%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /proc/self/root/proc/3522530/root/lib/python2.7/site-packages/salt/states/
Upload File :
Create Path :
Current File : //proc/self/root/proc/3522530/root/lib/python2.7/site-packages/salt/states/boto_secgroup.pyo

�
���^c@@sZdZddlmZmZmZddlZddlZddljj	Z	ddl
mZddlm
Z
eje�Zd�Zddddeedddddd�Zddddddd�Zd	�Zd
�Zd�Zeddddddd�Zeddddddd
�Zddddddd�Zddddddd�ZdS(uR

Manage Security Groups
======================

.. versionadded:: 2014.7.0

Create and destroy Security Groups. Be aware that this interacts with Amazon's
services, and so may incur charges.

This module uses ``boto``, which can be installed via package, or pip.

This module accepts explicit EC2 credentials but can also utilize
IAM roles assigned to the instance through Instance Profiles. Dynamic
credentials are then automatically obtained from AWS API and no further
configuration is necessary. More information available `here
<http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html>`_.

If IAM roles are not used you need to specify them either in a pillar file or
in the minion's config file:

.. code-block:: yaml

    secgroup.keyid: GKTADJGHEIQSXMKKRBJ08H
    secgroup.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

It's also possible to specify ``key``, ``keyid`` and ``region`` via a profile, either
passed in as a dict, or as a string to pull from pillars or minion config:

.. code-block:: yaml

    myprofile:
        keyid: GKTADJGHEIQSXMKKRBJ08H
        key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
        region: us-east-1

.. code-block:: yaml

    Ensure mysecgroup exists:
        boto_secgroup.present:
            - name: mysecgroup
            - description: My security group
            - vpc_name: myvpc
            - rules:
                - ip_protocol: tcp
                  from_port: 80
                  to_port: 80
                  cidr_ip:
                    - 10.0.0.0/8
                    - 192.168.0.0/16
                - ip_protocol: tcp
                  from_port: 8080
                  to_port: 8090
                  cidr_ip:
                    - 10.0.0.0/8
                    - 192.168.0.0/16
                - ip_protocol: icmp
                  from_port: -1
                  to_port: -1
                  source_group_name: mysecgroup
                - ip_protocol: tcp
                  from_port: 8080
                  to_port: 8080
                  source_group_name: MyOtherSecGroup
                  source_group_name_vpc: MyPeeredVPC
            - rules_egress:
                - ip_protocol: all
                  from_port: -1
                  to_port: -1
                  cidr_ip:
                    - 10.0.0.0/8
                    - 192.168.0.0/16
            - tags:
                SomeTag: 'My Tag Value'
                SomeOtherTag: 'Other Tag Value'
            - region: us-east-1
            - keyid: GKTADJGHEIQSXMKKRBJ08H
            - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

    # Using a profile from pillars
    Ensure mysecgroup exists:
        boto_secgroup.present:
            - name: mysecgroup
            - description: My security group
            - profile: myprofile

    # Passing in a profile
    Ensure mysecgroup exists:
        boto_secgroup.present:
            - name: mysecgroup
            - description: My security group
            - profile:
                keyid: GKTADJGHEIQSXMKKRBJ08H
                key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
                region: us-east-1

.. note::

    When using the ``profile`` parameter and ``region`` is set outside of
    the profile group, region is ignored and a default region will be used.

    If ``region`` is missing from the ``profile`` data set, ``us-east-1``
    will be used as the default region.

i(tabsolute_importtprint_functiontunicode_literalsN(tSaltInvocationError(tsixcC@sdtkrdStS(u)
    Only load if boto is available.
    uboto_secgroup.existsu
boto_secgroup(t__salt__tFalse(((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyt__virtual__xsc
C@s�i|d6td6dd6id6}
t||d|d|d|d	|	d
|
d|�}|d|
d<dj|
d|dg�|
d<|ds�|d|
d<|
dtkr�|
S|
ddkr�|
Sn|dk	rft|||d|d|d|d	|	d
|
d|�}tj|
d|d�|
d<dj|
d|dg�|
d<|dsf|d|
d<qfn|dk	rt|||d|d|d|d	|	d
|
d|�}tj|
d|d�|
d<dj|
d|dg�|
d<|ds|d|
d<qnt	d
|d|d|d|d|d	|	d
|
d|�}tj|
d|d�|
d<dj|
d|dg�|
d<|ds�|d|
d<n|
S(u�
    Ensure the security group exists with the specified rules.

    name
        Name of the security group.

    description
        A description of this security group.

    vpc_id
        The ID of the VPC to create the security group in, if any. Exclusive with vpc_name.

    vpc_name
        The name of the VPC to create the security group in, if any. Exclusive with vpc_id.

