def test_elastic_network_interfaces_modify_attribute_boto3():
ec2 = boto3.resource("ec2", region_name="us-east-1")
client = boto3.client("ec2", "us-east-1")
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
sec_group1 = ec2.create_security_group(GroupName=str(uuid4()),
Description="n/a")
sec_group2 = ec2.create_security_group(GroupName=str(uuid4()),
Description="n/a")
eni_id = subnet.create_network_interface(Groups=[sec_group1.id]).id
my_eni = client.describe_network_interfaces(
NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]
my_eni["Groups"].should.have.length_of(1)
my_eni["Groups"][0]["GroupId"].should.equal(sec_group1.id)
with pytest.raises(ClientError) as ex:
client.modify_network_interface_attribute(NetworkInterfaceId=eni_id,
Groups=[sec_group2.id],
DryRun=True)
ex.value.response["Error"]["Code"].should.equal("DryRunOperation")
ex.value.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(412)
ex.value.response["Error"]["Message"].should.equal(
"An error occurred (DryRunOperation) when calling the ModifyNetworkInterface operation: Request would have succeeded, but DryRun flag is set"
)
client.modify_network_interface_attribute(NetworkInterfaceId=eni_id,
Groups=[sec_group2.id])
my_eni = client.describe_network_interfaces(
NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]
my_eni["Groups"].should.have.length_of(1)
my_eni["Groups"][0]["GroupId"].should.equal(sec_group2.id)
def security_group(name, description):
try:
group = ec2.get_all_security_groups(groupnames=[name])[0]
except boto.exception.EC2ResponseError:
group = None
if group is None:
ec2.create_security_group(name, description)
group = ec2.get_all_security_groups(groupnames=[name])[0]
return group
def test_security_group_ingress_separate_from_security_group_by_id():
ec2 = boto3.client("ec2", region_name="us-west-1")
sg_name = str(uuid4())
ec2.create_security_group(GroupName=sg_name,
Description="test security group")
sg_2 = str(uuid4())[0:6]
template = {
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"test-security-group2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "test security group",
"Tags": [{
"Key": "sg-name",
"Value": sg_2
}],
},
},
"test-sg-ingress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupName": sg_name,
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "8080",
"SourceSecurityGroupId": {
"Ref": "test-security-group2"
},
},
},
},
}
template_json = json.dumps(template)
cf = boto3.client("cloudformation", region_name="us-west-1")
cf.create_stack(StackName=str(uuid4())[0:6], TemplateBody=template_json)
security_group1 = ec2.describe_security_groups(
GroupNames=[sg_name])["SecurityGroups"][0]
security_group2 = get_secgroup_by_tag(ec2, sg_2)
security_group1["IpPermissions"].should.have.length_of(1)
security_group1["IpPermissions"][0][
"UserIdGroupPairs"].should.have.length_of(1)
security_group1["IpPermissions"][0]["UserIdGroupPairs"][0][
"GroupId"].should.equal(security_group2["GroupId"])
security_group1["IpPermissions"][0]["IpProtocol"].should.equal("tcp")
security_group1["IpPermissions"][0]["FromPort"].should.equal(80)
security_group1["IpPermissions"][0]["ToPort"].should.equal(8080)
def create_security_group(self,
security_group_name,
description,
delete_if_exists=False):
"""
Returns the identifier of the group.
"""
if delete_if_exists:
try:
self.delete_security_group(security_group_name)
logger.info(
'create_security_group has deleted existing group '
'{0} prior to re-creating it.'.format(security_group_name))
except DeleteGroupException:
logger.debug('security group did not already exist')
# create the group in the VPC or classic
kwargs = {}
if self.account.vpc_id:
kwargs['vpc_id'] = self.account.vpc_id
ec2 = self.connect_ec2()
try:
group = ec2.create_security_group(security_group_name, description,
**kwargs)
return group.id
except boto.exception.EC2ResponseError as e:
raise GroupExistsException(e.message)
def create_security_group(self,
security_group_name,
description,
delete_if_exists=False):
'''
Returns the identifier of the group.
'''
if not description:
description = 'Default description provided by stackd.io'
if delete_if_exists:
try:
self.delete_security_group(security_group_name)
logger.warn('create_security_group has deleted existing group '
'{0} prior to creating it.'.format(
security_group_name))
except BadRequest:
logger.debug('security group did not already exist')
# create the group in the VPC or classic
kwargs = {}
if self.obj.vpc_id:
kwargs['vpc_id'] = self.obj.vpc_id
ec2 = self.connect_ec2()
group = ec2.create_security_group(security_group_name,
description,
**kwargs)
return group.id
def _create_security_group_abort_on_error(name, desc, rules):
ec2 = boto.ec2.connect_to_region(env.ec2_region)
try:
sg = ec2.create_security_group(name, desc, vpc_id=env.ec2_vpc_id)
except boto.exception.EC2ResponseError as e:
if e.error_code == 'InvalidGroup.Duplicate':
abort('\n'
'\n'
' "%s" security group already exists!' % name)
else:
abort('\n'
'\n'
' "%s" security group could not be created!: %s' %
(name, e.message))
for rule in rules:
ec2.authorize_security_group(
group_id=sg.id,
ip_protocol=rule[0],
from_port=rule[1],
to_port=rule[2],
cidr_ip=rule[3])
puts('\n'
' "%s" security group created successfully!' % name)
def createSG(ec2, name, rules):
"""
Create a new SecurityGroup
"""
# check if the security group exists
group = None
sgGroups = [sg for sg in ec2.get_all_security_groups() if sg.name == name]
if sgGroups:
group = sgGroups[0]
ec2.delete_security_group(name=name, group_id=group)
print "Creating %s Security Group" % name
group = ec2.create_security_group(name, 'group for %s' % name)
if group:
# Set the inbound rules
for rule in rules:
if rule.src_group_name:
group.authorize(ip_protocol=rule.ip_protocol,
from_port=rule.from_port,
to_port=rule.to_port,
cidr_ip=rule.cidr_ip,
src_group=group)
else:
group.authorize(ip_protocol=rule.ip_protocol,
from_port=rule.from_port,
to_port=rule.to_port,
cidr_ip=rule.cidr_ip,
src_group=None)
return True
else:
logError('Error during ' + name + ' Security Group update')
return False
def create_security_group(self, security_group_name, description, delete_if_exists=False):
"""
Returns the identifier of the group.
"""
if delete_if_exists:
try:
self.delete_security_group(security_group_name)
logger.info('create_security_group has deleted existing group '
'{0} prior to re-creating it.'.format(security_group_name))
except DeleteGroupException:
logger.debug('security group did not already exist')
# create the group in the VPC or classic
kwargs = {}
if self.account.vpc_id:
kwargs['vpc_id'] = self.account.vpc_id
ec2 = self.connect_ec2()
try:
group = ec2.create_security_group(
security_group_name,
description,
**kwargs
)
return group.id
except boto.exception.EC2ResponseError as e:
raise GroupExistsException(e.message)
def test_elastic_network_interfaces_with_groups_boto3():
ec2 = boto3.resource("ec2", region_name="us-east-1")
client = boto3.client("ec2", "us-east-1")
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
sec_group1 = ec2.create_security_group(GroupName=str(uuid4()), Description="n/a")
sec_group2 = ec2.create_security_group(GroupName=str(uuid4()), Description="n/a")
my_eni = subnet.create_network_interface(Groups=[sec_group1.id, sec_group2.id])
all_enis = client.describe_network_interfaces()["NetworkInterfaces"]
[eni["NetworkInterfaceId"] for eni in all_enis].should.contain(my_eni.id)
my_eni = [eni for eni in all_enis if eni["NetworkInterfaceId"] == my_eni.id][0]
my_eni["Groups"].should.have.length_of(2)
set([group["GroupId"] for group in my_eni["Groups"]]).should.equal(
set([sec_group1.id, sec_group2.id])
)
def get_target_from_rule(module, ec2, rule, name, group, groups, vpc_id):
"""
Returns tuple of (group_id, ip) after validating rule params.
rule: Dict describing a rule.
name: Name of the security group being managed.
groups: Dict of all available security groups.
