def test_dhcp_options_get_by_id():
conn = boto.connect_vpc('the_key', 'the_secret')
dhcp1 = conn.create_dhcp_options('test1.com', ['10.0.10.2'])
dhcp1.add_tag('Name', 'TestDhcpOptions1')
dhcp1.add_tag('test-tag', 'test-value')
dhcp1_id = dhcp1.id
dhcp2 = conn.create_dhcp_options('test2.com', ['10.0.20.2'])
dhcp2.add_tag('Name', 'TestDhcpOptions2')
dhcp2.add_tag('test-tag', 'test-value')
dhcp2_id = dhcp2.id
dhcp_options_sets = conn.get_all_dhcp_options()
dhcp_options_sets.should.have.length_of(2)
dhcp_options_sets = conn.get_all_dhcp_options(
filters={'dhcp-options-id': dhcp1_id})
dhcp_options_sets.should.have.length_of(1)
dhcp_options_sets[0].options['domain-name'][0].should.be.equal('test1.com')
dhcp_options_sets[0].options[
'domain-name-servers'][0].should.be.equal('10.0.10.2')
dhcp_options_sets = conn.get_all_dhcp_options(
filters={'dhcp-options-id': dhcp2_id})
dhcp_options_sets.should.have.length_of(1)
dhcp_options_sets[0].options['domain-name'][0].should.be.equal('test2.com')
dhcp_options_sets[0].options[
'domain-name-servers'][0].should.be.equal('10.0.20.2')
def test_detach_vpn_gateway():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
vpn_gateway = conn.create_vpn_gateway('ipsec.1', 'us-east-1a')
conn.attach_vpn_gateway(
vpn_gateway_id=vpn_gateway.id,
vpc_id=vpc.id
)
gateway = conn.get_all_vpn_gateways()[0]
attachments = gateway.attachments
attachments.should.have.length_of(1)
attachments[0].vpc_id.should.equal(vpc.id)
attachments[0].state.should.equal('attached')
conn.detach_vpn_gateway(
vpn_gateway_id=vpn_gateway.id,
vpc_id=vpc.id
)
gateway = conn.get_all_vpn_gateways()[0]
attachments = gateway.attachments
attachments.should.have.length_of(0)
def test_replace_network_acl_entry():
conn = boto.connect_vpc('the_key', 'the secret')
vpc = conn.create_vpc("10.0.0.0/16")
network_acl = conn.create_network_acl(vpc.id)
conn.create_network_acl_entry(
network_acl.id, 110, 6,
'ALLOW', '0.0.0.0/0', False,
port_range_from='443',
port_range_to='443'
)
conn.replace_network_acl_entry(
network_acl.id, 110, -1,
'DENY', '0.0.0.0/0', False,
port_range_from='22',
port_range_to='22'
)
all_network_acls = conn.get_all_network_acls()
test_network_acl = next(na for na in all_network_acls
if na.id == network_acl.id)
entries = test_network_acl.network_acl_entries
entries.should.have.length_of(1)
entries[0].rule_number.should.equal('110')
entries[0].protocol.should.equal('-1')
entries[0].rule_action.should.equal('DENY')
def test_start_vpc_spot_instance(self):
c = self.botoSetup()
vpc_conn = boto.connect_vpc()
vpc = vpc_conn.create_vpc("192.168.0.0/24")
subnet = vpc_conn.create_subnet(vpc.id, "192.168.0.0/24")
amis = c.get_all_images()
sg = c.create_security_group("test_sg", "test_sg", vpc.id)
bs = ec2.EC2LatentWorker('bot1', 'sekrit', 'm1.large',
identifier='publickey',
secret_identifier='privatekey',
keypair_name="test_key",
ami=amis[0].id, spot_instance=True,
max_spot_price=1.5,
security_group_ids=[sg.id],
subnet_id=subnet.id,
)
instance_id, _, _ = bs._start_instance()
instances = [i for i in c.get_only_instances()
if i.state != "terminated"]
self.assertTrue(bs.spot_instance)
self.assertEqual(len(instances), 1)
self.assertEqual(instances[0].id, instance_id)
self.assertEqual(instances[0].subnet_id, subnet.id)
self.assertEqual(len(instances[0].groups), 1)
self.assertEqual(instances[0].groups[0].id, sg.id)
def connect(vpc_region):
access_key, secret_key = read_credentials()
s3_conn = boto.connect_s3(access_key, secret_key)
ec2_conn = boto.ec2.connect_to_region(vpc_region, aws_access_key_id=access_key, aws_secret_access_key=secret_key)
region = boto.ec2.get_region(vpc_region, aws_access_key_id=access_key, aws_secret_access_key=secret_key)
vpc_conn = boto.connect_vpc(access_key, secret_key, region=region)
return Connections(ec2_conn, vpc_conn, s3_conn)
def test_run_instance_with_nic_preexisting():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
security_group1 = conn.create_security_group('test security group #1', 'this is a test security group')
security_group2 = conn.create_security_group('test security group #2', 'this is a test security group')
private_ip = "54.0.0.1"
eni = conn.create_network_interface(subnet.id, private_ip, groups=[security_group1.id])
# Boto requires NetworkInterfaceCollection of NetworkInterfaceSpecifications...
# annoying, but generates the desired querystring.
from boto.ec2.networkinterface import NetworkInterfaceSpecification, NetworkInterfaceCollection
interface = NetworkInterfaceSpecification(network_interface_id=eni.id, device_index=0)
interfaces = NetworkInterfaceCollection(interface)
# end Boto objects
reservation = conn.run_instances('ami-1234abcd', network_interfaces=interfaces,
security_group_ids=[security_group2.id])
instance = reservation.instances[0]
instance.subnet_id.should.equal(subnet.id)
all_enis = conn.get_all_network_interfaces()
all_enis.should.have.length_of(1)
instance.interfaces.should.have.length_of(1)
instance_eni = instance.interfaces[0]
instance_eni.id.should.equal(eni.id)
instance_eni.subnet_id.should.equal(subnet.id)
instance_eni.groups.should.have.length_of(2)
set([group.id for group in instance_eni.groups]).should.equal(set([security_group1.id,security_group2.id]))
instance_eni.private_ip_addresses.should.have.length_of(1)
instance_eni.private_ip_addresses[0].private_ip_address.should.equal(private_ip)
def test_igw_delete_attached():
""" internet gateway fail to delete attached """
conn = boto.connect_vpc('the_key', 'the_secret')
igw = conn.create_internet_gateway()
vpc = conn.create_vpc(VPC_CIDR)
conn.attach_internet_gateway(igw.id, vpc.id)
conn.delete_internet_gateway.when.called_with(igw.id).should.throw(EC2ResponseError)
def test_default_network_acl_created_with_vpc():
conn = boto.connect_vpc('the_key', 'the secret')
vpc = conn.create_vpc("10.0.0.0/16")
all_network_acls = conn.get_all_network_acls()
all_network_acls.should.have.length_of(1)
def test_route_tables_filters_associations():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet1 = conn.create_subnet(vpc.id, "10.0.0.0/18")
subnet2 = conn.create_subnet(vpc.id, "10.0.1.0/18")
subnet3 = conn.create_subnet(vpc.id, "10.0.2.0/18")
route_table1 = conn.create_route_table(vpc.id)
route_table2 = conn.create_route_table(vpc.id)
association_id1 = conn.associate_route_table(route_table1.id, subnet1.id)
association_id2 = conn.associate_route_table(route_table1.id, subnet2.id)
association_id3 = conn.associate_route_table(route_table2.id, subnet3.id)
all_route_tables = conn.get_all_route_tables()
all_route_tables.should.have.length_of(3)
# Filter by association ID
association1_route_tables = conn.get_all_route_tables(filters={'association.route-table-association-id':association_id1})
association1_route_tables.should.have.length_of(1)
association1_route_tables[0].id.should.equal(route_table1.id)
association1_route_tables[0].associations.should.have.length_of(2)
# Filter by route table ID
route_table2_route_tables = conn.get_all_route_tables(filters={'association.route-table-id':route_table2.id})
route_table2_route_tables.should.have.length_of(1)
route_table2_route_tables[0].id.should.equal(route_table2.id)
route_table2_route_tables[0].associations.should.have.length_of(1)
# Filter by subnet ID
subnet_route_tables = conn.get_all_route_tables(filters={'association.subnet-id':subnet1.id})
subnet_route_tables.should.have.length_of(1)
subnet_route_tables[0].id.should.equal(route_table1.id)
association1_route_tables[0].associations.should.have.length_of(2)
def connect_vpc():
logger.debug('Connecting to the Amazon Virtual Private Cloud (Amazon VPC) service.')
