def process(self, network_security_groups):
ip_protocol = self.data.get(IP_PROTOCOL, '*')
direction = self.data[DIRECTION]
prefix = self.data.get(PREFIX, 'c7n-policy-')
# Build a list of ports described in the action.
ports = PortsRangeHelper.get_ports_set_from_string(self.data.get(PORTS, '0-65535'))
except_ports = PortsRangeHelper.get_ports_set_from_string(self.data.get(EXCEPT_PORTS, ''))
self.action_ports = ports.difference(except_ports)
for nsg in network_security_groups:
nsg_name = nsg['name']
resource_group = nsg['resourceGroup']
# Get list of ports to Deny or Allow access to.
ports = self._build_ports_strings(nsg, direction, ip_protocol)
if not ports:
# If its empty, it means NSG already blocks/allows access to all ports,
# no need to change.
self.manager.log.info("Network security group %s satisfies provided "
"ports configuration, no actions scheduled.", nsg_name)
continue
rules = nsg['properties']['securityRules']
rules = sorted(rules, key=lambda k: k['properties']['priority'])
rules = [r for r in rules
if StringUtils.equal(r['properties']['direction'], direction)]
lowest_priority = rules[0]['properties']['priority'] if len(rules) > 0 else 4096
# Create new top-priority rule to allow/block ports from the action.
rule_name = prefix + str(uuid.uuid1())
new_rule = {
'name': rule_name,
'properties': {
'access': self.access_action,
'destinationAddressPrefix': '*',
'destinationPortRanges': ports,
'direction': self.data[DIRECTION],
'priority': lowest_priority - PRIORITY_STEP,
'protocol': ip_protocol,
'sourceAddressPrefix': '*',
'sourcePortRange': '*',
}
}
self.manager.log.info("NSG %s. Creating new rule to %s access for ports %s",
nsg_name, self.access_action, ports)
try:
self.manager.get_client().security_rules.create_or_update(
resource_group,
nsg_name,
rule_name,
new_rule
)
except CloudError as e:
self.manager.log.error('Failed to create or update security rule for %s NSG.',
nsg_name)
self.manager.log.error(e)
def process(self, network_security_groups):
ip_protocol = self.data.get(IP_PROTOCOL, '*')
direction = self.data[DIRECTION]
# Build a list of ports described in the action.
ports = PortsRangeHelper.get_ports_set_from_string(self.data.get(PORTS, '0-65535'))
except_ports = PortsRangeHelper.get_ports_set_from_string(self.data.get(EXCEPT_PORTS, ''))
self.action_ports = ports.difference(except_ports)
for nsg in network_security_groups:
nsg_name = nsg['name']
resource_group = nsg['resourceGroup']
# Get list of ports to Deny or Allow access to.
ports = self._build_ports_strings(nsg, direction, ip_protocol)
if not ports:
# If its empty, it means NSG already blocks/allows access to all ports,
# no need to change.
self.manager.log.info("Network security group %s satisfies provided "
"ports configuration, no actions scheduled.", nsg_name)
continue
rules = nsg['properties']['securityRules']
rules = sorted(rules, key=lambda k: k['properties']['priority'])
rules = [r for r in rules
if StringUtils.equal(r['properties']['direction'], direction)]
lowest_priority = rules[0]['properties']['priority'] if len(rules) > 0 else 4096
# Create new top-priority rule to allow/block ports from the action.
rule_name = 'c7n-policy-' + str(uuid.uuid1())
new_rule = {
'name': rule_name,
'properties': {
'access': self.access_action,
'destinationAddressPrefix': '*',
'destinationPortRanges': ports,
'direction': self.data[DIRECTION],
'priority': lowest_priority - PRIORITY_STEP,
'protocol': ip_protocol,
'sourceAddressPrefix': '*',
'sourcePortRange': '*',
}
}
self.manager.log.info("NSG %s. Creating new rule to %s access for ports %s",
nsg_name, self.access_action, ports)
try:
self.manager.get_client().security_rules.create_or_update(
resource_group,
nsg_name,
rule_name,
new_rule
)
except CloudError as e:
self.manager.log.error('Failed to create or update security rule for %s NSG.',
nsg_name)
self.manager.log.error(e)
def process(self, network_security_groups, event=None):
# Get variables
self.ip_protocol = self.data.get(IP_PROTOCOL, '*')
self.IsAllowed = StringUtils.equal(self.data.get(ACCESS), ALLOW_OPERATION)
self.match = self.data.get(MATCH, 'all')
# Calculate ports from the settings:
# If ports not specified -- assuming the entire range
# If except_ports not specifed -- nothing
ports_set = PortsRangeHelper.get_ports_set_from_string(self.data.get(PORTS, '0-65535'))
except_set = PortsRangeHelper.get_ports_set_from_string(self.data.get(EXCEPT_PORTS, ''))
self.ports = ports_set.difference(except_set)
nsgs = [nsg for nsg in network_security_groups if self._check_nsg(nsg)]
return nsgs
def test_get_ports(self):
self.assertEqual(
PortsRangeHelper.get_ports_set_from_string("5, 4-5, 9"), {4, 5, 9})
rule = {'properties': {'destinationPortRange': '10-12'}}
self.assertEqual(PortsRangeHelper.get_ports_set_from_rule(rule),
{10, 11, 12})
rule = {'properties': {'destinationPortRanges': ['80', '10-12']}}
self.assertEqual(PortsRangeHelper.get_ports_set_from_rule(rule),
{10, 11, 12, 80})
def test_get_ports(self):
self.assertEqual(PortsRangeHelper.get_ports_set_from_string("5, 4-5, 9"), set([4, 5, 9]))
rule = {'properties': {'destinationPortRange': '10-12'}}
self.assertEqual(PortsRangeHelper.get_ports_set_from_rule(rule), set([10, 11, 12]))
rule = {'properties': {'destinationPortRanges': ['80', '10-12']}}
self.assertEqual(PortsRangeHelper.get_ports_set_from_rule(rule), set([10, 11, 12, 80]))
