Use of com.amazonaws.services.ec2.model.GroupIdentifier in project elasticsearch by elastic.
Class AwsEc2UnicastHostsProvider, method fetchDynamicNodes.
/**
 * Queries the EC2 API for instances and turns every instance that passes the configured filters into
 * {@link DiscoveryNode}s.
 *
 * <p>Security-group filtering and host-type validation happen here, on the describe result, not in the
 * EC2 request. Addresses derived from an instance tag are taken verbatim from the tag value and are only
 * parsed by {@code transportService.addressesFromString}.
 *
 * @return the discovery nodes built from the matching instances; an empty list (never {@code null}) when
 *         the EC2 call fails with an {@link AmazonClientException}
 * @throws IllegalArgumentException if {@code hostType} is none of the known host types and does not
 *         start with {@code TAG_PREFIX}; this surfaces only once at least one instance is examined
 */
protected List<DiscoveryNode> fetchDynamicNodes() {
    final List<DiscoveryNode> nodes = new ArrayList<>();
    final DescribeInstancesResult result;
    try {
        // Query EC2 API based on AZ, instance state, and tag.
        // NOTE: we don't filter by security group during the describe instances request for two reasons:
        // 1. differences in VPCs require different parameters during query (ID vs Name)
        // 2. We want to use two different strategies: (all security groups vs. any security groups)
        result = SocketAccess.doPrivileged(() -> client.describeInstances(buildDescribeInstancesRequest()));
    } catch (AmazonClientException e) {
        // Best effort: a failing API call yields an empty seed list instead of an error.
        logger.info("Exception while retrieving instance list from AWS API: {}", e.getMessage());
        logger.debug("Full exception:", e);
        return nodes;
    }
    logger.trace("building dynamic unicast discovery nodes...");
    for (Reservation reservation : result.getReservations()) {
        for (Instance instance : reservation.getInstances()) {
            if (isFilteredOutByGroups(instance)) {
                continue;
            }
            final String address = resolveAddress(instance);
            if (address == null) {
                logger.trace("not adding {}, address is null, host_type {}", instance.getInstanceId(), hostType);
                continue;
            }
            try {
                // we only limit to 1 port per address, makes no sense to ping 100 ports
                TransportAddress[] resolved = transportService.addressesFromString(address, 1);
                for (int idx = 0; idx < resolved.length; idx++) {
                    logger.trace("adding {}, address {}, transport_address {}", instance.getInstanceId(), address, resolved[idx]);
                    nodes.add(new DiscoveryNode(instance.getInstanceId(), "#cloud-" + instance.getInstanceId() + "-" + idx, resolved[idx], emptyMap(), emptySet(), Version.CURRENT.minimumCompatibilityVersion()));
                }
            } catch (Exception e) {
                // A single unresolvable address must not abort discovery of the remaining instances.
                logger.warn((Supplier<?>) () -> new ParameterizedMessage("failed to add {}, address {}", instance.getInstanceId(), address), e);
            }
        }
    }
    logger.debug("using dynamic discovery nodes {}", nodes);
    return nodes;
}

/**
 * Tells whether {@code instance} must be skipped because its security groups do not satisfy the
 * configured {@code groups}. An empty {@code groups} configuration disables the filter entirely.
 *
 * <p>With {@code bindAnyGroup} one configured group matching by name or by id is enough; otherwise every
 * configured group has to be present, either all by name or all by id.
 */
private boolean isFilteredOutByGroups(Instance instance) {
    if (groups.isEmpty()) {
        return false;
    }
    List<GroupIdentifier> instanceSecurityGroups = instance.getSecurityGroups();
    List<String> names = new ArrayList<>();
    List<String> ids = new ArrayList<>();
    for (GroupIdentifier sg : instanceSecurityGroups) {
        names.add(sg.getGroupName());
        ids.add(sg.getGroupId());
    }
    if (bindAnyGroup) {
        if (disjoint(names, groups) && disjoint(ids, groups)) {
            logger.trace("filtering out instance {} based on groups {}, not part of {}", instance.getInstanceId(), instanceSecurityGroups, groups);
            return true;
        }
        return false;
    }
    if (names.containsAll(groups) || ids.containsAll(groups)) {
        return false;
    }
    logger.trace("filtering out instance {} based on groups {}, does not include all of {}", instance.getInstanceId(), instanceSecurityGroups, groups);
    return true;
}