AWS accepts an ip range or a security group as target of a rule. This
function validate the rule specification and return either a non-None
group_id or a non-None ip range.
"""
FOREIGN_SECURITY_GROUP_REGEX = '^(\S+)/(sg-\S+)/(\S+)'
group_id = None
group_name = None
ip = None
target_group_created = False
if 'group_id' in rule and 'cidr_ip' in rule:
module.fail_json(msg="Specify group_id OR cidr_ip, not both")
elif 'group_name' in rule and 'cidr_ip' in rule:
module.fail_json(msg="Specify group_name OR cidr_ip, not both")
elif 'group_id' in rule and 'group_name' in rule:
module.fail_json(msg="Specify group_id OR group_name, not both")
elif 'group_id' in rule and re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']):
# this is a foreign Security Group. Since you can't fetch it you must create an instance of it
owner_id, group_id, group_name = re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']).groups()
group_instance = SecurityGroup(owner_id=owner_id, name=group_name, id=group_id)
groups[group_id] = group_instance
groups[group_name] = group_instance
elif 'group_id' in rule:
group_id = rule['group_id']
elif 'group_name' in rule:
group_name = rule['group_name']
if group_name == name:
group_id = group.id
groups[group_id] = group
groups[group_name] = group
elif group_name in groups:
group_id = groups[group_name].id
else:
if not rule.get('group_desc', '').strip():
module.fail_json(msg="group %s will be automatically created by rule %s and no description was provided" % (group_name, rule))
if not module.check_mode:
auto_group = ec2.create_security_group(group_name, rule['group_desc'], vpc_id=vpc_id)
group_id = auto_group.id
groups[group_id] = auto_group
groups[group_name] = auto_group
target_group_created = True
elif 'cidr_ip' in rule:
ip = rule['cidr_ip']
return group_id, ip, target_group_created
def get_or_create_security_group(region ,group_name):
"""
Search by group_name, if doesn't exits, it is created
"""
try:
ec2 = boto.ec2.connect_to_region(region)
group = ec2.get_all_security_groups(groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
group = ec2.create_security_group(
group_name, 'group {} for region {}'.format(group_name, region))
else:
raise
def create_security_group(group_name="mqlibtest"):
"""
Instances are pretty locked down by default. We can assign them to
security groups to give access rights. This group allows us to access
our instances over SSH
"""
ec2 = boto.ec2.connect_to_region(AWS_REGION)
for g in ec2.get_all_security_groups():
if g.name == group_name:
return # We already have this group setup
group = ec2.create_security_group(group_name, "MQLib SSH access group")
group.authorize("tcp", 22, 22, "0.0.0.0/0") # SSH is on port 22, all IPs
print "Created new security group"
def get_target_from_rule(module, ec2, rule, name, group, groups, vpc_id):
"""
Returns tuple of (group_id, ip) after validating rule params.
rule: Dict describing a rule.
name: Name of the security group being managed.
groups: Dict of all available security groups.
AWS accepts an ip range or a security group as target of a rule. This
function validate the rule specification and return either a non-None
group_id or a non-None ip range.
"""
group_id = None
group_name = None
ip = None
target_group_created = False
if 'group_id' in rule and 'cidr_ip' in rule:
module.fail_json(msg="Specify group_id OR cidr_ip, not both")
elif 'group_name' in rule and 'cidr_ip' in rule:
module.fail_json(msg="Specify group_name OR cidr_ip, not both")
elif 'group_id' in rule and 'group_name' in rule:
module.fail_json(msg="Specify group_id OR group_name, not both")
elif 'group_id' in rule:
group_id = rule['group_id']
elif 'group_name' in rule:
group_name = rule['group_name']
if group_name in groups:
group_id = groups[group_name].id
elif group_name == name:
group_id = group.id
groups[group_id] = group
groups[group_name] = group
else:
if not rule.get('group_desc', '').strip():
module.fail_json(
msg=
"group %s will be automatically created by rule %s and no description was provided"
% (group_name, rule))
if not module.check_mode:
auto_group = ec2.create_security_group(group_name,
rule['group_desc'],
vpc_id=vpc_id)
group_id = auto_group.id
groups[group_id] = auto_group
groups[group_name] = auto_group
target_group_created = True
elif 'cidr_ip' in rule:
ip = rule['cidr_ip']
return group_id, ip, target_group_created
def get_or_create_security_group(region, group_name):
"""
Search by group_name, if doesn't exits, it is created
"""
try:
ec2 = boto.ec2.connect_to_region(region)
group = ec2.get_all_security_groups(groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
group = ec2.create_security_group(
group_name,
'group {} for region {}'.format(group_name, region))
else:
raise
def security_group_ssh():
# If the demo security group exists, purge so it's known to be clean.
groups = ec2.get_all_security_groups()
for group in groups:
if group.name == DEMO_SECURITY_GROUP:
ec2.delete_security_group(DEMO_SECURITY_GROUP)
# create new security group opening up ssh and tomcat7 ports
group = ec2.create_security_group(DEMO_SECURITY_GROUP, 'Security group for demonstration')
my_cidr = get_external_ip() + '/32'
group.authorize('tcp', 22, 22, my_cidr)
group.authorize('tcp', 8080, 8080, my_cidr)
return;
def create_security_group(group_name="mqlibtest"):
"""
Instances are pretty locked down by default. We can assign them to
security groups to give access rights. This group allows us to access
our instances over SSH
"""
ec2 = boto.ec2.connect_to_region(AWS_REGION)
for g in ec2.get_all_security_groups():
if g.name == group_name:
return # We already have this group setup
group = ec2.create_security_group(
group_name, "MQLib SSH access group")
group.authorize("tcp", 22, 22, "0.0.0.0/0") # SSH is on port 22, all IPs
print "Created new security group"
def create_security_rule(ec2,vpc,group,protocol,start,end,cidr):
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
print 'Creating security rule %s:%s[%s,%s]->%s'%(group,protocol,start,end,cidr)
try:
ec2_group = ec2.get_all_security_groups(groupnames=[group])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print 'Creating Security Group: %s' % group
# Create a security group to control access to instance via SSH.
ec2_group = ec2.create_security_group(group, group, vpc_id=vpc)
else:
raise
def create_security_group(group_name):
"""
Instances are pretty locked down by default. We can assign them to
security groups to give access rights.
"""
ec2 = boto.ec2.connect_to_region(AWS_REGION)
for g in ec2.get_all_security_groups():
if g.name == group_name:
return # We already have this group setup
group = ec2.create_security_group(group_name,
"%s SSH access group" % group_name)
group.authorize("tcp", 22, 22, "0.0.0.0/0") # SSH is on port 22, all IPs
group.authorize("tcp", 80, 80, "0.0.0.0/0")
group.authorize("tcp", 61000, 65000, "0.0.0.0/0")
print "Created new security group"
def get_target_from_rule(module, ec2, rule, name, group, groups, vpc_id):
"""
Returns tuple of (group_id, ip) after validating rule params.
rule: Dict describing a rule.
name: Name of the security group being managed.
groups: Dict of all available security groups.
AWS accepts an ip range or a security group as target of a rule. This
function validate the rule specification and return either a non-None
group_id or a non-None ip range.
