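 /**
  * Edit page
  *
  * Renders the RDS cluster edit form. When a VPC id is supplied, every VPC
  * security group attached to the cluster is resolved to its group name so
  * the UI can show names instead of bare ids.
  *
  * @param string $cloudLocation                AWS region
  * @param string $dBClusterIdentifier optional DB Cluster identifier
  * @param string $vpcId                        Vpc id
  */
 public function editAction($cloudLocation, $dBClusterIdentifier = null, $vpcId = null)
 {
     $this->request->restrictAccess(Acl::RESOURCE_AWS_RDS, Acl::PERM_AWS_RDS_MANAGE);

     $aws = $this->getAwsClient($cloudLocation);

     $dbCluster = $aws->rds->dbCluster->describe($dBClusterIdentifier)->get(0)->toArray(true);

     // Security groups of the VPC, used only to look up display names.
     // An empty list (rather than null) keeps the lookup loop below valid when no VPC id is given.
     $vpcSglist = [];

     if (!empty($vpcId)) {
         $filter = [['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId]];
         $vpcSglist = $aws->ec2->securityGroup->describe(null, null, $filter);
     }

     if (!isset($dbCluster['VpcSecurityGroups'])) {
         $dbCluster['VpcSecurityGroups'] = [];
     }

     // Rewrite each entry in place by key instead of by reference, so no dangling
     // reference to the last element survives the loop.
     foreach ($dbCluster['VpcSecurityGroups'] as $key => $vpcSg) {
         $vpcSecurityGroupName = null;

         foreach ($vpcSglist as $vpcSqData) {
             /* @var $vpcSqData \Scalr\Service\Aws\Ec2\DataType\SecurityGroupData */
             if ($vpcSqData->groupId == $vpcSg['VpcSecurityGroupId']) {
                 $vpcSecurityGroupName = $vpcSqData->groupName;
                 break;
             }
         }

         $dbCluster['VpcSecurityGroups'][$key] = [
             'vpcSecurityGroupId'   => $vpcSg['VpcSecurityGroupId'],
             'vpcSecurityGroupName' => $vpcSecurityGroupName,
         ];
     }

     $dbCluster['VpcId'] = !empty($vpcId) ? $vpcId : null;

     $this->response->page(
         ['ui/tools/aws/rds/clusters/edit.js', 'ui/security/groups/sgeditor.js'],
         [
             'locations'     => self::loadController('Platforms')->getCloudLocations(SERVER_PLATFORMS::EC2, false),
             'cluster'       => $dbCluster,
             'accountId'     => $this->environment->cloudCredentials(SERVER_PLATFORMS::EC2)->properties[Entity\CloudCredentialsProperty::AWS_ACCOUNT_ID],
             'remoteAddress' => $this->request->getRemoteAddr(),
         ]
     );
 }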
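 /**
  * Functional round-trip of the EC2 VPC client against a live account.
  *
  * Cleans up leftovers tagged with the test name from earlier runs, then creates a VPC,
  * a VPC security group, a subnet, a network interface, an internet gateway, a route table
  * and a route, launches one instance into the subnet, and tears everything down again.
  * Every step talks to AWS and waits with sleep(), so the test is slow and is skipped
  * when the EC2 platform is disabled.
  *
  * @test
  * @depends testFunctionalEc2
  */
 public function testFunctionalVpc()
 {
     $this->skipIfEc2PlatformDisabled();
     $aws = $this->getContainer()->aws(AwsTestCase::REGION);
     // Entity manager keeps one object per AWS resource; the describeAttribute identity check below relies on it.
     $aws->ec2->enableEntityManager();
     $nameTag = new ResourceTagSetData(self::TAG_NAME_KEY, self::getTestName(self::NAME_TAG_VALUE));
     $ret = $aws->ec2->describeAccountAttributes(array('supported-platforms', 'default-vpc'));
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\AccountAttributeSetList'), $ret);
     unset($ret);
     //Removes previously created route tables if they exist.
     $rtList = $aws->ec2->routeTable->describe(null, array(array('name' => RouteTableFilterNameType::tagName(), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\RouteTableList'), $rtList);
     foreach ($rtList as $rt) {
         /* @var $rt RouteTableData */
         foreach ($rt->routeSet as $route) {
             /* @var $route RouteData */
             try {
                 $route->delete();
             } catch (ClientException $e) {
                 //Best-effort cleanup: the local route cannot be deleted and is left to the table deletion.
             }
         }
         foreach ($rt->associationSet as $rtassoc) {
             try {
                 $rtassoc->disassociate();
             } catch (ClientException $e) {
                 //Best-effort cleanup: the main association cannot be disassociated.
             }
         }
         $rt->delete();
     }
     unset($rtList);
     //Removes previously created Network Interfaces if they have not been removed during past test executions.
     $eniList = $aws->ec2->networkInterface->describe(null, array(array('name' => NetworkInterfaceFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\NetworkInterfaceList'), $eniList);
     foreach ($eniList as $v) {
         $v->delete();
     }
     unset($eniList);
     $subnetList = $aws->ec2->subnet->describe(null, array(array('name' => SubnetFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\SubnetList'), $subnetList);
     foreach ($subnetList as $subnet) {
         /* @var $subnet SubnetData */
         $subnet->delete();
     }
     unset($subnetList);
     //Removes previously created Internet Gateways which have not been removed during previous test run.
     $igwList = $aws->ec2->internetGateway->describe(null, array(array('name' => InternetGatewayFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\InternetGatewayList'), $igwList);
     foreach ($igwList as $igw) {
         /* @var $igw InternetGatewayData */
         if (count($igw->attachmentSet)) {
             //Detaches previously attached VPC; a gateway cannot be deleted while attached.
             $igw->attachmentSet->get(0)->detach();
             for ($t = time(); time() - $t < 100 && !empty($igw->attachmentSet[0]) && $igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_DETACHING; sleep(3)) {
                 $igw = $igw->refresh();
             }
         }
         //Deletes previously created internet gateways
         $igw->delete();
     }
     unset($igwList);
     //We should be assured that group which is used for the test does not exist
     $list = $aws->ec2->securityGroup->describe(null, null, new SecurityGroupFilterData(SecurityGroupFilterNameType::groupName(), self::getTestName(self::NAME_SECURITY_GROUP_VPC)));
     if (count($list) > 0) {
         foreach ($list as $v) {
             $v->delete();
         }
     }
     unset($list);
     //Describes VPC
     $vpcList = $aws->ec2->vpc->describe(null, array(array('name' => VpcFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\VpcList'), $vpcList);
     //We should remove VPC which has not been removed for some reason.
     foreach ($vpcList as $vpc) {
         $vpc->delete();
         unset($vpc);
     }
     unset($vpcList);
     //Creates VPC
     $vpc = $aws->ec2->vpc->create('10.0.0.0/16');
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\VpcData'), $vpc);
     // Polls up to 600 seconds for the VPC to become available.
     for ($t = time(); time() - $t < 600 && $vpc->state !== VpcData::STATE_AVAILABLE;) {
         sleep(5);
         $vpc = $vpc->refresh();
     }
     $this->assertTrue($vpc->state == VpcData::STATE_AVAILABLE);
     $ret = $vpc->createTags($nameTag);
     $this->assertTrue($ret);
     //Creates a VPC Security group
     $securityGroupId = $aws->ec2->securityGroup->create(self::getTestName(self::NAME_SECURITY_GROUP_VPC), self::getTestName(self::NAME_SECURITY_GROUP_VPC) . ' description', $vpc->vpcId);
     $this->assertNotEmpty($securityGroupId);
     sleep(2);
     $sg = $aws->ec2->securityGroup->describe(null, $securityGroupId)->get(0);
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\SecurityGroupData'), $sg);
     //Authorizes security group Egress
     //Example, how to construct the list with arrays (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges)
     $ipperm3array = array(array('ipProtocol' => 'tcp', 'fromPort' => 80, 'toPort' => 80, 'ipRanges' => array(array('cidrIp' => '192.0.2.0/24'), array('cidrIp' => '198.51.100.0/24'))));
     $ipperm3 = new IpPermissionList($ipperm3array);
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\IpPermissionData'), $ipperm3->get(0));
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\IpRangeList'), $ipperm3->get(0)->ipRanges);
     $this->assertEquals(2, $ipperm3->get(0)->ipRanges->count());
     $this->assertEquals('192.0.2.0/24', $ipperm3->get(0)->ipRanges->get(0)->cidrIp);
     $this->assertEquals('198.51.100.0/24', $ipperm3->get(0)->ipRanges->get(1)->cidrIp);
     //The same can be produced in another way
     $ipperm4 = new IpPermissionList(new IpPermissionData('tcp', 80, 80, array(new IpRangeData('192.0.2.0/24'), new IpRangeData('198.51.100.0/24'))));
     //Checks the equality
     $this->assertEquals($ipperm3->toArray(), $ipperm4->toArray());
     //Authorizes IP Permission Egress
     $ret = $sg->authorizeEgress($ipperm3);
     $this->assertTrue($ret);
     sleep(1);
     //Checks if specified IP Permission is successfully set
     $sg->refresh();
     $this->assertContains('192.0.2.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());
     //Revokes IP Permission Egress
     //You may pass an array directly to the method
     $ret = $sg->revokeEgress($ipperm3array);
     $this->assertTrue($ret);
     sleep(3);
     $sg->refresh();
     //Checks if IP Permission is successfully revoked.
     $this->assertNotContains('192.0.2.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());
     $this->assertNotContains('198.51.100.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());
     //Creates subnet for the networkInterface
     $subnet = $aws->ec2->subnet->create($vpc->vpcId, '10.0.0.0/16');
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\SubnetData'), $subnet);
     for ($t = time(); time() - $t < 600 && $subnet->state !== SubnetData::STATE_AVAILABLE;) {
         sleep(5);
         $subnet = $subnet->refresh();
     }
     $this->assertTrue($subnet->state == SubnetData::STATE_AVAILABLE);
     $ret = $subnet->createTags($nameTag);
     $this->assertTrue($ret);
     //Creates network interface
     $eni = $aws->ec2->networkInterface->create($subnet->subnetId);
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\NetworkInterfaceData'), $eni);
     sleep(4);
     $ret = $eni->createTags($nameTag);
     $this->assertTrue($ret);
     //DescribeAttribute test
     foreach (NetworkInterfaceAttributeType::getAllowedValues() as $attr) {
         $expected = $eni->{$attr};
         $v = $eni->describeAttribute($attr);
         $this->assertEquals($expected, $v);
         if (is_object($v)) {
             //It's true only if entityManager is enabled
             $this->assertSame($eni->{$attr}, $v);
         }
     }
     //ModifyAttribute test
     $ret = $eni->modifyAttribute(NetworkInterfaceAttributeType::sourceDestCheck(), true);
     $this->assertTrue($ret);
     //ResetAttribute test
     $ret = $eni->resetAttribute(NetworkInterfaceAttributeType::sourceDestCheck());
     $this->assertTrue($ret);
     //Creates Internet Gateway
     $igw = $aws->ec2->internetGateway->create();
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\InternetGatewayData'), $igw);
     $this->assertNotEmpty($igw->internetGatewayId);
     sleep(4);
     $igw->createTags($nameTag);
     //Attaches Internet Gateway to VPC
     $ret = $igw->attach($vpc->vpcId);
     $this->assertTrue($ret);
     $t = time();
     do {
         sleep(3);
         $igw = $igw->refresh();
         //Verifies that external index for attachmentSet is set properly.
         $this->assertEquals($igw->internetGatewayId, $igw->attachmentSet[0]->getInternetGatewayId());
     } while (time() - $t < 100 && $igw->attachmentSet[0]->state != InternetGatewayAttachmentData::STATE_ATTACHED);
     // NOTE(review): the loop above waits for STATE_ATTACHED while this assertion expects STATE_AVAILABLE;
     // confirm which value the SDK reports for an attached gateway, otherwise the loop only ends by timeout.
     $this->assertTrue($igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_AVAILABLE);
     //Detaches Internet Gateway from VPC
     $ret = $igw->detach($vpc->vpcId);
     $this->assertTrue($ret);
     for ($t = time(); time() - $t < 100 && count($igw->attachmentSet) && $igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_DETACHING; sleep(3)) {
         $igw = $igw->refresh();
     }
     // After the detachment completes the attachment set may be empty (the loop condition above
     // already allows for that), so index 0 is only dereferenced when an attachment is still reported.
     $this->assertTrue(
         count($igw->attachmentSet) == 0
         || $igw->attachmentSet[0]->state !== InternetGatewayAttachmentData::STATE_DETACHING
     );
     //Creates RouteTable
     $rt = $vpc->createRouteTable();
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\RouteTableData'), $rt);
     $this->assertNotEmpty($rt->routeTableId);
     $this->assertEquals($vpc->vpcId, $rt->vpcId);
     sleep(5);
     $ret = $rt->createTags($nameTag);
     $this->assertTrue($ret);
     //Associates route table with the subnet
     $associationId = $rt->associate($subnet->subnetId);
     $this->assertNotEmpty($associationId);
     $rt = $rt->refresh();
     $this->assertTrue(count($rt->associationSet) > 0);
     $c = array();
     foreach ($rt->associationSet as $rtassoc) {
         /* @var $rtassoc RouteTableAssociationData */
         $c[] = $rtassoc->routeTableAssociationId;
     }
     $this->assertContains($associationId, $c);
     //Adds Route to Route Table
     $destinationCidrBlock = '0.0.0.0/0';
     $ret = $rt->createRoute($destinationCidrBlock, null, null, $eni->networkInterfaceId);
     $this->assertTrue($ret);
     $rt = $rt->refresh();
     $this->assertTrue(count($rt->routeSet) > 0);
     $c = array();
     foreach ($rt->routeSet as $route) {
         /* @var $route RouteData */
         $c[$route->destinationCidrBlock] = $route;
         unset($route);
     }
     $this->assertArrayHasKey($destinationCidrBlock, $c);
     $route = $c[$destinationCidrBlock];
     //Deletes Route
     $ret = $route->delete();
     $this->assertTrue($ret);
     unset($route);
     $rt = $rt->refresh();
     //Disassociates route table from the subnet
     foreach ($rt->associationSet as $rtassoc) {
         if ($rtassoc->routeTableAssociationId == $associationId) {
             $ret = $rtassoc->disassociate();
             $this->assertTrue($ret);
         }
     }
     //RunInstance test
     $request = new RunInstancesRequestData(self::INSTANCE_IMAGE_ID, 1, 1);
     $request->instanceType = self::INSTANCE_TYPE;
     //Placement groups may not be used with instances of type 'm1.small'.
     $request->setPlacement(new PlacementResponseData($subnet->availabilityZone));
     $request->setMonitoring(true);
     // test Associate Public Ip
     $instanceList = new Ec2\DataType\InstanceNetworkInterfaceSetRequestList();
     $instanceData = new Ec2\DataType\InstanceNetworkInterfaceSetRequestData();
     $instanceData->deviceIndex = 0;
     $instanceData->associatePublicIpAddress = true;
     $instanceData->subnetId = $subnet->subnetId;
     $instanceList->append($instanceData);
     $request->setNetworkInterface($instanceList);
     $request->userData = base64_encode("test=26;");
     $rd = $aws->ec2->instance->run($request);
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\ReservationData'), $rd);
     sleep(60);
     //Terminates the instance
     $ind = $rd->instancesSet[0];
     $st = $ind->terminate();
     $this->assertInstanceOf($this->getEc2ClassName('DataType\\InstanceStateChangeList'), $st);
     $this->assertEquals(1, count($st));
     $this->assertEquals($rd->instancesSet[0]->instanceId, $st[0]->getInstanceId());
     // refresh() may return null once the instance is gone, hence the $ind guards here and below.
     for ($t = time(); time() - $t < 200 && $ind && $ind->instanceState->name != InstanceStateData::NAME_TERMINATED; sleep(5)) {
         $ind = $ind->refresh();
     }
     $this->assertTrue(!$ind || $ind->instanceState->name == InstanceStateData::NAME_TERMINATED);
     if (isset($ind)) {
         unset($ind);
     }
     //Removes Route Table
     $ret = $rt->delete();
     $this->assertTrue($ret);
     //Removes Internet Gateway
     $ret = $igw->delete();
     $this->assertTrue($ret);
     //Removes Network Interface
     $ret = $eni->delete();
     $this->assertTrue($ret);
     //Removes Subnet
     $ret = $subnet->delete();
     $this->assertTrue($ret);
     //Removes security group
     $ret = $sg->delete();
     $this->assertTrue($ret);
     //Removes VPC
     $ret = $vpc->delete();
     $this->assertTrue($ret);
     $aws->ec2->getEntityManager()->detachAll();
 }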
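 /**
  * Gets the list of the security groups for the specified db server.
  *
  * If server does not have required security groups this method will create them.
  *
  * Group names come from three places: the governance policy (EUCALYPTUS_SECURITY_GROUPS),
  * the farm role setting SETTING_EUCA_SECURITY_GROUPS_LIST (entries starting with "sg-" are
  * taken as ids as-is, the rest as names), and the fixed "scalr-rb-system" group for servers
  * without a farm role. Names are then resolved to ids; the well-known Scalr groups are
  * created with their ingress rules when missing, any other missing name is an error.
  *
  * @param   DBServer               $DBServer The DB Server instance
  * @param   \Scalr\Service\Aws\Ec2 $ec2      Ec2 Client instance
  * @param   string                 $vpcId    optional The ID of VPC
  * @param   \Scalr_Governance      $governance optional Governance configuration
  * @return  array  Returns array looks like array(groupid-1, groupid-2, ..., groupid-N)
  * @throws  \Exception when a group cannot be listed, created, or is not found
  */
 private function GetServerSecurityGroupsList(DBServer $DBServer, \Scalr\Service\Aws\Ec2 $ec2, $vpcId = "", \Scalr_Governance $governance = null)
 {
     $retval = array();
     $checkGroups = array();
     $sgGovernance = true;
     $allowAdditionalSgs = true;
     // NOTE(review): the $vpcId argument is discarded here, so every lookup and create below
     // runs against the non-VPC (EC2-Classic style) groups. Presumably intentional for this
     // platform; confirm with callers before removing.
     $vpcId = null;
     if ($governance) {
         $sgs = $governance->getValue(\SERVER_PLATFORMS::EUCALYPTUS, \Scalr_Governance::EUCALYPTUS_SECURITY_GROUPS);
         if ($sgs !== null) {
             // explode() does not warn on string input, so no error suppression is needed.
             $governanceSecurityGroups = explode(",", $sgs);
             if (!empty($governanceSecurityGroups)) {
                 foreach ($governanceSecurityGroups as $sg) {
                     if ($sg != '') {
                         array_push($checkGroups, trim($sg));
                     }
                 }
             }
             $sgGovernance = false;
             $allowAdditionalSgs = $governance->getValue(\SERVER_PLATFORMS::EUCALYPTUS, \Scalr_Governance::EUCALYPTUS_SECURITY_GROUPS, 'allow_additional_sec_groups');
         }
     }
     if (!$sgGovernance || $allowAdditionalSgs) {
         if ($DBServer->farmRoleId != 0) {
             $dbFarmRole = $DBServer->GetFarmRoleObject();
             if ($dbFarmRole->GetSetting(DBFarmRole::SETTING_EUCA_SECURITY_GROUPS_LIST) !== null) {
                 // New SG management: the setting holds a JSON list of ids and/or names.
                 $sgs = json_decode($dbFarmRole->GetSetting(DBFarmRole::SETTING_EUCA_SECURITY_GROUPS_LIST));
                 if (!empty($sgs)) {
                     foreach ($sgs as $sg) {
                         if (stripos($sg, 'sg-') === 0) {
                             array_push($retval, $sg);
                         } else {
                             array_push($checkGroups, $sg);
                         }
                     }
                 }
             }
         } else {
             array_push($checkGroups, 'scalr-rb-system');
         }
     }
     // No name based security groups, return only SG ids.
     if (empty($checkGroups)) {
         return $retval;
     }
     // Filter groups
     $filter = array(array('name' => SecurityGroupFilterNameType::groupName(), 'value' => $checkGroups));
     // Get filtered list of SG required by scalr;
     try {
         $list = $ec2->securityGroup->describe(null, null, $filter);
         $sgList = array();
         foreach ($list as $sg) {
             /* @var $sg \Scalr\Service\Aws\Ec2\DataType\SecurityGroupData */
             // Keep only groups in the requested VPC, or non-VPC groups when no VPC is requested.
             if ($vpcId == '' && !$sg->vpcId || $vpcId && $sg->vpcId == $vpcId) {
                 $sgList[$sg->groupName] = $sg->groupId;
             }
         }
         unset($list);
     } catch (\Exception $e) {
         throw new \Exception("Cannot get list of security groups (1): {$e->getMessage()}");
     }
     foreach ($checkGroups as $groupName) {
         // Check default SG
         if ($groupName == 'default') {
             // The default group is never created here; a missing one is reported like any other unknown name.
             if (!isset($sgList[$groupName])) {
                 throw new \Exception(sprintf(_("Security group '%s' is not found"), $groupName));
             }
             array_push($retval, $sgList[$groupName]);
             // Check Roles builder SG
         } elseif ($groupName == 'scalr-rb-system') {
             if (!isset($sgList[$groupName])) {
                 try {
                     $securityGroupId = $ec2->securityGroup->create('scalr-rb-system', "Security group for Roles Builder", $vpcId);
                     $ipRangeList = new IpRangeList();
                     foreach (\Scalr::config('scalr.aws.ip_pool') as $ip) {
                         $ipRangeList->append(new IpRangeData($ip));
                     }
                     sleep(2);
                     // SSH and the Scalr agent port range are opened only to the configured Scalr IP pool.
                     $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 22, 22, $ipRangeList), new IpPermissionData('tcp', 8008, 8013, $ipRangeList)), $securityGroupId);
                     $sgList['scalr-rb-system'] = $securityGroupId;
                 } catch (\Exception $e) {
                     throw new \Exception(sprintf(_("Cannot create security group '%s': %s"), 'scalr-rb-system', $e->getMessage()));
                 }
             }
             array_push($retval, $sgList[$groupName]);
             //Check scalr-farm.* security group
         } elseif (stripos($groupName, 'scalr-farm.') === 0) {
             if (!isset($sgList[$groupName])) {
                 try {
                     $securityGroupId = $ec2->securityGroup->create($groupName, sprintf("Security group for FarmID N%s", $DBServer->farmId), $vpcId);
                     sleep(2);
                     // Farm-wide group: allows all tcp/udp traffic between members of the group itself.
                     $userIdGroupPairList = new UserIdGroupPairList(new UserIdGroupPairData($DBServer->GetEnvironmentObject()->getPlatformConfigValue(self::ACCOUNT_ID), null, $groupName));
                     $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 0, 65535, null, $userIdGroupPairList), new IpPermissionData('udp', 0, 65535, null, $userIdGroupPairList)), $securityGroupId);
                     $sgList[$groupName] = $securityGroupId;
                 } catch (\Exception $e) {
                     throw new \Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage()));
                 }
             }
             array_push($retval, $sgList[$groupName]);
             //Check scalr-role.* security group
         } elseif (stripos($groupName, 'scalr-role.') === 0) {
             if (!isset($sgList[$groupName])) {
                 try {
                     $securityGroupId = $ec2->securityGroup->create($groupName, sprintf("Security group for FarmRoleID N%s on FarmID N%s", $DBServer->GetFarmRoleObject()->ID, $DBServer->farmId), $vpcId);
                     sleep(2);
                     // DB rules, de-duplicated by a hash of the rule string
                     $dbRules = $DBServer->GetFarmRoleObject()->GetRoleObject()->getSecurityRules();
                     $groupRules = array();
                     foreach ($dbRules as $rule) {
                         $groupRules[\Scalr_Util_CryptoTool::hash($rule['rule'])] = $rule;
                     }
                     // Behavior rules
                     foreach (\Scalr_Role_Behavior::getListForFarmRole($DBServer->GetFarmRoleObject()) as $bObj) {
                         $bRules = $bObj->getSecurityRules();
                         foreach ($bRules as $r) {
                             if ($r) {
                                 $groupRules[\Scalr_Util_CryptoTool::hash($r)] = array('rule' => $r);
                             }
                         }
                     }
                     // Default rules: all tcp/udp traffic from members of the group itself.
                     $userIdGroupPairList = new UserIdGroupPairList(new UserIdGroupPairData($DBServer->GetEnvironmentObject()->getPlatformConfigValue(self::ACCOUNT_ID), null, $groupName));
                     $rules = array(new IpPermissionData('tcp', 0, 65535, null, $userIdGroupPairList), new IpPermissionData('udp', 0, 65535, null, $userIdGroupPairList));
                     foreach ($groupRules as $rule) {
                         // Rule strings are "protocol:fromPort:toPort:cidr"; reject anything shorter
                         // instead of passing undefined parts into the permission.
                         $group_rule = explode(":", $rule["rule"]);
                         if (count($group_rule) < 4) {
                             throw new \InvalidArgumentException(sprintf("Malformed security rule '%s'", $rule["rule"]));
                         }
                         $rules[] = new IpPermissionData($group_rule[0], $group_rule[1], $group_rule[2], new IpRangeData($group_rule[3]));
                     }
                     $ec2->securityGroup->authorizeIngress($rules, $securityGroupId);
                     $sgList[$groupName] = $securityGroupId;
                 } catch (\Exception $e) {
                     throw new \Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage()));
                 }
             }
             array_push($retval, $sgList[$groupName]);
         } elseif ($groupName == \Scalr::config('scalr.aws.security_group_name')) {
             if (!isset($sgList[$groupName])) {
                 try {
                     $securityGroupId = $ec2->securityGroup->create($groupName, "Security rules needed by Scalr", $vpcId);
                     $ipRangeList = new IpRangeList();
                     foreach (\Scalr::config('scalr.aws.ip_pool') as $ip) {
                         $ipRangeList->append(new IpRangeData($ip));
                     }
                     // TODO: Open only FOR VPC ranges
                     // The whole 10.0.0.0/8 range is added in addition to the Scalr IP pool.
                     $ipRangeList->append(new IpRangeData('10.0.0.0/8'));
                     sleep(2);
                     $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 3306, 3306, $ipRangeList), new IpPermissionData('tcp', 8008, 8013, $ipRangeList), new IpPermissionData('udp', 8014, 8014, $ipRangeList)), $securityGroupId);
                     $sgList[$groupName] = $securityGroupId;
                 } catch (\Exception $e) {
                     throw new \Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage()));
                 }
             }
             array_push($retval, $sgList[$groupName]);
         } else {
             if (!isset($sgList[$groupName])) {
                 throw new \Exception(sprintf(_("Security group '%s' is not found"), $groupName));
             } else {
                 array_push($retval, $sgList[$groupName]);
             }
         }
     }
     return $retval;
 }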
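 /**
  * Provisions the VPC router objects for a farm role when the farm is saved.
  *
  * Does nothing when the farm has no VPC id. Otherwise, unless the role is already
  * marked as configured, it finds or allocates the Scalr "full internet access" subnet,
  * creates the SCALR-VPC security group and a network interface in that subnet if the
  * role has none, allocates and associates a public IP with that interface, and finally
  * marks the role as configured.
  *
  * @param DBFarm     $dbFarm     The farm being saved
  * @param DBFarmRole $dbFarmRole The farm role to configure
  * @return bool|null true when the role was already configured, null otherwise
  * @throws Exception when the security group list cannot be retrieved
  */
 public function onFarmSave(DBFarm $dbFarm, DBFarmRole $dbFarmRole)
 {
     $vpcId = $dbFarm->GetSetting(DBFarm::SETTING_EC2_VPC_ID);
     if (!$vpcId) {
         //REMOVE VPC RELATED SETTINGS
         return;
     }
     if ($dbFarmRole->GetSetting(self::ROLE_VPC_ROUTER_CONFIGURED) == 1) {
         // ALL OBJECTS ALREADY CONFIGURED
         return true;
     }
     $aws = $dbFarm->GetEnvironmentObject()->aws($dbFarmRole->CloudLocation);
     $filter = array(array('name' => SubnetFilterNameType::vpcId(), 'value' => $vpcId), array('name' => SubnetFilterNameType::tagKey(), 'value' => 'scalr-sn-type'), array('name' => SubnetFilterNameType::tagValue(), 'value' => self::INTERNET_ACCESS_FULL));
     // Try to find scalr FULL subnet; initialised so the check below is defined when none is found.
     $subnetId = null;
     $subnets = $aws->ec2->subnet->describe(null, $filter);
     if ($subnets->count() > 0) {
         $subnetId = $subnets->get(0)->subnetId;
     }
     if (!$subnetId) {
         $platform = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2);
         $subnet = $platform->AllocateNewSubnet($aws->ec2, $vpcId, null);
         $subnetId = $subnet->subnetId;
         //ADD TAGS (best effort: a tagging failure must not abort the provisioning)
         try {
             $subnet->createTags(array(array('key' => "scalr-id", 'value' => SCALR_ID), array('key' => "scalr-sn-type", 'value' => self::INTERNET_ACCESS_FULL), array('key' => "Name", 'value' => 'Scalr System Subnet')));
         } catch (Exception $e) {
         }
         $routingTableId = $platform->getRoutingTable(self::INTERNET_ACCESS_FULL, $aws, null, $vpcId);
         //Associate Routing table with subnet
         $aws->ec2->routeTable->associate($routingTableId, $subnetId);
     }
     $niId = $dbFarmRole->GetSetting(self::ROLE_VPC_NID);
     if (!$niId) {
         //Create Network interface
         $createNetworkInterfaceRequestData = new CreateNetworkInterfaceRequestData($subnetId);
         // Check and create security group; $sgId stays null when no SCALR-VPC group exists in this VPC.
         $sgId = null;
         $filter = array(array('name' => SecurityGroupFilterNameType::groupName(), 'value' => array('SCALR-VPC')), array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId));
         try {
             $list = $aws->ec2->securityGroup->describe(null, null, $filter);
             if ($list->count() > 0 && $list->get(0)->groupName == 'SCALR-VPC') {
                 $sgId = $list->get(0)->groupId;
             }
         } catch (Exception $e) {
             throw new Exception("Cannot get list of security groups (1): {$e->getMessage()}");
         }
         if (!$sgId) {
             $sgId = $aws->ec2->securityGroup->create('SCALR-VPC', 'System SG for Scalr VPC integration', $vpcId);
             // Ports 80, 443 and 8008-8013 are opened to any source; all tcp/udp only to 10.0.0.0/8.
             $ipRangeList = new IpRangeList();
             $ipRangeList->append(new IpRangeData('0.0.0.0/0'));
             $ipRangeListLocal = new IpRangeList();
             $ipRangeListLocal->append(new IpRangeData('10.0.0.0/8'));
             $aws->ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 8008, 8013, $ipRangeList), new IpPermissionData('tcp', 80, 80, $ipRangeList), new IpPermissionData('tcp', 443, 443, $ipRangeList), new IpPermissionData('tcp', 0, 65535, $ipRangeListLocal), new IpPermissionData('udp', 0, 65535, $ipRangeListLocal)), $sgId);
         }
         $createNetworkInterfaceRequestData->setSecurityGroupId(array('groupId' => $sgId));
         $networkInterface = $aws->ec2->networkInterface->create($createNetworkInterfaceRequestData);
         // Disable sourceDestCheck so the interface can forward traffic that is not addressed to it.
         $networkInterface->modifyAttribute(NetworkInterfaceAttributeType::sourceDestCheck(), 0);
         $niId = $networkInterface->networkInterfaceId;
         $dbFarmRole->SetSetting(self::ROLE_VPC_NID, $niId, DBFarmRole::TYPE_LCL);
         // Best-effort tagging, as for the subnet above.
         try {
             $networkInterface->createTags(array(array('key' => "scalr-id", 'value' => SCALR_ID), array('key' => "Name", 'value' => 'Scalr System ENI')));
         } catch (Exception $e) {
         }
     }
     // If there is no public IP allocate it and associate with NI
     $publicIp = $dbFarmRole->GetSetting(self::ROLE_VPC_IP);
     if ($niId && !$publicIp) {
         $address = $aws->ec2->address->allocate('vpc');
         $publicIp = $address->publicIp;
         $dbFarmRole->SetSetting(self::ROLE_VPC_IP, $publicIp, DBFarmRole::TYPE_LCL);
         $dbFarmRole->SetSetting(self::ROLE_VPC_AID, $address->allocationId, DBFarmRole::TYPE_LCL);
         $associateAddressRequestData = new AssociateAddressRequestData();
         $associateAddressRequestData->networkInterfaceId = $niId;
         $associateAddressRequestData->allocationId = $address->allocationId;
         //Associate PublicIP with NetworkInterface
         $aws->ec2->address->associate($associateAddressRequestData);
     }
     $dbFarmRole->SetSetting(self::ROLE_VPC_ROUTER_CONFIGURED, 1, DBFarmRole::TYPE_LCL);
 }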
 /**
  * Resolves a security group name to its group id.
  *
  * When $vpcId is given, only a group in that VPC matches; otherwise only a group
  * with no VPC at all matches, so a same-named VPC group is never returned by mistake.
  *
  * @param string      $platform          Cloud platform name
  * @param string      $cloudLocation     Cloud location (region)
  * @param string      $securityGroupName Name of the security group
  * @param string|null $vpcId             optional VPC id to restrict the lookup to
  * @return string|null The group id, or null when no matching group exists
  */
 private function getGroupIdByName($platform, $cloudLocation, $securityGroupName, $vpcId = null)
 {
     $criteria = [['name' => SecurityGroupFilterNameType::groupName(), 'value' => $securityGroupName]];

     if ($vpcId) {
         $criteria[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId];
     }

     $ec2 = $this->getCloudInstance($platform, $cloudLocation)->ec2;

     /* @var $group SecurityGroupData */
     foreach ($ec2->securityGroup->describe(null, null, $criteria) as $group) {
         $matchesVpc = !empty($vpcId) && $group->vpcId == $vpcId;
         $matchesClassic = empty($vpcId) && empty($group->vpcId);

         if ($matchesVpc || $matchesClassic) {
             return $group->groupId;
         }
     }

     return null;
 }
 /**
  * Lists EC2 security groups as plain arrays for the UI.
  *
  * Optional filters narrow the result by group ids ($filters['sgIds']) and/or
  * VPC id ($filters['vpcId']); with neither set, the describe call is unfiltered.
  *
  * @param string $platform      Cloud platform name
  * @param string $cloudLocation Cloud location (region)
  * @param array  $filters       Optional keys 'sgIds' and 'vpcId'
  * @return array List of ['id', 'name', 'description', 'vpcId', 'owner'] rows
  */
 private function listGroupsEc2($platform, $cloudLocation, $filters)
 {
     $criteria = [];

     if (!empty($filters['sgIds'])) {
         $criteria[] = ['name' => SecurityGroupFilterNameType::groupId(), 'value' => $filters['sgIds']];
     }

     if (!empty($filters['vpcId'])) {
         $criteria[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']];
     }

     // The service expects null (not an empty array) when there is nothing to filter on.
     $sgFilter = empty($criteria) ? null : $criteria;

     $groups = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $sgFilter);

     $rows = [];

     /* @var $group SecurityGroupData */
     foreach ($groups as $group) {
         $rows[] = [
             'id'          => $group->groupId,
             'name'        => $group->groupName,
             'description' => $group->groupDescription,
             'vpcId'       => $group->vpcId,
             'owner'       => $group->ownerId,
         ];
     }

     return $rows;
 }
 /**
  * xLaunchInstanceAction
  *
  * Creates an RDS DB instance from the launch form. For the 'aurora' engine a
  * cluster is created first (Clusters controller, xSaveAction) and the
  * instance-level settings (storage, master credentials, VPC security groups,
  * encryption key) are applied to the cluster instead of the instance.
  * Before anything is created in AWS the request is checked against the
  * environment's governance: KMS key allow-list (only when a key id is given),
  * security-group policy and VPC/subnet policy.
  *
  * @param string   $cloudLocation
  * @param string   $Engine
  * @param string   $DBInstanceIdentifier
  * @param string   $DBInstanceClass
  * @param string   $MasterUsername
  * @param RawData  $MasterUserPassword          unfiltered request value, forwarded to AWS as-is
  * @param string   $DBParameterGroup
  * @param string   $LicenseModel                optional
  * @param string   $OptionGroupName             optional
  * @param string   $AllocatedStorage            optional
  * @param string   $StorageType                 optional
  * @param int      $farmId                      optional farm to tag the instance from and link it to
  * @param string   $DBName                      optional
  * @param int      $Port                        optional
  * @param string   $VpcId                       optional
  * @param JsonData $VpcSecurityGroups           optional list of ['id' => ...] entries
  * @param JsonData $DBSecurityGroups            optional classic DB security group names
  * @param JsonData $SubnetIds                   optional
  * @param bool     $StorageEncrypted            optional
  * @param string   $KmsKeyId                    optional
  * @param string   $PreferredBackupWindow       optional
  * @param string   $CharacterSetName            optional
  * @param bool     $MultiAZ                     optional
  * @param bool     $AutoMinorVersionUpgrade     optional
  * @param string   $AvailabilityZone            optional
  * @param int      $Iops                        optional
  * @param string   $BackupRetentionPeriod       optional
  * @param string   $PreferredMaintenanceWindow  optional
  * @param string   $DBSubnetGroupName           optional
  * @param string   $EngineVersion               optional
  * @param bool     $PubliclyAccessible          optional, only applied when $VpcId is set
  * @throws Exception      disabled KMS key, duplicate aurora instance id
  * @throws ScalrException KMS key not on the governance allow-list
  */
 public function xLaunchInstanceAction($cloudLocation, $Engine, $DBInstanceIdentifier, $DBInstanceClass, $MasterUsername, RawData $MasterUserPassword, $DBParameterGroup, $LicenseModel = null, $OptionGroupName = null, $AllocatedStorage = null, $StorageType = null, $farmId = null, $DBName = null, $Port = null, $VpcId = null, JsonData $VpcSecurityGroups = null, JsonData $DBSecurityGroups = null, JsonData $SubnetIds = null, $StorageEncrypted = false, $KmsKeyId = null, $PreferredBackupWindow = null, $CharacterSetName = null, $MultiAZ = null, $AutoMinorVersionUpgrade = false, $AvailabilityZone = null, $Iops = null, $BackupRetentionPeriod = null, $PreferredMaintenanceWindow = null, $DBSubnetGroupName = null, $EngineVersion = null, $PubliclyAccessible = false)
 {
     // ACL: the caller must hold the RDS manage permission in this environment.
     $this->request->restrictAccess(Acl::RESOURCE_AWS_RDS, Acl::PERM_AWS_RDS_MANAGE);
     $aws = $this->getAwsClient($cloudLocation);
     // Normalise the engine spelling the UI sends to the one compared against below.
     if ($Engine == 'mysql') {
         $Engine = 'MySQL';
     }
     $request = new CreateDBInstanceRequestData($DBInstanceIdentifier, $DBInstanceClass, $Engine);
     if ($Engine == 'aurora') {
         // Aurora: storage is cluster-managed; the cluster id is derived from the instance id.
         $StorageType = 'aurora';
         $request->dBClusterIdentifier = strtolower($DBInstanceIdentifier);
     }
     if ($StorageEncrypted) {
         // For aurora the encryption flag and key are applied on the cluster (xSaveAction below), not here.
         $request->storageEncrypted = $Engine != 'aurora' ? true : null;
         if ($KmsKeyId) {
             // The key must be readable and enabled; describe() throws when it cannot be read.
             $kmsKey = $aws->kms->key->describe($KmsKeyId);
             if (!$kmsKey->enabled) {
                 throw new Exception("This KMS Key is disabled, please choose another one.");
             }
             // Governance: when a KMS allow-list exists for this region the chosen key must be on it.
             // No list configured means any key is allowed.
             $allowed = true;
             $governance = new Scalr_Governance($this->getEnvironmentId());
             $allowedKeys = $governance->getValue(SERVER_PLATFORMS::EC2, Scalr_Governance::AWS_KMS_KEYS, $cloudLocation);
             if (!empty($allowedKeys)) {
                 $allowed = false;
                 foreach ($allowedKeys['keys'] as $key) {
                     // Compared against the id AWS resolved, not the raw user-supplied value.
                     if ($key['id'] == $kmsKey->keyId) {
                         $allowed = true;
                         break;
                     }
                 }
             }
             if (!$allowed) {
                 throw new ScalrException("A KMS Policy is active in this Environment, access to '{$kmsKey->keyId}' has been restricted by account owner.");
             }
             $request->kmsKeyId = $Engine != 'aurora' ? $KmsKeyId : null;
         }
         // NOTE(review): with $StorageEncrypted set and no $KmsKeyId the allow-list is not
         // consulted at all; AWS then presumably falls back to its default RDS key — confirm
         // that is acceptable under the KMS governance policy.
     }
     if (empty($request->dBClusterIdentifier)) {
         // Non-aurora only: instance-level settings. For aurora these live on the cluster.
         $request->allocatedStorage = $AllocatedStorage;
         $request->masterUsername = $MasterUsername;
         // RawData: the password is taken from the request unfiltered and handed to AWS verbatim.
         $request->masterUserPassword = (string) $MasterUserPassword;
         $request->dBName = $DBName ?: null;
         $request->port = $Port ?: null;
         $request->preferredBackupWindow = $PreferredBackupWindow ?: null;
         $vpcSgIds = [];
         foreach ($VpcSecurityGroups as $VpcSecurityGroup) {
             $vpcSgIds[] = $VpcSecurityGroup['id'];
         }
         $request->vpcSecurityGroupIds = empty($vpcSgIds) ? null : $vpcSgIds;
     }
     $request->characterSetName = $CharacterSetName ?: null;
     // Only a parameter group that exists in this region is sent; an unknown name is dropped silently.
     if (!empty($DBParameterGroup)) {
         $paramGroups = $aws->rds->dbParameterGroup->describe();
         foreach ($paramGroups as $param) {
             /* @var $param DBParameterGroupData */
             if ($param->dBParameterGroupName == $DBParameterGroup) {
                 $paramGroup = $param;
                 break;
             }
         }
     }
     if (!empty($paramGroup)) {
         $request->dBParameterGroupName = $paramGroup->dBParameterGroupName;
     }
     // SQL Server SE/EE "Multi-AZ" is done via mirroring: MultiAZ is sent as false and the
     // option group name is passed through even when the lookup below does not find it.
     $isMirror = $MultiAZ && in_array($Engine, [DBInstanceData::ENGINE_SQL_SERVER_SE, DBInstanceData::ENGINE_SQL_SERVER_EE]);
     $optionList = $aws->rds->optionGroup->describe($Engine);
     foreach ($optionList as $option) {
         /* @var $option OptionGroupData */
         if ($option->optionGroupName == $OptionGroupName) {
             $optionGroup = $option;
             break;
         }
     }
     if (isset($optionGroup)) {
         $request->optionGroupName = $optionGroup->optionGroupName;
     } else {
         if ($isMirror) {
             $request->optionGroupName = $OptionGroupName;
         }
     }
     // Classic (non-VPC) DB security group names are forwarded without a lookup.
     $dbSgIds = [];
     foreach ($DBSecurityGroups as $DBSecurityGroup) {
         $dbSgIds[] = $DBSecurityGroup;
     }
     $request->dBSecurityGroups = empty($dbSgIds) ? null : $dbSgIds;
     $request->autoMinorVersionUpgrade = $AutoMinorVersionUpgrade;
     $request->availabilityZone = $AvailabilityZone ?: null;
     $request->backupRetentionPeriod = $BackupRetentionPeriod ?: null;
     $request->preferredMaintenanceWindow = $PreferredMaintenanceWindow ?: null;
     $request->multiAZ = $isMirror ? false : $MultiAZ;
     $request->storageType = $StorageType;
     $request->dBSubnetGroupName = $DBSubnetGroupName ?: null;
     $request->licenseModel = $LicenseModel;
     $request->engineVersion = $EngineVersion ?: null;
     $request->iops = $Iops ?: null;
     // PubliclyAccessible is only sent for VPC launches; outside a VPC it is left unset.
     if ($VpcId) {
         $request->publiclyAccessible = $PubliclyAccessible;
     }
     // NOTE(review): $farmId comes straight from the request and is used for the tags here
     // and for the CloudResource link below; no check that the farm belongs to the current
     // environment is visible in this method — confirm LoadByID (or the ACL layer) enforces it.
     $tagsObject = $farmId ? DBFarm::LoadByID($farmId) : $this->environment;
     $request->tags = new TagsList($tagsObject->getAwsTags());
     // Governance gates: security-group policy, then VPC/subnet policy. Both must return true
     // before any AWS create call; otherwise the policy message is returned as a failure.
     $result = self::loadController('Aws', 'Scalr_UI_Controller_Tools')->checkSecurityGroupsPolicy($VpcSecurityGroups, Aws::SERVICE_INTERFACE_RDS);
     if ($result === true) {
         $result = self::loadController('Aws', 'Scalr_UI_Controller_Tools')->checkVpcPolicy($VpcId, $SubnetIds, $cloudLocation);
     }
     if ($result === true) {
         if (!empty($request->dBClusterIdentifier)) {
             // Pre-flight duplicate check. Any describe() failure — including auth or
             // throttling errors — is treated as "not found" here.
             try {
                 $checkInstance = $aws->rds->dbInstance->describe($request->dBInstanceIdentifier);
             } catch (Exception $e) {
                 $checkInstance = [];
             }
             if (count($checkInstance) > 0) {
                 throw new Exception(sprintf("AWS Error. DB Instance with identifier %s already exists.", $request->dBInstanceIdentifier));
             }
             // Aurora: create the cluster first; master credentials, encryption/KMS key and
             // VPC security groups are applied at the cluster level.
             self::loadController('Clusters', 'Scalr_UI_Controller_Tools_Aws_Rds')->xSaveAction($cloudLocation, $request->dBClusterIdentifier, $Engine, $MasterUsername, $MasterUserPassword, $VpcId, $Port, $DBName, $request->characterSetName, $request->dBParameterGroupName, $request->optionGroupName, new JsonData([$request->availabilityZone]), $request->backupRetentionPeriod, $PreferredBackupWindow, $request->preferredMaintenanceWindow, $request->dBSubnetGroupName, $request->engineVersion, $farmId, $VpcSecurityGroups, $SubnetIds, $StorageEncrypted, $KmsKeyId);
         }
         $instance = $aws->rds->dbInstance->create($request);
         // Drop any stale record for this identifier before (re)linking it to a farm.
         CloudResource::deletePk($request->dBInstanceIdentifier, CloudResource::TYPE_AWS_RDS, $this->getEnvironmentId(), \SERVER_PLATFORMS::EC2, $cloudLocation);
         if ($farmId) {
             $cloudResource = new CloudResource();
             $cloudResource->id = $request->dBInstanceIdentifier;
             $cloudResource->type = CloudResource::TYPE_AWS_RDS;
             $cloudResource->platform = \SERVER_PLATFORMS::EC2;
             $cloudResource->cloudLocation = $cloudLocation;
             $cloudResource->envId = $this->getEnvironmentId();
             $cloudResource->farmId = $farmId;
             $cloudResource->save();
         }
         // Resolve VPC security group names for the response payload.
         $vpcSglist = null;
         if (!empty($VpcId)) {
             $filter[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $VpcId];
             $vpcSglist = $aws->ec2->securityGroup->describe(null, null, $filter);
         }
         $clusters = null;
         if (!empty($instance->dBClusterIdentifier)) {
             /* @var $cluster DBClusterData */
             $clusters = $aws->rds->dbCluster->describe($instance->dBClusterIdentifier);
         }
         $data = $this->getDbInstanceData($aws, $instance, $vpcSglist, $clusters);
         $data['isReplica'] = false;
         if ($isMirror) {
             // Report mirroring as Multi-AZ to the UI even though MultiAZ=false was sent.
             $data['MultiAZ'] = true;
         }
         $this->response->success("DB Instance successfully created");
         $this->response->data(['instance' => $data, 'cloudLocation' => $cloudLocation]);
     } else {
         $this->response->failure($result);
     }
 }
 /**
  * Gets the list of the security groups for the specified db server.
  *
  * If server does not have required security groups this method will create them.
  *
  * Sources of group names / ids, in order:
  *  - governance policy (required groups; a Windows-specific list wins when set;
  *    entries containing '*' are wildcard patterns);
  *  - farm-role settings, only when governance is absent or allows additional groups:
  *    the JSON list in AWS_SECURITY_GROUPS_LIST, or the legacy scheme ('default', the
  *    Scalr system group, scalr-farm.N / scalr-role.N outside a VPC, plus AWS_SG_LIST);
  *  - the roles-builder group for a server without a farm role.
  * Values starting with 'sg-' are taken as ids and returned as-is; names are resolved
  * through DescribeSecurityGroups (scoped to $vpcId when given) and the Scalr-managed
  * ones are created together with their ingress rules when missing. A name that is
  * neither found nor a wildcard pattern, or a wildcard matching zero or several
  * groups, raises an Exception (fail closed).
  *
  * @param   DBServer               $DBServer    The DB Server instance
  * @param   \Scalr\Service\Aws\Ec2 $ec2         Ec2 Client instance
  * @param   string                 $vpcId       optional The ID of VPC
  * @param   \Scalr_Governance      $governance  Governance
  * @param   string                 $osFamily    optional OS family of the instance
  * @return  array  Returns array looks like array(groupid-1, groupid-2, ..., groupid-N)
  * @throws  Exception  describe/create failures, unresolved or ambiguous group names
  */
 private function GetServerSecurityGroupsList(DBServer $DBServer, \Scalr\Service\Aws\Ec2 $ec2, $vpcId = "", \Scalr_Governance $governance = null, $osFamily = null)
 {
     $retval = array();
     $checkGroups = array();
     $wildCardSgs = [];
     $sgGovernance = false;
     $allowAdditionalSgs = true;
     $roleBuilderSgName = \Scalr::config('scalr.aws.security_group_name') . "-rb";
     // Governance: required groups for servers that belong to a farm role.
     if ($governance && $DBServer->farmRoleId) {
         $sgs = $governance->getValue(SERVER_PLATFORMS::EC2, \Scalr_Governance::AWS_SECURITY_GROUPS);
         if ($osFamily == 'windows' && $governance->getValue(SERVER_PLATFORMS::EC2, \Scalr_Governance::AWS_SECURITY_GROUPS, 'windows')) {
             $sgs = $governance->getValue(SERVER_PLATFORMS::EC2, \Scalr_Governance::AWS_SECURITY_GROUPS, 'windows');
         }
         if ($sgs !== null) {
             $governanceSecurityGroups = @explode(",", $sgs);
             if (!empty($governanceSecurityGroups)) {
                 foreach ($governanceSecurityGroups as $sg) {
                     if ($sg != '') {
                         array_push($checkGroups, trim($sg));
                         // Entries with '*' are patterns, resolved against the describe() result below.
                         if (strpos($sg, '*') !== false) {
                             array_push($wildCardSgs, trim($sg));
                         }
                     }
                 }
             }
             if (!empty($checkGroups)) {
                 $sgGovernance = true;
             }
             // A falsy value (including an unset policy key) blocks farm-role additions: fail closed.
             $allowAdditionalSgs = $governance->getValue(SERVER_PLATFORMS::EC2, \Scalr_Governance::AWS_SECURITY_GROUPS, 'allow_additional_sec_groups');
         }
     }
     // Farm-role configured groups, only when governance does not forbid additions.
     if (!$sgGovernance || $allowAdditionalSgs) {
         if ($DBServer->farmRoleId != 0) {
             $dbFarmRole = $DBServer->GetFarmRoleObject();
             if ($dbFarmRole->GetSetting(Entity\FarmRoleSetting::AWS_SECURITY_GROUPS_LIST) !== null) {
                 // New SG management
                 $sgs = @json_decode($dbFarmRole->GetSetting(Entity\FarmRoleSetting::AWS_SECURITY_GROUPS_LIST));
                 if (!empty($sgs)) {
                     foreach ($sgs as $sg) {
                         // 'sg-' values are ids and skip the lookup below; names are queued for it.
                         if (stripos($sg, 'sg-') === 0) {
                             array_push($retval, $sg);
                         } else {
                             array_push($checkGroups, $sg);
                         }
                     }
                 }
             } else {
                 // Old SG management
                 array_push($checkGroups, 'default');
                 array_push($checkGroups, \Scalr::config('scalr.aws.security_group_name'));
                 // Per-farm / per-role groups are only used for EC2-Classic servers.
                 if (!$vpcId) {
                     array_push($checkGroups, "scalr-farm.{$DBServer->farmId}");
                     array_push($checkGroups, "scalr-role.{$DBServer->farmRoleId}");
                 }
                 $additionalSgs = trim($dbFarmRole->GetSetting(Entity\FarmRoleSetting::AWS_SG_LIST));
                 if ($additionalSgs) {
                     $sgs = explode(",", $additionalSgs);
                     if (!empty($sgs)) {
                         foreach ($sgs as $sg) {
                             $sg = trim($sg);
                             if (stripos($sg, 'sg-') === 0) {
                                 array_push($retval, $sg);
                             } else {
                                 array_push($checkGroups, $sg);
                             }
                         }
                     }
                 }
             }
         } else {
             // No farm role: this is a roles-builder server.
             array_push($checkGroups, $roleBuilderSgName);
         }
     }
     // No name based security groups, return only SG ids.
     // NOTE(review): ids collected above are returned without any describe() check, so
     // nothing in this method verifies they exist in this account or VPC.
     if (empty($checkGroups)) {
         return $retval;
     }
     // Filter groups
     $filter = array(array('name' => SecurityGroupFilterNameType::groupName(), 'value' => $checkGroups));
     // If instance run in VPC, add VPC filter
     if ($vpcId != '') {
         $filter[] = array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId);
     }
     // Get filtered list of SG required by scalr;
     try {
         $list = $ec2->securityGroup->describe(null, null, $filter);
         $sgList = array();
         foreach ($list as $sg) {
             /* @var $sg \Scalr\Service\Aws\Ec2\DataType\SecurityGroupData */
             // Classic servers only see classic groups; VPC servers only see groups of their VPC.
             if ($vpcId == '' && !$sg->vpcId || $vpcId && $sg->vpcId == $vpcId) {
                 $sgList[$sg->groupName] = $sg->groupId;
             }
         }
         unset($list);
     } catch (Exception $e) {
         throw new Exception("Cannot get list of security groups (1): {$e->getMessage()}");
     }
     foreach ($checkGroups as $groupName) {
         // Check default SG
         // NOTE(review): no isset() guard here — a missing 'default' group pushes null into $retval.
         if ($groupName == 'default') {
             array_push($retval, $sgList[$groupName]);
             // Check Roles builder SG
         } elseif ($groupName == $roleBuilderSgName) {
             if (!isset($sgList[$groupName])) {
                 try {
                     // Roles-builder group: SSH plus the 8008-8013 range, only from the configured Scalr IP pool.
                     $securityGroupId = $ec2->securityGroup->create($roleBuilderSgName, "Security group for Roles Builder", $vpcId);
                     $ipRangeList = new IpRangeList();
                     foreach (\Scalr::config('scalr.aws.ip_pool') as $ip) {
                         $ipRangeList->append(new IpRangeData($ip));
                     }
                     // Pause before authorising rules on the just-created group.
                     sleep(2);
                     $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 22, 22, $ipRangeList), new IpPermissionData('tcp', 8008, 8013, $ipRangeList)), $securityGroupId);
                     $sgList[$roleBuilderSgName] = $securityGroupId;
                 } catch (Exception $e) {
                     throw new Exception(sprintf(_("Cannot create security group '%s': %s"), $roleBuilderSgName, $e->getMessage()));
                 }
             }
             array_push($retval, $sgList[$groupName]);
             //Check scalr-farm.* security group
         } elseif (stripos($groupName, 'scalr-farm.') === 0) {
             if (!isset($sgList[$groupName])) {
                 try {
                     // Farm group: all tcp/udp ports, but only from members of this same group (self-referencing rule).
                     $securityGroupId = $ec2->securityGroup->create($groupName, sprintf("Security group for FarmID N%s", $DBServer->farmId), $vpcId);
                     sleep(2);
                     $userIdGroupPairList = new UserIdGroupPairList(new UserIdGroupPairData($DBServer->GetEnvironmentObject()->keychain(SERVER_PLATFORMS::EC2)->properties[Entity\CloudCredentialsProperty::AWS_ACCOUNT_ID], null, $groupName));
                     $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 0, 65535, null, $userIdGroupPairList), new IpPermissionData('udp', 0, 65535, null, $userIdGroupPairList)), $securityGroupId);
                     $sgList[$groupName] = $securityGroupId;
                 } catch (Exception $e) {
                     throw new Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage()));
                 }
             }
             array_push($retval, $sgList[$groupName]);
             //Check scalr-role.* security group
         } elseif (stripos($groupName, 'scalr-role.') === 0) {
             if (!isset($sgList[$groupName])) {
                 try {
                     $securityGroupId = $ec2->securityGroup->create($groupName, sprintf("Security group for FarmRoleID N%s on FarmID N%s", $DBServer->GetFarmRoleObject()->ID, $DBServer->farmId), $vpcId);
                     sleep(2);
                     // DB rules
                     // Rules are keyed by a hash of their "proto:from:to:cidr" string to de-duplicate
                     // role rules against behavior rules.
                     $dbRules = $DBServer->GetFarmRoleObject()->GetRoleObject()->getSecurityRules();
                     $groupRules = array();
                     foreach ($dbRules as $rule) {
                         $groupRules[CryptoTool::hash($rule['rule'])] = $rule;
                     }
                     // Behavior rules
                     foreach (\Scalr_Role_Behavior::getListForFarmRole($DBServer->GetFarmRoleObject()) as $bObj) {
                         $bRules = $bObj->getSecurityRules();
                         foreach ($bRules as $r) {
                             if ($r) {
                                 $groupRules[CryptoTool::hash($r)] = array('rule' => $r);
                             }
                         }
                     }
                     // Default rules
                     // Self-referencing all-ports rule, same as the farm group above.
                     $userIdGroupPairList = new UserIdGroupPairList(new UserIdGroupPairData($DBServer->GetEnvironmentObject()->keychain(SERVER_PLATFORMS::EC2)->properties[Entity\CloudCredentialsProperty::AWS_ACCOUNT_ID], null, $groupName));
                     $rules = array(new IpPermissionData('tcp', 0, 65535, null, $userIdGroupPairList), new IpPermissionData('udp', 0, 65535, null, $userIdGroupPairList));
                     // NOTE(review): role/behavior rules are split on ':' and sent to AWS without any
                     // validation of protocol, port or CIDR here — they are trusted as stored.
                     foreach ($groupRules as $rule) {
                         $group_rule = explode(":", $rule["rule"]);
                         $rules[] = new IpPermissionData($group_rule[0], $group_rule[1], $group_rule[2], new IpRangeData($group_rule[3]));
                     }
                     $ec2->securityGroup->authorizeIngress($rules, $securityGroupId);
                     $sgList[$groupName] = $securityGroupId;
                 } catch (Exception $e) {
                     throw new Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage()));
                 }
             }
             array_push($retval, $sgList[$groupName]);
         } elseif ($groupName == \Scalr::config('scalr.aws.security_group_name')) {
             if (!isset($sgList[$groupName])) {
                 try {
                     // Scalr system group: tcp 3306 and 8008-8013, udp 8014 from the Scalr IP pool ...
                     $securityGroupId = $ec2->securityGroup->create($groupName, "Security rules needed by Scalr", $vpcId);
                     $ipRangeList = new IpRangeList();
                     foreach (\Scalr::config('scalr.aws.ip_pool') as $ip) {
                         $ipRangeList->append(new IpRangeData($ip));
                     }
                     // TODO: Open only FOR VPC ranges
                     // ... and from the whole 10.0.0.0/8 space. That exposes the MySQL port to any
                     // peered or shared private network, not just this VPC (see the TODO above).
                     $ipRangeList->append(new IpRangeData('10.0.0.0/8'));
                     sleep(2);
                     $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 3306, 3306, $ipRangeList), new IpPermissionData('tcp', 8008, 8013, $ipRangeList), new IpPermissionData('udp', 8014, 8014, $ipRangeList)), $securityGroupId);
                     $sgList[$groupName] = $securityGroupId;
                 } catch (Exception $e) {
                     throw new Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage()));
                 }
             }
             array_push($retval, $sgList[$groupName]);
         } else {
             // Any other name must exist already; nothing is created for it.
             if (!isset($sgList[$groupName])) {
                 if (!in_array($groupName, $wildCardSgs)) {
                     throw new Exception(sprintf(_("Security group '%s' is not found"), $groupName));
                 } else {
                     // Governance wildcard: must match exactly one of the groups found above.
                     $wildCardMatchedSgs = [];
                     $groupNamePattern = \Scalr_Governance::convertAsteriskPatternToRegexp($groupName);
                     foreach ($sgList as $sgGroupName => $sgGroupId) {
                         if (preg_match($groupNamePattern, $sgGroupName) === 1) {
                             array_push($wildCardMatchedSgs, $sgGroupId);
                         }
                     }
                     if (empty($wildCardMatchedSgs)) {
                         throw new Exception(sprintf(_("Security group matched to pattern '%s' is not found."), $groupName));
                     } else {
                         if (count($wildCardMatchedSgs) > 1) {
                             throw new Exception(sprintf(_("There are more than one Security group matched to pattern '%s' found."), $groupName));
                         } else {
                             array_push($retval, $wildCardMatchedSgs[0]);
                         }
                     }
                 }
             } else {
                 array_push($retval, $sgList[$groupName]);
             }
         }
     }
     return $retval;
 }
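 /**
  * Creates the network interface (ENI) for the Scalr VPC router in the
  * requested subnet and attaches a freshly allocated Elastic IP to it.
  *
  * Request params: 'cloudLocation' (region), 'vpcId', 'subnetId'.
  *
  * AWS side effects, in order: reuse an existing router group (configured
  * prefix + 'vpc-router', or the legacy 'SCALR-VPC') in the VPC or create one;
  * create the ENI in that group; disable source/dest check so the interface
  * can forward traffic; tag the ENI; allocate and associate an Elastic IP.
  * If any step throws, the ENI and the address created so far are released
  * and the exception is rethrown.
  *
  * Ingress authorised on a *newly created* router group: tcp 80, 443 and
  * 8008-8013 from 0.0.0.0/0, and all tcp/udp from the VPC CIDR. A reused
  * group is taken as-is; its rules are not checked here.
  *
  * NOTE(review): unlike the other actions on this page, no restrictAccess()
  * ACL check is visible in this method — confirm the controller enforces
  * one before this action is reachable.
  *
  * @throws Exception
  */
 public function xCreateNetworkInterfaceAction()
 {
     $aws = $this->getEnvironment()->aws($this->getParam('cloudLocation'));
     $ec2 = $aws->ec2;
     // Initialised up front: the cleanup in the catch block reads these, and an
     // early failure would otherwise leave them undefined.
     $sgId = null;
     $niId = null;
     $publicIp = null;
     $address = null;
     try {
         $subnetId = $this->getParam('subnetId');
         $vpcId = $this->getParam('vpcId');
         $vpcInfo = $ec2->vpc->describe($vpcId);
         /* @var $vpc \Scalr\Service\Aws\Ec2\DataType\VpcData */
         $vpc = $vpcInfo->get(0);
         //Create Network interface
         $createNetworkInterfaceRequestData = new CreateNetworkInterfaceRequestData($subnetId);
         $routerSgName = Scalr::config('scalr.aws.security_group_prefix') . 'vpc-router';
         // Check and create security group: look for the router group (or the legacy name) in this VPC only.
         $filter = [
             ['name' => SecurityGroupFilterNameType::groupName(), 'value' => [$routerSgName, 'SCALR-VPC']],
             ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId],
         ];
         try {
             $list = $ec2->securityGroup->describe(null, null, $filter);
             if ($list->count() > 0 && in_array($list->get(0)->groupName, [$routerSgName, 'SCALR-VPC'], true)) {
                 $sgId = $list->get(0)->groupId;
             }
         } catch (Exception $e) {
             throw new Exception("Cannot get list of security groups (1): {$e->getMessage()}");
         }
         if (!$sgId) {
             $sgId = $aws->ec2->securityGroup->create($routerSgName, 'System SG for Scalr VPC integration', $vpcId);
             // Public source: HTTP(S) and the 8008-8013 range from anywhere.
             $ipRangeList = new IpRangeList();
             $ipRangeList->append(new IpRangeData('0.0.0.0/0'));
             // Local source: every tcp/udp port from inside the VPC.
             $ipRangeListLocal = new IpRangeList();
             $ipRangeListLocal->append(new IpRangeData($vpc->cidrBlock));
             // Retried up to three times — presumably to ride out the delay before the
             // new group is usable in AuthorizeSecurityGroupIngress (not confirmed here).
             $attempts = 0;
             while (true) {
                 $attempts++;
                 try {
                     $aws->ec2->securityGroup->authorizeIngress([
                         new IpPermissionData('tcp', 8008, 8013, $ipRangeList),
                         new IpPermissionData('tcp', 80, 80, $ipRangeList),
                         new IpPermissionData('tcp', 443, 443, $ipRangeList),
                         new IpPermissionData('tcp', 0, 65535, $ipRangeListLocal),
                         new IpPermissionData('udp', 0, 65535, $ipRangeListLocal),
                     ], $sgId);
                     break;
                 } catch (Exception $e) {
                     if ($attempts >= 3) {
                         throw $e;
                     }
                     sleep(1);
                 }
             }
         }
         $createNetworkInterfaceRequestData->setSecurityGroupId(['groupId' => $sgId]);
         $networkInterface = $ec2->networkInterface->create($createNetworkInterfaceRequestData);
         // Disable sourceDestCheck: required for the interface to forward packets not addressed to it.
         $networkInterface->modifyAttribute(NetworkInterfaceAttributeType::sourceDestCheck(), 0);
         $niId = $networkInterface->networkInterfaceId;
         // The retry suggests tagging can fail transiently right after creation; up to five tries.
         $attemptsCounter = 0;
         while (true) {
             try {
                 $networkInterface->createTags([['key' => "scalr-id", 'value' => SCALR_ID], ['key' => "Name", 'value' => "VPC Router ENI"]]);
                 break;
             } catch (Exception $e) {
                 $attemptsCounter++;
                 if ($attemptsCounter < 5) {
                     sleep(1);
                     continue;
                 }
                 throw new Exception($e->getMessage());
             }
         }
         //ASSOCIATE PUBLIC IP
         $address = $ec2->address->allocate('vpc');
         $publicIp = $address->publicIp;
         $associateAddressRequestData = new AssociateAddressRequestData();
         $associateAddressRequestData->networkInterfaceId = $niId;
         $associateAddressRequestData->allocationId = $address->allocationId;
         $associateAddressRequestData->allowReassociation = true;
         //Associate PublicIP with NetworkInterface
         $ec2->address->associate($associateAddressRequestData);
     } catch (Exception $e) {
         // Best-effort rollback of what was created before the failure; a failure
         // inside this block would mask the original exception.
         if ($niId) {
             $ec2->networkInterface->delete($niId);
         }
         if ($publicIp) {
             $ec2->address->release(null, $address->allocationId);
         }
         throw $e;
     }
     $this->response->success('Network interface successfully created');
     $this->response->data(['ni' => ['id' => $niId, 'publicIp' => $publicIp]]);
 }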
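 /**
  * Lists EC2 security groups for the picker and, when requested, applies the
  * environment's security-group governance policy to the list.
  *
  * Without governance the result is the DescribeSecurityGroups output
  * (optionally narrowed by 'sgIds' and 'vpcId'). With 'considerGovernance'
  * set the list is reduced to:
  *  - groups matching a *required* pattern (exact case-insensitive name, or a
  *    wildcard regexp that matches exactly one existing group), flagged
  *    'addedByGovernance';
  *  - groups matching an *additional* pattern when the policy allows additional
  *    groups (an empty additional list then allows any group);
  *  - placeholder rows (id null) for required groups that do not exist yet,
  *    unless 'existingGroupsOnly' is set.
  *
  * Fix: the by-reference foreach over the required patterns left a dangling
  * reference, so the later by-value foreach overwrote the last pattern with
  * its predecessor; the references are now unset after each loop.
  *
  * @param   string $platform      Cloud platform identifier
  * @param   string $cloudLocation AWS region
  * @param   mixed  $filters       Filter array; keys 'sgIds', 'vpcId', 'considerGovernance',
  *                                'serviceName', 'osFamily', 'existingGroupsOnly' (all optional)
  * @return  array  List of ['id', 'name', 'description', 'vpcId', 'owner'(, 'addedByGovernance')]
  */
 private function listGroupsEc2($platform, $cloudLocation, $filters)
 {
     $result = [];
     if (!is_array($filters)) {
         $filters = [];
     }
     $sgFilter = [];
     if (!empty($filters['sgIds'])) {
         $sgFilter[] = ['name' => SecurityGroupFilterNameType::groupId(), 'value' => $filters['sgIds']];
     }
     // An explicitly empty vpcId means "the default VPC" when the region has one.
     if (empty($filters['vpcId']) && array_key_exists('vpcId', $filters)) {
         $p = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2);
         $defaultVpc = $p->getDefaultVpc($this->environment, $cloudLocation);
         if ($defaultVpc) {
             $filters['vpcId'] = $defaultVpc;
         }
     }
     if (!empty($filters['vpcId'])) {
         $sgFilter[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']];
     }
     $sgList = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, empty($sgFilter) ? null : $sgFilter);
     /* @var $sg SecurityGroupData */
     foreach ($sgList as $sg) {
         if (array_key_exists('vpcId', $filters) && $filters['vpcId'] == null && $sg->vpcId) {
             // No VPC requested and no default VPC found: hide VPC groups, keep EC2-Classic ones.
             continue;
         }
         $result[] = ['id' => $sg->groupId, 'name' => $sg->groupName, 'description' => $sg->groupDescription, 'vpcId' => $sg->vpcId, 'owner' => $sg->ownerId];
     }
     if (empty($filters['considerGovernance'])) {
         return $result;
     }
     $serviceName = isset($filters['serviceName']) ? $filters['serviceName'] : null;
     $governance = new Scalr_Governance($this->getEnvironmentId());
     $governanceSecurityGroups = $governance->getValue(SERVER_PLATFORMS::EC2, Scalr_Governance::getEc2SecurityGroupPolicyNameForService($serviceName), '');
     if (!$governanceSecurityGroups) {
         // No policy configured for this service: nothing to enforce.
         return $result;
     }
     $isWindows = isset($filters['osFamily']) && $filters['osFamily'] == 'windows';
     $allowAdditional = !empty($governanceSecurityGroups['allow_additional_sec_groups']);
     // Windows roles may carry their own required list; otherwise the generic one applies.
     $requiredSource = $isWindows && !empty($governanceSecurityGroups['windows']) ? $governanceSecurityGroups['windows'] : $governanceSecurityGroups['value'];
     $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns($requiredSource);
     $sgOptionalPatterns = $allowAdditional ? \Scalr_Governance::prepareSecurityGroupsPatterns($governanceSecurityGroups['additional_sec_groups_list']) : [];
     $filteredSg = [];
     foreach ($result as $sg) {
         $sgNameLowerCase = strtolower($sg['name']);
         $sgAllowed = false;
         if ($allowAdditional) {
             if (empty($sgOptionalPatterns)) {
                 // Additional groups allowed with no allow-list: any group is selectable.
                 $sgAllowed = true;
             } elseif (isset($sgOptionalPatterns[$sgNameLowerCase])) {
                 $sgAllowed = true;
             } else {
                 foreach ($sgOptionalPatterns as $sgOptionalPattern) {
                     if (isset($sgOptionalPattern['regexp']) && preg_match($sgOptionalPattern['regexp'], $sg['name']) === 1) {
                         $sgAllowed = true;
                         break;
                     }
                 }
             }
         }
         if (isset($sgRequiredPatterns[$sgNameLowerCase])) {
             // Exact (case-insensitive) match on a required group name.
             $sgAllowed = true;
             $sg['addedByGovernance'] = true;
             $sgRequiredPatterns[$sgNameLowerCase]['found'] = true;
         } else {
             // Wildcard required pattern: collect candidates; resolved after the loop.
             foreach ($sgRequiredPatterns as &$sgRequiredPattern) {
                 if (isset($sgRequiredPattern['regexp']) && preg_match($sgRequiredPattern['regexp'], $sg['name']) === 1) {
                     $sgRequiredPattern['matches'][] = $sg;
                     break;
                 }
             }
             // Drop the by-reference binding so nothing later writes through it.
             unset($sgRequiredPattern);
         }
         if ($sgAllowed) {
             $filteredSg[$sg['id']] = $sg;
         }
     }
     // A wildcard required pattern is satisfied only by exactly one existing group;
     // zero or several matches leave it unresolved (and may yield a placeholder below).
     foreach ($sgRequiredPatterns as &$sgRequiredPattern) {
         if (isset($sgRequiredPattern['matches']) && count($sgRequiredPattern['matches']) == 1) {
             $sg = $sgRequiredPattern['matches'][0];
             if (!isset($filteredSg[$sg['id']])) {
                 $filteredSg[$sg['id']] = $sg;
             }
             $filteredSg[$sg['id']]['addedByGovernance'] = true;
             $sgRequiredPattern['found'] = true;
         }
     }
     // Without this unset the by-value loop below would overwrite the last pattern
     // through the dangling reference (classic PHP foreach pitfall).
     unset($sgRequiredPattern);
     $result = $filteredSg;
     if (empty($filters['existingGroupsOnly'])) {
         foreach ($sgRequiredPatterns as $sgRequiredPattern) {
             if (empty($sgRequiredPattern['found'])) {
                 $result[] = ['id' => null, 'name' => $sgRequiredPattern['value'], 'description' => null, 'vpcId' => null, 'owner' => null, 'addedByGovernance' => true];
             }
         }
     }
     return $result;
 }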
 /**
  * Lists EC2 security groups for the security-group picker and hands the
  * result to applyGovernanceToSgList() for policy filtering.
  *
  * Filter semantics (all keys optional):
  *  - 'vpcId' present but empty: resolve the account's default VPC for the
  *    region; if there is none, only EC2-Classic groups (no vpcId) are kept.
  *  - 'vpcId' set: pushed down to DescribeSecurityGroups as a VPC filter.
  *  - 'sgIds' / 'sgNames': client-side allow-lists checked via isSecurityGroupsListed().
  *
  * @param   string $platform      Cloud platform identifier
  * @param   string $cloudLocation AWS region
  * @param   mixed  $filters       Filter array (anything else is treated as no filters)
  * @return  array  Governance-filtered list of group rows
  */
 private function listGroupsEc2($platform, $cloudLocation, $filters)
 {
     if (!is_array($filters)) {
         $filters = [];
     }
     $vpcKeyPresent = array_key_exists('vpcId', $filters);
     // An explicitly empty vpcId means "the default VPC", when the region has one.
     if ($vpcKeyPresent && empty($filters['vpcId'])) {
         $defaultVpc = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2)
             ->getDefaultVpc($this->environment, $cloudLocation);
         if ($defaultVpc) {
             $filters['vpcId'] = $defaultVpc;
         }
     }
     $describeFilter = null;
     if (!empty($filters['vpcId'])) {
         $describeFilter = [
             ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']],
         ];
     }
     $groups = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $describeFilter);
     $allowedIds = empty($filters['sgIds']) ? null : (array) $filters['sgIds'];
     $allowedNames = empty($filters['sgNames']) ? null : (array) $filters['sgNames'];
     // vpcId still empty here means no default VPC was found: hide VPC groups.
     $hideVpcGroups = $vpcKeyPresent && $filters['vpcId'] == null;
     $rows = [];
     /* @var $group SecurityGroupData */
     foreach ($groups as $group) {
         if ($hideVpcGroups && $group->vpcId) {
             continue;
         }
         if (!$this->isSecurityGroupsListed($group->groupId, $group->groupName, $allowedIds, $allowedNames)) {
             continue;
         }
         $rows[] = [
             'id'          => $group->groupId,
             'name'        => $group->groupName,
             'description' => $group->groupDescription,
             'vpcId'       => $group->vpcId,
             'owner'       => $group->ownerId,
         ];
     }
     return $this->applyGovernanceToSgList($rows, $platform, $cloudLocation, $filters);
 }
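 /**
  * Lists EC2 security groups for a cloud location, restricted by the optional
  * filters and, when requested, by the environment's governance policy.
  *
  * With considerGovernance set and the "aws.additional_security_groups"
  * governance value configured, every configured group name is present in the
  * result (with a null id when no such group exists in the account), and unless
  * allow_additional_sec_groups is enabled, groups outside that list are dropped.
  *
  * @param string $platform      Platform name (passed through to getPlatformService)
  * @param string $cloudLocation Cloud location (AWS region)
  * @param mixed  $filters       Optional filters; a non-array is treated as "no filters".
  *                              Keys read: sgIds, vpcId, considerGovernance (missing means false).
  *
  * @return array List of ['id', 'name', 'description', 'vpcId', 'owner'] rows
  */
 private function listGroupsEc2($platform, $cloudLocation, $filters)
 {
     $sgFilter = null;
     $result = [];
     if (!is_array($filters)) {
         $filters = [];
     }
     // $sgFilter stays null when nothing applies, so describe() sees no filter at all.
     if (!empty($filters['sgIds'])) {
         $sgFilter[] = ['name' => SecurityGroupFilterNameType::groupId(), 'value' => $filters['sgIds']];
     }
     // A vpcId key that is present but empty means "the default VPC".
     if (array_key_exists('vpcId', $filters) && empty($filters['vpcId'])) {
         $p = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2);
         $defaultVpc = $p->getDefaultVpc($this->environment, $cloudLocation);
         if ($defaultVpc) {
             $filters['vpcId'] = $defaultVpc;
         }
     }
     if (!empty($filters['vpcId'])) {
         $sgFilter[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']];
     }
     $sgList = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $sgFilter);

     // A missing key previously raised an undefined-index notice; treat it as "no governance".
     $considerGovernance = !empty($filters['considerGovernance']);
     $sgDefaultNames = [];
     $restrictToDefaults = false;
     if ($considerGovernance) {
         $governance = new Scalr_Governance($this->getEnvironmentId());
         $values = $governance->getValues(true);
         if (!empty($values['ec2']['aws.additional_security_groups']->value)) {
             $sgDefaultNames = explode(',', $values['ec2']['aws.additional_security_groups']->value);
             // Without allow_additional_sec_groups only the governance-listed groups may be shown.
             $restrictToDefaults = empty($values['ec2']['aws.additional_security_groups']->allow_additional_sec_groups);
         }
     }

     $sgNames = [];
     /* @var $sg SecurityGroupData */
     foreach ($sgList as $sg) {
         if (array_key_exists('vpcId', $filters) && $filters['vpcId'] == null && $sg->vpcId) {
             // vpcId was explicitly requested as "none" (and no default VPC was found):
             // hide VPC-scoped groups. Loose == is intentional so '', null and false all count.
             continue;
         }
         // This is a governance allow-list, so compare names strictly: a loose == would
         // treat numeric-looking names as equal (PHP compares "100" == "1e2" as numbers).
         if ($restrictToDefaults && !in_array((string) $sg->groupName, $sgDefaultNames, true)) {
             continue;
         }
         $result[] = ['id' => $sg->groupId, 'name' => $sg->groupName, 'description' => $sg->groupDescription, 'vpcId' => $sg->vpcId, 'owner' => $sg->ownerId];
         $sgNames[] = (string) $sg->groupName;
     }
     // Governance-required groups that do not exist in the account yet are still
     // reported, without an id, so the caller can show them as pending.
     if (!empty($sgDefaultNames)) {
         foreach ($sgDefaultNames as $sgDefaultName) {
             if (!in_array($sgDefaultName, $sgNames, true)) {
                 $result[] = ['id' => null, 'name' => $sgDefaultName, 'description' => null, 'vpcId' => null, 'owner' => null];
             }
         }
     }
     return $result;
 }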