List of usage examples for com.amazonaws.services.ec2.model SecurityGroup getIpPermissions
public java.util.List<IpPermission> getIpPermissions()
The inbound rules associated with the security group.
From source file:Security.java
License:Open Source License
String createSG(AmazonEC2 ec2) throws IOException { try {//from w ww . ja v a 2 s .c o m securitygroup = "VirualIT_Security_Group" + Virtualize.no_of_days; CreateSecurityGroupRequest reqsec = new CreateSecurityGroupRequest().withGroupName(securitygroup) .withDescription("ssh-tcp-https-http"); CreateSecurityGroupResult ressec = ec2.createSecurityGroup(reqsec); String ipAddr = "0.0.0.0/0"; ArrayList<String> ipRanges = new ArrayList<String>(); ipRanges.add(ipAddr); ArrayList<IpPermission> ipPermissions = new ArrayList<IpPermission>(); IpPermission ipPermission_ssh = new IpPermission(); ipPermission_ssh.setIpProtocol("tcp"); ipPermission_ssh.setFromPort(new Integer(22)); ipPermission_ssh.setToPort(new Integer(22)); IpPermission ipPermission_http = new IpPermission(); ipPermission_http.setIpProtocol("tcp"); ipPermission_http.setFromPort(new Integer(80)); ipPermission_http.setToPort(new Integer(80)); IpPermission ipPermission_https = new IpPermission(); ipPermission_https.setIpProtocol("tcp"); ipPermission_https.setFromPort(new Integer(443)); ipPermission_https.setToPort(new Integer(443)); ipPermission_ssh.setIpRanges(ipRanges); ipPermission_http.setIpRanges(ipRanges); ipPermission_https.setIpRanges(ipRanges); ipPermissions.add(ipPermission_http); ipPermissions.add(ipPermission_https); ipPermissions.add(ipPermission_ssh); try { // Authorize the ports to the used. AuthorizeSecurityGroupIngressRequest ingressRequest = new AuthorizeSecurityGroupIngressRequest( securitygroup, ipPermissions); ec2.authorizeSecurityGroupIngress(ingressRequest); System.out.println("Assigned " + ingressRequest); } catch (AmazonServiceException ase) { // Ignore because this likely means the zone has already been authorized. System.err.println(ase.getMessage()); } DescribeSecurityGroupsRequest x = new DescribeSecurityGroupsRequest().withGroupNames(securitygroup); DescribeSecurityGroupsResult secgrp = ec2.describeSecurityGroups(x); for (SecurityGroup s : secgrp.getSecurityGroups()) { if (s.getGroupName().equals(securitygroup)) { System.out.println(s.getIpPermissions()); } } } catch (AmazonServiceException ase) { System.out.println("Caught Exception: " + ase.getMessage()); System.out.println("Reponse Status Code: " + ase.getStatusCode()); System.out.println("Error Code: " + ase.getErrorCode()); System.out.println("Request ID: " + ase.getRequestId()); } return securitygroup; }
From source file:c3.ops.priam.aws.AWSMembership.java
License:Apache License
/** * List SG ACL's/*from ww w.j a v a 2s . co m*/ */ public List<String> listACL(int from, int to) { AmazonEC2 client = null; try { client = getEc2Client(); List<String> ipPermissions = new ArrayList<String>(); DescribeSecurityGroupsRequest req = new DescribeSecurityGroupsRequest() .withGroupNames(Arrays.asList(config.getACLGroupName())); DescribeSecurityGroupsResult result = client.describeSecurityGroups(req); for (SecurityGroup group : result.getSecurityGroups()) for (IpPermission perm : group.getIpPermissions()) if (perm.getFromPort() == from && perm.getToPort() == to) ipPermissions.addAll(perm.getIpRanges()); return ipPermissions; } finally { if (client != null) client.shutdown(); } }
From source file:com.appdynamics.connectors.AWSConnector.java
License:Apache License
private void validateAndConfigureSecurityGroups(List<String> securityGroupNames, AmazonEC2 connector) throws ConnectorException { DescribeSecurityGroupsRequest describeSecurityGroupsRequest = new DescribeSecurityGroupsRequest(); DescribeSecurityGroupsResult describeSecurityGroupsResult = connector .describeSecurityGroups(describeSecurityGroupsRequest.withGroupNames(securityGroupNames)); String controllerIp = "0.0.0.0/0"; int agentPort = controllerServices.getDefaultAgentPort(); // check if any one of the security group // already has agent port and controller ip List<SecurityGroup> securityGroups = describeSecurityGroupsResult.getSecurityGroups(); for (SecurityGroup securityGroup : securityGroups) { List<IpPermission> ipPermissions = securityGroup.getIpPermissions(); for (IpPermission