public void addIngressRules(String groupId, List<IpPermission> rules) { if (CollectionUtils.isNotEmpty(rules)) { AuthorizeSecurityGroupIngressRequest req = new AuthorizeSecurityGroupIngressRequest() .withGroupId(groupId).withIpPermissions(rules); try { this.client.authorizeSecurityGroupIngress(req); } catch (AmazonEC2Exception e) { if (e.getErrorCode().equals(SECURITY_GROUP_RULE_DUPLICATE)) { Utils.log(AWSUtils.class, AWSUtils.class.getSimpleName(), Level.WARNING, () -> String .format("Ingress rules already exist: %s", Utils.toString(e))); } else { throw e; } } } }
@Override public void onError(Exception exception) { OperationContext.restoreOperationContext(this.opContext); if (exception instanceof AmazonEC2Exception) { // This is to handle enumeration after a credential update. AWS will return 400 // InvalidInstanceID.NotFound if credentials for an endpoint get updated to a // different IAM user or account. According to AWS some other account's instance IDs // are not valid for another account, which is why they throw this error. if (((AmazonEC2Exception) exception).getErrorCode() .equals(AWS_INVALID_INSTANCE_ID_ERROR_CODE)) { this.service.logInfo("IAM user or account changed for endpoint: %s. " + "Removing all invalid computes for this endpoint.", this.aws.request.original.endpointLink); this.aws.subStage = this.next; ((AWSEnumerationAndDeletionAdapterService) this.service) .deleteResourcesInLocalSystem(this.aws); return; } } this.service.logSevere(exception); this.aws.operation.fail(exception); }
/** * Method to get Disk details directly from Amazon */ public static List<Volume> getAwsDisksByIds(AmazonEC2AsyncClient client, VerificationHost host, List<String> diskIds) throws Throwable { try { host.log("Getting disks with ids " + diskIds + " from the AWS endpoint using the EC2 client."); DescribeVolumesRequest describeVolumesRequest = new DescribeVolumesRequest() .withVolumeIds(diskIds); DescribeVolumesResult describeVolumesResult = client .describeVolumes(describeVolumesRequest); return describeVolumesResult.getVolumes(); } catch (Exception e) { if (e instanceof AmazonEC2Exception && ((AmazonEC2Exception) e).getErrorCode() .equalsIgnoreCase(AWS_INVALID_VOLUME_ID_ERROR_CODE)) { return null; } } return new ArrayList<>(); }
@Test public void testDeleteSubnet() throws Throwable { Subnet awsSubnet = createAwsSubnet(); SubnetState subnetState = createSubnetState(awsSubnet.getSubnetId(), AWS_NON_EXISTING_SUBNET_NAME, AWS_NON_EXISTING_SUBNET_CIDR, null); kickOffSubnetProvision(InstanceRequestType.DELETE, subnetState, TaskStage.FINISHED); if (!this.isMock) { // Verify that the subnet was deleted. DescribeSubnetsRequest describeRequest = new DescribeSubnetsRequest() .withSubnetIds(Collections.singletonList(awsSubnet.getSubnetId())); try { this.client.describeSubnets(describeRequest).getSubnets(); fail("Subnet should not exist in AWS."); } catch (AmazonEC2Exception ex) { assertEquals(HttpResponseStatus.BAD_REQUEST.code(), ex.getStatusCode()); } } }
@Override @Cacheable(cacheNames = "ec2-instance", cacheManager = "twoHoursTTLCacheManager") public Optional<Instance> getById(final String accountId, final Region region, final String instanceId) { try { return clientProvider.getClient(AmazonEC2Client.class, accountId, region) .describeInstances(new DescribeInstancesRequest().withInstanceIds(instanceId)) .getReservations().stream() .flatMap(reservation -> reservation.getInstances().stream()) .filter(instance -> Objects.equals(instance.getInstanceId(), instanceId)) .findFirst(); } catch (AmazonEC2Exception e) { if (Objects.equals(e.getErrorCode(), "InvalidInstanceID.NotFound")) { return Optional.empty(); } else { throw e; } } }
public DeferredResult<Void> deleteSubnetAsync(String subnetId) { DeleteSubnetRequest req = new DeleteSubnetRequest().withSubnetId(subnetId); String message = "Delete AWS Subnet with id [" + subnetId + "]."; AWSDeferredResultAsyncHandler<DeleteSubnetRequest, DeleteSubnetResult> handler = new AWSDeferredResultAsyncHandler<DeleteSubnetRequest, DeleteSubnetResult>(this.service, message) { @Override protected Exception consumeError(Exception exception) { if (exception instanceof AmazonEC2Exception) { AmazonEC2Exception amazonExc = (AmazonEC2Exception) exception; if (STATUS_CODE_SUBNET_NOT_FOUND.equals(amazonExc.getErrorCode())) { // AWS subnet doesn't exist. this.service.logWarning(() -> String.format("Unable to delete AWS " + "subnet with id [%s], as it does not exist.", subnetId)); return RECOVERED; } } return exception; } }; this.client.deleteSubnetAsync(req, handler); return handler.toDeferredResult() .thenApply(result -> (Void) null); }
