aws-eni 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b7f9bdc9bb5d6c7427d50f1354b77317a5a4f1bc
-  data.tar.gz: fe7568417322ab7bfa41be38041efaf1e0aeeae7
+  metadata.gz: 34f9ba0cdfc6a898ddf6b4ec24f72b04187d4b49
+  data.tar.gz: a0de204e867336cb1d3293a4d13fab1ab572b45e
 SHA512:
-  metadata.gz: f86aba30d2b1b0e564810648c701f144c098388d8e349ae1143817b4ee58a07c3d86008be3b79b8e9cca66bc5a92ca801b68907711914a32eeece675894f30f4
-  data.tar.gz: bd60223a0bc09962fb82db2cd7c413da1a08f37ff603a85b716723eaa3fecbf983de317155e8c451badf50063fa59df417d3f7c3e7b6df181651026e2be6696f
+  metadata.gz: 80b6c15ac5abdd73f50b9811a20d6494ac5c4df28afc14ebedcadb9398424d470d81eba1de018da964b0926aad7bfa98903a1440d6cc5b29a4b470d040e18bcd
+  data.tar.gz: 3bc10d67d60cd4afaf30146e293f7acfcc0de280f09e863796de7e03297c5cd5712ba8b987cad90c640af8c7c136343b3cb77f780f3eddaadd99888985a38810

data/bin/aws-eni

@@ -8,7 +8,7 @@ include GLI::App
 
 program_desc 'Manage and sync local network config with AWS Elastic Network Interfaces'
 
-version Aws::ENI::VERSION
+@version = Aws::ENI::VERSION
 
 autocomplete_commands true
 subcommand_option_handling :normal
@@ -17,8 +17,11 @@ sort_help :manually
 
 # global options
 
+desc 'Display the program version'
+switch [:v,:version], negatable: false
+
 desc 'Display all system commands and warnings'
-switch [:v,:verbose], negatable: false
+switch [:V,:verbose], negatable: false
 
 pre do |opt|
   Aws::ENI::IFconfig.verbose = opt[:verbose]
@@ -207,6 +210,7 @@ arg 'security-groups', :optional
 arg 'ip-address', :optional
 command [:create] do |c|
   c.action do |global,opts,args|
+    args.delete('new')
     params = parse_args args, :subnet_id, :security_groups, :primary_ip
     interface = Aws::ENI.create_interface(params)
     puts "interface #{interface[:id]} created on #{interface[:subnet_id]}"
@@ -231,20 +235,26 @@ arg 'subnet-id', :optional
 arg 'security-groups', :optional
 arg 'ip-address', :optional
 command [:attach] do |c|
-  c.desc 'Refresh the interface configuration after attachment'
-  c.switch [:r,:c,:config], negatable: false
+  c.desc 'Do not configure or enable the device after attachment (implies block)'
+  c.switch [:n,'no-config'], negatable: false
+
+  c.desc 'Do not return until attachment is complete'
+  c.switch [:b,:block], negatable: false
 
   c.action do |global,opts,args|
+    config = !opts['no_config']
     if args.first =~ /^eni-/
       help_now! 'Too many arguments' if args.count > 1
       id = args.first
     else
+      args.delete('new')
       params = parse_args args, :subnet_id, :security_groups, :primary_ip
+      Aws::ENI.assert_ifconfig_access if config
       interface = Aws::ENI.create_interface(params)
       puts "interface #{interface[:id]} created on #{interface[:subnet_id]}"
       id = interface[:id]
     end
-    device = Aws::ENI.attach_interface(id, enable: opts[:config], configure: opts[:config])
+    device = Aws::ENI.attach_interface(id, enable: config, configure: config, block: options[:block])
     puts "interface #{device[:id]} attached to #{device[:name]}"
     puts "device #{device[:name]} enabled and configured" if opts[:config]
   end
@@ -262,18 +272,22 @@ long_desc %{
 }
 arg 'interface-id OR device-name'
 command [:detach] do |c|
-  c.desc 'Delete (or preserve) the unused ENI resource after dataching'
+  c.desc 'Delete (or preserve) the unused ENI resource after dataching (implies block)'
   c.switch [:d,:delete], default_value: :not_provided # GLI behavior workaround
 
