zaws 0.0.5 → 0.1.1

data/lib/zaws/services/ec2/elasticip.rb

@@ -0,0 +1,82 @@
+require 'json'
+require 'netaddr'
+require 'timeout'
+
+module ZAWS
+  module Services
+    module EC2
+      class Elasticip
+
+        def initialize(shellout, aws,undofile)
+          @shellout=shellout
+          @aws=aws
+          @undofile=undofile
+          @undofile ||= ZAWS::Helper::ZFile.new
+        end
+
+        def view(region, view, textout=nil, verbose=nil, vpcid=nil, instanceid=nil)
+          comline="aws --output #{view} --region #{region} ec2 describe-addresses"
+          if vpcid or instanceid
+            comline = comline + " --filter"
+          end
+          comline = comline + " \"Name=domain,Values=vpc\"" if vpcid
+          comline = comline + " \"Name=instance-id,Values=#{instanceid}\"" if instanceid
+          rtables=@shellout.cli(comline, verbose)
+          textout.puts(rtables.to_s) if textout
+          return rtables
+        end
+
+        def assoc_exists(region, externalid, textout=nil, verbose=nil, vpcid=nil)
+          val, instance_id, sgroups=@aws.ec2.compute.exists(region, nil, verbose, vpcid, externalid)
+          if val
+            addresses=JSON.parse(view(region, 'json', nil, verbose, vpcid, instance_id))
+            addressassoc=(addresses["Addresses"] and (addresses["Addresses"].count == 1))
+            associationid= (addressassoc and addresses["Addresses"][0]["AssociationId"]) ? addresses["Addresses"][0]["AssociationId"] : nil
+            allocationid= (addressassoc and addresses["Addresses"][0]["AllocationId"]) ? addresses["Addresses"][0]["AllocationId"] : nil
+            ip= (addressassoc and addresses["Addresses"][0]["PublicIp"]) ? addresses["Addresses"][0]["PublicIp"] : nil
+            textout.puts addressassoc.to_s if textout
+            return addressassoc, instance_id, associationid, allocationid, ip
+          else
+            textout.puts addressassoc.to_s if textout
+            return false, nil, nil, nil, nil
+          end
+        end
+
+        def declare(region, externalid, textout=nil, verbose=nil, vpcid=nil, check=nil, ufile=nil)
+          if ufile
+            @undofile.prepend("zaws elasticip release #{externalid} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Release elastic ip.', ufile)
+          end
+          elasticip_exists, instance_id, association_id, allocation_id, ip=assoc_exists(region, externalid, nil, verbose, vpcid)
+          return ZAWS::Helper::Output.binary_nagios_check(elasticip_exists, "OK: Elastic Ip exists.", "CRITICAL: Elastic Ip DOES NOT EXIST.", textout) if check
+          if not elasticip_exists and instance_id
+            comline="aws --region #{region} ec2 allocate-address --domain vpc"
+            allocation=JSON.parse(@shellout.cli(comline, verbose))
+            if allocation["AllocationId"]
+              comline="aws --region #{region} ec2 associate-address --instance-id #{instance_id} --allocation-id #{allocation["AllocationId"]}"
+              association=JSON.parse(@shellout.cli(comline, verbose))
+              ZAWS::Helper::Output.out_change(textout, "New elastic ip associated to instance.") if association["AssociationId"]
+            end
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "instance already has an elastic ip. Skipping creation.")
+          end
+        end
+
+        def release(region, externalid, textout=nil, verbose=nil, vpcid=nil)
+          elasticip_exists, instance_id, association_id, allocation_id, ip=assoc_exists(region, externalid, nil, verbose, vpcid)
+          if elasticip_exists and association_id and allocation_id
+            comline="aws --region #{region} ec2 disassociate-address --association-id #{association_id}"
+            disassociation=JSON.parse(@shellout.cli(comline, verbose))
+            if disassociation["return"]=="true"
+              comline="aws --region #{region} ec2 release-address --allocation-id #{allocation_id}"
+              release=JSON.parse(@shellout.cli(comline, verbose))
+              ZAWS::Helper::Output.out_change(textout, "Deleted elasticip.") if release["return"] == "true"
+            end
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Elasticip does not exist. Skipping deletion.")
