コード例 #1
0
ファイル: Instances.py プロジェクト: jmvaughn/Cloudefigo
 def attach_new_storage_to_current_instance(self):
     inst = self.get_instance_object_by_instance_id(self.__current_instance_name)
     vol = self.__conn.create_volume(1,self.__conn.region)
     time.sleep(30)
     curr_vol = self.__conn.get_all_volumes([vol.id])[0]
     while curr_vol.status != 'available':
         time.sleep(10)
         Logger.logger("info", "pending to make volume available")
     self.__conn.attach_volume (vol.id, inst.id, "/dev/sdf")
     Logger.log("info", "The volume {} attached to this instance".format(vol.id))
コード例 #2
0
ファイル: AppConfigMgr.py プロジェクト: jmvaughn/Cloudefigo
 def get_parameter(self, scope, param):
     if self.cfg_tree is not None:
         try:
             scopeNode = self.cfg_tree.find(scope)
             return scopeNode.find(param).text
         except:
             error_message = "Cannot find the configuration for the scope {} and parameter {}".format(scope, param)
             Logger.log("error", error_message)
             raise GenericException(error_message)
     return ""
コード例 #3
0
 def create_dynamic_role(self):
     random_id = uuid.uuid4().get_hex()
     with open(self.__iam_basic_policy_path, "r") as policy_file:
         iam_role_name = "{}-{}".format(self.__prefix_name, random_id)
         iam_policy_document = policy_file.read().replace("BUCKETNAME", "{}*".format(self.__prefix_name))
         self.__conn.create_role(iam_role_name)
         self.__conn.create_instance_profile(iam_role_name)
         self.__conn.add_role_to_instance_profile(iam_role_name, iam_role_name)
         self.__conn.put_role_policy(iam_role_name, self.__iam_policy_name, iam_policy_document)
         Logger.log("info", "Created a dynamic role named {}".format(iam_role_name))
         return iam_role_name
コード例 #4
0
ファイル: Storage.py プロジェクト: jmvaughn/Cloudefigo
 def generate_and_store_encryption_key(self):
     bucket = self.__s3.create_bucket(self.__bucket_unique_id)
     bucket.set_policy(self.__get_bucket_policy)
     from boto.s3.key import Key
     key_object = Key(bucket)
     key_object.key = "key"
     encryption_key = self.__generate_encryption_key()
     key_object.set_contents_from_string(encryption_key, {"Referer": self.__get_referer_unique_id()}, True)
     expires_in_seconds = 1800
     key_object.generate_url(expires_in_seconds)
     Logger.log("info", "Encryption key uploaded to S3 bucket named {}".format(self.__bucket_unique_id))
コード例 #5
0
ファイル: AppConfigMgr.py プロジェクト: jmvaughn/Cloudefigo
    def __init__(self,):
        path = self.__get_path()
        import xml.etree.ElementTree as ET
        try:
            self.cfg_tree = ET.parse(path)
        except:
            error_message = "Cannot find the configuration file {}".format(path)
            Logger.log("error", error_message)
            raise GenericException(error_message)

