpc("192.168.0.0/24") subnet = vpc_conn.create_subnet(vpc.id, "192.168.0.0/24") amis = c.get_all_images() sg = c.create_security_group("test_sg", "test_sg", vpc.id) bs = ec2.EC2LatentWorker('bot1', 'sekrit', 'm1.large', identifier='publickey', secret_identifier='privatekey', keypair_name="test_key", ami=amis[0].id, spot_instance=True, max_spot_price=1.5, security_group_ids=[sg.id], subnet_id=subnet.id, ) instance_id, _, _ = bs._start_instance() instances = [i for i in c.get_only_instances() if i.state != "terminated"] self.assertTrue(bs.spot_instance) self.assertEqual(len(instances), 1) self.assertEqual(instances[0].id, instance_id) self.assertEqual(instances[0].subnet_id, subnet.id) self.assertEqual(len(instances[0].groups), 1) self.assertEqual(instances[0].groups[0].id, sg.id)
def connect(vpc_region): access_key, secret_key = read_credentials() s3_conn = boto.connect_s3(access_key, secret_key) ec2_conn = boto.ec2.connect_to_region(vpc_region, aws_access_key_id=access_key, aws_secret_access_key=secret_key) region = boto.ec2.get_region(vpc_region, aws_access_key_id=access_key, aws_secret_access_key=secret_key) vpc_conn = boto.connect_vpc(access_key, secret_key, region=region) return Connections(ec2_conn, vpc_conn, s3_conn)
def test_run_instance_with_nic_preexisting(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") security_group1 = conn.create_security_group('test security group #1', 'this is a test security group') security_group2 = conn.create_security_group('test security group #2', 'this is a test security group') private_ip = "54.0.0.1" eni = conn.create_network_interface(subnet.id, private_ip, groups=[security_group1.id]) # Boto requires NetworkInterfaceCollection of NetworkInterfaceSpecifications... # annoying, but generates the desired querystring. from boto.ec2.networkinterface import NetworkInterfaceSpecification, NetworkInterfaceCollection interface = NetworkInterfaceSpecification(network_interface_id=eni.id, device_index=0) interfaces = NetworkInterfaceCollection(interface) # end Boto objects reservation = conn.run_instances('ami-1234abcd', network_interfaces=interfaces, security_group_ids=[security_group2.id]) instance = reservation.instances[0] instance.subnet_id.should.equal(subnet.id) all_enis = conn.get_all_network_interfaces() all_enis.should.have.length_of(1) instance.interfaces.should.have.length_of(1) instance_eni = instance.interfaces[0] instance_eni.id.should.equal(eni.id) instance_eni.subnet_id.should.equal(subnet.id) instance_eni.groups.should.have.length_of(2) set([group.id for group in instance_eni.groups]).should.equal(set([security_group1.id,security_group2.id])) instance_eni.private_ip_addresses.should.have.length_of(1) instance_eni.private_ip_addresses[0].private_ip_address.should.equal(private_ip)
def test_igw_delete_attached(): """ internet gateway fail to delete attached """ conn = boto.connect_vpc('the_key', 'the_secret') igw = conn.create_internet_gateway() vpc = conn.create_vpc(VPC_CIDR) conn.attach_internet_gateway(igw.id, vpc.id) conn.delete_internet_gateway.when.called_with(igw.id).should.throw(EC2ResponseError)
def test_default_network_acl_created_with_vpc(): conn = boto.connect_vpc('the_key', 'the secret') vpc = conn.create_vpc("10.0.0.0/16") all_network_acls = conn.get_all_network_acls() all_network_acls.should.have.length_of(1)
def test_route_tables_filters_associations(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet1 = conn.create_subnet(vpc.id, "10.0.0.0/18") subnet2 = conn.create_subnet(vpc.id, "10.0.1.0/18") subnet3 = conn.create_subnet(vpc.id, "10.0.2.0/18") route_table1 = conn.create_route_table(vpc.id) route_table2 = conn.create_route_table(vpc.id) association_id1 = conn.associate_route_table(route_table1.id, subnet1.id) association_id2 = conn.associate_route_table(route_table1.id, subnet2.id) association_id3 = conn.associate_route_table(route_table2.id, subnet3.id) all_route_tables = conn.get_all_route_tables() all_route_tables.should.have.length_of(3) # Filter by association ID association1_route_tables = conn.get_all_route_tables(filters={'association.route-table-association-id':association_id1}) association1_route_tables.should.have.length_of(1) association1_route_tables[0].id.should.equal(route_table1.id) association1_route_tables[0].associations.should.have.length_of(2) # Filter by route table ID route_table2_route_tables = conn.get_all_route_tables(filters={'association.route-table-id':route_table2.id}) route_table2_route_tables.should.have.length_of(1) route_table2_route_tables[0].id.should.equal(route_table2.id) route_table2_route_tables[0].associations.should.have.length_of(1) # Filter by subnet ID subnet_route_tables = conn.get_all_route_tables(filters={'association.subnet-id':subnet1.id}) subnet_route_tables.should.have.length_of(1) subnet_route_tables[0].id.should.equal(route_table1.id) association1_route_tables[0].associations.should.have.length_of(2)
def connect_vpc(): logger.debug('Connecting to the Amazon Virtual Private Cloud (Amazon VPC) service.') vpc = boto.connect_vpc(aws_access_key_id=config['AWS_ACCESS_KEY_ID'], aws_secret_access_key=config['AWS_SECRET_ACCESS_KEY']) logger.debug('Connected to Amazon VPC.') return vpc
def setUp(self): self.api = boto.connect_vpc() vpc = self.api.create_vpc('10.0.0.0/16') self.addCleanup(self.api.delete_vpc, vpc.id) self.subnet = self.api.create_subnet(vpc.id, '10.0.0.0/24') self.addCleanup(self.api.delete_subnet, self.subnet.id)
def assume_service(account_number, service, region='us-east-1'): conn = boto.connect_sts() role = conn.assume_role('arn:aws:iam::{0}:role/{1}'.format( account_number, current_app.config.get('LEMUR_INSTANCE_PROFILE', 'Lemur')), 'blah') if service in 'iam': return boto.connect_iam( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 'elb': return boto.ec2.elb.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 'vpc': return boto.connect_vpc( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 's3': return boto.s3.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token)
def test_delete_vpn_gateway(): conn = boto.connect_vpc('the_key', 'the_secret') vpn_gateway = conn.create_vpn_gateway('ipsec.1', 'us-east-1a') conn.delete_vpn_gateway(vpn_gateway.id) vgws = conn.get_all_vpn_gateways() vgws.should.have.length_of(0)
def test_start_vpc_instance(self): c = self.botoSetup() vpc_conn = boto.connect_vpc() vpc = vpc_conn.create_vpc("192.168.0.0/24") subnet = vpc_conn.create_subnet(vpc.id, "192.168.0.0/24") amis = c.get_all_images() sg = c.create_security_group("test_sg", "test_sg", vpc.id) bs = ec2.EC2LatentWorker( "bot1", "sekrit", "m1.large", identifier="publickey", secret_identifier="privatekey", keypair_name="latent_buildbot_worker", security_group_ids=[sg.id], subnet_id=subnet.id, ami=amis[0].id, ) instance_id, _, _ = bs._start_instance() instances = [i for i in c.get_only_instances() if i.state != "terminated"] self.assertEqual(len(instances), 1) self.assertEqual(instances[0].id, instance_id) self.assertEqual(instances[0].subnet_id, subnet.id) self.assertEqual(len(instances[0].groups), 1) self.assertEqual(instances[0].groups[0].id, sg.id) self.assertEqual(instances[0].key_name, "latent_buildbot_worker")
