Class: Cumulus::SecurityGroups::Manager
Instance Method Summary
#diff, #diff_one, #filter_local, #list, #sync, #sync_one
Constructor Details
Returns a new instance of Manager.
# File 'lib/security/manager/Manager.rb', line 15
# Public: Build a manager backed by an EC2 client created from the shared
# Cumulus configuration (Configuration.instance.client). The superclass
# constructor is invoked with no arguments.
#
# NOTE(review): credentials/region are whatever the configuration supplies;
# nothing here validates them.
def initialize
  super()
  client_options = Configuration.instance.client
  @ec2 = Aws::EC2::Client.new(client_options)
end
Instance Method Details
#added_diff(local) ⇒ Object
# File 'lib/security/manager/Manager.rb', line 80
# Public: Describe a locally defined security group that has no AWS
# counterpart as an "added" diff.
#
# local - the local security group configuration (passed straight through).
#
# Returns whatever SecurityGroupDiff.added returns.
def added_diff(local)
  added = SecurityGroupDiff.added(local)
  added
end
#aws_resources ⇒ Object
Hash the AWS security groups by VPC and security group name.
# File 'lib/security/manager/Manager.rb', line 72
# Public: Hash the AWS security groups by vpc_group_name.
#
# Memoized in @aws_resources; the first call fetches the groups from
# SecurityGroups::security_groups. If two groups share a vpc_group_name the
# later one wins, exactly as Hash[] behaves.
#
# Returns a Hash of vpc_group_name => AWS security group.
def aws_resources
  @aws_resources ||= SecurityGroups::security_groups.each_with_object({}) do |sg, by_name|
    by_name[sg.vpc_group_name] = sg
  end
end
#create(local) ⇒ Object
# File 'lib/security/manager/Manager.rb', line 88
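# Public: Create a security group in AWS from a local configuration and bring
# its tags, inbound rules and outbound rules in line with that configuration.
#
# local - the local security group config. Its name is expected to look like
#         "<vpc>/<group>"; the part after the last "/" becomes the AWS group
#         name. Its vpc_id, description, tags, inbound and outbound are used.
#
# Egress handling: every new AWS group carries an implicit allow-all outbound
# rule. It is kept only when outbound_default_all_allowed is set in the
# Cumulus security configuration or the local config lists the allow-all
# rule itself; otherwise it is revoked so the group's egress is exactly what
# the configuration declares.
#
# Returns the result of update_outbound.
def create(local)
  result = @ec2.create_security_group({
    group_name: local.name.split("/").last,
    description: local.description,
    vpc_id: local.vpc_id,
  })
  security_group_id = result.group_id
  update_tags(security_group_id, local.tags, {})
  update_inbound(local.vpc_id, security_group_id, local.inbound, [])

  allow_all_rule = RuleConfig.allow_all
  # Rules are matched by their #hash value (assumed to be defined on
  # RuleConfig so that equal rules hash equally — verify).
  allow_all_rule_hash = allow_all_rule.hash
  # `||`, not `or`: `x = a or b` parses as `(x = a) or b`, so the previous
  # code assigned only the configuration flag and ignored a local config that
  # explicitly listed the allow-all rule, revoking it from the new group.
  allow_all_outbound = Configuration.instance.security.outbound_default_all_allowed ||
                       local.outbound.any? { |g| g.hash == allow_all_rule_hash }
  # Revoke the implicit allow-all egress rule unless it is wanted.
  outbound_remove = allow_all_outbound ? [] : [allow_all_rule]
  # Never re-add the allow-all rule: AWS already created it.
  outbound_add = local.outbound.reject { |g| g.hash == allow_all_rule_hash }
  update_outbound(local.vpc_id, security_group_id, outbound_add, outbound_remove)
end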
#diff_resource(local, aws) ⇒ Object
# File 'lib/security/manager/Manager.rb', line 84
# Public: Compute the differences between a local security group config and
# its AWS counterpart by delegating to the local config.
#
# local - the local config; must respond to #diff.
# aws   - the AWS security group handed to local#diff unchanged.
#
# Returns whatever local#diff returns.
def diff_resource(local, aws)
  differences = local.diff(aws)
  differences
end
#local_resources ⇒ Object
# File 'lib/security/manager/Manager.rb', line 67
# Public: Hash the locally defined security groups by name.
#
# Memoized in @local_resources; the first call loads the groups through
# Loader.groups. Duplicate names resolve to the last group loaded, as with
# Hash[].
#
# Returns a Hash of local group name => local group config.
def local_resources
  @local_resources ||= Loader.groups.each_with_object({}) do |local, by_name|
    by_name[local.name] = local
  end
end
#migrate ⇒ Object
Public: Migrate AWS Security Groups to Cumulus configuration.
# File 'lib/security/manager/Manager.rb', line 21
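# Public: Migrate AWS Security Groups to Cumulus configuration.
#
# Writes one "<group name>.json" per AWS security group under
# "#{@migration_root}/security-groups" (one subdirectory per "<vpc>/" prefix
# of the group name) and a subnets.json that defines the "all" subnet group
# as 0.0.0.0/0. Directories are created only when missing.
#
# @migration_root is assumed to be provided by the superclass — not visible
# in this file.
#
# Returns nil (the last expression is a puts).
def migrate
  groups_dir = "#{@migration_root}/security-groups"
  # Dir.exist? replaces Dir.exists?, which is deprecated and removed in
  # Ruby 3.2.
  Dir.mkdir(@migration_root) unless Dir.exist?(@migration_root)
  Dir.mkdir(groups_dir) unless Dir.exist?(groups_dir)

  # One subdirectory per VPC prefix. String#partition always returns three
  # elements, so the separator is tested instead of the array length; the
  # old `parts.length > 1` was always true and created a spurious directory
  # for any group name without a "/".
  vpc_dirs = aws_resources.keys.map do |name|
    prefix, separator, _group = name.partition("/")
    "#{groups_dir}/#{prefix}" unless separator.empty?
  end
  vpc_dirs.uniq.compact.each do |dir|
    Dir.mkdir(dir) unless Dir.exist?(dir)
  end

  aws_resources.each_value do |resource|
    puts "Processing #{resource.vpc_group_name}..."
    config = SecurityGroupConfig.new(resource.vpc_group_name, resource.vpc_id)
    config.populate!(resource)
    puts "Writing #{resource.vpc_group_name} configuration to file..."
    # config.name is interpolated into the output path unchanged; it derives
    # from the group name in the AWS account being migrated.
    File.open("#{groups_dir}/#{config.name}.json", "w") { |f| f.write(config.pretty_json) }
  end

  File.open("#{@migration_root}/subnets.json", "w") do |f|
    f.write(JSON.pretty_generate({ "all" => ["0.0.0.0/0"] }))
  end
  puts Colors.blue("IP addresses for inbound and outbound rules have been left as is in each individual security group, except in the case of 0.0.0.0/0.")
  puts Colors.blue("0.0.0.0/0 has been renamed to 'all' and is referenced as such in security group definitions.")
  puts Colors.blue("See subnets.json to see the definition of the 'all' subnet group.")
end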
#resource_name ⇒ Object
# File 'lib/security/manager/Manager.rb', line 63
# Public: Human-readable name of the resource type this manager handles.
#
# Returns the String "Security Group".
def resource_name
  name = "Security Group"
  name
end
#unmanaged_diff(aws) ⇒ Object
#update(local, diffs) ⇒ Object
# File 'lib/security/manager/Manager.rb', line 113
# Public: Apply a set of diffs to an existing AWS security group.
#
# local - the local config; only its vpc_id is used here.
# diffs - the SecurityGroupChange diffs to apply. Each diff exposes #type
#         and #aws (the AWS group, for its group_id), plus the added/removed
#         tags or rules for its type.
#
# If any diff is a DESCRIPTION change, a message is printed and nothing is
# applied. NOTE(review): that means tag, inbound and outbound diffs in the
# same call are skipped as well, not just the description — confirm this is
# intended. Diff types other than TAGS, INBOUND and OUTBOUND are ignored.
#
# Returns nil when a description change is present, otherwise diffs.
def update(local, diffs)
  if diffs.any? { |diff| diff.type == SecurityGroupChange::DESCRIPTION }
    puts "\tUnfortunately, AWS's SDK does not allow updating the description."
    return
  end

  diffs.each do |diff|
    case diff.type
    when SecurityGroupChange::TAGS
      update_tags(diff.aws.group_id, diff.tags_to_add, diff.tags_to_remove)
    when SecurityGroupChange::INBOUND
      update_inbound(local.vpc_id, diff.aws.group_id, diff.added_inbounds, diff.removed_inbounds)
    when SecurityGroupChange::OUTBOUND
      update_outbound(local.vpc_id, diff.aws.group_id, diff.added_outbounds, diff.removed_outbounds)
    end
  end
end