+  c.desc 'Do not return until detachment is complete'
+  c.switch [:b,:block], negatable: false
+
   c.action do |global,opts,args|
     help_now! "Missing argument" if args.empty?
     params = parse_args args, :interface_id, :device_name
+    params[:block] = opts[:block]
     params[:delete] = opts[:delete] unless opts[:delete] == :not_provided
     id = params[:interface_id] || params[:device_name]
 
     device = Aws::ENI.detach_interface(id, params)
     if device[:deleted]
-      puts "interface #{device[:id]} detached from #{device[:name]} and destroyed"
+      puts "interface #{device[:id]} detached from #{device[:name]} and deleted"
     else
       puts "interface #{device[:id]} detached from #{device[:name]}"
     end
@@ -368,6 +382,7 @@ arg 'device-name', :optional
 command [:associate] do |c|
   c.action do |global,opts,args|
     help_now! "Missing argument" if args.empty?
+    args.delete('new')
     params = parse_args args, :private_ip, :public_ip, :allocation_id, :interface_id, :device_name
     assoc = Aws::ENI.associate_elastic_ip(params[:private_ip], params)
     puts "EIP #{assoc[:public_ip]} (#{assoc[:allocation_id]}) associated with #{assoc[:private_ip]} on #{assoc[:device_name]} (#{assoc[:interface_id]})"
@@ -405,6 +420,8 @@ long_desc %{
 }
 command [:allocate] do |c|
   c.action do |global,opts,args|
+    args.delete('new')
+    help_now! "Invalid argument: #{args.first}" unless args.empty?
     alloc = Aws::ENI.allocate_elastic_ip
     puts "EIP #{alloc[:public_ip]} allocated as #{alloc[:allocation_id]}"
   end
@@ -427,6 +444,35 @@ command [:release] do |c|
   end
 end
 
+desc 'Test access to AWS EC2 and our machine\'s network config'
+long_desc %{
+  Check for sufficient privileges to alter the local machine's network interface
+  configuration and verify that the AWS access credentials include permissions
+  necessary to perform all network related functions.
+}
+command [:test] do |c|
+  c.action do |global,opts,args|
+    help_now! "Too many arguments" if args.count > 1
+
+    print 'IFconfig permissions test... '
+    if Aws::ENI.can_modify_ifconfig?
+      puts 'success!'
+    else
+      puts 'failed'
+      puts "- unable to modify network configuration with /sbin/ip (try sudo)"
+    end
+
+    print 'AWS EC2 permissions test... '
+    if Aws::ENI.can_access_ec2?
+      puts 'success!'
+    else
+      puts 'failed'
+      puts "- insufficient EC2 access. Ensure you have granted access to the"
+      puts "  appropriate EC2 methods in your IAM policy (see documentation)"
+    end
+  end
+end
+
 # error handling
 
 on_error do |exception|

data/lib/aws-eni.rb

@@ -23,13 +23,18 @@ module Aws
           raise EnvironmentError, "Unable to detect VPC settings, library incompatible with EC2-Classic"
         end
       end.freeze
-    rescue Meta::ConnectionFailed
+    rescue ConnectionFailed
       raise EnvironmentError, "Unable to load EC2 meta-data"
     end
 
     def owner_tag(new_owner = nil)
       @owner_tag = new_owner.to_s if new_owner
-      @owner_tag || 'aws-eni script'
+      @owner_tag ||= 'aws-eni script'
+    end
+
+    def timeout(new_default = nil)
+      @timeout = new_default.to_i if new_default
+      @timeout ||= 30
     end
 
     def client
@@ -63,11 +68,15 @@ module Aws
       params[:description] = "generated by #{owner_tag} from #{environment[:instance_id]} on #{timestamp}"
 
