add EC2 to allow/revoke security group ingress (#72)

RichieRunner · web-flow · commit c105a155950e · 2020-05-04T16:32:40.000+02:00
Signed-off-by: RichieRunner &lt;richie.ho@outlook.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,7 +2,15 @@
 
 ## [Unreleased][]
 
-[Unreleased]: https://github.com/chaostoolkit-incubator/chaostoolkit-aws/compare/0.13.0...HEAD
+[Unreleased]: https://github.com/chaostoolkit-incubator/chaostoolkit-aws/compare/0.14.0...HEAD
+
+## [0.14.0][]
+
+[0.14.0]: https://github.com/chaostoolkit-incubator/chaostoolkit-aws/compare/0.13.0...0.14.0
+
+### Added
+
+- add EC2 actions to allow/revoke security group ingress
 
 ## [0.13.0][]
 
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Chaos Toolkit Extension for AWS
+# [Chaos Toolkit Extension for AWS](https://docs.chaostoolkit.org/drivers/aws/)
 
 [![Build Status](https://travis-ci.org/chaostoolkit-incubator/chaostoolkit-aws.svg?branch=master)](https://travis-ci.org/chaostoolkit-incubator/chaostoolkit-aws)
 [![Python versions](https://img.shields.io/pypi/pyversions/chaostoolkit-aws.svg)](https://www.python.org/)
@@ -368,7 +368,7 @@ def test_reboot_instance(aws_client):
 ```
 
 By using the [built-in Python module to mock objects][pymock], we can mock the
-EC2 client and assert we edo indeed call the appropriate method with the right
+EC2 client and assert that we do indeed call the appropriate method with the right
 arguments. You are encouraged to write more than a single test for various
 conditions.
 
diff --git a/chaosaws/ec2/actions.py b/chaosaws/ec2/actions.py
@@ -8,7 +8,7 @@
 from botocore.exceptions import ClientError
 from chaosaws import aws_client
 from chaosaws.types import AWSResponse
-from chaoslib.exceptions import FailedActivity
+from chaoslib.exceptions import FailedActivity, ActivityFailed
 from chaoslib.types import Configuration, Secrets
 from logzero import logger
 
@@ -657,3 +657,110 @@ def attach_instance_volume(client: boto3.client,
             'Unable to attach volume %s to instance %s: %s' % (
                 volume_id, instance_id, e.response['Error']['Message']))
     return response
+
+
+def authorize_security_group_ingress(requested_security_group_id: str,
+                                     ip_protocol: str,
+                                     from_port: int,
+                                     to_port: int,
+                                     ingress_security_group_id: str = None,
+                                     cidr_ip: str = None,
+                                     configuration: Configuration = None,
+                                     secrets: Secrets = None) -> AWSResponse:
+    """
+    Add one ingress rule to a security group
+    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.authorize_security_group_ingress
+
+    - requested_security_group_id: the id for the security group to update
+    - ip_protocol: ip protocol name (tcp, udp, icmp, icmpv6) or -1 to specify all
+    - from_port: start of port range
+    - to_port: end of port range
+    - ingress_security_group_id: id of the securiy group to allow access to. You can either specify this or cidr_ip.
+    - cidr_ip: the IPv6 CIDR range.
+    You can either specify this or ingress_security_group_id
+    """  # noqa: E501
+    client = aws_client('ec2', configuration, secrets)
+    request_kwargs = create_ingress_kwargs(
+        requested_security_group_id,
+        ip_protocol,
+        from_port,
+        to_port,
+        ingress_security_group_id,
+        cidr_ip
+    )
+    try:
+        response = client.authorize_security_group_ingress(**request_kwargs)
+        return response
+    except ClientError as e:
+        raise ActivityFailed(
+            'Failed to add ingress rule: {}'.format(
+                e.response["Error"]["Message"]))
+
+
+def revoke_security_group_ingress(requested_security_group_id: str,