def load_config(show_output=False): config_filename = path.join(directory, 'config') aws_dirty = False if not boto.config.has_option('Credentials', 'aws_access_key_id'): aws_access_key_id = getpass.getpass('AWS Access Key ID: ') boto.config.save_user_option('Credentials', 'aws_access_key_id', aws_access_key_id) aws_dirty = True if not boto.config.has_option('Credentials', 'aws_secret_access_key'): aws_secret_access_key = getpass.getpass('AWS Secret Access Key: ') boto.config.save_user_option('Credentials', 'aws_secret_access_key', aws_secret_access_key) aws_dirty = True if aws_dirty: print "-----> AWS configuration written to {}".format(boto.pyami.config.UserConfigPath) else: if show_output: print "-----> AWS configuration unchanged, see `{}`".format(boto.pyami.config.UserConfigPath) vpc = boto.connect_vpc() try: with open(config_filename, 'r') as config_file: config = json.loads(config_file.read()) except IOError: config = default_config() dirty = False vpc_id = config.get('vpc_id') if not vpc_id: vpc_id = raw_input("AWS VPC ID (choose: {}): ".format(', '.join([v.id for v in vpc.get_all_vpcs()]))) config['vpc_id'] = vpc_id dirty = True subnet_id = config.get('subnet_id') if not subnet_id: def format_subnet(s): return '{}({})'.format(s.id, s.availability_zone) possible_subnets = vpc.get_all_subnets(filters=[('vpcId', vpc_id)]) subnet_id = raw_input("AWS VPC Subnet ID (choose: {}): ".format(', '.join(map(format_subnet, possible_subnets)))) config['subnet_id'] = subnet_id dirty = True subnet = vpc.get_all_subnets(subnet_ids=[subnet_id])[0] if config['availability_zone'] != subnet.availability_zone: config['availability_zone'] = subnet.availability_zone dirty = True system_name = config.get('system_name') if not system_name: config['system_name'] = raw_input("Name of your \"system\" (press return for a uuid): ") or uuid.uuid1().hex dirty = True if dirty: config_filename = path.join(directory, 'config') if not path.exists(directory): os.makedirs(directory) with open(config_filename, 'w') as config_file: config_file.write(json.dumps(config, indent=2, separators=(',', ': '))) print "-----> Riker configuration written to {}".format(config_filename) else: if show_output: print "-----> Riker configuration unchanged, see `{}`".format(config_filename) def create_sgrs(memo, kvp): name = kvp[0] rules = kvp[1] sgrs = [boto_helpers.SecurityGroupRule(*rule) for rule in rules] memo[name] = sgrs return memo config['security_groups'] = reduce(create_sgrs, config['security_groups'].iteritems(), {}) return config
def test_get_vpc_id(self): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") self.assertEqual(1, len(conn.get_all_vpcs())) test_vpc = VPC('us-east-1', 'the_key', 'the_secret') self.assertEqual(vpc.id, test_vpc.get_vpc_id("10.0.0.0/16")) vpc.delete()
def test_route_tables_filters_standard(): conn = boto.connect_vpc('the_key', 'the_secret') vpc1 = conn.create_vpc("10.0.0.0/16") route_table1 = conn.create_route_table(vpc1.id) vpc2 = conn.create_vpc("10.0.0.0/16") route_table2 = conn.create_route_table(vpc2.id) all_route_tables = conn.get_all_route_tables() all_route_tables.should.have.length_of(4) # Filter by main route table main_route_tables = conn.get_all_route_tables(filters={'association.main':'true'}) main_route_tables.should.have.length_of(2) main_route_table_ids = [route_table.id for route_table in main_route_tables] main_route_table_ids.should_not.contain(route_table1.id) main_route_table_ids.should_not.contain(route_table2.id) # Filter by VPC vpc1_route_tables = conn.get_all_route_tables(filters={'vpc-id':vpc1.id}) vpc1_route_tables.should.have.length_of(2) vpc1_route_table_ids = [route_table.id for route_table in vpc1_route_tables] vpc1_route_table_ids.should.contain(route_table1.id) vpc1_route_table_ids.should_not.contain(route_table2.id) # Filter by VPC and main route table vpc2_main_route_tables = conn.get_all_route_tables(filters={'association.main':'true', 'vpc-id':vpc2.id}) vpc2_main_route_tables.should.have.length_of(1) vpc2_main_route_table_ids = [route_table.id for route_table in vpc2_main_route_tables] vpc2_main_route_table_ids.should_not.contain(route_table1.id) vpc2_main_route_table_ids.should_not.contain(route_table2.id) # Unsupported filter conn.get_all_route_tables.when.called_with(filters={'not-implemented-filter': 'foobar'}).should.throw(NotImplementedError)
def test_eip_reassociate_nic(): """reassociate EIP""" conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") eni1 = conn.create_network_interface(subnet.id) eni2 = conn.create_network_interface(subnet.id) eip = conn.allocate_address() conn.associate_address(network_interface_id=eni1.id, public_ip=eip.public_ip) # Same ID is idempotent conn.associate_address(network_interface_id=eni1.id, public_ip=eip.public_ip) # Different ID detects resource association with assert_raises(EC2ResponseError) as cm: conn.associate_address( network_interface_id=eni2.id, public_ip=eip.public_ip) cm.exception.code.should.equal('Resource.AlreadyAssociated') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none conn.associate_address.when.called_with( network_interface_id=eni2.id, public_ip=eip.public_ip, allow_reassociation=True).should_not.throw(EC2ResponseError) eip.release() eip = None
def test_vpc_state_available_filter(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") conn.create_vpc("10.1.0.0/16") conn.get_all_vpcs(filters={'state': 'available'}).should.have.length_of(3) vpc.delete() conn.get_all_vpcs(filters={'state': 'available'}).should.have.length_of(2)
def test_get_instances_filtering_by_vpc_id(): conn = boto.connect_vpc('the_key', 'the_secret') vpc1 = conn.create_vpc("10.0.0.0/16") subnet1 = conn.create_subnet(vpc1.id, "10.0.0.0/27") reservation1 = conn.run_instances( 'ami-1234abcd', min_count=1, subnet_id=subnet1.id) instance1 = reservation1.instances[0] vpc2 = conn.create_vpc("10.1.0.0/16") subnet2 = conn.create_subnet(vpc2.id, "10.1.0.0/27") reservation2 = conn.run_instances( 'ami-1234abcd', min_count=1, subnet_id=subnet2.id) instance2 = reservation2.instances[0] reservations1 = conn.get_all_instances(filters={'vpc-id': vpc1.id}) reservations1.should.have.length_of(1) reservations1[0].instances.should.have.length_of(1) reservations1[0].instances[0].id.should.equal(instance1.id) reservations1[0].instances[0].vpc_id.should.equal(vpc1.id) reservations1[0].instances[0].subnet_id.should.equal(subnet1.id) reservations2 = conn.get_all_instances(filters={'vpc-id': vpc2.id}) reservations2.should.have.length_of(1) reservations2[0].instances.should.have.length_of(1) reservations2[0].instances[0].id.should.equal(instance2.id) reservations2[0].instances[0].vpc_id.should.equal(vpc2.id) reservations2[0].instances[0].subnet_id.should.equal(subnet2.id)