/**
 * Picks the address to dial for {@code instance} according to {@code hostType}.
 *
 * <p>For the {@code TAG_PREFIX} host type the value is read from the instance tag whose key is the
 * suffix after the prefix; when several tags carry that key the last one wins. The tag value is
 * returned unparsed.
 *
 * @return the address string, or {@code null} when the instance has no value for the configured host type
 * @throws IllegalArgumentException if {@code hostType} is not a supported value
 */
private String resolveAddress(Instance instance) {
    if (hostType.equals(PRIVATE_DNS)) {
        return instance.getPrivateDnsName();
    }
    if (hostType.equals(PRIVATE_IP)) {
        return instance.getPrivateIpAddress();
    }
    if (hostType.equals(PUBLIC_DNS)) {
        return instance.getPublicDnsName();
    }
    if (hostType.equals(PUBLIC_IP)) {
        return instance.getPublicIpAddress();
    }
    if (hostType.startsWith(TAG_PREFIX)) {
        // Reading the node host from its metadata
        String tagName = hostType.substring(TAG_PREFIX.length());
        logger.debug("reading hostname from [{}] instance tag", tagName);
        String address = null;
        for (Tag tag : instance.getTags()) {
            if (tag.getKey().equals(tagName)) {
                address = tag.getValue();
                logger.debug("using [{}] as the instance address", address);
            }
        }
        return address;
    }
    throw new IllegalArgumentException(hostType + " is unknown for discovery.ec2.host_type");
}
Use of com.amazonaws.services.ec2.model.GroupIdentifier in project photon-model by vmware.
Class TestAWSProvisionTask, method assertVMSercurityGroupsConfiguration.
/**
 * Asserts that the security groups attached to the provisioned EC2 {@code instance} match the
 * {@code SecurityGroupState}s linked from the NICs of the requested {@code vm}, and that every group
 * created by this test (name containing {@code TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX}) carries the
 * requested ingress and egress rules on AWS.
 *
 * <p>Does nothing in mock mode. As a side effect, records the id of a test-created group in
 * {@code this.sgToCleanUp} for later removal.
 *
 * @param instance the instance as described by EC2 after provisioning
 * @param vm the compute state that was provisioned
 */
private void assertVMSercurityGroupsConfiguration(Instance instance, ComputeState vm) {
    // This assert is only suitable for real (non-mocking env).
    if (this.isMock) {
        return;
    }
    this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name);

    // Gather the SecurityGroupStates linked from every NIC of the requested ComputeState, keyed by name.
    // Collectors.toMap rejects duplicate names with an IllegalStateException.
    Map<String, SecurityGroupState> requestedByName = vm.networkInterfaceLinks.stream()
            .map(nicLink -> this.host.getServiceState(null, NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink)))
            .flatMap(nicState -> nicState.securityGroupLinks.stream())
            .<SecurityGroupState>map(sgLink -> this.host.getServiceState(null, SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink)))
            .collect(Collectors.<SecurityGroupState, String, SecurityGroupState>toMap(sg -> sg.name, sg -> sg));

    // Compare ComputeState after provisioning to the ComputeState in the request
    assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups());
    // Provisioned Instance should have the same number of SecurityGroups as requested
    assertEquals(instance.getSecurityGroups().size(), requestedByName.size());

    for (SecurityGroupState requested : requestedByName.values()) {
        // Ensure that the requested SecurityGroup was actually provisioned: look its id up on the instance
        GroupIdentifier provisioned = instance.getSecurityGroups().stream()
                .filter(awsGroup -> awsGroup.getGroupId().equals(requested.id))
                .findFirst()
                .orElse(null);
        assertNotNull(provisioned);

