/** * Edit page * * @param string $cloudLocation AWS region * @param string $dBClusterIdentifier optional DB Cluster identifier * @param string $vpcId Vpc id */ public function editAction($cloudLocation, $dBClusterIdentifier = null, $vpcId = null) { $this->request->restrictAccess(Acl::RESOURCE_AWS_RDS, Acl::PERM_AWS_RDS_MANAGE); $aws = $this->getAwsClient($cloudLocation); $dbCluster = $aws->rds->dbCluster->describe($dBClusterIdentifier)->get(0)->toArray(true); $vpcSglist = null; if (!empty($vpcId)) { $filter[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId]; $vpcSglist = $aws->ec2->securityGroup->describe(null, null, $filter); } foreach ($dbCluster['VpcSecurityGroups'] as &$vpcSg) { $vpcSecurityGroupName = null; foreach ($vpcSglist as $vpcSqData) { /* @var $vpcSqData \Scalr\Service\Aws\Ec2\DataType\SecurityGroupData */ if ($vpcSqData->groupId == $vpcSg['VpcSecurityGroupId']) { $vpcSecurityGroupName = $vpcSqData->groupName; break; } } $vpcSg = ['vpcSecurityGroupId' => $vpcSg['VpcSecurityGroupId'], 'vpcSecurityGroupName' => $vpcSecurityGroupName]; } $dbCluster['VpcId'] = !empty($vpcId) ? $vpcId : null; $this->response->page(['ui/tools/aws/rds/clusters/edit.js', 'ui/security/groups/sgeditor.js'], ['locations' => self::loadController('Platforms')->getCloudLocations(SERVER_PLATFORMS::EC2, false), 'cluster' => $dbCluster, 'accountId' => $this->environment->cloudCredentials(SERVER_PLATFORMS::EC2)->properties[Entity\CloudCredentialsProperty::AWS_ACCOUNT_ID], 'remoteAddress' => $this->request->getRemoteAddr()]); }
/** * @test * @depends testFunctionalEc2 */ public function testFunctionalVpc() { $this->skipIfEc2PlatformDisabled(); $aws = $this->getContainer()->aws(AwsTestCase::REGION); $aws->ec2->enableEntityManager(); $nameTag = new ResourceTagSetData(self::TAG_NAME_KEY, self::getTestName(self::NAME_TAG_VALUE)); $ret = $aws->ec2->describeAccountAttributes(array('supported-platforms', 'default-vpc')); $this->assertInstanceOf($this->getEc2ClassName('DataType\\AccountAttributeSetList'), $ret); unset($ret); //Removes previously created route tables if they exist. $rtList = $aws->ec2->routeTable->describe(null, array(array('name' => RouteTableFilterNameType::tagName(), 'value' => self::getTestName(self::NAME_TAG_VALUE)))); $this->assertInstanceOf($this->getEc2ClassName('DataType\\RouteTableList'), $rtList); foreach ($rtList as $rt) { /* @var $rt RouteTableData */ foreach ($rt->routeSet as $route) { /* @var $route RouteData */ try { $route->delete(); } catch (ClientException $e) { } } foreach ($rt->associationSet as $rtassoc) { try { $rtassoc->disassociate(); } catch (ClientException $e) { } } $rt->delete(); } unset($rtList); //Removes previously created Network Interfaces if they have not been removed during past test executions. $eniList = $aws->ec2->networkInterface->describe(null, array(array('name' => NetworkInterfaceFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE)))); $this->assertInstanceOf($this->getEc2ClassName('DataType\\NetworkInterfaceList'), $eniList); foreach ($eniList as $v) { $v->delete(); } unset($eniList); $subnetList = $aws->ec2->subnet->describe(null, array(array('name' => SubnetFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE)))); $this->assertInstanceOf($this->getEc2ClassName('DataType\\SubnetList'), $subnetList); foreach ($subnetList as $subnet) { /* @var $subnet SubnetData */ $subnet->delete(); } unset($subnetList); //Removes previously created Internet Gateways which has not been removed during previous test run. $igwList = $aws->ec2->internetGateway->describe(null, array(array('name' => InternetGatewayFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE)))); $this->assertInstanceOf($this->getEc2ClassName('DataType\\InternetGatewayList'), $igwList); foreach ($igwList as $igw) { /* @var $igw InternetGatewayData */ if (count($igw->attachmentSet)) { //Detaches previously attachet VPC $igw->attachmentSet->get(0)->detach(); for ($t = time(); time() - $t < 100 && !empty($igw->attachmentSet[0]) && $igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_DETACHING; sleep(3)) { $igw = $igw->refresh(); } } //Deletes previously created internet gateways $igw->delete(); } unset($igwList); //We should be assured that group which is used for the test does not exists $list = $aws->ec2->securityGroup->describe(null, null, new SecurityGroupFilterData(SecurityGroupFilterNameType::groupName(), self::getTestName(self::NAME_SECURITY_GROUP_VPC))); if (count($list) > 0) { foreach ($list as $v) { $v->delete(); } } unset($list); //Describes VPC $vpcList = $aws->ec2->vpc->describe(null, array(array('name' => VpcFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE)))); $this->assertInstanceOf($this->getEc2ClassName('DataType\\VpcList'), $vpcList); //We should remove VPC which has not been removed by some reason. foreach ($vpcList as $vpc) { $vpc->delete(); unset($vpc); } unset($vpcList); //Creates VPC $vpc = $aws->ec2->vpc->create('10.0.0.0/16'); $this->assertInstanceOf($this->getEc2ClassName('DataType\\VpcData'), $vpc); for ($t = time(); time() - $t < 600 && $vpc->state !== VpcData::STATE_AVAILABLE;) { sleep(5); $vpc = $vpc->refresh(); } $this->assertTrue($vpc->state == VpcData::STATE_AVAILABLE); $ret = $vpc->createTags($nameTag); $this->assertTrue($ret); //Creates an VPC Security group $securityGroupId = $aws->ec2->securityGroup->create(self::getTestName(self::NAME_SECURITY_GROUP_VPC), self::getTestName(self::NAME_SECURITY_GROUP_VPC) . ' description', $vpc->vpcId); $this->assertNotEmpty($securityGroupId); sleep(2); $sg = $aws->ec2->securityGroup->describe(null, $securityGroupId)->get(0); $this->assertInstanceOf($this->getEc2ClassName('DataType\\SecurityGroupData'), $sg); //Authorizes security group Egress //Example, how to construct the list with arrays $ipperm3array = array(array('ipProtocol' => 'tcp', 'fromPort' => 80, 'toPort' => 80, 'ipRanges' => array(array('cidrIp' => '192.0.2.0/24'), array('cidrIp' => '198.51.100.0/24')))); $ipperm3 = new IpPermissionList($ipperm3array); $this->assertInstanceOf($this->getEc2ClassName('DataType\\IpPermissionData'), $ipperm3->get(0)); $this->assertInstanceOf($this->getEc2ClassName('DataType\\IpRangeList'), $ipperm3->get(0)->ipRanges); $this->assertEquals(2, $ipperm3->get(0)->ipRanges->count()); $this->assertEquals('192.0.2.0/24', $ipperm3->get(0)->ipRanges->get(0)->cidrIp); $this->assertEquals('198.51.100.0/24', $ipperm3->get(0)->ipRanges->get(1)->cidrIp); //The same can be produced in the another way $ipperm4 = new IpPermissionList(new IpPermissionData('tcp', 80, 80, array(new