def _create_security_group_abort_on_error(name, desc, rules):
ec2 = boto.ec2.connect_to_region(env.ec2_region)
try:
sg = ec2.create_security_group(name, desc, vpc_id=env.ec2_vpc_id)
except boto.exception.EC2ResponseError as e:
if e.error_code == 'InvalidGroup.Duplicate':
abort('\n'
'\n'
' "%s" security group already exists!' % name)
else:
abort('\n'
'\n'
' "%s" security group could not be created!: %s' %
(name, e.message))
for rule in rules:
ec2.authorize_security_group(
group_id=sg.id,
ip_protocol=rule[0],
from_port=rule[1],
to_port=rule[2],
cidr_ip=rule[3])
puts('\n'
' "%s" security group created successfully!' % name)
def authorize_security_group(self, group_id, rule):
"""
@group_id: string, the group id to add the rule to
@rule: dict {
'protocol': tcp | udp | icmp
'from_port': [1-65535]
'to_port': [1-65535]
'rule': string (ex. \
19.38.48.12/32, 0.0.0.0/0, 4328737383:stackdio-group)
}
"""
ec2 = self.connect_ec2()
kwargs = self._security_group_rule_to_kwargs(rule)
kwargs['group_id'] = group_id
logger.debug(kwargs)
try:
ec2.authorize_security_group(**kwargs)
except boto.exception.EC2ResponseError as e:
if e.error_message.startswith('Unable to find group'):
account_id = kwargs['src_security_group_owner_id']
err_msg = e.error_message + ' on account \'{0}\''.format(
account_id)
raise GroupNotFoundException(err_msg)
raise RuleExistsException(e.error_message)
def authorizeIp():
ec2.authorize_security_group(group_name=args.name,
group_id=args.id,
ip_protocol=args.ip_protocol,
from_port=args.from_port,
to_port=args.to_port,
cidr_ip=args.cidr_ip)
def authorize_security_group(self, group_id, rule):
"""
@group_id: string, the group id to add the rule to
@rule: dict {
'protocol': tcp | udp | icmp
'from_port': [1-65535]
'to_port': [1-65535]
'rule': string (ex. \
19.38.48.12/32, 0.0.0.0/0, 4328737383:stackdio-group)
}
"""
ec2 = self.connect_ec2()
kwargs = self._security_group_rule_to_kwargs(rule)
kwargs['group_id'] = group_id
logger.debug(kwargs)
try:
ec2.authorize_security_group(**kwargs)
except boto.exception.EC2ResponseError as e:
if e.error_message.startswith('Unable to find group'):
account_id = kwargs['src_security_group_owner_id']
err_msg = e.error_message + ' on account \'{0}\''.format(
account_id)
raise GroupNotFoundException(err_msg)
raise RuleExistsException(e.error_message)
def authorize_security_group(self, group_id, rule):
'''
@group_id: string, the group id to add the rule to
@rule: dict {
'protocol': tcp | udp | icmp
'from_port': [1-65535]
'to_port': [1-65535]
'rule': string (ex. \
19.38.48.12/32, 0.0.0.0/0, 4328737383:stackdio-group)
}
'''
ec2 = self.connect_ec2()
kwargs = self._security_group_rule_to_kwargs(rule)
kwargs['group_id'] = group_id
try:
ec2.authorize_security_group(**kwargs)
except boto.exception.EC2ResponseError, e:
if e.status == 400:
if e.error_message.startswith('Unable to find group'):
account_id = kwargs['src_security_group_owner_id']
err_msg = e.error_message + ' on account \'{0}\''.format(
account_id)
raise BadRequest(err_msg)
raise BadRequest(e.error_message)
raise InternalServerError(e.error_message)
def authorizeSource():
ec2.authorize_security_group(
group_name=args.name,
group_id=args.id,
ip_protocol=args.ip_protocol,
from_port=args.from_port,
to_port=args.to_port,
src_security_group_name=args.security_group_name,
src_security_group_group_id=args.security_group_id)
def allow_source_traffic(sg=None, src=None):
if sg is None or src is None:
abort('\n'
'\n'
' You must specify the id of a security group as well as the id of the:\n'
' source security group:\n'
' fab allow_source_traffic:sg=sg-xxxxxx,src=sg-yyyyyyyy\n')
ec2 = boto.ec2.connect_to_region(env.ec2_region)
ec2.authorize_security_group(
group_id=sg,
ip_protocol=-1,
from_port=0,
to_port=65535,
src_security_group_group_id=src)
puts('\n'
' "%s" security group updated successfully!' % sg)
def authorizeSource():
ec2.authorize_security_group(group_name=args.name, group_id=args.id, ip_protocol=args.ip_protocol,
from_port=args.from_port, to_port=args.to_port,
src_security_group_name=args.security_group_name, src_security_group_group_id=args.security_group_id)
def authorizeIp():
ec2.authorize_security_group(group_name=args.name, group_id=args.id, ip_protocol=args.ip_protocol,
from_port=args.from_port, to_port=args.to_port, cidr_ip=args.cidr_ip)
def authorize_ports( ec2, proto, ports, sg, src, all_sg ):
### we expect a list of ports. single entry is single
### port. if it's a tuple, it's a range. if it's a *
### it's all
for r in ports:
range = ( None, None )
if r == "*":
range = ( 1, 65535 )
elif type( r ) is tuple:
range = r
else:
range = (r, r)