        if (!requested.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) {
            continue;
        }
        // The group was created by this test: remember it for cleanup and verify its rules on AWS.
        this.sgToCleanUp = requested.id;
        SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisioned.getGroupId());
        assertNotNull(awsSecurityGroup);
        // Validate rules are correctly created as requested.
        // NOTE(review): the rule positions (ingress 0, egress 1) are assumed to match how the group was created — confirm
        IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0);
        IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1);
        assertNotNull(awsIngressRule);
        assertNotNull(awsEgressRule);
        assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), requested.ingress.get(0).protocol);
        assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), requested.ingress.get(0).ipRangeCidr);
        assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), requested.egress.get(0).protocol);
        assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), requested.egress.get(0).ipRangeCidr);
    }
}
Use of com.amazonaws.services.ec2.model.GroupIdentifier in project photon-model by vmware.
Class AWSComputeDiskDay2ServiceTest, method assertAndSetVMSecurityGroupsToBeDeleted.
/**
 * Asserts that the security groups attached to the provisioned EC2 {@code instance} match the
 * {@code SecurityGroupState}s linked from the NICs of the requested {@code vm}, and that every group
 * created by this test (name containing {@code TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX}) carries the
 * requested ingress and egress rules on AWS.
 *
 * <p>Does nothing in mock mode. As a side effect, records the id of a test-created group in
 * {@code this.sgToCleanUp} so it is deleted after the test.
 *
 * @param instance the instance as described by EC2 after provisioning
 * @param vm the compute state that was provisioned
 */
private void assertAndSetVMSecurityGroupsToBeDeleted(Instance instance, ComputeState vm) {
    // This assert is only suitable for real (non-mocking env).
    if (this.isMock) {
        return;
    }
    this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name);

    // Gather the SecurityGroupStates linked from every NIC of the requested ComputeState, keyed by name.
    // Collectors.toMap rejects duplicate names with an IllegalStateException.
    Map<String, SecurityGroupService.SecurityGroupState> requestedByName = vm.networkInterfaceLinks.stream()
            .map(nicLink -> this.host.getServiceState(null, NetworkInterfaceService.NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink)))
            .flatMap(nicState -> nicState.securityGroupLinks.stream())
            .<SecurityGroupService.SecurityGroupState>map(sgLink -> this.host.getServiceState(null, SecurityGroupService.SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink)))
            .collect(Collectors.<SecurityGroupService.SecurityGroupState, String, SecurityGroupService.SecurityGroupState>toMap(sg -> sg.name, sg -> sg));

    // Compare ComputeState after provisioning to the ComputeState in the request
    assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups());
    // Provisioned Instance should have the same number of SecurityGroups as requested
    assertEquals(instance.getSecurityGroups().size(), requestedByName.size());

    for (SecurityGroupService.SecurityGroupState requested : requestedByName.values()) {
        // Ensure that the requested SecurityGroup was actually provisioned: look its id up on the instance
        GroupIdentifier provisioned = instance.getSecurityGroups().stream()
                .filter(awsGroup -> awsGroup.getGroupId().equals(requested.id))
                .findFirst()
                .orElse(null);
        assertNotNull(provisioned);

        if (!requested.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) {
            continue;
        }
        // The group was created by this test: remember it for cleanup and verify its rules on AWS.
        this.sgToCleanUp = requested.id;
        SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisioned.getGroupId());
        assertNotNull(awsSecurityGroup);
        // Validate rules are correctly created as requested.
        // NOTE(review): the rule positions (ingress 0, egress 1) are assumed to match how the group was created — confirm
        IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0);
        IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1);
        assertNotNull(awsIngressRule);
        assertNotNull(awsEgressRule);
        assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), requested.ingress.get(0).protocol);
        assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), requested.ingress.get(0).ipRangeCidr);
        assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), requested.egress.get(0).protocol);
        assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), requested.egress.get(0).ipRangeCidr);
    }
}
Use of com.amazonaws.services.ec2.model.GroupIdentifier in project photon-model by vmware.
Class AWSRebootServiceTest, method assertAndSetVMSecurityGroupsToBeDeleted.
/**
 * Asserts that the security groups attached to the provisioned EC2 {@code instance} match the
 * {@code SecurityGroupState}s linked from the NICs of the requested {@code vm}, and that every group
 * created by this test (name containing {@code TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX}) carries the
 * requested ingress and egress rules on AWS.
 *
 * <p>Does nothing in mock mode. As a side effect, records the id of a test-created group in
 * {@code this.sgToCleanUp} so it is deleted after the test.
 *
 * @param instance the instance as described by EC2 after provisioning
 * @param vm the compute state that was provisioned
 */
private void assertAndSetVMSecurityGroupsToBeDeleted(Instance instance, ComputeState vm) {
    // This assert is only suitable for real (non-mocking env).
    if (this.isMock) {
        return;
    }
    this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name);