def test_routes_additional(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") main_route_table = conn.get_all_route_tables()[0] local_route = main_route_table.routes[0] igw = conn.create_internet_gateway() ROUTE_CIDR = "10.0.0.4/24" conn.create_route(main_route_table.id, ROUTE_CIDR, gateway_id=igw.id) main_route_table = conn.get_all_route_tables()[0] # Refresh route table main_route_table.routes.should.have.length_of(2) new_routes = [route for route in main_route_table.routes if route.destination_cidr_block != vpc.cidr_block] new_routes.should.have.length_of(1) new_route = new_routes[0] new_route.gateway_id.should.equal(igw.id) new_route.instance_id.should.be.none new_route.state.should.equal('active') new_route.destination_cidr_block.should.equal(ROUTE_CIDR) conn.delete_route(main_route_table.id, ROUTE_CIDR) main_route_table = conn.get_all_route_tables()[0] # Refresh route table main_route_table.routes.should.have.length_of(1) new_routes = [route for route in main_route_table.routes if route.destination_cidr_block != vpc.cidr_block] new_routes.should.have.length_of(0) with assert_raises(EC2ResponseError) as cm: conn.delete_route(main_route_table.id, ROUTE_CIDR) cm.exception.code.should.equal('InvalidRoute.NotFound') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none
def create_network(): vpc_connection = boto.connect_vpc() vpc = vpc_connection.create_vpc("10.0.0.0/24") subnet = vpc_connection.create_subnet(vpc.id, "10.0.0.0/25") gateway = vpc_connection.create_internet_gateway() vpc_connection.attach_internet_gateway(gateway.id, vpc.id) return subnet.id
def get_vpcs(): vpcs_data = {} for region in AWS_REGIONS: region_key = region.replace('-', '_') aws_key = getattr(settings.app, region_key + '_access_key') aws_secret = getattr(settings.app, region_key + '_secret_key') vpc_data = [] vpcs_data[region] = vpc_data if not aws_key or not aws_secret: continue vpc_conn = boto.connect_vpc( aws_access_key_id=aws_key, aws_secret_access_key=aws_secret, region=boto.ec2.get_region(region), ) vpcs = vpc_conn.get_all_vpcs() for vpc in vpcs: vpc_data.append({ 'id': vpc.id, 'network': vpc.cidr_block, }) return vpcs_data
def test_elastic_network_interfaces(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") with assert_raises(JSONResponseError) as ex: eni = conn.create_network_interface(subnet.id, dry_run=True) ex.exception.reason.should.equal('DryRunOperation') ex.exception.status.should.equal(400) ex.exception.message.should.equal('An error occurred (DryRunOperation) when calling the CreateNetworkInterface operation: Request would have succeeded, but DryRun flag is set') eni = conn.create_network_interface(subnet.id) all_enis = conn.get_all_network_interfaces() all_enis.should.have.length_of(1) eni = all_enis[0] eni.groups.should.have.length_of(0) eni.private_ip_addresses.should.have.length_of(0) with assert_raises(JSONResponseError) as ex: conn.delete_network_interface(eni.id, dry_run=True) ex.exception.reason.should.equal('DryRunOperation') ex.exception.status.should.equal(400) ex.exception.message.should.equal('An error occurred (DryRunOperation) when calling the DeleteNetworkInterface operation: Request would have succeeded, but DryRun flag is set') conn.delete_network_interface(eni.id) all_enis = conn.get_all_network_interfaces() all_enis.should.have.length_of(0) with assert_raises(EC2ResponseError) as cm: conn.delete_network_interface(eni.id) cm.exception.code.should.equal('InvalidNetworkInterfaceID.NotFound') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none
def test_run_instance_with_nic_autocreated(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") security_group1 = conn.create_security_group('test security group #1', 'this is a test security group') security_group2 = conn.create_security_group('test security group #2', 'this is a test security group') private_ip = "54.0.0.1" reservation = conn.run_instances('ami-1234abcd', subnet_id=subnet.id, security_groups=[security_group1.name], security_group_ids=[security_group2.id], private_ip_address=private_ip) instance = reservation.instances[0] all_enis = conn.get_all_network_interfaces() all_enis.should.have.length_of(1) eni = all_enis[0] instance.interfaces.should.have.length_of(1) instance.interfaces[0].id.should.equal(eni.id) instance.subnet_id.should.equal(subnet.id) instance.groups.should.have.length_of(2) set([group.id for group in instance.groups]).should.equal(set([security_group1.id,security_group2.id])) eni.subnet_id.should.equal(subnet.id) eni.groups.should.have.length_of(2) set([group.id for group in eni.groups]).should.equal(set([security_group1.id,security_group2.id])) eni.private_ip_addresses.should.have.length_of(1) eni.private_ip_addresses[0].private_ip_address.should.equal(private_ip)
def test_eip_associate_network_interface(): """Associate/Disassociate EIP to NIC""" conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") eni = conn.create_network_interface(subnet.id) eip = conn.allocate_address(domain='vpc') eip.network_interface_id.should.be.none with assert_raises(EC2ResponseError) as cm: conn.associate_address(network_interface_id=eni.id) cm.exception.code.should.equal('MissingParameter') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none conn.associate_address(network_interface_id=eni.id, allocation_id=eip.allocation_id) # no .update() on address ): eip = conn.get_all_addresses(addresses=[eip.public_ip])[0] eip.network_interface_id.should.be.equal(eni.id) conn.disassociate_address(association_id=eip.association_id) # no .update() on address ): eip = conn.get_all_addresses(addresses=[eip.public_ip])[0] eip.network_interface_id.should.be.equal(u'') eip.association_id.should.be.none eip.release() eip = None
def test_delete_cluster_subnet_group(): vpc_conn = boto.connect_vpc() vpc = vpc_conn.create_vpc("10.0.0.0/16") subnet = vpc_conn.create_subnet(vpc.id, "10.0.0.0/24") redshift_conn = boto.connect_redshift() redshift_conn.create_cluster_subnet_group( "my_subnet", "This is my subnet group", subnet_ids=[subnet.id], ) subnets_response = redshift_conn.describe_cluster_subnet_groups() subnets = subnets_response['DescribeClusterSubnetGroupsResponse'][ 'DescribeClusterSubnetGroupsResult']['ClusterSubnetGroups'] subnets.should.have.length_of(1) redshift_conn.delete_cluster_subnet_group("my_subnet") subnets_response = redshift_conn.describe_cluster_subnet_groups() subnets = subnets_response['DescribeClusterSubnetGroupsResponse'][ 'DescribeClusterSubnetGroupsResult']['ClusterSubnetGroups'] subnets.should.have.length_of(0) # Delete invalid id redshift_conn.delete_cluster_subnet_group.when.called_with( "not-a-subnet-group").should.throw(ClusterSubnetGroupNotFound)