       response = client.create_network_interface(params)
-      client.create_tags(resources: [response[:network_interface][:network_interface_id]], tags: [
-        { key: 'created by',   value: owner_tag },
-        { key: 'created on',   value: timestamp },
-        { key: 'created from', value: environment[:instance_id] }
-      ])
+      wait_for 'the interface to be created', rescue: Aws::EC2::Errors::ServiceError do
+        if interface_status(response[:network_interface][:network_interface_id]) == 'available'
+          client.create_tags(resources: [response[:network_interface][:network_interface_id]], tags: [
+            { key: 'created by',   value: owner_tag },
+            { key: 'created on',   value: timestamp },
+            { key: 'created from', value: environment[:instance_id] }
+          ])
+        end
+      end
       {
         id:           response[:network_interface][:network_interface_id],
         subnet_id:    response[:network_interface][:subnet_id],
@@ -77,6 +86,10 @@ module Aws
 
     # attach network interface
     def attach_interface(id, options = {})
+      do_enable = true unless options[:enable] == false
+      do_config = true unless options[:configure] == false
+      assert_ifconfig_access if do_config || do_enable
+
       interface = IFconfig[options[:device_number] || options[:name]]
       raise InvalidParameterError, "Interface #{interface.name} is already in use" if interface.exists?
 
@@ -86,10 +99,14 @@ module Aws
       params[:device_index] = interface.device_number
 
       response = client.attach_network_interface(params)
-      attached = wait_for(10) { interface.exists? }
-      raise TimeoutError, "Timed out waiting for the interface to attach" unless attached
-      interface.configure if options[:configure]
-      interface.enable if options[:enable]
+
+      if options[:block] || do_config || do_enable
+        wait_for 'the interface to attach', rescue: ConnectionFailed do
+          interface.exists? && interface_status(interface.interface_id) == 'in-use'
+        end
+      end
+      interface.configure if do_config
+      interface.enable if do_enable
       {
         id:           interface.interface_id,
         name:         interface.name,
@@ -125,22 +142,21 @@ module Aws
         attachment_id: description[:attachment][:attachment_id],
         force: true
       )
-      deleted = false
       created_by_us = description.tag_set.any? { |tag| tag.key == 'created by' && tag.value == owner_tag }
-      unless options[:delete] == false || options[:delete].nil? && !created_by_us
-        detached = wait_for(10, 0.3) do
+      do_delete = options[:delete] || options[:delete].nil? && created_by_us
+
+      if options[:block] || do_delete
+        wait_for 'the interface to detach', interval: 0.3 do
           !interface.exists? && interface_status(description[:network_interface_id]) == 'available'
         end
-        raise TimeoutError, "Timed out waiting for the interface to detach" unless detached
-        client.delete_network_interface(network_interface_id: description[:network_interface_id])
-        deleted = true
       end
+      client.delete_network_interface(network_interface_id: description[:network_interface_id]) if do_delete
       {
         id:            description[:network_interface_id],
         name:          "eth#{description[:attachment][:device_index]}",
         device_number: description[:attachment][:device_index],
         created_by_us: created_by_us,
-        deleted:       deleted,
+        deleted:       do_delete,
         api_response:  description
       }
     end
@@ -260,6 +276,59 @@ module Aws
       }
     end
 