+                                  ip_protocol: str,
+                                  from_port: int,
+                                  to_port: int,
+                                  ingress_security_group_id: str = None,
+                                  cidr_ip: str = None,
+                                  configuration: Configuration = None,
+                                  secrets: Secrets = None) -> AWSResponse:
+    """
+    Remove one ingress rule from a security group
+    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.revoke_security_group_ingress
+
+    - requested_security_group_id: the id for the security group to update
+    - ip_protocol: ip protocol name (tcp, udp, icmp, icmpv6) or -1 to specify all
+    - from_port: start of port range
+    - to_port: end of port range
+    - ingress_security_group_id: id of the securiy group to allow access to. You can either specify this or cidr_ip.
+    - cidr_ip: the IPv6 CIDR range. You can either specify this or ingress_security_group_id
+    """  # noqa: E501
+    client = aws_client('ec2', configuration, secrets)
+    request_kwargs = create_ingress_kwargs(
+        requested_security_group_id,
+        ip_protocol,
+        from_port,
+        to_port,
+        ingress_security_group_id,
+        cidr_ip
+    )
+    try:
+        response = client.revoke_security_group_ingress(**request_kwargs)
+        return response
+    except ClientError as e:
+        raise ActivityFailed(
+            'Failed to remove ingress rule: {}'.format(
+                e.response["Error"]["Message"]))
+
+
+def create_ingress_kwargs(requested_security_group_id: str,
+                          ip_protocol: str,
+                          from_port: int,
+                          to_port: int,
+                          ingress_security_group_id: str = None,
+                          cidr_ip: str = None,) -> Dict[str, any]:
+    request_kwargs = {
+        'GroupId': requested_security_group_id,
+        'IpPermissions': [
+            {
+                'IpProtocol': ip_protocol,
+                'IpRanges': [{
+                    # conditionally assign the following
+                    # 'CidrIp': cidr_ip
+                }],
+                'FromPort': from_port,
+                'ToPort': to_port,
+                'UserIdGroupPairs': [{
+                    # conditionally assign the following
+                    # 'GroupId': ingress_security_group_id
+                }]
+            }
+        ]
+    }
+    req = request_kwargs['IpPermissions'][0]
+    if cidr_ip is not None:
+        req['IpRanges'][0]['CidrIp'] = cidr_ip
+    if ingress_security_group_id is not None:
+        req['UserIdGroupPairs'][0]['GroupId'] = ingress_security_group_id
+    return request_kwargs
diff --git a/tests/ec2/test_ec2_actions.py b/tests/ec2/test_ec2_actions.py
@@ -6,7 +6,8 @@
 
 from chaosaws.ec2.actions import (
     stop_instance, stop_instances, terminate_instance, terminate_instances,
-    start_instances, restart_instances, detach_random_volume, attach_volume)
+    start_instances, restart_instances, detach_random_volume, attach_volume,
+    authorize_security_group_ingress, revoke_security_group_ingress)
 
 from chaoslib.exceptions import FailedActivity
 
@@ -763,3 +764,143 @@ def test_attach_volume_ec2_filter(aws_client):
         InstanceId=instance_ids[0],
         VolumeId='vol-00000001')
     assert results[0]['DeviceName'] == '/dev/sdb'
+
+
+@patch('chaosaws.ec2.actions.aws_client', autospec=True)
+def test_authorize_security_group_ingress_with_ingress_security_group(aws_client):
+    #arrange
+    client = MagicMock()
+    aws_client.return_value = client
+    requested_security_group_id='sg-123456789abc'
+    ingress_security_group_id='sg-123456789cba'
+    ip_protocol='tcp'
+    from_port=0
+    to_port=80
+    #act
+    authorize_security_group_ingress(
+        requested_security_group_id=requested_security_group_id,
+        ip_protocol=ip_protocol,
+        from_port=from_port,
+        to_port=to_port,
+        ingress_security_group_id=ingress_security_group_id
+    )
+    #assert
+    client.authorize_security_group_ingress.assert_called_with(
+        GroupId=requested_security_group_id,
+        IpPermissions=[
+            {
+                'IpProtocol': ip_protocol,
+                'FromPort': from_port,
+                'ToPort': to_port,
+                'IpRanges': [{}],
+                'UserIdGroupPairs': [
+                    {
+                        'GroupId': ingress_security_group_id
+                    }
+                ]
+            }
+        ]
+    )
+    
+    
+@patch('chaosaws.ec2.actions.aws_client', autospec=True)
+def test_authorize_security_group_ingress_with_cidr_ip(aws_client):
+    #arrange
+    client = MagicMock()
+    aws_client.return_value = client
+    requested_security_group_id='sg-123456789abc'
+    cidr_ip='0.0.0.0/0'
+    ip_protocol='tcp'
+    from_port=0
+    to_port=80
+    #act
+    authorize_security_group_ingress(
+        requested_security_group_id=requested_security_group_id,
+        ip_protocol=ip_protocol,
+        from_port=from_port,
+        to_port=to_port,
+        cidr_ip=cidr_ip
+    )
+    #assert
+    client.authorize_security_group_ingress.assert_called_with(
+        GroupId=requested_security_group_id,
+        IpPermissions=[
+            {
+                'IpProtocol': ip_protocol,
+                'FromPort': from_port,
+                'ToPort': to_port,
+                'IpRanges': [{'CidrIp': cidr_ip}],
+                'UserIdGroupPairs': [{}]
+            }
+        ]
+    )
+    
+    
+@patch('chaosaws.ec2.actions.aws_client', autospec=True)
+def test_revoke_security_group_ingress_with_ingress_security_group(aws_client):
+    #arrange
+    client = MagicMock()
+    aws_client.return_value = client
+    requested_security_group_id='sg-123456789abc'
+    ingress_security_group_id='sg-123456789cba'
+    ip_protocol='tcp'
+    from_port=0
+    to_port=80
+    #act
+    revoke_security_group_ingress(
+        requested_security_group_id=requested_security_group_id,
+        ip_protocol=ip_protocol,
+        from_port=from_port,
+        to_port=to_port,
+        ingress_security_group_id=ingress_security_group_id
+    )
+    #assert
+    client.revoke_security_group_ingress.assert_called_with(
+        GroupId=requested_security_group_id,
+        IpPermissions=[
+            {
+                'IpProtocol': ip_protocol,
+                'FromPort': from_port,
+                'ToPort': to_port,
+                'IpRanges': [{}],
+                'UserIdGroupPairs': [
+                    {
+                        'GroupId': ingress_security_group_id
+                    }
+                ]
+            }
+        ]
+    )
+    
+
+@patch('chaosaws.ec2.actions.aws_client', autospec=True)
+def test_revoke_security_group_ingress_with_cidr_ip(aws_client):
+    #arrange
+    client = MagicMock()
+    aws_client.return_value = client
+    requested_security_group_id='sg-123456789abc'
+    cidr_ip='0.0.0.0/0'
+    ip_protocol='tcp'
+    from_port=0
+    to_port=80
+    #act
+    revoke_security_group_ingress(
+        requested_security_group_id=requested_security_group_id,
+        ip_protocol=ip_protocol,
+        from_port=from_port,
+        to_port=to_port,
+        cidr_ip=cidr_ip
+    )
+    #assert
+    client.revoke_security_group_ingress.assert_called_with(
+        GroupId=requested_security_group_id,
+        IpPermissions=[
+            {
+                'IpProtocol': ip_protocol,
+                'FromPort': from_port,
+                'ToPort': to_port,
+                'IpRanges': [{'CidrIp': cidr_ip}],
+                'UserIdGroupPairs': [{}]
+            }
+        ]
+    )