IpRangeData('192.0.2.0/24'), new IpRangeData('198.51.100.0/24')))); //Checks the equality $this->assertEquals($ipperm3->toArray(), $ipperm4->toArray()); //Authorizes IP Permission Egress $ret = $sg->authorizeEgress($ipperm3); $this->assertTrue($ret); sleep(1); //Checks if specified IP Permission is successfully set $sg->refresh(); $this->assertContains('192.0.2.0/24', $sg->ipPermissionsEgress->getQueryArrayBare()); //Revokes IP Permission Egress //You may pass an array directly to the method $ret = $sg->revokeEgress($ipperm3array); $this->assertTrue($ret); sleep(3); $sg->refresh(); //Checks if IP Permission is successfully revoked. $this->assertNotContains('192.0.2.0/24', $sg->ipPermissionsEgress->getQueryArrayBare()); $this->assertNotContains('198.51.100.0/24', $sg->ipPermissionsEgress->getQueryArrayBare()); //Creates subneet for the networkInterface $subnet = $aws->ec2->subnet->create($vpc->vpcId, '10.0.0.0/16'); $this->assertInstanceOf($this->getEc2ClassName('DataType\\SubnetData'), $subnet); for ($t = time(); time() - $t < 600 && $subnet->state !== SubnetData::STATE_AVAILABLE;) { sleep(5); $subnet = $subnet->refresh(); } $this->assertTrue($subnet->state == SubnetData::STATE_AVAILABLE); $ret = $subnet->createTags($nameTag); $this->assertTrue($ret); //Creates network interface $eni = $aws->ec2->networkInterface->create($subnet->subnetId); $this->assertInstanceOf($this->getEc2ClassName('DataType\\NetworkInterfaceData'), $eni); sleep(4); $ret = $eni->createTags($nameTag); $this->assertTrue($ret); //DescribeAttribute test foreach (NetworkInterfaceAttributeType::getAllowedValues() as $attr) { $expected = $eni->{$attr}; $v = $eni->describeAttribute($attr); $this->assertEquals($expected, $v); if (is_object($v)) { //It's true only if entityManager is enabled $this->assertSame($eni->{$attr}, $v); } } //ModifyAttribute test $ret = $eni->modifyAttribute(NetworkInterfaceAttributeType::sourceDestCheck(), true); $this->assertTrue($ret); //ResetAttrubute test $ret = $eni->resetAttribute(NetworkInterfaceAttributeType::sourceDestCheck()); $this->assertTrue($ret); //Creates Internet Gateway $igw = $aws->ec2->internetGateway->create(); $this->assertInstanceOf($this->getEc2ClassName('DataType\\InternetGatewayData'), $igw); $this->assertNotEmpty($igw->internetGatewayId); sleep(4); $igw->createTags($nameTag); //Attaches Internet Gateway to VPC $ret = $igw->attach($vpc->vpcId); $this->assertTrue($ret); $t = time(); do { sleep(3); $igw = $igw->refresh(); //Verifies that external index for attachmentSet is set properly. $this->assertEquals($igw->internetGatewayId, $igw->attachmentSet[0]->getInternetGatewayId()); } while (time() - $t < 100 && $igw->attachmentSet[0]->state != InternetGatewayAttachmentData::STATE_ATTACHED); $this->assertTrue($igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_AVAILABLE); //Detaches Internet Gateway from VPC $ret = $igw->detach($vpc->vpcId); $this->assertTrue($ret); for ($t = time(); time() - $t < 100 && count($igw->attachmentSet) && $igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_DETACHING; sleep(3)) { $igw = $igw->refresh(); } $this->assertTrue($igw->attachmentSet[0]->state !== InternetGatewayAttachmentData::STATE_DETACHING); //Creates RouteTable $rt = $vpc->createRouteTable(); $this->assertInstanceOf($this->getEc2ClassName('DataType\\RouteTableData'), $rt); $this->assertNotEmpty($rt->routeTableId); $this->assertEquals($vpc->vpcId, $rt->vpcId); sleep(5); $ret = $rt->createTags($nameTag); $this->assertTrue($ret); //Associates route table with the subnet $associationId = $rt->associate($subnet->subnetId); $this->assertNotEmpty($associationId); $rt = $rt->refresh(); $this->assertTrue(count($rt->associationSet) > 0); $c = array(); foreach ($rt->associationSet as $rtassoc) { /* @var $rtassoc RouteTableAssociationData */ $c[] = $rtassoc->routeTableAssociationId; } $this->assertContains($associationId, $c); //Adds Route to Route Table $destinationCidrBlock = '0.0.0.0/0'; $ret = $rt->createRoute($destinationCidrBlock, null, null, $eni->networkInterfaceId); $this->assertTrue($ret); $rt = $rt->refresh(); $this->assertTrue(count($rt->routeSet) > 0); $c = array(); foreach ($rt->routeSet as $route) { /* @var $route RouteData */ $c[$route->destinationCidrBlock] = $route; unset($route); } $this->assertArrayHasKey($destinationCidrBlock, $c); $route = $c[$destinationCidrBlock]; //Deletes Route $ret = $route->delete(); $this->assertTrue($ret); unset($route); $rt = $rt->refresh(); //Disassociates route table with the subnet foreach ($rt->associationSet as $rtassoc) { if ($rtassoc->routeTableAssociationId == $associationId) { $ret = $rtassoc->disassociate(); $this->assertTrue($ret); } } //RunInstance test $request = new RunInstancesRequestData(self::INSTANCE_IMAGE_ID, 1, 1); $request->instanceType = self::INSTANCE_TYPE; //Placement groups may not be used with instances of type 'm1.small'. $request->setPlacement(new PlacementResponseData($subnet->availabilityZone)); $request->setMonitoring(true); // test Assosiate Public Ip $instanceList = new Ec2\DataType\InstanceNetworkInterfaceSetRequestList(); $instanceData = new Ec2\DataType\InstanceNetworkInterfaceSetRequestData(); $instanceData->deviceIndex = 0; $instanceData->associatePublicIpAddress = true; $instanceData->subnetId = $subnet->subnetId; $instanceList->append($instanceData); $request->setNetworkInterface($instanceList); $request->userData = base64_encode("test=26;"); $rd = $aws->ec2->instance->run($request); $this->assertInstanceOf($this->getEc2ClassName('DataType\\ReservationData'), $rd); sleep(60); //Terminates the instance $ind = $rd->instancesSet[0]; $st = $ind->terminate(); $this->assertInstanceOf($this->getEc2ClassName('DataType\\InstanceStateChangeList'), $st); $this->assertEquals(1, count($st)); $this->assertEquals($rd->instancesSet[0]->instanceId, $st[0]->getInstanceId()); for ($t = time(); time() - $t < 200 && $ind && $ind->instanceState->name != InstanceStateData::NAME_TERMINATED; sleep(5)) { $ind = $ind->refresh(); } $this->assertTrue(!$ind || $ind->instanceState->name == InstanceStateData::NAME_TERMINATED); if (isset($ind)) { unset($ind); } //Removes Route Table $ret = $rt->delete(); $this->assertTrue($ret); //Removes Internet Gateway $ret = $igw->delete(); $this->assertTrue($ret); //Removes Network Interface $ret = $eni->delete(); $this->assertTrue($ret); //Removes Subnet $ret = $subnet->delete(); $this->assertTrue($ret); //Removes securigy group $ret = $sg->delete(); $this->assertTrue($ret); //Removes VPC $ret = $vpc->delete(); $this->assertTrue($ret); $aws->ec2->getEntityManager()->detachAll(); }