vpc = boto.connect_vpc(aws_access_key_id=config['AWS_ACCESS_KEY_ID'],
aws_secret_access_key=config['AWS_SECRET_ACCESS_KEY'])
logger.debug('Connected to Amazon VPC.')
return vpc
def setUp(self):
self.api = boto.connect_vpc()
vpc = self.api.create_vpc('10.0.0.0/16')
self.addCleanup(self.api.delete_vpc, vpc.id)
self.subnet = self.api.create_subnet(vpc.id, '10.0.0.0/24')
self.addCleanup(self.api.delete_subnet, self.subnet.id)
def assume_service(account_number, service, region='us-east-1'):
conn = boto.connect_sts()
role = conn.assume_role('arn:aws:iam::{0}:role/{1}'.format(
account_number, current_app.config.get('LEMUR_INSTANCE_PROFILE', 'Lemur')), 'blah')
if service in 'iam':
return boto.connect_iam(
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token)
elif service in 'elb':
return boto.ec2.elb.connect_to_region(
region,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token)
elif service in 'vpc':
return boto.connect_vpc(
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token)
elif service in 's3':
return boto.s3.connect_to_region(
region,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token)
def test_delete_vpn_gateway():
conn = boto.connect_vpc('the_key', 'the_secret')
vpn_gateway = conn.create_vpn_gateway('ipsec.1', 'us-east-1a')
conn.delete_vpn_gateway(vpn_gateway.id)
vgws = conn.get_all_vpn_gateways()
vgws.should.have.length_of(0)
def test_start_vpc_instance(self):
c = self.botoSetup()
vpc_conn = boto.connect_vpc()
vpc = vpc_conn.create_vpc("192.168.0.0/24")
subnet = vpc_conn.create_subnet(vpc.id, "192.168.0.0/24")
amis = c.get_all_images()
sg = c.create_security_group("test_sg", "test_sg", vpc.id)
bs = ec2.EC2LatentWorker(
"bot1",
"sekrit",
"m1.large",
identifier="publickey",
secret_identifier="privatekey",
keypair_name="latent_buildbot_worker",
security_group_ids=[sg.id],
subnet_id=subnet.id,
ami=amis[0].id,
)
instance_id, _, _ = bs._start_instance()
instances = [i for i in c.get_only_instances() if i.state != "terminated"]
self.assertEqual(len(instances), 1)
self.assertEqual(instances[0].id, instance_id)
self.assertEqual(instances[0].subnet_id, subnet.id)
self.assertEqual(len(instances[0].groups), 1)
self.assertEqual(instances[0].groups[0].id, sg.id)
self.assertEqual(instances[0].key_name, "latent_buildbot_worker")
def load_config(show_output=False):
config_filename = path.join(directory, 'config')
aws_dirty = False
if not boto.config.has_option('Credentials', 'aws_access_key_id'):
aws_access_key_id = getpass.getpass('AWS Access Key ID: ')
boto.config.save_user_option('Credentials', 'aws_access_key_id', aws_access_key_id)
aws_dirty = True
if not boto.config.has_option('Credentials', 'aws_secret_access_key'):
aws_secret_access_key = getpass.getpass('AWS Secret Access Key: ')
boto.config.save_user_option('Credentials', 'aws_secret_access_key', aws_secret_access_key)
aws_dirty = True
if aws_dirty:
print "-----> AWS configuration written to {}".format(boto.pyami.config.UserConfigPath)
else:
if show_output: print "-----> AWS configuration unchanged, see `{}`".format(boto.pyami.config.UserConfigPath)
vpc = boto.connect_vpc()
try:
with open(config_filename, 'r') as config_file:
config = json.loads(config_file.read())
except IOError:
config = default_config()
dirty = False
vpc_id = config.get('vpc_id')
if not vpc_id:
vpc_id = raw_input("AWS VPC ID (choose: {}): ".format(', '.join([v.id for v in vpc.get_all_vpcs()])))
config['vpc_id'] = vpc_id
dirty = True
subnet_id = config.get('subnet_id')
if not subnet_id:
def format_subnet(s):
return '{}({})'.format(s.id, s.availability_zone)
possible_subnets = vpc.get_all_subnets(filters=[('vpcId', vpc_id)])
subnet_id = raw_input("AWS VPC Subnet ID (choose: {}): ".format(', '.join(map(format_subnet, possible_subnets))))
config['subnet_id'] = subnet_id
dirty = True
subnet = vpc.get_all_subnets(subnet_ids=[subnet_id])[0]
if config['availability_zone'] != subnet.availability_zone:
config['availability_zone'] = subnet.availability_zone
dirty = True
system_name = config.get('system_name')
if not system_name:
config['system_name'] = raw_input("Name of your \"system\" (press return for a uuid): ") or uuid.uuid1().hex
dirty = True
if dirty:
config_filename = path.join(directory, 'config')
if not path.exists(directory):
os.makedirs(directory)
with open(config_filename, 'w') as config_file:
config_file.write(json.dumps(config, indent=2, separators=(',', ': ')))
print "-----> Riker configuration written to {}".format(config_filename)
else:
if show_output: print "-----> Riker configuration unchanged, see `{}`".format(config_filename)
def create_sgrs(memo, kvp):
name = kvp[0]
rules = kvp[1]
sgrs = [boto_helpers.SecurityGroupRule(*rule) for rule in rules]
memo[name] = sgrs
return memo
config['security_groups'] = reduce(create_sgrs, config['security_groups'].iteritems(), {})
return config
def test_get_vpc_id(self):
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
self.assertEqual(1, len(conn.get_all_vpcs()))
test_vpc = VPC('us-east-1', 'the_key', 'the_secret')
self.assertEqual(vpc.id, test_vpc.get_vpc_id("10.0.0.0/16"))
vpc.delete()
def test_route_tables_filters_standard():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc1 = conn.create_vpc("10.0.0.0/16")
route_table1 = conn.create_route_table(vpc1.id)
vpc2 = conn.create_vpc("10.0.0.0/16")
route_table2 = conn.create_route_table(vpc2.id)
all_route_tables = conn.get_all_route_tables()
all_route_tables.should.have.length_of(4)
# Filter by main route table
main_route_tables = conn.get_all_route_tables(filters={'association.main':'true'})
main_route_tables.should.have.length_of(2)
main_route_table_ids = [route_table.id for route_table in main_route_tables]
main_route_table_ids.should_not.contain(route_table1.id)
main_route_table_ids.should_not.contain(route_table2.id)
# Filter by VPC
vpc1_route_tables = conn.get_all_route_tables(filters={'vpc-id':vpc1.id})
vpc1_route_tables.should.have.length_of(2)
vpc1_route_table_ids = [route_table.id for route_table in vpc1_route_tables]
vpc1_route_table_ids.should.contain(route_table1.id)
vpc1_route_table_ids.should_not.contain(route_table2.id)
# Filter by VPC and main route table
vpc2_main_route_tables = conn.get_all_route_tables(filters={'association.main':'true', 'vpc-id':vpc2.id})
vpc2_main_route_tables.should.have.length_of(1)
vpc2_main_route_table_ids = [route_table.id for route_table in vpc2_main_route_tables]
vpc2_main_route_table_ids.should_not.contain(route_table1.id)
vpc2_main_route_table_ids.should_not.contain(route_table2.id)
# Unsupported filter
conn.get_all_route_tables.when.called_with(filters={'not-implemented-filter': 'foobar'}).should.throw(NotImplementedError)
def test_eip_reassociate_nic():
"""reassociate EIP"""
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
eni1 = conn.create_network_interface(subnet.id)
eni2 = conn.create_network_interface(subnet.id)