        .. versionadded:: 2016.3.0

        .. versionadded:: 2015.8.2

    rules
        A list of ingress rule dicts. If not specified, ``rules=None``,
        the ingress rules will be unmanaged. If set to an empty list, ``[]``,
        then all ingress rules will be removed.

    rules_egress
        A list of egress rule dicts. If not specified, ``rules_egress=None``,
        the egress rules will be unmanaged. If set to an empty list, ``[]``,
        then all egress rules will be removed.

    delete_ingress_rules
        Some tools (EMR comes to mind) insist on adding rules on-the-fly, which
        salt will happily remove on the next run.  Set this param to False to
        avoid deleting rules which were added outside of salt.

    delete_egress_rules
        Some tools (EMR comes to mind) insist on adding rules on-the-fly, which
        salt will happily remove on the next run.  Set this param to False to
        avoid deleting rules which were added outside of salt.

    region
        Region to connect to.

    key
        Secret key to be used.

    keyid
        Access key to be used.

    profile
        A dict with region, key and keyid, or a pillar key (string)
        that contains a dict with region, key, and keyid.

    tags
        List of key:value pairs of tags to set on the security group

        .. versionadded:: 2016.3.0
    unameuresultuucommentuchangestvpc_idtvpc_nametregiontkeytkeyidtprofileu tnamettagsN(
tTruet_security_group_presenttjoinRtNonet_rules_presentt
dictupdatetupdatet_rules_egress_presentt
_tags_present(RtdescriptionRR	trulestrules_egresstdelete_ingress_rulestdelete_egress_rulesR
RRR
Rtrett_ret((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pytpresentsJG"!
!
	!
!
cC@seitd6dd6id6}td|||||||�}	|	sNtdrndj|�|d<d|d<|Stdd	|d
|d|d|d
|d|d|d|�}
|
r.idd6|dd<tdd	|ddd
|d|d|d|d|d|�}i|d6|dd<dj|�|d<qat|d<dj|�|d<ndj|�|d<|S(u�
    given a group name or a group name and vpc id (or vpc name):
    1. determine if the group exists
    2. if the group does not exist, creates the group
    3. return the group's configuration and any changes made
    uresultuucommentuchangesuboto_secgroup.existsutestu(Security group {0} is set to be created.uboto_secgroup.createRRRR	R
RRR
usecgroupuolduboto_secgroup.get_configtgroup_idunewuSecurity group {0} created.u$Failed to create {0} security group.uSecurity group {0} present.N(RRt__opts__tformatRR(RRRR	R
RRR
Rtexiststcreatedtsg((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyR�s.

	"	
c
C@sEg}x8|D]0}|jd�}|jd�}|jd�}|r�t|tj�r�x�|D])}|j�}||d<|j|�q`Wq
|r�t|tj�r�x�|D])}|j�}||d<|j|�q�Wq
|r0t|tj�r0xA|D])}	|j�}|	|d<|j|�qWq
|j|�q
W|S(u
    Split rules with lists into individual rules.

    We accept some attributes as lists or strings. The data we get back from
    the execution module lists rules as individual rules. We need to split the
    provided rules into individual rules to compare them.
    ucidr_ipusource_group_nameusource_group_group_id(tgett
isinstanceRtstring_typestcopytappend(
Rtsplittruletcidr_ipt
group_nameR!tipt_ruleRt_id((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyt_split_ruless,






c	C@sc|jd�d	kr"d|d<n|jd�d	krDd|d<n|d|dkr_tj|d�tj|d�kr_tj|d�tj|d�kr_|jd�}|r�||jd�kr�tS|jd�}|r||jd�krtS|jd�}|r.||jd�kr.tS|jd�}|r_||jd�kr_tSntS(
u�
    Check to see if two rules are the same. Needed to compare rules fetched
    from boto, since they may not completely match rules defined in sls files
    but may be functionally equivalent.
    u	from_porti����uto_portuip_protocolucidr_ipusource_group_owner_idusource_group_group_idusource_group_nameN(R'RRt	text_typeRR(R-R1t_cidr_ipt	_owner_idt	_group_idt_group_name((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyt_check_rule2s(