def test_routes_vpc_peering_connection(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") main_route_table = conn.get_all_route_tables( filters={'association.main': 'true', 'vpc-id': vpc.id})[0] local_route = main_route_table.routes[0] ROUTE_CIDR = "10.0.0.4/24" peer_vpc = conn.create_vpc("11.0.0.0/16") vpc_pcx = conn.create_vpc_peering_connection(vpc.id, peer_vpc.id) conn.create_route(main_route_table.id, ROUTE_CIDR, vpc_peering_connection_id=vpc_pcx.id) # Refresh route table main_route_table = conn.get_all_route_tables(main_route_table.id)[0] new_routes = [ route for route in main_route_table.routes if route.destination_cidr_block != vpc.cidr_block] new_routes.should.have.length_of(1) new_route = new_routes[0] new_route.gateway_id.should.be.none new_route.instance_id.should.be.none new_route.vpc_peering_connection_id.should.equal(vpc_pcx.id) new_route.state.should.equal('blackhole') new_route.destination_cidr_block.should.equal(ROUTE_CIDR)
def test_elastic_network_interfaces_filtering(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") security_group1 = conn.create_security_group('test security group #1', 'this is a test security group') security_group2 = conn.create_security_group('test security group #2', 'this is a test security group') eni1 = conn.create_network_interface(subnet.id, groups=[security_group1.id,security_group2.id]) eni2 = conn.create_network_interface(subnet.id, groups=[security_group1.id]) eni3 = conn.create_network_interface(subnet.id) all_enis = conn.get_all_network_interfaces() all_enis.should.have.length_of(3) # Filter by ENI ID enis_by_id = conn.get_all_network_interfaces(filters={'network-interface-id':eni1.id}) enis_by_id.should.have.length_of(1) set([eni.id for eni in enis_by_id]).should.equal(set([eni1.id])) # Filter by Security Group enis_by_group = conn.get_all_network_interfaces(filters={'group-id':security_group1.id}) enis_by_group.should.have.length_of(2) set([eni.id for eni in enis_by_group]).should.equal(set([eni1.id,eni2.id])) # Filter by ENI ID and Security Group enis_by_group = conn.get_all_network_interfaces(filters={'network-interface-id':eni1.id, 'group-id':security_group1.id}) enis_by_group.should.have.length_of(1) set([eni.id for eni in enis_by_group]).should.equal(set([eni1.id])) # Unsupported filter conn.get_all_network_interfaces.when.called_with(filters={'not-implemented-filter': 'foobar'}).should.throw(NotImplementedError)
def test_elastic_network_interfaces_modify_attribute(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") security_group1 = conn.create_security_group( 'test security group #1', 'this is a test security group') security_group2 = conn.create_security_group( 'test security group #2', 'this is a test security group') conn.create_network_interface(subnet.id, groups=[security_group1.id]) all_enis = conn.get_all_network_interfaces() all_enis.should.have.length_of(1) eni = all_enis[0] eni.groups.should.have.length_of(1) eni.groups[0].id.should.equal(security_group1.id) with assert_raises(EC2ResponseError) as ex: conn.modify_network_interface_attribute( eni.id, 'groupset', [security_group2.id], dry_run=True) ex.exception.error_code.should.equal('DryRunOperation') ex.exception.status.should.equal(400) ex.exception.message.should.equal( 'An error occurred (DryRunOperation) when calling the ModifyNetworkInterface operation: Request would have succeeded, but DryRun flag is set') conn.modify_network_interface_attribute( eni.id, 'groupset', [security_group2.id]) all_enis = conn.get_all_network_interfaces() all_enis.should.have.length_of(1) eni = all_enis[0] eni.groups.should.have.length_of(1) eni.groups[0].id.should.equal(security_group2.id)
def test_create_cluster_with_vpc_security_groups(): vpc_conn = boto.connect_vpc() ec2_conn = boto.connect_ec2() redshift_conn = boto.connect_redshift() vpc = vpc_conn.create_vpc("10.0.0.0/16") security_group = ec2_conn.create_security_group("vpc_security_group", "a group", vpc_id=vpc.id) redshift_conn.create_cluster( "my_cluster", node_type="dw.hs1.xlarge", master_username="******", master_user_password="******", vpc_security_group_ids=[security_group.id], ) cluster_response = redshift_conn.describe_clusters("my_cluster") cluster = cluster_response['DescribeClustersResponse'][ 'DescribeClustersResult']['Clusters'][0] group_ids = [ group['VpcSecurityGroupId'] for group in cluster['VpcSecurityGroups'] ] list(group_ids).should.equal([security_group.id])
def test_delete_network_acl_entry(): conn = boto.connect_vpc("the_key", "the secret") vpc = conn.create_vpc("10.0.0.0/16") network_acl = conn.create_network_acl(vpc.id) conn.create_network_acl_entry( network_acl.id, 110, 6, "ALLOW", "0.0.0.0/0", False, port_range_from="443", port_range_to="443", ) conn.delete_network_acl_entry(network_acl.id, 110, False) all_network_acls = conn.get_all_network_acls() test_network_acl = next(na for na in all_network_acls if na.id == network_acl.id) entries = test_network_acl.network_acl_entries entries.should.have.length_of(0)
def test_dhcp_options_delete_with_vpc(): """Test deletion of dhcp options with vpc""" conn = boto.connect_vpc("the_key", "the_secret") dhcp_options = conn.create_dhcp_options(SAMPLE_DOMAIN_NAME, SAMPLE_NAME_SERVERS) dhcp_options_id = dhcp_options.id vpc = conn.create_vpc("10.0.0.0/16") rval = conn.associate_dhcp_options(dhcp_options_id, vpc.id) rval.should.be.equal(True) with assert_raises(EC2ResponseError) as cm: conn.delete_dhcp_options(dhcp_options_id) cm.exception.code.should.equal("DependencyViolation") cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none vpc.delete() with assert_raises(EC2ResponseError) as cm: conn.get_all_dhcp_options([dhcp_options_id]) cm.exception.code.should.equal("InvalidDhcpOptionID.NotFound") cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none
def test_replace_network_acl_entry(): conn = boto.connect_vpc("the_key", "the secret") vpc = conn.create_vpc("10.0.0.0/16") network_acl = conn.create_network_acl(vpc.id) conn.create_network_acl_entry( network_acl.id, 110, 6, "ALLOW", "0.0.0.0/0", False, port_range_from="443", port_range_to="443", ) conn.replace_network_acl_entry( network_acl.id, 110, -1, "DENY", "0.0.0.0/0", False, port_range_from="22", port_range_to="22", ) all_network_acls = conn.get_all_network_acls() test_network_acl = next(na for na in all_network_acls if na.id == network_acl.id) entries = test_network_acl.network_acl_entries entries.should.have.length_of(1) entries[0].rule_number.should.equal("110") entries[0].protocol.should.equal("-1") entries[0].rule_action.should.equal("DENY")
for resource in self.nodes.keys(): for port in self.nodes[resource].keys(): for source in self.nodes[resource][port]: print "%s,%s,%s " % (resource, port, source) def to_json(self, fname="Foo"): jdump = {} jdump['timestamp'] = time.time() jdump['sources'] = self.get_sources() jdump['protocols'] = self.get_protocols() jdump['dests'] = self.get_dests() print json.dumps(jdump) if __name__ == "__main__": sg_dict = {} if "AWS_DEFAULT_REGION" in os.environ: conn = boto.vpc.connect_to_region(os.environ['AWS_DEFAULT_REGION']) else: conn = boto.connect_vpc() for sg in conn.get_all_security_groups(): asg = AuditGroup(sg) sg_dict[asg.sg.id] = asg d = NetDecorator(conn, False) fg = FlowGraph(sg_dict, d, False) fg.to_grep()
