private static async Task GrantAccess(Permission permission, Region region)
{
//Specify a credentials
var aws = new AmazonEC2Client("", "", RegionEndpoint.EUWest1);
var batchCount = 0;
foreach (var ipRangeBatch in region.IpRange.Batch(50))
{
var securityGroupCreateRequest = new CreateSecurityGroupRequest
{
//Specify a VPC
VpcId = "",
GroupName = $"Azure {permission.Name} {batchCount}",
Description =
$"An auto generated security group to allow azure {region.Name} datacenters access to {permission.Name}"
};
var securityGroupCreateResponse = await aws.CreateSecurityGroupAsync(securityGroupCreateRequest);
var ingressRequest = new AuthorizeSecurityGroupIngressRequest
{
GroupId = securityGroupCreateResponse.GroupId,
IpPermissions = ipRangeBatch.Select(ip => new IpPermission
{
IpProtocol = permission.IpProtocol,
FromPort = permission.FromPort,
ToPort = permission.ToPort,
IpRanges = new List <string> {
ip.Subnet
}
}).ToList()
};
var ingressResponse = await aws.AuthorizeSecurityGroupIngressAsync(ingressRequest);
batchCount++;
}
}
public static async Task OpenInboundPort(AmazonEC2Client ec2Client, int port, string protocol, string securityGroupName)
{
var ipPermission = new IpPermission
{
FromPort = port,
ToPort = port,
IpProtocol = protocol,
Ipv4Ranges = new List <IpRange> {
new IpRange {
CidrIp = "0.0.0.0/0"
}
}
};
var ipPermissions = new List <IpPermission> {
ipPermission
};
var request = new AuthorizeSecurityGroupIngressRequest
{
GroupName = securityGroupName,
IpPermissions = ipPermissions
};
var response = await ec2Client.AuthorizeSecurityGroupIngressAsync(request);
}
//[Obsolete]
public async Task <string> CreateEC2InstanceAsync(int serverType = 0)
{
string secGroupName = "myec2";
string instanceID = "";
if (serverType == (int)AWSConstants.server_types.EC2)
{
//Step 1:- check for the security Groups
var isSGExists = await IsSecurityGroupsExistsAsync(secGroupName);
//Step 2:- Create Security Groups
if (!isSGExists)
{
SecurityGroup securityGroup = CreateSecurityGroupAsync(secGroupName).Result;
string ipRange = "0.0.0.0/0";
List <string> ranges = new List <string>
{
ipRange
};
//Step 3:- Attach the IP Permissions
IpPermission ipPermission = new IpPermission()
{
IpProtocol = "All traffic",
FromPort = 0,
ToPort = 65535,
IpRanges = ranges
};
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = securityGroup.GroupId;
ingressRequest.IpPermissions.Add(ipPermission);
var ingressResponse = amazonEC2Client.AuthorizeSecurityGroupIngressAsync(ingressRequest);
//Step 4:- Create Key Pairs (.pem file)
string keyPairName = CreateKeyPair();
//Step 5:- Create Launch Request Object
string amiID = "ami-0b6158cfa2ae7b493";
List <string> groups = new List <string>()
{
securityGroup.GroupId
};
var launchRequest = new RunInstancesRequest()
{
ImageId = amiID,
InstanceType = "t2.micro",
MinCount = 1,
MaxCount = 1,
KeyName = keyPairName,
SecurityGroupIds = groups
};
var launchResponse = await amazonEC2Client.RunInstancesAsync(launchRequest);
var instances = launchResponse.Reservation.Instances;
var instanceIds = new List <string>();
foreach (Instance item in instances)
{
instanceIds.Add(item.InstanceId);
Console.WriteLine();
Console.WriteLine("New instance: " + item.InstanceId);
Console.WriteLine("Instance state: " + item.State.Name);
}
//Step 6:- Describe Instances to know the status of the instances
var instanceRequest = new DescribeInstancesRequest
{
InstanceIds = new List <string>
{
instanceIds[0]
}
};
while (true)
{
var response = await amazonEC2Client.DescribeInstancesAsync(instanceRequest);
if (response.Reservations[0].Instances[0].State.Name == InstanceStateName.Running)
{
instanceID = response.Reservations[0].Instances[0].PublicDnsName + "With the status of " + InstanceStateName.Running;
break;
}
}
}
}
return(instanceID);
}
/// <summary>
/// Run a single item
/// </summary>
/// <param name="item">The item to run</param>
public void RunItem(EC2SecurityGroupEntry item)
{
AmazonEC2Client ec2Client =
new AmazonEC2Client(
Config.BaseSettings.AWSAccessKeyID,
Config.BaseSettings.AWSSecretAccessKey,
new AmazonEC2Config
{
RegionEndpoint = RegionEndpoint
});
//1) Revoke Old entries/permissions
if (IpState.HasOldIP && IpState.Changed)
{
bool oldIpStillInUse =
MultiClientState?
.Clients?
