first revision of firewalls including suggestions by Michal:

* in xml output: <rule id="XNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">
  rather than <rule> <id> theID </id> ...
* safely do ... blocks around ec2 invocations in ec2_driver

Also, this version adds the html interface for creating new rules. I copy/paste notes from the original message here for convenience (amended for the above changes):

This patch implements 'firewalls' - which are ec2 security groups. Some notes:

* This functionality relies on some modifications to the appoxy aws gem - we have outstanding pull requests https://github.com/appoxy/aws/pull/89 (earlier one for the security groups parser is already in https://github.com/appoxy/aws/pull/81). Until these commits are pulled into aws the only way to test is with my branch (https://github.com/marios/aws):

    mkdir delme; cd delme; git clone git://github.com/marios/aws.git ; cd aws ; gem build aws.gemspec; sudo gem install aws-2.4.5.gem

  (ignore the version numbering of the gem - it's just a remnant from when I created my fork - latest from appoxy is 2.5.2)

=======================================================================

* XML looks like:

    <firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
      <name><![CDATA[new_firewall]]></name>
      <description><![CDATA[new_one]]></description>
      <owner_id>297467797945</owner_id>
      <rules>
        <rule id="dXNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">
          <allow_protocol>tcp</allow_protocol>
          <port_from>0</port_from>
          <port_to>65535</port_to>
          <direction>ingress</direction>
          <sources>
            <source name='new_firewall' owner='123456789012' type='group'></source>
            <source address='10.1.1.1' family='ipv4' prefix='24' type='address'></source>
            <source address='192.168.1.1' family='ipv4' prefix='24' type='address'></source>
          </sources>
        </rule>
      </rules>
    </firewall>

=======================================================================

* OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for firewalls (both html and xml interfaces), GET/POST/DELETE for firewall rules.

You can also use curl rather than the html interface if you prefer:

create firewall rule:

    curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" -F "group1=new_group" -F "group1owner=123456789" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/default/rules?format=xml

(and you can specify additional sources for a given rule using ip_addressN and groupN/groupNowner)

list firewalls:

    curl --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

create new firewall:

    curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

delete a firewall:

    curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml

delete firewall rule:

    curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/firewall_id/rule_id?format=xml

=======================================================================

* Firewall rule ids... Amazon doesn't have any notion of an 'id' for a single firewall rule; rather, each firewall rule is identified by its constituent parts (protocol, from & to ports, and sources [groups and ip address ranges]). In order to allow for a 'delete /api/firewalls/:firewall/:rule' type operation I use Base64.encode to encode a unique UID for each rule using 'aws_owner_id protocol from_port to_port sources' - but this results in rather ugly looking uids... discussion/suggestions welcome.

I'm sure there's more but this is already way too long, thanks to anyone brave enough to try this stuff out,

all the best, marios
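The rule-id scheme from the last note, worked through as an added example. This is not the patch's code and not Deltacloud's: the "label value" fields joined by ":::" are what the sample id on the page decodes to ("user 297467797945:::protocol tcp:::from_port 24"), while the continuation with to_port and sources, the "group owner/name" form, the SEP constant and all function names are my assumptions. The point it adds for a server handling DELETE /api/firewalls/:firewall/:rule is that the id is an opaque blob chosen by the client: decode it defensively (malformed base64, non-numeric ports and unknown labels give nil rather than a 500), then match the decoded parts against the rules the group actually has before touching EC2.

```ruby
require 'base64'

# Added example; not Deltacloud's or the patch's code. Field layout modelled on the
# decoded sample id from the message; SEP, the to_port/sources encoding and the
# function names are assumptions.
SEP = ':::'

# Build the opaque id for an EC2 security-group rule from the parts that identify it.
# sources: array of {type: 'group', owner:, name:} or {type: 'address', cidr:}
def firewall_rule_id(owner_id, protocol, from_port, to_port, sources)
  parts = ["user #{owner_id}", "protocol #{protocol}",
           "from_port #{from_port}", "to_port #{to_port}"]
  sources.each do |src|
    parts << case src[:type]
             when 'group'   then "group #{src[:owner]}/#{src[:name]}"
             when 'address' then "address #{src[:cidr]}"
             else raise ArgumentError, "unknown source type #{src[:type].inspect}"
             end
  end
  Base64.strict_encode64(parts.join(SEP))
end

# Decode a client-supplied id. Returns nil for anything not well-formed so the
# handler can answer 400/404 instead of raising (strict_decode64 and Integer()
# both raise ArgumentError on bad input; that is rescued below).
def parse_firewall_rule_id(id)
  raw = Base64.strict_decode64(id.to_s)
  return nil unless raw.ascii_only?
  rule = { sources: [] }
  raw.split(SEP).each do |field|
    label, value = field.split(' ', 2)
    return nil if value.nil? || value.empty?
    case label
    when 'user'      then rule[:owner_id]  = value
    when 'protocol'  then rule[:protocol]  = value
    when 'from_port' then rule[:from_port] = Integer(value, 10)
    when 'to_port'   then rule[:to_port]   = Integer(value, 10)
    when 'group'
      owner, name = value.split('/', 2)
      return nil if name.nil? || name.empty?
      rule[:sources] << { type: 'group', owner: owner, name: name }
    when 'address'   then rule[:sources] << { type: 'address', cidr: value }
    else return nil   # unknown label: reject rather than guess
    end
  end
  return nil unless %i[owner_id protocol from_port to_port].all? { |k| rule.key?(k) }
  rule
rescue ArgumentError
  nil
end

# The decoded id is only a claim. Look it up in the rules the group really has
# (as the driver would have just fetched them) and return the match or nil.
def find_rule(rules, id)
  wanted = parse_firewall_rule_id(id)
  return nil unless wanted
  rules.find { |r| r == wanted }
end

# Constructed sample: the rules of one group as the driver might report them.
SAMPLE_RULES = [
  { owner_id: '297467797945', protocol: 'tcp', from_port: 24, to_port: 24,
    sources: [{ type: 'address', cidr: '10.1.1.1/24' },
              { type: 'group', owner: '123456789012', name: 'new_firewall' }] },
  { owner_id: '297467797945', protocol: 'udp', from_port: 53, to_port: 53,
    sources: [{ type: 'address', cidr: '192.168.1.1/24' }] },
].freeze

if __FILE__ == $0
  r = SAMPLE_RULES[0]
  id = firewall_rule_id(r[:owner_id], r[:protocol], r[:from_port], r[:to_port], r[:sources])
  puts "id: #{id}"
  puts "decoded: #{Base64.strict_decode64(id)}"
  puts "found: #{find_rule(SAMPLE_RULES, id).inspect}"
  puts "garbage id rejected: #{find_rule(SAMPLE_RULES, 'not base64!').nil?}"
end
```

Because the id is a standard-alphabet base64 string, it may contain '/' and '+' and ends in '=' padding, all of which need escaping when placed in a URL path segment; Base64.urlsafe_encode64 (with urlsafe_decode64 on the way in) avoids that while keeping the same reversible scheme.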
