saltstack/salt

View on GitHub
salt/modules/boto_secgroup.py

Summary

Maintainability
F
6 days
Test Coverage
# -*- coding: utf-8 -*-
'''
Connection module for Amazon Security Groups

.. versionadded:: 2014.7.0

:configuration: This module accepts explicit ec2 credentials but can
    also utilize IAM roles assigned to the instance through Instance Profiles.
    Dynamic credentials are then automatically obtained from AWS API and no
    further configuration is necessary. More Information available at:

    .. code-block:: text

        http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

    If IAM roles are not used you need to specify them either in a pillar or
    in the minion's config file:

    .. code-block:: yaml

        secgroup.keyid: GKTADJGHEIQSXMKKRBJ08H
        secgroup.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

    A region may also be specified in the configuration:

    .. code-block:: yaml

        secgroup.region: us-east-1

    If a region is not specified, the default is us-east-1.

    It's also possible to specify key, keyid and region via a profile, either
    as a passed in dict, or as a string to pull from pillars or minion config:

    .. code-block:: yaml

        myprofile:
            keyid: GKTADJGHEIQSXMKKRBJ08H
            key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
            region: us-east-1

:depends: boto
'''
# keep lint from choking on _get_conn and _cache_id
#pylint: disable=E0602

from __future__ import absolute_import, print_function, unicode_literals

# Import Python libs
import logging

# Import Salt libs
from salt.exceptions import CommandExecutionError, SaltInvocationError
import salt.utils.odict as odict
import salt.utils.versions

log = logging.getLogger(__name__)

# Import third party libs
from salt.ext import six
try:
    # pylint: disable=unused-import
    import boto
    import boto.ec2
    # pylint: enable=unused-import
    logging.getLogger('boto').setLevel(logging.CRITICAL)
    HAS_BOTO = True
except ImportError:
    HAS_BOTO = False


def __virtual__():
    '''
    Only load if boto libraries exist and if boto libraries are greater than
    a given version.
    '''
    # Boto < 2.4.0 GroupOrCIDR objects have different attributes than
    # Boto >= 2.4.0 GroupOrCIDR objects
    # Differences include no group_id attribute in Boto < 2.4.0 and returning
    # a groupId attribute when a GroupOrCIDR object authorizes an IP range
    # Support for Boto < 2.4.0 can be added if needed
    has_boto_reqs = salt.utils.versions.check_boto_reqs(
        boto_ver='2.4.0',
        check_boto3=False
    )
    if has_boto_reqs is True:
        __utils__['boto.assign_funcs'](__name__, 'ec2', pack=__salt__)
    return has_boto_reqs


def exists(name=None, region=None, key=None, keyid=None, profile=None,
           vpc_id=None, vpc_name=None, group_id=None):
    '''
    Check to see if a security group exists.

    CLI example::

        salt myminion boto_secgroup.exists mysecgroup
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)

    group = _get_group(conn, name=name, vpc_id=vpc_id, vpc_name=vpc_name,
                       group_id=group_id, region=region, key=key, keyid=keyid,
                       profile=profile)
    if group:
        return True
    else:
        return False


def _vpc_name_to_id(vpc_id=None, vpc_name=None, region=None, key=None, keyid=None,
                    profile=None):
    data = __salt__['boto_vpc.get_id'](name=vpc_name, region=region,
                                       key=key, keyid=keyid, profile=profile)
    return data.get('id')


def _split_rules(rules):
    '''
    Split rules with combined grants into individual rules.

    Amazon returns a set of rules with the same protocol, from and to ports
    together as a single rule with a set of grants. Authorizing and revoking
    rules, however, is done as a split set of rules. This function splits the
    rules up.
    '''
    split = []
    for rule in rules:
        ip_protocol = rule.get('ip_protocol')
        to_port = rule.get('to_port')
        from_port = rule.get('from_port')
        grants = rule.get('grants')
        for grant in grants:
            _rule = {'ip_protocol': ip_protocol,
                     'to_port': to_port,
                     'from_port': from_port}
            for key, val in six.iteritems(grant):
                _rule[key] = val
            split.append(_rule)
    return split


