def test_brkt_env_encrypt(self):
""" Test that we parse the brkt_env value and pass the correct
values to user_data when launching the encryptor instance.
"""
api_host_port = 'api.example.com:777'
hsmproxy_host_port = 'hsmproxy.example.com:888'
aws_svc, encryptor_image, guest_image = build_aws_service()
def run_instance_callback(args):
if args.image_id == encryptor_image.id:
brkt_config = self._get_brkt_config_from_mime(args.user_data)
d = json.loads(brkt_config)
self.assertEquals(api_host_port, d['brkt']['api_host'])
self.assertEquals(hsmproxy_host_port,
d['brkt']['hsmproxy_host'])
cli_args = '--brkt-env %s,%s' % (api_host_port, hsmproxy_host_port)
values = instance_config_args_to_values(cli_args)
brkt_env = brkt_cli.brkt_env_from_values(values)
ic = make_instance_config(values, brkt_env)
aws_svc.run_instance_callback = run_instance_callback
encrypt_ami.encrypt(aws_svc=aws_svc,
enc_svc_cls=DummyEncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_image.id,
instance_config=ic)
def test_brkt_env_update(self):
""" Test that the Bracket environment is passed through to metavisor
user data.
"""
aws_svc, encryptor_image, guest_image = build_aws_service()
encrypted_ami_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=DummyEncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_image.id)
api_host_port = 'api.example.com:777'
hsmproxy_host_port = 'hsmproxy.example.com:888'
cli_args = '--brkt-env %s,%s' % (api_host_port, hsmproxy_host_port)
values = instance_config_args_to_values(cli_args)
brkt_env = brkt_cli.brkt_env_from_values(values)
ic = make_instance_config(values, brkt_env)
def run_instance_callback(args):
if args.image_id == encryptor_image.id:
brkt_config = self._get_brkt_config_from_mime(args.user_data)
d = json.loads(brkt_config)
self.assertEquals(api_host_port, d['brkt']['api_host'])
self.assertEquals(hsmproxy_host_port,
d['brkt']['hsmproxy_host'])
self.assertEquals('updater', d['brkt']['solo_mode'])
aws_svc.run_instance_callback = run_instance_callback
update_ami(aws_svc,
encrypted_ami_id,
encryptor_image.id,
'Test updated AMI',
enc_svc_class=DummyEncryptorService,
instance_config=ic)
def test_brkt_env_encrypt(self):
""" Test that we parse the brkt_env value and pass the correct
values to user_data when launching the encryptor instance.
"""
api_host_port = 'api.example.com:777'
hsmproxy_host_port = 'hsmproxy.example.com:888'
aws_svc, encryptor_image, guest_image = build_aws_service()
def run_instance_callback(args):
if args.image_id == encryptor_image.id:
brkt_config = self._get_brkt_config_from_mime(args.user_data)
d = json.loads(brkt_config)
self.assertEquals(
api_host_port,
d['brkt']['api_host']
)
self.assertEquals(
hsmproxy_host_port,
d['brkt']['hsmproxy_host']
)
cli_args = '--brkt-env %s,%s' % (api_host_port, hsmproxy_host_port)
values = instance_config_args_to_values(cli_args)
brkt_env = brkt_cli.brkt_env_from_values(values)
ic = make_instance_config(values, brkt_env)
aws_svc.run_instance_callback = run_instance_callback
encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=DummyEncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_image.id,
instance_config=ic
)
def _get_brkt_config_for_cli_args(cli_args='', mode=INSTANCE_CREATOR_MODE):
values = instance_config_args_to_values(cli_args)
brkt_env = brkt_cli.brkt_env_from_values(values)
ic = make_instance_config(values, brkt_env, mode=mode)
ud = ic.make_userdata()
brkt_config_json = get_mime_part_payload(ud, BRKT_CONFIG_CONTENT_TYPE)
brkt_config = json.loads(brkt_config_json)['brkt']
return brkt_config
def _get_brkt_config_for_cli_args(cli_args='', mode=INSTANCE_CREATOR_MODE):
values = instance_config_args_to_values(cli_args)
brkt_env = brkt_cli.brkt_env_from_values(values)
ic = make_instance_config(values, brkt_env, mode=mode)
ud = ic.make_userdata()
brkt_config_json = get_mime_part_payload(ud, BRKT_CONFIG_CONTENT_TYPE)
brkt_config = json.loads(brkt_config_json)['brkt']
return brkt_config
def test_ca_cert(self):
domain = 'dummy.foo.com'
