def create_security_groups(self):
t = self.template
t.add_resource(
ec2.SecurityGroup(
ELB_SG_NAME,
GroupDescription="Security group for load balancer",
VpcId=Ref("VpcId")))
t.add_resource(
ec2.SecurityGroupIngress(
"ELBPort80FromTrustedNetwork",
IpProtocol="tcp", FromPort="80", ToPort="80",
CidrIp=Ref("TrustedNetwork"),
Condition="UseHTTP",
GroupId=Ref(ELB_SG_NAME)))
t.add_resource(
ec2.SecurityGroupIngress(
"ELBPort443FromTrustedNetwork",
IpProtocol="tcp", FromPort="443", ToPort="443",
CidrIp=Ref("TrustedNetwork"),
Condition="UseHTTPS",
GroupId=Ref(ELB_SG_NAME)))
t.add_resource(
ec2.SecurityGroupIngress(
"ELBPort443GitHub",
IpProtocol="tcp", FromPort="443", ToPort="443",
CidrIp=Ref("GitHubCIDR"),
Condition="UseHTTPS",
GroupId=Ref(ELB_SG_NAME)))
t.add_resource(
ec2.SecurityGroupIngress(
"80ToControllerPort8081",
IpProtocol="tcp", FromPort="8081", ToPort="8081",
SourceSecurityGroupId=Ref(ELB_SG_NAME),
GroupId=Ref("InstanceSecurityGroup")))
def create_db_rules(self):
self.template.add_resource(
ec2.SecurityGroupIngress(
'ClientPsqlPort5432',
IpProtocol="tcp",
FromPort="5432",
ToPort="5432",
SourceSecurityGroupId=Ref(self.CLIENT_SG_NAME),
GroupId=Ref(self.RDS_SG_NAME),
)
)
# If there is a bastion sg, add inbound access from the bastion to RDS.
variables = self.get_variables()
bastion_sg = variables[self.BASTION_SG_NAME]
if bastion_sg:
self.template.add_resource(
ec2.SecurityGroupIngress(
'BastionPsqlPort5432',
IpProtocol="tcp",
FromPort="5432",
ToPort="5432",
SourceSecurityGroupId=bastion_sg,
GroupId=Ref(self.RDS_SG_NAME),
)
)
def create_security_groups(self):
t = self.template
t.add_resource(
ec2.SecurityGroup(CLUSTER_SG_NAME,
GroupDescription='EmpireMinionSecurityGroup',
VpcId=Ref("VpcId")))
t.add_output(Output('EmpireMinionSG', Value=Ref(CLUSTER_SG_NAME)))
# Allow all ports within cluster
t.add_resource(
ec2.SecurityGroupIngress(
"EmpireMinionAllTCPAccess",
IpProtocol='-1',
FromPort='-1',
ToPort='-1',
SourceSecurityGroupId=Ref(CLUSTER_SG_NAME),
GroupId=Ref(CLUSTER_SG_NAME)))
# Application ELB Security Groups
# Internal
for elb in ('public', 'private'):
group_name = "Empire%sAppELBSG" % elb.capitalize()
t.add_resource(
ec2.SecurityGroup(group_name,
GroupDescription=group_name,
VpcId=Ref("VpcId"),
Tags=Tags(Name='%s-app-elb-sg' % elb)))
t.add_output(
Output("%sEmpireAppELBSG" % elb.capitalize(),
Value=Ref(group_name)))
# Allow ELB to talk to cluster on 9000-10000
t.add_resource(
ec2.SecurityGroupIngress("Empire%sAppPort9000To10000" %
elb.capitalize(),
IpProtocol="tcp",
FromPort=9000,
ToPort=10000,
SourceSecurityGroupId=Ref(group_name),