def test_authorize_ip_range_and_revoke(): conn = boto.connect_ec2("the_key", "the_secret") security_group = conn.create_security_group("test", "test") with pytest.raises(EC2ResponseError) as ex: success = security_group.authorize( ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32", dry_run=True, ) ex.value.error_code.should.equal("DryRunOperation") ex.value.status.should.equal(412) ex.value.message.should.equal( "An error occurred (DryRunOperation) when calling the GrantSecurityGroupIngress operation: Request would have succeeded, but DryRun flag is set" ) success = security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32") assert success.should.be.true security_group = conn.get_all_security_groups(groupnames=["test"])[0] int(security_group.rules[0].to_port).should.equal(2222) security_group.rules[0].grants[0].cidr_ip.should.equal( "123.123.123.123/32") # Wrong Cidr should throw error with pytest.raises(EC2ResponseError) as cm: security_group.revoke( ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.122/32", ) cm.value.code.should.equal("InvalidPermission.NotFound") cm.value.status.should.equal(400) cm.value.request_id.should_not.be.none # Actually revoke with pytest.raises(EC2ResponseError) as ex: security_group.revoke( ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32", dry_run=True, ) ex.value.error_code.should.equal("DryRunOperation") ex.value.status.should.equal(412) ex.value.message.should.equal( "An error occurred (DryRunOperation) when calling the RevokeSecurityGroupIngress operation: Request would have succeeded, but DryRun flag is set" ) security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32") security_group = conn.get_all_security_groups()[0] security_group.rules.should.have.length_of(0) # Test for egress as well vpc_conn = boto.connect_vpc() vpc = vpc_conn.create_vpc("10.0.0.0/16") egress_security_group = conn.create_security_group("testegress", "testegress", vpc_id=vpc.id) with pytest.raises(EC2ResponseError) as ex: success = conn.authorize_security_group_egress( egress_security_group.id, "tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32", dry_run=True, ) ex.value.error_code.should.equal("DryRunOperation") ex.value.status.should.equal(412) ex.value.message.should.equal( "An error occurred (DryRunOperation) when calling the GrantSecurityGroupEgress operation: Request would have succeeded, but DryRun flag is set" ) success = conn.authorize_security_group_egress( egress_security_group.id, "tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32", ) assert success.should.be.true egress_security_group = conn.get_all_security_groups( groupnames="testegress")[0] # There are two egress rules associated with the security group: # the default outbound rule and the new one int(egress_security_group.rules_egress[1].to_port).should.equal(2222) actual_cidr = egress_security_group.rules_egress[1].grants[0].cidr_ip actual_cidr.should.equal("123.123.123.123/32") # Wrong Cidr should throw error egress_security_group.revoke.when.called_with( ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.122/32").should.throw(EC2ResponseError) # Actually revoke with pytest.raises(EC2ResponseError) as ex: conn.revoke_security_group_egress( egress_security_group.id, "tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32", dry_run=True, ) ex.value.error_code.should.equal("DryRunOperation") ex.value.status.should.equal(412) ex.value.message.should.equal( "An error occurred (DryRunOperation) when calling the RevokeSecurityGroupEgress operation: Request would have succeeded, but DryRun flag is set" ) conn.revoke_security_group_egress( egress_security_group.id, "tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32", ) egress_security_group = [ group for group in conn.get_all_security_groups() if group.id == egress_security_group.id ][0] # There is still the default outbound rule egress_security_group.rules_egress.should.have.length_of(1)
def _ssh_config(args): if args.get("vpc"): vpc_id = args.get("<vpc_id>") stack_name = stack_name_for_vpc(vpc_id) elif args.get("stack-name"): stack_name = args.get("<stack_name>") vpc_id = vpc_for_stack_name(stack_name) else: raise Exception("No vpc_id or stack_name provided.") vpc = boto.connect_vpc() identity_file = args.get("<identity_file>") user = args.get("<user>") config_file = args.get("<config_file>") strict_host_check = args.get("<strict_host_check>") if not user: user = DEFAULT_USER if not strict_host_check: strict_host_check = DEFAULT_HOST_CHECK if config_file: config_file = "-F {}".format(config_file) else: config_file = "" jump_box = "{stack_name}-jumpbox".format(stack_name=stack_name) friendly = "{stack_name}-{logical_id}-{instance_number}" id_type_counter = defaultdict(int) reservations = vpc.get_all_instances(filters={'vpc-id': vpc_id}) for reservation in reservations: for instance in reservation.instances: if 'group' in instance.tags: logical_id = instance.tags['group'] else: logical_id = instance.tags['aws:cloudformation:logical-id'] instance_number = id_type_counter[logical_id] id_type_counter[logical_id] += 1 if logical_id == "BastionHost" or logical_id == 'bastion': print JUMPBOX_CONFIG.format( jump_box=jump_box, ip=instance.ip_address, user=user, identity_file=identity_file, strict_host_check=strict_host_check) # Print host config even for the bastion box because that is how # ansible accesses it. print HOST_CONFIG.format(name=instance.private_ip_address, jump_box=jump_box, ip=instance.private_ip_address, user=user, identity_file=identity_file, config_file=config_file, strict_host_check=strict_host_check, instance_id=instance.id) #duplicating for convenience with ansible name = friendly.format(stack_name=stack_name, logical_id=logical_id, instance_number=instance_number) print HOST_CONFIG.format(name=name, jump_box=jump_box, ip=instance.private_ip_address, user=user, identity_file=identity_file, config_file=config_file, strict_host_check=strict_host_check, instance_id=instance.id)
def test_describe_customer_gateways(): conn = boto.connect_vpc("the_key", "the_secret") customer_gateway = conn.create_customer_gateway("ipsec.1", "205.251.242.54", 65534) cgws = conn.get_all_customer_gateways() cgws.should.have.length_of(1) cgws[0].id.should.match(customer_gateway.id)