&&c
C@sRg}g}x�|D]�}ytj|jd��}Wntk
rTtd��nXddddddd	d
ddd
dg}||kr�dj|�j�s�t|�dkr�tdj|���n|dkr�d
|d<n|jdd�}|jdd�}|jdd�}	|r;|	s,|r;td��n|	rV|rVtd��n|pe|	pe|swtd��nt	}
x'|D]}t
||�r�t}
Pq�q�W|
s|j|�qqWxd|D]\}t	}
x'|D]}t
||�r�t}
Pq�q�W|
s�|j
dd�|j|�q�q�Wtjd|�tjd|�||fS(u�
    given a list of desired rules (rules) and existing rules (_rules) return
    a list of rules to delete (to_delete) and to create (to_create)
    uip_protocoluTip_protocol, to_port, and from_port are required arguments for security group rules.utcpu6iuudpu17iuicmpu1iuallu-1i����u{0}i�u9Invalid ip_protocol {0} specified in security group rule.ucidr_ipusource_group_nameusource_group_group_iduLcidr_ip and source groups can not both be specified in security group rules.uiEither source_group_group_id or source_group_name can be specified in security group rules, but not both.u_cidr_ip, source_group_group_id, or source_group_name must be provided for security group rules.uRules to be deleted: %suRules to be created: %sN(RR4R'tKeyErrorRR#tisdigittintRRR9RR+tpoptlogtdebug(Rt_rulest	to_deletet	to_createR-tip_protocoltsupported_protocolsR.R/R!t
rule_foundR1((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyt_get_rule_changesUsV

(



c	C@s�itd6dd6id6}	tdd|dd d|d	|d
|d|d|d
|�}
|
sdj|�|	d<t|	d<|	St|�}|s�|rxx�|D]�}|jdd �}|r�|}
|}|jdd �}|r�|}
d }ntdd|d|d
|
d|d	|d
|d|�}|sDtdj|���nd |d<|rd|jd�n||d<q�q�Wnt	||
d�\}}|r�|ng}|s�|r�t
dr�dj|tj|�tj|��}||	d<d |	d<|	S|r�t}xT|D]L}td|d|d
|d|d	|d
|d||�}|st}qqW|rwdj|�|	d<q�dj|�|	d<t|	d<n|r\t}xT|D]L}td|d|d
|d|d	|d
|d||�}|s�t}q�q�W|r)dj
|	ddj|�g�|	d<q\dj
|	ddj|�g�|	d<t|	d<ni|
dd6|	dd<tdd|dd d|d	|d
|d|d|d
|�}
i|
dd6|	dd<n|	S(!u'
    given a group name or group name and vpc_id (or vpc name):
    1. get lists of desired rule changes (using _get_rule_changes)
    2. authorize/create rules missing rules
    3. if delete_ingress_rules is True, delete/revoke non-requested rules
    4. return 'old' and 'new' group rules
    uresultuucommentuchangesuboto_secgroup.get_configRR!R
RRR
RR	u8{0} security group configuration could not be retrieved.usource_group_nameusource_group_name_vpcuboto_secgroup.get_group_idu>source_group_name {0} does not map to a valid source group id.usource_group_group_idurulesutestulSecurity group {0} set to have rules modified.
            To be created: {1}
            To be deleted: {2}uboto_secgroup.revokeu$Removed rules on {0} security group.u-Failed to remove rules on {0} security group.uboto_secgroup.authorizeu u$Created rules on {0} security group.u-Failed to create rules on {0} security group.uoldunewN(RRRR#RR3R'RR=RFR"tpprinttpformatR(RRRRR	R
RRR
RR&R-t_source_group_namet_group_vpc_namet
_group_vpc_idt_source_group_name_vpcR7RARBtmsgtdeletedt_deletedR%t_created((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyR�s�	"	

	










"	c	C@sitd6dd6id6}	tdd|dd!d|d	|d
|d|d|d
|�}
|
sdj|�|	d<t|	d<|	St|�}|s�|rxx�|D]�}|jdd!�}|r�|}
|}|jdd!�}|r�|}
d!}ntdd|d|d
|
d|d	|d
|d|�}|sDtdj|���nd!|d<|rd|jd�n||d<q�q�Wnt	||
d�\}}|r�|ng}|s�|rt
dr�dj|tj|�tj|��}||	d<d!|	d<|	S|r�t}xZ|D]R}td|d|d
|d|d	|d
|d|dt|�}|st}qqW|r�dj
|	ddj|�g�|	d<q�dj
|	ddj|�g�|	d<t|	d<n|r�t}xZ|D]R}td|d|d
|d|d	|d
|d|dt|�}|s�t}q�q�W|r[dj
|	ddj|�g�|	d<q�dj
|	ddj|�g�|	d<t|	d<ni|
dd6|	dd<tdd|dd!d|d	|d
|d|d|d
|�}
i|
dd6|	dd <n|	S("u 
    given a group name or group name and vpc_id (or vpc name):
    1. get lists of desired rule changes (using _get_rule_changes)
    2. authorize/create missing rules
    3. if delete_egress_rules is True, delete/revoke non-requested rules
    4. return 'old' and 'new' group rules
    uresultuucommentuchangesuboto_secgroup.get_configRR!R
RRR
RR	u8{0} security group configuration could not be retrieved.usource_group_nameusource_group_name_vpcuboto_secgroup.get_group_idu>source_group_name {0} does not map to a valid source group id.usource_group_group_idurules_egressutestulSecurity group {0} set to have rules modified.
            To be created: {1}
            To be deleted: {2}uboto_secgroup.revoketegressu u*Removed egress rule on {0} security group.u3Failed to remove egress rule on {0} security group.uboto_secgroup.authorizeu+Created egress rules on {0} security group.u4Failed to create egress rules on {0} security group.uoldunewN(RRRR#RR3R'RR=RFR"RGRHR(RRRRR	R
RRR
RR&R-RIRJRKRLR7RARBRMRNROR%RP((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyR�s�	"	