# First make sure that you can't use --ca-cert without specifying endpoints
cli_args = '--ca-cert dummy.crt'
values = instance_config_args_to_values(cli_args)
with self.assertRaises(ValidationError):
ic = make_instance_config(values)
# Now specify endpoint args but use a bogus cert
endpoint_args = '--brkt-env api.%s:7777,hsmproxy.%s:8888' % (domain,
domain)
dummy_ca_cert = 'THIS IS NOT A CERTIFICATE'
with tempfile.NamedTemporaryFile() as f:
f.write(dummy_ca_cert)
f.flush()
cli_args = endpoint_args + ' --ca-cert %s' % f.name
values = instance_config_args_to_values(cli_args)
with self.assertRaises(ValidationError):
ic = make_instance_config(values)
# Now use endpoint args and a valid cert
cli_args = endpoint_args + ' --ca-cert %s' % _get_ca_cert_filename()
values = instance_config_args_to_values(cli_args)
brkt_env = brkt_cli.brkt_env_from_values(values)
ic = make_instance_config(values, brkt_env)
ud = ic.make_userdata()
brkt_files = get_mime_part_payload(ud, BRKT_FILES_CONTENT_TYPE)
self.assertTrue(
brkt_files.startswith(
"/var/brkt/ami_config/ca_cert.pem.dummy.foo.com: " +
"{contents: '-----BEGIN CERTIFICATE-----"))
# Make sure the --ca-cert arg is only recognized in 'creator' mode
# prevent stderr message from parse_args
sys.stderr = open(os.devnull, 'w')
try:
values = instance_config_args_to_values(
cli_args, mode=INSTANCE_METAVISOR_MODE)
except SystemExit:
pass
else:
self.assertTrue(False, 'Did not get expected exception')
sys.stderr.close()
sys.stderr = sys.__stderr__
def command_encrypt_ami(values):
session_id = util.make_nonce()
aws_svc = aws_service.AWSService(
session_id,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
if values.validate:
guest_image = _validate_guest_ami(aws_svc, values.ami)
else:
guest_image = aws_svc.get_image(values.ami)
pv = _use_pv_metavisor(values, guest_image)
encryptor_ami = (values.encryptor_ami
or _get_encryptor_ami(values.region, pv=pv))
default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate(aws_svc, values, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
encrypted_image_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_ami,
encrypted_ami_name=values.encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
save_encryptor_logs=values.save_encryptor_logs)
# Print the AMI ID to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def test_ca_cert(self):
domain = 'dummy.foo.com'
# First make sure that you can't use --ca-cert without specifying endpoints
cli_args = '--ca-cert dummy.crt'
values = instance_config_args_to_values(cli_args)
with self.assertRaises(ValidationError):
ic = make_instance_config(values)
# Now specify endpoint args but use a bogus cert
endpoint_args = '--brkt-env api.%s:7777,hsmproxy.%s:8888' % (domain, domain)
dummy_ca_cert = 'THIS IS NOT A CERTIFICATE'
with tempfile.NamedTemporaryFile() as f:
f.write(dummy_ca_cert)
f.flush()
cli_args = endpoint_args + ' --ca-cert %s' % f.name
values = instance_config_args_to_values(cli_args)
with self.assertRaises(ValidationError):
ic = make_instance_config(values)
# Now use endpoint args and a valid cert
cli_args = endpoint_args + ' --ca-cert %s' % _get_ca_cert_filename()
values = instance_config_args_to_values(cli_args)
brkt_env = brkt_cli.brkt_env_from_values(values)
ic = make_instance_config(values, brkt_env)
ud = ic.make_userdata()
brkt_files = get_mime_part_payload(ud, BRKT_FILES_CONTENT_TYPE)
self.assertTrue(brkt_files.startswith(
"/var/brkt/ami_config/ca_cert.pem.dummy.foo.com: " +
"{contents: '-----BEGIN CERTIFICATE-----"))
# Make sure the --ca-cert arg is only recognized in 'creator' mode
# prevent stderr message from parse_args
sys.stderr = open(os.devnull, 'w')
try:
values = instance_config_args_to_values(cli_args,
mode=INSTANCE_METAVISOR_MODE)
except SystemExit:
pass
else:
self.assertTrue(False, 'Did not get expected exception')
sys.stderr.close()
sys.stderr = sys.__stderr__
def test_brkt_env_update(self):
""" Test that the Bracket environment is passed through to metavisor
user data.