/** * Gets the list of the security groups for the specified db server. * * If server does not have required security groups this method will create them. * * @param DBServer $DBServer The DB Server instance * @param \Scalr\Service\Aws\Ec2 $ec2 Ec2 Client instance * @param string $vpcId optional The ID of VPC * @return array Returns array looks like array(groupid-1, groupid-2, ..., groupid-N) */ private function GetServerSecurityGroupsList(DBServer $DBServer, \Scalr\Service\Aws\Ec2 $ec2, $vpcId = "", \Scalr_Governance $governance = null) { $retval = array(); $checkGroups = array(); $sgGovernance = true; $allowAdditionalSgs = true; $vpcId = null; if ($governance) { $sgs = $governance->getValue(\SERVER_PLATFORMS::EUCALYPTUS, \Scalr_Governance::EUCALYPTUS_SECURITY_GROUPS); if ($sgs !== null) { $governanceSecurityGroups = @explode(",", $sgs); if (!empty($governanceSecurityGroups)) { foreach ($governanceSecurityGroups as $sg) { if ($sg != '') { array_push($checkGroups, trim($sg)); } } } $sgGovernance = false; $allowAdditionalSgs = $governance->getValue(\SERVER_PLATFORMS::EUCALYPTUS, \Scalr_Governance::EUCALYPTUS_SECURITY_GROUPS, 'allow_additional_sec_groups'); } } if (!$sgGovernance || $allowAdditionalSgs) { if ($DBServer->farmRoleId != 0) { $dbFarmRole = $DBServer->GetFarmRoleObject(); if ($dbFarmRole->GetSetting(DBFarmRole::SETTING_EUCA_SECURITY_GROUPS_LIST) !== null) { // New SG management $sgs = @json_decode($dbFarmRole->GetSetting(DBFarmRole::SETTING_EUCA_SECURITY_GROUPS_LIST)); if (!empty($sgs)) { foreach ($sgs as $sg) { if (stripos($sg, 'sg-') === 0) { array_push($retval, $sg); } else { array_push($checkGroups, $sg); } } } } } else { array_push($checkGroups, 'scalr-rb-system'); } } // No name based security groups, return only SG ids. if (empty($checkGroups)) { return $retval; } // Filter groups $filter = array(array('name' => SecurityGroupFilterNameType::groupName(), 'value' => $checkGroups)); // Get filtered list of SG required by scalr; try { $list = $ec2->securityGroup->describe(null, null, $filter); $sgList = array(); foreach ($list as $sg) { /* @var $sg \Scalr\Service\Aws\Ec2\DataType\SecurityGroupData */ if ($vpcId == '' && !$sg->vpcId || $vpcId && $sg->vpcId == $vpcId) { $sgList[$sg->groupName] = $sg->groupId; } } unset($list); } catch (\Exception $e) { throw new \Exception("Cannot get list of security groups (1): {$e->getMessage()}"); } foreach ($checkGroups as $groupName) { // Check default SG if ($groupName == 'default') { array_push($retval, $sgList[$groupName]); // Check Roles builder SG } elseif ($groupName == 'scalr-rb-system') { if (!isset($sgList[$groupName])) { try { $securityGroupId = $ec2->securityGroup->create('scalr-rb-system', "Security group for Roles Builder", $vpcId); $ipRangeList = new IpRangeList(); foreach (\Scalr::config('scalr.aws.ip_pool') as $ip) { $ipRangeList->append(new IpRangeData($ip)); } sleep(2); $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 22, 22, $ipRangeList), new IpPermissionData('tcp', 8008, 8013, $ipRangeList)), $securityGroupId); $sgList['scalr-rb-system'] = $securityGroupId; } catch (\Exception $e) { throw new \Exception(sprintf(_("Cannot create security group '%s': %s"), 'scalr-rb-system', $e->getMessage())); } } array_push($retval, $sgList[$groupName]); //Check scalr-farm.* security group } elseif (stripos($groupName, 'scalr-farm.') === 0) { if (!isset($sgList[$groupName])) { try { $securityGroupId = $ec2->securityGroup->create($groupName, sprintf("Security group for FarmID N%s", $DBServer->farmId), $vpcId); sleep(2); $userIdGroupPairList = new UserIdGroupPairList(new UserIdGroupPairData($DBServer->GetEnvironmentObject()->getPlatformConfigValue(self::ACCOUNT_ID), null, $groupName)); $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 0, 65535, null, $userIdGroupPairList), new IpPermissionData('udp', 0, 65535, null, $userIdGroupPairList)), $securityGroupId); $sgList[$groupName] = $securityGroupId; } catch (\Exception $e) { throw new \Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage())); } } array_push($retval, $sgList[$groupName]); //Check scalr-role.* security group } elseif (stripos($groupName, 'scalr-role.') === 0) { if (!isset($sgList[$groupName])) { try { $securityGroupId = $ec2->securityGroup->create($groupName, sprintf("Security group for FarmRoleID N%s on FarmID N%s", $DBServer->GetFarmRoleObject()->ID, $DBServer->farmId), $vpcId); sleep(2); // DB rules $dbRules = $DBServer->GetFarmRoleObject()->GetRoleObject()->getSecurityRules(); $groupRules = array(); foreach ($dbRules as $rule) { $groupRules[\Scalr_Util_CryptoTool::hash($rule['rule'])] = $rule; } // Behavior rules foreach (\Scalr_Role_Behavior::getListForFarmRole($DBServer->GetFarmRoleObject()) as $bObj) { $bRules = $bObj->getSecurityRules(); foreach ($bRules as $r) { if ($r) { $groupRules[\Scalr_Util_CryptoTool::hash($r)] = array('rule' => $r); } } } // Default rules $userIdGroupPairList = new UserIdGroupPairList(new UserIdGroupPairData($DBServer->GetEnvironmentObject()->getPlatformConfigValue(self::ACCOUNT_ID), null, $groupName)); $rules = array(new IpPermissionData('tcp', 0, 65535, null, $userIdGroupPairList), new IpPermissionData('udp', 0, 65535, null, $userIdGroupPairList)); foreach ($groupRules as $rule) { $group_rule = explode(":", $rule["rule"]); $rules[] = new IpPermissionData($group_rule[0], $group_rule[1], $group_rule[2], new IpRangeData($group_rule[3])); } $ec2->securityGroup->authorizeIngress($rules, $securityGroupId); $sgList[$groupName] = $securityGroupId; } catch (\Exception $e) { throw new \Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage())); } } array_push($retval, $sgList[$groupName]); } elseif ($groupName == \Scalr::config('scalr.aws.security_group_name')) { if (!isset($sgList[$groupName])) { try { $securityGroupId = $ec2->securityGroup->create($groupName, "Security rules needed by Scalr", $vpcId); $ipRangeList = new IpRangeList(); foreach (\Scalr::config('scalr.aws.ip_pool') as $ip) { $ipRangeList->append(new IpRangeData($ip)); } // TODO: Open only FOR VPC ranges $ipRangeList->append(new IpRangeData('10.0.0.0/8')); sleep(2); $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 3306, 3306, $ipRangeList), new IpPermissionData('tcp', 8008, 8013, $ipRangeList), new IpPermissionData('udp', 8014, 8014, $ipRangeList)), $securityGroupId); $sgList[$groupName] = $securityGroupId; } catch (\Exception $e) { throw new \Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage())); } } array_push($retval, $sgList[$groupName]); } else { if (!isset($sgList[$groupName])) { throw new \Exception(sprintf(_("Security group '%s' is not found"), $groupName)); } else { array_push($retval, $sgList[$groupName]); } } } return $retval; }