permission : ipPermissions) { if (permission.getIpRanges().contains(controllerIp) && (agentPort >= permission.getFromPort() && agentPort <= permission.getToPort())) { return; }//from ww w . j ava 2 s. c om } } String securityGroup = null; if (securityGroups.contains(Utils.DEFAULT_SECURITY_GROUP)) { securityGroup = Utils.DEFAULT_SECURITY_GROUP; } else { securityGroup = securityGroups.get(0).getGroupName(); } IpPermission ipPermission = new IpPermission(); ipPermission.setFromPort(agentPort); ipPermission.setToPort(agentPort); ipPermission.setIpProtocol("tcp"); ipPermission.setIpRanges(Lists.newArrayList(controllerIp)); connector.authorizeSecurityGroupIngress( new AuthorizeSecurityGroupIngressRequest(securityGroup, Lists.newArrayList(ipPermission))); }
From source file:com.github.trask.sandbox.ec2.Ec2Service.java
License:Apache License
public void syncInboundRules(SecurityGroup securityGroup, List<IpPermission> ipPermissions) { List<WrappedIpPermission> revokeWrappedIpPermissions = wrap(securityGroup.getIpPermissions()); revokeWrappedIpPermissions.removeAll(wrap(ipPermissions)); List<WrappedIpPermission> authorizeWrappedIpPermissions = wrap(ipPermissions); authorizeWrappedIpPermissions.removeAll(wrap(securityGroup.getIpPermissions())); // revoke must be done first in case one of multiple UserIdGroupPairs for // a single IpPermission is being revoked if (!revokeWrappedIpPermissions.isEmpty()) { RevokeSecurityGroupIngressRequest request = new RevokeSecurityGroupIngressRequest( securityGroup.getGroupName(), new ArrayList<IpPermission>(unwrap(revokeWrappedIpPermissions))); ec2.revokeSecurityGroupIngress(request); }//w ww . j ava 2 s . co m if (!authorizeWrappedIpPermissions.isEmpty()) { AuthorizeSecurityGroupIngressRequest request = new AuthorizeSecurityGroupIngressRequest( securityGroup.getGroupName(), new ArrayList<IpPermission>(unwrap(authorizeWrappedIpPermissions))); ec2.authorizeSecurityGroupIngress(request); } }
From source file:com.jaspersoft.jasperserver.api.engine.jasperreports.util.AwsDataSourceRecovery.java
License:Open Source License
private String recoverVpcSecurityGroup(AwsReportDataSource awsReportDataSource, String vpcId, String ingressPublicIp) { AWSCredentials awsCredentials = AwsCredentialUtil.getAWSCredentials(awsReportDataSource.getAWSAccessKey(), awsReportDataSource.getAWSSecretKey(), awsReportDataSource.getRoleARN()); //Security/* w ww .ja v a 2s . c o m*/ AmazonEC2Client amazonEc2Client = new AmazonEC2Client(awsCredentials); SecurityGroup vpcSecurityGroup = null; try { DescribeSecurityGroupsResult describeSecurityGroupsResult = amazonEc2Client.describeSecurityGroups(); if (describeSecurityGroupsResult != null && describeSecurityGroupsResult.getSecurityGroups() != null && describeSecurityGroupsResult.getSecurityGroups().size() > 0) { for (SecurityGroup securityGroup : describeSecurityGroupsResult.getSecurityGroups()) { if (securityGroup.getVpcId() != null && securityGroup.getVpcId().equals(vpcId) && securityGroup.getGroupName().equals(awsProperties.getSecurityGroupName())) { vpcSecurityGroup = securityGroup; break; } } } } catch (Exception ex) { //Have to be empty. } boolean ingressIpMaskExist = false; String vpcSecurityGroupId; if (vpcSecurityGroup != null) { vpcSecurityGroupId = vpcSecurityGroup.getGroupId(); List<IpPermission> ipPermissions = vpcSecurityGroup.getIpPermissions(); if (ipPermissions != null && ipPermissions.size() > 0) { for (IpPermission ipPermission : ipPermissions) { if (ipPermission.getIpRanges() != null && ipPermission.getIpRanges().size() > 0 && ipPermission.getIpRanges().contains(ingressPublicIp)) { ingressIpMaskExist = true; } } } if (!ingressIpMaskExist && ipPermissions != null && ipPermissions.size() > 0) { RevokeSecurityGroupIngressRequest revokeSecurityGroupIngressRequest = new RevokeSecurityGroupIngressRequest() .withGroupId(vpcSecurityGroup.getGroupId()).withIpPermissions() .withIpPermissions(vpcSecurityGroup.getIpPermissions()); amazonEc2Client.revokeSecurityGroupIngress(revokeSecurityGroupIngressRequest); } } else { vpcSecurityGroupId = amazonEc2Client .createSecurityGroup( new CreateSecurityGroupRequest().withGroupName(awsProperties.getSecurityGroupName()) .withVpcId(vpcId).withDescription(awsProperties.getSecurityGroupDescription())) .getGroupId(); } if (!ingressIpMaskExist) { IpPermission ipPermission = new IpPermission().withIpProtocol("tcp").withIpRanges(ingressPublicIp) .withFromPort(0).withToPort(65535); List<IpPermission> ipPermissions = new ArrayList<IpPermission>(); ipPermissions.add(ipPermission); AuthorizeSecurityGroupIngressRequest authorizeRequest = new AuthorizeSecurityGroupIngressRequest() .withIpPermissions(ipPermissions).withGroupId(vpcSecurityGroupId); amazonEc2Client.authorizeSecurityGroupIngress(authorizeRequest); } return vpcSecurityGroupId; }