"""
group_id = None
group_name = None
ip = None
target_group_created = False
if 'group_id' in rule and 'cidr_ip' in rule:
module.fail_json(msg="Specify group_id OR cidr_ip, not both")
elif 'group_name' in rule and 'cidr_ip' in rule:
module.fail_json(msg="Specify group_name OR cidr_ip, not both")
elif 'group_id' in rule and 'group_name' in rule:
module.fail_json(msg="Specify group_id OR group_name, not both")
elif 'group_id' in rule:
group_id = rule['group_id']
elif 'group_name' in rule:
group_name = rule['group_name']
if group_name in groups:
group_id = groups[group_name].id
elif group_name == name:
group_id = group.id
groups[group_id] = group
groups[group_name] = group
else:
if not rule.get('group_desc', '').strip():
module.fail_json(msg="group %s will be automatically created by rule %s and no description was provided" % (group_name, rule))
if not module.check_mode:
auto_group = ec2.create_security_group(group_name, rule['group_desc'], vpc_id=vpc_id)
group_id = auto_group.id
groups[group_id] = auto_group
groups[group_name] = auto_group
target_group_created = True
elif 'cidr_ip' in rule:
ip = rule['cidr_ip']
return group_id, ip, target_group_created
def main(config_path, name_prefix, tag):
with open(config_path) as f:
config = json.load(f)
ec2 = boto.ec2.connect_to_region(
INSTANCE_CONFIG['region'],
aws_access_key_id=config['access_key_id'],
aws_secret_access_key=config['secret_access_key'])
name = name_prefix + "-" + datetime.utcnow().isoformat()
# Assume that ssh key is uploaded
group = ec2.create_security_group(name, 'A group that allows SSH access')
group.authorize('tcp', 22, 22, "0.0.0.0/0")
reservation = ec2.run_instances(
INSTANCE_CONFIG['ami'],
key_name=os.path.basename(config['certificate_path']).split(".")[0],
instance_type=INSTANCE_CONFIG['type'],
security_groups=[name])
# Find the actual Instance object inside the Reservation object
# returned by EC2.
instance = reservation.instances[0]
# The instance has been launched but it's not yet up and
# running. Let's wait for it's state to change to 'running'.
print 'waiting for instance'
while instance.state != 'running':
print '.',
time.sleep(1)
instance.update()
print 'done'
instance.add_tag(tag)
print "DoNe! To connect use:"
print "ssh -i {} ubuntu@{}".format(config['certificate_path'],
instance.public_dns_name)
def auto_vpn(ami=ami,
instance_type=instance_type,
key_name=keyname,
group_name="vpn_2",
ssh_port="22",
vpn_port="1194",
cidr="0.0.0.0/0",
tag="auto_vpn",
user_data=None):
ec2 = conn_region
try:
group = ec2.get_all_security_groups(groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
group = ec2.create_security_group(
group_name, 'A group that allows VPN access')
else:
raise
def auto_vpn(ami=ami,
instance_type=instance_type,
key_name=keyname,
group_name="vpn_2",
ssh_port="22",
vpn_port="1194",
cidr="0.0.0.0/0",
tag="auto_vpn",
user_data=None):
ec2 = conn_region
try:
group = ec2.get_all_security_groups(groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
group = ec2.create_security_group(group_name,
'A group that allows VPN access')
else:
raise
def createSG(ec2,name,rules):
"""
Create a new SecurityGroup
"""
# check if the security group exists
group = None
sgGroups = [sg for sg in ec2.get_all_security_groups() if sg.name == name]
if sgGroups:
group = sgGroups[0]
ec2.delete_security_group(name=name, group_id=group)
print "Creating %s Security Group" % name
group = ec2.create_security_group(name, 'group for %s' % name)
if group:
# Set the inbound rules
for rule in rules:
if rule.src_group_name:
group.authorize(ip_protocol=rule.ip_protocol,from_port=rule.from_port,to_port=rule.to_port,cidr_ip=rule.cidr_ip,src_group=group)
else:
group.authorize(ip_protocol=rule.ip_protocol,from_port=rule.from_port,to_port=rule.to_port,cidr_ip=rule.cidr_ip,src_group=None)
return True
else:
logError('Error during '+name+' Security Group update')
return False
outfile = open('keypair.pem', 'w')
key_pair = ec2.create_key_pair(KeyName='keypair')
KeyPairOut = str(key_pair.key_material)
outfile.write(KeyPairOut)
except ClientError as e:
print("Key Pair Already Exist")
''' Creating Security Group '''
ec2 = boto3.client('ec2')
response = ec2.describe_vpcs()
vpc_id = response.get('Vpcs', [{}])[0].get('VpcId', '')
try:
response = ec2.create_security_group(
GroupName='SECURITYGROUP',
Description='security group for ec2 instance',
VpcId=vpc_id)
security_group_id = response['GroupId']
print('Security Group Created %s in vpc %s.' % (security_group_id, vpc_id))
data = ec2.authorize_security_group_ingress(GroupId=security_group_id,
IpPermissions=[{
'IpProtocol':
'tcp',
'FromPort':
80,
'ToPort':
80,
'IpRanges': [{
'CidrIp':
'0.0.0.0/0'
ec2 = boto.ec2.connect_to_region(region_name=region_name,
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key)
print(u"Establishing security group voodoovpn")
voodoovpngroup_name = u'voodoovpn'
matching_security_groups = [
sg for sg in ec2.get_all_security_groups()
if sg.name == voodoovpngroup_name
]
if len(matching_security_groups) > 0:
print(u"Found security group voodoovpn")
voodoovpngroup = matching_security_groups[0]
else:
print(u"Creating security group voodoovpn")
voodoovpngroup = ec2.create_security_group(voodoovpngroup_name,
'Voodoo VPN access')
voodoovpngroup.authorize('tcp', 500, 500, '0.0.0.0/0')
voodoovpngroup.authorize('udp', 500, 500, '0.0.0.0/0')
voodoovpngroup.authorize('udp', 4500, 4500, '0.0.0.0/0')
if key_name is not None:
# open an ssh port, if we provided an ssh key
voodoovpngroup.authorize('tcp', 22, 22, '0.0.0.0/0')
voodoovpngroup.authorize('udp', 22, 22, '0.0.0.0/0')
print(u"Generating VPN credentials")
# generate IPSEC_PSK,
VPN_USER = '******'
IPSEC_PSK = ''.join(
random.choice(string.ascii_lowercase + string.ascii_uppercase +
string.digits) for x in range(32))
VPN_PASSWORD = ''.join(
# The save method will also chmod the file to protect
# your private key.
key.save(key_dir)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print 'Creating Security Group: %s' % group_name