public function onFarmSave(DBFarm $dbFarm, DBFarmRole $dbFarmRole) { $vpcId = $dbFarm->GetSetting(DBFarm::SETTING_EC2_VPC_ID); if (!$vpcId) { //REMOVE VPC RELATED SETTINGS return; } if ($dbFarmRole->GetSetting(self::ROLE_VPC_ROUTER_CONFIGURED) == 1) { // ALL OBJECTS ALREADY CONFIGURED return true; } $aws = $dbFarm->GetEnvironmentObject()->aws($dbFarmRole->CloudLocation); $filter = array(array('name' => SubnetFilterNameType::vpcId(), 'value' => $vpcId), array('name' => SubnetFilterNameType::tagKey(), 'value' => 'scalr-sn-type'), array('name' => SubnetFilterNameType::tagValue(), 'value' => self::INTERNET_ACCESS_FULL)); // Try to find scalr FULL subnet $subnets = $aws->ec2->subnet->describe(null, $filter); if ($subnets->count() > 0) { $subnetId = $subnets->get(0)->subnetId; } if (!$subnetId) { $platform = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2); $subnet = $platform->AllocateNewSubnet($aws->ec2, $vpcId, null); $subnetId = $subnet->subnetId; //ADD TAGS try { $subnet->createTags(array(array('key' => "scalr-id", 'value' => SCALR_ID), array('key' => "scalr-sn-type", 'value' => self::INTERNET_ACCESS_FULL), array('key' => "Name", 'value' => 'Scalr System Subnet'))); } catch (Exception $e) { } $routingTableId = $platform->getRoutingTable(self::INTERNET_ACCESS_FULL, $aws, null, $vpcId); //Associate Routing table with subnet $aws->ec2->routeTable->associate($routingTableId, $subnetId); } $niId = $dbFarmRole->GetSetting(self::ROLE_VPC_NID); if (!$niId) { //Create Network interface $createNetworkInterfaceRequestData = new CreateNetworkInterfaceRequestData($subnetId); // Check and create security group $filter = array(array('name' => SecurityGroupFilterNameType::groupName(), 'value' => array('SCALR-VPC')), array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId)); try { $list = $aws->ec2->securityGroup->describe(null, null, $filter); if ($list->count() > 0 && $list->get(0)->groupName == 'SCALR-VPC') { $sgId = $list->get(0)->groupId; } } catch (Exception $e) { throw new Exception("Cannot get list of security groups (1): {$e->getMessage()}"); } if (!$sgId) { $sgId = $aws->ec2->securityGroup->create('SCALR-VPC', 'System SG for Scalr VPC integration', $vpcId); $ipRangeList = new IpRangeList(); $ipRangeList->append(new IpRangeData('0.0.0.0/0')); $ipRangeListLocal = new IpRangeList(); $ipRangeListLocal->append(new IpRangeData('10.0.0.0/8')); $aws->ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 8008, 8013, $ipRangeList), new IpPermissionData('tcp', 80, 80, $ipRangeList), new IpPermissionData('tcp', 443, 443, $ipRangeList), new IpPermissionData('tcp', 0, 65535, $ipRangeListLocal), new IpPermissionData('udp', 0, 65535, $ipRangeListLocal)), $sgId); } $createNetworkInterfaceRequestData->setSecurityGroupId(array('groupId' => $sgId)); $networkInterface = $aws->ec2->networkInterface->create($createNetworkInterfaceRequestData); // Disable sourceDeskCheck $networkInterface->modifyAttribute(NetworkInterfaceAttributeType::sourceDestCheck(), 0); $niId = $networkInterface->networkInterfaceId; $dbFarmRole->SetSetting(self::ROLE_VPC_NID, $niId, DBFarmRole::TYPE_LCL); try { $networkInterface->createTags(array(array('key' => "scalr-id", 'value' => SCALR_ID), array('key' => "Name", 'value' => 'Scalr System ENI'))); } catch (Exception $e) { } } // If there is no public IP allocate it and associate with NI $publicIp = $dbFarmRole->GetSetting(self::ROLE_VPC_IP); if ($niId && !$publicIp) { $address = $aws->ec2->address->allocate('vpc'); $publicIp = $address->publicIp; $dbFarmRole->SetSetting(self::ROLE_VPC_IP, $publicIp, DBFarmRole::TYPE_LCL); $dbFarmRole->SetSetting(self::ROLE_VPC_AID, $address->allocationId, DBFarmRole::TYPE_LCL); $associateAddressRequestData = new AssociateAddressRequestData(); $associateAddressRequestData->networkInterfaceId = $niId; $associateAddressRequestData->allocationId = $address->allocationId; //Associate PublicIP with NetworkInterface $aws->ec2->address->associate($associateAddressRequestData); } $dbFarmRole->SetSetting(self::ROLE_VPC_ROUTER_CONFIGURED, 1, DBFarmRole::TYPE_LCL); }
private function getGroupIdByName($platform, $cloudLocation, $securityGroupName, $vpcId = null) { $result = null; $filter = array(array('name' => SecurityGroupFilterNameType::groupName(), 'value' => $securityGroupName)); if ($vpcId) { $filter[] = array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId); } /* @var $sgInfo SecurityGroupData */ $list = $this->getCloudInstance($platform, $cloudLocation)->ec2->securityGroup->describe(null, null, $filter); if (count($list) > 0) { foreach ($list as $v) { if (!empty($vpcId) && $v->vpcId == $vpcId || empty($vpcId) && empty($v->vpcId)) { $result = $v->groupId; break; } } } return $result; }
private function listGroupsEc2($platform, $cloudLocation, $filters) { $sgFilter = null; $result = array(); if (!empty($filters['sgIds'])) { $sgFilter = is_null($sgFilter) ? array() : $sgFilter; $sgFilter[] = array('name' => SecurityGroupFilterNameType::groupId(), 'value' => $filters['sgIds']); } if (!empty($filters['vpcId'])) { $sgFilter = is_null($sgFilter) ? array() : $sgFilter; $sgFilter[] = array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']); } $sgList = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $sgFilter); /* @var $sg SecurityGroupData */ foreach ($sgList as $sg) { $result[] = array('id' => $sg->groupId, 'name' => $sg->groupName, 'description' => $sg->groupDescription, 'vpcId' => $sg->vpcId, 'owner' => $sg->ownerId); } return $result; }
