def command_encrypt_ami(values):
session_id = util.make_nonce()
aws_svc = aws_service.AWSService(
session_id,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
if values.validate:
guest_image = _validate_guest_ami(aws_svc, values.ami)
else:
guest_image = aws_svc.get_image(values.ami)
pv = _use_pv_metavisor(values, guest_image)
encryptor_ami = (values.encryptor_ami
or _get_encryptor_ami(values.region, pv=pv))
default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate(aws_svc, values, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
encrypted_image_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_ami,
encrypted_ami_name=values.encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
save_encryptor_logs=values.save_encryptor_logs)
# Print the AMI ID to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def check_args(values, gce_svc):
if not gce_svc.network_exists(values.network):
raise ValidationError("Network provided does not exist")
if values.encryptor_image:
if values.bucket != 'prod':
raise ValidationError("Please provided either an encryptor image or an image bucket")
if not values.token:
raise ValidationError('Must provide a token')
brkt_env = brkt_cli.brkt_env_from_values(values)
brkt_cli.check_jwt_auth(brkt_env, values.token)
def check_args(values, gce_svc):
if not gce_svc.network_exists(values.network):
raise ValidationError("Network provided does not exist")
if values.encryptor_image:
if values.bucket != 'prod':
raise ValidationError(
"Please provided either an encryptor image or an image bucket")
if not values.token:
raise ValidationError('Must provide a token')
brkt_env = brkt_cli.brkt_env_from_values(values)
brkt_cli.check_jwt_auth(brkt_env, values.token)
def check_args(values, gce_svc, cli_config):
if values.encryptor_image:
if values.bucket != 'prod':
raise ValidationError("Please provided either an encryptor image or an image bucket")
if not values.token:
raise ValidationError('Must provide a token')
if values.validate:
if not gce_svc.project_exists(values.project):
raise ValidationError("Project provided does not exist")
if not gce_svc.network_exists(values.network):
raise ValidationError("Network provided does not exist")
brkt_env = brkt_cli.brkt_env_from_values(values)
if brkt_env is None:
_, brkt_env = cli_config.get_current_env()
brkt_cli.check_jwt_auth(brkt_env, values.token)
def command_update_encrypted_ami(values):
nonce = util.make_nonce()
aws_svc = aws_service.AWSService(
nonce,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
encrypted_image = _validate_ami(aws_svc, values.ami)
pv = _use_pv_metavisor(values, encrypted_image)
encryptor_ami = (values.encryptor_ami
or _get_encryptor_ami(values.region, pv=pv))
default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate_guest_encrypted_ami(aws_svc, encrypted_image.id,
encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
_validate(aws_svc, values, encryptor_ami)
_validate_guest_encrypted_ami(aws_svc, encrypted_image.id,
encryptor_ami)
else:
log.info('Skipping AMI validation.')
mv_image = aws_svc.get_image(encryptor_ami)
if (encrypted_image.virtualization_type != mv_image.virtualization_type):
log.error(
'Virtualization type mismatch. %s is %s, but encryptor %s is '
'%s.', encrypted_image.id, encrypted_image.virtualization_type,
mv_image.id, mv_image.virtualization_type)
return 1
encrypted_ami_name = values.encrypted_ami_name
if encrypted_ami_name:
# Check for name collision.
filters = {'name': encrypted_ami_name}
if aws_svc.get_images(filters=filters, owners=['self']):
raise ValidationError('You already own image named %s' %
encrypted_ami_name)
else:
encrypted_ami_name = _get_updated_image_name(encrypted_image.name,
nonce)
log.debug('Image name: %s', encrypted_ami_name)
aws_service.validate_image_name(encrypted_ami_name)
# Initial validation done
log.info('Updating %s with new metavisor %s', encrypted_image.id,
encryptor_ami)
updated_ami_id = update_ami(
aws_svc,
encrypted_image.id,
encryptor_ami,
encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
updater_instance_type=values.updater_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
)
print(updated_ami_id)
return 0
def command_update_encrypted_ami(values):
nonce = util.make_nonce()
aws_svc = aws_service.AWSService(
nonce,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
encrypted_image = _validate_ami(aws_svc, values.ami)
pv = _use_pv_metavisor(values, encrypted_image)
encryptor_ami = (
values.encryptor_ami or
_get_encryptor_ami(values.region, pv=pv)
)
default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
_validate(aws_svc, values, encryptor_ami)
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
else:
log.info('Skipping AMI validation.')
