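def authorize_ip(type, changed, client, group, groupRules, ip, ip_permission, module, rule, ethertype):
    """Ensure every CIDR in ``ip`` is authorized on ``group`` for ``rule``.

    For each CIDR the current rule set ``groupRules`` is consulted.  A rule that
    already exists is kept: only its description is synced (when ``rule`` carries
    ``rule_desc``) and its entry is deleted from ``groupRules`` so the caller's
    later purge does not remove it.  A missing rule is authorized as ingress
    (``type == "in"``) or egress (``type == "out"``).

    Security note: the CIDR is normalised to its network bits (the same
    normalisation ``validate_ip`` performs) before both the key lookup and the
    AWS call, so a value with host bits set, e.g. ``10.1.2.3/8``, is authorized
    as the whole ``10.0.0.0/8`` network.  A warning is emitted whenever that
    rewrite changes the value; treat it as a sign the operator may have meant a
    narrower prefix than the one that is actually being opened.

    Args:
        type: ``"in"`` for ingress, ``"out"`` for egress.  Any other value is not
            sent to AWS for a new rule, yet ``changed`` is still set to True.
        changed: running changed flag; returned updated.
        client: boto3 EC2 client.
        group: security-group dict; ``GroupId`` and ``GroupName`` are read.
        groupRules: mapping rule-key -> current rule; matching entries are
            deleted from it in place.
        ip: iterable of CIDR strings.
        ip_permission: last serialized IpPermission; returned, possibly updated.
        module: AnsibleModule, used for ``check_mode``, ``warn`` and ``fail_json``.
        rule: desired rule dict; ``rule_desc`` is honoured when present.
        ethertype: forwarded to ``serialize_ip_grant``.

    Returns:
        ``(changed, ip_permission)``.

    Raises:
        Calls ``module.fail_json`` when the authorize API call raises
        ``botocore.exceptions.ClientError``.
    """
    for this_ip in ip:
        # Normalise to network bits (warns on host bits) via the shared helper
        # so the key we look up and the range we authorize agree with what AWS
        # will store, and so both code paths cannot drift apart.
        thisip = validate_ip(module, this_ip)
        rule_id = make_rule_key(type, rule, group['GroupId'], thisip)
        if rule_id in groupRules:
            # Rule already exists: only the description may need updating.
            if 'rule_desc' in rule:
                desired_rule_desc = rule.get('rule_desc') or ''
                # NOTE(review): assumes the matched rule carries at least one
                # IpRanges/Ipv6Ranges entry; an empty match would raise here.
                current_rule = groupRules[rule_id][0].get('IpRanges') or groupRules[rule_id][0].get('Ipv6Ranges')
                if desired_rule_desc != current_rule[0].get('Description', ''):
                    if not module.check_mode:
                        ip_permission = serialize_ip_grant(rule, thisip, ethertype)
                        update_rules_description(module, client, type, group['GroupId'], ip_permission)
                    changed = True
            # Remove the rule from groupRules so the caller does not purge it later.
            del groupRules[rule_id]
        else:
            # New rule: authorize it unless running in check mode.
            if not module.check_mode:
                ip_permission = serialize_ip_grant(rule, thisip, ethertype)
                if ip_permission:
                    try:
                        if type == "in":
                            client.authorize_security_group_ingress(GroupId=group['GroupId'], IpPermissions=[ip_permission])
                        elif type == "out":
                            client.authorize_security_group_egress(GroupId=group['GroupId'], IpPermissions=[ip_permission])
                    except botocore.exceptions.ClientError as e:
                        module.fail_json(msg="Unable to authorize %s for ip %s security group '%s' - %s" % (type, thisip, group['GroupName'], e),
                                         exception=traceback.format_exc(),
                                         **camel_dict_to_snake_dict(e.response))
            changed = True
    return changed, ip_permission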
def validate_ip(module, cidr_ip):
    """Reduce an ``addr/prefix`` CIDR to its network address, warning on host bits.

    Only values with exactly one ``/`` are touched.  ``to_subnet`` is tried
    first; if it raises ValueError the address is handed to ``to_ipv6_network``
    and re-joined with the original prefix.  When the result differs from the
    input the address had host bits set, and a warning is issued because the
    normalised value (a whole network) is what the caller will go on to use.
    Any other form of ``cidr_ip`` is returned unchanged.

    Args:
        module: AnsibleModule; only ``module.warn`` is used.
        cidr_ip: CIDR string to normalise.

    Returns:
        The normalised CIDR string, or ``cidr_ip`` itself when it is not in
        ``addr/prefix`` form.
    """
    parts = cidr_ip.split('/')
    if len(parts) != 2:
        return cidr_ip
    addr, prefix = parts
    # Get the network bits; fall back to the IPv6 helper when the IPv4 one rejects it.
    try:
        network = to_subnet(addr, prefix)
    except ValueError:
        network = to_ipv6_network(addr) + "/" + prefix
    if network != cidr_ip:
        module.warn("One of your CIDR addresses ({0}) has host bits set. To get rid of this warning, "
                    "check the network mask and make sure that only network bits are set: {1}.".format(cidr_ip, network))
    return network
def get_cidr_network_bits(module, cidr_block):
    """Return ``cidr_block`` with each ``addr/prefix`` entry reduced to its network bits.

    Entries with exactly one ``/`` are normalised with ``to_subnet``; when the
    result differs from the input the address had host bits set and a warning is
    issued, since the value passed on covers the whole network rather than the
    host the operator wrote.  Entries in any other form are appended untouched
    so that AWS can reject them itself.  A ValueError raised by ``to_subnet``
    (an address/prefix it cannot parse -- there is no IPv6 fallback here, unlike
    the other normalisation helpers) propagates to the caller.

    Args:
        module: AnsibleModule; only ``module.warn`` is used.
        cidr_block: iterable of CIDR strings.

    Returns:
        A new list, same order and length as ``cidr_block``.
    """
    fixed_cidrs = []
    for cidr in cidr_block:
        parts = cidr.split('/')
        if len(parts) != 2:
            # let AWS handle invalid CIDRs
            fixed_cidrs.append(cidr)
            continue
        addr, prefix = parts
        network = to_subnet(addr, prefix)
        if network != cidr:
            module.warn("One of your CIDR addresses ({0}) has host bits set. To get rid of this warning, "
                        "check the network mask and make sure that only network bits are set: {1}.".format(cidr, network))
        fixed_cidrs.append(network)
    return fixed_cidrs
def test_to_subnet_invalid():
    """A non-numeric address/mask pair must be rejected with ValueError."""
    try:
        to_subnet('foo', 'bar')
    except ValueError:
        return
    pytest.fail("to_subnet('foo', 'bar') did not raise ValueError")
def test_to_subnet():
    """Host bits are cleared; output is CIDR by default or dotted on request."""
    cases = [
        (('192.168.1.1', 24), {}, '192.168.1.0/24'),
        (('192.168.1.1', 24), {'dotted_notation': True}, '192.168.1.0 255.255.255.0'),
    ]
    for args, kwargs, expected in cases:
        assert to_subnet(*args, **kwargs) == expected