def test_create_fortress(enable_github, requests_mock):
if enable_github:
requests_mock.get("https://api.github.com/meta", json=GITHUB_API_RANGE)
requests_mock.get("https://ip-ranges.amazonaws.com/ip-ranges.json",
json=AWS_IP_RANGES)
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
d = PolicyDocument().append(
Allow(
to="s3:GetObject",
on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
))
p = Policy("InternalPolicy", d)
f = Fortress(
"myfortress",
allow_ssh_from="0.0.0.0/0",
bastion_ami=AMI("ami-1234"),
internal_server_policy=p,
)
f += Bucket("Bucket2")
# Allow access to mybucket through a s3 endpoint
f.private_subnet.add_bucket_access(["mybucket", f["Bucket2"]])
# Allow access to a secret throught a secretsmanager endpoint
f.add_secret_access("arn_secret")
# Allow access to lambdas throught lambda endpoints
f.add_secret_access(["arn_lambda_1", "arn_lambda_2"])
# allow https
f.add_network_access("https")
f.add_private_server(AMI("ami-1234"), ["server1", "server2"],
github_access=enable_github)
assert f.body
def test_ls_ami():
"""List AMIS from all regions."""
aws_env = AWSEnv(regions=["us-east-1", "eu-west-1"], stub=True)
stub_us = aws_env.stub("ec2", region="us-east-1")
stub_eu = aws_env.stub("ec2", region="eu-west-1")
stub_eu.add_response(
"describe_images",
{
"Images": [
{"ImageId": "ami-1234", "RootDeviceName": "/dev/sda1", "Tags": []}
]
},
{"Filters": [], "Owners": ["self"]},
)
stub_us.add_response(
"describe_images",
{
"Images": [
{"ImageId": "ami-5678", "RootDeviceName": "/dev/sda1", "Tags": []}
]
},
{"Filters": [], "Owners": ["self"]},
)
assert len(AMI.ls()) == 2
def test_create_instance():
aws_env = AWSEnv(regions=['us-east-1'], stub=True)
with default_region('us-east-1'):
stub = aws_env.stub('ec2', region='us-east-1')
stub.add_response(
'describe_images',
{'Images': [{'ImageId': 'ami-1234',
'RootDeviceName': '/dev/sda1'}]},
{'ImageIds': ANY})
i = Instance('testmachine', AMI('ami-1234'), disk_size=20)
assert i.properties
i.add(EphemeralDisk('/dev/sdb', 0))
assert i.properties
vpc = VPC('VPC', '10.10.0.0/16')
subnet = Subnet('Subnet', vpc, '10.10.10.0/24')
subnet = Subnet('Subnet2', vpc, '10.10.20.0/24')
security_group = SecurityGroup('mysgroup', vpc)
i.add(NetworkInterface(subnet, description='first network interface'))
i.add(NetworkInterface(subnet,
groups=[security_group],
description='2nd network interface'))
i.add(NetworkInterface(subnet,
groups=[security_group],
description='3rd network interface',
device_index=3))
assert i.properties
with pytest.raises(AssertionError):
i.add("non valid ec2 device")
def test_win_user_data_creation():
"""Test creation of windows user data."""
a = WinUserData()
a.add("powershell", 'echo "test powezrshell"')
a.add("script", "echo test script")
assert yaml.dump(a.properties)
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [
{
"ImageId": "ami-1234-win",
"RootDeviceName": "/dev/sda1",
"Platform": "windows",
"Tags": [],
}
]
},
{"ImageIds": ANY},
)
i = Instance("testmachine", AMI("ami-1234-win"))
i.add_user_data("persist", "true")
assert i.properties
def test_ls_ami():
"""List AMIS from all regions."""
