def test_create_fortress(enable_github, requests_mock):
if enable_github:
requests_mock.get("https://api.github.com/meta", json=GITHUB_API_RANGE)
requests_mock.get("https://ip-ranges.amazonaws.com/ip-ranges.json",
json=AWS_IP_RANGES)
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
d = PolicyDocument().append(
Allow(
to="s3:GetObject",
on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
))
p = Policy("InternalPolicy", d)
f = Fortress(
"myfortress",
allow_ssh_from="0.0.0.0/0",
bastion_ami=AMI("ami-1234"),
internal_server_policy=p,
)
f += Bucket("Bucket2")
# Allow access to mybucket through a s3 endpoint
f.private_subnet.add_bucket_access(["mybucket", f["Bucket2"]])
# Allow access to a secret throught a secretsmanager endpoint
f.add_secret_access("arn_secret")
# Allow access to lambdas throught lambda endpoints
f.add_secret_access(["arn_lambda_1", "arn_lambda_2"])
# allow https
f.add_network_access("https")
f.add_private_server(AMI("ami-1234"), ["server1", "server2"],
github_access=enable_github)
assert f.body
def test_create_fortress_no_bastion():
aws_env = AWSEnv(regions=['us-east-1'], stub=True)
with default_region('us-east-1'):
stub = aws_env.stub('ec2', region='us-east-1')
stub.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-1234',
'RootDeviceName': '/dev/sda1',
'Tags': []
}]
}, {'ImageIds': ANY})
stub.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-1234',
'RootDeviceName': '/dev/sda1',
'Tags': []
}]
}, {'ImageIds': ANY})
d = PolicyDocument().append(
Allow(to='s3:GetObject',
on=['arn:aws:s3:::mybucket', 'arn:aws:s3:::mybucket/*']))
p = Policy('InternalPolicy', d)
f = Fortress('myfortress', bastion_ami=None, internal_server_policy=p)
f += Bucket('Bucket2')
# Allow access to mybucket through a s3 endpoint
f.private_subnet.add_bucket_access(['mybucket', f['Bucket2']])
# allow https
f.add_network_access('https')
f.add_private_server(AMI('ami-1234'), ['server1', 'server2'])
assert f.body
def test_create_fortress_with_too_much_sgs():
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
d = PolicyDocument().append(
Allow(
to="s3:GetObject",
on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
))
p = Policy("InternalPolicy", d)
f = Fortress("myfortress", bastion_ami=None, internal_server_policy=p)
# Adding 16 extra security groups should raise an exception (The maximum
# number of security groups is 16 and there is a default InternalSG)
sg_groups = [
SecurityGroup(name=f"sg{id}", vpc=f.vpc.vpc) for id in range(16)
]
with pytest.raises(AWSFortressError):
f.add_private_server(
AMI("ami-1234"),
["server1"],
amazon_access=False,
github_access=False,
extra_groups=sg_groups,
)
def test_create_fortress_no_bastion():
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
d = PolicyDocument().append(
Allow(
to="s3:GetObject",
on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
))
p = Policy("InternalPolicy", d)
f = Fortress("myfortress", bastion_ami=None, internal_server_policy=p)
f += Bucket("Bucket2")
# Allow access to mybucket through a s3 endpoint
f.private_subnet.add_bucket_access(["mybucket", f["Bucket2"]])
# Allow access to a secret throught a secretsmanager endpoint
f.add_secret_access("arn_secret")
# allow https
f.add_network_access("https")
f.add_private_server(AMI("ami-1234"), ["server1", "server2"])
assert f.body