GroupId=Ref(CLUSTER_SG_NAME)))
# Allow anything to talk to the ELB
# If internal only internal hosts will be able to talk to
# the elb
t.add_resource(
ec2.SecurityGroupIngress("Empire%sELBAllow80" %
elb.capitalize(),
IpProtocol="tcp",
FromPort=80,
ToPort=80,
CidrIp="0.0.0.0/0",
GroupId=Ref(group_name)))
t.add_resource(
ec2.SecurityGroupIngress("Empire%sELBAllow443" %
elb.capitalize(),
IpProtocol="tcp",
FromPort=443,
ToPort=443,
CidrIp="0.0.0.0/0",
GroupId=Ref(group_name)))
def vpc_security_rules(inp):
sg_spec = readify(inp)
out = []
for line in sg_spec.splitlines():
if not line or line.startswith('#'):
continue
pieces = re.split('\s+', line)
resource_name = pieces[0]
sg_type = pieces[1]
first = pieces[2]
second = pieces[3]
protocol = pieces[4]
port_range = pieces[5].split(':')
kwargs = {
"FromPort": int(port_range[0]),
"ToPort": int(port_range[1]),
"IpProtocol": protocol
}
if sg_type == 'ingress':
if re.match(r'^[0-9\.\/]*$', first):
kwargs['CidrIp'] = first
else:
kwargs['SourceSecurityGroupId'] = Ref(first)
kwargs['GroupId'] = Ref(second)
out.append(ec2.SecurityGroupIngress(resource_name, **kwargs))
else:
if pieces[0] == 'ingress':
kwargs["SourceSecurityGroupId"] = Ref(pieces[1])
else:
kwargs["DestinationSecurityGroupId"] = Ref(pieces[1])
return out
def add_ingress(self, sender, port):
"""
Add an ingress rule to this SecurityEnabledObject after evaluating if it is a Security group or CIDR tuple
([0] = title, [1] = ip)
Creates a Troposphere SecurityGroupIngress object
AWS Cloud Formation:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html
Troposphere link: https://github.com/cloudtools/troposphere/blob/master/troposphere/ec2.py
:param sender: The SecurityEnabledObject that will be sending traffic to this SecurityEnabledObject,
sender[0] = title, sender[1] = ip
:param port: Port to send, and receive traffic on
"""
sender_title = sender.title if hasattr(sender, 'title') else sender['name']
if port == '-1':
common = {'IpProtocol': 'tcp', 'FromPort': '0', 'ToPort': '65535', 'GroupId': self.security_group}
name = self.title + 'AllFrom' + sender_title + 'All'
else:
common = {'IpProtocol': 'tcp', 'FromPort': port, 'ToPort': port, 'GroupId': self.security_group}
name = self.title + port + 'From' + sender_title + port
ingress = self.template.add_resource(ec2.SecurityGroupIngress(get_cf_friendly_name(name), **common))
if isinstance(sender, SecurityEnabledObject):
ingress.SourceSecurityGroupId = sender.security_group
else:
ingress.CidrIp = sender['cidr']
self.ingress.append(ingress)
def add_resources_and_output(self):
"""Add resources to template."""