eip = conn.allocate_address()
conn.associate_address(network_interface_id=eni1.id,
public_ip=eip.public_ip)
# Same ID is idempotent
conn.associate_address(network_interface_id=eni1.id,
public_ip=eip.public_ip)
# Different ID detects resource association
with assert_raises(EC2ResponseError) as cm:
conn.associate_address(
network_interface_id=eni2.id, public_ip=eip.public_ip)
cm.exception.code.should.equal('Resource.AlreadyAssociated')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
conn.associate_address.when.called_with(
network_interface_id=eni2.id, public_ip=eip.public_ip, allow_reassociation=True).should_not.throw(EC2ResponseError)
eip.release()
eip = None
def test_vpc_state_available_filter():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
conn.create_vpc("10.1.0.0/16")
conn.get_all_vpcs(filters={'state': 'available'}).should.have.length_of(3)
vpc.delete()
conn.get_all_vpcs(filters={'state': 'available'}).should.have.length_of(2)
def test_get_instances_filtering_by_vpc_id():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc1 = conn.create_vpc("10.0.0.0/16")
subnet1 = conn.create_subnet(vpc1.id, "10.0.0.0/27")
reservation1 = conn.run_instances(
'ami-1234abcd', min_count=1, subnet_id=subnet1.id)
instance1 = reservation1.instances[0]
vpc2 = conn.create_vpc("10.1.0.0/16")
subnet2 = conn.create_subnet(vpc2.id, "10.1.0.0/27")
reservation2 = conn.run_instances(
'ami-1234abcd', min_count=1, subnet_id=subnet2.id)
instance2 = reservation2.instances[0]
reservations1 = conn.get_all_instances(filters={'vpc-id': vpc1.id})
reservations1.should.have.length_of(1)
reservations1[0].instances.should.have.length_of(1)
reservations1[0].instances[0].id.should.equal(instance1.id)
reservations1[0].instances[0].vpc_id.should.equal(vpc1.id)
reservations1[0].instances[0].subnet_id.should.equal(subnet1.id)
reservations2 = conn.get_all_instances(filters={'vpc-id': vpc2.id})
reservations2.should.have.length_of(1)
reservations2[0].instances.should.have.length_of(1)
reservations2[0].instances[0].id.should.equal(instance2.id)
reservations2[0].instances[0].vpc_id.should.equal(vpc2.id)
reservations2[0].instances[0].subnet_id.should.equal(subnet2.id)
def test_routes_additional():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
main_route_table = conn.get_all_route_tables()[0]
local_route = main_route_table.routes[0]
igw = conn.create_internet_gateway()
ROUTE_CIDR = "10.0.0.4/24"
conn.create_route(main_route_table.id, ROUTE_CIDR, gateway_id=igw.id)
main_route_table = conn.get_all_route_tables()[0] # Refresh route table
main_route_table.routes.should.have.length_of(2)
new_routes = [route for route in main_route_table.routes if route.destination_cidr_block != vpc.cidr_block]
new_routes.should.have.length_of(1)
new_route = new_routes[0]
new_route.gateway_id.should.equal(igw.id)
new_route.instance_id.should.be.none
new_route.state.should.equal('active')
new_route.destination_cidr_block.should.equal(ROUTE_CIDR)
conn.delete_route(main_route_table.id, ROUTE_CIDR)
main_route_table = conn.get_all_route_tables()[0] # Refresh route table
main_route_table.routes.should.have.length_of(1)
new_routes = [route for route in main_route_table.routes if route.destination_cidr_block != vpc.cidr_block]
new_routes.should.have.length_of(0)
with assert_raises(EC2ResponseError) as cm:
conn.delete_route(main_route_table.id, ROUTE_CIDR)
cm.exception.code.should.equal('InvalidRoute.NotFound')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
def create_network():
vpc_connection = boto.connect_vpc()
vpc = vpc_connection.create_vpc("10.0.0.0/24")
subnet = vpc_connection.create_subnet(vpc.id, "10.0.0.0/25")
gateway = vpc_connection.create_internet_gateway()
vpc_connection.attach_internet_gateway(gateway.id, vpc.id)
return subnet.id
def get_vpcs():
vpcs_data = {}
for region in AWS_REGIONS:
region_key = region.replace('-', '_')
aws_key = getattr(settings.app, region_key + '_access_key')
aws_secret = getattr(settings.app, region_key + '_secret_key')
vpc_data = []
vpcs_data[region] = vpc_data
if not aws_key or not aws_secret:
continue
vpc_conn = boto.connect_vpc(
aws_access_key_id=aws_key,
aws_secret_access_key=aws_secret,
region=boto.ec2.get_region(region),
)
vpcs = vpc_conn.get_all_vpcs()
for vpc in vpcs:
vpc_data.append({
'id': vpc.id,
'network': vpc.cidr_block,
})
return vpcs_data
def test_elastic_network_interfaces():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
with assert_raises(JSONResponseError) as ex:
eni = conn.create_network_interface(subnet.id, dry_run=True)
ex.exception.reason.should.equal('DryRunOperation')
ex.exception.status.should.equal(400)
ex.exception.message.should.equal('An error occurred (DryRunOperation) when calling the CreateNetworkInterface operation: Request would have succeeded, but DryRun flag is set')
eni = conn.create_network_interface(subnet.id)
all_enis = conn.get_all_network_interfaces()
all_enis.should.have.length_of(1)
eni = all_enis[0]
eni.groups.should.have.length_of(0)
eni.private_ip_addresses.should.have.length_of(0)
with assert_raises(JSONResponseError) as ex:
conn.delete_network_interface(eni.id, dry_run=True)
ex.exception.reason.should.equal('DryRunOperation')
ex.exception.status.should.equal(400)
ex.exception.message.should.equal('An error occurred (DryRunOperation) when calling the DeleteNetworkInterface operation: Request would have succeeded, but DryRun flag is set')
conn.delete_network_interface(eni.id)
all_enis = conn.get_all_network_interfaces()
all_enis.should.have.length_of(0)
with assert_raises(EC2ResponseError) as cm:
conn.delete_network_interface(eni.id)
cm.exception.code.should.equal('InvalidNetworkInterfaceID.NotFound')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
def test_run_instance_with_nic_autocreated():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
security_group1 = conn.create_security_group('test security group #1', 'this is a test security group')
security_group2 = conn.create_security_group('test security group #2', 'this is a test security group')
private_ip = "54.0.0.1"
reservation = conn.run_instances('ami-1234abcd', subnet_id=subnet.id,
security_groups=[security_group1.name],
security_group_ids=[security_group2.id],
private_ip_address=private_ip)
instance = reservation.instances[0]
all_enis = conn.get_all_network_interfaces()
all_enis.should.have.length_of(1)
eni = all_enis[0]
instance.interfaces.should.have.length_of(1)
instance.interfaces[0].id.should.equal(eni.id)
instance.subnet_id.should.equal(subnet.id)
instance.groups.should.have.length_of(2)
set([group.id for group in instance.groups]).should.equal(set([security_group1.id,security_group2.id]))
eni.subnet_id.should.equal(subnet.id)
eni.groups.should.have.length_of(2)
set([group.id for group in eni.groups]).should.equal(set([security_group1.id,security_group2.id]))