public DeferredResult<Void> addIngressRulesAsync(String groupId, List<IpPermission> rules) { if (CollectionUtils.isNotEmpty(rules)) { AuthorizeSecurityGroupIngressRequest req = new AuthorizeSecurityGroupIngressRequest() .withGroupId(groupId).withIpPermissions(rules); String message = "Create Ingress Rules on AWS Security Group with id [" + groupId + "]."; AWSDeferredResultAsyncHandler<AuthorizeSecurityGroupIngressRequest, AuthorizeSecurityGroupIngressResult> handler = new AWSDeferredResultAsyncHandler<AuthorizeSecurityGroupIngressRequest, AuthorizeSecurityGroupIngressResult>(this.service, message) { @Override protected Exception consumeError(Exception e) { if (e instanceof AmazonEC2Exception && ((AmazonEC2Exception)e).getErrorCode().equals (SECURITY_GROUP_RULE_DUPLICATE)) { Utils.log(AWSUtils.class, AWSUtils.class.getSimpleName(), Level.WARNING, () -> String .format("Ingress rules already exist: %s", Utils.toString(e))); return null; } else { return e; } } }; this.client.authorizeSecurityGroupIngressAsync(req, handler); return handler.toDeferredResult() .thenApply(r -> (Void)null); } else { return DeferredResult.completed(null); } }
public DeferredResult<Void> addInnerIngressRule(String securityGroupId) { AuthorizeSecurityGroupIngressRequest req = new AuthorizeSecurityGroupIngressRequest() .withGroupId(securityGroupId) .withIpPermissions(Collections.singletonList(buildInnerRule(securityGroupId))); String message = "Create internal Ingress Rule on AWS Security Group with id [" + securityGroupId + "]."; AWSDeferredResultAsyncHandler<AuthorizeSecurityGroupIngressRequest, AuthorizeSecurityGroupIngressResult> handler = new AWSDeferredResultAsyncHandler<AuthorizeSecurityGroupIngressRequest, AuthorizeSecurityGroupIngressResult>(this.service, message) { @Override protected Exception consumeError(Exception e) { if (e instanceof AmazonEC2Exception && ((AmazonEC2Exception)e).getErrorCode().equals (SECURITY_GROUP_RULE_DUPLICATE)) { Utils.log(AWSUtils.class, AWSUtils.class.getSimpleName(), Level.WARNING, () -> String .format("Ingress rule already exists: %s", Utils.toString(e))); return null; } else { return e; } } }; this.client.authorizeSecurityGroupIngressAsync(req, handler); return handler.toDeferredResult() .thenApply(r -> (Void)null); }
public DeferredResult<Void> removeIngressRules(String groupId, List<IpPermission> rules) { if (CollectionUtils.isNotEmpty(rules)) { RevokeSecurityGroupIngressRequest req = new RevokeSecurityGroupIngressRequest() .withGroupId(groupId).withIpPermissions(rules); String message = "Remove Ingress Rules from AWS Security Group with id [" + groupId + "]."; AWSDeferredResultAsyncHandler<RevokeSecurityGroupIngressRequest, RevokeSecurityGroupIngressResult> handler = new AWSDeferredResultAsyncHandler<RevokeSecurityGroupIngressRequest, RevokeSecurityGroupIngressResult>(this.service, message) { @Override protected Exception consumeError(Exception e) { if (e instanceof AmazonEC2Exception && ((AmazonEC2Exception)e).getErrorCode().equals (SECURITY_GROUP_RULE_NOT_FOUND)) { Utils.log(AWSUtils.class, AWSUtils.class.getSimpleName(), Level.WARNING, () -> String .format("Ingress rules cannot be removed because " + "they do not exist: %s", Utils.toString(e))); return null; } else { return e; } } }; this.client.revokeSecurityGroupIngressAsync(req, handler); return handler.toDeferredResult() .thenApply(r -> (Void)null); } else { return DeferredResult.completed(null); } }
public DeferredResult<Void> addEgressRules(String groupId, List<IpPermission> rules) { if (CollectionUtils.isNotEmpty(rules)) { AuthorizeSecurityGroupEgressRequest req = new AuthorizeSecurityGroupEgressRequest() .withGroupId(groupId).withIpPermissions(rules); String message = "Create Egress Rules on AWS Security Group with id [" + groupId + "]."; AWSDeferredResultAsyncHandler<AuthorizeSecurityGroupEgressRequest, AuthorizeSecurityGroupEgressResult> handler = new AWSDeferredResultAsyncHandler<AuthorizeSecurityGroupEgressRequest, AuthorizeSecurityGroupEgressResult>(this.service, message) { @Override protected Exception consumeError(Exception e) { if (e instanceof AmazonEC2Exception && ((AmazonEC2Exception)e).getErrorCode().equals (SECURITY_GROUP_RULE_DUPLICATE)) { Utils.log(AWSUtils.class, AWSUtils.class.getSimpleName(), Level.WARNING, () -> String .format("Egress rules already exist: %s", Utils.toString(e))); return null; } else { return e; } } }; this.client.authorizeSecurityGroupEgressAsync(req, handler); return handler.toDeferredResult() .thenApply(r -> (Void)null); } else { return DeferredResult.completed(null); } }