template = self.template
variables = self.get_variables()
ec2securitygroup = template.add_resource(
ec2.SecurityGroup('Sg',
GroupName=variables['SgName'].ref,
GroupDescription=variables['SgDescription'].ref,
Tags=Tags(variables['Tags']),
VpcId=variables['VpcId'].ref))
for rule, settings in variables['Rules'].iteritems():
if 'IpProtocol' not in settings.keys():
settings['IpProtocol'] = 'tcp'
template.add_resource(
ec2.SecurityGroupIngress(
'SgIngress{}'.format(sub('[/.-]', '', rule)),
GroupId=GetAtt(ec2securitygroup, 'GroupId'),
**settings))
template.add_output(
Output('{}Id'.format(ec2securitygroup.title),
Description='ID of the Security Group created',
Value=GetAtt(ec2securitygroup, 'GroupId'),
Export=Export(
Sub('${AWS::StackName}-%sId' %
ec2securitygroup.title))))
def configure_security_groups(vpc_subnet, vpc_id):
node_sec_group = ec2.SecurityGroup('DustNodeSG')
node_sec_group.GroupDescription = "Allow incoming ssh and icmp and all intracluster tcp"
if vpc_subnet:
node_sec_group.VpcId = vpc_id
ssh_in_rule = ec2.SecurityGroupRule()
ssh_in_rule.FromPort = 22
ssh_in_rule.ToPort = 22
ssh_in_rule.CidrIp = "0.0.0.0/0"
ssh_in_rule.IpProtocol = 'tcp'
icmp_in_rule = ec2.SecurityGroupRule()
icmp_in_rule.FromPort = -1
icmp_in_rule.ToPort = -1
icmp_in_rule.CidrIp = "0.0.0.0/0"
icmp_in_rule.IpProtocol = 'icmp'
node_sec_group.SecurityGroupIngress = [ssh_in_rule, icmp_in_rule]
intracluster_sec_group = ec2.SecurityGroupIngress('DustIntraClusterSG')
if vpc_subnet:
intracluster_sec_group.GroupId = Ref(node_sec_group)
else:
intracluster_sec_group.GroupName = Ref(node_sec_group)
intracluster_sec_group.FromPort = 0
intracluster_sec_group.ToPort = 65535
if vpc_subnet:
intracluster_sec_group.SourceSecurityGroupId = Ref(node_sec_group)
else:
intracluster_sec_group.SourceSecurityGroupName = Ref(node_sec_group)
intracluster_sec_group.IpProtocol = "-1"
return node_sec_group, intracluster_sec_group
def create_security_groups(self, template, sg_name):
template.add_resource(
ec2.SecurityGroup(sg_name,
GroupName=sg_name,
GroupDescription=sg_name,
VpcId=Ref("VpcId"),
Tags=[{
'Key': 'Name',
'Value': sg_name
}]))
template.add_output(Output("InternalAlbSG", Value=Ref(sg_name)))
sg_ingress_name = "SecurityGroupIngressTo443"
# TODO: take a list of Cidr's
# Allow Internet to connect to ALB
template.add_resource(
ec2.SecurityGroupIngress(
sg_ingress_name,
IpProtocol="tcp",
FromPort="443",
ToPort="443",
CidrIp="10.0.0.0/0",
GroupId=Ref(sg_name),
))
def create_security_groups(self):
t = self.template
cluster_rules = []
cluster_rules.append(
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort=22,
ToPort=22,
CidrIp=Ref('OfficeNetwork')))
sg = t.add_resource(
ec2.SecurityGroup(CLUSTER_SG_NAME,
GroupDescription='BastionSecurityGroup',
SecurityGroupIngress=cluster_rules,
VpcId=Ref("VpcId")))
t.add_output(Output('SecurityGroup', Value=Ref(sg)))
