build-cloud 0.0.9 → 0.0.10

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    MzNmNjcyYmQxZDhkNGY1NTNkYTJhMmI1MDI4YjQ5NzJjOTg4MzUyMQ==
-  data.tar.gz: !binary |-
-    MTNhZTJlMDAzYmYzODFiMjgwOWVjZTEwN2IzZDA3Mjg5M2YyODljMw==
+SHA1:
+  metadata.gz: b46efc757b6cc4e2d30df4b845e6472719f680e2
+  data.tar.gz: 713e03740e84b1f99bf58d1c2adba9bf0c9ad6b0
 SHA512:
-  metadata.gz: !binary |-
-    ZTI2ZTQ4MTBhMWU0MTFkMmEyOGI4NTUxNzJmMThmZDg0MTRhNjNlMjRmZTdk
-    OTZjOWE3NTA3NDUxMjc1ZDI5YmIxYjUzY2E1ZTc3NDhmY2M1YmQ1NWM1ODRm
-    OWI1YTM1MjI3MmZlZmI4YzkwODZhYmQxOTNmZmM1Y2RjYzVjYzg=
-  data.tar.gz: !binary |-
-    OTA1Y2NhZWI3ZTIwM2U2MzBiOTlmMWQ4NGQ5Yjc1Y2RlYTZmOGQyYTFlODdm
-    YWI2MTJjMmNlYTc5OThjNTMzYjkyNjcyY2U2MDc4MzcwZGRlYTk4YTU3YmI1
-    ZTY5M2QxM2JkMjYzMzVlODM2ZDJjNjc0YmYyYjY2ZmU4ZmIxMjQ=
+  metadata.gz: cc19de13443897e1d5aaa15f9d7e03696298b82821f420cea175e543eb954788186e97f893460df6d8f4920c3bc71574b09fa3227117138cef5f805e54c4a56a
+  data.tar.gz: 9707da8ae27fc6bb54a4d05ed8bbab7a9a6965193d8c508f237fb85446893917eccc7dc1c79c94c19e242f9d210a3852ca321e8a063586758cb09c71c43ee06c

data/README.md

@@ -22,6 +22,8 @@ See the command line help for `build-cloud`.
 
 ## Changelog
 
+2015-04-14 - version 0.0.10 - adds "lifecycle" functionality for security groups. Existing security groups will now have rules removed from them or added to them to make AWS reflect the YAML passed to build-cloud. Previously, once a security group had been created by build-cloud, it was never subsequently updated.
+
 2014-12-12 - version 0.0.9 - bugfixes to file path resolution. It is worth noting that when multiple files are passed to `--config` they're treated as relative to the CWD - this is what you'd expect from referencing a file in a command line option. When file(s) are specified in an `:include` key in the given YAML file, relative paths given there are considered to be relative to the location of the YAML file given to `--config` - this is to ensure consistent behaviour regardless of what $CWD is when calling build-cloud.
 
 2014-12-01 - version 0.0.8 - when multiple files are passed to `--config`, any top-level elements in the second and subsequent files which are arrays are merged into the arrays from previously read in files. This means, for examples, that you can have lists of instances or security groups in multiple files, and they will all be read in. Previously, subsequent files overwrote what was in previous files. Note that this only applies for top level elements of YAML files which are arrays - the previous overwriting behaviour applies still to strings.

data/build-cloud.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "build-cloud"
-  spec.version       = "0.0.9"
+  spec.version       = "0.0.10"
   spec.authors       = ["The Scale Factory"]
   spec.email         = ["info@scalefactory.com"]
   spec.summary       = %q{Tools for building resources in AWS}

data/lib/build-cloud/securitygroup.rb

@@ -36,38 +36,157 @@ class BuildCloud::SecurityGroup
     end
 
     def create
-        
-        return if exists?
-
-        @log.info( "Creating security group #{@options[:name]}" )
 
         options = @options.dup
 
-        unless options[:vpc_id]
-
-            options[:vpc_id] = BuildCloud::VPC.get_id_by_name( options[:vpc_name] )
-            options.delete(:vpc_name)
-
-        end
-
         authorized_ranges = []
         if options[:authorized_ranges]
             authorized_ranges = options[:authorized_ranges]
             options.delete(:authorized_ranges)
         end
 