eni.private_ip_addresses.should.have.length_of(1)
eni.private_ip_addresses[0].private_ip_address.should.equal(private_ip)
def test_eip_associate_network_interface():
"""Associate/Disassociate EIP to NIC"""
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
eni = conn.create_network_interface(subnet.id)
eip = conn.allocate_address(domain='vpc')
eip.network_interface_id.should.be.none
with assert_raises(EC2ResponseError) as cm:
conn.associate_address(network_interface_id=eni.id)
cm.exception.code.should.equal('MissingParameter')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
conn.associate_address(network_interface_id=eni.id,
allocation_id=eip.allocation_id)
# no .update() on address ):
eip = conn.get_all_addresses(addresses=[eip.public_ip])[0]
eip.network_interface_id.should.be.equal(eni.id)
conn.disassociate_address(association_id=eip.association_id)
# no .update() on address ):
eip = conn.get_all_addresses(addresses=[eip.public_ip])[0]
eip.network_interface_id.should.be.equal(u'')
eip.association_id.should.be.none
eip.release()
eip = None
def test_delete_cluster_subnet_group():
vpc_conn = boto.connect_vpc()
vpc = vpc_conn.create_vpc("10.0.0.0/16")
subnet = vpc_conn.create_subnet(vpc.id, "10.0.0.0/24")
redshift_conn = boto.connect_redshift()
redshift_conn.create_cluster_subnet_group(
"my_subnet",
"This is my subnet group",
subnet_ids=[subnet.id],
)
subnets_response = redshift_conn.describe_cluster_subnet_groups()
subnets = subnets_response['DescribeClusterSubnetGroupsResponse'][
'DescribeClusterSubnetGroupsResult']['ClusterSubnetGroups']
subnets.should.have.length_of(1)
redshift_conn.delete_cluster_subnet_group("my_subnet")
subnets_response = redshift_conn.describe_cluster_subnet_groups()
subnets = subnets_response['DescribeClusterSubnetGroupsResponse'][
'DescribeClusterSubnetGroupsResult']['ClusterSubnetGroups']
subnets.should.have.length_of(0)
# Delete invalid id
redshift_conn.delete_cluster_subnet_group.when.called_with(
"not-a-subnet-group").should.throw(ClusterSubnetGroupNotFound)
def test_routes_vpc_peering_connection():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
main_route_table = conn.get_all_route_tables(
filters={'association.main': 'true', 'vpc-id': vpc.id})[0]
local_route = main_route_table.routes[0]
ROUTE_CIDR = "10.0.0.4/24"
peer_vpc = conn.create_vpc("11.0.0.0/16")
vpc_pcx = conn.create_vpc_peering_connection(vpc.id, peer_vpc.id)
conn.create_route(main_route_table.id, ROUTE_CIDR,
vpc_peering_connection_id=vpc_pcx.id)
# Refresh route table
main_route_table = conn.get_all_route_tables(main_route_table.id)[0]
new_routes = [
route for route in main_route_table.routes if route.destination_cidr_block != vpc.cidr_block]
new_routes.should.have.length_of(1)
new_route = new_routes[0]
new_route.gateway_id.should.be.none
new_route.instance_id.should.be.none
new_route.vpc_peering_connection_id.should.equal(vpc_pcx.id)
new_route.state.should.equal('blackhole')
new_route.destination_cidr_block.should.equal(ROUTE_CIDR)
def test_elastic_network_interfaces_filtering():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
security_group1 = conn.create_security_group('test security group #1', 'this is a test security group')
security_group2 = conn.create_security_group('test security group #2', 'this is a test security group')
eni1 = conn.create_network_interface(subnet.id, groups=[security_group1.id,security_group2.id])
eni2 = conn.create_network_interface(subnet.id, groups=[security_group1.id])
eni3 = conn.create_network_interface(subnet.id)
all_enis = conn.get_all_network_interfaces()
all_enis.should.have.length_of(3)
# Filter by ENI ID
enis_by_id = conn.get_all_network_interfaces(filters={'network-interface-id':eni1.id})
enis_by_id.should.have.length_of(1)
set([eni.id for eni in enis_by_id]).should.equal(set([eni1.id]))
# Filter by Security Group
enis_by_group = conn.get_all_network_interfaces(filters={'group-id':security_group1.id})
enis_by_group.should.have.length_of(2)
set([eni.id for eni in enis_by_group]).should.equal(set([eni1.id,eni2.id]))
# Filter by ENI ID and Security Group
enis_by_group = conn.get_all_network_interfaces(filters={'network-interface-id':eni1.id, 'group-id':security_group1.id})
enis_by_group.should.have.length_of(1)
set([eni.id for eni in enis_by_group]).should.equal(set([eni1.id]))
# Unsupported filter
conn.get_all_network_interfaces.when.called_with(filters={'not-implemented-filter': 'foobar'}).should.throw(NotImplementedError)
def test_elastic_network_interfaces_modify_attribute():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
security_group1 = conn.create_security_group(
'test security group #1', 'this is a test security group')
security_group2 = conn.create_security_group(
'test security group #2', 'this is a test security group')
conn.create_network_interface(subnet.id, groups=[security_group1.id])
all_enis = conn.get_all_network_interfaces()
all_enis.should.have.length_of(1)
eni = all_enis[0]
eni.groups.should.have.length_of(1)
eni.groups[0].id.should.equal(security_group1.id)
with assert_raises(EC2ResponseError) as ex:
conn.modify_network_interface_attribute(
eni.id, 'groupset', [security_group2.id], dry_run=True)
ex.exception.error_code.should.equal('DryRunOperation')
ex.exception.status.should.equal(400)
ex.exception.message.should.equal(
'An error occurred (DryRunOperation) when calling the ModifyNetworkInterface operation: Request would have succeeded, but DryRun flag is set')
conn.modify_network_interface_attribute(
eni.id, 'groupset', [security_group2.id])
all_enis = conn.get_all_network_interfaces()
all_enis.should.have.length_of(1)
eni = all_enis[0]
eni.groups.should.have.length_of(1)
eni.groups[0].id.should.equal(security_group2.id)
def test_create_cluster_with_vpc_security_groups():
vpc_conn = boto.connect_vpc()
ec2_conn = boto.connect_ec2()
redshift_conn = boto.connect_redshift()
vpc = vpc_conn.create_vpc("10.0.0.0/16")
security_group = ec2_conn.create_security_group("vpc_security_group",
"a group",
vpc_id=vpc.id)
redshift_conn.create_cluster(
"my_cluster",
node_type="dw.hs1.xlarge",
master_username="******",
master_user_password="******",
vpc_security_group_ids=[security_group.id],
)
cluster_response = redshift_conn.describe_clusters("my_cluster")
cluster = cluster_response['DescribeClustersResponse'][
'DescribeClustersResult']['Clusters'][0]
group_ids = [
group['VpcSecurityGroupId'] for group in cluster['VpcSecurityGroups']
]
list(group_ids).should.equal([security_group.id])
def test_delete_network_acl_entry():
conn = boto.connect_vpc("the_key", "the secret")
vpc = conn.create_vpc("10.0.0.0/16")
network_acl = conn.create_network_acl(vpc.id)
conn.create_network_acl_entry(
network_acl.id,
110,
6,
"ALLOW",
"0.0.0.0/0",
False,
port_range_from="443",
port_range_to="443",
)
conn.delete_network_acl_entry(network_acl.id, 110, False)
all_network_acls = conn.get_all_network_acls()
test_network_acl = next(na for na in all_network_acls
if na.id == network_acl.id)
entries = test_network_acl.network_acl_entries
entries.should.have.length_of(0)
def test_dhcp_options_delete_with_vpc():
"""Test deletion of dhcp options with vpc"""
conn = boto.connect_vpc("the_key", "the_secret")
dhcp_options = conn.create_dhcp_options(SAMPLE_DOMAIN_NAME,
SAMPLE_NAME_SERVERS)
dhcp_options_id = dhcp_options.id
vpc = conn.create_vpc("10.0.0.0/16")
rval = conn.associate_dhcp_options(dhcp_options_id, vpc.id)
rval.should.be.equal(True)
with assert_raises(EC2ResponseError) as cm:
conn.delete_dhcp_options(dhcp_options_id)
cm.exception.code.should.equal("DependencyViolation")
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
vpc.delete()
with assert_raises(EC2ResponseError) as cm:
conn.get_all_dhcp_options([dhcp_options_id])
cm.exception.code.should.equal("InvalidDhcpOptionID.NotFound")
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
def test_replace_network_acl_entry():
conn = boto.connect_vpc("the_key", "the secret")
vpc = conn.create_vpc("10.0.0.0/16")
network_acl = conn.create_network_acl(vpc.id)
conn.create_network_acl_entry(
network_acl.id,
110,
6,
"ALLOW",
"0.0.0.0/0",
False,
port_range_from="443",
port_range_to="443",
)
conn.replace_network_acl_entry(
network_acl.id,
110,
-1,
"DENY",
"0.0.0.0/0",
False,
port_range_from="22",
port_range_to="22",
)
all_network_acls = conn.get_all_network_acls()
test_network_acl = next(na for na in all_network_acls
if na.id == network_acl.id)
entries = test_network_acl.network_acl_entries
entries.should.have.length_of(1)
entries[0].rule_number.should.equal("110")
entries[0].protocol.should.equal("-1")
entries[0].rule_action.should.equal("DENY")
for resource in self.nodes.keys():
for port in self.nodes[resource].keys():
for source in self.nodes[resource][port]:
print "%s,%s,%s " % (resource, port, source)
def to_json(self, fname="Foo"):
jdump = {}
jdump['timestamp'] = time.time()
jdump['sources'] = self.get_sources()
jdump['protocols'] = self.get_protocols()
jdump['dests'] = self.get_dests()
print json.dumps(jdump)
if __name__ == "__main__":
sg_dict = {}
if "AWS_DEFAULT_REGION" in os.environ:
conn = boto.vpc.connect_to_region(os.environ['AWS_DEFAULT_REGION'])
else:
conn = boto.connect_vpc()
for sg in conn.get_all_security_groups():
asg = AuditGroup(sg)
sg_dict[asg.sg.id] = asg
d = NetDecorator(conn, False)
fg = FlowGraph(sg_dict, d, False)
fg.to_grep()
def test_authorize_ip_range_and_revoke():
conn = boto.connect_ec2("the_key", "the_secret")
security_group = conn.create_security_group("test", "test")
with pytest.raises(EC2ResponseError) as ex:
success = security_group.authorize(
ip_protocol="tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.123/32",
dry_run=True,
)
ex.value.error_code.should.equal("DryRunOperation")
ex.value.status.should.equal(412)
ex.value.message.should.equal(
"An error occurred (DryRunOperation) when calling the GrantSecurityGroupIngress operation: Request would have succeeded, but DryRun flag is set"
)
success = security_group.authorize(ip_protocol="tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.123/32")
assert success.should.be.true
security_group = conn.get_all_security_groups(groupnames=["test"])[0]
int(security_group.rules[0].to_port).should.equal(2222)
security_group.rules[0].grants[0].cidr_ip.should.equal(
"123.123.123.123/32")
# Wrong Cidr should throw error
with pytest.raises(EC2ResponseError) as cm:
security_group.revoke(
ip_protocol="tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.122/32",
)
cm.value.code.should.equal("InvalidPermission.NotFound")
cm.value.status.should.equal(400)
cm.value.request_id.should_not.be.none
# Actually revoke
with pytest.raises(EC2ResponseError) as ex:
security_group.revoke(
ip_protocol="tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.123/32",
dry_run=True,
)
ex.value.error_code.should.equal("DryRunOperation")
ex.value.status.should.equal(412)
ex.value.message.should.equal(
"An error occurred (DryRunOperation) when calling the RevokeSecurityGroupIngress operation: Request would have succeeded, but DryRun flag is set"
)
security_group.revoke(ip_protocol="tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.123/32")
security_group = conn.get_all_security_groups()[0]
security_group.rules.should.have.length_of(0)
# Test for egress as well
vpc_conn = boto.connect_vpc()
vpc = vpc_conn.create_vpc("10.0.0.0/16")
egress_security_group = conn.create_security_group("testegress",
"testegress",
vpc_id=vpc.id)
with pytest.raises(EC2ResponseError) as ex:
success = conn.authorize_security_group_egress(
egress_security_group.id,
"tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.123/32",
dry_run=True,
)
ex.value.error_code.should.equal("DryRunOperation")
ex.value.status.should.equal(412)
ex.value.message.should.equal(
"An error occurred (DryRunOperation) when calling the GrantSecurityGroupEgress operation: Request would have succeeded, but DryRun flag is set"
)
success = conn.authorize_security_group_egress(
egress_security_group.id,
"tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.123/32",
)
assert success.should.be.true
egress_security_group = conn.get_all_security_groups(
groupnames="testegress")[0]
# There are two egress rules associated with the security group:
# the default outbound rule and the new one
int(egress_security_group.rules_egress[1].to_port).should.equal(2222)
actual_cidr = egress_security_group.rules_egress[1].grants[0].cidr_ip
actual_cidr.should.equal("123.123.123.123/32")
# Wrong Cidr should throw error
egress_security_group.revoke.when.called_with(
ip_protocol="tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.122/32").should.throw(EC2ResponseError)
# Actually revoke
with pytest.raises(EC2ResponseError) as ex:
conn.revoke_security_group_egress(
egress_security_group.id,
"tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.123/32",
dry_run=True,
)
ex.value.error_code.should.equal("DryRunOperation")
ex.value.status.should.equal(412)
ex.value.message.should.equal(
"An error occurred (DryRunOperation) when calling the RevokeSecurityGroupEgress operation: Request would have succeeded, but DryRun flag is set"
)
conn.revoke_security_group_egress(
egress_security_group.id,
"tcp",
from_port="22",
to_port="2222",
cidr_ip="123.123.123.123/32",
)
egress_security_group = [
group for group in conn.get_all_security_groups()
if group.id == egress_security_group.id
][0]
# There is still the default outbound rule
egress_security_group.rules_egress.should.have.length_of(1)
def _ssh_config(args):
if args.get("vpc"):
vpc_id = args.get("<vpc_id>")
stack_name = stack_name_for_vpc(vpc_id)
elif args.get("stack-name"):
stack_name = args.get("<stack_name>")
vpc_id = vpc_for_stack_name(stack_name)
else:
raise Exception("No vpc_id or stack_name provided.")
vpc = boto.connect_vpc()
identity_file = args.get("<identity_file>")
user = args.get("<user>")
config_file = args.get("<config_file>")
strict_host_check = args.get("<strict_host_check>")
if not user:
user = DEFAULT_USER
if not strict_host_check:
strict_host_check = DEFAULT_HOST_CHECK
if config_file:
config_file = "-F {}".format(config_file)
else:
config_file = ""
jump_box = "{stack_name}-jumpbox".format(stack_name=stack_name)
friendly = "{stack_name}-{logical_id}-{instance_number}"
id_type_counter = defaultdict(int)
reservations = vpc.get_all_instances(filters={'vpc-id': vpc_id})
for reservation in reservations:
for instance in reservation.instances:
if 'group' in instance.tags:
logical_id = instance.tags['group']
else:
logical_id = instance.tags['aws:cloudformation:logical-id']
instance_number = id_type_counter[logical_id]
id_type_counter[logical_id] += 1
if logical_id == "BastionHost" or logical_id == 'bastion':
print JUMPBOX_CONFIG.format(
jump_box=jump_box,
ip=instance.ip_address,
user=user,
identity_file=identity_file,
strict_host_check=strict_host_check)
# Print host config even for the bastion box because that is how
# ansible accesses it.
print HOST_CONFIG.format(name=instance.private_ip_address,
jump_box=jump_box,
ip=instance.private_ip_address,
user=user,
identity_file=identity_file,
config_file=config_file,
strict_host_check=strict_host_check,
instance_id=instance.id)
#duplicating for convenience with ansible
name = friendly.format(stack_name=stack_name,
logical_id=logical_id,
instance_number=instance_number)
print HOST_CONFIG.format(name=name,
jump_box=jump_box,
ip=instance.private_ip_address,
user=user,
identity_file=identity_file,
config_file=config_file,
strict_host_check=strict_host_check,
instance_id=instance.id)
def test_describe_customer_gateways():
conn = boto.connect_vpc("the_key", "the_secret")
customer_gateway = conn.create_customer_gateway("ipsec.1", "205.251.242.54", 65534)
cgws = conn.get_all_customer_gateways()
cgws.should.have.length_of(1)
cgws[0].id.should.match(customer_gateway.id)
def connect(account_name, connection_type, **args):
"""
Examples of use:
ec2 = sts_connect.connect(environment, 'ec2', region=region, validate_certs=False)
ec2 = sts_connect.connect(environment, 'ec2', validate_certs=False, debug=1000)
ec2 = sts_connect.connect(environment, 'ec2')
where environment is ( test, prod, dev )
s3 = sts_connect.connect(environment, 's3')
ses = sts_connect.connect(environment, 'ses')
:param account: Account to connect with (i.e. test, prod, dev)
:raises Exception: RDS Region not valid
AWS Tech not supported.
:returns: STS Connection Object for given tech
:note: To use this method a SecurityMonkey role must be created
in the target account with full read only privledges.
"""
account = Account.query.filter(Account.name == account_name).first()
sts = boto.connect_sts()
role = sts.assume_role(
'arn:aws:iam::' + account.number + ':role/SecurityMonkey', 'secmonkey')
if connection_type == 'ec2':
return boto.connect_ec2(role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 'elb':
if 'region' in args:
region = args['region']
del args['region']
else:
region = 'us-east-1'
return boto.ec2.elb.connect_to_region(
region,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 's3':
if 'region' in args:
region = args['region']
# drop region key-val pair from args or you'll get an exception
del args['region']
return boto.s3.connect_to_region(
region,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
return boto.connect_s3(role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 'ses':
return boto.connect_ses(role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 'iam':
if 'region' in args:
region = args['region']
# drop region key-val pair from args or you'll get an exception
del args['region']
return boto.iam.connect_to_region(
region,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
return boto.connect_iam(role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 'route53':
return boto.connect_route53(
role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 'sns':
if 'region' in args:
region = args['region']
del args['region']
return boto.sns.connect_to_region(
region.name,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
return boto.connect_sns(role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 'sqs':
if 'region' in args:
region = args['region']
del args['region']
return boto.sqs.connect_to_region(
region.name,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
return boto.connect_sqs(role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 'vpc':
return boto.connect_vpc(role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
if connection_type == 'rds':
if 'region' in args:
reg = args['region']
rds_region = None
for boto_region in boto.rds.regions():
if reg.name == boto_region.name:
rds_region = boto_region
if rds_region is None:
raise Exception(
'The supplied region {0} is not in boto.rds.regions. {1}'.
format(reg, boto.rds.regions()))
return boto.connect_rds(role.credentials.access_key,
role.credentials.secret_key,
security_token=role.credentials.session_token,
**args)
err_msg = 'The connection_type supplied (%s) is not implemented.' % connection_type
raise Exception(err_msg)
def test_igw_desribe():
""" internet gateway fetch by id """
conn = boto.connect_vpc("the_key", "the_secret")
igw = conn.create_internet_gateway()
igw_by_search = conn.get_all_internet_gateways([igw.id])[0]
igw.id.should.equal(igw_by_search.id)
def all_stack_names(region='us-east-1', aws_id=None, aws_secret=None):
vpc_conn = boto.connect_vpc(aws_id, aws_secret)
return [
vpc.tags[CFN_TAG_KEY] for vpc in vpc_conn.get_all_vpcs()
if CFN_TAG_KEY in vpc.tags.keys()
]
def test_network_acls():
conn = boto.connect_vpc("the_key", "the secret")
vpc = conn.create_vpc("10.0.0.0/16")
network_acl = conn.create_network_acl(vpc.id)
all_network_acls = conn.get_all_network_acls()
all_network_acls.should.have.length_of(3)
def test_create_vpn_connections():
conn = boto.connect_vpc('the_key', 'the_secret')
vpn_connection = conn.create_vpn_connection('ipsec.1', 'vgw-0123abcd', 'cgw-0123abcd')
vpn_connection.should_not.be.none
vpn_connection.id.should.match(r'vpn-\w+')
vpn_connection.type.should.equal('ipsec.1')
def test_delete_vpn_connections_bad_id():
conn = boto.connect_vpc('the_key', 'the_secret')
with assert_raises(EC2ResponseError):
conn.delete_vpn_connection('vpn-0123abcd')
def connect_vpc(aws_key, aws_secret, region):
return boto.connect_vpc(
aws_access_key_id=aws_key,
aws_secret_access_key=aws_secret,
region=boto.ec2.get_region(region),
)
def test_delete_customer_gateways_bad_id():
conn = boto.connect_vpc("the_key", "the_secret")
with pytest.raises(EC2ResponseError) as cm:
conn.delete_customer_gateway("cgw-0123abcd")
def test_route_table_associations():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
route_table = conn.create_route_table(vpc.id)
all_route_tables = conn.get_all_route_tables()
all_route_tables.should.have.length_of(3)
# Refresh
route_table = conn.get_all_route_tables(route_table.id)[0]
route_table.associations.should.have.length_of(0)
# Associate
association_id = conn.associate_route_table(route_table.id, subnet.id)
# Refresh
route_table = conn.get_all_route_tables(route_table.id)[0]
route_table.associations.should.have.length_of(1)
route_table.associations[0].id.should.equal(association_id)
route_table.associations[0].main.should.equal(False)
route_table.associations[0].route_table_id.should.equal(route_table.id)
route_table.associations[0].subnet_id.should.equal(subnet.id)
# Associate is idempotent
association_id_idempotent = conn.associate_route_table(
route_table.id, subnet.id)
association_id_idempotent.should.equal(association_id)
# Error: Attempt delete associated route table.
with assert_raises(EC2ResponseError) as cm:
conn.delete_route_table(route_table.id)
cm.exception.code.should.equal('DependencyViolation')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
# Disassociate
conn.disassociate_route_table(association_id)
# Refresh
route_table = conn.get_all_route_tables(route_table.id)[0]
route_table.associations.should.have.length_of(0)
# Error: Disassociate with invalid association ID
with assert_raises(EC2ResponseError) as cm:
conn.disassociate_route_table(association_id)
cm.exception.code.should.equal('InvalidAssociationID.NotFound')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
# Error: Associate with invalid subnet ID
with assert_raises(EC2ResponseError) as cm:
conn.associate_route_table(route_table.id, "subnet-1234abcd")
cm.exception.code.should.equal('InvalidSubnetID.NotFound')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
# Error: Associate with invalid route table ID
with assert_raises(EC2ResponseError) as cm:
conn.associate_route_table("rtb-1234abcd", subnet.id)
cm.exception.code.should.equal('InvalidRouteTableID.NotFound')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
DEFAULT_ROUTE = '0.0.0.0/0'
try:
cfn_routetable = os.environ['CFN_ROUTETABLE']
except:
print("CFN_ROUTETABLE environment variable is not set!")
sys.exit(1)
try:
instance_id = boto.utils.get_instance_metadata()['instance-id']
except:
print("Could not get EC2 instance ID!")
sys.exit(1)
vpc_conn = boto.connect_vpc(aws_access_key_id=aws_access,
aws_secret_access_key=aws_secret)
ec2_conn = boto.connect_ec2(aws_access_key_id=aws_access,
aws_secret_access_key=aws_secret)
try:
rt = vpc_conn.get_all_route_tables(
route_table_ids=os.environ['CFN_ROUTETABLE'])[0]
except Exception, e:
print("Could not find route table [%s]: %s" %
(os.environ['CFN_ROUTETABLE'], e))
sys.exit(1)
print("Found the route table: %s" % (rt.id, ))
source_dest_check = ec2_conn.get_instance_attribute(
instance_id, 'sourceDestCheck')['sourceDestCheck']
def test_delete_vpn_connections_bad_id():
conn = boto.connect_vpc("the_key", "the_secret")
with pytest.raises(EC2ResponseError):
conn.delete_vpn_connection("vpn-0123abcd")
def test_default_network_acl_created_with_vpc():
conn = boto.connect_vpc("the_key", "the secret")
vpc = conn.create_vpc("10.0.0.0/16")
all_network_acls = conn.get_all_network_acls()
all_network_acls.should.have.length_of(2)
def setup_networking_deprecated():
conn = boto.connect_vpc()
vpc = conn.create_vpc("10.11.0.0/16")
subnet1 = conn.create_subnet(vpc.id, "10.11.1.0/24")
subnet2 = conn.create_subnet(vpc.id, "10.11.2.0/24")
return {'vpc': vpc.id, 'subnet1': subnet1.id, 'subnet2': subnet2.id}
def test_sec_group_rule_limit_vpc():
ec2_conn = boto.connect_ec2()
vpc_conn = boto.connect_vpc()
vpc = vpc_conn.create_vpc("10.0.0.0/16")
sg = ec2_conn.create_security_group("test", "test", vpc_id=vpc.id)
other_sg = ec2_conn.create_security_group("test_2", "test", vpc_id=vpc.id)
# INGRESS
with pytest.raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group(
group_id=sg.id,
ip_protocol="-1",
cidr_ip=["{0}.0.0.0/0".format(i) for i in range(110)],
)
cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded")
sg.rules.should.be.empty
# authorize a rule targeting a different sec group (because this count too)
success = ec2_conn.authorize_security_group(
group_id=sg.id, ip_protocol="-1", src_security_group_group_id=other_sg.id
)
success.should.be.true
# fill the rules up the limit
success = ec2_conn.authorize_security_group(
group_id=sg.id,
ip_protocol="-1",
cidr_ip=["{0}.0.0.0/0".format(i) for i in range(49)],
)
# verify that we cannot authorize past the limit for a CIDR IP
success.should.be.true
with pytest.raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group(
group_id=sg.id, ip_protocol="-1", cidr_ip=["100.0.0.0/0"]
)
cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded")
# verify that we cannot authorize past the limit for a different sec group
with pytest.raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group(
group_id=sg.id, ip_protocol="-1", src_security_group_group_id=other_sg.id
)
cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded")
# EGRESS
# authorize a rule targeting a different sec group (because this count too)
ec2_conn.authorize_security_group_egress(
group_id=sg.id, ip_protocol="-1", src_group_id=other_sg.id
)
# fill the rules up the limit
# remember that by default, when created a sec group contains 1 egress rule
# so our other_sg rule + 48 CIDR IP rules + 1 by default == 50 the limit
for i in range(48):
ec2_conn.authorize_security_group_egress(
group_id=sg.id, ip_protocol="-1", cidr_ip="{0}.0.0.0/0".format(i)
)
# verify that we cannot authorize past the limit for a CIDR IP
with pytest.raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group_egress(
group_id=sg.id, ip_protocol="-1", cidr_ip="50.0.0.0/0"
)
cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded")
# verify that we cannot authorize past the limit for a different sec group
with pytest.raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group_egress(
group_id=sg.id, ip_protocol="-1", src_group_id=other_sg.id
)
cm.value.error_code.should.equal("RulesPerSecurityGroupLimitExceeded")
def test_route_table_replace_route_table_association():
"""
Note: Boto has deprecated replace_route_table_assocation (which returns status)
and now uses replace_route_table_assocation_with_assoc (which returns association ID).
"""
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
route_table1 = conn.create_route_table(vpc.id)
route_table2 = conn.create_route_table(vpc.id)
all_route_tables = conn.get_all_route_tables()
all_route_tables.should.have.length_of(4)
# Refresh
route_table1 = conn.get_all_route_tables(route_table1.id)[0]
route_table1.associations.should.have.length_of(0)
# Associate
association_id1 = conn.associate_route_table(route_table1.id, subnet.id)
# Refresh
route_table1 = conn.get_all_route_tables(route_table1.id)[0]
route_table2 = conn.get_all_route_tables(route_table2.id)[0]
# Validate
route_table1.associations.should.have.length_of(1)
route_table2.associations.should.have.length_of(0)
route_table1.associations[0].id.should.equal(association_id1)
route_table1.associations[0].main.should.equal(False)
route_table1.associations[0].route_table_id.should.equal(route_table1.id)
route_table1.associations[0].subnet_id.should.equal(subnet.id)
# Replace Association
association_id2 = conn.replace_route_table_association_with_assoc(
association_id1, route_table2.id)
# Refresh
route_table1 = conn.get_all_route_tables(route_table1.id)[0]
route_table2 = conn.get_all_route_tables(route_table2.id)[0]
# Validate
route_table1.associations.should.have.length_of(0)
route_table2.associations.should.have.length_of(1)
route_table2.associations[0].id.should.equal(association_id2)
route_table2.associations[0].main.should.equal(False)
route_table2.associations[0].route_table_id.should.equal(route_table2.id)
route_table2.associations[0].subnet_id.should.equal(subnet.id)
# Replace Association is idempotent
association_id_idempotent = conn.replace_route_table_association_with_assoc(
association_id2, route_table2.id)
association_id_idempotent.should.equal(association_id2)
# Error: Replace association with invalid association ID
with assert_raises(EC2ResponseError) as cm:
conn.replace_route_table_association_with_assoc(
"rtbassoc-1234abcd", route_table1.id)
cm.exception.code.should.equal('InvalidAssociationID.NotFound')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
# Error: Replace association with invalid route table ID
with assert_raises(EC2ResponseError) as cm:
conn.replace_route_table_association_with_assoc(
association_id2, "rtb-1234abcd")
cm.exception.code.should.equal('InvalidRouteTableID.NotFound')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
def test_describe_dhcp_options_invalid_id():
"""get error on invalid dhcp_option_id lookup"""
conn = boto.connect_vpc('the_key', 'the_secret')
conn.get_all_dhcp_options.when.called_with(
["1"]).should.throw(EC2ResponseError)
def test_sec_group_rule_limit_vpc():
ec2_conn = boto.connect_ec2()
vpc_conn = boto.connect_vpc()
vpc = vpc_conn.create_vpc('10.0.0.0/8')
sg = ec2_conn.create_security_group('test', 'test', vpc_id=vpc.id)
other_sg = ec2_conn.create_security_group('test_2', 'test', vpc_id=vpc.id)
# INGRESS
with assert_raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group(
group_id=sg.id,
ip_protocol='-1',
cidr_ip=['{0}.0.0.0/0'.format(i) for i in range(110)])
cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded')
sg.rules.should.be.empty