# Make it so the bastion hosts can ssh into any other host.
t.add_resource(
ec2.SecurityGroupIngress(
'AllowSSHAnywhere',
IpProtocol='tcp',
FromPort=22,
ToPort=22,
SourceSecurityGroupId=Ref(CLUSTER_SG_NAME),
GroupId=Ref('DefaultSG')))
def create_security_groups(self):
t = self.template
t.add_resource(
ec2.SecurityGroup(CLUSTER_SG_NAME,
GroupDescription=CLUSTER_SG_NAME,
VpcId=Ref("VpcId")))
t.add_output(Output('EmpireControllerSG', Value=Ref(CLUSTER_SG_NAME)))
# Allow access to the DB
t.add_resource(
ec2.SecurityGroupIngress(
"EmpireControllerDBAccess",
IpProtocol='tcp',
FromPort=5432,
ToPort=5432,
SourceSecurityGroupId=Ref(CLUSTER_SG_NAME),
GroupId=Ref('EmpireDBSecurityGroup')))
# Now setup all Empire ELB SG stuff
t.add_resource(
ec2.SecurityGroup(ELB_SG_NAME,
GroupDescription=ELB_SG_NAME,
VpcId=Ref("VpcId")))
t.add_resource(
ec2.SecurityGroupIngress("EmpireControllerELBPort80FromTrusted",
IpProtocol='tcp',
FromPort='80',
ToPort='80',
CidrIp=Ref("TrustedNetwork"),
GroupId=Ref(ELB_SG_NAME)))
t.add_resource(
ec2.SecurityGroupIngress("EmpireControllerELBPort443FromTrusted",
IpProtocol='tcp',
FromPort='443',
ToPort='443',
CidrIp=Ref("TrustedNetwork"),
GroupId=Ref(ELB_SG_NAME)))
t.add_resource(
ec2.SecurityGroupIngress("ELBPort80ToControllerPort8080",
IpProtocol='tcp',
FromPort='8080',
ToPort='8080',
SourceSecurityGroupId=Ref(ELB_SG_NAME),
GroupId=Ref(CLUSTER_SG_NAME)))
def instance_security_group_ingress_internal(self):
return ec2.SecurityGroupIngress(
"PilosaInternalIngress",
IpProtocol='tcp',
FromPort='12000',
ToPort='12000',
GroupId=Ref(self.instance_security_group),
SourceSecurityGroupId=Ref(self.instance_security_group),
)
def create_db_rules(self):
self.template.add_resource(
ec2.SecurityGroupIngress(
"MasterAPIDBMinionAccess",
IpProtocol='tcp',
FromPort=3306,
ToPort=3306,
SourceSecurityGroupId=Ref("MinionSecurityGroup"),
GroupId=Ref('MasterAPIDBSecurityGroup')))
def create_security_groups(self):
self.template.add_resource(
ec2.SecurityGroupIngress(
'EmpireMinionRedisAccess',
IpProtocol='TCP',
FromPort=6379,
ToPort=6379,
SourceSecurityGroupId=Ref('MinionSecurityGroup'),
GroupId=Ref('RedisSecurityGroup'),
), )
def ingress_rule(self) -> ec2.SecurityGroupIngress:
"""Return Ingress rule allowing traffic from aws VPC endpoints."""
return ec2.SecurityGroupIngress(
name_to_id(f"{self.name}Ingress"),
CidrIp=self.cidr_block,
FromPort="443",
ToPort="443",
IpProtocol="tcp",
GroupId=Ref(self.security_group),
)
def handle(self, chain_context):
template = chain_context.template
template.add_resource(
ec2.SecurityGroupIngress(
self.name,
IpProtocol="tcp",
FromPort=self.port_to_open,
ToPort=self.port_to_open,
CidrIp=self.cidr,
GroupId=chain_context.metadata[META_SECURITY_GROUP_REF]))
def rule_adder_self(self, group, fromport, toport=None, protocol='TCP'):
""" This function exits to create self-referencing security groups. """
if toport is None:
toport = fromport
rule = ec2.SecurityGroupIngress("IngressRule",
IpProtocol=protocol,
FromPort=fromport,
ToPort=toport,
SourceSecurityGroupId=Ref(group),
GroupId=Ref(group))
self.template.add_resource(rule)
def add_secgroup(t):
sg_in = []
sg_out = []
#Ingress TCP ports
for port in ['21', '80', '111', '443', '445', '2049', '3712', '8000']:
sg_in.append(
ec2.SecurityGroupRule(
Description=
"TCP ports for NFS, SMB, FTP, Management, and Replication",
IpProtocol='tcp',
FromPort=port,
ToPort=port,
CidrIp='0.0.0.0/0'))
#Ingress UDP ports
for port in ['111', '2049']:
sg_in.append(
ec2.SecurityGroupRule(Description="UDP ports for NFS",
IpProtocol='udp',
FromPort=port,
ToPort=port,
CidrIp='0.0.0.0/0'))
#Egress rule for all ports and protocols
sg_out.append(
ec2.SecurityGroupRule(Description="Outbound traffic",
IpProtocol='-1',
FromPort=0,
ToPort=0,
CidrIp='0.0.0.0/0'))
t.add_resource(
ec2.SecurityGroup(
"QumuloSecurityGroup",
GroupDescription=
"Enable ports for NFS/SMB/FTP, Management, Replication, and Clustering.",
SecurityGroupIngress=sg_in,
SecurityGroupEgress=sg_out,
VpcId=Ref("VpcId")))
