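def create_sg_policy(sg_id, accesskey_id, accesskey_secret, region_id):
    """Interactively add inbound rules to security group ``sg_id`` until the user stops.

    Each round prompts for protocol, port range, source CIDR and policy, then
    sends one AuthorizeSecurityGroup request with priority 10.

    Returns the raw response of the last rule that was actually submitted, or
    ``None`` when no rule was submitted.

    Fixes over the previous version: the ACS client is built once instead of on
    every loop iteration; ``result`` is initialised, so an invalid policy no
    longer leaves it unbound (the old code raised NameError on ``return``);
    the protocol is validated before the request is sent; and the Python 2-only
    ``string.upper`` call is replaced by ``str.upper``.
    """
    print("Now, we will create safe group policy...")
    clt = client.AcsClient(accesskey_id, accesskey_secret, region_id)
    result = None
    valid_protocols = ('tcp', 'udp', 'icmp', 'gre', 'all')
    while True:
        request = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
        request.set_SecurityGroupId(sg_id)
        request.set_accept_format('json')
        request.set_Priority('10')

        ip_protocol = raw_input(
            "Please select the protocol, the protocol can be tcp/udp/icmp/gre/all:"
        ).strip().lower()
        if ip_protocol not in valid_protocols:
            print("Unknown protocol %r, please try again." % ip_protocol)
            continue
        request.set_IpProtocol(ip_protocol)

        # tcp/udp take "from/to" within 1~65535; icmp, gre and all expect "-1/-1".
        port_range = raw_input("Please select port range:").strip()
        request.set_PortRange(port_range)

        # 0.0.0.0/0 makes the rule reachable from every IPv4 address on the internet.
        source_ip = raw_input("Please select the source IP segment:").strip()
        if source_ip == '0.0.0.0/0':
            print("WARNING: 0.0.0.0/0 allows connections from the whole internet.")
        request.set_SourceCidrIp(source_ip)

        # The API default is accept; only send a policy value we recognise.
        policy = raw_input("Will this policy be accept or deny:").strip().lower()
        if policy not in ('accept', 'deny'):
            print("Policy must be 'accept' or 'deny'; rule not created, please try again.")
            continue
        request.set_Policy(policy)
        result = clt.do_action_with_exception(request)

        print("Do you want to create a new policy?")
        selection = raw_input("Y/N:").strip().upper()
        if selection == 'N':
            break
    return result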
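def add_sg_rule(self, source_cidr_ip='0.0.0.0/0'):
    """Build an inbound rule allowing TCP 8880-8888 into ``self.SecurityGroupId``.

    Args:
        source_cidr_ip: source CIDR for the rule. Defaults to ``0.0.0.0/0`` (the
            value that was previously hard-coded), which exposes the whole port
            range to every IPv4 address; pass a narrower CIDR whenever the
            clients are known.

    Returns:
        The populated AuthorizeSecurityGroupRequest. In this listing the request
        is built but never dispatched, so it is returned for the caller to send.
    """
    request = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
    request.set_IpProtocol("tcp")
    request.set_PortRange("8880/8888")
    request.set_SecurityGroupId(self.SecurityGroupId)
    # No Policy/Priority is set, so the API defaults apply.
    request.set_SourceCidrIp(source_cidr_ip)
    return request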
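def add_sg_icmp_rule(self, source_cidr_ip='0.0.0.0/0'):
    """Authorize inbound ICMP (all types, ``-1/-1``) into ``self.SecurityGroupId``.

    Args:
        source_cidr_ip: source CIDR for the rule. Defaults to ``0.0.0.0/0`` (the
            value that was previously hard-coded), i.e. ICMP from anywhere;
            restrict it to the monitoring hosts that actually need to ping.

    Side effects:
        Sends the request via ``do_action(self.client, request)`` and prints
        every key/value of the response dict. No Policy/Priority is set, so the
        API defaults apply.
    """
    request = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
    request.set_IpProtocol("icmp")
    request.set_PortRange("-1/-1")
    request.set_SecurityGroupId(self.SecurityGroupId)
    request.set_SourceCidrIp(source_cidr_ip)
    result = do_action(self.client, request)
    for param_name, param_value in result.items():
        print(f"sg-icmp-ipv4-setting: {param_name} - {param_value}")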
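def add_sg_rule(self, source_cidr_ip='0.0.0.0/0'):
    """Authorize inbound TCP 8888 (Jupyter Notebook) into ``self.SecurityGroupId``.

    Args:
        source_cidr_ip: source CIDR for the rule. Defaults to ``0.0.0.0/0`` (the
            value that was previously hard-coded). A notebook server executes
            arbitrary code for anyone who can authenticate to it, so leaving it
            reachable from every IPv4 address is a serious exposure; pass the
            CIDR of the users' network instead wherever possible.

    Side effects:
        Sends the request via ``do_action(self.client, request)`` and prints
        every key/value of the response dict. No Policy/Priority is set, so the
        API defaults apply.
    """
    request = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
    request.set_IpProtocol("tcp")
    request.set_PortRange("8888/8888")
    request.set_SecurityGroupId(self.SecurityGroupId)
    request.set_SourceCidrIp(source_cidr_ip)
    result = do_action(self.client, request)
    for param_name, param_value in result.items():
        print(f"sg-jupyter-setting: {param_name} - {param_value}")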
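def create_sg_default_policy(sg_id, accesskey_id, accesskey_secret, region_id):
    """Seed a freshly created security group with three fixed inbound ``accept`` rules.

    Rules (all priority 10):
      * every protocol and port from the prometheus server address
      * TCP 22 from the DiDa office Unicom address
      * every protocol and port from the DiDa office telecom /28 segment

    A single ACS client is reused for all three requests. The previous version
    called a non-existent ``do_action_with_exception_with_exception`` method for
    the second and third rules, so only the first rule was ever created before an
    AttributeError was raised; all three now go through ``do_action_with_exception``.

    Returns None. Each raw response is printed after the matching status line.
    """
    clt = client.AcsClient(accesskey_id, accesskey_secret, region_id)
    # (protocol, port range, source CIDR, status line printed on success).
    # "all" with "-1/-1" grants every port to that source; narrow it if the
    # source only needs a few services.
    default_rules = [
        ("all", "-1/-1", "116.62.17.198",
         "prometheus server has been added into new created SafeGroup!"),
        ("tcp", "22/22", "222.45.44.102",
         "DiDa Office Unicom IP segement has been added into new created SafeGroup!"),
        ("all", "-1/-1", "222.190.106.80/28",
         "DiDa Office IP telcome segement has been added into new created SafeGroup!"),
    ]
    for ip_protocol, port_range, source_cidr, message in default_rules:
        request = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
        request.set_accept_format('json')
        request.set_SecurityGroupId(sg_id)
        request.set_IpProtocol(ip_protocol)
        request.set_PortRange(port_range)
        request.set_SourceCidrIp(source_cidr)
        request.set_Policy("accept")
        request.set_Priority('10')
        result = clt.do_action_with_exception(request)
        print(message)
        print(result)
    return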
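def authorizeSecurityGroupRequest(self, SecurityGroupID, IpProtocol, PortRange, SourceCidrIp, Priority, Description, RegionId='cn-shenzhen'):
    """Build (but do not send) an inbound security-group rule request.

    Args:
        SecurityGroupID: target security group.
        IpProtocol: tcp/udp/icmp/gre/all.
        PortRange: "from/to" port range ("-1/-1" for icmp/gre/all).
        SourceCidrIp: source CIDR the rule accepts traffic from.
        Priority: rule priority.
        Description: free-text description stored on the rule.
        RegionId: region the group lives in. Defaults to 'cn-shenzhen', the
            value that was previously hard-coded alongside a note that it should
            become China East 1 (cn-hangzhou); callers in that region now pass
            ``RegionId='cn-hangzhou'`` instead of editing the code.

    Returns:
        The populated AuthorizeSecurityGroupRequest with JSON accept format.
        No Policy is set, so the API default (accept) applies.
    """
    request = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
    request.set_SecurityGroupId(SecurityGroupID)
    request.add_query_param('RegionId', RegionId)
    request.set_IpProtocol(IpProtocol)
    request.set_PortRange(PortRange)
    request.set_SourceCidrIp(SourceCidrIp)
    request.set_Priority(Priority)
    request.set_Description(Description)
    request.set_accept_format('json')
    return request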
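def authIngress(groupId, ip, ip_protocol="ALL", port_range='-1/-1'):
    """Authorize an inbound rule on security group ``groupId`` from ``ip``.

    Args:
        groupId: target security group id.
        ip: source CIDR the rule accepts traffic from. Passing ``0.0.0.0/0``
            here opens the group to the entire internet.
        ip_protocol: protocol to allow. Defaults to ``"ALL"`` (the value that was
            previously hard-coded).
        port_range: destination port range. Defaults to ``'-1/-1'`` (every port,
            previously hard-coded). Together with the protocol default this is a
            "everything from ``ip``" rule; narrow both for anything but a
            fully trusted host.

    The rule is ``Accept``, priority 1, on the ``internet`` NIC, with an
    unrestricted source port range. Uses the module-level ``client``.

    Returns:
        The API response decoded from JSON.
    """
    requestAuth = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
    requestAuth.set_SecurityGroupId(groupId)
    requestAuth.set_PortRange(port_range)
    requestAuth.set_Policy('Accept')
    requestAuth.set_NicType('internet')
    # Priority 1 is the highest, so this rule wins over later, narrower ones.
    requestAuth.set_Priority(1)
    requestAuth.set_SourceCidrIp(ip)
    requestAuth.set_IpProtocol(ip_protocol)
    requestAuth.set_SourcePortRange('-1/-1')
    responseAuth = client.do_action_with_exception(requestAuth)
    return json.loads(responseAuth)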
def set_security_group_inner_rule(self, region_code: str, sec_group_id: str, source_cidr_ip: str, ip_protocol: str, port_range: str, nic_type: str, policy: str):
    """Submit one inbound security-group rule through ``self.handle_request``.

    Every field comes from the caller; nothing is defaulted here, and no
    Priority is set, so the API default applies. ``policy`` decides whether
    the rule accepts or drops traffic from ``source_cidr_ip``. A source of
    ``0.0.0.0/0`` combined with an accept policy exposes the port range to
    every IPv4 address. Returns whatever ``handle_request`` returns (None here,
    since its result is not propagated).
    """
    rule = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
    setters = (
        (rule.set_SecurityGroupId, sec_group_id),
        (rule.set_SourceCidrIp, source_cidr_ip),
        (rule.set_IpProtocol, ip_protocol),
        (rule.set_PortRange, port_range),
        (rule.set_NicType, nic_type),
        (rule.set_Policy, policy),
    )
    for setter, value in setters:
        setter(value)
    self.handle_request(rule, region_id=region_code)
def assign_rule_to_secur_group(region, sgid, protocol, port_rage, src_cidr_ip):
    """Authorize one inbound rule on security group ``sgid`` in ``region``.

    Args:
        region: region id, used both for the client and as the RegionId query parameter.
        sgid: security group id.
        protocol: tcp/udp/icmp/gre/all.
        port_rage: "from/to" port range (parameter name kept for callers).
        src_cidr_ip: source CIDR; ``0.0.0.0/0`` means the whole internet.

    No Policy or Priority is set, so the API defaults apply. The decoded JSON
    response is logged at debug level and returned.
    """
    acs = create_acs_client(region=region)
    rule = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
    rule.set_action_name('AuthorizeSecurityGroup')
    rule.add_query_param('RegionId', region)
    rule.set_SecurityGroupId(sgid)
    rule.set_IpProtocol(protocol)
    rule.set_PortRange(port_rage)
    rule.set_SourceCidrIp(src_cidr_ip)
    raw = acs.do_action_with_exception(rule)
    decoded = json.loads(raw.decode())
    log.debug(decoded)
    return decoded
def addnewRULE(func):
    """Add two intranet TCP ingress rules (ports 3000 and 34872) to a fixed security group.

    ``func`` is invoked once per rule and must return the source CIDR for it.
    Requests go through the module-level ``clt`` client via ``do_action`` (no
    exception on API errors; the raw response is just printed). The
    SecurityGroupId below is a placeholder string that must be replaced with
    the real group id before this is run.
    """
    global clt
    # Port range -> description; NicType 'intranet' keeps the rules off the
    # public NIC (without it the rule would be added for internet traffic).
    rules = [
        ('3000/3000', 'Grafana使用端口'),
        ('34872/34872', 'Zabbix和堡垒机使用端口'),
    ]
    for port_range, description in rules:
        req = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
        req.set_accept_format('json')
        params = [
            ('RegionId', 'cn-hangzhou'),
            ('SecurityGroupId', '目标安全组ID'),
            ('IpProtocol', 'tcp'),
            ('PortRange', port_range),
            ('SourceCidrIp', func()),
            ('NicType', 'intranet'),
            ('Description', description),
        ]
        for key, value in params:
            req.add_query_param(key, value)
        # Send the request and show the raw response.
        print(clt.do_action(req))
def authorizeSecurityGroupRequest(self, SecurityGroupId, IpProtocol, PortRange, SourceCidrIp, NicType='internet', Policy='accept', Priority='1', Description=None):
    """Build (but do not send) an inbound security-group rule request.

    Args:
        SecurityGroupId: target security group.
        IpProtocol: tcp/udp/icmp/gre/all.
        PortRange: "from/to" port range ("-1/-1" for icmp/gre/all).
        SourceCidrIp: source CIDR; ``0.0.0.0/0`` is the whole internet.
        NicType: defaults to 'internet', i.e. the public-facing NIC.
        Policy: 'accept' by default.
        Priority: '1' by default, the highest priority.
        Description: optional text; ``None`` is passed through to
            ``set_Description`` unchanged.

    Returns:
        The populated request with JSON accept format. With the defaults this
        is a public, accept, top-priority rule, so callers should narrow
        ``SourceCidrIp`` rather than relying on the defaults for safety.
    """
    req = AuthorizeSecurityGroupRequest.AuthorizeSecurityGroupRequest()
    fields = (
        (req.set_SecurityGroupId, SecurityGroupId),
        (req.set_NicType, NicType),
        (req.set_IpProtocol, IpProtocol),
        (req.set_PortRange, PortRange),
        (req.set_SourceCidrIp, SourceCidrIp),
        (req.set_Policy, Policy),
        (req.set_Priority, Priority),
        (req.set_Description, Description),
    )
    for setter, value in fields:
        setter(value)
    req.set_accept_format('json')
    return req