# Create a security group to control access to instance via SSH.
group = ec2.create_security_group(group_name,
'A group that allows SSH access')
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
try:
group.authorize('tcp', ssh_port, ssh_port, "0.0.0.0/0")
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security Group: %s already authorized' % group_name
else:
raise
@task
def create_instance(name, ami=ubuntu_lts_ami,
instance_type='t1.micro',
net3 = vpcCon.create_subnet(vpcid, "10.0.3.0/24")
net4 = vpcCon.create_subnet(vpcid, "10.0.4.0/24")
print "subnet ", net1.id, " was created"
print "subnet ", net2.id, " was created"
print "subnet ", net3.id, " was created"
print "subnet ", net4.id, " was created"
import boto.ec2
print "begin create security group"
ec2 = boto.ec2.connect_to_region(region, aws_access_key_id= aws_access_key, aws_secret_access_key =aws_secret_key)
net1_group = ec2.create_security_group('net1', 'Our net1 Group', vpc_id=vpcid)
net2_group = ec2.create_security_group('net2', 'Our net2 Group', vpc_id=vpcid)
net3_group = ec2.create_security_group('net3', 'Our net3 Group', vpc_id=vpcid)
net4_group = ec2.create_security_group('net4', 'Our net3 Group', vpc_id=vpcid)
print "begin add authorize to security"
b = net1_group.authorize("tcp", from_port=0,to_port=65535, cidr_ip="0.0.0.0/0")
b = net1_group.authorize("udp", from_port=0,to_port=65535, cidr_ip="0.0.0.0/0")
b = net2_group.authorize("tcp", from_port=0,to_port=65535, cidr_ip="0.0.0.0/0")
b = net2_group.authorize("udp", from_port=0,to_port=65535, cidr_ip="0.0.0.0/0")
b = net3_group.authorize("tcp", from_port=0,to_port=65535, cidr_ip="0.0.0.0/0")
b = net3_group.authorize("udp", from_port=0,to_port=65535, cidr_ip="0.0.0.0/0")
tag="instance test", cidr = "0.0.0.0/0",
user_data="None", login_usr="******"):
ec2 = boto.connect_ec2()
try:
key = ec2.get_all_key_pairs(keynames=[key_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidKeyPair.NotFound':
print 'Creating keypair: %s' % key_name
key = ec2.create_key_pair(key_name)
key.save(key_dir)
try:
group = ec2.get_all_security_groups( groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == "InvalidGroup.NotFound" :
print "Creating Security Group: %s" % group_name
group = ec2.create_security_group(group_name, "A group that allows ssh access")
group.authorize("tcp", ssh_port, ssh_port, cidr)
group.authorize("tcp", solr_port, solr_port, cidr)
group.authorize("tcp", http_port, http_port, cidr)
else:
raise
reservation = ec2.run_instances(ami, key_name=key_name,
security_groups=[group_name],
instance_type=instance_type,
user_data=user_data)
instance = reservation.instances[0]
print 'waiting for instance to start'
while instance.state != 'running':
print "Instance state =" + str(instance.state)
time.sleep(5)
def test_elastic_network_interfaces_filtering_boto3():
ec2 = boto3.resource("ec2", region_name="us-east-1")
client = boto3.client("ec2", "us-east-1")
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
sec_group1 = ec2.create_security_group(GroupName=str(uuid4()),
Description="n/a")
sec_group2 = ec2.create_security_group(GroupName=str(uuid4()),
Description="n/a")
eni1 = subnet.create_network_interface(
Groups=[sec_group1.id, sec_group2.id])
eni2 = subnet.create_network_interface(Groups=[sec_group1.id])
eni3 = subnet.create_network_interface(Description=str(uuid4()))
all_enis = client.describe_network_interfaces()["NetworkInterfaces"]
[eni["NetworkInterfaceId"] for eni in all_enis].should.contain(eni1.id)
[eni["NetworkInterfaceId"] for eni in all_enis].should.contain(eni2.id)
[eni["NetworkInterfaceId"] for eni in all_enis].should.contain(eni3.id)
# Filter by NetworkInterfaceId
enis_by_id = client.describe_network_interfaces(
NetworkInterfaceIds=[eni1.id])["NetworkInterfaces"]
enis_by_id.should.have.length_of(1)
set([eni["NetworkInterfaceId"]
for eni in enis_by_id]).should.equal(set([eni1.id]))
# Filter by ENI ID
enis_by_id = client.describe_network_interfaces(
Filters=[{
"Name": "network-interface-id",
"Values": [eni1.id]
}])["NetworkInterfaces"]
enis_by_id.should.have.length_of(1)
set([eni["NetworkInterfaceId"]
for eni in enis_by_id]).should.equal(set([eni1.id]))
# Filter by Security Group
enis_by_group = client.describe_network_interfaces(
Filters=[{
"Name": "group-id",
"Values": [sec_group1.id]
}])["NetworkInterfaces"]
enis_by_group.should.have.length_of(2)
set([eni["NetworkInterfaceId"]
for eni in enis_by_group]).should.equal(set([eni1.id, eni2.id]))
# Filter by ENI ID and Security Group
enis_by_group = client.describe_network_interfaces(Filters=[
{
"Name": "network-interface-id",
"Values": [eni1.id]
},
{
"Name": "group-id",
"Values": [sec_group1.id]
},
])["NetworkInterfaces"]
enis_by_group.should.have.length_of(1)
set([eni["NetworkInterfaceId"]
for eni in enis_by_group]).should.equal(set([eni1.id]))
# Filter by Description
enis_by_description = client.describe_network_interfaces(
Filters=[{
"Name": "description",
"Values": [eni3.description]
}])["NetworkInterfaces"]
enis_by_description.should.have.length_of(1)
enis_by_description[0]["Description"].should.equal(eni3.description)
# Unsupported filter
if not settings.TEST_SERVER_MODE:
# ServerMode will just throw a generic 500
filters = [{"Name": "not-implemented-filter", "Values": ["foobar"]}]
client.describe_network_interfaces.when.called_with(
Filters=filters).should.throw(NotImplementedError)
# your private key.
key.save(key_dir)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(
groupnames=[aws_cfg["group_name"]])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print 'Creating Security Group: %s' % aws_cfg["group_name"]
# Create a security group to control access to instance via SSH.
group = ec2.create_security_group(
aws_cfg["group_name"], 'A group that allows SSH access')
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
for port in ["80", aws_cfg["ssh_port"]]:
try:
group.authorize('tcp', port, port, "0.0.0.0/0")
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security Group: %s already authorized' % aws_cfg[
"group_name"]
else:
raise
def main():
argument_spec = ec2_argument_spec()
argument_spec.update(dict(
name=dict(type='str', required=True),
description=dict(type='str', required=True),
vpc_id=dict(type='str'),
rules=dict(type='list'),
rules_egress=dict(type='list'),
state = dict(default='present', type='str', choices=['present', 'absent']),
purge_rules=dict(default=True, required=False, type='bool'),
purge_rules_egress=dict(default=True, required=False, type='bool'),
)
)
module = AnsibleModule(
argument_spec=argument_spec,
supports_check_mode=True,
)
if not HAS_BOTO:
module.fail_json(msg='boto required for this module')
name = module.params['name']
description = module.params['description']
vpc_id = module.params['vpc_id']
rules = module.params['rules']
rules_egress = module.params['rules_egress']
state = module.params.get('state')
purge_rules = module.params['purge_rules']
purge_rules_egress = module.params['purge_rules_egress']
changed = False
ec2 = ec2_connect(module)
# find the group if present
group = None
groups = {}
for curGroup in ec2.get_all_security_groups():
groups[curGroup.id] = curGroup
if curGroup.name in groups:
# Prioritise groups from the current VPC
if vpc_id is None or curGroup.vpc_id == vpc_id:
groups[curGroup.name] = curGroup
else:
groups[curGroup.name] = curGroup
if curGroup.name == name and (vpc_id is None or curGroup.vpc_id == vpc_id):
group = curGroup
# Ensure requested group is absent
if state == 'absent':
if group:
'''found a match, delete it'''
try:
if not module.check_mode:
group.delete()
except Exception as e:
module.fail_json(msg="Unable to delete security group '%s' - %s" % (group, e))
else:
group = None
changed = True
else:
'''no match found, no changes required'''
# Ensure requested group is present
elif state == 'present':
if group:
'''existing group found'''
# check the group parameters are correct
group_in_use = False
rs = ec2.get_all_instances()
for r in rs:
for i in r.instances:
group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)
if group.description != description:
if group_in_use:
module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
# if the group doesn't exist, create it now
else:
'''no match found, create it'''
if not module.check_mode:
group = ec2.create_security_group(name, description, vpc_id=vpc_id)
# When a group is created, an egress_rule ALLOW ALL
# to 0.0.0.0/0 is added automatically but it's not
# reflected in the object returned by the AWS API
# call. We re-read the group for getting an updated object
# amazon sometimes takes a couple seconds to update the security group so wait till it exists
while len(ec2.get_all_security_groups(filters={ 'group_id': group.id, })) == 0:
time.sleep(0.1)
group = ec2.get_all_security_groups(group_ids=(group.id,))[0]
changed = True
else:
module.fail_json(msg="Unsupported state requested: %s" % state)
# create a lookup for all existing rules on the group
if group:
# Manage ingress rules
groupRules = {}
addRulesToLookup(group.rules, 'in', groupRules)
