aws gem pull request for the security groups code (required by our
'firewalls') has been merged
(https://github.com/appoxy/aws/commit/f5a227af8049725fb5b1cfd4d52c4b1634534b83)
Travis Reeder (https://github.com/treeder) has offered to make a new
release with this code included - once that's done we can think about
pushing this code to trunk.
SO, now seems a good time to ask for a review :) - anyone have any
thoughts on this code? Until aws v.2.5.4 becomes available you can build
it using:
mkdir tempdir; cd tempdir; git clone git://github.com/appoxy/aws.git; cd
aws; gem build aws.gemspec; sudo gem install aws-2.5.3.gem
[OPTIONAL cleanup: cd ../../ ; rm -rf ./tempdir/ ]
marios
On 16/05/11 20:45, [email protected] wrote:
first revision of firewalls including suggestions by Michal:
* in xml output: <rule id="XNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">
rather than <rule> <id>theID</id> ...
* safely do ... blocks around ec2 invocations in ec2_driver
Also, this version adds the html interface for creating new rules. I copy/paste
notes from original message here for convenience (amended for the above
changes):
This patch implements 'firewalls' - which are ec2 security groups. Some notes:
* This functionality relies on some modifications to the appoxy aws gem - we
have outstanding pull requests https://github.com/appoxy/aws/pull/89
(earlier one for security groups parser already in
https://github.com/appoxy/aws/pull/81). Until these commits are pulled into aws
the only way to test is with my branch (https://github.com/marios/aws):
mkdir delme; cd delme; git clone git://github.com/marios/aws.git ; cd aws
; gem build aws.gemspec; sudo gem install aws-2.4.5.gem
(ignore the version numbering of the gem - it's just a remnant from when I
created my fork - latest from appoxy is 2.5.2)
=======================================================================
* XML looks like:
<firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
  <name><![CDATA[new_firewall]]></name>
  <description><![CDATA[new_one]]></description>
  <owner_id>297467797945</owner_id>
  <rules>
    <rule id="dXNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">
      <allow_protocol>tcp</allow_protocol>
      <port_from>0</port_from>
      <port_to>65535</port_to>
      <direction>ingress</direction>
      <sources>
        <source name='new_firewall' owner='123456789012' type='group'></source>
        <source address='10.1.1.1' family='ipv4' prefix='24' type='address'></source>
        <source address='192.168.1.1' family='ipv4' prefix='24' type='address'></source>
      </sources>
    </rule>
  </rules>
</firewall>
=======================================================================
* OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for
firewalls (both html and xml interfaces), GET/POST/DELETE for firewall rules.
You can also use curl rather than html interface if you prefer:
create firewall rule:
curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" \
     -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" \
     -F "group1=new_group" -F "group1owner=123456789" \
     --user 'aws_key:aws_secret_key' \
     http://localhost:3001/api/firewalls/default/rules?format=xml
(and can specify additional sources for a given rule using ip_addressN and
groupN/groupNowner)
list firewalls:
curl --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml
create new firewall:
curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately" \
     --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml
delete a firewall:
curl -X DELETE --user 'aws_key:aws_secret_key' \
     http://localhost:3001/api/firewalls/some_new_firewall?format=xml
delete firewall rule:
curl -X DELETE --user 'aws_key:aws_secret_key' \
     http://localhost:3001/api/firewalls/firewall_id/rule_id?format=xml
=======================================================================
* Firewall rule ids... Amazon doesn't have any notion of an 'id' for a single
firewall rule, rather each firewall rule is identified by its constituent parts
(protocol, from & to ports, and sources [groups and ip address ranges]). In order
to allow for a 'delete /api/firewalls/:firewall/:rule' type operation I use
Base64.encode to encode a unique UID for each rule using 'aws_owner_id protocol
from_port to_port sources' - but this results in rather ugly looking uids...
discussion/suggestions welcome,
I'm sure there's more but this is already way too long, thanks to anyone brave
enough to try this stuff out,
all the best, marios
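A worked example of the rule-id scheme discussed in the thread, added here as illustration; it is not the patch's code and not the project's. The rule id quoted above Base64-decodes to "user 297467797945:::protocol tcp:::from_port 24", so the ':::' separator and the user/protocol/from_port field names are taken from that; the to_port and sources fields, the sorting of sources, the Rule struct, the accepted protocol set, the port-range checks and the form-field/curl helpers are this example's own assumptions. It encodes a rule into an id, decodes and validates an id arriving in a DELETE /api/firewalls/:firewall/:rule path, and builds the ip_addressN / groupN / groupNowner form fields the curl example uses.

```ruby
require 'base64'
require 'ipaddr'

# A firewall rule as the thread describes it: EC2 has no id for a single
# security-group rule, so the id must be derived from its constituent parts.
# sources is an array of hashes, either { type: 'address', address:, prefix: }
# or { type: 'group', name:, owner: }.
Rule = Struct.new(:owner_id, :protocol, :from_port, :to_port, :sources)

# The id quoted in the message decodes to
# "user 297467797945:::protocol tcp:::from_port 24", so ':::' and those three
# field names come from there; the to_port and sources fields are assumed.
SEP = ':::'.freeze
PROTOCOLS = %w[tcp udp icmp].freeze   # assumed set of accepted protocols

module FirewallRuleId
  module_function

  # Canonical text the id is built from. Sources are sorted so the same rule
  # yields the same id however EC2 (or the client) orders them. Group names
  # or owner ids containing ':::', ',' or '@' would need escaping first.
  def canonical(rule)
    srcs = rule.sources.map do |s|
      if s[:type] == 'group'
        "group #{s[:name]}@#{s[:owner]}"
      else
        "address #{s[:address]}/#{s[:prefix]}"
      end
    end
    ["user #{rule.owner_id}", "protocol #{rule.protocol}",
     "from_port #{rule.from_port}", "to_port #{rule.to_port}",
     "sources #{srcs.sort.join(',')}"].join(SEP)
  end

  def encode(rule)
    Base64.strict_encode64(canonical(validate(rule)))
  end

  # Inverse of encode. The id arrives as an untrusted URL path segment, so it
  # is parsed and validated before anything could be passed on to EC2.
  # Every failure surfaces as an ArgumentError (IPAddr errors subclass it).
  def decode(id)
    raw = Base64.strict_decode64(id)              # ArgumentError on bad base64
    fields = raw.split(SEP).map { |f| f.split(/ /, 2) }.to_h
    %w[user protocol from_port to_port sources].each do |k|
      raise ArgumentError, "missing field #{k}" unless fields.key?(k)
    end
    sources = fields['sources'].split(',').map do |src|
      kind, rest = src.split(/ /, 2)
      case kind
      when 'group'
        name, owner = rest.to_s.split('@', 2)
        { type: 'group', name: name, owner: owner }
      when 'address'
        address, prefix = rest.to_s.split('/', 2)
        { type: 'address', address: address, prefix: Integer(prefix.to_s) }
      else
        raise ArgumentError, "unknown source type #{kind.inspect}"
      end
    end
    validate(Rule.new(fields['user'], fields['protocol'],
                      Integer(fields['from_port']), Integer(fields['to_port']),
                      sources))
  end

  # Sanity checks mirroring what EC2 accepts: tcp/udp carry port numbers;
  # for icmp the two fields are type/code, with -1 meaning "all".
  def validate(rule)
    raise ArgumentError, "bad protocol #{rule.protocol.inspect}" unless PROTOCOLS.include?(rule.protocol)
    range = rule.protocol == 'icmp' ? (-1..255) : (0..65_535)
    [rule.from_port, rule.to_port].each do |p|
      raise ArgumentError, "port #{p} out of range" unless range.cover?(p)
    end
    raise ArgumentError, 'from_port > to_port' if rule.from_port > rule.to_port
    raise ArgumentError, 'rule needs at least one source' if rule.sources.empty?
    rule.sources.each do |s|
      next if s[:type] == 'group' && s[:name] && s[:owner]
      raise ArgumentError, "malformed source #{s.inspect}" unless s[:type] == 'address'
      IPAddr.new("#{s[:address]}/#{s[:prefix]}")  # raises on a bad CIDR
    end
    rule
  end

  # Multipart form fields for POST /api/firewalls/:firewall/rules, in the
  # ip_addressN / groupN / groupNowner naming the thread's curl example uses.
  def form_fields(rule)
    fields = { 'protocol' => rule.protocol,
               'from_port' => rule.from_port.to_s, 'to_port' => rule.to_port.to_s }
    addrs, groups = rule.sources.partition { |s| s[:type] == 'address' }
    addrs.each_with_index { |s, i| fields["ip_address#{i + 1}"] = "#{s[:address]}/#{s[:prefix]}" }
    groups.each_with_index do |s, i|
      fields["group#{i + 1}"] = s[:name]
      fields["group#{i + 1}owner"] = s[:owner]
    end
    fields
  end

  # argv for the equivalent curl call (an argv array, so no shell quoting).
  def curl_argv(base_url, firewall, rule, user)
    args = ['curl', '--user', user]
    form_fields(rule).each { |k, v| args += ['-F', "#{k}=#{v}"] }
    args << "#{base_url}/api/firewalls/#{firewall}/rules?format=xml"
  end
end
```

Two practical notes. Standard Base64 output can contain '+', '/' and '=', all of which must be percent-encoded when the id travels as a URL path segment; Base64.urlsafe_encode64 sidesteps that. And because the id simply embeds the rule's parts, any client can mint an id for any rule it likes, so decode only checks shape: before issuing the revoke the server should still confirm that the decoded rule actually exists in the named group and that the caller's credentials own it.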