/** * xLaunchInstanceAction * * @param string $cloudLocation * @param string $Engine * @param string $DBInstanceIdentifier * @param string $DBInstanceClass * @param string $MasterUsername * @param RawData $MasterUserPassword * @param string $DBParameterGroup * @param string $LicenseModel optional * @param string $OptionGroupName optional * @param string $AllocatedStorage optional * @param string $StorageType optional * @param int $farmId optional * @param string $DBName optional * @param int $Port optional * @param string $VpcId optional * @param JsonData $VpcSecurityGroups optional * @param JsonData $DBSecurityGroups optional * @param JsonData $SubnetIds optional * @param bool $StorageEncrypted optional * @param string $KmsKeyId optional * @param string $PreferredBackupWindow optional * @param string $CharacterSetName optional * @param bool $MultiAZ optional * @param bool $AutoMinorVersionUpgrade optional * @param string $AvailabilityZone optional * @param int $Iops optional * @param string $BackupRetentionPeriod optional * @param string $PreferredMaintenanceWindow optional * @param string $DBSubnetGroupName optional * @param string $EngineVersion optional * @param bool $PubliclyAccessible optional * @throws Exception * @throws ScalrException */ public function xLaunchInstanceAction($cloudLocation, $Engine, $DBInstanceIdentifier, $DBInstanceClass, $MasterUsername, RawData $MasterUserPassword, $DBParameterGroup, $LicenseModel = null, $OptionGroupName = null, $AllocatedStorage = null, $StorageType = null, $farmId = null, $DBName = null, $Port = null, $VpcId = null, JsonData $VpcSecurityGroups = null, JsonData $DBSecurityGroups = null, JsonData $SubnetIds = null, $StorageEncrypted = false, $KmsKeyId = null, $PreferredBackupWindow = null, $CharacterSetName = null, $MultiAZ = null, $AutoMinorVersionUpgrade = false, $AvailabilityZone = null, $Iops = null, $BackupRetentionPeriod = null, $PreferredMaintenanceWindow = null, $DBSubnetGroupName = null, $EngineVersion = null, $PubliclyAccessible = false) { $this->request->restrictAccess(Acl::RESOURCE_AWS_RDS, Acl::PERM_AWS_RDS_MANAGE); $aws = $this->getAwsClient($cloudLocation); if ($Engine == 'mysql') { $Engine = 'MySQL'; } $request = new CreateDBInstanceRequestData($DBInstanceIdentifier, $DBInstanceClass, $Engine); if ($Engine == 'aurora') { $StorageType = 'aurora'; $request->dBClusterIdentifier = strtolower($DBInstanceIdentifier); } if ($StorageEncrypted) { $request->storageEncrypted = $Engine != 'aurora' ? true : null; if ($KmsKeyId) { $kmsKey = $aws->kms->key->describe($KmsKeyId); if (!$kmsKey->enabled) { throw new Exception("This KMS Key is disabled, please choose another one."); } $allowed = true; $governance = new Scalr_Governance($this->getEnvironmentId()); $allowedKeys = $governance->getValue(SERVER_PLATFORMS::EC2, Scalr_Governance::AWS_KMS_KEYS, $cloudLocation); if (!empty($allowedKeys)) { $allowed = false; foreach ($allowedKeys['keys'] as $key) { if ($key['id'] == $kmsKey->keyId) { $allowed = true; break; } } } if (!$allowed) { throw new ScalrException("A KMS Policy is active in this Environment, access to '{$kmsKey->keyId}' has been restricted by account owner."); } $request->kmsKeyId = $Engine != 'aurora' ? $KmsKeyId : null; } } if (empty($request->dBClusterIdentifier)) { $request->allocatedStorage = $AllocatedStorage; $request->masterUsername = $MasterUsername; $request->masterUserPassword = (string) $MasterUserPassword; $request->dBName = $DBName ?: null; $request->port = $Port ?: null; $request->preferredBackupWindow = $PreferredBackupWindow ?: null; $vpcSgIds = []; foreach ($VpcSecurityGroups as $VpcSecurityGroup) { $vpcSgIds[] = $VpcSecurityGroup['id']; } $request->vpcSecurityGroupIds = empty($vpcSgIds) ? null : $vpcSgIds; } $request->characterSetName = $CharacterSetName ?: null; if (!empty($DBParameterGroup)) { $paramGroups = $aws->rds->dbParameterGroup->describe(); foreach ($paramGroups as $param) { /* @var $param DBParameterGroupData */ if ($param->dBParameterGroupName == $DBParameterGroup) { $paramGroup = $param; break; } } } if (!empty($paramGroup)) { $request->dBParameterGroupName = $paramGroup->dBParameterGroupName; } $isMirror = $MultiAZ && in_array($Engine, [DBInstanceData::ENGINE_SQL_SERVER_SE, DBInstanceData::ENGINE_SQL_SERVER_EE]); $optionList = $aws->rds->optionGroup->describe($Engine); foreach ($optionList as $option) { /* @var $option OptionGroupData */ if ($option->optionGroupName == $OptionGroupName) { $optionGroup = $option; break; } } if (isset($optionGroup)) { $request->optionGroupName = $optionGroup->optionGroupName; } else { if ($isMirror) { $request->optionGroupName = $OptionGroupName; } } $dbSgIds = []; foreach ($DBSecurityGroups as $DBSecurityGroup) { $dbSgIds[] = $DBSecurityGroup; } $request->dBSecurityGroups = empty($dbSgIds) ? null : $dbSgIds; $request->autoMinorVersionUpgrade = $AutoMinorVersionUpgrade; $request->availabilityZone = $AvailabilityZone ?: null; $request->backupRetentionPeriod = $BackupRetentionPeriod ?: null; $request->preferredMaintenanceWindow = $PreferredMaintenanceWindow ?: null; $request->multiAZ = $isMirror ? false : $MultiAZ; $request->storageType = $StorageType; $request->dBSubnetGroupName = $DBSubnetGroupName ?: null; $request->licenseModel = $LicenseModel; $request->engineVersion = $EngineVersion ?: null; $request->iops = $Iops ?: null; if ($VpcId) { $request->publiclyAccessible = $PubliclyAccessible; } $tagsObject = $farmId ? DBFarm::LoadByID($farmId) : $this->environment; $request->tags = new TagsList($tagsObject->getAwsTags()); $result = self::loadController('Aws', 'Scalr_UI_Controller_Tools')->checkSecurityGroupsPolicy($VpcSecurityGroups, Aws::SERVICE_INTERFACE_RDS); if ($result === true) { $result = self::loadController('Aws', 'Scalr_UI_Controller_Tools')->checkVpcPolicy($VpcId, $SubnetIds, $cloudLocation); } if ($result === true) { if (!empty($request->dBClusterIdentifier)) { try { $checkInstance = $aws->rds->dbInstance->describe($request->dBInstanceIdentifier); } catch (Exception $e) { $checkInstance = []; } if (count($checkInstance) > 0) { throw new Exception(sprintf("AWS Error. DB Instance with identifier %s already exists.", $request->dBInstanceIdentifier)); } self::loadController('Clusters', 'Scalr_UI_Controller_Tools_Aws_Rds')->xSaveAction($cloudLocation, $request->dBClusterIdentifier, $Engine, $MasterUsername, $MasterUserPassword, $VpcId, $Port, $DBName, $request->characterSetName, $request->dBParameterGroupName, $request->optionGroupName, new JsonData([$request->availabilityZone]), $request->backupRetentionPeriod, $PreferredBackupWindow, $request->preferredMaintenanceWindow, $request->dBSubnetGroupName, $request->engineVersion, $farmId, $VpcSecurityGroups, $SubnetIds, $StorageEncrypted, $KmsKeyId); } $instance = $aws->rds->dbInstance->create($request); CloudResource::deletePk($request->dBInstanceIdentifier, CloudResource::TYPE_AWS_RDS, $this->getEnvironmentId(), \SERVER_PLATFORMS::EC2, $cloudLocation); if ($farmId) { $cloudResource = new CloudResource(); $cloudResource->id = $request->dBInstanceIdentifier; $cloudResource->type = CloudResource::TYPE_AWS_RDS; $cloudResource->platform = \SERVER_PLATFORMS::EC2; $cloudResource->cloudLocation = $cloudLocation; $cloudResource->envId = $this->getEnvironmentId(); $cloudResource->farmId = $farmId; $cloudResource->save(); } $vpcSglist = null; if (!empty($VpcId)) { $filter[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $VpcId]; $vpcSglist = $aws->ec2->securityGroup->describe(null, null, $filter); } $clusters = null; if (!empty($instance->dBClusterIdentifier)) { /* @var $cluster DBClusterData */ $clusters = $aws->rds->dbCluster->describe($instance->dBClusterIdentifier); } $data = $this->getDbInstanceData($aws, $instance, $vpcSglist, $clusters); $data['isReplica'] = false; if ($isMirror) { $data['MultiAZ'] = true; } $this->response->success("DB Instance successfully created"); $this->response->data(['instance' => $data, 'cloudLocation' => $cloudLocation]); } else { $this->response->failure($result); } }