        return
コード例 #6
0
 def get_instance_credentials():
     try:
         role_name = EnvironmentVariables.get_current_instance_profile();
         creds_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/{}".format(role_name)
         response = urllib2.urlopen(creds_url).read()
         parsed_response = json.loads(response)
         boto_cfg_access_key_value = parsed_response["AccessKeyId"]
         boto_cfg_secret_key_value = parsed_response["SecretAccessKey"]
         boto_cfg_token = parsed_response["Token"]
         return "{} {} {}".format(boto_cfg_access_key_value, boto_cfg_secret_key_value, boto_cfg_token)
     except:
         Logger.log("error","Cannot get instance credentials from {}".format(creds_url))
         raise
コード例 #7
0
ファイル: Storage.py プロジェクト: jmvaughn/Cloudefigo
 def __get_file_contents_list_from_bucket(bucket, prefix, bucket_name):
     json_files_list = []
     for key in bucket.list(prefix=prefix):
         if key.name.endswith('/') or key.name.endswith('-done'):
             continue
         try:
             new_key_name = "{}-done".format(key.name)
             bucket.copy_key(new_key_name=new_key_name, src_bucket_name=bucket_name, src_key_name=key.name)
             bucket.delete_key(key.name)
             new_key = bucket.get_key(new_key_name)
             new_key.get_contents_to_filename(filename="tmp.json.gz")
             f = gzip.open('tmp.json.gz', 'rb')
             json_files_list.append(f.read())
             f.close()
         except Exception as ex:
             Logger.log("warning", "{} FAILED: {}".format(key.name, ex.message))
     return json_files_list
コード例 #8
0
ファイル: Instances.py プロジェクト: jmvaughn/Cloudefigo
 def create_secure_instance(self, image_id, instance_type, instance_name):
     script_path = self.__cfg.get_parameter("Instances", "CloudInitScriptPath")
     production_security_group_id = self.__cfg.get_parameter("Instances", "RemediationSecurityGroupId")
     production_subnet_id = self.__cfg.get_parameter("Instances", "ProductionSubnetId")
     key_name = self.__cfg.get_parameter("Instances", "EC2KeyName")
     with open(script_path, "r") as script_file:
         cloud_init_script = script_file.read()
         iam_role = IAMAdmin()
         instance_profile = iam_role.create_dynamic_role()
         new_reservation = self.__try_create_instance(image_id, key_name, instance_profile, instance_type,
                                                      production_subnet_id, production_security_group_id,
                                                      cloud_init_script)
         instance = new_reservation.instances[0]
         self.__conn.create_tags([instance.id], {"Name": instance_name})
         message = "An instance created with id {}".format(instance.id)
         Logger.log("info", message)
         return message
コード例 #9
0
ファイル: Instances.py プロジェクト: jmvaughn/Cloudefigo
 def __try_create_instance(self, ami_id, key_name, profile_name, instance_type, subnet_id,
                           security_group_id, user_data):
     try:
         new_reservation = self.__conn.run_instances(ami_id, key_name=key_name,
                                                     instance_profile_name=profile_name, instance_type=instance_type,
                                                     subnet_id=subnet_id, security_group_ids=[security_group_id],
                                                     user_data=user_data)
         return new_reservation
     except:
         Logger.log("warning", "Could not create instance first time. Waiting another few seconds before retrying")
         time.sleep(30)
         Logger.log("warning", "Retrying to create instance")
         try:
             new_reservation = self.__conn.run_instances(ami_id, key_name=key_name,
                                                         instance_profile_name=profile_name,
                                                         instance_type=instance_type,
                                                         subnet_id=subnet_id, security_group_ids=[security_group_id],
                                                         user_data=user_data)
             return new_reservation
         except Exception as ex:
             message = "Cannot create new instance: {}".format(ex.message)
             raise GenericException(message)
コード例 #10
0
 def verify_management(self):
     node = Node(self.__get_hostname())
     if node.exists:
         Logger.log("info", "The server is managed by Chef")
         return
     raise RemediationException("The server is not managed by Chef. Please make sure it is managed before promoting to production.")
コード例 #11
0
ファイル: Exceptions.py プロジェクト: jmvaughn/Cloudefigo
 def __init__(self, message):
     super(RemediationException, self).__init__(message)
     Logger.log("critical", message)
コード例 #12
0
ファイル: Exceptions.py プロジェクト: jmvaughn/Cloudefigo
 def __init__(self, message):
     super(GenericException, self).__init__(message)
     Logger.log("error", message)
コード例 #13
0
ファイル: Instances.py プロジェクト: jmvaughn/Cloudefigo
 def strict_current_instance_role_permissions(self):
     iam = IAM()
     current_role_name = EnvironmentVariables.get_current_instance_profile()
     iam.strict_dynamic_role(current_role_name)
     Logger.log("info", "Changed the IAM role to be more strict")
コード例 #14
0
ファイル: Instances.py プロジェクト: jmvaughn/Cloudefigo
 def move_current_instance_to_production_group(self):
     production_group_id = self.__cfg.get_parameter("Instances", "ProductionSecurityGroupId")
     instance = self.get_instance_object_by_instance_id(self.__current_instance_name)
     self.__conn.modify_instance_attribute(self.__current_instance_name,
                                           "groupSet", [production_group_id])
     Logger.log("info", "This instance moved to the production subnet {}".format(production_group_id))
コード例 #15
0
ファイル: Storage.py プロジェクト: jmvaughn/Cloudefigo
 def get_encryption_key(self):
     bucket = self.__s3.get_bucket(self.__bucket_unique_id)
     key = bucket.get_key("key", {"Referer": self.__get_referer_unique_id()})
     response = key.get_contents_as_string({"Referer": self.__get_referer_unique_id()})
     Logger.log("info", "Encryption key downloaded")
     return response
コード例 #16
0
ファイル: Init.py プロジェクト: jmvaughn/Cloudefigo
__author__ = 'nirv'

from Chef.ConfigurationManagement import ChefClient
from NessusScanner.VulnerabilityAssessment import Scanner
from CloudServices.Common.Exceptions import RemediationException,GenericException
from CloudServices.IaaS.Instances import EC2Instance
from CloudServices.Common.Logger import Logger

ec2 = EC2Instance()

try:
    chef_client = ChefClient()
    chef_client.verify_management()

    nessus = Scanner()
    nessus.run_scan()

    ec2.move_current_instance_to_production_group()
    ec2.strict_current_instance_role_permissions()

except RemediationException as re:
    ## ec2.strict_current_instance_role_permissions() ## Depends on the business, it can be added.
    exit()

except GenericException as ge:
    exit()

except Exception as ex:
    Logger.log("error", ex.message)
    exit()