modules/mu/providers/aws/firewall_rule.rb in cloud-mu-3.4.0 vs modules/mu/providers/aws/firewall_rule.rb in cloud-mu-3.5.0
- old
+ new
@@ -50,44 +50,44 @@
end
begin
MU.log "Creating EC2 Security Group #{groupname}", details: sg_struct
- secgroup = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_security_group(sg_struct)
+ secgroup = MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).create_security_group(sg_struct)
@cloud_id = secgroup.group_id
rescue Aws::EC2::Errors::InvalidGroupDuplicate
MU.log "EC2 Security Group #{groupname} already exists, using it", MU::NOTICE
filters = [{name: "group-name", values: [groupname]}]
filters << {name: "vpc-id", values: [vpc_id]} if !vpc_id.nil?
- secgroup = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_security_groups(filters: filters).security_groups.first
+ secgroup = MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).describe_security_groups(filters: filters).security_groups.first
if secgroup.nil?
raise MuError, "Failed to locate security group named #{groupname}, even though EC2 says it already exists", caller
end
@cloud_id = secgroup.group_id
end
begin
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_security_groups(group_ids: [secgroup.group_id])
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).describe_security_groups(group_ids: [secgroup.group_id])
rescue Aws::EC2::Errors::InvalidGroupNotFound
MU.log "#{secgroup.group_id} not yet ready, waiting...", MU::NOTICE
sleep 10
retry
end
- MU::Cloud::AWS.createStandardTags(secgroup.group_id, region: @config['region'], credentials: @config['credentials'])
- MU::Cloud::AWS.createTag(secgroup.group_id, "Name", groupname, region: @config['region'], credentials: @config['credentials'])
+ MU::Cloud::AWS.createStandardTags(secgroup.group_id, region: @region, credentials: @credentials)
+ MU::Cloud::AWS.createTag(secgroup.group_id, "Name", groupname, region: @region, credentials: @credentials)
if @config['optional_tags']
MU::MommaCat.listOptionalTags.each { |key, value|
- MU::Cloud::AWS.createTag(secgroup.group_id, key, value, region: @config['region'], credentials: @config['credentials'])
+ MU::Cloud::AWS.createTag(secgroup.group_id, key, value, region: @region, credentials: @credentials)
}
end
if @config['tags']
@config['tags'].each { |tag|
- MU::Cloud::AWS.createTag(secgroup.group_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
+ MU::Cloud::AWS.createTag(secgroup.group_id, tag['key'], tag['value'], region: @region, credentials: @credentials)
}
end
egress = false
egress = true if !vpc_id.nil?
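Review bot: The readiness check in the second `begin` block retries `describe_security_groups` forever on `InvalidGroupNotFound`, sleeping 10s per attempt with no upper bound, while this same file bounds the equivalent wait elsewhere with `MU.retrier([Aws::EC2::Errors::InvalidGroupNotFound], max: 10, wait: 10)`; if the group never becomes visible (deleted out from under us, or a region/credential mismatch between the create and describe calls) the deployment hangs instead of failing. Replacing the block with `MU.retrier([Aws::EC2::Errors::InvalidGroupNotFound], max: 10, wait: 10) { MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).describe_security_groups(group_ids: [secgroup.group_id]) }` bounds it; the per-attempt `MU.log` would be lost unless `MU.retrier` logs retries itself. Separately, the duplicate-group lookup filters only on `group-name` when `vpc_id` is nil and takes `.first`, so if more than one group of that name is visible the choice is arbitrary; a comment stating that exactly one match is expected on that path would help. The enclosing method starts and ends outside the hunk.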
@@ -121,11 +121,11 @@
end
# Log metadata about this ruleset to the currently running deployment
def notify
sg_data = MU.structToHash(
- MU::Cloud::FirewallRule.find(cloud_id: @cloud_id, region: @config['region'])
+ MU::Cloud::FirewallRule.find(cloud_id: @cloud_id, region: @region)
)
sg_data["group_id"] = @cloud_id
sg_data["cloud_id"] = @cloud_id
return sg_data
end
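Review bot: `notify` now passes `region: @region` to `MU::Cloud::FirewallRule.find` but not `credentials: @credentials`, even though the rest of this commit threads both through together (the `Ref.get` call in the `firewall_rules` hunk gets `region:` and `credentials:`). If `find` falls back to the default credential set when none is given, a group created under non-default credentials will not be found and `MU.structToHash` receives nil. Suggested line: `MU::Cloud::FirewallRule.find(cloud_id: @cloud_id, region: @region, credentials: @credentials)`. Whether `find` accepts `credentials:` is not visible here, though `def self.find(**args)` in a later hunk takes arbitrary keywords, so it likely does.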
@@ -149,12 +149,15 @@
if sgs.size > 0
rule["firewall_rules"] ||= []
rule["firewall_rules"].concat(sgs.map { |s|
MU::Config::Ref.get(
id: s,
+ region: @region,
+ credentials: @credentials,
cloud: "AWS",
- type: "firewall_rule"
+ type: "firewall_rule",
+ dummy_ok: true
)
})
end
hosts = hosts - sgs
rule["hosts"] = hosts if hosts.size > 0
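Review bot: `dummy_ok: true` is added to the `MU::Config::Ref.get` call with no explanation of why a placeholder reference is acceptable here, so a reader cannot tell whether the referenced security group is expected not to exist yet or whether the flag merely hides a failed lookup. A one-line comment above the call would settle it, e.g. `# dummy_ok: sibling groups may not exist yet; they are resolved during the groom phase`, assuming that is the actual reason — the `my_phase: "groom"` dependency change later in this commit suggests so, but this hunk does not show it. The enclosing method starts and ends outside the hunk.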
@@ -167,32 +170,32 @@
end
ec2_rule = convertToEc2([rule])
begin
if egress
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).authorize_security_group_egress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).authorize_security_group_egress(
group_id: @cloud_id,
ip_permissions: ec2_rule
)
else
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).authorize_security_group_ingress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).authorize_security_group_ingress(
group_id: @cloud_id,
ip_permissions: ec2_rule
)
end
rescue Aws::EC2::Errors::InvalidPermissionDuplicate
MU.log "Attempt to add duplicate rule to #{@cloud_id}", MU::DEBUG, details: ec2_rule
# Ensure that, at least, the description field gets updated on
# existing rules
if comment
if egress
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).update_security_group_rule_descriptions_egress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).update_security_group_rule_descriptions_egress(
group_id: @cloud_id,
ip_permissions: ec2_rule
)
else
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).update_security_group_rule_descriptions_ingress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).update_security_group_rule_descriptions_ingress(
group_id: @cloud_id,
ip_permissions: ec2_rule
)
end
end
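Review bot: The same client expression `MU::Cloud::AWS.ec2(region: @region, credentials: @credentials)` is now spelled out four times in this one `begin`/`rescue`, which is the kind of repetition that makes the next region/credential refactor as noisy as this one. Hoisting it once before the `begin`, `ec2 = MU::Cloud::AWS.ec2(region: @region, credentials: @credentials)`, and calling `ec2.authorize_security_group_egress(...)` etc. keeps the four branches to their real difference (egress vs ingress, authorize vs update-description). The description-update calls inside the rescue are not themselves guarded, so if the SDK rejects one of them the original duplicate-rule condition is masked by a different error; whether that matters depends on callers outside the hunk. The enclosing method starts and ends outside the hunk.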
@@ -200,11 +203,11 @@
end
# Canonical Amazon Resource Number for this resource
# @return [String]
def arn
- "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":ec2:"+@config['region']+":"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":security-group/"+@cloud_id
+ "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":ec2:"+@region+":"+MU::Cloud::AWS.credToAcct(@credentials)+":security-group/"+@cloud_id
end
# Locate an existing security group or groups and return an array containing matching AWS resource descriptors for those that match.
# @return [Array<Hash<String,OpenStruct>>]: The cloud provider's complete descriptions of matching FirewallRules
def self.find(**args)
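Review bot: The new `arn` body still assembles the string with `+`, so if `@cloud_id` (or `@region`) is nil — i.e. before the group has been created — it raises a bare `TypeError` ("no implicit conversion of nil into String") with nothing pointing at the cause. Suggested rewrite: `raise MuError, "arn called on #{@mu_name} before it has a cloud_id" if @cloud_id.nil?`, then `partition = MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws"`, then `"arn:#{partition}:ec2:#{@region}:#{MU::Cloud::AWS.credToAcct(@credentials)}:security-group/#{@cloud_id}"`. Only the GovCloud partition is special-cased; if this code is ever pointed at a China region the `aws-cn` partition would be wrong, which may be out of scope but deserves a comment on the `partition` line.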
@@ -246,13 +249,13 @@
# We assume that any values we have in +@config+ are placeholders, and
# calculate our own accordingly based on what's live in the cloud.
def toKitten(**_args)
bok = {
"cloud" => "AWS",
- "credentials" => @config['credentials'],
+ "credentials" => @credentials,
"cloud_id" => @cloud_id,
- "region" => @config['region']
+ "region" => @region
}
if !cloud_desc
MU.log "toKitten failed to load a cloud_desc from #{@cloud_id}", MU::ERR, details: @config
return nil
@@ -647,19 +650,19 @@
end
if rule['firewall_rules']
rule['firewall_rules'].each { |sg|
if sg['name'] and !sg['deploy_id']
- MU::Config.addDependency(acl, sg['name'], "firewall_rule", no_create_wait: true)
+ MU::Config.addDependency(acl, sg['name'], "firewall_rule", my_phase: "groom")
end
}
end
if rule['loadbalancers']
rule['loadbalancers'].each { |lb|
if lb['name'] and !lb['deploy_id']
- MU::Config.addDependency(acl, lb['name'], "loadbalancer", phase: "groom")
+ MU::Config.addDependency(acl, lb['name'], "loadbalancer", their_phase: "groom")
end
}
end
}
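Review bot: The two `MU::Config.addDependency` calls now use different keywords — `my_phase: "groom"` for `firewall_rules` but `their_phase: "groom"` for `loadbalancers` — and nothing in the hunk says why one defers this rule's own groom phase while the other waits on the load balancer's. If that asymmetry is deliberate, a comment on each call would keep a later edit from "fixing" it, e.g. `# a referenced group need only exist by the time this rule is groomed` above the first and `# the LB's security group is only attached during its groom phase` above the second, adjusted to whatever the real reason is. Minor style: `sg['name'] and !sg['deploy_id']` uses `and` in a condition where `&&` is the conventional form. The enclosing block starts outside the hunk.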
@@ -729,11 +732,11 @@
if ext_rule[k].nil? or ext_rule[k] == []
ext_rule.delete(k)
end
}
MU.log "Removing unconfigured rule in #{@mu_name}", MU::WARN, details: ext_rule
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).revoke_security_group_ingress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).revoke_security_group_ingress(
group_id: @cloud_id,
ip_permissions: [ext_rule]
)
end
}
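Review bot: The `revoke_security_group_ingress` call that removes an unconfigured rule has no rescue, whereas the equivalent revoke in a later hunk of this file is wrapped in `rescue Aws::EC2::Errors::InvalidPermissionNotFound`; if the rule is already gone (a concurrent groom, or an earlier iteration of this loop whose `ext_rule` overlapped it) the whole cleanup aborts with a raw SDK exception. Wrapping the call in `begin ... rescue Aws::EC2::Errors::InvalidPermissionNotFound` with a `MU.log` at `MU::DEBUG` in the rescue would make the two paths consistent and leave a trace. Only ingress rules are revoked here; whether egress rules are cleaned up elsewhere cannot be seen from this hunk. The enclosing loop starts outside the hunk.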
@@ -795,19 +798,19 @@
MU.retrier([Aws::EC2::Errors::InvalidGroupNotFound], max: 10, wait: 10, ignoreme: [Aws::EC2::Errors::InvalidPermissionDuplicate]) {
if ingress
if haverule
begin
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).revoke_security_group_ingress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).revoke_security_group_ingress(
group_id: @cloud_id,
ip_permissions: [haverule]
)
rescue Aws::EC2::Errors::InvalidPermissionNotFound
end
end
begin
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).authorize_security_group_ingress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).authorize_security_group_ingress(
group_id: @cloud_id,
ip_permissions: [rule]
)
rescue Aws::EC2::Errors::InvalidParameterCombination => e
MU.log "FirewallRule #{@mu_name} had a bogus rule: #{e.message}", MU::ERR, details: rule
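Review bot: The `rescue Aws::EC2::Errors::InvalidPermissionNotFound` after the ingress revoke has an empty body, which reads as a swallowed error rather than the intended "nothing to revoke" case; the egress branch in the next hunk has the same empty rescue. A one-line comment inside it, `# rule already absent; nothing to revoke`, or a `MU.log "#{@mu_name}: nothing to revoke", MU::DEBUG, details: haverule`, makes the intent explicit and leaves a trace when groom behaves unexpectedly. Since the whole sequence runs inside `MU.retrier` with `ignoreme: [Aws::EC2::Errors::InvalidPermissionDuplicate]`, a retry after a successful revoke re-runs the revoke, which this rescue already tolerates; worth stating in the same comment. The `MU.retrier` block starts in this hunk and ends outside it.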
@@ -816,17 +819,17 @@
end
if egress
if haverule
begin
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).revoke_security_group_egress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).revoke_security_group_egress(
group_id: @cloud_id,
ip_permissions: [haverule]
)
rescue Aws::EC2::Errors::InvalidPermissionNotFound
end
end
- MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).authorize_security_group_egress(
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).authorize_security_group_egress(
group_id: @cloud_id,
ip_permissions: [rule]
)
end
}
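Review bot: `authorize_security_group_egress` at the end of the egress branch has no `rescue Aws::EC2::Errors::InvalidParameterCombination`, unlike `authorize_security_group_ingress` in the preceding hunk, which logs the offending rule via `MU.log "FirewallRule #{@mu_name} had a bogus rule: ..."`; a malformed egress rule therefore escapes the `MU.retrier` block as a raw SDK exception with no indication of which rule caused it. Wrapping the call the same way — `rescue Aws::EC2::Errors::InvalidParameterCombination => e` followed by `MU.log "FirewallRule #{@mu_name} had a bogus egress rule: #{e.message}", MU::ERR, details: rule` — makes the two branches behave alike. What the ingress rescue does after logging (re-raise or continue) lies outside the hunk, so the egress version should match whatever that is.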