Examples with IpPermission software.amazon.awssdk.services.ec2.model.IpPermission used on opensource projects

Example 1 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project GNS by MobilityFirst.

the class AWSEC2 method createSecurityGroup.

/**
   * Create a New Security Group with our standard permissions
   *
   * @param ec2
   * @param name
   * @return the name of the new group
   */
public static String createSecurityGroup(AmazonEC2 ec2, String name) {
    CreateSecurityGroupRequest securityGroupRequest = new CreateSecurityGroupRequest(name, name + " security group");
    ec2.createSecurityGroup(securityGroupRequest);
    AuthorizeSecurityGroupIngressRequest ingressRequest = new AuthorizeSecurityGroupIngressRequest();
    ingressRequest.setGroupName(name);
    List<IpPermission> permissions = new ArrayList<>();
    // open up ping (echo request)
    permissions.add(new IpPermission().withIpProtocol(ICMPPROTOCOL).withFromPort(ECHOTYPE).withToPort(WILDCARDCODE).withIpRanges(IPRANGESALL));
    permissions.add(new IpPermission().withIpProtocol(TCPPROTOCOL).withFromPort(SSHPORT).withToPort(SSHPORT).withIpRanges(IPRANGESALL));
    permissions.add(new IpPermission().withIpProtocol(TCPPROTOCOL).withFromPort(HTTPPORT).withToPort(HTTPPORT).withIpRanges(IPRANGESALL));
    permissions.add(new IpPermission().withIpProtocol(TCPPROTOCOL).withFromPort(HTTPNONROOTPORT).withToPort(HTTPNONROOTPORT).withIpRanges(IPRANGESALL));
    permissions.add(new IpPermission().withIpProtocol(TCPPROTOCOL).withFromPort(HTTPSPORT).withToPort(HTTPSPORT).withIpRanges(IPRANGESALL));
    permissions.add(new IpPermission().withIpProtocol(TCPPROTOCOL).withFromPort(MYSQLPORT).withToPort(MYSQLPORT).withIpRanges(IPRANGESALL));
    permissions.add(new IpPermission().withIpProtocol(TCPPROTOCOL).withFromPort(20000).withToPort(30000).withIpRanges(IPRANGESALL));
    permissions.add(new IpPermission().withIpProtocol(UDPPROTOCOL).withFromPort(20000).withToPort(30000).withIpRanges(IPRANGESALL));
    ingressRequest.setIpPermissions(permissions);
    ec2.authorizeSecurityGroupIngress(ingressRequest);
    return name;
}

Example 2 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project Synapse-Stack-Builder by Sage-Bionetworks.

the class EC2SecuritySetup method setupResources.

/**
 * Create the EC2 security group that all elastic beanstalk instances will belong to.
 *
 * @param ec2Client - valid AmazonEC2Client
 * @param stack - The name of this stack.
 * @param instance - The name of this stack instance.
 * @param cidrForSSH - The classless inter-domain routing to be used for SSH access to these machines.
 * @return
 */
public void setupResources() {
    CreateSecurityGroupRequest request = new CreateSecurityGroupRequest();
    request.setDescription(config.getElasticSecurityGroupDescription());
    request.setGroupName(config.getElasticSecurityGroupName());
    createSecurityGroup(request);
    // Setup the permissions for this group:
    // Allow anyone to access port 80 (HTTP)
    addPermission(request.getGroupName(), new IpPermission().withIpProtocol(IP_PROTOCOL_TCP).withFromPort(PORT_HTTP).withToPort(PORT_HTTP).withIpRanges(CIDR_ALL_IP));
    // Allow anyone to access port 443 (HTTPS)
    addPermission(request.getGroupName(), new IpPermission().withIpProtocol(IP_PROTOCOL_TCP).withFromPort(PORT_HTTPS).withToPort(PORT_HTTPS).withIpRanges(CIDR_ALL_IP));
    // Only allow ssh to the given address
    addPermission(request.getGroupName(), new IpPermission().withIpProtocol(IP_PROTOCOL_TCP).withFromPort(PORT_SSH).withToPort(PORT_SSH).withIpRanges(config.getCIDRForSSH()));
    // Return the group name
    DescribeSecurityGroupsResult result = ec2Client.describeSecurityGroups(new DescribeSecurityGroupsRequest().withGroupNames(request.getGroupName()));
    if (result.getSecurityGroups() == null || result.getSecurityGroups().size() != 1)
        throw new IllegalStateException("Did not find one and ony one EC2 secruity group with the name: " + request.getGroupName());
    // Add this to the resources
    SecurityGroup group = result.getSecurityGroups().get(0);
    resources.setElasticBeanstalkEC2SecurityGroup(group);
    // Create the key pair.
    resources.setStackKeyPair(createOrGetKeyPair());
}

Example 3 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project Synapse-Stack-Builder by Sage-Bionetworks.

the class EC2SecuritySetupTest method testAddPermissionUnknonwError.