"""
aws_svc, encryptor_image, guest_image = build_aws_service()
encrypted_ami_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=DummyEncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_image.id
)
api_host_port = 'api.example.com:777'
hsmproxy_host_port = 'hsmproxy.example.com:888'
cli_args = '--brkt-env %s,%s' % (api_host_port, hsmproxy_host_port)
values = instance_config_args_to_values(cli_args)
brkt_env = brkt_cli.brkt_env_from_values(values)
ic = make_instance_config(values, brkt_env)
def run_instance_callback(args):
if args.image_id == encryptor_image.id:
brkt_config = self._get_brkt_config_from_mime(args.user_data)
d = json.loads(brkt_config)
self.assertEquals(
api_host_port,
d['brkt']['api_host']
)
self.assertEquals(
hsmproxy_host_port,
d['brkt']['hsmproxy_host']
)
self.assertEquals(
'updater',
d['brkt']['solo_mode']
)
aws_svc.run_instance_callback = run_instance_callback
update_ami(
aws_svc, encrypted_ami_id, encryptor_image.id,
'Test updated AMI',
enc_svc_class=DummyEncryptorService,
instance_config=ic
)
def command_encrypt_gce_image(values, log):
session_id = util.make_nonce()
gce_svc = gce_service.GCEService(values.project, session_id, log)
check_args(values, gce_svc)
encrypted_image_name = gce_service.get_image_name(values.encrypted_image_name, values.image)
gce_service.validate_image_name(encrypted_image_name)
gce_service.validate_images(gce_svc,
encrypted_image_name,
values.encryptor_image,
values.image,
values.image_project)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
log.info('Starting encryptor session %s', gce_svc.get_session_id())
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
encrypted_image_id = encrypt_gce_image.encrypt(
gce_svc=gce_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=values.image,
encryptor_image=values.encryptor_image,
encrypted_image_name=encrypted_image_name,
zone=values.zone,
instance_config=make_instance_config(
values, brkt_env,mode=INSTANCE_CREATOR_MODE),
image_project=values.image_project,
keep_encryptor=values.keep_encryptor,
image_file=values.image_file,
image_bucket=values.bucket,
network=values.network,
status_port=values.status_port
)
# Print the image name to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def command_update_encrypted_gce_image(values, log):
session_id = util.make_nonce()
gce_svc = gce_service.GCEService(values.project, session_id, log)
check_args(values, gce_svc)
encrypted_image_name = gce_service.get_image_name(values.encrypted_image_name, values.image)
gce_service.validate_image_name(encrypted_image_name)
gce_service.validate_images(gce_svc,
encrypted_image_name,
values.encryptor_image,
values.image,
values.image_project)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
log.info('Starting updater session %s', gce_svc.get_session_id())
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
updated_image_id = update_gce_image.update_gce_image(
gce_svc=gce_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=values.image,
encryptor_image=values.encryptor_image,
encrypted_image_name=encrypted_image_name,
zone=values.zone,
instance_config=make_instance_config(
values, brkt_env,mode=INSTANCE_UPDATER_MODE),
keep_encryptor=values.keep_encryptor,
image_file=values.image_file,
image_bucket=values.bucket,
network=values.network,
status_port=values.status_port
)
print(updated_image_id)
return 0
def command_encrypt_gce_image(values, log):
session_id = util.make_nonce()
gce_svc = gce_service.GCEService(values.project, session_id, log)
check_args(values, gce_svc)
encrypted_image_name = gce_service.get_image_name(
values.encrypted_image_name, values.image)
gce_service.validate_image_name(encrypted_image_name)
gce_service.validate_images(gce_svc, encrypted_image_name,
values.encryptor_image, values.image,
values.image_project)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
log.info('Starting encryptor session %s', gce_svc.get_session_id())
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
encrypted_image_id = encrypt_gce_image.encrypt(