# Now, go through all provided rules and ensure they are there.
if rules is not None:
for rule in rules:
validate_rule(module, rule)
group_id, ip, target_group_created = get_target_from_rule(module, ec2, rule, name, group, groups, vpc_id)
if target_group_created:
changed = True
if rule['proto'] in ('all', '-1', -1):
rule['proto'] = -1
rule['from_port'] = None
rule['to_port'] = None
# Convert ip to list we can iterate over
if not isinstance(ip, list):
ip = [ip]
# If rule already exists, don't later delete it
for thisip in ip:
ruleId = make_rule_key('in', rule, group_id, thisip)
if ruleId in groupRules:
del groupRules[ruleId]
# Otherwise, add new rule
else:
grantGroup = None
if group_id:
grantGroup = groups[group_id]
if not module.check_mode:
group.authorize(rule['proto'], rule['from_port'], rule['to_port'], thisip, grantGroup)
changed = True
# Finally, remove anything left in the groupRules -- these will be defunct rules
if purge_rules:
for (rule, grant) in groupRules.itervalues() :
grantGroup = None
if grant.group_id:
if grant.owner_id != group.owner_id:
# this is a foreign Security Group. Since you can't fetch it you must create an instance of it
group_instance = SecurityGroup(owner_id=grant.owner_id, name=grant.name, id=grant.group_id)
groups[grant.group_id] = group_instance
groups[grant.name] = group_instance
grantGroup = groups[grant.group_id]
if not module.check_mode:
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
changed = True
# Manage egress rules
groupRules = {}
addRulesToLookup(group.rules_egress, 'out', groupRules)
# Now, go through all provided rules and ensure they are there.
if rules_egress is not None:
for rule in rules_egress:
validate_rule(module, rule)
group_id, ip, target_group_created = get_target_from_rule(module, ec2, rule, name, group, groups, vpc_id)
if target_group_created:
changed = True
if rule['proto'] in ('all', '-1', -1):
rule['proto'] = -1
rule['from_port'] = None
rule['to_port'] = None
# Convert ip to list we can iterate over
if not isinstance(ip, list):
ip = [ip]
# If rule already exists, don't later delete it
for thisip in ip:
ruleId = make_rule_key('out', rule, group_id, thisip)
if ruleId in groupRules:
del groupRules[ruleId]
# Otherwise, add new rule
else:
grantGroup = None
if group_id:
grantGroup = groups[group_id].id
if not module.check_mode:
ec2.authorize_security_group_egress(
group_id=group.id,
ip_protocol=rule['proto'],
from_port=rule['from_port'],
to_port=rule['to_port'],
src_group_id=grantGroup,
cidr_ip=thisip)
changed = True
elif vpc_id:
# when using a vpc, but no egress rules are specified,
# we add in a default allow all out rule, which was the
# default behavior before egress rules were added
default_egress_rule = 'out--1-None-None-None-0.0.0.0/0'
if default_egress_rule not in groupRules:
if not module.check_mode:
ec2.authorize_security_group_egress(
group_id=group.id,
ip_protocol=-1,
from_port=None,
to_port=None,
src_group_id=None,
cidr_ip='0.0.0.0/0'
)
changed = True
else:
# make sure the default egress rule is not removed
del groupRules[default_egress_rule]
# Finally, remove anything left in the groupRules -- these will be defunct rules
if purge_rules_egress:
for (rule, grant) in groupRules.itervalues():
grantGroup = None
if grant.group_id:
grantGroup = groups[grant.group_id].id
if not module.check_mode:
ec2.revoke_security_group_egress(
group_id=group.id,
ip_protocol=rule.ip_protocol,
from_port=rule.from_port,
to_port=rule.to_port,
src_group_id=grantGroup,
cidr_ip=grant.cidr_ip)
changed = True
if group:
module.exit_json(changed=changed, group_id=group.id)
else:
module.exit_json(changed=changed, group_id=None)
def main():
argument_spec = ec2_argument_spec()
argument_spec.update(
dict(
name=dict(),
group_id=dict(),
description=dict(),
vpc_id=dict(),
rules=dict(type='list'),
rules_egress=dict(type='list'),
state=dict(default='present',
type='str',
choices=['present', 'absent']),
purge_rules=dict(default=True, required=False, type='bool'),
purge_rules_egress=dict(default=True, required=False, type='bool'),
))
module = AnsibleModule(
argument_spec=argument_spec,
supports_check_mode=True,
required_one_of=[['name', 'group_id']],
required_if=[['state', 'present', ['name']]],
)
if not HAS_BOTO:
module.fail_json(msg='boto required for this module')
name = module.params['name']
group_id = module.params['group_id']
description = module.params['description']
vpc_id = module.params['vpc_id']
rules = deduplicate_rules_args(
rules_expand_sources(rules_expand_ports(module.params['rules'])))
rules_egress = deduplicate_rules_args(
rules_expand_sources(rules_expand_ports(
module.params['rules_egress'])))
state = module.params.get('state')
purge_rules = module.params['purge_rules']
purge_rules_egress = module.params['purge_rules_egress']
if state == 'present' and not description:
module.fail_json(msg='Must provide description when state is present.')
changed = False
ec2 = ec2_connect(module)
# find the group if present
group = None
groups = {}
try:
security_groups = ec2.get_all_security_groups()
except BotoServerError as e:
module.fail_json(msg="Error in get_all_security_groups: %s" %
e.message,
exception=traceback.format_exc())
for curGroup in security_groups:
groups[curGroup.id] = curGroup
if curGroup.name in groups:
# Prioritise groups from the current VPC
if vpc_id is None or curGroup.vpc_id == vpc_id:
groups[curGroup.name] = curGroup
else:
groups[curGroup.name] = curGroup
if group_id:
if curGroup.id == group_id:
group = curGroup
else:
if curGroup.name == name and (vpc_id is None
or curGroup.vpc_id == vpc_id):
group = curGroup
# Ensure requested group is absent
if state == 'absent':
if group:
# found a match, delete it
try:
if not module.check_mode:
group.delete()
except BotoServerError as e:
module.fail_json(
msg="Unable to delete security group '%s' - %s" %
(group, e.message),
exception=traceback.format_exc())
else:
group = None
changed = True
else:
# no match found, no changes required
pass
# Ensure requested group is present
elif state == 'present':
if group:
# existing group
if group.description != description:
module.fail_json(
msg=
"Group description does not match existing group. ec2_group does not support this case."
)
# if the group doesn't exist, create it now
else:
# no match found, create it
if not module.check_mode:
group = ec2.create_security_group(name,
description,
vpc_id=vpc_id)
# When a group is created, an egress_rule ALLOW ALL
# to 0.0.0.0/0 is added automatically but it's not
# reflected in the object returned by the AWS API
# call. We re-read the group for getting an updated object
# amazon sometimes takes a couple seconds to update the security group so wait till it exists
while len(
ec2.get_all_security_groups(
filters={'group_id': group.id})) == 0:
time.sleep(0.1)
group = ec2.get_all_security_groups(group_ids=(group.id, ))[0]
changed = True
else:
module.fail_json(msg="Unsupported state requested: %s" % state)
# create a lookup for all existing rules on the group
if group:
# Manage ingress rules
groupRules = {}
addRulesToLookup(group.rules, 'in', groupRules)