def _get_group(conn=None, name=None, vpc_id=None, vpc_name=None, group_id=None,
               region=None, key=None, keyid=None, profile=None):  # pylint: disable=W0613
    '''
    Get a group object given a name, name and vpc_id/vpc_name or group_id. Return
    a boto.ec2.securitygroup.SecurityGroup object if the group is found, else
    return None.
    '''
    if vpc_name and vpc_id:
        raise SaltInvocationError('The params \'vpc_id\' and \'vpc_name\' '
                                  'are mutually exclusive.')
    if vpc_name:
        try:
            vpc_id = _vpc_name_to_id(vpc_id=vpc_id, vpc_name=vpc_name, region=region,
                                key=key, keyid=keyid, profile=profile)
        except boto.exception.BotoServerError as e:
            log.debug(e)
            return None
    if name:
        if vpc_id is None:
            log.debug('getting group for %s', name)
            group_filter = {'group-name': name}
            filtered_groups = conn.get_all_security_groups(filters=group_filter)
            # security groups can have the same name if groups exist in both
            # EC2-Classic and EC2-VPC
            # iterate through groups to ensure we return the EC2-Classic
            # security group
            for group in filtered_groups:
                # a group in EC2-Classic will have vpc_id set to None
                if group.vpc_id is None:
                    return group
            # If there are more security groups, and no vpc_id, we can't know which one to choose.
            if len(filtered_groups) > 1:
                raise CommandExecutionError('Security group belongs to more VPCs, specify the VPC ID!')
            elif len(filtered_groups) == 1:
                return filtered_groups[0]
            return None
        elif vpc_id:
            log.debug('getting group for %s in vpc_id %s', name, vpc_id)
            group_filter = {'group-name': name, 'vpc_id': vpc_id}
            filtered_groups = conn.get_all_security_groups(filters=group_filter)
            if len(filtered_groups) == 1:
                return filtered_groups[0]
            else:
                return None
        else:
            return None
    elif group_id:
        try:
            groups = conn.get_all_security_groups(group_ids=[group_id])
        except boto.exception.BotoServerError as e:
            log.debug(e)
            return None
        if len(groups) == 1:
            return groups[0]
        else:
            return None
    else:
        return None


def _parse_rules(sg, rules):
    _rules = []
    for rule in rules:
        log.debug('examining rule %s for group %s', rule, sg.id)
        attrs = ['ip_protocol', 'from_port', 'to_port', 'grants']
        _rule = odict.OrderedDict()
        for attr in attrs:
            val = getattr(rule, attr)
            if not val:
                continue
            if attr == 'grants':
                _grants = []
                for grant in val:
                    log.debug('examining grant %s for', grant)
                    g_attrs = {'name': 'source_group_name',
                               'owner_id': 'source_group_owner_id',
                               'group_id': 'source_group_group_id',
                               'cidr_ip': 'cidr_ip'}
                    _grant = odict.OrderedDict()
                    for g_attr, g_attr_map in six.iteritems(g_attrs):
                        g_val = getattr(grant, g_attr)
                        if not g_val:
                            continue
                        _grant[g_attr_map] = g_val
                    _grants.append(_grant)
                _rule['grants'] = _grants
            elif attr == 'from_port':
                _rule[attr] = int(val)
            elif attr == 'to_port':
                _rule[attr] = int(val)
            else:
                _rule[attr] = val
        _rules.append(_rule)
    return _rules


def get_all_security_groups(groupnames=None, group_ids=None, filters=None,
                            region=None, key=None, keyid=None, profile=None):
    '''
    Return a list of all Security Groups matching the given criteria and filters.

    Note that the 'groupnames' argument only functions correctly for EC2 Classic
    and default VPC Security Groups.  To find groups by name in other VPCs you'll
    want to use the 'group-name' filter instead.

    Valid keys for the filters argument are:
        description - The description of the security group.
        egress.ip-permission.prefix-list-id - The ID (prefix) of the AWS service to which the security group allows access.
        group-id - The ID of the security group.
        group-name - The name of the security group.
        ip-permission.cidr - A CIDR range that has been granted permission.
        ip-permission.from-port - The start of port range for the TCP and UDP protocols, or an ICMP type number.
        ip-permission.group-id - The ID of a security group that has been granted permission.
        ip-permission.group-name - The name of a security group that has been granted permission.
        ip-permission.protocol - The IP protocol for the permission (tcp | udp | icmp or a protocol number).
        ip-permission.to-port - The end of port range for the TCP and UDP protocols, or an ICMP code.
        ip-permission.user-id - The ID of an AWS account that has been granted permission.
        owner-id - The AWS account ID of the owner of the security group.
        tag-key - The key of a tag assigned to the security group.
        tag-value - The value of a tag assigned to the security group.
        vpc-id - The ID of the VPC specified when the security group was created.