/** * Gets the list of the security groups for the specified db server. * * If server does not have required security groups this method will create them. * * @param DBServer $DBServer The DB Server instance * @param \Scalr\Service\Aws\Ec2 $ec2 Ec2 Client instance * @param string $vpcId optional The ID of VPC * @param \Scalr_Governance $governance Governance * @param string $osFamily optional OS family of the instance * @return array Returns array looks like array(groupid-1, groupid-2, ..., groupid-N) */ private function GetServerSecurityGroupsList(DBServer $DBServer, \Scalr\Service\Aws\Ec2 $ec2, $vpcId = "", \Scalr_Governance $governance = null, $osFamily = null) { $retval = array(); $checkGroups = array(); $wildCardSgs = []; $sgGovernance = false; $allowAdditionalSgs = true; $roleBuilderSgName = \Scalr::config('scalr.aws.security_group_name') . "-rb"; if ($governance && $DBServer->farmRoleId) { $sgs = $governance->getValue(SERVER_PLATFORMS::EC2, \Scalr_Governance::AWS_SECURITY_GROUPS); if ($osFamily == 'windows' && $governance->getValue(SERVER_PLATFORMS::EC2, \Scalr_Governance::AWS_SECURITY_GROUPS, 'windows')) { $sgs = $governance->getValue(SERVER_PLATFORMS::EC2, \Scalr_Governance::AWS_SECURITY_GROUPS, 'windows'); } if ($sgs !== null) { $governanceSecurityGroups = @explode(",", $sgs); if (!empty($governanceSecurityGroups)) { foreach ($governanceSecurityGroups as $sg) { if ($sg != '') { array_push($checkGroups, trim($sg)); if (strpos($sg, '*') !== false) { array_push($wildCardSgs, trim($sg)); } } } } if (!empty($checkGroups)) { $sgGovernance = true; } $allowAdditionalSgs = $governance->getValue(SERVER_PLATFORMS::EC2, \Scalr_Governance::AWS_SECURITY_GROUPS, 'allow_additional_sec_groups'); } } if (!$sgGovernance || $allowAdditionalSgs) { if ($DBServer->farmRoleId != 0) { $dbFarmRole = $DBServer->GetFarmRoleObject(); if ($dbFarmRole->GetSetting(Entity\FarmRoleSetting::AWS_SECURITY_GROUPS_LIST) !== null) { // New SG management $sgs = @json_decode($dbFarmRole->GetSetting(Entity\FarmRoleSetting::AWS_SECURITY_GROUPS_LIST)); if (!empty($sgs)) { foreach ($sgs as $sg) { if (stripos($sg, 'sg-') === 0) { array_push($retval, $sg); } else { array_push($checkGroups, $sg); } } } } else { // Old SG management array_push($checkGroups, 'default'); array_push($checkGroups, \Scalr::config('scalr.aws.security_group_name')); if (!$vpcId) { array_push($checkGroups, "scalr-farm.{$DBServer->farmId}"); array_push($checkGroups, "scalr-role.{$DBServer->farmRoleId}"); } $additionalSgs = trim($dbFarmRole->GetSetting(Entity\FarmRoleSetting::AWS_SG_LIST)); if ($additionalSgs) { $sgs = explode(",", $additionalSgs); if (!empty($sgs)) { foreach ($sgs as $sg) { $sg = trim($sg); if (stripos($sg, 'sg-') === 0) { array_push($retval, $sg); } else { array_push($checkGroups, $sg); } } } } } } else { array_push($checkGroups, $roleBuilderSgName); } } // No name based security groups, return only SG ids. if (empty($checkGroups)) { return $retval; } // Filter groups $filter = array(array('name' => SecurityGroupFilterNameType::groupName(), 'value' => $checkGroups)); // If instance run in VPC, add VPC filter if ($vpcId != '') { $filter[] = array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId); } // Get filtered list of SG required by scalr; try { $list = $ec2->securityGroup->describe(null, null, $filter); $sgList = array(); foreach ($list as $sg) { /* @var $sg \Scalr\Service\Aws\Ec2\DataType\SecurityGroupData */ if ($vpcId == '' && !$sg->vpcId || $vpcId && $sg->vpcId == $vpcId) { $sgList[$sg->groupName] = $sg->groupId; } } unset($list); } catch (Exception $e) { throw new Exception("Cannot get list of security groups (1): {$e->getMessage()}"); } foreach ($checkGroups as $groupName) { // Check default SG if ($groupName == 'default') { array_push($retval, $sgList[$groupName]); // Check Roles builder SG } elseif ($groupName == $roleBuilderSgName) { if (!isset($sgList[$groupName])) { try { $securityGroupId = $ec2->securityGroup->create($roleBuilderSgName, "Security group for Roles Builder", $vpcId); $ipRangeList = new IpRangeList(); foreach (\Scalr::config('scalr.aws.ip_pool') as $ip) { $ipRangeList->append(new IpRangeData($ip)); } sleep(2); $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 22, 22, $ipRangeList), new IpPermissionData('tcp', 8008, 8013, $ipRangeList)), $securityGroupId); $sgList[$roleBuilderSgName] = $securityGroupId; } catch (Exception $e) { throw new Exception(sprintf(_("Cannot create security group '%s': %s"), $roleBuilderSgName, $e->getMessage())); } } array_push($retval, $sgList[$groupName]); //Check scalr-farm.* security group } elseif (stripos($groupName, 'scalr-farm.') === 0) { if (!isset($sgList[$groupName])) { try { $securityGroupId = $ec2->securityGroup->create($groupName, sprintf("Security group for FarmID N%s", $DBServer->farmId), $vpcId); sleep(2); $userIdGroupPairList = new UserIdGroupPairList(new UserIdGroupPairData($DBServer->GetEnvironmentObject()->keychain(SERVER_PLATFORMS::EC2)->properties[Entity\CloudCredentialsProperty::AWS_ACCOUNT_ID], null, $groupName)); $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 0, 65535, null, $userIdGroupPairList), new IpPermissionData('udp', 0, 65535, null, $userIdGroupPairList)), $securityGroupId); $sgList[$groupName] = $securityGroupId; } catch (Exception $e) { throw new Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage())); } } array_push($retval, $sgList[$groupName]); //Check scalr-role.