# Now, go through all provided rules and ensure they are there.
if rules is not None:
for rule in rules:
validate_rule(module, rule)
group_id, ip, target_group_created = get_target_from_rule(
module, ec2, rule, name, group, groups, vpc_id)
if target_group_created:
changed = True
if rule['proto'] in ('all', '-1', -1):
rule['proto'] = -1
rule['from_port'] = None
rule['to_port'] = None
# Convert ip to list we can iterate over
if not isinstance(ip, list):
ip = [ip]
# If rule already exists, don't later delete it
for thisip in ip:
ruleId = make_rule_key('in', rule, group_id, thisip)
if ruleId not in groupRules:
grantGroup = None
if group_id:
grantGroup = groups[group_id]
if not module.check_mode:
group.authorize(rule['proto'], rule['from_port'],
rule['to_port'], thisip,
grantGroup)
changed = True
else:
del groupRules[ruleId]
# Finally, remove anything left in the groupRules -- these will be defunct rules
if purge_rules:
for (rule, grant) in groupRules.values():
grantGroup = None
if grant.group_id:
if grant.owner_id != group.owner_id:
# this is a foreign Security Group. Since you can't fetch it you must create an instance of it
group_instance = SecurityGroup(owner_id=grant.owner_id,
name=grant.name,
id=grant.group_id)
groups[grant.group_id] = group_instance
groups[grant.name] = group_instance
grantGroup = groups[grant.group_id]
if not module.check_mode:
group.revoke(rule.ip_protocol, rule.from_port,
rule.to_port, grant.cidr_ip, grantGroup)
changed = True
# Manage egress rules
groupRules = {}
addRulesToLookup(group.rules_egress, 'out', groupRules)
# Now, go through all provided rules and ensure they are there.
if rules_egress is not None:
for rule in rules_egress:
validate_rule(module, rule)
group_id, ip, target_group_created = get_target_from_rule(
module, ec2, rule, name, group, groups, vpc_id)
if target_group_created:
changed = True
if rule['proto'] in ('all', '-1', -1):
rule['proto'] = -1
rule['from_port'] = None
rule['to_port'] = None
# Convert ip to list we can iterate over
if not isinstance(ip, list):
ip = [ip]
# If rule already exists, don't later delete it
for thisip in ip:
ruleId = make_rule_key('out', rule, group_id, thisip)
if ruleId in groupRules:
del groupRules[ruleId]
# Otherwise, add new rule
else:
grantGroup = None
if group_id:
grantGroup = groups[group_id].id
if not module.check_mode:
ec2.authorize_security_group_egress(
group_id=group.id,
ip_protocol=rule['proto'],
from_port=rule['from_port'],
to_port=rule['to_port'],
src_group_id=grantGroup,
cidr_ip=thisip)
changed = True
else:
# when no egress rules are specified,
# we add in a default allow all out rule, which was the
# default behavior before egress rules were added
default_egress_rule = 'out--1-None-None-None-0.0.0.0/0'
if default_egress_rule not in groupRules:
if not module.check_mode:
ec2.authorize_security_group_egress(group_id=group.id,
ip_protocol=-1,
from_port=None,
to_port=None,
src_group_id=None,
cidr_ip='0.0.0.0/0')
changed = True
else:
# make sure the default egress rule is not removed
del groupRules[default_egress_rule]
# Finally, remove anything left in the groupRules -- these will be defunct rules
if purge_rules_egress:
for (rule, grant) in groupRules.values():
grantGroup = None
if grant.group_id:
grantGroup = groups[grant.group_id].id
if not module.check_mode:
ec2.revoke_security_group_egress(
group_id=group.id,
ip_protocol=rule.ip_protocol,
from_port=rule.from_port,
to_port=rule.to_port,
src_group_id=grantGroup,
cidr_ip=grant.cidr_ip)
changed = True
if group:
module.exit_json(changed=changed, group_id=group.id)
else:
module.exit_json(changed=changed, group_id=None)
def deploy():
ec2 = boto.ec2.connect_to_region('us-east-1',
aws_access_key_id='',
aws_secret_access_key='')
ec2_key_pair = ec2.get_key_pair("key_pair")
print ec2_key_pair
if ec2_key_pair == None:
ec2_key_pair = ec2.create_key_pair("key_pair")
ec2_key_pair.save(".")
group = ec2.get_all_security_groups(filters={'group-name': 'group'})
if not group:
group = ec2.create_security_group("csc326-groupg326-2-006",
"a group for ec2")
group.authorize("icmp", -1, -1, "0.0.0.0/0")
group.authorize("tcp", 22, 22, "0.0.0.0/0")
group.authorize("tcp", 80, 80, "0.0.0.0/0")
group.authorize('tcp', 8080, 8080, '0.0.0.0/0')
else:
group = group[0]
instances = ec2.get_only_instances()
runninginstances = [i for i in instances if i.state == 'running']
instance = None
if not instances or (instances and not runninginstances):
instances = ec2.run_instances(
image_id='ami-8caa1ce4',
key_name='key_pair',
security_groups=['csc326-groupg326-2-006'],
instance_type='t1.micro')
instances = instances.instances[0]
else:
instances = instances[0]
instance = instances
print "Waiting for instance to be ready to run.."
while instance.update() != 'running':
time.sleep(10)
print "Instance is ready and running"
os.system("ssh -i key_pair.pem ubuntu@%s sudo apt-get update" %
(instance.ip_address))
os.system(
"ssh -i key_pair.pem ubuntu@%s sudo apt-get install -y python-pip" %
(instance.ip_address))
os.system("ssh -i key_pair.pem ubuntu@%s sudo pip install bottle" %
(instance.ip_address))
os.system("ssh -i key_pair.pem ubuntu@%s sudo pip install beaker" %
(instance.ip_address))
os.system(
"ssh -i key_pair.pem ubuntu@%s sudo pip install google-api-python-client"
% (instance.ip_address))
os.system("ssh -i key_pair.pem ubuntu@%s sudo pip install oauth2client" %
(instance.ip_address))
os.system("ssh -i key_pair.pem ubuntu@%s sudo pip install BeautifulSoup4" %
(instance.ip_address))
os.system("ssh -i key_pair.pem ubuntu@%s sudo pip install BeautifulSoup4" %
(instance.ip_address))
os.system("ssh -i key_pair.pem ubuntu@%s mkdir app" %
(instance.ip_address))
os.system("scp -i key_pair.pem ~/RandomSearch/Lab2/* ubuntu@%s:~/app" %
(instance.ip_address))
os.system(
"ssh -i key_pair.pem ubuntu@%s sudo nohup python app/frontEnd.py" %
(instance.ip_address))
#elasticIPaddr = ec2.allocate_address()
#elasticIPaddr.associate(instance.id)
return instance.ip_address
def launch_spot_instance(id,
profile,
spot_wait_sleep=5,
instance_wait_sleep=3):
ec2 = boto.ec2.connect_to_region(profile['region'])
if not 'key_pair' in profile:
print('key pair {0} does not exist'.format(profile['key_pair'][0]))
profile['key_pair'] = ('KP-' + id, 'KP-' + id + '.pem')
try:
print >> sys.stderr, 'Creating key pair...',
keypair = ec2.create_key_pair('KP-' + id)
keypair.save('.')