# Self referencing security rules need to be added after the group is created.
# This rule is enabling all traffic between members of the security group for
# clustering.
t.add_resource(
ec2.SecurityGroupIngress(
"QumuloSecurityGroupNodeRule",
DependsOn="QumuloSecurityGroup",
Description="Qumulo Internode Communication",
GroupId=Ref("QumuloSecurityGroup"),
IpProtocol='-1',
FromPort=0,
ToPort=0,
SourceSecurityGroupId=Ref("QumuloSecurityGroup")))
def create_reciprocal_sg(self,
source_group,
source_group_name,
destination_group,
destination_group_name,
from_port,
to_port=None,
ip_protocol='tcp'):
'''
Helper method creates reciprocal ingress and egress rules given two existing security groups and a set of ports
@param source_group [Troposphere.ec2.SecurityGroup] Object reference to the source security group
@param source_group_name [string] friendly name of the source security group used for labels
@param destination_group [Troposphere.ec2.SecurityGroup] Object reference to the destination security group
@param destination_group_name [string] friendly name of the destination security group used for labels
@param from_port [string] lower boundary of the port range to set for the secuirty group rules
@param to_port [string] upper boundary of the port range to set for the security group rules
@param ip_protocol [string] name of the IP protocol to set this rule for
'''
if to_port == None:
to_port = from_port
if isinstance(from_port, unicode):
from_port = from_port.encode('ascii', 'ignore')
if isinstance(to_port, unicode):
to_port = to_port.encode('ascii', 'ignore')
if from_port == to_port:
if isinstance(from_port, str):
label_suffix = ip_protocol.capitalize() + from_port
else:
label_suffix = ip_protocol.capitalize() + 'Mapped'
else:
if isinstance(from_port, str) and isinstance(to_port, str):
label_suffix = ip_protocol.capitalize(
) + from_port + 'To' + to_port
else:
label_suffix = ip_protocol.capitalize() + 'MappedPorts'
self.template.add_resource(
ec2.SecurityGroupIngress(destination_group_name + 'Ingress' +
source_group_name + label_suffix,
SourceSecurityGroupId=Ref(source_group),
GroupId=Ref(destination_group),
FromPort=from_port,
ToPort=to_port,
IpProtocol=ip_protocol))
self.template.add_resource(
ec2.SecurityGroupEgress(
source_group_name + 'Egress' + destination_group_name +
label_suffix,
DestinationSecurityGroupId=Ref(destination_group),
GroupId=Ref(source_group),
FromPort=from_port,
ToPort=to_port,
IpProtocol=ip_protocol))
def create_security_groups(self):
t = self.template
asg_sg = CLUSTER_SG_NAME % self.name
elb_sg = ELB_SG_NAME % self.name
t.add_resource(
ec2.SecurityGroup(asg_sg,
GroupDescription=asg_sg,
VpcId=Ref("VpcId")))