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/zaws/services/ec2/route_table.rb

@@ -0,0 +1,210 @@
+require 'json'
+require 'netaddr'
+require 'timeout'
+
+module ZAWS
+  module Services
+    module EC2
+      class RouteTable
+
+        def initialize(shellout, aws,undofile)
+          @shellout=shellout
+          @aws=aws
+          @undofile=undofile
+          @undofile ||= ZAWS::Helper::ZFile.new
+        end
+
+        def view(region, view, textout=nil, verbose=nil, vpcid=nil, externalid=nil)
+          comline="aws --output #{view} --region #{region} ec2 describe-route-tables"
+          if vpcid || externalid
+            comline = comline + " --filter"
+          end
+          comline = comline + " \"Name=vpc-id,Values=#{vpcid}\"" if vpcid
+          comline = comline + " \"Name=tag:externalid,Values=#{externalid}\"" if externalid
+          rtables=@shellout.cli(comline, verbose)
+          verbose.puts(rtables) if verbose
+          return rtables
+        end
+
+        def exists(region, textout=nil, verbose=nil, vpcid, externalid)
+          rtable=JSON.parse(view(region, 'json', nil, verbose, vpcid, externalid))
+          val = (rtable["RouteTables"].count == 1)
+          rtable_id = val ? rtable["RouteTables"][0]["RouteTableId"] : nil
+          textout.puts val.to_s if textout
+          return val, rtable_id
+        end
+
+        def declare(region, vpcid, externalid, nagios, textout=nil, verbose=nil, ufile=nil)
+          if ufile
+            @undofile.prepend("zaws route_table delete #{externalid} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Delete route table', ufile)
+          end
+          rtable_exists, rtable_id = exists(region, nil, verbose, vpcid, externalid)
+          return ZAWS::Helper::Output.binary_nagios_check(rtable_exists, "OK: Route table exists.", "CRITICAL: Route table does not exist.", textout) if nagios
+          if not rtable_exists
+            comline="aws --region #{region} ec2 create-route-table --vpc-id #{vpcid}"
+            rtable=JSON.parse(@shellout.cli(comline, verbose))
+            rtableid=rtable["RouteTable"]["RouteTableId"]
+            tagline="aws --region #{region} ec2 create-tags --resources #{rtableid} --tags \"Key=externalid,Value=#{externalid}\""
+            tagresult=JSON.parse(@shellout.cli(tagline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Route table created with external id: my_route_table.") if tagresult["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route table exists already. Skipping Creation.")
+          end
+          return 0
+        end
+
+        def delete(region, textout=nil, verbose=nil, vpcid, externalid)
+          rtable_exists, rtable_id = exists(region, nil, verbose, vpcid, externalid)
+          if rtable_exists
+            comline="aws --region #{region} ec2 delete-route-table --route-table-id #{rtable_id}"
+            deletion=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Route table deleted.") if deletion["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route table does not exist. Skipping deletion.")
+          end
+        end
+
+        def route_exists_by_instance(region, textout=nil, verbose=nil, vpcid, routetable, cidrblock, externalid)
+          # Returns the answer, instance_id, route_table_id
+          instance_id=@aws.ec2.compute.instance_id_by_external_id(region, externalid, vpcid, nil, verbose)
+          return false, nil, nil if not instance_id
+          rtable=JSON.parse(view(region, 'json', nil, verbose, vpcid, routetable))
+          val = (rtable["RouteTables"].count == 1) && rtable["RouteTables"][0]["Routes"].any? { |x| x["DestinationCidrBlock"]=="#{cidrblock}" && x["InstanceId"]=="#{instance_id}" }
+          rtable_id = (rtable["RouteTables"].count == 1) ? rtable["RouteTables"][0]["RouteTableId"] : nil
+          textout.puts val.to_s if textout
+          return val, instance_id, rtable_id
+        end
+
+        def declare_route(region, textout=nil, verbose=nil, vpcid, routetable, cidrblock, externalid, nagios, ufile)
+          if ufile
+            @undofile.prepend("zaws route_table delete_route #{routetable} #{cidrblock} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Delete route', ufile)
+          end
+          # TODO: Route exists already of a different type?
+          route_exists, instance_id, rtable_id = route_exists_by_instance(region, nil, verbose, vpcid, routetable, cidrblock, externalid)
+          return ZAWS::Helper::Output.binary_nagios_check(route_exists, "OK: Route to instance exists.", "CRITICAL: Route to instance does not exist.", textout) if nagios
+          if not route_exists
+            comline="aws --region #{region} ec2 create-route --route-table-id #{rtable_id} --destination-cidr-block #{cidrblock} --instance-id #{instance_id}"
+            routereturn=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Route created to instance.") if routereturn["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route not created to instance. Skip creation.")
