class EC2InstanceAdmin(AbstractBaseInstanceAdmin):
def __init__(self, region = None):
self.__cfg = ConfigMgr()
self.__conn = boto.ec2.connect_to_region(region)
def create_secure_instance(self, image_id, instance_type, instance_name):
script_path = self.__cfg.get_parameter("Instances", "CloudInitScriptPath")
production_security_group_id = self.__cfg.get_parameter("Instances", "RemediationSecurityGroupId")
production_subnet_id = self.__cfg.get_parameter("Instances", "ProductionSubnetId")
key_name = self.__cfg.get_parameter("Instances", "EC2KeyName")
with open(script_path, "r") as script_file:
cloud_init_script = script_file.read()
iam_role = IAMAdmin()
instance_profile = iam_role.create_dynamic_role()
new_reservation = self.__try_create_instance(image_id, key_name, instance_profile, instance_type,
production_subnet_id, production_security_group_id,
cloud_init_script)
instance = new_reservation.instances[0]
self.__conn.create_tags([instance.id], {"Name": instance_name})
message = "An instance created with id {}".format(instance.id)
Logger.log("info", message)
return message
def get_all_running_instance_names(self):
instances_list = []
instances = self.__conn.get_all_instances()
for instance in instances:
if instance.instances[0].state == "running":
instance_hostname = instance.instances[0].private_dns_name.split('.')[0]
instances_list.append(instance_hostname)
return instances_list
def __try_create_instance(self, ami_id, key_name, profile_name, instance_type, subnet_id,
security_group_id, user_data):
try:
new_reservation = self.__conn.run_instances(ami_id, key_name=key_name,
instance_profile_name=profile_name, instance_type=instance_type,
subnet_id=subnet_id, security_group_ids=[security_group_id],
user_data=user_data)
return new_reservation
except:
Logger.log("warning", "Could not create instance first time. Waiting another few seconds before retrying")
time.sleep(30)
Logger.log("warning", "Retrying to create instance")
try:
new_reservation = self.__conn.run_instances(ami_id, key_name=key_name,
instance_profile_name=profile_name,
instance_type=instance_type,
subnet_id=subnet_id, security_group_ids=[security_group_id],
user_data=user_data)
return new_reservation
except Exception as ex:
message = "Cannot create new instance: {}".format(ex.message)
raise GenericException(message)
class IAM(AbstractBaseIDM):
def __init__(self):
self.__cfg = ConfigMgr()
self.__iam_strict_policy_path = self.__cfg.get_parameter("Instances", "IAMStrictPolicyPath")
self.__prefix_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
credentials = EnvironmentVariables.get_instance_credentials().split(" ")
self.__conn = IAMConnection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
self.__iam_policy_name = "cloud-sec-policy"
def strict_dynamic_role(self, iam_role_name):
with open(self.__iam_strict_policy_path, "r") as policy_file:
bucket_unique_id = EnvironmentVariables.get_storage_unique_id(self.__prefix_name)
iam_policy_document = policy_file.read().replace("BUCKETNAME", bucket_unique_id)
self.__conn.put_role_policy(iam_role_name, self.__iam_policy_name, iam_policy_document)
class S3Storage(AbstractBaseStorage):
def __init__(self):
self.__cfg = ConfigMgr()
self.__bucket_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
self.__bucket_unique_id = EnvironmentVariables.get_storage_unique_id(self.__bucket_name)
self.__bucket_policy_path = self.__cfg.get_parameter("Instances", "BucketPolicyPath")
self.__current_instance_name = EnvironmentVariables.get_current_instance_name()
credentials = EnvironmentVariables.get_instance_credentials().split(" ")
self.__s3 = S3Connection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
def generate_and_store_encryption_key(self):
bucket = self.__s3.create_bucket(self.__bucket_unique_id)
bucket.set_policy(self.__get_bucket_policy)
from boto.s3.key import Key
key_object = Key(bucket)
key_object.key = "key"
encryption_key = self.__generate_encryption_key()
key_object.set_contents_from_string(encryption_key, {"Referer": self.__get_referer_unique_id()}, True)
expires_in_seconds = 1800
key_object.generate_url(expires_in_seconds)
Logger.log("info", "Encryption key uploaded to S3 bucket named {}".format(self.__bucket_unique_id))
def get_encryption_key(self):
bucket = self.__s3.get_bucket(self.__bucket_unique_id)
key = bucket.get_key("key", {"Referer": self.__get_referer_unique_id()})
response = key.get_contents_as_string({"Referer": self.__get_referer_unique_id()})
Logger.log("info", "Encryption key downloaded")
return response
def __get_referer_unique_id(self):
unique_string = "{}{}".format(EnvironmentVariables.get_current_instance_mac(), self.__current_instance_name)
uppercase_result = hashlib.sha512(unique_string).hexdigest()
return uppercase_result.lower()
def __generate_encryption_key(self):
from strgen import StringGenerator as SG
return SG("[\l\d]{100}&[\p]").render()
@property
def __get_bucket_policy(self):
referer_name = self.__get_referer_unique_id()
bucket_name = EnvironmentVariables.get_storage_unique_id(self.__bucket_name)