aws_env = AWSEnv(regions=['us-east-1', 'eu-west-1'], stub=True)
stub_us = aws_env.stub('ec2', region='us-east-1')
stub_eu = aws_env.stub('ec2', region='eu-west-1')
stub_eu.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-1234',
'RootDeviceName': '/dev/sda1',
'Tags': []
}]
}, {
'Filters': [],
'Owners': ['self']
})
stub_us.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-5678',
'RootDeviceName': '/dev/sda1',
'Tags': []
}]
}, {
'Filters': [],
'Owners': ['self']
})
assert len(AMI.ls()) == 2
def test_create_fortress_no_bastion():
aws_env = AWSEnv(regions=['us-east-1'], stub=True)
with default_region('us-east-1'):
stub = aws_env.stub('ec2', region='us-east-1')
stub.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-1234',
'RootDeviceName': '/dev/sda1',
'Tags': []
}]
}, {'ImageIds': ANY})
stub.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-1234',
'RootDeviceName': '/dev/sda1',
'Tags': []
}]
}, {'ImageIds': ANY})
d = PolicyDocument().append(
Allow(to='s3:GetObject',
on=['arn:aws:s3:::mybucket', 'arn:aws:s3:::mybucket/*']))
p = Policy('InternalPolicy', d)
f = Fortress('myfortress', bastion_ami=None, internal_server_policy=p)
f += Bucket('Bucket2')
# Allow access to mybucket through a s3 endpoint
f.private_subnet.add_bucket_access(['mybucket', f['Bucket2']])
# allow https
f.add_network_access('https')
f.add_private_server(AMI('ami-1234'), ['server1', 'server2'])
assert f.body
def test_create_fortress_no_bastion():
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
d = PolicyDocument().append(
Allow(
to="s3:GetObject",
on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
))
p = Policy("InternalPolicy", d)
f = Fortress("myfortress", bastion_ami=None, internal_server_policy=p)
f += Bucket("Bucket2")
# Allow access to mybucket through a s3 endpoint
f.private_subnet.add_bucket_access(["mybucket", f["Bucket2"]])
# Allow access to a secret throught a secretsmanager endpoint
f.add_secret_access("arn_secret")
# allow https
f.add_network_access("https")
f.add_private_server(AMI("ami-1234"), ["server1", "server2"])
assert f.body
def test_create_instance():
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [
{"ImageId": "ami-1234", "RootDeviceName": "/dev/sda1", "Tags": []}
]
},
{"ImageIds": ANY},
)
i = Instance("testmachine", AMI("ami-1234"), disk_size=20)
assert i.properties
i.add(EphemeralDisk("/dev/sdb", 0))
assert i.properties
i.add(EBSDisk("/dev/sdc", size=20, encrypted=True))
assert i.properties
vpc = VPC("VPC", "10.10.0.0/16")
subnet = Subnet("Subnet", vpc, "10.10.10.0/24")
subnet = Subnet("Subnet2", vpc, "10.10.20.0/24")
security_group = SecurityGroup("mysgroup", vpc)
i.add(EC2NetworkInterface(subnet, description="first network interface"))
i.add(
EC2NetworkInterface(
subnet, groups=[security_group], description="2nd network interface"
)
)
i.add(
EC2NetworkInterface(
subnet,
groups=[security_group],
description="3rd network interface",
device_index=3,
)
)
assert i.properties
with pytest.raises(AssertionError):
i.add("non valid ec2 device")
def test_cfn_init_set():
s = Stack(name='teststack')
aws_env = AWSEnv(regions=['us-east-1'], stub=True)
with default_region('us-east-1'):
stub = aws_env.stub('ec2', region='us-east-1')
stub.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-1234',
'RootDeviceName': '/dev/sda1',
'Tags': []
}]
}, {'ImageIds': ANY})
s += Instance('server', AMI('ami-1234'))
s['server'].set_cfn_init(s)
assert s.body
def test_cfn_init_set():
s = Stack(name="teststack")
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [
{"ImageId": "ami-1234", "RootDeviceName": "/dev/sda1", "Tags": []}
]
},
{"ImageIds": ANY},
)
s += Instance("server", AMI("ami-1234"))
s["server"].set_cfn_init()
assert s.body
def test_user_data_creation():
"""Test creation of user data."""
a = UserData()
a.add('toto.txt', 'x-shellscript', 'Hello')
a.add('url1', 'x-include-url', 'toto.jpg')
assert yaml.dump(a.properties)
aws_env = AWSEnv(regions=['us-east-1'], stub=True)
with default_region('us-east-1'):
stub = aws_env.stub('ec2', region='us-east-1')
stub.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-1234',
'RootDeviceName': '/dev/sda1',
'Tags': []
}]
}, {'ImageIds': ANY})
i = Instance('testmachine', AMI('ami-1234'))
i.add_user_data('url1', 'x-include-url', 'http://dummy')
assert i.properties
def test_win_user_data_creation():
"""Test creation of windows user data."""
a = WinUserData()
a.add('powershell', 'echo "test powezrshell"')
a.add('script', 'echo test script')
assert yaml.dump(a.properties)
aws_env = AWSEnv(regions=['us-east-1'], stub=True)
with default_region('us-east-1'):
stub = aws_env.stub('ec2', region='us-east-1')
stub.add_response(
'describe_images', {
'Images': [{
'ImageId': 'ami-1234-win',
'RootDeviceName': '/dev/sda1',
'Platform': 'windows',
'Tags': []
}]
}, {'ImageIds': ANY})
i = Instance('testmachine', AMI('ami-1234-win'))
i.add_user_data('persist', 'true')
assert i.properties
def test_user_data_creation():
"""Test creation of user data."""