@Test(expected = AmazonServiceException.class)
public void testAddPermissionUnknonwError() {
    // For this case make sure an unknown error gets thrown
    AmazonServiceException exception = new AmazonServiceException("Some error");
    exception.setErrorCode("unknown code");
    doThrow(exception).when(mockEC2Client).authorizeSecurityGroupIngress(any(AuthorizeSecurityGroupIngressRequest.class));
    ec2SecuritySetup.addPermission("groupName", new IpPermission());
}

Example 4 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project photon-model by vmware.

the class TestAWSProvisionTask method assertVMSercurityGroupsConfiguration.

private void assertVMSercurityGroupsConfiguration(Instance instance, ComputeState vm) {
    // This assert is only suitable for real (non-mocking env).
    if (this.isMock) {
        return;
    }
    this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name);
    // Get the SecurityGroupStates that were provided in the request ComputeState
    Collector<SecurityGroupState, ?, Map<String, SecurityGroupState>> convertToMap = Collectors.<SecurityGroupState, String, SecurityGroupState>toMap(sg -> sg.name, sg -> sg);
    Map<String, SecurityGroupState> currentSGNamesToStates = vm.networkInterfaceLinks.stream().map(nicLink -> this.host.getServiceState(null, NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink))).<// collect all SecurityGroup States from all NIC states
    SecurityGroupState>flatMap(nicState -> nicState.securityGroupLinks.stream().map(sgLink -> {
        SecurityGroupState sgState = this.host.getServiceState(null, SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink));
        return sgState;
    })).collect(convertToMap);
    // Compare ComputeState after provisioning to the ComputeState in the request
    assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups());
    // Provisioned Instance should have the same number of SecurityGroups as requested
    assertEquals(instance.getSecurityGroups().size(), currentSGNamesToStates.size());
    for (SecurityGroupState currentSGState : currentSGNamesToStates.values()) {
        // Get corresponding requested state
        GroupIdentifier provisionedGroupIdentifier = null;
        for (GroupIdentifier awsGroupIdentifier : instance.getSecurityGroups()) {
            if (awsGroupIdentifier.getGroupId().equals(currentSGState.id)) {
                provisionedGroupIdentifier = awsGroupIdentifier;
                break;
            }
        }
        // Ensure that the requested SecurityGroup was actually provisioned
        assertNotNull(provisionedGroupIdentifier);
        if (currentSGState.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) {
            this.sgToCleanUp = currentSGState.id;
            SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisionedGroupIdentifier.getGroupId());
            assertNotNull(awsSecurityGroup);
            // Validate rules are correctly created as requested
            IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0);
            IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1);
            assertNotNull(awsIngressRule);
            assertNotNull(awsEgressRule);
            assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), currentSGState.ingress.get(0).protocol);
            assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.ingress.get(0).ipRangeCidr);
            assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), currentSGState.egress.get(0).protocol);
            assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.egress.get(0).ipRangeCidr);
        }
    }
}

Example 5 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project photon-model by vmware.

the class TestAWSSecurityGroupService method testDefaultSecurityGroupPorts.

/*
     * Create the default CM group, get the group, verify the default
       permissions are in place.  Then delete the default group
     */
@Test
public void testDefaultSecurityGroupPorts() throws Throwable {
    // create the group
    String groupId = this.client.createDefaultSecurityGroup(null);
    // allow the default ports
    this.client.addIngressRules(groupId, this.client.getDefaultRules(this.subnet));
    // get the updated CM group
    SecurityGroup group = this.client.getDefaultSecurityGroup(null);
    List<IpPermission> rules = group.getIpPermissions();
    assertTrue(rules.size() > 0);
    validateDefaultRules(rules);
    // lets delete the default CM group
    this.client.deleteSecurityGroup(groupId);
}