canonical_user = self.__cfg.get_parameter("Instances", "CanonicalUserId")
with open(self.__bucket_policy_path, "r") as policy_file:
bucket_policy = policy_file.read().replace('\n', '').replace('\t', '').replace('BUCKETNAME',
bucket_name).replace('REFERERNAME', referer_name).replace("CANONICALUSER",canonical_user)
return bucket_policy
def __init__(self):
self.__cfg = ConfigMgr()
self.__iam_strict_policy_path = self.__cfg.get_parameter("Instances", "IAMStrictPolicyPath")
self.__prefix_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
credentials = EnvironmentVariables.get_instance_credentials().split(" ")
self.__conn = IAMConnection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
self.__iam_policy_name = "cloud-sec-policy"
def __init__(self):
self.__cfg = ConfigMgr()
self.__bucket_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
self.__bucket_unique_id = EnvironmentVariables.get_storage_unique_id(self.__bucket_name)
self.__bucket_policy_path = self.__cfg.get_parameter("Instances", "BucketPolicyPath")
self.__current_instance_name = EnvironmentVariables.get_current_instance_name()
credentials = EnvironmentVariables.get_instance_credentials().split(" ")
self.__s3 = S3Connection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
class IAMAdmin(AbstractBaseIDMAdmin):
def __init__(self):
self.__cfg = ConfigMgr()
self.__iam_basic_policy_path = self.__cfg.get_parameter("Instances", "IAMBasicPolicyPath")
self.__prefix_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
self.__iam_policy_name = "cloud-sec-policy"
self.__conn = boto.connect_iam()
def create_dynamic_role(self):
random_id = uuid.uuid4().get_hex()
with open(self.__iam_basic_policy_path, "r") as policy_file:
iam_role_name = "{}-{}".format(self.__prefix_name, random_id)
iam_policy_document = policy_file.read().replace("BUCKETNAME", "{}*".format(self.__prefix_name))
self.__conn.create_role(iam_role_name)
self.__conn.create_instance_profile(iam_role_name)
self.__conn.add_role_to_instance_profile(iam_role_name, iam_role_name)
self.__conn.put_role_policy(iam_role_name, self.__iam_policy_name, iam_policy_document)
Logger.log("info", "Created a dynamic role named {}".format(iam_role_name))
return iam_role_name
class EC2Instance(AbstractBaseInstance):
def __init__(self):
self.__cfg = ConfigMgr()
credentials = EnvironmentVariables.get_instance_credentials().split(" ")
self.__conn = boto.ec2.EC2Connection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
self.__conn.region = EnvironmentVariables.get_current_instance_region()
self.__current_instance_name = EnvironmentVariables.get_current_instance_name()
def attach_new_storage_to_current_instance(self):
inst = self.get_instance_object_by_instance_id(self.__current_instance_name)
vol = self.__conn.create_volume(1,self.__conn.region)
time.sleep(30)
curr_vol = self.__conn.get_all_volumes([vol.id])[0]
while curr_vol.status != 'available':
time.sleep(10)
Logger.logger("info", "pending to make volume available")
self.__conn.attach_volume (vol.id, inst.id, "/dev/sdf")
Logger.log("info", "The volume {} attached to this instance".format(vol.id))
def move_current_instance_to_production_group(self):
production_group_id = self.__cfg.get_parameter("Instances", "ProductionSecurityGroupId")
instance = self.get_instance_object_by_instance_id(self.__current_instance_name)
self.__conn.modify_instance_attribute(self.__current_instance_name,
"groupSet", [production_group_id])
Logger.log("info", "This instance moved to the production subnet {}".format(production_group_id))
def strict_current_instance_role_permissions(self):
iam = IAM()
current_role_name = EnvironmentVariables.get_current_instance_profile()
iam.strict_dynamic_role(current_role_name)
Logger.log("info", "Changed the IAM role to be more strict")
def get_instance_object_by_instance_id(self, instance_id):
reservations = self.__conn.get_all_instances(instance_ids=[instance_id])
for instance in reservations[0].instances:
if instance.id == self.__current_instance_name:
return instance
return None
def __init__(self):
self.__cfg = ConfigMgr()
self.__iam_basic_policy_path = self.__cfg.get_parameter("Instances", "IAMBasicPolicyPath")
self.__prefix_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
self.__iam_policy_name = "cloud-sec-policy"
self.__conn = boto.connect_iam()
def __init__(self):
cfg = ConfigMgr()
url = cfg.get_parameter("Chef","ServerURL")
key_path = cfg.get_parameter("Chef","KeyFilePath")
client_name = cfg.get_parameter("Chef","ValidationClientName")
self.__chef_client = ChefAPI(url,key_path,client_name)
def __init__(self):
self.__cfg = ConfigMgr()
credentials = EnvironmentVariables.get_instance_credentials().split(" ")
self.__conn = boto.ec2.EC2Connection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
self.__conn.region = EnvironmentVariables.get_current_instance_region()
self.__current_instance_name = EnvironmentVariables.get_current_instance_name()
def __init__(self, region = None):
self.__cfg = ConfigMgr()
self.__conn = boto.ec2.connect_to_region(region)