# ELB Security group, if ELB is used
t.add_resource(
ec2.SecurityGroup(elb_sg,
GroupDescription=elb_sg,
VpcId=Ref("VpcId"),
Condition="CreateELB"))
# Add SG rules here
# Allow ELB to connect to ASG on port 80
t.add_resource(
ec2.SecurityGroupIngress("%sElbToASGPort80" % self.name,
IpProtocol="tcp",
FromPort="80",
ToPort="80",
SourceSecurityGroupId=Ref(elb_sg),
GroupId=Ref(asg_sg),
Condition="CreateELB"))
# Allow Internet to connect to ELB on port 80
t.add_resource(
ec2.SecurityGroupIngress("InternetTo%sElbPort80" % self.name,
IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp="0.0.0.0/0",
GroupId=Ref(elb_sg),
Condition="CreateELB"))
t.add_resource(
ec2.SecurityGroupIngress("InternetTo%sElbPort443" % self.name,
IpProtocol="tcp",
FromPort="443",
ToPort="443",
CidrIp="0.0.0.0/0",
GroupId=Ref(elb_sg),
Condition="CreateSSLELB"))
def create_security_groups(self):
# Add rules to access RDS and Redis databases from the empire minions
# that will run the API
self.template.add_resource(
ec2.SecurityGroupIngress(
'EmpireMinionDatabaseAccess',
IpProtocol='TCP',
FromPort=5432,
ToPort=5432,
SourceSecurityGroupId=Ref('MinionSecurityGroup'),
GroupId=Ref('RDSSecurityGroup'),
), )
def buildMySQL(t, args):
t.add_resource(
ec2.SecurityGroup('DBSecurityGroup',
GroupDescription='Patient Records',
VpcId=Ref('VPC'),
Tags=Tags(Name='MySQL Access')))
t.add_resource(
ec2.SecurityGroupIngress(
'DBSGIngress',
GroupId=Ref('DBSecurityGroup'),
IpProtocol='-1',
SourceSecurityGroupId=Ref('ApplicationSecurityGroup')))
t.add_resource(
rds.DBSubnetGroup(
'RDSSubnetGroup',
DBSubnetGroupDescription='MySQL node locations',
SubnetIds=[Ref('PrivateSubnet1'),
Ref('PrivateSubnet2')]))
if (args.recovery):
t.add_resource(
rds.DBInstance('RDSInstance',
DeletionPolicy='Delete' if args.dev else 'Snapshot',
DBSnapshotIdentifier=Ref('RecoveryRDSSnapshotARN'),
DBInstanceClass=Ref('RDSInstanceSize'),
PubliclyAccessible=False,
DBSubnetGroupName=Ref('RDSSubnetGroup'),
VPCSecurityGroups=[Ref('DBSecurityGroup')],
MultiAZ=not args.dev,
Tags=Tags(Name='Patient Records')))
else:
t.add_resource(
rds.DBInstance('RDSInstance',
DeletionPolicy='Delete' if args.dev else 'Snapshot',
DBName='openemr',
AllocatedStorage=Ref('PatientRecords'),
DBInstanceClass=Ref('RDSInstanceSize'),
Engine='MySQL',
EngineVersion=FindInMap('RegionData', ref_region,
'MySQLVersion'),
MasterUsername='******',
MasterUserPassword=Ref('RDSPassword'),
PubliclyAccessible=False,
DBSubnetGroupName=Ref('RDSSubnetGroup'),
VPCSecurityGroups=[Ref('DBSecurityGroup')],
KmsKeyId=OpenEMRKeyID,
StorageEncrypted=True,
MultiAZ=not args.dev,
Tags=Tags(Name='Patient Records')))
return t
def add_resources(self):
"""Add resources to template."""