### what are we authorizing?
logging.info( " Authorizing to %s:%s: %s:%s %s-%s" %
( ec2.region.name, sg, proto, src, range[0], range[1] ) )
### the target is either a security group or an ip
if re.search( "^[.\d/]+$", src ):
### if it's an ip, make sure it's in slash notation
if not re.search( "/", src ):
src = "%s/32" % ( src )
try:
rv = ec2.authorize_security_group( sg,
ip_protocol = proto,
from_port = range[0],
to_port = range[1],
cidr_ip = src )
if not rv:
logging.error( " Failed to authorize %s -> %s" % ( src, sg ) )
#pass
except boto.exception.EC2ResponseError as (errstr):
### don't care about InvalidPermission.Duplicate errors
if not re.search( "InvalidPermission.Duplicate", errstr.body ):
logging.error( " Failed: %s" % errstr )
### we are authorizing a security group, so just use name
### and and owner ID:
else:
### we only authorize krux labeled security groups
#if not re.match( "krux|default|ElasticMapReduc", src ):
# logging.warn( " SG %s is not a krux group, skipping" % src )
# return None
try:
rv = ec2.authorize_security_group( sg,
src_security_group_name = src,
ip_protocol = proto,
from_port = range[0],
to_port = range[1],
src_security_group_owner_id = AWS_ACCOUNT_ID )
if not rv:
logging.error( " Failed to authorize %s -> %s" % ( src, sg ) )
except boto.exception.EC2ResponseError as (errstr):
### don't care about InvalidPermission.Duplicate errors
if not re.search( "InvalidPermission.Duplicate", errstr.body ):
logging.error( " Failed: %s" % errstr )
def authorize_ports(ec2, proto, ports, sg, src, all_sg):
### we expect a list of ports. single entry is single
### port. if it's a tuple, it's a range. if it's a *
### it's all
for r in ports:
range = (None, None)
if r == "*":
range = (1, 65535)
elif type(r) is tuple:
range = r
else:
range = (r, r)
### what are we authorizing?
logging.info(" Authorizing to %s:%s: %s:%s %s-%s" % (ec2.region.name, sg, proto, src, range[0], range[1]))
### the target is either a security group or an ip
if re.search("^[.\d/]+$", src):
### if it's an ip, make sure it's in slash notation
if not re.search("/", src):
src = "%s/32" % (src)
try:
rv = ec2.authorize_security_group(
sg, ip_protocol=proto, from_port=range[0], to_port=range[1], cidr_ip=src
)
if not rv:
logging.error(" Failed to authorize %s -> %s" % (src, sg))
# pass
except boto.exception.EC2ResponseError as (errstr):
### don't care about InvalidPermission.Duplicate errors
if not re.search("InvalidPermission.Duplicate", errstr.body):
logging.error(" Failed: %s" % errstr)
### we are authorizing a security group, so just use name
### and and owner ID:
else:
### we only authorize krux labeled security groups
# if not re.match( "krux|default|ElasticMapReduc", src ):
# logging.warn( " SG %s is not a krux group, skipping" % src )
# return None
try:
rv = ec2.authorize_security_group(
sg,
src_security_group_name=src,
ip_protocol=proto,
from_port=range[0],
to_port=range[1],
src_security_group_owner_id=AWS_ACCOUNT_ID,
)
if not rv:
logging.error(" Failed to authorize %s -> %s" % (src, sg))
except boto.exception.EC2ResponseError as (errstr):
### don't care about InvalidPermission.Duplicate errors
if not re.search("InvalidPermission.Duplicate", errstr.body):
logging.error(" Failed: %s" % errstr)