    CLI example::

        salt myminion boto_secgroup.get_all_security_groups filters='{group-name: mygroup}'
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)

    if isinstance(groupnames, six.string_types):
        groupnames = [groupnames]
    if isinstance(group_ids, six.string_types):
        groupnames = [group_ids]

    interesting = ['description', 'id', 'instances', 'name', 'owner_id',
                   'region', 'rules', 'rules_egress', 'tags', 'vpc_id']
    ret = []
    try:
        r = conn.get_all_security_groups(groupnames=groupnames,
                                         group_ids=group_ids,
                                         filters=filters)
        for g in r:
            n = {}
            for a in interesting:
                v = getattr(g, a, None)
                if a == 'region':
                    v = v.name
                elif a in ('rules', 'rules_egress'):
                    v = _parse_rules(g, v)
                elif a == 'instances':
                    v = [i.id for i in v()]
                n[a] = v
            ret += [n]
        return ret
    except boto.exception.BotoServerError as e:
        log.debug(e)
        return []


def get_group_id(name, vpc_id=None, vpc_name=None, region=None, key=None,
                 keyid=None, profile=None):
    '''
    Get a Group ID given a Group Name or Group Name and VPC ID

    CLI example::

        salt myminion boto_secgroup.get_group_id mysecgroup
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    if name.startswith('sg-'):
        log.debug('group %s is a group id. get_group_id not called.', name)
        return name
    group = _get_group(conn=conn, name=name, vpc_id=vpc_id, vpc_name=vpc_name,
                       region=region, key=key, keyid=keyid, profile=profile)
    return getattr(group, 'id', None)


def convert_to_group_ids(groups, vpc_id=None, vpc_name=None, region=None, key=None,
                         keyid=None, profile=None):
    '''
    Given a list of security groups and a vpc_id, convert_to_group_ids will
    convert all list items in the given list to security group ids.

    CLI example::

        salt myminion boto_secgroup.convert_to_group_ids mysecgroup vpc-89yhh7h
    '''
    log.debug('security group contents %s pre-conversion', groups)
    group_ids = []
    for group in groups:
        group_id = get_group_id(name=group, vpc_id=vpc_id,
                                vpc_name=vpc_name, region=region,
                                key=key, keyid=keyid, profile=profile)
        if not group_id:
            # Security groups are a big deal - need to fail if any can't be resolved...
            # But... if we're running in test mode, it may just be that the SG is scheduled
            # to be created, and thus WOULD have been there if running "for real"...
            if __opts__['test']:
                log.warning('Security Group `%s` could not be resolved to an ID.  This may '
                            'cause a failure when not running in test mode.', group)
                return []
            else:
                raise CommandExecutionError('Could not resolve Security Group name '
                                            '{0} to a Group ID'.format(group))
        else:
            group_ids.append(six.text_type(group_id))
    log.debug('security group contents %s post-conversion', group_ids)
    return group_ids


def get_config(name=None, group_id=None, region=None, key=None, keyid=None,
               profile=None, vpc_id=None, vpc_name=None):
    '''
    Get the configuration for a security group.

    CLI example::

        salt myminion boto_secgroup.get_config mysecgroup
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)

    sg = _get_group(conn, name=name, vpc_id=vpc_id, vpc_name=vpc_name,
                    group_id=group_id, region=region, key=key, keyid=keyid,
                    profile=profile)
    if sg:
        ret = odict.OrderedDict()
        ret['name'] = sg.name
        # TODO: add support for vpc_id in return
        # ret['vpc_id'] = sg.vpc_id
        ret['group_id'] = sg.id
        ret['owner_id'] = sg.owner_id
        ret['description'] = sg.description
        ret['tags'] = sg.tags
        _rules = _parse_rules(sg, sg.rules)
        _rules_egress = _parse_rules(sg, sg.rules_egress)
        ret['rules'] = _split_rules(_rules)
        ret['rules_egress'] = _split_rules(_rules_egress)
        return ret
    else:
        return None


def create(name, description, vpc_id=None, vpc_name=None, region=None, key=None,
           keyid=None, profile=None):
    '''
    Create a security group.

    CLI example::

        salt myminion boto_secgroup.create mysecgroup 'My Security Group'
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)

    if not vpc_id and vpc_name:
        try:
            vpc_id = _vpc_name_to_id(vpc_id=vpc_id, vpc_name=vpc_name, region=region,
                                key=key, keyid=keyid, profile=profile)
        except boto.exception.BotoServerError as e:
            log.debug(e)
            return False

    created = conn.create_security_group(name, description, vpc_id)
    if created:
        log.info('Created security group %s.', name)
        return True
    else:
        msg = 'Failed to create security group {0}.'.format(name)
        log.error(msg)
        return False


def delete(name=None, group_id=None, region=None, key=None, keyid=None,
           profile=None, vpc_id=None, vpc_name=None):
    '''
    Delete a security group.