From source file:com.netflix.dynomitemanager.sidecore.aws.AWSMembership.java
License:Apache License
/** * List SG ACL's// w w w. j a v a 2 s. c o m */ public List<String> listACL(int from, int to) { AmazonEC2 client = null; try { client = getEc2Client(); List<String> ipPermissions = new ArrayList<String>(); if (this.insEnvIdentity.isClassic()) { DescribeSecurityGroupsRequest req = new DescribeSecurityGroupsRequest() .withGroupNames(Arrays.asList(config.getACLGroupName())); DescribeSecurityGroupsResult result = client.describeSecurityGroups(req); for (SecurityGroup group : result.getSecurityGroups()) for (IpPermission perm : group.getIpPermissions()) if (perm.getFromPort() == from && perm.getToPort() == to) ipPermissions.addAll(perm.getIpRanges()); logger.info("Fetch current permissions for classic env of running instance"); } else { Filter nameFilter = new Filter().withName("group-name").withValues(config.getACLGroupName()); String vpcid = config.getVpcId(); if (vpcid == null || vpcid.isEmpty()) { throw new IllegalStateException("vpcid is null even though instance is running in vpc."); } Filter vpcFilter = new Filter().withName("vpc-id").withValues(vpcid); //only fetch SG for the vpc id of the running instance DescribeSecurityGroupsRequest req = new DescribeSecurityGroupsRequest().withFilters(nameFilter, vpcFilter); DescribeSecurityGroupsResult result = client.describeSecurityGroups(req); for (SecurityGroup group : result.getSecurityGroups()) for (IpPermission perm : group.getIpPermissions()) if (perm.getFromPort() == from && perm.getToPort() == to) ipPermissions.addAll(perm.getIpRanges()); logger.info("Fetch current permissions for vpc env of running instance"); } return ipPermissions; } finally { if (client != null) client.shutdown(); } }
From source file:com.netflix.raigad.aws.AWSMembership.java
License:Apache License
/** * List SG ACL's/* w ww . j a v a 2s . c o m*/ */ public List<String> listACL(int from, int to) { AmazonEC2 client = null; try { client = getEc2Client(); List<String> ipPermissions = new ArrayList<String>(); DescribeSecurityGroupsRequest req = new DescribeSecurityGroupsRequest() .withGroupNames(Arrays.asList(config.getACLGroupName())); DescribeSecurityGroupsResult result = client.describeSecurityGroups(req); for (SecurityGroup group : result.getSecurityGroups()) { for (IpPermission perm : group.getIpPermissions()) { if (perm.getFromPort() == from && perm.getToPort() == to) { ipPermissions.addAll(perm.getIpRanges()); } } } return ipPermissions; } finally { if (client != null) client.shutdown(); } }
From source file:com.netflix.spinnaker.clouddriver.aws.deploy.handlers.MigrateLoadBalancerStrategy.java
License:Apache License
/** * Creates the app specific security group, or returns the ID of one if it already exists * * @param appGroups list of existing security groups in which to look for existing app security group * @param elbGroup the elb specific security group, which will allow ingress permission from the * app specific security group *///www . j a v a 2 s. c om protected void buildApplicationSecurityGroup(LoadBalancerDescription sourceDescription, List<SecurityGroup> appGroups, MigrateSecurityGroupResult elbGroup) { if (getDeployDefaults().getAddAppGroupToServerGroup()) { AmazonEC2 targetAmazonEC2 = getAmazonClientProvider().getAmazonEC2(target.getCredentials(), target.getRegion(), true); Optional<SecurityGroup> existing = appGroups.stream().filter(isAppSecurityGroup()).findFirst(); MigrateSecurityGroupReference appGroupReference = new MigrateSecurityGroupReference(); appGroupReference.setAccountId(target.getCredentials().getAccountId()); appGroupReference.setVpcId(target.getVpcId()); appGroupReference.setTargetName(applicationName); if (existing.isPresent()) { elbGroup.getReused().add(appGroupReference); } else { elbGroup.getCreated().add(appGroupReference); if (!dryRun) { UpsertSecurityGroupDescription upsertDescription = new UpsertSecurityGroupDescription(); upsertDescription.setDescription("Application security group for " + applicationName); upsertDescription.setName(applicationName); upsertDescription.setVpcId(target.getVpcId()); upsertDescription.setRegion(target.getRegion()); upsertDescription.setCredentials(target.getCredentials()); getTask().updateStatus(LoadBalancerMigrator.BASE_PHASE, "Creating security group " + upsertDescription.getName() + " in " + target.getCredentialAccount() + "/" + target.getRegion() + "/" + target.getVpcId()); String newGroupId = targetLookup.createSecurityGroup(upsertDescription).getSecurityGroup() .getGroupId(); // After the create request completes, there is a brief period where the security group might not be // available and subsequent operations on it will fail, so make sure it's there OperationPoller.retryWithBackoff(o -> appGroups.addAll(targetAmazonEC2 .describeSecurityGroups(new DescribeSecurityGroupsRequest().withGroupIds(newGroupId)) .getSecurityGroups()), 200, 5); } } if (!dryRun) { String elbGroupId = elbGroup.getTarget().getTargetId(); SecurityGroup appGroup = appGroups.stream().filter(isAppSecurityGroup()).findFirst().get(); if (allowIngressFromClassic) { addClassicLinkIngress(targetLookup, getDeployDefaults().getClassicLinkSecurityGroupName(), appGroup.getGroupId(), target.getCredentials(), target.getVpcId()); } boolean hasElbIngressPermission = appGroup.getIpPermissions().stream().anyMatch( p -> p.getUserIdGroupPairs().stream().anyMatch(u -> u.getGroupId().equals(elbGroupId))); if (!hasElbIngressPermission) { sourceDescription.getListenerDescriptions().forEach(l -> { Listener listener = l.getListener(); IpPermission newPermission = new IpPermission().withIpProtocol("tcp") .withFromPort(listener.getInstancePort()).withToPort(listener.getInstancePort()) .withUserIdGroupPairs( new UserIdGroupPair().withGroupId(elbGroupId).withVpcId(target.getVpcId())); targetAmazonEC2.authorizeSecurityGroupIngress(new AuthorizeSecurityGroupIngressRequest() .withGroupId(appGroup.getGroupId()).withIpPermissions(newPermission)); }); } } } }
From source file:com.netflix.spinnaker.clouddriver.aws.deploy.handlers.MigrateSecurityGroupStrategy.java
License:Apache License
private Set<MigrateSecurityGroupReference> getTargetReferences(SecurityGroupUpdater source) { SecurityGroup group = source.getSecurityGroup(); if (getInfrastructureApplications().contains(Names.parseName(group.getGroupName()).getApp())) { return new HashSet<>(); }// w w w. j av a2 s . c o m return group.getIpPermissions().stream().map(IpPermission::getUserIdGroupPairs).flatMap(List::stream) .filter(pair -> !pair.getGroupId().equals(group.getGroupId()) || !pair.getUserId().equals(group.getOwnerId())) .map(pair -> { NetflixAmazonCredentials account = sourceLookup.getCredentialsForId(pair.getUserId()); if (pair.getGroupName() == null) { if (account == null) { pair.setGroupName(pair.getGroupId()); } else { sourceLookup.getSecurityGroupById(account.getName(), pair.getGroupId(), pair.getVpcId()) .ifPresent(u -> pair.setGroupName(u.getSecurityGroup().getGroupName())); } } return new MigrateSecurityGroupReference(pair, account); }).collect(Collectors.toSet()); }
From source file:com.netflix.spinnaker.clouddriver.aws.deploy.handlers.MigrateSecurityGroupStrategy.java
License:Apache License
private void filterOutExistingRules(List<IpPermission> permissionsToApply, SecurityGroup targetGroup) { permissionsToApply.forEach(permission -> { permission.getUserIdGroupPairs().removeIf(pair -> targetGroup.getIpPermissions().stream() .anyMatch(targetPermission -> targetPermission.getFromPort().equals(permission.getFromPort()) && targetPermission.getToPort().equals(permission.getToPort()) && targetPermission.getUserIdGroupPairs().stream() .anyMatch(t -> t.getGroupId().equals(pair.getGroupId())))); permission.getIpRanges().removeIf(range -> targetGroup.getIpPermissions().stream() .anyMatch(targetPermission -> targetPermission.getFromPort().equals(permission.getFromPort()) && targetPermission.getToPort().equals(permission.getToPort()) && targetPermission.getIpRanges().contains(range))); });// w w w .j a va2 s . c om }