* security group } elseif (stripos($groupName, 'scalr-role.') === 0) { if (!isset($sgList[$groupName])) { try { $securityGroupId = $ec2->securityGroup->create($groupName, sprintf("Security group for FarmRoleID N%s on FarmID N%s", $DBServer->GetFarmRoleObject()->ID, $DBServer->farmId), $vpcId); sleep(2); // DB rules $dbRules = $DBServer->GetFarmRoleObject()->GetRoleObject()->getSecurityRules(); $groupRules = array(); foreach ($dbRules as $rule) { $groupRules[CryptoTool::hash($rule['rule'])] = $rule; } // Behavior rules foreach (\Scalr_Role_Behavior::getListForFarmRole($DBServer->GetFarmRoleObject()) as $bObj) { $bRules = $bObj->getSecurityRules(); foreach ($bRules as $r) { if ($r) { $groupRules[CryptoTool::hash($r)] = array('rule' => $r); } } } // Default rules $userIdGroupPairList = new UserIdGroupPairList(new UserIdGroupPairData($DBServer->GetEnvironmentObject()->keychain(SERVER_PLATFORMS::EC2)->properties[Entity\CloudCredentialsProperty::AWS_ACCOUNT_ID], null, $groupName)); $rules = array(new IpPermissionData('tcp', 0, 65535, null, $userIdGroupPairList), new IpPermissionData('udp', 0, 65535, null, $userIdGroupPairList)); foreach ($groupRules as $rule) { $group_rule = explode(":", $rule["rule"]); $rules[] = new IpPermissionData($group_rule[0], $group_rule[1], $group_rule[2], new IpRangeData($group_rule[3])); } $ec2->securityGroup->authorizeIngress($rules, $securityGroupId); $sgList[$groupName] = $securityGroupId; } catch (Exception $e) { throw new Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage())); } } array_push($retval, $sgList[$groupName]); } elseif ($groupName == \Scalr::config('scalr.aws.security_group_name')) { if (!isset($sgList[$groupName])) { try { $securityGroupId = $ec2->securityGroup->create($groupName, "Security rules needed by Scalr", $vpcId); $ipRangeList = new IpRangeList(); foreach (\Scalr::config('scalr.aws.ip_pool') as $ip) { $ipRangeList->append(new IpRangeData($ip)); } // TODO: Open only FOR VPC ranges $ipRangeList->append(new IpRangeData('10.0.0.0/8')); sleep(2); $ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 3306, 3306, $ipRangeList), new IpPermissionData('tcp', 8008, 8013, $ipRangeList), new IpPermissionData('udp', 8014, 8014, $ipRangeList)), $securityGroupId); $sgList[$groupName] = $securityGroupId; } catch (Exception $e) { throw new Exception(sprintf(_("Cannot create security group '%s': %s"), $groupName, $e->getMessage())); } } array_push($retval, $sgList[$groupName]); } else { if (!isset($sgList[$groupName])) { if (!in_array($groupName, $wildCardSgs)) { throw new Exception(sprintf(_("Security group '%s' is not found"), $groupName)); } else { $wildCardMatchedSgs = []; $groupNamePattern = \Scalr_Governance::convertAsteriskPatternToRegexp($groupName); foreach ($sgList as $sgGroupName => $sgGroupId) { if (preg_match($groupNamePattern, $sgGroupName) === 1) { array_push($wildCardMatchedSgs, $sgGroupId); } } if (empty($wildCardMatchedSgs)) { throw new Exception(sprintf(_("Security group matched to pattern '%s' is not found."), $groupName)); } else { if (count($wildCardMatchedSgs) > 1) { throw new Exception(sprintf(_("There are more than one Security group matched to pattern '%s' found."), $groupName)); } else { array_push($retval, $wildCardMatchedSgs[0]); } } } } else { array_push($retval, $sgList[$groupName]); } } } return $retval; }
public function xCreateNetworkInterfaceAction() { $aws = $this->getEnvironment()->aws($this->getParam('cloudLocation')); $ec2 = $aws->ec2; try { $subnetId = $this->getParam('subnetId'); $vpcId = $this->getParam('vpcId'); $vpcInfo = $ec2->vpc->describe($vpcId); /* @var $vpc \Scalr\Service\Aws\Ec2\DataType\VpcData */ $vpc = $vpcInfo->get(0); //Create Network interface $createNetworkInterfaceRequestData = new CreateNetworkInterfaceRequestData($subnetId); $routerSgName = Scalr::config('scalr.aws.security_group_prefix') . 'vpc-router'; // Check and create security group $filter = array(array('name' => SecurityGroupFilterNameType::groupName(), 'value' => array($routerSgName, 'SCALR-VPC')), array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $vpcId)); try { $list = $ec2->securityGroup->describe(null, null, $filter); if ($list->count() > 0 && in_array($list->get(0)->groupName, array('SCALR-VPC', $routerSgName))) { $sgId = $list->get(0)->groupId; } } catch (Exception $e) { throw new Exception("Cannot get list of security groups (1): {$e->getMessage()}"); } if (!$sgId) { $sgId = $aws->ec2->securityGroup->create($routerSgName, 'System SG for Scalr VPC integration', $vpcId); $ipRangeList = new IpRangeList(); $ipRangeList->append(new IpRangeData('0.0.0.0/0')); $ipRangeListLocal = new IpRangeList(); $ipRangeListLocal->append(new IpRangeData($vpc->cidrBlock)); $attempts = 0; while (true) { $attempts++; try { $aws->ec2->securityGroup->authorizeIngress(array(new IpPermissionData('tcp', 8008, 8013, $ipRangeList), new IpPermissionData('tcp', 80, 80, $ipRangeList), new IpPermissionData('tcp', 443, 443, $ipRangeList), new IpPermissionData('tcp', 0, 65535, $ipRangeListLocal), new IpPermissionData('udp', 0, 65535, $ipRangeListLocal)), $sgId); break; } catch (Exception $e) { if ($attempts >= 3) { throw $e; } else { sleep(1); } } } } $createNetworkInterfaceRequestData->setSecurityGroupId(array('groupId' => $sgId)); $networkInterface = $ec2->networkInterface->create($createNetworkInterfaceRequestData); // Disable sourceDeskCheck $networkInterface->modifyAttribute(NetworkInterfaceAttributeType::sourceDestCheck(), 0); $niId = $networkInterface->networkInterfaceId; $attemptsCounter = 0; while (true) { try { $networkInterface->createTags(array(array('key' => "scalr-id", 'value' => SCALR_ID), array('key' => "Name", 'value' => "VPC Router ENI"))); break; } catch (Exception $e) { $attemptsCounter++; if ($attemptsCounter < 5) { sleep(1); continue; } else { throw new Exception($e->getMessage()); } } break; } //ASSOCIATE PUBLIC IP $address = $ec2->address->allocate('vpc'); $publicIp = $address->publicIp; $associateAddressRequestData = new AssociateAddressRequestData(); $associateAddressRequestData->networkInterfaceId = $niId; $associateAddressRequestData->allocationId = $address->allocationId; $associateAddressRequestData->allowReassociation = true; //Associate PublicIP with NetworkInterface $ec2->address->associate($associateAddressRequestData); } catch (Exception $e) { if ($niId) { $ec2->networkInterface->delete($niId); } if ($publicIp) { $ec2->address->release(null, $address->allocationId); } throw $e; } $this->response->success('Network interface successfully created'); $this->response->data(array('ni' => array('id' => $niId, 'publicIp' => $publicIp))); }
