Example #1
def get_vdcm_management_security_group(template,
                                       vpc,
                                       sg_name='vdcmmanagementsecuritygroup',
                                       cidr=CISCO_CIDR):
    """Build the vdcm security group that carries the management ingress rules.

    The ingress list is made of the ssh, http, https, influxdb, vnc, rest,
    graphana, all_icmp and abr2ts rules, followed by the all_sn rule.

    :param template: the template handed to the SecurityGroup constructor.
    :param vpc: the vpc this security group is attached to (via Ref).
    :param sg_name: title of the security group.
    :param cidr: source cidr applied to every management rule through
        Rules.override_cidr. Defaults to CISCO_CIDR. When falsy, the rules
        are used exactly as Rules provides them.
    :return: security_group
    """
    group = SecurityGroup(sg_name, template=template)
    group.Tags = Tags(Name=aws_name(group.title))
    group.GroupDescription = 'vdcm security group for management'
    group.VpcId = Ref(vpc)

    rule_set = Rules()
    management_rules = [
        rule_set.ssh, rule_set.http, rule_set.https, rule_set.influxdb,
        rule_set.vnc, rule_set.rest, rule_set.graphana, rule_set.all_icmp,
        rule_set.abr2ts
    ]

    # NOTE(review): with a falsy cidr the management ports (ssh, vnc, ...)
    # keep whatever source Rules defines for them -- confirm that default
    # is not 0.0.0.0/0 before calling with cidr=None.
    if cidr:
        ingress = []
        for rule in management_rules:
            ingress.append(rule_set.override_cidr(rule=rule, cidr=cidr))
    else:
        ingress = management_rules

    # all_sn is added after the override, so `cidr` never narrows it.
    ingress.append(rule_set.all_sn)

    group.SecurityGroupIngress = ingress
    return group
Example #2
def get_private_security_group(template, vpc, cidr, desc):
    """Build a security group that allows all protocols on all ports from `cidr`.

    Only to be used behind a bastion.

    :param template: the template handed to the SecurityGroup constructor.
    :param vpc: the vpc this security group is attached to (via Ref).
    :param cidr: source cidr applied to the "all" rule through
        Rules.override_cidr. When falsy, the rule is used as Rules provides it.
    :param desc: short label; it prefixes the group title
        ('<desc>securitygroup') and appears in the group description.
    :return: security_group
    """
    group = SecurityGroup('{}securitygroup'.format(desc), template=template)
    group.Tags = Tags(Name=aws_name(group.title))
    group.GroupDescription = 'security group for {} subnet'.format(desc)
    group.VpcId = Ref(vpc)

    rule_set = Rules()
    ingress = [rule_set.all]
    # NOTE(review): this rule opens every protocol and port. A falsy cidr
    # leaves it with the default source from Rules -- confirm callers always
    # pass the private subnet cidr.
    if cidr:
        narrowed = []
        for rule in ingress:
            narrowed.append(rule_set.override_cidr(rule=rule, cidr=cidr))
        ingress = narrowed

    group.SecurityGroupIngress = ingress
    return group
Example #3
def get_vdcm_video_security_group(template, vpc, cidr=None):
    """Build the vdcm security group that carries the default video rules.

    The ingress list is made of the all_udp, all_icmp and all_sn rules.

    :param template: the template handed to the SecurityGroup constructor.
    :param vpc: the vpc this security group is attached to (via Ref).
    :param cidr: source cidr applied to all three rules (all_sn included)
        through Rules.override_cidr. Defaults to None, in which case the
        rules are used exactly as Rules provides them.
    :return: security_group
    """
    group = SecurityGroup('vdcmvideosecuritygroup', template=template)
    group.Tags = Tags(Name=aws_name(group.title))
    group.GroupDescription = 'vdcm security group for video'
    group.VpcId = Ref(vpc)

    rule_set = Rules()
    ingress = [rule_set.all_udp, rule_set.all_icmp, rule_set.all_sn]
    # NOTE(review): the default cidr=None skips the override, so all_udp
    # keeps the source Rules defines for it -- confirm that default is
    # acceptably narrow.
    if cidr:
        narrowed = []
        for rule in ingress:
            narrowed.append(rule_set.override_cidr(rule=rule, cidr=cidr))
        ingress = narrowed

    group.SecurityGroupIngress = ingress
    return group
Example #4
def get_http_security_group(template,
                            vpc,
                            sg_name='httpsecuritygroup',
                            cidr=ALL_CISCO_CIDRS):
    """Build a security group suited to plain http.

    :param template: the template handed to the SecurityGroup constructor.
    :param vpc: the vpc this security group is attached to (via Ref).
    :param sg_name: title of the security group.
    :param cidr: a single source cidr or a list of them; one http rule is
        produced per entry through Rules.override_cidr. Defaults to
        ALL_CISCO_CIDRS. When falsy, the http rule is used as Rules
        provides it.
    :return: security_group
    """
    group = SecurityGroup(title=sg_name, template=template)
    group.Tags = Tags(Name=aws_name(group.title))
    group.GroupDescription = 'security group for http'
    group.VpcId = Ref(vpc)

    rule_set = Rules()
    ingress = [rule_set.http]
    if cidr:
        # Only a real list is treated as several cidrs; any other value
        # (a tuple included) is wrapped and passed on as one cidr.
        cidr_items = cidr if isinstance(cidr, list) else [cidr]
        expanded = []
        for rule in ingress:
            for cidr_item in cidr_items:
                expanded.append(
                    rule_set.override_cidr(rule=rule, cidr=cidr_item))
        ingress = expanded

    group.SecurityGroupIngress = ingress
    return group
Example #5
def get_elb_security_group(template,
                           vpc,
                           sg_name='elbsecuritygroup',
                           cidr="10.0.0.0/16"):
    """Build the elb security group carrying the rest and https rules.

    :param template: the template handed to the SecurityGroup constructor.
    :param vpc: the vpc this security group is attached to (via Ref).
    :param sg_name: title of the security group.
    :param cidr: source cidr applied to both rules through
        Rules.override_cidr. Defaults to "10.0.0.0/16". When falsy, the
        rules are used exactly as Rules provides them.
    :return: security_group
    """
    group = SecurityGroup(sg_name, template=template)
    group.Tags = Tags(Name=aws_name(group.title))
    group.GroupDescription = 'security group for elb'
    group.VpcId = Ref(vpc)

    rule_set = Rules()
    ingress = [rule_set.rest, rule_set.https]
    # NOTE(review): the default assumes the vpc uses 10.0.0.0/16 -- confirm
    # against the vpc's actual cidr, otherwise the elb is unreachable from
    # inside it or reachable from an unintended range.
    if cidr:
        narrowed = []
        for rule in ingress:
            narrowed.append(rule_set.override_cidr(rule=rule, cidr=cidr))
        ingress = narrowed

    group.SecurityGroupIngress = ingress
    return group