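/**
 * Asynchronously revokes the given ingress rules from an AWS security group.
 *
 * <p>An EC2 error whose code equals {@code SECURITY_GROUP_RULE_NOT_FOUND} is logged at
 * WARNING and not reported as a failure, so removing a rule that is already gone is
 * idempotent. Any other failure is propagated through the returned result.
 *
 * @param groupId the security group id, sent as the {@code GroupId} request parameter
 * @param rules the permissions to revoke; {@code null} or empty means nothing to do and
 *        an already-completed result is returned without calling EC2
 * @return a result completing with {@code null} once EC2 has processed the request, or
 *         failing with the EC2 exception
 */
public DeferredResult<Void> removeIngressRules(String groupId, List<IpPermission> rules) {
    if (!CollectionUtils.isNotEmpty(rules)) {
        // Nothing to revoke: complete immediately rather than sending an empty request.
        return DeferredResult.completed(null);
    }

    RevokeSecurityGroupIngressRequest req = new RevokeSecurityGroupIngressRequest()
            .withGroupId(groupId).withIpPermissions(rules);

    String message = "Remove Ingress Rules from AWS Security Group with id [" + groupId + "].";

    AWSDeferredResultAsyncHandler<RevokeSecurityGroupIngressRequest, RevokeSecurityGroupIngressResult> handler =
            new AWSDeferredResultAsyncHandler<RevokeSecurityGroupIngressRequest, RevokeSecurityGroupIngressResult>(
                    this.service, message) {
                @Override
                protected Exception consumeError(Exception e) {
                    // Constant-first equals: getErrorCode() may be null (e.g. an error response
                    // the SDK could not parse), which would otherwise NPE inside the error path.
                    if (e instanceof AmazonEC2Exception
                            && SECURITY_GROUP_RULE_NOT_FOUND.equals(((AmazonEC2Exception) e).getErrorCode())) {
                        Utils.log(AWSUtils.class, AWSUtils.class.getSimpleName(), Level.WARNING,
                                () -> String.format("Ingress rules cannot be removed because "
                                        + "they do not exist: %s", Utils.toString(e)));
                        // Returning null (as before) suppresses the error instead of failing
                        // the deferred result; the handler's contract is not visible here.
                        return null;
                    }
                    return e;
                }
            };

    this.client.revokeSecurityGroupIngressAsync(req, handler);

    return handler.toDeferredResult().thenApply(r -> (Void) null);
}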
/**
 * Replaces the ingress rules of the tools ingress security group with one TCP rule per
 * requested port, each allowing the CIDR blocks given in the command.
 *
 * <p>The existing rules are revoked first and the new ones authorized in a separate call,
 * so the group briefly has no ingress rules and, should the authorize call fail, it is
 * left without any (fail-closed). Ports and CIDRs are forwarded exactly as supplied by
 * the command; any validation of them is assumed to happen earlier — TODO confirm.
 *
 * @param command the ports and CIDR blocks to whitelist
 */
@Override
public void run(final WhitelistCidrForVpcAccessCommand command) {
    final BaseOutputs baseStackOutputs = configStore.getBaseStackOutputs();
    final String ingressSgId = baseStackOutputs.getToolsIngressSgId();

    logger.info("Revoking the previous ingress rules...");
    final DescribeSecurityGroupsRequest describeRequest =
            new DescribeSecurityGroupsRequest().withGroupIds(ingressSgId);
    final DescribeSecurityGroupsResult securityGroupsResult =
            ec2Client.describeSecurityGroups(describeRequest);
    securityGroupsResult.getSecurityGroups().forEach(securityGroup -> {
        final List<IpPermission> existingRules = securityGroup.getIpPermissions();
        if (existingRules.isEmpty()) {
            return; // nothing to revoke on this group
        }
        ec2Client.revokeSecurityGroupIngress(new RevokeSecurityGroupIngressRequest()
                .withGroupId(ingressSgId)
                .withIpPermissions(existingRules));
    });
    logger.info("Done.");

    logger.info("Authorizing the new ingress rules...");
    final List<IpPermission> newRules = Lists.newArrayListWithCapacity(command.getPorts().size());
    // One rule per port; each rule carries the full CIDR list from the command.
    command.getPorts().forEach(port -> newRules.add(new IpPermission()
            .withIpRanges(command.getCidrs())
            .withIpProtocol("tcp")
            .withFromPort(port)
            .withToPort(port)));
    final AuthorizeSecurityGroupIngressRequest authorizeRequest =
            new AuthorizeSecurityGroupIngressRequest()
                    .withGroupId(ingressSgId)
                    .withIpPermissions(newRules);
    ec2Client.authorizeSecurityGroupIngress(authorizeRequest);
    logger.info("Done.");
}
/**
 * Revokes the given ingress rules from a security group, logging the request first.
 *
 * <p>No empty-check is performed: the request is sent to EC2 exactly as given, so the
 * caller is expected to pass at least one rule.
 *
 * @param securityGroupId the id of the group the rules are removed from
 * @param rules the permissions to revoke
 */
public void deleteSGIngressRules(String securityGroupId, List<IpPermission> rules) {
    logger.info("delete ingress sg rules, sgId={}, rules={}", securityGroupId, rules);
    final RevokeSecurityGroupIngressRequest revokeRequest = new RevokeSecurityGroupIngressRequest();
    revokeRequest.setGroupId(securityGroupId);
    revokeRequest.setIpPermissions(rules);
    ec2.revokeSecurityGroupIngress(revokeRequest);
}
/**
 * Verifies that revoking a group permission issues exactly one EC2
 * {@code RevokeSecurityGroupIngress} call, by group name, carrying the equivalent
 * {@link IpPermission} for the same port and CIDR.
 */
@Test
public void revokeIngressRules() {
    final String groupName = "securityGroupName";
    final String dataCenter = "dc1";
    final int port = 7000;
    final String cidr = "4.4.4.4/32";

    // Expected low-level EC2 interaction.
    amazonEc2.setRegion(region);
    amazonEc2.revokeSecurityGroupIngress(
            new RevokeSecurityGroupIngressRequest(groupName, ImmutableList.of(ipPermission(port, cidr))));
    replayAll();

    service().revokeIngressRules(groupName, dataCenter, groupPermission(port, cidr));
}
/**
 * Revokes the given ingress permissions from a security group, addressed by name.
 *
 * <p>An empty set is skipped entirely, so no revoke request reaches EC2. The
 * permissions are logged at INFO before the call.
 *
 * @param client the EC2 client to use
 * @param groupName the name of the security group
 * @param ipPermissions the permissions to revoke; nothing happens if empty
 */
private void revokeIngressRules(AmazonEC2 client, String groupName, Set<IpPermission> ipPermissions) {
    if (ipPermissions.isEmpty()) {
        return;
    }
    LOG.info(">> Revoking Security Group Ingress Rules: {} for {}", ipPermissions, groupName);
    final RevokeSecurityGroupIngressRequest revokeRequest =
            new RevokeSecurityGroupIngressRequest()
                    .withGroupName(groupName)
                    .withIpPermissions(ipPermissions);
    client.revokeSecurityGroupIngress(revokeRequest);
}
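/**
 * Revokes one randomly chosen ingress rule from the test security group and returns
 * the rules that should remain on it.
 *
 * @param ingressRules the rules currently on the group; must not be empty
 * @return the input minus the revoked rule, as a Guava difference view over the input
 * @throws IllegalArgumentException if {@code ingressRules} is empty, instead of the
 *         uninformative index error that picking from an empty list would raise
 */
private Set<Rule> revokeAnyRule(Set<Rule> ingressRules) {
    if (ingressRules.isEmpty()) {
        throw new IllegalArgumentException(
                "no ingress rules available to revoke on " + SECURITY_GROUP_NAME);
    }
    List<IpPermission> permissions = newArrayList(transform(ingressRules, ConvertRuleToIpPermission.FUNCTION));
    // Shuffle and take the head: a cheap uniform pick that does not need a separate RNG.
    Collections.shuffle(permissions);
    IpPermission permission = permissions.get(0);
    LOG.info(">> Revoking permission {} on {} for test.", permission, SECURITY_GROUP_NAME);
    client.revokeSecurityGroupIngress(new RevokeSecurityGroupIngressRequest()
            .withGroupName(SECURITY_GROUP_NAME).withIpPermissions(permission));
    return Sets.difference(ingressRules, ImmutableSet.of(ConvertIpPermissionToRule.FUNCTION.apply(permission)));
}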
/**
 * Revokes the given ingress rules from the named security group.
 *
 * <p>Each {@link IpRule} is converted with {@code toIpPermission} and the whole batch is
 * sent in a single {@code RevokeSecurityGroupIngress} call. A {@code null} or empty
 * collection is a no-op.
 *
 * @param name the security group name
 * @param ipRules the rules to revoke; may be {@code null}
 */
@Override
public void deleteRules( final String name, final Collection<IpRule> ipRules ) {
    if ( ipRules == null || ipRules.isEmpty() ) {
        return;
    }
    final Collection<IpPermission> permissions = new ArrayList<IpPermission>( ipRules.size() );
    for ( final IpRule rule : ipRules ) {
        permissions.add( toIpPermission( rule ) );
    }
    client.revokeSecurityGroupIngress(
        new RevokeSecurityGroupIngressRequest()
            .withGroupName( name )
            .withIpPermissions( permissions ) );
}
/**
 * Revokes a single ingress rule (one protocol, one port, several CIDR ranges) from the
 * named security group.
 *
 * @param name the security group name
 * @param ipRanges the CIDR ranges of the rule to revoke
 * @param protocol the IP protocol of the rule, as EC2 expects it (for example {@code "tcp"})
 * @param port the port; used as both the from- and to-port
 */
@Override
public void deleteRules( final String name, final Collection<String> ipRanges, final String protocol, final int port ) {
    final IpPermission permission = new IpPermission()
        .withIpProtocol( protocol )
        .withFromPort( port )
        .withToPort( port )
        .withIpRanges( ipRanges );
    client.revokeSecurityGroupIngress(
        new RevokeSecurityGroupIngressRequest()
            .withGroupName( name )
            .withIpPermissions( permission ) );
}
/**
 * Mock implementation: revoking ingress rules is not supported and always throws.
 *
 * @param revokeSecurityGroupIngressRequest ignored
 * @throws UnsupportedOperationException always
 */
@Override
public void revokeSecurityGroupIngress(RevokeSecurityGroupIngressRequest revokeSecurityGroupIngressRequest)
        throws AmazonServiceException, AmazonClientException {
    final String reason = "Not supported in mock";
    throw new UnsupportedOperationException(reason);
}
/**
 * Performs the {@code RevokeIngress} action without capturing the low-level response.
 *
 * @param request the revoke request
 */
@Override
public void revokeIngress(RevokeSecurityGroupIngressRequest request) {
    revokeIngress(request, null); // null extractor: the low-level response is discarded
}
/**
 * Performs the {@code RevokeIngress} action on the underlying resource.
 *
 * @param request the revoke request
 * @param extractor receives the low-level client response; may be {@code null}
 */
@Override
public void revokeIngress(RevokeSecurityGroupIngressRequest request, ResultCapture<Void> extractor) {
    final String action = "RevokeIngress";
    resource.performAction(action, request, extractor);
}
/**
 * Revokes the ingress rules described by {@code permission} from a security group in
 * the given data center.
 *
 * @param groupName the security group name
 * @param dataCenter selects which EC2 client to use
 * @param permission the permission to revoke; converted with {@code toIpPermissions}
 */
@Override
public void revokeIngressRules(String groupName, String dataCenter, SecurityGroupPermission permission) {
    final RevokeSecurityGroupIngressRequest revokeRequest =
            new RevokeSecurityGroupIngressRequest(groupName, toIpPermissions(permission));
    client(dataCenter).revokeSecurityGroupIngress(revokeRequest);
}
/**
 * Performs the <code>RevokeIngress</code> action.
 *
 * <p>
 * The following request parameters will be populated from the data of this
 * <code>SecurityGroup</code> resource, and any conflicting parameter value
 * set in the request will be overridden:
 * <ul>
 * <li>
 * <b><code>GroupId</code></b>
 * - mapped from the <code>Id</code> identifier.
 * </li>
 * </ul>
 *
 * @param request the revoke request; its <code>GroupId</code> is replaced by this
 *        resource's identifier
 * @see RevokeSecurityGroupIngressRequest
 */
void revokeIngress(RevokeSecurityGroupIngressRequest request);
/**
 * Performs the <code>RevokeIngress</code> action and uses a ResultCapture to
 * retrieve the low-level client response.
 *
 * <p>
 * The following request parameters will be populated from the data of this
 * <code>SecurityGroup</code> resource, and any conflicting parameter value
 * set in the request will be overridden:
 * <ul>
 * <li>
 * <b><code>GroupId</code></b>
 * - mapped from the <code>Id</code> identifier.
 * </li>
 * </ul>
 *
 * @param request the revoke request; its <code>GroupId</code> is replaced by this
 *        resource's identifier
 * @param extractor receives the low-level client response
 * @see RevokeSecurityGroupIngressRequest
 */
void revokeIngress(RevokeSecurityGroupIngressRequest request, ResultCapture<Void> extractor);