-        security_group = @compute.security_groups.new( options )
-        security_group.save
+        unless exists?
+
+            @log.info( "Creating security group #{@options[:name]}" )
+
+            unless options[:vpc_id]
+
+                options[:vpc_id] = BuildCloud::VPC.get_id_by_name( options[:vpc_name] )
+                options.delete(:vpc_name)
+
+            end
+
+            security_group = @compute.security_groups.new( options )
+            security_group.save
+
+            @log.debug( security_group.inspect )
+
+        end
+
+        rationalise_rules( authorized_ranges )
+
+    end
+
+    def rationalise_rules( authorized_ranges )
+
+        security_group = read
+
+        current_rules = []
+        rules_to_add  = []
+
+        # Read all the existing rules from the SG object. Turn what we find into
+        # a list of hashes, where the hash parameter names match those that we use
+        # in the YAML description.  This will aid comparison of current vs. desired rules
+        
+        security_group.ip_permissions.each do |r|
+
+            if r['groups'] != []
+
+                    c = {
+                        :min_port    => r['fromPort'],
+                        :max_port    => r['toPort'],
+                        :ip_protocol => r['ipProtocol'],
+                        :name        => @compute.security_groups.select { |sg| sg.group_id == r['groups'].first['groupId'] }.first.name,
+                    }
+
+                    current_rules << c
+
+            end
+
+            if r['ipRanges'] != []
+
+                r['ipRanges'].each do |ipRange|
+
+                    c = {
+                        :min_port    => r['fromPort'],
+                        :max_port    => r['toPort'],
+                        :ip_protocol => r['ipProtocol'],
+                        :cidr_ip     => ipRange['cidrIp'],
+                    }
+
+                    current_rules << c
+
+                end
+
+            end
+
+        end
+
+        # Work through the list of desired rules.
 
         authorized_ranges.each do |r|
 
-            security_group.authorize_port_range(
+            # If we find a current rule that matches the desired rule, then
+            # remove that from the list of current rules - you'll see why later.
+
+            already_exists = false
+            current_rules.delete_if do |c|
+               if c == r
+                  @log.debug ( "#{r.inspect} already exists" )
+                  already_exists = true
+                  true # so that delete_if removes the list item
+               end 
+            end
+
+            unless already_exists
+
+                # If the rule doesn't exist already, flag it to be added.
+                # We do this *after* deleting old rules since some changes
+                # to existing rules can cause conflict and error.
+                # (eg. changing a rule from matching a sg name to matching
+                # a cidr block causes this)
+
+                rules_to_add << r
+
+            end
+
+        end
+
+        # At the end of this loop, anything left in the current_rules list
+        # represents a rule that's present on the infra, but should be deleted
+        # (since there's no matching desired rule), so delete those.
+        # Changing a rule maps to "delete old rule, create new one".
+
+        current_rules.each do |r|
+
+            @log.debug ( "Revoking superfluous #{r.inspect}" )
+
+            # Translate sg name into id - looking up with API so we can reference SG names not in the config yaml
+            if r.has_key?(:name) 
+                groups = @compute.security_groups.select { |sg| sg.name == r[:name] }
+                if groups.count == 0
+                    raise "Can't find security group id for group name '#{r[:name]}'"
+                end
+                r[:group] = groups.first.group_id
+            end
+
+
+            security_group.revoke_port_range( 
                 r.delete(:min_port)..r.delete(:max_port), r
             )
 
         end
 
-        @log.debug( security_group.inspect )
+        # Add any new rules that are required.
+
+        rules_to_add.each do |r|
+
+            @log.debug( "Adding #{r.inspect}" )
+
+            # Translate sg name into id - looking up with API so we can reference SG names not in the config yaml
+            if r.has_key?(:name) 
+                groups = @compute.security_groups.select { |sg| sg.name == r[:name] }
+                if groups.count == 0
+                    raise "Can't find security group id for group name '#{r[:name]}'"
+                end
+                r[:group] = groups.first.group_id
+            end
+
+            security_group.authorize_port_range(
+                r.delete(:min_port)..r.delete(:max_port), r
+            )
+
+        end
 
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: build-cloud
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.0.10
 platform: ruby
 authors:
 - The Scale Factory
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-12 00:00:00.000000000 Z
+date: 2015-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -28,42 +28,42 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: fog
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 1.22.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 1.22.0
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 0.9.12.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 0.9.12.6
 description: 
@@ -117,17 +117,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.4
+rubygems_version: 2.0.14
 signing_key: 
 specification_version: 4
 summary: Tools for building resources in AWS