def connect(account_name, connection_type, **args): """ Examples of use: ec2 = sts_connect.connect(environment, 'ec2', region=region, validate_certs=False) ec2 = sts_connect.connect(environment, 'ec2', validate_certs=False, debug=1000) ec2 = sts_connect.connect(environment, 'ec2') where environment is ( test, prod, dev ) s3 = sts_connect.connect(environment, 's3') ses = sts_connect.connect(environment, 'ses') :param account: Account to connect with (i.e. test, prod, dev) :raises Exception: RDS Region not valid AWS Tech not supported. :returns: STS Connection Object for given tech :note: To use this method a SecurityMonkey role must be created in the target account with full read only privledges. """ account = Account.query.filter(Account.name == account_name).first() sts = boto.connect_sts() role = sts.assume_role( 'arn:aws:iam::' + account.number + ':role/SecurityMonkey', 'secmonkey') if connection_type == 'ec2': return boto.connect_ec2(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'elb': if 'region' in args: region = args['region'] del args['region'] else: region = 'us-east-1' return boto.ec2.elb.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 's3': if 'region' in args: region = args['region'] # drop region key-val pair from args or you'll get an exception del args['region'] return boto.s3.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_s3(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'ses': return boto.connect_ses(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'iam': if 'region' in args: region = args['region'] # drop region key-val pair from args or you'll get an exception del args['region'] return boto.iam.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_iam(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'route53': return boto.connect_route53( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'sns': if 'region' in args: region = args['region'] del args['region'] return boto.sns.connect_to_region( region.name, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_sns(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'sqs': if 'region' in args: region = args['region'] del args['region'] return boto.sqs.connect_to_region( region.name, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_sqs(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'vpc': return boto.connect_vpc(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'rds': if 'region' in args: reg = args['region'] rds_region = None for boto_region in boto.rds.regions(): if reg.name == boto_region.name: rds_region = boto_region if rds_region is None: raise Exception( 'The supplied region {0} is not in boto.rds.regions. {1}'. format(reg, boto.rds.regions())) return boto.connect_rds(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) err_msg = 'The connection_type supplied (%s) is not implemented.' % connection_type raise Exception(err_msg)
def test_igw_desribe(): """ internet gateway fetch by id """ conn = boto.connect_vpc("the_key", "the_secret") igw = conn.create_internet_gateway() igw_by_search = conn.get_all_internet_gateways([igw.id])[0] igw.id.should.equal(igw_by_search.id)
def all_stack_names(region='us-east-1', aws_id=None, aws_secret=None): vpc_conn = boto.connect_vpc(aws_id, aws_secret) return [ vpc.tags[CFN_TAG_KEY] for vpc in vpc_conn.get_all_vpcs() if CFN_TAG_KEY in vpc.tags.keys() ]
def test_network_acls(): conn = boto.connect_vpc("the_key", "the secret") vpc = conn.create_vpc("10.0.0.0/16") network_acl = conn.create_network_acl(vpc.id) all_network_acls = conn.get_all_network_acls() all_network_acls.should.have.length_of(3)
def test_create_vpn_connections(): conn = boto.connect_vpc('the_key', 'the_secret') vpn_connection = conn.create_vpn_connection('ipsec.1', 'vgw-0123abcd', 'cgw-0123abcd') vpn_connection.should_not.be.none vpn_connection.id.should.match(r'vpn-\w+') vpn_connection.type.should.equal('ipsec.1')
def test_delete_vpn_connections_bad_id(): conn = boto.connect_vpc('the_key', 'the_secret') with assert_raises(EC2ResponseError): conn.delete_vpn_connection('vpn-0123abcd')
def connect_vpc(aws_key, aws_secret, region): return boto.connect_vpc( aws_access_key_id=aws_key, aws_secret_access_key=aws_secret, region=boto.ec2.get_region(region), )
def test_delete_customer_gateways_bad_id(): conn = boto.connect_vpc("the_key", "the_secret") with pytest.raises(EC2ResponseError) as cm: conn.delete_customer_gateway("cgw-0123abcd")
def test_route_table_associations(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") route_table = conn.create_route_table(vpc.id) all_route_tables = conn.get_all_route_tables() all_route_tables.should.have.length_of(3) # Refresh route_table = conn.get_all_route_tables(route_table.id)[0] route_table.associations.should.have.length_of(0) # Associate association_id = conn.associate_route_table(route_table.id, subnet.id) # Refresh route_table = conn.get_all_route_tables(route_table.id)[0] route_table.associations.should.have.length_of(1) route_table.associations[0].id.should.equal(association_id) route_table.associations[0].main.should.equal(False) route_table.associations[0].route_table_id.should.equal(route_table.id) route_table.associations[0].subnet_id.should.equal(subnet.id) # Associate is idempotent association_id_idempotent = conn.associate_route_table( route_table.id, subnet.id) association_id_idempotent.should.equal(association_id) # Error: Attempt delete associated route table. with assert_raises(EC2ResponseError) as cm: conn.delete_route_table(route_table.id) cm.exception.code.should.equal('DependencyViolation') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none # Disassociate conn.disassociate_route_table(association_id) # Refresh route_table = conn.get_all_route_tables(route_table.id)[0] route_table.associations.should.have.length_of(0) # Error: Disassociate with invalid association ID with assert_raises(EC2ResponseError) as cm: conn.disassociate_route_table(association_id) cm.exception.code.should.equal('InvalidAssociationID.NotFound') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none # Error: Associate with invalid subnet ID with assert_raises(EC2ResponseError) as cm: conn.associate_route_table(route_table.id, "subnet-1234abcd") cm.exception.code.should.equal('InvalidSubnetID.NotFound') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none # Error: Associate with invalid route table ID with assert_raises(EC2ResponseError) as cm: conn.associate_route_table("rtb-1234abcd", subnet.id) cm.exception.code.should.equal('InvalidRouteTableID.NotFound') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none
DEFAULT_ROUTE = '0.0.0.0/0' try: cfn_routetable = os.environ['CFN_ROUTETABLE'] except: print("CFN_ROUTETABLE environment variable is not set!") sys.exit(1) try: instance_id = boto.utils.get_instance_metadata()['instance-id'] except: print("Could not get EC2 instance ID!") sys.exit(1) vpc_conn = boto.connect_vpc(aws_access_key_id=aws_access, aws_secret_access_key=aws_secret) ec2_conn = boto.connect_ec2(aws_access_key_id=aws_access, aws_secret_access_key=aws_secret) try: rt = vpc_conn.get_all_route_tables( route_table_ids=os.environ['CFN_ROUTETABLE'])[0] except Exception, e: print("Could not find route table [%s]: %s" % (os.environ['CFN_ROUTETABLE'], e)) sys.exit(1) print("Found the route table: %s" % (rt.id, )) source_dest_check = ec2_conn.get_instance_attribute( instance_id, 'sourceDestCheck')['sourceDestCheck']