+          end
+          return 0
+        end
+
+        def delete_route(region, textout=nil, verbose=nil, vpcid, routetable, cidrblock)
+          rtable=JSON.parse(view(region, 'json', nil, verbose, vpcid, routetable))
+          val = (rtable["RouteTables"].count == 1) && rtable["RouteTables"][0]["Routes"].any? { |x| x["DestinationCidrBlock"]=="#{cidrblock}" }
+          rtable_id = (rtable["RouteTables"].count == 1) ? rtable["RouteTables"][0]["RouteTableId"] : nil
+          if val
+            comline="aws --region #{region} ec2 delete-route --route-table-id #{rtable_id} --destination-cidr-block #{cidrblock}"
+            deletion=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Route deleted.") if deletion["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route does not exist. Skipping deletion.")
+          end
+        end
+
+        def route_exists_by_gatewayid(region, textout=nil, verbose=nil, vpcid, routetable, cidrblock, gatewayid)
+          # Returns the answer, route_table_id
+          rtable=JSON.parse(view(region, 'json', nil, verbose, vpcid, routetable))
+          val = (rtable["RouteTables"].count == 1) && rtable["RouteTables"][0]["Routes"].any? { |x| x["DestinationCidrBlock"]=="#{cidrblock}" && x["GatewayId"]=="#{gatewayid}" }
+          rtable_id = (rtable["RouteTables"].count == 1) ? rtable["RouteTables"][0]["RouteTableId"] : nil
+          textout.puts val.to_s if textout
+          return val, rtable_id
+        end
+
+
+        def declare_route_to_gateway(region, textout=nil, verbose=nil, vpcid, routetable, cidrblock, gatewayid, nagios, ufile)
+          if ufile
+            @undofile.prepend("zaws route_table delete_route #{routetable} #{cidrblock} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Delete route', ufile)
+          end
+          # TODO: Route exists already of a different type?
+          route_exists, rtable_id = route_exists_by_gatewayid(region, nil, verbose, vpcid, routetable, cidrblock, gatewayid)
+          return ZAWS::Helper::Output.binary_nagios_check(route_exists, "OK: Route to gateway exists.", "CRITICAL: Route to gateway does not exist.", textout) if nagios
+          if not route_exists
+            comline="aws --region #{region} ec2 create-route --route-table-id #{rtable_id} --destination-cidr-block #{cidrblock} --gateway-id #{gatewayid}"
+            routereturn=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Route created to gateway.") if routereturn["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route to gateway exists. Skipping creation.")
+          end
+          return 0
+        end
+
+        def subnet_assoc_exists(region, textout=nil, verbose=nil, vpcid, rtable_externalid, cidrblock)
+          rtable=JSON.parse(view(region, 'json', nil, verbose, vpcid, rtable_externalid))
+          subnetid=@aws.ec2.subnet.id_by_cidrblock(region, verbose, vpcid, cidrblock)
+          val = ((not subnetid.nil?) and (rtable["RouteTables"].count == 1) and (rtable["RouteTables"][0]["Associations"].any? { |x| x["SubnetId"]=="#{subnetid}" }))
+          rtassocid= (val and rtable["RouteTables"].count == 1) ? (rtable["RouteTables"][0]["Associations"].select { |x| x["SubnetId"]=="#{subnetid}" })[0]["RouteTableAssociationId"] : nil
+          rtableid = (rtable["RouteTables"].count == 1) ? rtable["RouteTables"][0]["RouteTableId"] : nil
+          textout.puts val.to_s if textout
+          return val, subnetid, rtableid, rtassocid
+        end
+
+        def assoc_subnet(region, textout=nil, verbose=nil, vpcid, routetable, cidrblock, nagios, ufile)
+          if ufile
+            @undofile.prepend("zaws route_table delete_assoc_subnet #{routetable} #{cidrblock} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Delete route table association to subnet', ufile)
+          end
+          assoc_exists, subnetid, rtableid, rtassocid = subnet_assoc_exists(region, nil, verbose, vpcid, routetable, cidrblock)
+          return ZAWS::Helper::Output.binary_nagios_check(assoc_exists, "OK: Route table association to subnet exists.", "CRITICAL: Route table association to subnet does not exist.", textout) if nagios
+          if not assoc_exists
+            comline="aws --region #{region} ec2 associate-route-table --subnet-id #{subnetid} --route-table-id #{rtableid}"
+            assocreturn=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Route table associated to subnet.") if assocreturn["AssociationId"]
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route table already associated to subnet. Skipping association.")