# authorize a rule targeting a different sec group (because this count too)
success = ec2_conn.authorize_security_group(
group_id=sg.id,
ip_protocol='-1',
src_security_group_group_id=other_sg.id)
success.should.be.true
# fill the rules up the limit
success = ec2_conn.authorize_security_group(
group_id=sg.id,
ip_protocol='-1',
cidr_ip=['{0}.0.0.0/0'.format(i) for i in range(49)])
# verify that we cannot authorize past the limit for a CIDR IP
success.should.be.true
with assert_raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group(group_id=sg.id,
ip_protocol='-1',
cidr_ip=['100.0.0.0/0'])
cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded')
# verify that we cannot authorize past the limit for a different sec group
with assert_raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group(
group_id=sg.id,
ip_protocol='-1',
src_security_group_group_id=other_sg.id)
cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded')
# EGRESS
# authorize a rule targeting a different sec group (because this count too)
ec2_conn.authorize_security_group_egress(group_id=sg.id,
ip_protocol='-1',
src_group_id=other_sg.id)
# fill the rules up the limit
# remember that by default, when created a sec group contains 1 egress rule
# so our other_sg rule + 48 CIDR IP rules + 1 by default == 50 the limit
for i in range(48):
ec2_conn.authorize_security_group_egress(
group_id=sg.id, ip_protocol='-1', cidr_ip='{0}.0.0.0/0'.format(i))
# verify that we cannot authorize past the limit for a CIDR IP
with assert_raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group_egress(group_id=sg.id,
ip_protocol='-1',
cidr_ip='50.0.0.0/0')
cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded')
# verify that we cannot authorize past the limit for a different sec group
with assert_raises(EC2ResponseError) as cm:
ec2_conn.authorize_security_group_egress(group_id=sg.id,
ip_protocol='-1',
src_group_id=other_sg.id)
cm.exception.error_code.should.equal('RulesPerSecurityGroupLimitExceeded')
def test_delete_dhcp_options_invalid_id():
conn = boto.connect_vpc('the_key', 'the_secret')
dhcp_option = conn.create_dhcp_options()
conn.delete_dhcp_options.when.called_with("1").should.throw(
EC2ResponseError)
def test_vpc_isdefault_filter():
conn = boto.connect_vpc("the_key", "the_secret")
vpc = conn.create_vpc("10.0.0.0/16")
conn.get_all_vpcs(filters={"isDefault": "true"}).should.have.length_of(1)
vpc.delete()
conn.get_all_vpcs(filters={"isDefault": "true"}).should.have.length_of(1)
def _connect(self):
"""Connects to the ec2 cloud provider
:return: :py:class:`boto.ec2.connection.EC2Connection`
:raises: Generic exception on error
"""
# check for existing connection
if self._ec2_connection:
return self._ec2_connection
try:
log.debug("Connecting to ec2 host %s", self._ec2host)
region = ec2.regioninfo.RegionInfo(name=self._region_name,
endpoint=self._ec2host)
# connect to webservice
ec2_connection = boto.connect_ec2(
aws_access_key_id=self._access_key,
aws_secret_access_key=self._secret_key,
is_secure=self._secure,
host=self._ec2host,
port=self._ec2port,
path=self._ec2path,
region=region)
log.debug("EC2 connection has been successful.")
if self._vpc:
vpc_connection = boto.connect_vpc(
aws_access_key_id=self._access_key,
aws_secret_access_key=self._secret_key,
is_secure=self._secure,
host=self._ec2host,
port=self._ec2port,
path=self._ec2path,
region=region)
log.debug("VPC connection has been successful.")
for vpc in vpc_connection.get_all_vpcs():
log.debug("Checking whether %s matches %s/%s" %
(self._vpc, vpc.tags['Name'], vpc.id))
if self._vpc in [vpc.tags['Name'], vpc.id]:
self._vpc_id = vpc.id
if self._vpc != self._vpc_id:
log.debug("VPC %s matches %s" %
(self._vpc, self._vpc_id))
break
else:
raise VpcError('VPC %s does not exist.' % self._vpc)
# list images to see if the connection works
# images = self._ec2_connection.get_all_images()
# log.debug("%d images found on cloud %s",
# len(images), self._ec2host)
except Exception as e:
log.error(
"connection to ec2 could not be "
"established: message=`%s`", str(e))
raise
self._ec2_connection, self._vpc_connection = (ec2_connection,
vpc_connection)
return self._ec2_connection
def test_vpc_isdefault_filter():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
conn.get_all_vpcs(filters={'isDefault': 'true'}).should.have.length_of(1)
vpc.delete()
conn.get_all_vpcs(filters={'isDefault': 'true'}).should.have.length_of(1)
def test_instance_with_nic_attach_detach():
conn = boto.connect_vpc('the_key', 'the_secret')
vpc = conn.create_vpc("10.0.0.0/16")
subnet = conn.create_subnet(vpc.id, "10.0.0.0/18")
security_group1 = conn.create_security_group(
'test security group #1', 'this is a test security group')
security_group2 = conn.create_security_group(
'test security group #2', 'this is a test security group')
reservation = conn.run_instances('ami-1234abcd',
security_group_ids=[security_group1.id])
instance = reservation.instances[0]
eni = conn.create_network_interface(subnet.id, groups=[security_group2.id])
# Check initial instance and ENI data
instance.interfaces.should.have.length_of(1)
eni.groups.should.have.length_of(1)
set([group.id
for group in eni.groups]).should.equal(set([security_group2.id]))
# Attach
with assert_raises(EC2ResponseError) as ex:
conn.attach_network_interface(eni.id,
instance.id,
device_index=1,
dry_run=True)
ex.exception.error_code.should.equal('DryRunOperation')
ex.exception.status.should.equal(400)
ex.exception.message.should.equal(
'An error occurred (DryRunOperation) when calling the AttachNetworkInterface operation: Request would have succeeded, but DryRun flag is set'
)
conn.attach_network_interface(eni.id, instance.id, device_index=1)
# Check attached instance and ENI data
instance.update()
instance.interfaces.should.have.length_of(2)
instance_eni = instance.interfaces[1]
instance_eni.id.should.equal(eni.id)
instance_eni.groups.should.have.length_of(2)
set([group.id for group in instance_eni.groups
]).should.equal(set([security_group1.id, security_group2.id]))
eni = conn.get_all_network_interfaces(
filters={'network-interface-id': eni.id})[0]
eni.groups.should.have.length_of(2)
set([group.id for group in eni.groups
]).should.equal(set([security_group1.id, security_group2.id]))
# Detach
with assert_raises(EC2ResponseError) as ex:
conn.detach_network_interface(instance_eni.attachment.id, dry_run=True)
ex.exception.error_code.should.equal('DryRunOperation')
ex.exception.status.should.equal(400)
ex.exception.message.should.equal(
'An error occurred (DryRunOperation) when calling the DetachNetworkInterface operation: Request would have succeeded, but DryRun flag is set'
)
conn.detach_network_interface(instance_eni.attachment.id)
# Check detached instance and ENI data
instance.update()
instance.interfaces.should.have.length_of(1)
eni = conn.get_all_network_interfaces(
filters={'network-interface-id': eni.id})[0]
eni.groups.should.have.length_of(1)
set([group.id
for group in eni.groups]).should.equal(set([security_group2.id]))
# Detach with invalid attachment ID
with assert_raises(EC2ResponseError) as cm:
conn.detach_network_interface('eni-attach-1234abcd')
cm.exception.code.should.equal('InvalidAttachmentID.NotFound')
cm.exception.status.should.equal(400)
cm.exception.request_id.should_not.be.none