gce_svc=gce_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=values.image,
encryptor_image=values.encryptor_image,
encrypted_image_name=encrypted_image_name,
zone=values.zone,
instance_config=make_instance_config(values,
brkt_env,
mode=INSTANCE_CREATOR_MODE),
image_project=values.image_project,
keep_encryptor=values.keep_encryptor,
image_file=values.image_file,
image_bucket=values.bucket,
network=values.network,
status_port=values.status_port)
# Print the image name to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def command_update_encrypted_gce_image(values, log):
session_id = util.make_nonce()
gce_svc = gce_service.GCEService(values.project, session_id, log)
check_args(values, gce_svc)
encrypted_image_name = gce_service.get_image_name(
values.encrypted_image_name, values.image)
gce_service.validate_image_name(encrypted_image_name)
gce_service.validate_images(gce_svc, encrypted_image_name,
values.encryptor_image, values.image,
values.image_project)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
log.info('Starting updater session %s', gce_svc.get_session_id())
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
updated_image_id = update_gce_image.update_gce_image(
gce_svc=gce_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=values.image,
encryptor_image=values.encryptor_image,
encrypted_image_name=encrypted_image_name,
zone=values.zone,
instance_config=make_instance_config(values,
brkt_env,
mode=INSTANCE_UPDATER_MODE),
keep_encryptor=values.keep_encryptor,
image_file=values.image_file,
image_bucket=values.bucket,
network=values.network,
status_port=values.status_port)
print(updated_image_id)
return 0
def command_launch_gce_image(values, log):
gce_svc = gce_service.GCEService(values.project, None, log)
brkt_env = brkt_cli.brkt_env_from_values(values)
instance_config = make_instance_config(values,
brkt_env,
mode=INSTANCE_METAVISOR_MODE)
if values.startup_script:
extra_items = [{
'key': 'startup-script',
'value': values.startup_script
}]
else:
extra_items = None
brkt_userdata = instance_config.make_userdata()
metadata = gce_service.gce_metadata_from_userdata(brkt_userdata,
extra_items=extra_items)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
launch_gce_image.launch(log, gce_svc, values.image, values.instance_name,
values.zone, values.delete_boot,
values.instance_type, metadata)
return 0
def command_launch_gce_image(values, log):
gce_svc = gce_service.GCEService(values.project, None, log)
brkt_env = brkt_cli.brkt_env_from_values(values)
instance_config = make_instance_config(values, brkt_env,
mode=INSTANCE_METAVISOR_MODE)
if values.startup_script:
extra_items = [{'key': 'startup-script', 'value': values.startup_script}]
else:
extra_items = None
brkt_userdata = instance_config.make_userdata()
metadata = gce_service.gce_metadata_from_userdata(brkt_userdata,
extra_items=extra_items)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
launch_gce_image.launch(log,
gce_svc,
values.image,
values.instance_name,
values.zone,
values.delete_boot,
values.instance_type,
metadata)
return 0
def test_proxy_config(self):
cli_args = '--proxy %s' % (proxy_host_port)
values = instance_config_args_to_values(cli_args)
ic = make_instance_config(values)
_verify_proxy_config_in_userdata(self, ic.make_userdata())
def run(self, values):
instance_cfg = make_instance_config(values)
print instance_cfg.make_userdata()
return 0
def command_update_encrypted_ami(values):
nonce = util.make_nonce()
aws_svc = aws_service.AWSService(
nonce,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
encrypted_image = _validate_ami(aws_svc, values.ami)
pv = _use_pv_metavisor(values, encrypted_image)
encryptor_ami = (values.encryptor_ami
or _get_encryptor_ami(values.region, pv=pv))
default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate_guest_encrypted_ami(aws_svc, encrypted_image.id,
encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
_validate(aws_svc, values, encryptor_ami)
_validate_guest_encrypted_ami(aws_svc, encrypted_image.id,
encryptor_ami)
else:
log.info('Skipping AMI validation.')