    // Gather the SecurityGroupStates linked from every NIC of the requested ComputeState, keyed by name.
    // Collectors.toMap rejects duplicate names with an IllegalStateException.
    Map<String, SecurityGroupState> requestedByName = vm.networkInterfaceLinks.stream()
            .map(nicLink -> this.host.getServiceState(null, NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink)))
            .flatMap(nicState -> nicState.securityGroupLinks.stream())
            .<SecurityGroupState>map(sgLink -> this.host.getServiceState(null, SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink)))
            .collect(Collectors.<SecurityGroupState, String, SecurityGroupState>toMap(sg -> sg.name, sg -> sg));

    // Compare ComputeState after provisioning to the ComputeState in the request
    assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups());
    // Provisioned Instance should have the same number of SecurityGroups as requested
    assertEquals(instance.getSecurityGroups().size(), requestedByName.size());

    for (SecurityGroupState requested : requestedByName.values()) {
        // Ensure that the requested SecurityGroup was actually provisioned: look its id up on the instance
        GroupIdentifier provisioned = instance.getSecurityGroups().stream()
                .filter(awsGroup -> awsGroup.getGroupId().equals(requested.id))
                .findFirst()
                .orElse(null);
        assertNotNull(provisioned);

        if (!requested.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) {
            continue;
        }
        // The group was created by this test: remember it for cleanup and verify its rules on AWS.
        this.sgToCleanUp = requested.id;
        SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisioned.getGroupId());
        assertNotNull(awsSecurityGroup);
        // Validate rules are correctly created as requested.
        // NOTE(review): the rule positions (ingress 0, egress 1) are assumed to match how the group was created — confirm
        IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0);
        IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1);
        assertNotNull(awsIngressRule);
        assertNotNull(awsEgressRule);
        assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), requested.ingress.get(0).protocol);
        assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), requested.ingress.get(0).ipRangeCidr);
        assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), requested.egress.get(0).protocol);
        assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), requested.egress.get(0).ipRangeCidr);
    }
}
Use of com.amazonaws.services.ec2.model.GroupIdentifier in project SimianArmy by Netflix.
Class InstanceInSecurityGroup, method getInstanceSecurityGroups.
/**
 * Returns the security group names of the given instances, which must all live in {@code region}.
 *
 * <p>The default implementation describes the instances through an {@link AWSClient}; subclasses may
 * override it to obtain the groups another way. Instances that sit in a VPC, or whose state is not
 * {@code running}, are logged and left out of the result, so callers must not assume every requested
 * id is present as a key.
 *
 * @param region the region of the instances
 * @param instanceIds the instance ids; all instances should be in the same region
 * @return a map from instance id to the names of that instance's security groups; empty when no ids
 *         are given
 */
protected Map<String, List<String>> getInstanceSecurityGroups(String region, String... instanceIds) {
    Map<String, List<String>> groupsByInstance = Maps.newHashMap();
    boolean noIds = instanceIds == null || instanceIds.length == 0;
    if (noIds) {
        return groupsByInstance;
    }
    AWSClient awsClient = new AWSClient(region, awsCredentialsProvider);
    for (Instance instance : awsClient.describeInstances(instanceIds)) {
        String instanceId = instance.getInstanceId();
        // Ignore instances that are in VPC
        if (StringUtils.isNotEmpty(instance.getVpcId())) {
            LOGGER.info(String.format("Instance %s is in VPC and is ignored.", instanceId));
            continue;
        }
        String state = instance.getState().getName();
        if (!"running".equals(state)) {
            LOGGER.info(String.format("Instance %s is not running, state is %s.", instanceId, state));
            continue;
        }
        groupsByInstance.put(instanceId, securityGroupNamesOf(instance));
    }
    return groupsByInstance;
}

/**
 * Collects the names of every security group attached to {@code instance}, in the order EC2 reports them.
 */
private static List<String> securityGroupNamesOf(Instance instance) {
    List<String> names = Lists.newArrayList();
    for (GroupIdentifier group : instance.getSecurityGroups()) {
        names.add(group.getGroupName());
    }
    return names;
}