+          end
+          return 0
+        end
+
+        def delete_assoc_subnet(region, textout=nil, verbose=nil, vpcid, rtable_externalid, cidrblock)
+          assoc_exists, subnetid, rtableid, rtassocid = subnet_assoc_exists(region, nil, verbose, vpcid, rtable_externalid, cidrblock)
+          if assoc_exists
+            comline="aws --region #{region} ec2 disassociate-route-table --association-id #{rtassocid}"
+            assocreturn=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Route table association to subnet deleted.") if assocreturn["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route table association to subnet not deleted because it does not exist.")
+          end
+        end
+
+        def propagation_exists_from_gateway(region, textout=nil, verbose=nil, vpcid, rtable_externalid, vgatewayid)
+          rtable=JSON.parse(view(region, 'json', nil, verbose, vpcid, rtable_externalid))
+          val = ((rtable["RouteTables"].count == 1) and (rtable["RouteTables"][0]["PropagatingVgws"].any? { |x| x["GatewayId"]=="#{vgatewayid}" }))
+          rtableid = (rtable["RouteTables"].count == 1) ? rtable["RouteTables"][0]["RouteTableId"] : nil
+          textout.puts val.to_s if textout
+          return val, rtableid
+        end
+
+        def declare_propagation_from_gateway(region, textout=nil, verbose=nil, vpcid, routetable, vgatewayid, nagios, ufile)
+          if ufile
+            @undofile.prepend("zaws route_table delete_propagation_from_gateway my_route_table #{vgatewayid} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Delete route propagation', ufile)
+          end
+          propagation_exists, rtableid = propagation_exists_from_gateway(region, nil, verbose, vpcid, routetable, vgatewayid)
+          return ZAWS::Helper::Output.binary_nagios_check(propagation_exists, "OK: Route propagation from gateway enabled.", "CRITICAL: Route propagation from gateway not enabled.", textout) if nagios
+          if not propagation_exists
+            comline="aws --region #{region} ec2 enable-vgw-route-propagation --route-table-id #{rtableid} --gateway-id #{vgatewayid}"
+            propreturn=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Route propagation from gateway enabled.") if propreturn["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route propagation from gateway already enabled. Skipping propagation.")
+          end
+          return 0
+        end
+
+        def delete_propagation_from_gateway(region, textout=nil, verbose=nil, vpcid, rtable_externalid, vgatewayid)
+          propagation_exists, rtableid = propagation_exists_from_gateway(region, nil, verbose, vpcid, rtable_externalid, vgatewayid)
+          if propagation_exists
+            comline="aws --region #{region} ec2 disable-vgw-route-propagation --route-table-id #{rtableid} --gateway-id #{vgatewayid}"
+            assocreturn=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Deleted route propagation from gateway.") if assocreturn["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Route propagation from gateway does not exist, skipping deletion.")
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/zaws/services/ec2/security_group.rb

@@ -0,0 +1,186 @@
+require 'json'
+require 'netaddr'
+require 'timeout'
+
+module ZAWS
+  module Services
+    module EC2
+      class SecurityGroup
+
+        def initialize(shellout, aws, undofile)
+          @shellout=shellout
+          @aws=aws
+          @undofile=undofile
+          @undofile ||= ZAWS::Helper::ZFile.new
+        end
+
+        def view(region, viewtype, verbose=nil, vpcid=nil, groupname=nil, groupid=nil, perm_groupid=nil, perm_protocol=nil, perm_toport=nil, cidr=nil, unused=false)
+          ds=@aws.awscli.command_ec2.describeSecurityGroups
+          ds.clear_settings
+          ds.filter.vpc_id(vpcid).group_name(groupname).group_id(groupid)
+          ds.filter.ip_permission_group_id(perm_groupid).ip_permission_cidr(cidr)
+          ds.filter.ip_permission_protocol(perm_protocol).ip_permission_to_port(perm_toport)
+          ds.aws.output(viewtype)
+          ds.aws.region(region)
+          sgroups=ds.view(viewtype, verbose)
+          if unused #TODO: Improve to detect security groups associated to firewall.