    CLI example::

        salt myminion boto_secgroup.delete mysecgroup
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)

    group = _get_group(conn, name=name, vpc_id=vpc_id, vpc_name=vpc_name,
                       group_id=group_id, region=region, key=key, keyid=keyid,
                       profile=profile)
    if group:
        deleted = conn.delete_security_group(group_id=group.id)
        if deleted:
            log.info('Deleted security group %s with id %s.', group.name, group.id)
            return True
        else:
            msg = 'Failed to delete security group {0}.'.format(name)
            log.error(msg)
            return False
    else:
        log.debug('Security group not found.')
        return False


def authorize(name=None, source_group_name=None,
              source_group_owner_id=None, ip_protocol=None,
              from_port=None, to_port=None, cidr_ip=None, group_id=None,
              source_group_group_id=None, region=None, key=None, keyid=None,
              profile=None, vpc_id=None, vpc_name=None, egress=False):
    '''
    Add a new rule to an existing security group.

    CLI example::

        salt myminion boto_secgroup.authorize mysecgroup ip_protocol=tcp from_port=80 to_port=80 cidr_ip='['10.0.0.0/8', '192.168.0.0/24']'
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)

    group = _get_group(conn, name=name, vpc_id=vpc_id, vpc_name=vpc_name,
                       group_id=group_id, region=region, key=key, keyid=keyid,
                       profile=profile)
    if group:
        try:
            added = None
            if not egress:
                added = conn.authorize_security_group(
                    src_security_group_name=source_group_name,
                    src_security_group_owner_id=source_group_owner_id,
                    ip_protocol=ip_protocol, from_port=from_port, to_port=to_port,
                    cidr_ip=cidr_ip, group_id=group.id,
                    src_security_group_group_id=source_group_group_id)
            else:
                added = conn.authorize_security_group_egress(
                    ip_protocol=ip_protocol, from_port=from_port, to_port=to_port,
                    cidr_ip=cidr_ip, group_id=group.id,
                    src_group_id=source_group_group_id)
            if added:
                log.info('Added rule to security group %s with id %s',
                         group.name, group.id)
                return True
            else:
                msg = ('Failed to add rule to security group {0} with id {1}.'
                       .format(group.name, group.id))
                log.error(msg)
                return False
        except boto.exception.EC2ResponseError as e:
            # if we are trying to add the same rule then we are already in the desired state, return true
            if e.error_code == 'InvalidPermission.Duplicate':
                return True
            msg = ('Failed to add rule to security group {0} with id {1}.'
                   .format(group.name, group.id))
            log.error(msg)
            log.error(e)
            return False
    else:
        log.error('Failed to add rule to security group.')
        return False


def revoke(name=None, source_group_name=None,
           source_group_owner_id=None, ip_protocol=None,
           from_port=None, to_port=None, cidr_ip=None, group_id=None,
           source_group_group_id=None, region=None, key=None, keyid=None,
           profile=None, vpc_id=None, vpc_name=None, egress=False):
    '''
    Remove a rule from an existing security group.

    CLI example::

        salt myminion boto_secgroup.revoke mysecgroup ip_protocol=tcp from_port=80 to_port=80 cidr_ip='10.0.0.0/8'
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)

    group = _get_group(conn, name=name, vpc_id=vpc_id, vpc_name=vpc_name,
                       group_id=group_id, region=region, key=key, keyid=keyid,
                       profile=profile)
    if group:
        try:
            revoked = None
            if not egress:
                revoked = conn.revoke_security_group(
                    src_security_group_name=source_group_name,
                    src_security_group_owner_id=source_group_owner_id,
                    ip_protocol=ip_protocol, from_port=from_port, to_port=to_port,
                    cidr_ip=cidr_ip, group_id=group.id,
                    src_security_group_group_id=source_group_group_id)
            else:
                revoked = conn.revoke_security_group_egress(
                    ip_protocol=ip_protocol, from_port=from_port, to_port=to_port,
                    cidr_ip=cidr_ip, group_id=group.id,
                    src_group_id=source_group_group_id)

            if revoked:
                log.info('Removed rule from security group %s with id %s.',
                         group.name, group.id)
                return True
            else:
                msg = ('Failed to remove rule from security group {0} with id {1}.'
                       .format(group.name, group.id))
                log.error(msg)
                return False
        except boto.exception.EC2ResponseError as e:
            msg = ('Failed to remove rule from security group {0} with id {1}.'
                   .format(group.name, group.id))
            log.error(msg)
            log.error(e)
            return False
    else:
        log.error('Failed to remove rule from security group.')
        return False


def _find_vpcs(vpc_id=None, vpc_name=None, cidr=None, tags=None,
               region=None, key=None, keyid=None, profile=None):
    '''
    Given VPC properties, find and return matching VPC ids.
    Borrowed from boto_vpc; these could be refactored into a common library
    '''
    if all((vpc_id, vpc_name)):
        raise SaltInvocationError('Only one of vpc_name or vpc_id may be '
                                  'provided.')

