def _create_security_group_abort_on_error(name, desc, rules):
    ec2 = boto.ec2.connect_to_region(env.ec2_region)
    try:
        sg = ec2.create_security_group(name, desc, vpc_id=env.ec2_vpc_id)
    except boto.exception.EC2ResponseError as e:
        if e.error_code == 'InvalidGroup.Duplicate':
            abort('\n'
                  '\n'
                  '    "%s" security group already exists!' % name)
        else:
            abort('\n'
                  '\n'
                  '    "%s" security group could not be created!: %s' %
                  (name, e.message))

    for rule in rules:
        ec2.authorize_security_group(
            group_id=sg.id,
            ip_protocol=rule[0],
            from_port=rule[1],
            to_port=rule[2],
            cidr_ip=rule[3])

    puts('\n'
         '    "%s" security group created successfully!' % name)
Example #2
0
    def authorize_security_group(self, group_id, rule):
        """
        @group_id: string, the group id to add the rule to
        @rule: dict {
            'protocol': tcp | udp | icmp
            'from_port': [1-65535]
            'to_port': [1-65535]
            'rule': string (ex. \
                19.38.48.12/32, 0.0.0.0/0, 4328737383:stackdio-group)
        }
        """
        ec2 = self.connect_ec2()
        kwargs = self._security_group_rule_to_kwargs(rule)
        kwargs['group_id'] = group_id

        logger.debug(kwargs)

        try:
            ec2.authorize_security_group(**kwargs)
        except boto.exception.EC2ResponseError as e:
            if e.error_message.startswith('Unable to find group'):
                account_id = kwargs['src_security_group_owner_id']
                err_msg = e.error_message + ' on account \'{0}\''.format(
                    account_id)
                raise GroupNotFoundException(err_msg)
            raise RuleExistsException(e.error_message)
def authorizeIp():
    ec2.authorize_security_group(group_name=args.name,
                                 group_id=args.id,
                                 ip_protocol=args.ip_protocol,
                                 from_port=args.from_port,
                                 to_port=args.to_port,
                                 cidr_ip=args.cidr_ip)
Example #4
0
    def authorize_security_group(self, group_id, rule):
        """
        @group_id: string, the group id to add the rule to
        @rule: dict {
            'protocol': tcp | udp | icmp
            'from_port': [1-65535]
            'to_port': [1-65535]
            'rule': string (ex. \
                19.38.48.12/32, 0.0.0.0/0, 4328737383:stackdio-group)
        }
        """
        ec2 = self.connect_ec2()
        kwargs = self._security_group_rule_to_kwargs(rule)
        kwargs['group_id'] = group_id

        logger.debug(kwargs)

        try:
            ec2.authorize_security_group(**kwargs)
        except boto.exception.EC2ResponseError as e:
            if e.error_message.startswith('Unable to find group'):
                account_id = kwargs['src_security_group_owner_id']
                err_msg = e.error_message + ' on account \'{0}\''.format(
                    account_id)
                raise GroupNotFoundException(err_msg)
            raise RuleExistsException(e.error_message)
Example #5
0
    def authorize_security_group(self, group_id, rule):
        '''
        @group_id: string, the group id to add the rule to
        @rule: dict {
            'protocol': tcp | udp | icmp
            'from_port': [1-65535]
            'to_port': [1-65535]
            'rule': string (ex. \
                19.38.48.12/32, 0.0.0.0/0, 4328737383:stackdio-group)
        }
        '''
        ec2 = self.connect_ec2()
        kwargs = self._security_group_rule_to_kwargs(rule)
        kwargs['group_id'] = group_id

        try:
            ec2.authorize_security_group(**kwargs)
        except boto.exception.EC2ResponseError, e:
            if e.status == 400:
                if e.error_message.startswith('Unable to find group'):
                    account_id = kwargs['src_security_group_owner_id']
                    err_msg = e.error_message + ' on account \'{0}\''.format(
                        account_id)
                    raise BadRequest(err_msg)
                raise BadRequest(e.error_message)
            raise InternalServerError(e.error_message)
def authorizeSource():
    ec2.authorize_security_group(
        group_name=args.name,
        group_id=args.id,
        ip_protocol=args.ip_protocol,
        from_port=args.from_port,
        to_port=args.to_port,
        src_security_group_name=args.security_group_name,
        src_security_group_group_id=args.security_group_id)
def allow_source_traffic(sg=None, src=None):
    if sg is None or src is None:
        abort('\n'
              '\n'
              '    You must specify the id of a security group as well as the id of the:\n'
              '    source security group:\n'
              '        fab allow_source_traffic:sg=sg-xxxxxx,src=sg-yyyyyyyy\n')

    ec2 = boto.ec2.connect_to_region(env.ec2_region)
    ec2.authorize_security_group(
        group_id=sg,
        ip_protocol=-1,
        from_port=0,
        to_port=65535,
        src_security_group_group_id=src)

    puts('\n'
         '    "%s" security group updated successfully!' % sg)
def authorizeSource():
    ec2.authorize_security_group(group_name=args.name, group_id=args.id, ip_protocol=args.ip_protocol,
                                 from_port=args.from_port, to_port=args.to_port,
                                 src_security_group_name=args.security_group_name, src_security_group_group_id=args.security_group_id)
def authorizeIp():
    ec2.authorize_security_group(group_name=args.name, group_id=args.id, ip_protocol=args.ip_protocol,
                                 from_port=args.from_port, to_port=args.to_port, cidr_ip=args.cidr_ip)
Example #10
0
def authorize_ports( ec2, proto, ports, sg, src, all_sg ):