private function listGroupsEc2($platform, $cloudLocation, $filters) { $sgFilter = null; $result = []; if (!is_array($filters)) { $filters = []; } if (!empty($filters['sgIds'])) { $sgFilter = is_null($sgFilter) ? array() : $sgFilter; $sgFilter[] = array('name' => SecurityGroupFilterNameType::groupId(), 'value' => $filters['sgIds']); } if (empty($filters['vpcId']) && array_key_exists('vpcId', $filters)) { $p = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2); $defaultVpc = $p->getDefaultVpc($this->environment, $cloudLocation); if ($defaultVpc) { $filters['vpcId'] = $defaultVpc; } } if (!empty($filters['vpcId'])) { $sgFilter = is_null($sgFilter) ? array() : $sgFilter; $sgFilter[] = array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']); } $sgList = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $sgFilter); /* @var $sg SecurityGroupData */ foreach ($sgList as $sg) { if (is_array($filters) && array_key_exists('vpcId', $filters) && $filters['vpcId'] == null && $sg->vpcId) { //we don't want to see VPC Security groups when $filters['vpcId'] == null continue; } $result[] = ['id' => $sg->groupId, 'name' => $sg->groupName, 'description' => $sg->groupDescription, 'vpcId' => $sg->vpcId, 'owner' => $sg->ownerId]; } if ($filters['considerGovernance']) { $filteredSg = []; $allowedSgNames = []; $governance = new Scalr_Governance($this->getEnvironmentId()); $governanceSecurityGroups = $governance->getValue(SERVER_PLATFORMS::EC2, Scalr_Governance::getEc2SecurityGroupPolicyNameForService($filters['serviceName']), ''); if ($governanceSecurityGroups) { $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns($filters['osFamily'] == 'windows' && $governanceSecurityGroups['windows'] ? $governanceSecurityGroups['windows'] : $governanceSecurityGroups['value']); $sgOptionalPatterns = $governanceSecurityGroups['allow_additional_sec_groups'] ? \Scalr_Governance::prepareSecurityGroupsPatterns($governanceSecurityGroups['additional_sec_groups_list']) : []; foreach ($result as $sg) { $sgNameLowerCase = strtolower($sg['name']); $sgAllowed = false; if ($governanceSecurityGroups['allow_additional_sec_groups']) { if (!empty($sgOptionalPatterns)) { if (isset($sgOptionalPatterns[$sgNameLowerCase])) { $sgAllowed = true; } else { foreach ($sgOptionalPatterns as &$sgOptionalPattern) { if (isset($sgOptionalPattern['regexp']) && preg_match($sgOptionalPattern['regexp'], $sg['name']) === 1) { $sgAllowed = true; break; } } } } else { $sgAllowed = true; } } if (isset($sgRequiredPatterns[$sgNameLowerCase])) { $sgAllowed = true; $sg['addedByGovernance'] = true; $sgRequiredPatterns[$sgNameLowerCase]['found'] = true; } else { foreach ($sgRequiredPatterns as &$sgRequiredPattern) { if (isset($sgRequiredPattern['regexp']) && preg_match($sgRequiredPattern['regexp'], $sg['name']) === 1) { $sgRequiredPattern['matches'][] = $sg; break; } } } if ($sgAllowed) { $allowedSgNames[] = $sgNameLowerCase; $filteredSg[$sg['id']] = $sg; } } foreach ($sgRequiredPatterns as &$sgRequiredPattern) { if (isset($sgRequiredPattern['matches']) && count($sgRequiredPattern['matches']) == 1) { $sg = $sgRequiredPattern['matches'][0]; if (!isset($filteredSg[$sg['id']])) { $filteredSg[$sg['id']] = $sg; } $filteredSg[$sg['id']]['addedByGovernance'] = true; $sgRequiredPattern['found'] = true; } } $result = $filteredSg; if (!$filters['existingGroupsOnly']) { foreach ($sgRequiredPatterns as $sgRequiredPattern) { if (!$sgRequiredPattern['found']) { $result[] = ['id' => null, 'name' => $sgRequiredPattern['value'], 'description' => null, 'vpcId' => null, 'owner' => null, 'addedByGovernance' => true]; } } } } } return $result; }
private function listGroupsEc2($platform, $cloudLocation, $filters) { $sgFilter = null; $result = []; if (!is_array($filters)) { $filters = []; } if (empty($filters['vpcId']) && array_key_exists('vpcId', $filters)) { $p = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2); $defaultVpc = $p->getDefaultVpc($this->environment, $cloudLocation); if ($defaultVpc) { $filters['vpcId'] = $defaultVpc; } } if (!empty($filters['vpcId'])) { $sgFilter = is_null($sgFilter) ? array() : $sgFilter; $sgFilter[] = array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']); } $sgList = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $sgFilter); $sgIdsList = !empty($filters['sgIds']) ? (array) $filters['sgIds'] : null; $sgNamesList = !empty($filters['sgNames']) ? (array) $filters['sgNames'] : null; /* @var $sg SecurityGroupData */ foreach ($sgList as $sg) { if (array_key_exists('vpcId', $filters) && $filters['vpcId'] == null && $sg->vpcId) { //we don't want to see VPC Security groups when $filters['vpcId'] == null continue; } if (!$this->isSecurityGroupsListed($sg->groupId, $sg->groupName, $sgIdsList, $sgNamesList)) { continue; } $result[] = ['id' => $sg->groupId, 'name' => $sg->groupName, 'description' => $sg->groupDescription, 'vpcId' => $sg->vpcId, 'owner' => $sg->ownerId]; } return $this->applyGovernanceToSgList($result, $platform, $cloudLocation, $filters); }
private function listGroupsEc2($platform, $cloudLocation, $filters) { $sgFilter = null; $result = []; if (!is_array($filters)) { $filters = []; } if (!empty($filters['sgIds'])) { $sgFilter = is_null($sgFilter) ? array() : $sgFilter; $sgFilter[] = array('name' => SecurityGroupFilterNameType::groupId(), 'value' => $filters['sgIds']); } if (empty($filters['vpcId']) && array_key_exists('vpcId', $filters)) { $p = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2); $defaultVpc = $p->getDefaultVpc($this->environment, $cloudLocation); if ($defaultVpc) { $filters['vpcId'] = $defaultVpc; } } if (!empty($filters['vpcId'])) { $sgFilter = is_null($sgFilter) ? array() : $sgFilter; $sgFilter[] = array('name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']); } $sgList = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $sgFilter); /* @var $sg SecurityGroupData */ $considerGovernance = $filters['considerGovernance']; if ($considerGovernance) { $governance = new Scalr_Governance($this->getEnvironmentId()); $values = $governance->getValues(true); if (!empty($values['ec2']['aws.additional_security_groups']->value)) { $sgDefaultNames = explode(',', $values['ec2']['aws.additional_security_groups']->value); } } $sgNames = []; foreach ($sgList as $sg) { if (is_array($filters) && array_key_exists('vpcId', $filters) && $filters['vpcId'] == null && $sg->vpcId) { continue; } if ($considerGovernance && empty($values['ec2']['aws.additional_security_groups']->allow_additional_sec_groups) && !empty($sgDefaultNames) && !in_array($sg->groupName, $sgDefaultNames)) { continue; } $result[] = ['id' => $sg->groupId, 'name' => $sg->groupName, 'description' => $sg->groupDescription, 'vpcId' => $sg->vpcId, 'owner' => $sg->ownerId]; $sgNames[] = $sg->groupName; } if ($considerGovernance && !empty($sgDefaultNames)) { foreach ($sgDefaultNames as $sgDefaultName) { if (!in_array($sgDefaultName, $sgNames)) { $result[] = ['id' => null, 'name' => $sgDefaultName, 'description' => null, 'vpcId' => null, 'owner' => null]; } } } return $result; }