+            instances = @aws.ec2.compute.view(region, 'json', nil, verbose)
+            sgroups = JSON.parse(filter_groups_by_instances(sgroups, instances))
+            sgroups = sgroups['SecurityGroups'].map { |x| x['GroupName'] }.join("\n")
+          end
+          verbose.puts(sgroups) if verbose
+          return sgroups
+        end
+
+        def exists(region, verbose=nil, vpcid, groupname)
+          view(region, 'json', verbose, vpcid, groupname)
+          val, sgroupid = @aws.awscli.command_ec2.describeSecurityGroups.exists
+          verbose.puts val.to_s if verbose
+          return val, sgroupid
+        end
+
+        def filter_groups_by_instances(security_groups, instances)
+          security_groups_hash=JSON.parse(security_groups)
+          instances_hash=JSON.parse(instances)
+          instances_hash['Reservations'].each do |w|
+            w['Instances'].each do |x|
+              x['SecurityGroups'].each do |y|
+                security_groups_hash['SecurityGroups'] = security_groups_hash['SecurityGroups'].select { |j| not j['GroupName'] == (y['GroupName']) }
+              end
+              x['NetworkInterfaces'].each do |y|
+                y['Groups'].each do |z|
+                  security_groups_hash['SecurityGroups'] = security_groups_hash['SecurityGroups'].select { |j| not j['GroupName'] == (z['GroupName']) }
+                end
+              end
+            end
+          end
+          JSON.generate(security_groups_hash)
+        end
+
+        def declare(region, vpcid, groupname, description, check, textout=nil, verbose=nil, ufile=nil)
+          if ufile
+            @undofile.prepend("zaws security_group delete #{groupname} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Delete security group', ufile)
+          end
+          sgroup_exists, sgroupid = exists(region, verbose, vpcid, groupname)
+          return ZAWS::Helper::Output.binary_nagios_check(sgroup_exists, "OK: Security Group Exists.", "CRITICAL: Security Group Does Not Exist.", textout) if check
+          if not sgroup_exists
+
+            comline="aws --output json --region #{region} ec2 create-security-group --vpc-id #{vpcid} --group-name #{groupname} --description '#{description}'"
+
+            sgroup=JSON.parse(@shellout.cli(comline, verbose))
+
+            ZAWS::Helper::Output.out_change(textout, "Security Group Created.") if sgroup["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Security Group Exists Already. Skipping Creation.")
+          end
+          return 0
+        end
+
+        def delete(region, verbose=nil, vpcid, groupname)
+          groupid=id_by_name(region, nil, nil, vpcid, groupname)
+          return ZAWS::Helper::Output.return_no_op("Security Group does not exist. Skipping deletion.") if !groupid
+          ds=@aws.awscli.command_ec2.deleteSecurityGroup
+          ds.clear_settings
+          ds.security_group_id(groupid)
+          ds.aws.region(region)
+          sgroup=JSON.parse(ds.execute(verbose))
+          return ZAWS::Helper::Output.return_change("Security Group deleted.") if sgroup["return"] == "true"
+        end
+
+        def id_by_name(region, textout=nil, verbose=nil, vpcid, groupname)
+          sgroups=JSON.parse(view(region, 'json', verbose, vpcid, groupname))
+          group_id= sgroups["SecurityGroups"].count == 1 ? sgroups["SecurityGroups"][0]["GroupId"] : nil
+          raise "More than one security group found when looking up id by name." if sgroups["SecurityGroups"].count > 1
+          textout.puts group_id if textout
+          return group_id
+        end
+
+        def ingress_group_exists(region, vpcid, target, source, protocol, port, textout=nil, verbose=nil)
+          targetid=id_by_name(region, nil, nil, vpcid, target)
+          sourceid=id_by_name(region, nil, nil, vpcid, source)
+          if targetid && sourceid
+            sgroups=JSON.parse(view(region, 'json', verbose, vpcid, nil, targetid, sourceid, protocol, port))
+            if (sgroups["SecurityGroups"].count > 0)
+              # Additionally filter out the sgroups that do not have the source group  and port in the same ip permissions
+              sgroups["SecurityGroups"]=sgroups["SecurityGroups"].select { |x| x['IpPermissions'].any? { |y| y['ToPort'] and y['FromPort'] and y['IpProtocol']==protocol and y['ToPort']==port.to_i and y['FromPort']==port.to_i and y['UserIdGroupPairs'].any? { |z| z['GroupId']=="#{sourceid}" } } }
+            end
+            val = (sgroups["SecurityGroups"].count > 0)
+            textout.puts val.to_s if textout
+            return val, targetid, sourceid
+          end
+        end
+
+        def ingress_cidr_exists(region, vpcid, target, cidr, protocol, port, textout=nil, verbose=nil)