    if not any((vpc_id, vpc_name, tags, cidr)):
        raise SaltInvocationError('At least one of the following must be '
                                  'provided: vpc_id, vpc_name, cidr or tags.')

    local_get_conn = __utils__['boto.get_connection_func']('vpc')
    conn = local_get_conn(region=region, key=key, keyid=keyid, profile=profile)
    filter_parameters = {'filters': {}}

    if vpc_id:
        filter_parameters['vpc_ids'] = [vpc_id]

    if cidr:
        filter_parameters['filters']['cidr'] = cidr

    if vpc_name:
        filter_parameters['filters']['tag:Name'] = vpc_name

    if tags:
        for tag_name, tag_value in six.iteritems(tags):
            filter_parameters['filters']['tag:{0}'.format(tag_name)] = tag_value

    vpcs = conn.get_all_vpcs(**filter_parameters)
    log.debug('The filters criteria %s matched the following VPCs:%s',
              filter_parameters, vpcs)

    if vpcs:
        return [vpc.id for vpc in vpcs]
    else:
        return []


def set_tags(tags,
             name=None,
             group_id=None,
             vpc_name=None,
             vpc_id=None,
             region=None,
             key=None,
             keyid=None,
             profile=None):
    '''
    sets tags on a security group

    .. versionadded:: 2016.3.0

    tags
        a dict of key:value pair of tags to set on the security group

    name
        the name of the security group

    group_id
        the group id of the security group (in lie of a name/vpc combo)

    vpc_name
        the name of the vpc to search the named group for

    vpc_id
        the id of the vpc, in lieu of the vpc_name

    region
        the amazon region

    key
        amazon key

    keyid
        amazon keyid

    profile
        amazon profile

    CLI example:

    .. code-block:: bash

        salt myminion boto_secgroup.set_tags "{'TAG1': 'Value1', 'TAG2': 'Value2'}" security_group_name vpc_id=vpc-13435 profile=my_aws_profile
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    secgrp = _get_group(conn, name=name, vpc_id=vpc_id, vpc_name=vpc_name,
                        group_id=group_id, region=region, key=key, keyid=keyid,
                        profile=profile)

    if secgrp:
        if isinstance(tags, dict):
            secgrp.add_tags(tags)
        else:
            msg = 'Tags must be a dict of tagname:tagvalue'
            raise SaltInvocationError(msg)
    else:
        msg = 'The security group could not be found'
        raise SaltInvocationError(msg)
    return True


def delete_tags(tags,
                name=None,
                group_id=None,
                vpc_name=None,
                vpc_id=None,
                region=None,
                key=None,
                keyid=None,
                profile=None):
    '''
    deletes tags from a security group

    .. versionadded:: 2016.3.0

    tags
        a list of tags to remove

    name
        the name of the security group

    group_id
        the group id of the security group (in lie of a name/vpc combo)

    vpc_name
        the name of the vpc to search the named group for

    vpc_id
        the id of the vpc, in lieu of the vpc_name

    region
        the amazon region

    key
        amazon key

    keyid
        amazon keyid

    profile
        amazon profile

    CLI example:

    .. code-block:: bash

        salt myminion boto_secgroup.delete_tags ['TAG_TO_DELETE1','TAG_TO_DELETE2'] security_group_name vpc_id=vpc-13435 profile=my_aws_profile
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    secgrp = _get_group(conn, name=name, vpc_id=vpc_id, vpc_name=vpc_name,
                        group_id=group_id, region=region, key=key, keyid=keyid,
                        profile=profile)
    if secgrp:
        if isinstance(tags, list):
            tags_to_remove = {}
            for tag in tags:
                tags_to_remove[tag] = None
            secgrp.remove_tags(tags_to_remove)
        else:
            msg = 'Tags must be a list of tagnames to remove from the security group'
            raise SaltInvocationError(msg)
    else:
        msg = 'The security group could not be found'
        raise SaltInvocationError(msg)
    return True