public DeferredResult<Void> addInnerEgressRule(String securityGroupId) { AuthorizeSecurityGroupEgressRequest req = new AuthorizeSecurityGroupEgressRequest() .withGroupId(securityGroupId) .withIpPermissions(Collections.singletonList(buildInnerRule(securityGroupId))); String message = "Create internal Egress Rule on AWS Security Group with id [" + securityGroupId + "]."; AWSDeferredResultAsyncHandler<AuthorizeSecurityGroupEgressRequest, AuthorizeSecurityGroupEgressResult> handler = new AWSDeferredResultAsyncHandler<AuthorizeSecurityGroupEgressRequest, AuthorizeSecurityGroupEgressResult>(this.service, message) { @Override protected Exception consumeError(Exception e) { if (e instanceof AmazonEC2Exception && ((AmazonEC2Exception)e).getErrorCode().equals (SECURITY_GROUP_RULE_DUPLICATE)) { Utils.log(AWSUtils.class, AWSUtils.class.getSimpleName(), Level.WARNING, () -> String .format("Egress rule already exists: %s", Utils.toString(e))); return null; } else { return e; } } }; this.client.authorizeSecurityGroupEgressAsync(req, handler); return handler.toDeferredResult() .thenApply(r -> (Void)null); }
public DeferredResult<Void> removeEgressRules(String groupId, List<IpPermission> rules) { if (CollectionUtils.isNotEmpty(rules)) { RevokeSecurityGroupEgressRequest req = new RevokeSecurityGroupEgressRequest() .withGroupId(groupId).withIpPermissions(rules); String message = "Remove Egress Rules from AWS Security Group with id [" + groupId + "]."; AWSDeferredResultAsyncHandler<RevokeSecurityGroupEgressRequest, RevokeSecurityGroupEgressResult> handler = new AWSDeferredResultAsyncHandler<RevokeSecurityGroupEgressRequest, RevokeSecurityGroupEgressResult>(this.service, message) { @Override protected Exception consumeError(Exception e) { if (e instanceof AmazonEC2Exception && ((AmazonEC2Exception)e).getErrorCode().equals (SECURITY_GROUP_RULE_NOT_FOUND)) { Utils.log(AWSUtils.class, AWSUtils.class.getSimpleName(), Level.WARNING, () -> String .format("Egress rules cannot be removed because " + "they do not exist: %s", Utils.toString(e))); return null; } else { return e; } } }; this.client.revokeSecurityGroupEgressAsync(req, handler); return handler.toDeferredResult() .thenApply(r -> (Void)null); } else { return DeferredResult.completed(null); } }
/** * Delete all subnet states that refer the NetworkState we are about to delete. */ private void deleteSubnetStates(AWSNetworkContext context, AWSNetworkStage next) { Query queryForReferrers = QueryUtils.queryForReferrers( context.network.documentSelfLink, SubnetState.class, SubnetState.FIELD_NAME_NETWORK_LINK); QueryByPages<SubnetState> subnetStates = new QueryByPages<>( getHost(), queryForReferrers, SubnetState.class, context.network.tenantLinks, context.network.endpointLink); subnetStates.setClusterType(ServiceTypeCluster.INVENTORY_SERVICE); DeferredResult<Void> query = subnetStates.queryDocuments(subnetState -> { // First delete Subnet in AWS try { context.client.deleteSubnet(subnetState.id); } catch (AmazonEC2Exception ex) { if (AWSNetworkClient.STATUS_CODE_SUBNET_NOT_FOUND.equals(ex.getErrorCode())) { // Ignore exception if the subnet is no longer available in AWS. this.logWarning(() -> "Unable to delete the subnet in AWS. Reason: " + ex.getMessage()); } else { throw ex; } } // Then delete tracking SubnetState Operation.createDelete(this, subnetState.documentSelfLink).sendWith(this); }); query.whenComplete((v, e) -> { if (e != null) { handleStages(context, e); } else { handleStages(context, next); } }); }
/** * Delete the specified subnet * * @throws AmazonEC2Exception if the subnet doesn't exist. */ public void deleteSubnet(String subnetId) throws AmazonEC2Exception { DeleteSubnetRequest req = new DeleteSubnetRequest().withSubnetId(subnetId); this.client.deleteSubnet(req); }