mv_image = aws_svc.get_image(encryptor_ami)
if (encrypted_image.virtualization_type !=
mv_image.virtualization_type):
log.error(
'Virtualization type mismatch. %s is %s, but encryptor %s is '
'%s.',
encrypted_image.id,
encrypted_image.virtualization_type,
mv_image.id,
mv_image.virtualization_type
)
return 1
encrypted_ami_name = values.encrypted_ami_name
if encrypted_ami_name:
# Check for name collision.
filters = {'name': encrypted_ami_name}
if aws_svc.get_images(filters=filters, owners=['self']):
raise ValidationError(
'You already own image named %s' % encrypted_ami_name)
else:
encrypted_ami_name = _get_updated_image_name(
encrypted_image.name, nonce)
log.debug('Image name: %s', encrypted_ami_name)
aws_service.validate_image_name(encrypted_ami_name)
# Initial validation done
log.info(
'Updating %s with new metavisor %s',
encrypted_image.id, encryptor_ami
)
updated_ami_id = update_ami(
aws_svc, encrypted_image.id, encryptor_ami, encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
updater_instance_type=values.updater_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
)
print(updated_ami_id)
return 0
def command_encrypt_ami(values):
session_id = util.make_nonce()
aws_svc = aws_service.AWSService(
session_id,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
if values.validate:
guest_image = _validate_guest_ami(aws_svc, values.ami)
else:
guest_image = aws_svc.get_image(values.ami)
pv = _use_pv_metavisor(values, guest_image)
encryptor_ami = (
values.encryptor_ami or
_get_encryptor_ami(values.region, pv=pv)
)
default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate(aws_svc, values, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
encrypted_image_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_ami,
encrypted_ami_name=values.encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
save_encryptor_logs=values.save_encryptor_logs
)
# Print the AMI ID to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def run_update(values, config, verbose=False):
nonce = util.make_nonce()
aws_svc = aws_service.AWSService(
nonce,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
encrypted_image = _validate_ami(aws_svc, values.ami)
encryptor_ami = values.encryptor_ami or _get_encryptor_ami(values.region)
default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
_validate(aws_svc, values, encryptor_ami)
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
else:
log.info('Skipping AMI validation.')
mv_image = aws_svc.get_image(encryptor_ami)
if (encrypted_image.virtualization_type != mv_image.virtualization_type):
log.error(
'Virtualization type mismatch. %s is %s, but encryptor %s is '
'%s.',
encrypted_image.id,
encrypted_image.virtualization_type,
mv_image.id,
mv_image.virtualization_type
)
return 1
encrypted_ami_name = values.encrypted_ami_name
if encrypted_ami_name:
# Check for name collision.
filters = {'name': encrypted_ami_name}
if aws_svc.get_images(filters=filters, owners=['self']):
raise ValidationError(
'You already own image named %s' % encrypted_ami_name)
else:
encrypted_ami_name = _get_updated_image_name(
encrypted_image.name, nonce)
log.debug('Image name: %s', encrypted_ami_name)
aws_service.validate_image_name(encrypted_ami_name)
# Initial validation done
log.info(
'Updating %s with new metavisor %s',
encrypted_image.id, encryptor_ami
)
instance_config = instance_config_from_values(
values, mode=INSTANCE_UPDATER_MODE, cli_config=config)
if verbose:
with tempfile.NamedTemporaryFile(
prefix='user-data-',
delete=False
) as f:
log.debug('Writing instance user data to %s', f.name)
f.write(instance_config.make_userdata())
updated_ami_id = update_ami(
aws_svc, encrypted_image.id, encryptor_ami, encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
updater_instance_type=values.updater_instance_type,
instance_config=instance_config,
status_port=values.status_port,
)
print(updated_ami_id)
return 0
def run_encrypt(values, config, verbose=False):
session_id = util.make_nonce()
aws_svc = aws_service.AWSService(
session_id,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
if values.validate:
guest_image = _validate_guest_ami(aws_svc, values.ami)
else:
guest_image = aws_svc.get_image(values.ami)
encryptor_ami = values.encryptor_ami or _get_encryptor_ami(values.region)
default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate(aws_svc, values, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
instance_config = instance_config_from_values(
values, mode=INSTANCE_CREATOR_MODE, cli_config=config)
if verbose:
with tempfile.NamedTemporaryFile(
prefix='user-data-',
delete=False
) as f:
log.debug('Writing instance user data to %s', f.name)
f.write(instance_config.make_userdata())
encrypted_image_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_ami,
encrypted_ami_name=values.encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
instance_config=instance_config,
status_port=values.status_port,
save_encryptor_logs=values.save_encryptor_logs,
terminate_encryptor_on_failure=(
values.terminate_encryptor_on_failure)
)
# Print the AMI ID to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0