def test_delete_vpn_connections_bad_id(): conn = boto.connect_vpc("the_key", "the_secret") with pytest.raises(EC2ResponseError): conn.delete_vpn_connection("vpn-0123abcd")
def test_default_network_acl_created_with_vpc(): conn = boto.connect_vpc("the_key", "the secret") vpc = conn.create_vpc("10.0.0.0/16") all_network_acls = conn.get_all_network_acls() all_network_acls.should.have.length_of(2)
def setup_networking_deprecated(): conn = boto.connect_vpc() vpc = conn.create_vpc("10.11.0.0/16") subnet1 = conn.create_subnet(vpc.id, "10.11.1.0/24") subnet2 = conn.create_subnet(vpc.id, "10.11.2.0/24") return {'vpc': vpc.id, 'subnet1': subnet1.id, 'subnet2': subnet2.id}
def test_sec_group_rule_limit_vpc(): ec2_conn = boto.connect_ec2() vpc_conn = boto.connect_vpc() vpc = vpc_conn.create_vpc("10.0.0.0/16") sg = ec2_conn.create_security_group("test", "test", vpc_id=vpc.id) other_sg = ec2_conn.create_security_group("test_2", "test", vpc_id=vpc.id) # INGRESS with pytest.raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol="-1", cidr_ip=["{0}.0.0.0/0".format(i) for i in range(110)], ) cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded") sg.rules.should.be.empty # authorize a rule targeting a different sec group (because this count too) success = ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol="-1", src_security_group_group_id=other_sg.id ) success.should.be.true # fill the rules up the limit success = ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol="-1", cidr_ip=["{0}.0.0.0/0".format(i) for i in range(49)], ) # verify that we cannot authorize past the limit for a CIDR IP success.should.be.true with pytest.raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol="-1", cidr_ip=["100.0.0.0/0"] ) cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded") # verify that we cannot authorize past the limit for a different sec group with pytest.raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol="-1", src_security_group_group_id=other_sg.id ) cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded") # EGRESS # authorize a rule targeting a different sec group (because this count too) ec2_conn.authorize_security_group_egress( group_id=sg.id, ip_protocol="-1", src_group_id=other_sg.id ) # fill the rules up the limit # remember that by default, when created a sec group contains 1 egress rule # so our other_sg rule + 48 CIDR IP rules + 1 by default == 50 the limit for i in range(48): ec2_conn.authorize_security_group_egress( group_id=sg.id, ip_protocol="-1", cidr_ip="{0}.0.0.0/0".format(i) ) # verify that we cannot authorize past the limit for a CIDR IP with pytest.raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group_egress( group_id=sg.id, ip_protocol="-1", cidr_ip="50.0.0.0/0" ) cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded") # verify that we cannot authorize past the limit for a different sec group with pytest.raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group_egress( group_id=sg.id, ip_protocol="-1", src_group_id=other_sg.id ) cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded")
def test_route_table_replace_route_table_association(): """ Note: Boto has deprecated replace_route_table_assocation (which returns status) and now uses replace_route_table_assocation_with_assoc (which returns association ID). """ conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") route_table1 = conn.create_route_table(vpc.id) route_table2 = conn.create_route_table(vpc.id) all_route_tables = conn.get_all_route_tables() all_route_tables.should.have.length_of(4) # Refresh route_table1 = conn.get_all_route_tables(route_table1.id)[0] route_table1.associations.should.have.length_of(0) # Associate association_id1 = conn.associate_route_table(route_table1.id, subnet.id) # Refresh route_table1 = conn.get_all_route_tables(route_table1.id)[0] route_table2 = conn.get_all_route_tables(route_table2.id)[0] # Validate route_table1.associations.should.have.length_of(1) route_table2.associations.should.have.length_of(0) route_table1.associations[0].id.should.equal(association_id1) route_table1.associations[0].main.should.equal(False) route_table1.associations[0].route_table_id.should.equal(route_table1.id) route_table1.associations[0].subnet_id.should.equal(subnet.id) # Replace Association association_id2 = conn.replace_route_table_association_with_assoc( association_id1, route_table2.id) # Refresh route_table1 = conn.get_all_route_tables(route_table1.id)[0] route_table2 = conn.get_all_route_tables(route_table2.id)[0] # Validate route_table1.associations.should.have.length_of(0) route_table2.associations.should.have.length_of(1) route_table2.associations[0].id.should.equal(association_id2) route_table2.associations[0].main.should.equal(False) route_table2.associations[0].route_table_id.should.equal(route_table2.id) route_table2.associations[0].subnet_id.should.equal(subnet.id) # Replace Association is idempotent association_id_idempotent = conn.replace_route_table_association_with_assoc( association_id2, route_table2.id) association_id_idempotent.should.equal(association_id2) # Error: Replace association with invalid association ID with assert_raises(EC2ResponseError) as cm: conn.replace_route_table_association_with_assoc( "rtbassoc-1234abcd", route_table1.id) cm.exception.code.should.equal('InvalidAssociationID.NotFound') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none # Error: Replace association with invalid route table ID with assert_raises(EC2ResponseError) as cm: conn.replace_route_table_association_with_assoc( association_id2, "rtb-1234abcd") cm.exception.code.should.equal('InvalidRouteTableID.NotFound') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none
def test_describe_dhcp_options_invalid_id(): """get error on invalid dhcp_option_id lookup""" conn = boto.connect_vpc('the_key', 'the_secret') conn.get_all_dhcp_options.when.called_with( ["1"]).should.throw(EC2ResponseError)