template = self.template
variables = self.get_variables()
for rule, settings in variables['Rules'].iteritems():
if 'IpProtocol' not in settings.keys():
settings['IpProtocol'] = 'tcp'
template.add_resource(
ec2.SecurityGroupIngress('SgIngress{}'.format(
sub('[/.-]', '', rule)),
GroupId=variables['GroupId'].ref,
**settings))
def handle(self, chain_context):
template = chain_context.template
clean_cidr = re.compile('[\W_]+').sub('', self.cidr)
template.add_resource(ec2.SecurityGroupIngress(
"Cidr%sToASGPort%s" % (clean_cidr, self.port_to_open),
IpProtocol="tcp",
FromPort=self.port_to_open,
ToPort=self.port_to_open,
CidrIp=self.cidr,
GroupId=chain_context.metadata[META_SECURITY_GROUP_REF]
))
def add_resources(self):
"""Add resources to template."""
template = self.template
variables = self.get_variables()
for rule in variables['Rules']:
if 'IpProtocol' in rule.keys():
ipprotocol = rule['IpProtocol']
else:
ipprotocol = 'tcp'
if 'FromCidr' in rule.keys():
template.add_resource(
ec2.SecurityGroupIngress(
'SgIngress{}To{}{}FromCidr{}'.format(
rule['FromPort'], rule['ToPort'],
ipprotocol, sub('[/.]', '', rule['FromCidr'])
),
FromPort=rule['FromPort'],
ToPort=rule['ToPort'],
IpProtocol=ipprotocol,
CidrIp=rule['FromCidr'],
GroupId=variables['GroupId'].ref,
)
)
if 'FromSgId' in rule.keys():
template.add_resource(
ec2.SecurityGroupIngress(
'SgIngress{}To{}{}FromSg{}'.format(
rule['FromPort'], rule['ToPort'],
ipprotocol, sub('-', '', rule['FromSgId'])
),
FromPort=rule['FromPort'],
ToPort=rule['ToPort'],
IpProtocol=ipprotocol,
SourceSecurityGroupId=rule['FromSgId'],
GroupId=variables['GroupId'].ref,
)
)
def add_resources(self):
self.jmeter_security_group = self.template.add_resource(
ec2.SecurityGroup(
"JMeterSecurityGroup",
VpcId=Ref(self.jmeter_vpc),
GroupDescription="jmeter_security_group",
Tags=Tags(Name="jmeter_security_group"),
))
self.jmeter_ingress_rule_01 = self.template.add_resource(
ec2.SecurityGroupIngress(
"JMeterIngressRule01",
GroupId=Ref(self.jmeter_security_group),
ToPort="22",
IpProtocol="tcp",
CidrIp=Ref(self.jmeter_allowed_ip),
FromPort="22",
))
self.jmeter_ingress_rule_02 = self.template.add_resource(
ec2.SecurityGroupIngress(
"JMeterIngressRule02",
GroupId=Ref(self.jmeter_security_group),
ToPort="1099",
IpProtocol="tcp",
SourceSecurityGroupId=Ref(self.jmeter_security_group),
FromPort="1099",
))
self.jmeter_ingress_rule_03 = self.template.add_resource(
ec2.SecurityGroupIngress(
"JMeterIngressRule03",
GroupId=Ref(self.jmeter_security_group),
ToPort="65535",
IpProtocol="tcp",
SourceSecurityGroupId=Ref(self.jmeter_security_group),
FromPort="30000",
))
def add_resources(self):
"""Add resources to template."""