print >> sys.stderr, 'created'
except boto.exception.EC2ResponseError as e:
if e.code == 'InvalidKeyPair.Duplicate':
print >> sys.stderr, 'already exists'
else:
raise e
if not 'security_group' in profile:
try:
print >> sys.stderr, 'Creating security group...',
sc = ec2.create_security_group('SG-' + id,
'Security Group for ' + id)
for proto, fromport, toport, ip in profile['firewall']:
sc.authorize(proto, fromport, toport, ip)
profile['security_group'] = (sc.id, sc.name)
print >> sys.stderr, 'created'
except boto.exception.EC2ResponseError as e:
if e.code == 'InvalidGroup.Duplicate':
print >> sys.stderr, 'already exists'
sc = ec2.get_all_security_groups(groupnames=['SG-' + id])[0]
profile['security_group'] = (sc.id, sc.name)
else:
raise e
existing_requests = ec2.get_all_spot_instance_requests(
filters={
'launch.group-id': profile['security_group'][0],
'state': ['open', 'active']
})
if existing_requests:
if len(existing_requests) > 1:
raise Exception('Too many existing spot requests')
print >> sys.stderr, 'Reusing existing spot request'
spot_req_id = existing_requests[0].id
else:
bdm = boto.ec2.blockdevicemapping.BlockDeviceMapping()
bdm['/dev/sda1'] = boto.ec2.blockdevicemapping.BlockDeviceType(
volume_type='gp2',
size=profile['disk_size'],
delete_on_termination=profile['disk_delete_on_termination'])
bdm['/dev/sdb'] = boto.ec2.blockdevicemapping.BlockDeviceType(
ephemeral_name='ephemeral0')
print >> sys.stderr, 'Requesting spot instance'
spot_reqs = ec2.request_spot_instances(
price=profile['price'],
image_id=profile['image_id'],
instance_type=profile['type'],
placement=profile['region'] + profile['availability_zone'],
security_groups=[profile['security_group'][1]],
key_name=profile['key_pair'][0],
block_device_map=bdm,
instance_profile_arn=
'arn:aws:iam::720533437540:instance-profile/ec2_ml')
spot_req_id = spot_reqs[0].id
print >> sys.stderr, 'Waiting for launch',
instance_id = None
spot_tag_added = False
while not instance_id:
spot_req = ec2.get_all_spot_instance_requests(
request_ids=[spot_req_id])[0]
if not spot_tag_added:
spot_req.add_tag('Name', id)
spot_tag_added = True
if spot_req.state == 'failed':
# print(dir(spot_req))
raise Exception('spto request failed')
print('Spot request failed - {0}'.format(spot_req.status))
sys.exit(0)
instance_id = spot_req.instance_id
if not instance_id:
print >> sys.stderr, '.',
time.sleep(spot_wait_sleep)
print >> sys.stderr
print >> sys.stderr, 'Retrieving instance by id'
reservations = ec2.get_all_instances(instance_ids=[instance_id])
instance = reservations[0].instances[0]
instance.add_tag('Name', id)
print >> sys.stderr, 'Got instance: ' + str(
instance.id) + ' [' + instance.state + ']'
print >> sys.stderr, 'Waiting for instance to boot',
while not instance.state in ['running', 'terminated', 'shutting-down']:
print >> sys.stderr, '.',
time.sleep(instance_wait_sleep)
instance.update()
print >> sys.stderr
if instance.state != 'running':
raise Exception('Instance was terminated')
return instance
key = ec2.get_all_key_pairs(keynames=[key_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidKeyPair.NotFound':
print e.code
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print e.code
group = ec2.create_security_group(group_name, group_description)
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
try:
group.authorize(ip_protocol='icmp',from_port=-1, to_port=-1, cidr_ip='0.0.0.0/0')
group.authorize(ip_protocol='tcp',from_port=22, to_port=22, cidr_ip='0.0.0.0/0')
group.authorize(ip_protocol='tcp',from_port=80, to_port=80, cidr_ip='0.0.0.0/0')
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print e.code
else:
raise
# check the group parameters are correct
group_in_use = False
rs = ec2.get_all_instances()
for r in rs:
for i in r.instances:
group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)
if group.description != description:
if group_in_use:
module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
# if the group doesn't exist, create it now
else:
'''no match found, create it'''
if not module.check_mode:
group = ec2.create_security_group(name, description, vpc_id=vpc_id)
# When a group is created, an egress_rule ALLOW ALL
# to 0.0.0.0/0 is added automatically but it's not
# reflected in the object returned by the AWS API
# call. We re-read the group for getting an updated object
# amazon sometimes takes a couple seconds to update the security group so wait till it exists
while len(ec2.get_all_security_groups(filters={ 'group_id': group.id, })) == 0:
time.sleep(0.1)
group = ec2.get_all_security_groups(group_ids=(group.id,))[0]
changed = True
else:
module.fail_json(msg="Unsupported state requested: %s" % state)
# create a lookup for all existing rules on the group
except ec2.ResponseError, e:
if e.code == 'InvalidKeyPair.NotFound':
print 'Creating keypair %s' %key_name
key = ec2.create_key_pair(key_name)
key.save(key_dir)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == "InvalidGroup.NotFound":
print 'Creating Security group: %s' %group_name
group = ec2.create_security_group(group_name, "Allow SSH")
else:
raise
#Add SSH rule to Security group
try:
group.authorize('tcp',ssh_port,ssh_port, cidr)
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security group %s already authorized' % group_name
else:
raise
# Now start up the instance. The run_instances method
# has many, many parameters but these are all we need
# for now.
reservation = ec2.run_instances(ami,
key_name=key_name,
key.save(directory_path=env.ssh_directory)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
ec2_group = ec2.get_all_security_groups(
groupnames=[env.aws_ec2_security_group_name])[0] # noqa
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print 'Creating EC2 Security Group: %s' % env.aws_ec2_security_group_name
# Create a security group to control access to instance via SSH.
ec2_group = ec2.create_security_group(
env.aws_ec2_security_group_name,
'A group that allows SSH and HTTP access')
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
for port in ["80", env.aws_ssh_port]:
try:
ec2_group.authorize('tcp', port, port, "0.0.0.0/0")
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security Group: %s already authorized' % env.aws_ec2_security_group_name # noqa
else:
raise
"-d",
"--description",
help=
"Override the groups description [default: group name + 'security group']")
parser.add_argument(
"--vpc_id",
help="The ID of the VPC to create the security group in, if any.")
args = parser.parse_args()
# process common command line arguments
log = logging.getLogger('botocross')
bc.configure_logging(log, args.log_level)
credentials = bc.parse_credentials(args)
regions = bc.filter_regions(boto.ec2.regions(), args.region)
# execute business logic
log.info("Creating EC2 security groups named '" + args.group + "':")
description = args.description if args.description else args.group + " security group"
for region in regions:
pprint(region.name, indent=2)
try:
ec2 = boto.connect_ec2(region=region, **credentials)
group = ec2.create_security_group(args.group,
description=description,
vpc_id=args.vpc_id)
print group.id
except boto.exception.BotoServerError, e:
log.error(e.error_message)
"""
for region in boto.ec2.regions():
print 'Creating Security Group in %s region' %region.name
ec2 = region.connect()
# Check to see if specified security group already exists in this region
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(groupnames=
[args.security_group_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print 'Creating Security Group: %s' % args.security_group_name
# Create a security group to control access to instance via SSH.
group = ec2.create_security_group(args.security_group_name,
'Lakitu First Server Security Group')
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
try:
group.authorize('tcp', ssh_port, ssh_port, cidr)
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security Group: %s already authorized' \
%args.security_group_name
else:
raise
# The save method will also chmod the file to protect
# your private key.
key.save(directory_path=env.ssh_directory)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
ec2_group = ec2.get_all_security_groups(groupnames=[env.aws_ec2_security_group_name])[0] # noqa
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print 'Creating EC2 Security Group: %s' % env.aws_ec2_security_group_name
# Create a security group to control access to instance via SSH.
ec2_group = ec2.create_security_group(env.aws_ec2_security_group_name,
'A group that allows SSH and HTTP access')
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
for port in ["80", env.aws_ssh_port]:
try:
ec2_group.authorize('tcp', port, port, "0.0.0.0/0")
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security Group: %s already authorized' % env.aws_ec2_security_group_name # noqa
else:
raise
@task
# The save method will also chmod the file to protect
# your private key.
key.save(key_dir)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(groupnames=[aws_cfg["group_name"]])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print 'Creating Security Group: %s' % aws_cfg["group_name"]