a = UserData()
a.add("toto.txt", "x-shellscript", "Hello")
a.add("url1", "x-include-url", "toto.jpg")
assert yaml.dump(a.properties)
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [
{"ImageId": "ami-1234", "RootDeviceName": "/dev/sda1", "Tags": []}
]
},
{"ImageIds": ANY},
)
i = Instance("testmachine", AMI("ami-1234"))
i.add_user_data("url1", "x-include-url", "http://dummy")
assert i.properties
def test_create_fortress_with_too_much_sgs():
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
with default_region("us-east-1"):
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": []
}]
},
{"ImageIds": ANY},
)
d = PolicyDocument().append(
Allow(
to="s3:GetObject",
on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
))
p = Policy("InternalPolicy", d)
f = Fortress("myfortress", bastion_ami=None, internal_server_policy=p)
# Adding 16 extra security groups should raise an exception (The maximum
# number of security groups is 16 and there is a default InternalSG)
sg_groups = [
SecurityGroup(name=f"sg{id}", vpc=f.vpc.vpc) for id in range(16)
]
with pytest.raises(AWSFortressError):
f.add_private_server(
AMI("ami-1234"),
["server1"],
amazon_access=False,
github_access=False,
extra_groups=sg_groups,
)
def test_select():
"""Test AMI.select."""
aws_env = AWSEnv(regions=["us-east-1"], stub=True)
stub = aws_env.stub("ec2", region="us-east-1")
stub.add_response(
"describe_images",
{
"Images": [
{
"ImageId": "ami-1",
"RootDeviceName": "/dev/sda1",
"Tags": [
{"Key": "platform", "Value": "x86_64-linux"},
{"Key": "os_version", "Value": "suse11"},
{"Key": "timestamp", "Value": "4"},
],
},
{
"ImageId": "ami-2",
"RootDeviceName": "/dev/sda1",
"Tags": [
{"Key": "platform", "Value": "x86_64-linux"},
{"Key": "os_version", "Value": "suse11"},
{"Key": "timestamp", "Value": "5"},
],
},
{
"ImageId": "ami-3",
"RootDeviceName": "/dev/sda1",
"Tags": [
{"Key": "platform", "Value": "x86_64-linux"},
{"Key": "os_version", "Value": "suse11"},
{"Key": "timestamp", "Value": "1"},
],
},
{
"ImageId": "ami-4",
"RootDeviceName": "/dev/sda1",
"Tags": [
{"Key": "platform", "Value": "x86_64-linux"},
{"Key": "timestamp", "Value": "1"},
],
},
{
"ImageId": "ami-1234",
"RootDeviceName": "/dev/sda1",
"Tags": [
{"Key": "platform", "Value": "x86_64-linux"},
{"Key": "os_version", "Value": "ubuntu16.04"},
{"Key": "timestamp", "Value": "1"},
],
},
]
},
{
"Filters": [
{"Name": "tag-key", "Values": ["platform"]},
{"Name": "tag-key", "Values": ["timestamp"]},
{"Name": "tag-key", "Values": ["os_version"]},
],
"Owners": ["self"],
},
)
with default_region("us-east-1"):
ami = AMI.select(platform="x86_64-linux", os_version="suse11")
assert ami.id == "ami-2"
def test_select():
"""Test AMI.select."""
aws_env = AWSEnv(regions=['us-east-1'], stub=True)
stub = aws_env.stub('ec2', region='us-east-1')
stub.add_response(
'describe_images', {
'Images': [{
'ImageId':
'ami-1',
'RootDeviceName':
'/dev/sda1',
'Tags': [{
'Key': 'platform',
'Value': 'x86_64-linux'
}, {
'Key': 'os_version',
'Value': 'suse11'
}, {
'Key': 'timestamp',
'Value': '4'
}]
}, {
'ImageId':
'ami-2',
'RootDeviceName':
'/dev/sda1',
'Tags': [{
'Key': 'platform',
'Value': 'x86_64-linux'
}, {
'Key': 'os_version',
'Value': 'suse11'
}, {
'Key': 'timestamp',
'Value': '5'
}]
}, {
'ImageId':
'ami-3',
'RootDeviceName':
'/dev/sda1',
'Tags': [{
'Key': 'platform',
'Value': 'x86_64-linux'
}, {
'Key': 'os_version',
'Value': 'suse11'
}, {
'Key': 'timestamp',
'Value': '1'
}]
}, {
'ImageId':
'ami-4',
'RootDeviceName':
'/dev/sda1',
'Tags': [{
'Key': 'platform',
'Value': 'x86_64-linux'
}, {
'Key': 'timestamp',
'Value': '1'
}]
}, {
'ImageId':
'ami-1234',
'RootDeviceName':
'/dev/sda1',
'Tags': [{
'Key': 'platform',
'Value': 'x86_64-linux'
}, {
'Key': 'os_version',
'Value': 'ubuntu16.04'
}, {
'Key': 'timestamp',
'Value': '1'
}]
}]
}, {
'Filters': [{
'Name': 'tag-key',
'Values': ['platform']
}, {
'Name': 'tag-key',
'Values': ['timestamp']
}, {
'Name': 'tag-key',
'Values': ['os_version']
}],
'Owners': ['self']
})
with default_region('us-east-1'):
ami = AMI.select(platform='x86_64-linux', os_version='suse11')
assert ami.id == 'ami-2'