+          targetid=id_by_name(region, nil, nil, vpcid, target)
+          if targetid
+            sgroups=JSON.parse(view(region, 'json', verbose, vpcid, nil, targetid, nil, protocol, port, cidr))
+            if (sgroups["SecurityGroups"].count > 0)
+              # Additionally filter out the sgroups that do not have the cidr and port in the same ip permissions
+              sgroups["SecurityGroups"]=sgroups["SecurityGroups"].select { |x| x['IpPermissions'].any? { |y| y['ToPort'] and y['FromPort'] and y['IpProtocol']==protocol and y['ToPort']==port.to_i and y['FromPort']==port.to_i and y['IpRanges'].any? { |z| z['CidrIp']=="#{cidr}" } } }
+            end
+            val = (sgroups["SecurityGroups"].count > 0)
+            textout.puts val.to_s if textout
+            return val, targetid
+          end
+        end
+
+        def declare_ingress_group(region, vpcid, target, source, protocol, port, nagios, textout=nil, verbose=nil, ufile=nil)
+          if ufile
+            @undofile.prepend("zaws security_group delete_ingress_group #{target} #{source} #{protocol} #{port} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Delete security group ingress group rule', ufile)
+          end
+          ingress_exists, targetid, sourceid = ingress_group_exists(region, vpcid, target, source, protocol, port, nil, verbose)
+          return ZAWS::Helper::Output.binary_nagios_check(ingress_exists, "OK: Security group ingress group rule exists.", "CRITICAL: Security group ingress group rule does not exist.", textout) if nagios
+          if not ingress_exists
+            comline="aws --region #{region} ec2 authorize-security-group-ingress --group-id #{targetid} --source-group #{sourceid} --protocol #{protocol} --port #{port}"
+            # aws cli not returning json causes error.
+            @shellout.cli(comline, verbose)
+            ZAWS::Helper::Output.out_change(textout, "Ingress group rule created.")
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Ingress group rule not created. Exists already.")
+          end
+          return 0
+        end
+
+        def declare_ingress_cidr(region, vpcid, target, cidr, protocol, port, nagios, textout=nil, verbose=nil, ufile=nil)
+          if ufile
+            @undofile.prepend("zaws security_group delete_ingress_cidr #{target} #{cidr} #{protocol} #{port} --region #{region} --vpcid #{vpcid} $XTRA_OPTS", '#Delete cidr ingress group rule', ufile)
+          end
+          ingress_exists, targetid = ingress_cidr_exists(region, vpcid, target, cidr, protocol, port, nil, verbose)
+          return ZAWS::Helper::Output.binary_nagios_check(ingress_exists, "OK: Security group ingress cidr rule exists.", "CRITICAL: Security group ingress cidr rule does not exist.", textout) if nagios
+          if not ingress_exists
+            comline="aws --region #{region} ec2 authorize-security-group-ingress --group-id #{targetid} --cidr #{cidr} --protocol #{protocol} --port #{port}"
+            # aws cli not returning json causes error.
+            @shellout.cli(comline, verbose)
+            ZAWS::Helper::Output.out_change(textout, "Ingress cidr rule created.")
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Ingress cidr rule not created. Exists already.")
+          end
+          return 0
+        end
+
+        def delete_ingress_group(region, vpcid, target, source, protocol, port, textout=nil, verbose=nil)
+          ingress_exists, targetid, sourceid = ingress_group_exists(region, vpcid, target, source, protocol, port, nil, verbose)
+          if ingress_exists
+            comline="aws --region #{region} ec2 revoke-security-group-ingress --group-id #{targetid} --source-group #{sourceid} --protocol #{protocol} --port #{port}"
+            val=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Security group ingress group rule deleted.") if val["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Security group ingress group rule does not exist. Skipping deletion.")
+          end
+        end
+
+        def delete_ingress_cidr(region, vpcid, target, cidr, protocol, port, textout=nil, verbose=nil)
+          ingress_exists, targetid = ingress_cidr_exists(region, vpcid, target, cidr, protocol, port, nil, verbose)
+          if ingress_exists
+            comline="aws --region #{region} ec2 revoke-security-group-ingress --group-id #{targetid} --cidr #{cidr} --protocol #{protocol} --port #{port}"
+            val=JSON.parse(@shellout.cli(comline, verbose))
+            ZAWS::Helper::Output.out_change(textout, "Security group ingress cidr rule deleted.") if val["return"] == "true"
+          else
+            ZAWS::Helper::Output.out_no_op(textout, "Security group ingress cidr rule does not exist. Skipping deletion.")
+          end
+        end
+
+      end
+    end
+  end
+end