def do_add_rules(args): log.info("Operation: add") rules, errors = read_rules(args.files) if errors: map(log.error, errors) return 1 return change_rules(args, rules, "add", ("InvalidPermission.Duplicate", ))
def do_update_rules(args): log.info("Operation: update") rules, errors = read_rules(args.files) if errors: map(log.error, errors) return 1 log.debug("Collecting active rules") group_args = (args.profile, args.region, args.vpc) remote_groups = groups_for(*group_args) if args.obliterate: log.warning("Obliterate: Updating all groups in {} {} {}".format(*group_args)) else: affected_groups = list(set(args.groups).intersection(set(g['GroupId'] for g in rules))) if not affected_groups: log.warning("No affected groups") return 0 log.debug("Affected groups: {}".format(", ".join(affected_groups))) remote_groups = [g for g in remote_groups if g['GroupId'] in affected_groups] remote_rules = RuleSet().flatten_groups(remote_groups) add_set = rules - remote_rules remove_set = remote_rules - rules if args.add_before_remove: error = change_rules(args, add_set, "add") if error != 0: return error return change_rules(args, remove_set, "remove") else: error = change_rules(args, remove_set, "remove") if error != 0: return error return change_rules(args, add_set, "add")
def do_remove_rules(args): log.info("Operation: remove") rules, errors = read_rules(args.files) if errors: map(log.error, errors) return 1 return change_rules(args, rules, "remove", ("InvalidPermission.NotFound",))
def do_add_rules(args): log.info("Operation: add") rules, errors = read_rules(args.files) if errors: map(log.error, errors) return 1 return change_rules(args, rules, "add", ("InvalidPermission.Duplicate",))
def do_remove_rules(args): log.info("Operation: remove") rules, errors = read_rules(args.files) if errors: map(log.error, errors) return 1 return change_rules(args, rules, "remove", ("InvalidPermission.NotFound", ))
def reverse_rules(args): """Given a variables file and raw rules, try to build a symbolic ruleset""" log = logging.getLogger(__name__) if args.vars_files: try: parser = Parser(args.vars_files, args.account) except IOError as e: log.error(e) return 1 vrev = parser.vars_reverse vfwd = parser.variables else: vrev = {} vfwd = {} account = str(vfwd.get(args.account)) if not account: log.error('Account {} is not defined'.format(args.account)) return 1 try: rules, errors = read_rules(args.input_files) except IOError as e: log.error(e) return 1 if errors: map(log.error, errors) return 1 for rule in rules: owner = vrev.get(rule['GroupId']) if not owner: log.warning("Could not resolve owner: {}".format(rule['GroupId'])) owner = "unknown({})".format(rule['GroupId']) other_raw = rule.get('OtherCidrIp') if not other_raw: other_raw = rule.other() if '/' in other_raw: if other_raw.split('/', 1)[0] == account: other_raw = other_raw.split('/', 1)[1] other = vrev.get(other_raw) if not other: log.warning("Could not resolve other: {}".format(other_raw)) other = "unknown({})".format(other_raw) proto_raw = "{} {} {}".format(rule['IpProtocol'], rule['FromPort'], rule['ToPort']) proto = vrev.get(proto_raw) if not proto: log.warning("Could not resolve protocol: {}".format(proto_raw)) proto = "unknown({}/{}/{})".format(rule['IpProtocol'], rule['FromPort'], rule['ToPort']) print('rule {} {} {} {}'.format(rule['Direction'], owner, other, proto))
def do_update_rules(args): log.info("Operation: update") rules, errors = read_rules(args.files) if errors: map(log.error, errors) return 1 log.debug("Collecting active rules") group_args = (args.profile, args.region, args.vpc) remote_groups = groups_for(*group_args) if args.obliterate: log.warning( "Obliterate: Updating all groups in {} {} {}".format(*group_args)) else: affected_groups = list( set(args.groups).intersection(set(g['GroupId'] for g in rules))) if not affected_groups: log.warning("No affected groups") return 0 log.debug("Affected groups: {}".format(", ".join(affected_groups))) remote_groups = [ g for g in remote_groups if g['GroupId'] in affected_groups ] remote_rules = RuleSet().flatten_groups(remote_groups) add_set = rules - remote_rules remove_set = remote_rules - rules if args.add_before_remove: error = change_rules(args, add_set, "add") if error != 0: return error return change_rules(args, remove_set, "remove") else: error = change_rules(args, remove_set, "remove") if error != 0: return error return change_rules(args, add_set, "add")