+    # test whether we have permission to modify our local configuration
+    def can_modify_ifconfig?
+      IFconfig.mutable?
+    end
+
+    def assert_ifconfig_access
+      raise PermissionError, 'Insufficient user priveleges (try sudo)' unless can_modify_ifconfig?
+    end
+
+    # test whether we have the appropriate permissions within our AWS access
+    # credentials to perform all possible API calls
+    def can_access_ec2?
+      client = self.client
+      test_methods = {
+        describe_network_interfaces: nil,
+        create_network_interface: {
+          subnet_id: 'subnet-abcd1234'
+        },
+        attach_network_interface: {
+          network_interface_id: 'eni-abcd1234',
+          instance_id: 'i-abcd1234',
+          device_index: 0
+        },
+        detach_network_interface: {
+          attachment_id: 'eni-attach-abcd1234'
+        },
+        delete_network_interface: {
+          network_interface_id: 'eni-abcd1234'
+        },
+        create_tags: {
+          resources: ['eni-abcd1234'],
+          tags: []
+        }
+      }
+      test_methods.each do |method, params|
+        begin
+          params ||= {}
+          params[:dry_run] = true
+          client.public_send(method, params)
+          raise Error, "Unexpected behavior while testing AWS API access"
+        rescue Aws::EC2::Errors::DryRunOperation
+          # success
+        rescue Aws::EC2::Errors::UnauthorizedOperation
+          return false
+        end
+      end
+      true
+    end
+
+    def assert_ec2_access
+      raise AWSPermissionError, 'Insufficient AWS API access' unless can_access_ec2?
+    end
+
     private
 
     def interface_status(id)
@@ -267,12 +336,21 @@ module Aws
       resp[:network_interfaces].first[:status] unless resp[:network_interfaces].empty?
     end
 
-    def wait_for(timer = 5, interval = 0.1, &block)
-      until timer < 0 or block.call
-        timer -= interval
+    def wait_for(task, options = {}, &block)
+      errors = [*options[:rescue]]
+      timeout = options[:timeout] || self.timeout
+      interval = options[:interval] || 0.1
+
+      until timeout < 0
+        begin
+          break if block.call
+        rescue Exception => e
+          raise unless errors.any? { |error| error === e }
+        end
         sleep interval
+        timeout -= interval
       end
-      timer > 0
+      raise TimeoutError, "Timed out waiting for #{task}" unless timeout > 0
     end
   end
 end

data/lib/aws-eni/errors.rb

@@ -9,5 +9,8 @@ module Aws
     class EnvironmentError < Error; end
     class CommandError < Error; end
     class PermissionError < CommandError; end
+    class AWSPermissionError < Error; end
+    class BadResponse < Error; end
+    class ConnectionFailed < Error; end
   end
 end

data/lib/aws-eni/ifconfig.rb

@@ -70,6 +70,14 @@ module Aws
           end
         end
 
+        # Test whether we have permission to run RTNETLINK commands
+        def mutable?
+          exec 'link set dev eth0' # random innocuous command
+          true
+        rescue PermissionError
+          false
+        end
+
         # Execute a command
         def exec(command, options = {})
           output = nil
@@ -127,7 +135,7 @@ module Aws
         unless @meta_cache && hwaddr == @meta_cache[:hwaddr]
           dev_path = "network/interfaces/macs/#{hwaddr}"
           Meta.open_connection do |conn|
-            raise Meta::BadResponse unless Meta.http_get(conn, "#{dev_path}/")
+            raise BadResponse unless Meta.http_get(conn, "#{dev_path}/")
             @meta_cache = {
               hwaddr: hwaddr,
               interface_id: Meta.http_get(conn, "#{dev_path}/interface-id"),

data/lib/aws-eni/meta.rb

@@ -1,5 +1,6 @@
 require 'time'
 require 'net/http'
+require 'aws-eni/errors'
 
 module Aws
   module ENI
@@ -10,10 +11,6 @@ module Aws
       PORT = '80'
       BASE = '/latest/meta-data/'
 
-      # Custom exception classes
-      class BadResponse < RuntimeError; end
-      class ConnectionFailed < RuntimeError; end
-
       # These are the errors we trap when attempting to talk to the instance
       # metadata service.  Any of these imply the service is not present, no
       # responding or some other non-recoverable error.

data/lib/aws-eni/version.rb

@@ -1,5 +1,5 @@
 module Aws
   module ENI
-    VERSION = "0.1.0"
+    VERSION = "0.1.1"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-eni
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Mike Greiling
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-27 00:00:00.000000000 Z
+date: 2015-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli