module Grouper

Public Instance Methods

add_rule(group, rule)

add a rule to a security group

# File lib/grouper.rb, line 58
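# Add a rule to a security group.
#
# Each direction is authorized independently so that an ingress permission
# that already exists (the SDK raises InvalidPermission::Duplicate) does not
# skip the egress half of a rule whose direction is neither :in nor :out.
# A permission that is already present is treated as success, which keeps
# re-applying the same rule set idempotent.
#
# @param group [AWS::EC2::SecurityGroup] the group to modify
# @param rule the rule to add; responds to #direction (:in, :out, or any
#   other value meaning both directions), #protocol, #ports and #sources
# @return [void]
def add_rule(group, rule)
  direction = rule.direction
  unless direction == :out
    authorize_ignoring_duplicate { group.authorize_ingress(rule.protocol, rule.ports, *rule.sources) }
  end
  unless direction == :in
    authorize_ignoring_duplicate { group.authorize_egress(*rule.sources, :protocol => rule.protocol, :ports => rule.ports) }
  end
  nil
end

# Run one authorize call, treating "permission already exists" as success.
# Any other error from the SDK propagates to the caller.
#
# @yield the authorize call to perform
# @return [void]
def authorize_ignoring_duplicate
  yield
  nil
rescue AWS::EC2::Errors::InvalidPermission::Duplicate
  # Already present: nothing to do.
  nil
end
private :authorize_ignoring_duplicate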
apply_rules(group, rules)

Takes an array of rules and applies them to a security group. If the security group has rules that are not part of the rules array being applied, these are revoked.

# File lib/grouper.rb, line 16
# Make the group's permissions match `rules`: anything on the group that is
# not described by the array is revoked first, then every rule in the array
# is added.
#
# @param group [AWS::EC2::SecurityGroup] the group to reconcile
# @param rules [Array] the complete set of rules the group should carry
# @return [Array] the `rules` array (the result of the final each)
def apply_rules(group, rules)
  remove_old_rules(group, rules)
  rules.each { |desired| add_rule(group, desired) }
end
find_or_create(ec2, group_name)

find a security group, create it if it does not exist

# File lib/grouper.rb, line 5
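# Find a security group by name, creating it if it does not exist.
#
# The lookup is a single filtered query; the group list is not enumerated in
# full beforehand just to test for membership, which also narrows the window
# between the existence check and the create call.
#
# @param ec2 [AWS::EC2] an EC2 interface exposing #security_groups
# @param group_name [String] the security group name to look up
# @return [AWS::EC2::SecurityGroup] the existing group, or the newly created one
def find_or_create(ec2, group_name)
  groups = ec2.security_groups
  # NOTE(review): if several groups carry the same name (e.g. across VPCs)
  # the first match is returned, as the original did — confirm that is intended.
  groups.filter('group-name', group_name).first || groups.create(group_name)
end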
is_rule?(permission, rules)

checks to see if an EC2 IP permission is in an array of rules

# File lib/grouper.rb, line 36
# Whether an EC2 IP permission corresponds to at least one rule in `rules`.
#
# @param permission an EC2 IP permission, compared with #match?
# @param rules [Array] the rules to compare against (empty array gives false)
# @return [Boolean] true if any rule matches, false otherwise
def is_rule?(permission, rules)
  rules.any? { |candidate| match?(permission, candidate) }
end
match?(permission, rule)

checks to see if an EC2 IP permission matches a rule. AWS doesn't do clever recombination of rules in the background, so we do simple comparisons to keep things simple

# File lib/grouper.rb, line 46
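# Check whether an EC2 IP permission matches a rule.
#
# AWS does not recombine permissions behind the scenes, so this is a plain
# field-by-field equality check: ports, sources and protocol must all be equal
# (for array-valued fields `==` is order-sensitive), and the permission's
# direction must agree with the rule's. A rule whose direction is neither :in
# nor :out matches a permission in either direction.
#
# @param permission an EC2 IP permission responding to #port_range,
#   #ip_ranges, #protocol and #egress
# @param rule a rule responding to #direction, #ports, #sources and #protocol
# @return [Boolean] truthy when the permission corresponds to the rule,
#   falsy otherwise
def match?(permission, rule)
  same_fields = permission.port_range == rule.ports &&
                permission.ip_ranges == rule.sources &&
                permission.protocol == rule.protocol
  case rule.direction
  when :in then same_fields && !permission.egress
  when :out then same_fields && permission.egress
  else same_fields # both directions
  end
end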
remove_old_rules(group, rules)

revoke old rules that are not part of the rules array

# File lib/grouper.rb, line 25
# Revoke every permission on the group that is not described by `rules`.
#
# Both the ingress and the egress permissions are examined, so any
# permission not covered by the array, in either direction, is revoked.
#
# @param group [AWS::EC2::SecurityGroup] the group to prune
# @param rules [Array] the rules that should remain on the group
# @return the group's egress permission collection (result of the last each)
def remove_old_rules(group, rules)
  prune = ->(permission) { permission.revoke unless is_rule?(permission, rules) }
  group.ingress_ip_permissions.each(&prune)
  group.egress_ip_permissions.each(&prune)
end
revoke_rule(group, rule)

remove rule from a security group

# File lib/grouper.rb, line 76
# Remove a rule from a security group.
#
# @param group [AWS::EC2::SecurityGroup] the group to modify
# @param rule the rule to revoke; responds to #direction (:in, :out, or any
#   other value meaning both directions), #protocol, #ports and #sources
# @return the result of the last revoke call made
def revoke_rule(group, rule)
  ingress = -> { group.revoke_ingress(rule.protocol, rule.ports, *rule.sources) }
  egress = -> { group.revoke_egress(*rule.sources, :protocol => rule.protocol, :ports => rule.ports) }
  case rule.direction
  when :in then ingress.call
  when :out then egress.call
  else
    ingress.call
    egress.call
  end
end