Merge pull request #44238 from bodhi-space/infra5825
INFRA-5825 - add delete_{ingress,egress}_rules params to boto_secgroup
commit
39d60f86e8
@ -126,6 +126,8 @@ def present(
|
|||||||
vpc_name=None,
|
vpc_name=None,
|
||||||
rules=None,
|
rules=None,
|
||||||
rules_egress=None,
|
rules_egress=None,
|
||||||
|
delete_ingress_rules=True,
|
||||||
|
delete_egress_rules=True,
|
||||||
region=None,
|
region=None,
|
||||||
key=None,
|
key=None,
|
||||||
keyid=None,
|
keyid=None,
|
||||||
@ -160,6 +162,16 @@ def present(
|
|||||||
the egress rules will be unmanaged. If set to an empty list, ``[]``,
|
the egress rules will be unmanaged. If set to an empty list, ``[]``,
|
||||||
then all egress rules will be removed.
|
then all egress rules will be removed.
|
||||||
|
|
||||||
|
delete_ingress_rules
|
||||||
|
Some tools (EMR comes to mind) insist on adding rules on-the-fly, which
|
||||||
|
salt will happily remove on the next run. Set this param to False to
|
||||||
|
avoid deleting rules which were added outside of salt.
|
||||||
|
|
||||||
|
delete_egress_rules
|
||||||
|
Some tools (EMR comes to mind) insist on adding rules on-the-fly, which
|
||||||
|
salt will happily remove on the next run. Set this param to False to
|
||||||
|
avoid deleting rules which were added outside of salt.
|
||||||
|
|
||||||
region
|
region
|
||||||
Region to connect to.
|
Region to connect to.
|
||||||
|
|
||||||
@ -191,17 +203,18 @@ def present(
|
|||||||
elif ret['result'] is None:
|
elif ret['result'] is None:
|
||||||
return ret
|
return ret
|
||||||
if rules is not None:
|
if rules is not None:
|
||||||
_ret = _rules_present(name, rules, vpc_id=vpc_id, vpc_name=vpc_name,
|
_ret = _rules_present(name, rules, delete_ingress_rules, vpc_id=vpc_id,
|
||||||
region=region, key=key, keyid=keyid,
|
vpc_name=vpc_name, region=region, key=key,
|
||||||
profile=profile)
|
keyid=keyid, profile=profile)
|
||||||
ret['changes'] = dictupdate.update(ret['changes'], _ret['changes'])
|
ret['changes'] = dictupdate.update(ret['changes'], _ret['changes'])
|
||||||
ret['comment'] = ' '.join([ret['comment'], _ret['comment']])
|
ret['comment'] = ' '.join([ret['comment'], _ret['comment']])
|
||||||
if not _ret['result']:
|
if not _ret['result']:
|
||||||
ret['result'] = _ret['result']
|
ret['result'] = _ret['result']
|
||||||
if rules_egress is not None:
|
if rules_egress is not None:
|
||||||
_ret = _rules_egress_present(name, rules_egress, vpc_id=vpc_id,
|
_ret = _rules_egress_present(name, rules_egress, delete_egress_rules,
|
||||||
vpc_name=vpc_name, region=region, key=key,
|
vpc_id=vpc_id, vpc_name=vpc_name,
|
||||||
keyid=keyid, profile=profile)
|
region=region, key=key, keyid=keyid,
|
||||||
|
profile=profile)
|
||||||
ret['changes'] = dictupdate.update(ret['changes'], _ret['changes'])
|
ret['changes'] = dictupdate.update(ret['changes'], _ret['changes'])
|
||||||
ret['comment'] = ' '.join([ret['comment'], _ret['comment']])
|
ret['comment'] = ' '.join([ret['comment'], _ret['comment']])
|
||||||
if not _ret['result']:
|
if not _ret['result']:
|
||||||
@ -389,13 +402,14 @@ def _get_rule_changes(rules, _rules):
|
|||||||
return (to_delete, to_create)
|
return (to_delete, to_create)
|
||||||
|
|
||||||
|
|
||||||
def _rules_present(name, rules, vpc_id=None, vpc_name=None,
|
def _rules_present(name, rules, delete_ingress_rules=True, vpc_id=None,
|
||||||
region=None, key=None, keyid=None, profile=None):
|
vpc_name=None, region=None, key=None, keyid=None, profile=None):
|
||||||
'''
|
'''
|
||||||
given a group name or group name and vpc_id (or vpc name):
|
given a group name or group name and vpc_id (or vpc name):
|
||||||
1. get lists of desired rule changes (using _get_rule_changes)
|
1. get lists of desired rule changes (using _get_rule_changes)
|
||||||
2. delete/revoke or authorize/create rules
|
2. authorize/create rules missing rules
|
||||||
3. return 'old' and 'new' group rules
|
3. if delete_ingress_rules is True, delete/revoke non-requested rules
|
||||||
|
4. return 'old' and 'new' group rules
|
||||||
'''
|
'''
|
||||||
ret = {'result': True, 'comment': '', 'changes': {}}
|
ret = {'result': True, 'comment': '', 'changes': {}}
|
||||||
sg = __salt__['boto_secgroup.get_config'](name=name, group_id=None, region=region, key=key,
|
sg = __salt__['boto_secgroup.get_config'](name=name, group_id=None, region=region, key=key,
|
||||||
@ -424,11 +438,13 @@ def _rules_present(name, rules, vpc_id=None, vpc_name=None,
|
|||||||
# rules = rules that exist in salt state
|
# rules = rules that exist in salt state
|
||||||
# sg['rules'] = that exist in present group
|
# sg['rules'] = that exist in present group
|
||||||
to_delete, to_create = _get_rule_changes(rules, sg['rules'])
|
to_delete, to_create = _get_rule_changes(rules, sg['rules'])
|
||||||
|
to_delete = to_delete if delete_ingress_rules else []
|
||||||
if to_create or to_delete:
|
if to_create or to_delete:
|
||||||
if __opts__['test']:
|
if __opts__['test']:
|
||||||
msg = """Security group {0} set to have rules modified.
|
msg = """Security group {0} set to have rules modified.
|
||||||
To be created: {1}
|
To be created: {1}
|
||||||
To be deleted: {2}""".format(name, pprint.pformat(to_create), pprint.pformat(to_delete))
|
To be deleted: {2}""".format(name, pprint.pformat(to_create),
|
||||||
|
pprint.pformat(to_delete))
|
||||||
ret['comment'] = msg
|
ret['comment'] = msg
|
||||||
ret['result'] = None
|
ret['result'] = None
|
||||||
return ret
|
return ret
|
||||||
@ -470,13 +486,14 @@ def _rules_present(name, rules, vpc_id=None, vpc_name=None,
|
|||||||
return ret
|
return ret
|
||||||
|
|
||||||
|
|
||||||
def _rules_egress_present(name, rules_egress, vpc_id=None, vpc_name=None,
|
def _rules_egress_present(name, rules_egress, delete_egress_rules=True, vpc_id=None,
|
||||||
region=None, key=None, keyid=None, profile=None):
|
vpc_name=None, region=None, key=None, keyid=None, profile=None):
|
||||||
'''
|
'''
|
||||||
given a group name or group name and vpc_id (or vpc name):
|
given a group name or group name and vpc_id (or vpc name):
|
||||||
1. get lists of desired rule changes (using _get_rule_changes)
|
1. get lists of desired rule changes (using _get_rule_changes)
|
||||||
2. delete/revoke or authorize/create rules
|
2. authorize/create missing rules
|
||||||
3. return 'old' and 'new' group rules
|
3. if delete_egress_rules is True, delete/revoke non-requested rules
|
||||||
|
4. return 'old' and 'new' group rules
|
||||||
'''
|
'''
|
||||||
ret = {'result': True, 'comment': '', 'changes': {}}
|
ret = {'result': True, 'comment': '', 'changes': {}}
|
||||||
sg = __salt__['boto_secgroup.get_config'](name=name, group_id=None, region=region, key=key,
|
sg = __salt__['boto_secgroup.get_config'](name=name, group_id=None, region=region, key=key,
|
||||||
@ -504,20 +521,20 @@ def _rules_egress_present(name, rules_egress, vpc_id=None, vpc_name=None,
|
|||||||
rule['source_group_group_id'] = _group_id
|
rule['source_group_group_id'] = _group_id
|
||||||
# rules_egress = rules that exist in salt state
|
# rules_egress = rules that exist in salt state
|
||||||
# sg['rules_egress'] = that exist in present group
|
# sg['rules_egress'] = that exist in present group
|
||||||
to_delete_egress, to_create_egress = _get_rule_changes(
|
to_delete, to_create = _get_rule_changes(rules_egress, sg['rules_egress'])
|
||||||
rules_egress, sg['rules_egress']
|
to_delete = to_delete if delete_egress_rules else []
|
||||||
)
|
if to_create or to_delete:
|
||||||
if to_create_egress or to_delete_egress:
|
|
||||||
if __opts__['test']:
|
if __opts__['test']:
|
||||||
msg = """Security group {0} set to have rules modified.
|
msg = """Security group {0} set to have rules modified.
|
||||||
To be created: {1}
|
To be created: {1}
|
||||||
To be deleted: {2}""".format(name, pprint.pformat(to_create_egress), pprint.pformat(to_delete_egress))
|
To be deleted: {2}""".format(name, pprint.pformat(to_create),
|
||||||
|
pprint.pformat(to_delete))
|
||||||
ret['comment'] = msg
|
ret['comment'] = msg
|
||||||
ret['result'] = None
|
ret['result'] = None
|
||||||
return ret
|
return ret
|
||||||
if to_delete_egress:
|
if to_delete:
|
||||||
deleted = True
|
deleted = True
|
||||||
for rule in to_delete_egress:
|
for rule in to_delete:
|
||||||
_deleted = __salt__['boto_secgroup.revoke'](
|
_deleted = __salt__['boto_secgroup.revoke'](
|
||||||
name, vpc_id=vpc_id, vpc_name=vpc_name, region=region,
|
name, vpc_id=vpc_id, vpc_name=vpc_name, region=region,
|
||||||
key=key, keyid=keyid, profile=profile, egress=True, **rule)
|
key=key, keyid=keyid, profile=profile, egress=True, **rule)
|
||||||
@ -530,9 +547,9 @@ def _rules_egress_present(name, rules_egress, vpc_id=None, vpc_name=None,
|
|||||||
msg = 'Failed to remove egress rule on {0} security group.'
|
msg = 'Failed to remove egress rule on {0} security group.'
|
||||||
ret['comment'] = ' '.join([ret['comment'], msg.format(name)])
|
ret['comment'] = ' '.join([ret['comment'], msg.format(name)])
|
||||||
ret['result'] = False
|
ret['result'] = False
|
||||||
if to_create_egress:
|
if to_create:
|
||||||
created = True
|
created = True
|
||||||
for rule in to_create_egress:
|
for rule in to_create:
|
||||||
_created = __salt__['boto_secgroup.authorize'](
|
_created = __salt__['boto_secgroup.authorize'](
|
||||||
name, vpc_id=vpc_id, vpc_name=vpc_name, region=region,
|
name, vpc_id=vpc_id, vpc_name=vpc_name, region=region,
|
||||||
key=key, keyid=keyid, profile=profile, egress=True, **rule)
|
key=key, keyid=keyid, profile=profile, egress=True, **rule)
|
||||||
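Review bot: The renumbered docstring steps in `_rules_present` and `_rules_egress_present` say missing rules are created (step 2) before non-requested rules are revoked (step 3), but the egress body in the `-504,20 +521,20` hunk still runs `if to_delete:` before `if to_create:`, so the steps should read `2. if delete_egress_rules is True, delete/revoke non-requested rules` followed by `3. authorize/create missing rules` (the ingress variant's body lies outside these hunks, but its old docstring described the same delete-then-create order). Step 2 of `_rules_present` also carries a doubled word and should be `2. authorize/create missing rules`. The `present()` docstring still states that an empty `rules_egress` list removes all egress rules; with `delete_egress_rules=False` nothing is revoked, so that paragraph should add "unless delete_egress_rules is False", and both new parameter entries should state their default of True. When deletion is disabled the computed `to_delete` list is discarded silently, so rules added outside salt never appear in state output; a line such as `if not delete_egress_rules and to_delete: ret['comment'] = ' '.join([ret['comment'], '{0} unmanaged egress rule(s) left in place on {1}.'.format(len(to_delete), name)])` (and the ingress counterpart) would keep that drift visible without changing what is applied.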
|