mv_image = aws_svc.get_image(encryptor_ami)
if (encrypted_image.virtualization_type != mv_image.virtualization_type):
log.error(
'Virtualization type mismatch. %s is %s, but encryptor %s is '
'%s.', encrypted_image.id, encrypted_image.virtualization_type,
mv_image.id, mv_image.virtualization_type)
return 1
encrypted_ami_name = values.encrypted_ami_name
if encrypted_ami_name:
# Check for name collision.
filters = {'name': encrypted_ami_name}
if aws_svc.get_images(filters=filters, owners=['self']):
raise ValidationError('You already own image named %s' %
encrypted_ami_name)
else:
encrypted_ami_name = _get_updated_image_name(encrypted_image.name,
nonce)
log.debug('Image name: %s', encrypted_ami_name)
aws_service.validate_image_name(encrypted_ami_name)
# Initial validation done
log.info('Updating %s with new metavisor %s', encrypted_image.id,
encryptor_ami)
updated_ami_id = update_ami(
aws_svc,
encrypted_image.id,
encryptor_ami,
encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
updater_instance_type=values.updater_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
)
print(updated_ami_id)
return 0
def test_proxy_config(self):
cli_args = '--proxy %s' % (proxy_host_port)
values = instance_config_args_to_values(cli_args)
ic = make_instance_config(values)
_verify_proxy_config_in_userdata(self, ic.make_userdata())
def command_update_encrypted_ami(values):
nonce = util.make_nonce()
aws_svc = aws_service.AWSService(
nonce,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
encrypted_image = _validate_ami(aws_svc, values.ami)
pv = _use_pv_metavisor(values, encrypted_image)
encryptor_ami = (
values.encryptor_ami or
_get_encryptor_ami(values.region, pv=pv)
)
default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
_validate(aws_svc, values, encryptor_ami)
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
else:
log.info('Skipping AMI validation.')
mv_image = aws_svc.get_image(encryptor_ami)
if (encrypted_image.virtualization_type !=
mv_image.virtualization_type):
log.error(
'Virtualization type mismatch. %s is %s, but encryptor %s is '
'%s.',
encrypted_image.id,
encrypted_image.virtualization_type,
mv_image.id,
mv_image.virtualization_type
)
return 1
encrypted_ami_name = values.encrypted_ami_name
if encrypted_ami_name:
# Check for name collision.
filters = {'name': encrypted_ami_name}
if aws_svc.get_images(filters=filters, owners=['self']):
raise ValidationError(
'You already own image named %s' % encrypted_ami_name)
else:
encrypted_ami_name = _get_updated_image_name(
encrypted_image.name, nonce)
log.debug('Image name: %s', encrypted_ami_name)
aws_service.validate_image_name(encrypted_ami_name)
# Initial validation done
log.info(
'Updating %s with new metavisor %s',
encrypted_image.id, encryptor_ami
)
updated_ami_id = update_ami(
aws_svc, encrypted_image.id, encryptor_ami, encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
updater_instance_type=values.updater_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
)
print(updated_ami_id)
return 0
def command_encrypt_ami(values):
session_id = util.make_nonce()
aws_svc = aws_service.AWSService(
session_id,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
if values.validate:
guest_image = _validate_guest_ami(aws_svc, values.ami)
else:
guest_image = aws_svc.get_image(values.ami)
pv = _use_pv_metavisor(values, guest_image)
encryptor_ami = (
values.encryptor_ami or
_get_encryptor_ami(values.region, pv=pv)
)
default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate(aws_svc, values, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
encrypted_image_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_ami,
encrypted_ami_name=values.encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
save_encryptor_logs=values.save_encryptor_logs
)
# Print the AMI ID to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def run(self, values):
instance_cfg = make_instance_config(values)
print instance_cfg.make_userdata()
return 0