	










"	c
C@sJi|d6td6dd6id6}tdd|ddd	|d
|d|d|d
|d|�}|r3tdr�dj|�|d<d|d<|Stdd|ddd	|d
|d|d|d
|d|�}	|	ri|d6|dd<idd6|dd<dj|�|d<qFt|d<dj|�|d<ndj|�|d<|S(u�
    Ensure a security group with the specified name does not exist.

    name
        Name of the security group.

    vpc_id
        The ID of the VPC to remove the security group from, if any. Exclusive with vpc_name.

    vpc_name
        The name of the VPC to remove the security group from, if any. Exclusive with vpc_name.

        .. versionadded:: 2016.3.0

    region
        Region to connect to.

    key
        Secret key to be used.

    keyid
        Access key to be used.

    profile
        A dict with region, key and keyid, or a pillar key (string)
        that contains a dict with region, key and keyid.

        .. versionadded:: 2016.3.0
    unameuresultuucommentuchangesuboto_secgroup.get_configRR!R
RRR
RR	utestu(Security group {0} is set to be removed.uboto_secgroup.deleteusecgroupuoldunewuSecurity group {0} deleted.u$Failed to delete {0} security group.u"{0} security group does not exist.N(RRRR"R#R(
RRR	R
RRR
RR&RN((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pytabsent[s(%""	

"	
cC@s itd6dd6id6}|rtdd|dd"d|d	|d
|d|d|d
|�}	|	s�dj|�|d<t|d<|S|}
i}g}|	jd�rxv|	dD]g}
|
|kr�|
|kr|j|
�qq�||
|	d|
kr||
||
<n|
j|
�q�Wn|rstdr�djt	|�dkrMdnddj
|��}dj
|d|g�|d<d"|d<qstd|d|dd"d
|d|d|d	|d
|d|�}|st|d<dj
|ddj|�g�|d<|Sd|dkrAtj|diiid6d6�|d<nx/|D]$}|	d||ddd|<qHWn|
s|r�tdrj|
r�djt	|
j
��dkr�dnddj
|
j
���}dj
|d|g�|d<d"|d<n|r�djt	|j
��dkr"dnddj
|j
���}dj
|d|g�|d<d"|d<q�q�tj|
|�}td|d|dd"d
|d|d|d	|d
|d|�}|s�t|d<d}dj
|d|g�|d<|Sd|dkr.tj|diiid6d6�|d<nd |dkritj|diiid6d 6�|d<nxx|D]m}|||dd d|<d|	krp|	dr�||	dkr�|	d||ddd|<q�q�qpqpWn|r|r|
rdj
|dd!g�|d<qn|S(#u6
    helper function to validate tags are correct
    uresultuucommentuchangesuboto_secgroup.get_configRR!R
RRR
RR	u8{0} security group configuration could not be retrieved.utagsutestu,The following tag{0} set to be removed: {1}.ius areu isu, u uboto_secgroup.delete_tagsu$Error attempting to delete tags {0}.uoldu*The following tag{0} set to be added: {1}.u-The following tag {0} set to be updated: {1}.u
values areuvalue isuboto_secgroup.set_tagsuError attempting to set tags.unewuTags are already set.N(RRRR#RR'R+R=R"tlenRRRtkeys(RRRR	R
RRR
RR&ttags_to_addttags_to_updatettags_to_removetexisting_tagRMttemp_rettrem_tagtall_tag_changesttag((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyR�s�"	

-

	
+
%
!
!
	
++

.#(t__doc__t
__future__RRRtloggingRGtsalt.utils.dictupdatetutilsRtsalt.exceptionsRtsalt.extRt	getLoggert__name__R>RRRR RR3R9RFRRRRR(((s=/usr/lib/python2.7/site-packages/salt/states/boto_secgroup.pyt<module>isH	
b"	!	#	C]f8	

Zerion Mini Shell 1.0