template = self.template
variables = self.get_variables()
template.add_resource(
ec2.SecurityGroupIngress('SecurityGroupIngressFromCidr',
FromPort=variables['FromPort'].ref,
ToPort=variables['ToPort'].ref,
IpProtocol=variables['IpProtocol'].ref,
CidrIp=variables['FromCidr'].ref,
GroupId=variables['GroupId'].ref,
Condition='CidrDefined'))
template.add_resource(
ec2.SecurityGroupIngress(
'SecurityGroupIngressFromSg',
FromPort=variables['FromPort'].ref,
ToPort=variables['ToPort'].ref,
IpProtocol=variables['IpProtocol'].ref,
SourceSecurityGroupId=variables['FromSgId'].ref,
GroupId=variables['GroupId'].ref,
Condition='SrcSgDefined'))
def handle(self, chain_context):
template = chain_context.template
name = '%sElbToASGPort%s' % (chain_context.instance_name,
self.port_to_open)
template.add_resource(
ec2.SecurityGroupIngress(
name,
IpProtocol="tcp",
FromPort=self.port_to_open,
ToPort=self.port_to_open,
SourceSecurityGroupId=Ref(self.alb_sg_name),
GroupId=chain_context.metadata[META_SECURITY_GROUP_REF]))
def __add_ingress_rule(self, template, rule, sg):
if 'sg' in rule:
template.add_resource(
ec2.SecurityGroupIngress(rule['name'],
ToPort=rule['to_port'],
FromPort=rule['from_port'],
IpProtocol='tcp',
GroupId=Ref(sg),
Description=rule['description'],
SourceSecurityGroupId=Ref(
rule['sg'])))
elif 'cidr_ip' in rule:
template.add_resource(
ec2.SecurityGroupIngress(rule['name'],
ToPort=rule['to_port'],
FromPort=rule['from_port'],
IpProtocol='tcp',
CidrIp=rule['cidr_ip'],
GroupId=Ref(sg),
Description=rule['description']))
elif 'instances' in rule:
count = 0
instance_ids = self.ec2op.get_instance_ids_from_tag(
tag_name="Name", tag_value=rule['instances'])
for instance_id in instance_ids:
instance_ip = str(
self.ec2op.get_external_ip_from_instance_id(
instance_id=instance_id)) + "/32"
template.add_resource(
ec2.SecurityGroupIngress(rule['name'] + str(count),
ToPort=rule['to_port'],
FromPort=rule['from_port'],
IpProtocol='tcp',
CidrIp=instance_ip,
GroupId=Ref(sg),
Description=rule['description']))
count += 1
def create_security_groups_ingress(self):
""" Creates ingress rule for elb security groups """
template = self.template
variables = self.get_variables()
cidringress = template.add_resource(
ec2.SecurityGroupIngress('SecurityGroupIngressCidr',
FromPort=variables['FromPort'].ref,
ToPort=variables['ToPort'].ref,
GroupId=variables['GroupId'].ref,
IpProtocol=variables['IpProtocol'].ref,
CidrIp=variables['CidrIp'].ref,
Condition='UseCidrIp'))
securitygroupingress = template.add_resource(
ec2.SecurityGroupIngress(
'SecurityGroupIngressSecurityGroupId',
FromPort=variables['FromPort'].ref,
ToPort=variables['ToPort'].ref,
GroupId=variables['GroupId'].ref,
IpProtocol=variables['IpProtocol'].ref,
SourceSecurityGroupId=variables['SourceSecurityGroupId'].ref,
Condition='UseSourceSecurityGroupId'))
template.add_output(
Output(
cidringress.title,
Description='Security group ingres rule for client',
Export=Export(Sub('${AWS::StackName}-%s' % cidringress.title)), # nopep8 pylint: disable=C0301
Value=Ref(cidringress),
Condition='UseCidrIp'))
template.add_output(
Output(
securitygroupingress.title,
Description='Security group ingres rule for client',
Export=Export(
Sub('${AWS::StackName}-%s' % securitygroupingress.title)), # nopep8 pylint: disable=C0301
Value=Ref(securitygroupingress),
Condition='UseSourceSecurityGroupId'))
def https_ingress_rule(
self,
security_group: ec2.SecurityGroup) -> ec2.SecurityGroupIngress:
"""Return Ingress rule allowing HTTPS traffic from a given security group.
:param security_group: authorize https inbound access from this sg.
"""
return ec2.SecurityGroupIngress(
name_to_id(f"{self.name}Ingress{security_group.title}"),
SourceSecurityGroupId=Ref(security_group),
FromPort="443",
ToPort="443",
IpProtocol="tcp",
GroupId=Ref(self.security_group),
)