def test_sec_group_rule_limit_vpc(): ec2_conn = boto.connect_ec2() vpc_conn = boto.connect_vpc() vpc = vpc_conn.create_vpc('10.0.0.0/8') sg = ec2_conn.create_security_group('test', 'test', vpc_id=vpc.id) other_sg = ec2_conn.create_security_group('test_2', 'test', vpc_id=vpc.id) # INGRESS with assert_raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol='-1', cidr_ip=['{0}.0.0.0/0'.format(i) for i in range(110)]) cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded') sg.rules.should.be.empty # authorize a rule targeting a different sec group (because this count too) success = ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol='-1', src_security_group_group_id=other_sg.id) success.should.be.true # fill the rules up the limit success = ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol='-1', cidr_ip=['{0}.0.0.0/0'.format(i) for i in range(49)]) # verify that we cannot authorize past the limit for a CIDR IP success.should.be.true with assert_raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group(group_id=sg.id, ip_protocol='-1', cidr_ip=['100.0.0.0/0']) cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded') # verify that we cannot authorize past the limit for a different sec group with assert_raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group( group_id=sg.id, ip_protocol='-1', src_security_group_group_id=other_sg.id) cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded') # EGRESS # authorize a rule targeting a different sec group (because this count too) ec2_conn.authorize_security_group_egress(group_id=sg.id, ip_protocol='-1', src_group_id=other_sg.id) # fill the rules up the limit # remember that by default, when created a sec group contains 1 egress rule # so our other_sg rule + 48 CIDR IP rules + 1 by default == 50 the limit for i in range(48): ec2_conn.authorize_security_group_egress( group_id=sg.id, ip_protocol='-1', cidr_ip='{0}.0.0.0/0'.format(i)) # verify that we cannot authorize past the limit for a CIDR IP with assert_raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group_egress(group_id=sg.id, ip_protocol='-1', cidr_ip='50.0.0.0/0') cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded') # verify that we cannot authorize past the limit for a different sec group with assert_raises(EC2ResponseError) as cm: ec2_conn.authorize_security_group_egress(group_id=sg.id, ip_protocol='-1', src_group_id=other_sg.id) cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded')
def test_delete_dhcp_options_invalid_id(): conn = boto.connect_vpc('the_key', 'the_secret') dhcp_option = conn.create_dhcp_options() conn.delete_dhcp_options.when.called_with("1").should.throw( EC2ResponseError)
def test_vpc_isdefault_filter(): conn = boto.connect_vpc("the_key", "the_secret") vpc = conn.create_vpc("10.0.0.0/16") conn.get_all_vpcs(filters={"isDefault": "true"}).should.have.length_of(1) vpc.delete() conn.get_all_vpcs(filters={"isDefault": "true"}).should.have.length_of(1)
def _connect(self): """Connects to the ec2 cloud provider :return: :py:class:`boto.ec2.connection.EC2Connection` :raises: Generic exception on error """ # check for existing connection if self._ec2_connection: return self._ec2_connection try: log.debug("Connecting to ec2 host %s", self._ec2host) region = ec2.regioninfo.RegionInfo(name=self._region_name, endpoint=self._ec2host) # connect to webservice ec2_connection = boto.connect_ec2( aws_access_key_id=self._access_key, aws_secret_access_key=self._secret_key, is_secure=self._secure, host=self._ec2host, port=self._ec2port, path=self._ec2path, region=region) log.debug("EC2 connection has been successful.") if self._vpc: vpc_connection = boto.connect_vpc( aws_access_key_id=self._access_key, aws_secret_access_key=self._secret_key, is_secure=self._secure, host=self._ec2host, port=self._ec2port, path=self._ec2path, region=region) log.debug("VPC connection has been successful.") for vpc in vpc_connection.get_all_vpcs(): log.debug("Checking whether %s matches %s/%s" % (self._vpc, vpc.tags['Name'], vpc.id)) if self._vpc in [vpc.tags['Name'], vpc.id]: self._vpc_id = vpc.id if self._vpc != self._vpc_id: log.debug("VPC %s matches %s" % (self._vpc, self._vpc_id)) break else: raise VpcError('VPC %s does not exist.' % self._vpc) # list images to see if the connection works # images = self._ec2_connection.get_all_images() # log.debug("%d images found on cloud %s", # len(images), self._ec2host) except Exception as e: log.error( "connection to ec2 could not be " "established: message=`%s`", str(e)) raise self._ec2_connection, self._vpc_connection = (ec2_connection, vpc_connection) return self._ec2_connection
def test_vpc_isdefault_filter(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") conn.get_all_vpcs(filters={'isDefault': 'true'}).should.have.length_of(1) vpc.delete() conn.get_all_vpcs(filters={'isDefault': 'true'}).should.have.length_of(1)
def test_instance_with_nic_attach_detach(): conn = boto.connect_vpc('the_key', 'the_secret') vpc = conn.create_vpc("10.0.0.0/16") subnet = conn.create_subnet(vpc.id, "10.0.0.0/18") security_group1 = conn.create_security_group( 'test security group #1', 'this is a test security group') security_group2 = conn.create_security_group( 'test security group #2', 'this is a test security group') reservation = conn.run_instances('ami-1234abcd', security_group_ids=[security_group1.id]) instance = reservation.instances[0] eni = conn.create_network_interface(subnet.id, groups=[security_group2.id]) # Check initial instance and ENI data instance.interfaces.should.have.length_of(1) eni.groups.should.have.length_of(1) set([group.id for group in eni.groups]).should.equal(set([security_group2.id])) # Attach with assert_raises(EC2ResponseError) as ex: conn.attach_network_interface(eni.id, instance.id, device_index=1, dry_run=True) ex.exception.error_code.should.equal('DryRunOperation') ex.exception.status.should.equal(400) ex.exception.message.should.equal( 'An error occurred (DryRunOperation) when calling the AttachNetworkInterface operation: Request would have succeeded, but DryRun flag is set' ) conn.attach_network_interface(eni.id, instance.id, device_index=1) # Check attached instance and ENI data instance.update() instance.interfaces.should.have.length_of(2) instance_eni = instance.interfaces[1] instance_eni.id.should.equal(eni.id) instance_eni.groups.should.have.length_of(2) set([group.id for group in instance_eni.groups ]).should.equal(set([security_group1.id, security_group2.id])) eni = conn.get_all_network_interfaces( filters={'network-interface-id': eni.id})[0] eni.groups.should.have.length_of(2) set([group.id for group in eni.groups ]).should.equal(set([security_group1.id, security_group2.id])) # Detach with assert_raises(EC2ResponseError) as ex: conn.detach_network_interface(instance_eni.attachment.id, dry_run=True) ex.exception.error_code.should.equal('DryRunOperation') ex.exception.status.should.equal(400) ex.exception.message.should.equal( 'An error occurred (DryRunOperation) when calling the DetachNetworkInterface operation: Request would have succeeded, but DryRun flag is set' ) conn.detach_network_interface(instance_eni.attachment.id) # Check detached instance and ENI data instance.update() instance.interfaces.should.have.length_of(1) eni = conn.get_all_network_interfaces( filters={'network-interface-id': eni.id})[0] eni.groups.should.have.length_of(1) set([group.id for group in eni.groups]).should.equal(set([security_group2.id])) # Detach with invalid attachment ID with assert_raises(EC2ResponseError) as cm: conn.detach_network_interface('eni-attach-1234abcd') cm.exception.code.should.equal('InvalidAttachmentID.NotFound') cm.exception.status.should.equal(400) cm.exception.request_id.should_not.be.none