Ejemplos de Fortress en Python

Ejemplo n.º 1

def test_create_fortress(enable_github, requests_mock):
    if enable_github:
        requests_mock.get("https://api.github.com/meta", json=GITHUB_API_RANGE)
    requests_mock.get("https://ip-ranges.amazonaws.com/ip-ranges.json",
                      json=AWS_IP_RANGES)
    aws_env = AWSEnv(regions=["us-east-1"], stub=True)
    with default_region("us-east-1"):
        stub = aws_env.stub("ec2", region="us-east-1")
        stub.add_response(
            "describe_images",
            {
                "Images": [{
                    "ImageId": "ami-1234",
                    "RootDeviceName": "/dev/sda1",
                    "Tags": []
                }]
            },
            {"ImageIds": ANY},
        )
        stub.add_response(
            "describe_images",
            {
                "Images": [{
                    "ImageId": "ami-1234",
                    "RootDeviceName": "/dev/sda1",
                    "Tags": []
                }]
            },
            {"ImageIds": ANY},
        )
        d = PolicyDocument().append(
            Allow(
                to="s3:GetObject",
                on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
            ))
        p = Policy("InternalPolicy", d)
        f = Fortress(
            "myfortress",
            allow_ssh_from="0.0.0.0/0",
            bastion_ami=AMI("ami-1234"),
            internal_server_policy=p,
        )
        f += Bucket("Bucket2")

        # Allow access to mybucket through a s3 endpoint
        f.private_subnet.add_bucket_access(["mybucket", f["Bucket2"]])

        # Allow access to a secret throught a secretsmanager endpoint
        f.add_secret_access("arn_secret")

        # Allow access to lambdas throught lambda endpoints
        f.add_secret_access(["arn_lambda_1", "arn_lambda_2"])

        # allow https
        f.add_network_access("https")
        f.add_private_server(AMI("ami-1234"), ["server1", "server2"],
                             github_access=enable_github)

        assert f.body

Ejemplo n.º 2

Archivo: main_test.py Proyecto: flingure/e3-aws

def test_create_fortress_no_bastion():
    aws_env = AWSEnv(regions=['us-east-1'], stub=True)
    with default_region('us-east-1'):
        stub = aws_env.stub('ec2', region='us-east-1')
        stub.add_response(
            'describe_images', {
                'Images': [{
                    'ImageId': 'ami-1234',
                    'RootDeviceName': '/dev/sda1',
                    'Tags': []
                }]
            }, {'ImageIds': ANY})
        stub.add_response(
            'describe_images', {
                'Images': [{
                    'ImageId': 'ami-1234',
                    'RootDeviceName': '/dev/sda1',
                    'Tags': []
                }]
            }, {'ImageIds': ANY})
        d = PolicyDocument().append(
            Allow(to='s3:GetObject',
                  on=['arn:aws:s3:::mybucket', 'arn:aws:s3:::mybucket/*']))
        p = Policy('InternalPolicy', d)
        f = Fortress('myfortress', bastion_ami=None, internal_server_policy=p)
        f += Bucket('Bucket2')

        # Allow access to mybucket through a s3 endpoint
        f.private_subnet.add_bucket_access(['mybucket', f['Bucket2']])

        # allow https
        f.add_network_access('https')
        f.add_private_server(AMI('ami-1234'), ['server1', 'server2'])

        assert f.body

Ejemplo n.º 3

def test_create_fortress_with_too_much_sgs():
    aws_env = AWSEnv(regions=["us-east-1"], stub=True)
    with default_region("us-east-1"):
        stub = aws_env.stub("ec2", region="us-east-1")
        stub.add_response(
            "describe_images",
            {
                "Images": [{
                    "ImageId": "ami-1234",
                    "RootDeviceName": "/dev/sda1",
                    "Tags": []
                }]
            },
            {"ImageIds": ANY},
        )

        d = PolicyDocument().append(
            Allow(
                to="s3:GetObject",
                on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
            ))
        p = Policy("InternalPolicy", d)
        f = Fortress("myfortress", bastion_ami=None, internal_server_policy=p)

        # Adding 16 extra security groups should raise an exception (The maximum
        # number of security groups is 16 and there is a default InternalSG)
        sg_groups = [
            SecurityGroup(name=f"sg{id}", vpc=f.vpc.vpc) for id in range(16)
        ]
        with pytest.raises(AWSFortressError):
            f.add_private_server(
                AMI("ami-1234"),
                ["server1"],
                amazon_access=False,
                github_access=False,
                extra_groups=sg_groups,
            )

Ejemplo n.º 4

def test_create_fortress_no_bastion():
    aws_env = AWSEnv(regions=["us-east-1"], stub=True)
    with default_region("us-east-1"):
        stub = aws_env.stub("ec2", region="us-east-1")
        stub.add_response(
            "describe_images",
            {
                "Images": [{
                    "ImageId": "ami-1234",
                    "RootDeviceName": "/dev/sda1",
                    "Tags": []
                }]
            },
            {"ImageIds": ANY},
        )
        stub.add_response(
            "describe_images",
            {
                "Images": [{
                    "ImageId": "ami-1234",
                    "RootDeviceName": "/dev/sda1",
                    "Tags": []
                }]
            },
            {"ImageIds": ANY},
        )
        d = PolicyDocument().append(
            Allow(
                to="s3:GetObject",
                on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
            ))
        p = Policy("InternalPolicy", d)
        f = Fortress("myfortress", bastion_ami=None, internal_server_policy=p)
        f += Bucket("Bucket2")

        # Allow access to mybucket through a s3 endpoint
        f.private_subnet.add_bucket_access(["mybucket", f["Bucket2"]])

        # Allow access to a secret throught a secretsmanager endpoint
        f.add_secret_access("arn_secret")

        # allow https
        f.add_network_access("https")
        f.add_private_server(AMI("ami-1234"), ["server1", "server2"])

        assert f.body