# Create a security group to control access to instance via SSH.
group = ec2.create_security_group(aws_cfg["group_name"],
'A group that allows SSH access')
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
for port in ["80", aws_cfg["ssh_port"]]:
try:
group.authorize('tcp', port, port, "0.0.0.0/0")
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security Group: %s already authorized' % aws_cfg["group_name"]
else:
raise
# postgres authorization
net2 = vpcCon.create_subnet(vpcid, "10.0.2.0/24")
net3 = vpcCon.create_subnet(vpcid, "10.0.3.0/24")
net4 = vpcCon.create_subnet(vpcid, "10.0.4.0/24")
print "subnet ", net1.id, " was created"
print "subnet ", net2.id, " was created"
print "subnet ", net3.id, " was created"
print "subnet ", net4.id, " was created"
import boto.ec2
print "begin create security group"
ec2 = boto.ec2.connect_to_region(region,
aws_access_key_id=aws_access_key,
aws_secret_access_key=aws_secret_key)
net1_group = ec2.create_security_group('net1', 'Our net1 Group', vpc_id=vpcid)
net2_group = ec2.create_security_group('net2', 'Our net2 Group', vpc_id=vpcid)
net3_group = ec2.create_security_group('net3', 'Our net3 Group', vpc_id=vpcid)
net4_group = ec2.create_security_group('net4', 'Our net3 Group', vpc_id=vpcid)
print "begin add authorize to security"
b = net1_group.authorize("tcp",
from_port=0,
to_port=65535,
cidr_ip="0.0.0.0/0")
b = net1_group.authorize("udp",
from_port=0,
to_port=65535,
cidr_ip="0.0.0.0/0")
b = net2_group.authorize("tcp",
# The save method will also chmod the file to protect
# your private key.
key.save(directory_path=env.ssh_directory)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(groupnames=[env.aws_security_group_name])[0] # noqa
except ec2.ResponseError, e:
if e.code == "InvalidGroup.NotFound":
print "Creating Security Group: %s" % env.aws_security_group_name
# Create a security group to control access to instance via SSH.
group = ec2.create_security_group(env.aws_security_group_name, "A group that allows SSH access")
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
for port in ["80", env.aws_ssh_port]:
try:
group.authorize("tcp", port, port, "0.0.0.0/0")
except ec2.ResponseError, e:
if e.code == "InvalidPermission.Duplicate":
print "Security Group: %s already authorized" % env.aws_security_group_name # noqa
else:
raise
# postgres authorization
# AWS will store the public key but the private key is
# generated and returned and needs to be stored locally.
# The save method will also chmod the file to protect # your private key.
key.save(key_dir)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(groupnames=[group_name])[0]
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
print 'Creating Security Group: %s' % group_name
# Create a security group to control access to instance via SSH.
group = ec2.create_security_group(
group_name, 'A group that allows SSH access')
else:
raise
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
try:
group.authorize('tcp', ssh_port, ssh_port, cidr)
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security Group: %s already authorized' % group_name
else:
raise
# Now start up the instance. The run_instances method # has many, many parameters but these are all we need # for now.
reservation = ec2.run_instances(ami,
key_name=key_name,
image_id = regionToAMIs[region_name]
print(u"Connecting to EC2 in region %s" % region_name)
ec2 = boto.ec2.connect_to_region(region_name=region_name,
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key)
print(u"Establishing security group voodoovpn")
voodoovpngroup_name = u'voodoovpn'
matching_security_groups = [sg for sg in ec2.get_all_security_groups() if sg.name==voodoovpngroup_name]
if len(matching_security_groups) > 0:
print(u"Found security group voodoovpn")
voodoovpngroup = matching_security_groups[0]
else:
print(u"Creating security group voodoovpn")
voodoovpngroup = ec2.create_security_group(voodoovpngroup_name,'Voodoo VPN access')
voodoovpngroup.authorize('tcp',500,500,'0.0.0.0/0')
voodoovpngroup.authorize('udp',500,500,'0.0.0.0/0')
voodoovpngroup.authorize('udp',4500,4500,'0.0.0.0/0')
if key_name is not None:
# open an ssh port, if we provided an ssh key
voodoovpngroup.authorize('tcp',22,22,'0.0.0.0/0')
voodoovpngroup.authorize('udp',22,22,'0.0.0.0/0')
print(u"Generating VPN credentials")
# generate IPSEC_PSK,
VPN_USER = '******'
IPSEC_PSK = ''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase + string.digits ) for x in range(32))
VPN_PASSWORD = ''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase + string.digits ) for x in range(32))
parser.add_argument("--vpc_id", help="The ID of the VPC to create the security group in, if any.")
parser.add_argument("-r", "--region", help="A region substring selector (e.g. 'us-west')")
parser.add_argument("--access_key_id", dest='aws_access_key_id', help="Your AWS Access Key ID")
parser.add_argument("--secret_access_key", dest='aws_secret_access_key', help="Your AWS Secret Access Key")
args = parser.parse_args()
credentials = {'aws_access_key_id': args.aws_access_key_id, 'aws_secret_access_key': args.aws_secret_access_key}
def isSelected(region):
return True if region.name.find(args.region) != -1 else False
# execute business logic
heading = "Creating EC2 security groups named '" + args.group + "'"
regions = boto.ec2.regions()
if args.region:
heading += " (filtered by region '" + args.region + "')"
regions = filter(isSelected, regions)
description = args.description if args.description else args.group + " security group"
print heading + ":"
for region in regions:
pprint(region.name, indent=2)
try:
ec2 = boto.connect_ec2(region=region, **credentials)
print 'Creating security group ' + args.group
group = ec2.create_security_group(args.group, description=description, vpc_id=args.vpc_id)
print('... group ID is ' + group.id)
except boto.exception.BotoServerError, e:
print e.error_message
# it means that it doesn't exist and we need to create it.
try:
print ec2.get_all_security_groups()
group = ec2.get_all_security_groups(filters={'group-name': group_name})[0]
except IndexError:
create_group = True
except ec2.ResponseError, e:
if e.code == 'InvalidGroup.NotFound':
create_group = True
else:
raise
if create_group:
print 'Creating Security Group: %s' % group_name
# Create a security group to control access to instance via SSH.
group = ec2.create_security_group(group_name,
'A group that allows SSH access',
vpc_id="vpc-9b04b5fe")
# Add a rule to the security group to authorize SSH traffic
# on the specified port.
try:
group.authorize('tcp', ssh_port, ssh_port, cidr)
# Add a range of ports for MongoDB
group.authorize('tcp', 27010, 27050, cidr)
except ec2.ResponseError, e:
if e.code == 'InvalidPermission.Duplicate':
print 'Security Group: %s already authorized' % group_name
else:
raise
# Now start up the instance. The run_instances and spot_instances
# methods have many, many parameters but these are all we need
key.save(static.KEY_DIR)
else:
raise
# Check to see if specified security group already exists.
# If we get an InvalidGroup.NotFound error back from EC2,
# it means that it doesn't exist and we need to create it.
try:
group = ec2.get_all_security_groups(groupnames=[static.SECURITY_GROUP_NAME])[0]
except ec2.ResponseError, e:
if e.code == "InvalidGroup.NotFound":
output = "Creating Security Group: %s" % static.SECURITY_GROUP_NAME
print output
logger.info(output)
# Create a security group to control access to instance via SSH.
group = ec2.create_security_group(static.SECURITY_GROUP_NAME, "A group that allows SSH and HTTP access")
else:
raise
# Add a rule to the security group to authorize SSH traffic on the specified port.
try:
group.authorize("tcp", static.SSH_PORT, static.SSH_PORT, static.CIDR_ANYONE)
group.authorize("tcp", static.HTTPD_PORT, static.HTTPD_PORT, static.CIDR_ANYONE)
except ec2.ResponseError, e:
if e.code == "InvalidPermission.Duplicate":
# print 'Security Group %s already authorized' % static.SECURITY_GROUP_NAME
pass
else:
raise
# Now start up the instance. The run_instances method