  ### we expect a list of ports. single entry is single
  ### port. if it's a tuple, it's a range. if it's a *
  ### it's all
  for r in ports:
    range = ( None, None )
      
    if r == "*":
      range = ( 1, 65535 )
    elif type( r ) is tuple:
      range = r
    else:
      range = (r, r)

    ### what are we authorizing?
    logging.info( "  Authorizing to %s:%s: %s:%s %s-%s" %
                  ( ec2.region.name, sg, proto, src, range[0], range[1] ) )

    ### the target is either a security group or an ip
    if re.search( "^[.\d/]+$", src ): 

      ### if it's an ip, make sure it's in slash notation    
      if not re.search( "/", src ):
        src = "%s/32" % ( src )

      try:
        rv = ec2.authorize_security_group( sg, 
                                      ip_protocol = proto,
                                      from_port   = range[0],
                                      to_port     = range[1],
                                      cidr_ip     = src )
        if not rv:
          logging.error( "  Failed to authorize %s -> %s" % ( src, sg ) ) 
        
          #pass

      except boto.exception.EC2ResponseError as (errstr):  
        ### don't care about InvalidPermission.Duplicate errors
        if not re.search( "InvalidPermission.Duplicate", errstr.body ):
          logging.error( "  Failed: %s" % errstr )

    ### we are authorizing a security group, so just use name 
    ### and and owner ID:
    else:

      ### we only authorize krux labeled security groups
      #if not re.match( "krux|default|ElasticMapReduc", src ):
      #  logging.warn( "  SG %s is not a krux group, skipping" % src )
      #  return None 

      try:
        rv = ec2.authorize_security_group( sg, 
            src_security_group_name     = src,
            ip_protocol                 = proto,
            from_port                   = range[0],
            to_port                     = range[1],
            src_security_group_owner_id = AWS_ACCOUNT_ID )

        if not rv:
          logging.error( "  Failed to authorize %s -> %s" % ( src, sg ) ) 
    
      except boto.exception.EC2ResponseError as (errstr):
        ### don't care about InvalidPermission.Duplicate errors
        if not re.search( "InvalidPermission.Duplicate", errstr.body ):
          logging.error( "  Failed: %s" % errstr )
Example #11
0
def authorize_ports(ec2, proto, ports, sg, src, all_sg):

    ### we expect a list of ports. single entry is single
    ### port. if it's a tuple, it's a range. if it's a *
    ### it's all
    for r in ports:
        range = (None, None)

        if r == "*":
            range = (1, 65535)
        elif type(r) is tuple:
            range = r
        else:
            range = (r, r)

        ### what are we authorizing?
        logging.info("  Authorizing to %s:%s: %s:%s %s-%s" % (ec2.region.name, sg, proto, src, range[0], range[1]))

        ### the target is either a security group or an ip
        if re.search("^[.\d/]+$", src):

            ### if it's an ip, make sure it's in slash notation
            if not re.search("/", src):
                src = "%s/32" % (src)

            try:
                rv = ec2.authorize_security_group(
                    sg, ip_protocol=proto, from_port=range[0], to_port=range[1], cidr_ip=src
                )
                if not rv:
                    logging.error("  Failed to authorize %s -> %s" % (src, sg))

                    # pass

            except boto.exception.EC2ResponseError as (errstr):
                ### don't care about InvalidPermission.Duplicate errors
                if not re.search("InvalidPermission.Duplicate", errstr.body):
                    logging.error("  Failed: %s" % errstr)

        ### we are authorizing a security group, so just use name
        ### and and owner ID:
        else:

            ### we only authorize krux labeled security groups
            # if not re.match( "krux|default|ElasticMapReduc", src ):
            #  logging.warn( "  SG %s is not a krux group, skipping" % src )
            #  return None

            try:
                rv = ec2.authorize_security_group(
                    sg,
                    src_security_group_name=src,
                    ip_protocol=proto,
                    from_port=range[0],
                    to_port=range[1],
                    src_security_group_owner_id=AWS_ACCOUNT_ID,
                )

                if not rv:
                    logging.error("  Failed to authorize %s -> %s" % (src, sg))

            except boto.exception.EC2ResponseError as (errstr):
                ### don't care about InvalidPermission.Duplicate errors
                if not re.search("InvalidPermission.Duplicate", errstr.body):
                    logging.error("  Failed: %s" % errstr)