.Where(mcei => mcei.IP == IpState.OldIP)
.Any()
??
false;
if (!oldIpStillInUse)
{
RevokeSecurityGroupIngressRequest revokeRequest =
new RevokeSecurityGroupIngressRequest
{
GroupId = item.GroupId,
IpPermissions =
new List <IpPermission>
{
new IpPermission
{
IpProtocol = item.IpProtocol,
FromPort = item.PortRange.FromPort,
ToPort = item.PortRange.ToPort,
Ipv4Ranges =
new List <IpRange>
{
new IpRange
{
CidrIp = IpState.NewIPRange
}
}
}
}
};
RevokeSecurityGroupIngressResponse revokeResponse = null;
try
{
revokeResponse =
ec2Client
.RevokeSecurityGroupIngressAsync(revokeRequest)
.GetAwaiter()
.GetResult();
//Output
Output($"EC2SG: Revoked Security Group Rule: {item} for Old IP: {IpState.OldIP}");
}
catch (Exception ex)
{
//In this case we do nothing.
//The old rule was not removed for whatever reason, but we choose to do nothing here
//so that the new rules continue to be added.
Output($"EC2SG: [ACTION REQUIRED] An exception was thrown while trying to revoke Security Group Rule: {item} for Old IP: {IpState.OldIP}\nRule was likely not revoked.\nException was: {ex}");
}
}
}
//2) Insert new entries/permissions
AuthorizeSecurityGroupIngressRequest authorizeRequest =
new AuthorizeSecurityGroupIngressRequest
{
GroupId = item.GroupId,
IpPermissions =
new List <IpPermission>
{
new IpPermission
{
IpProtocol = "tcp",
FromPort = item.PortRange.FromPort,
ToPort = item.PortRange.ToPort,
Ipv4Ranges =
new List <IpRange>
{
new IpRange
{
CidrIp = IpState.NewIPRange
}
}
}
}
};
AuthorizeSecurityGroupIngressResponse authorizeResponse = null;
try
{
//Output
Output($"EC2SG: START : Adding Security Group Rule: {item} for New IP: {IpState.NewIP}");
//Send
authorizeResponse =
ec2Client
.AuthorizeSecurityGroupIngressAsync(authorizeRequest)
.GetAwaiter()
.GetResult();
}
catch (AmazonEC2Exception ex)
{
//Diagnostics
Debug.WriteLine($"{DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.fff")}: EXCEPTION: \n" + ex.ToString());
//Handle
if (string.Equals(ex.ErrorCode, "InvalidPermission.Duplicate", StringComparison.InvariantCultureIgnoreCase))
{
//Apparently it is already there, and we're perfectly happy with that
Output($"EC2SG: ERROR : The entry: {item} for New IP: {IpState.NewIP} was already present. No entry was added.");
}
else
{
//Don't really know quite exactly what went wrong :-|
Output($"EC2SG: ERROR : While adding the entry: {item} for New IP: {IpState.NewIP} an exception was thrown. Error Code: {ex.ErrorCode}, Message: {ex.Message}");
}
}
catch (Exception ex)
{
//Diagnostics
Debug.WriteLine($"{DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.fff")}: EXCEPTION: \n" + ex.ToString());
//Throw
throw new ApplicationException("EC2SG: An unknown exception was thrown while trying to update AWS EC2 Security Group", ex);
}
finally
{
//Output
Output($"EC2SG: COMPLETE: Finished adding Security Group Rule: {item} for New IP: {IpState.NewIP}");
}
}
public async Task <IActionResult> Post(IpModel model)
{
if (model == null)
{
return(BadRequest(new { Success = false, Message = "Invalid model." }));
}
if (!Request.Headers.ContainsKey("Api-Secret"))
{
return(BadRequest(new { success = false, message = "Missing Secret header" }));
}
var values = Request.Headers["Api-Secret"];
var apiSecret = Environment.GetEnvironmentVariable("AWSHELPER_API_SECRET");
if (values.FirstOrDefault(x => x == apiSecret) == null)
{
return(Unauthorized(new { success = false, message = "Invalid secret header" }));
}
if (string.IsNullOrEmpty(model.Name) || string.IsNullOrWhiteSpace(model.Name))
{
return(BadRequest(new { Success = false, Message = "Invalid name" }));
}
var namePrefix = Environment.GetEnvironmentVariable("AWSHELPER_NAME_PREFIX");
var groupId = Environment.GetEnvironmentVariable("AWSHELPER_GROUP_ID");
var accessId = Environment.GetEnvironmentVariable("AWSHELPER_ACCESS_ID");
var accessSecret = Environment.GetEnvironmentVariable("AWSHELPER_ACCESS_SECRET");
var endpoint = RegionEndpoint.GetBySystemName(Environment.GetEnvironmentVariable("AWSHELPER_REGION"));
var client = new AmazonEC2Client(accessId, accessSecret, endpoint);
var req = new DescribeSecurityGroupsRequest();
req.GroupIds.Add(groupId);
var request = new UpdateSecurityGroupRuleDescriptionsIngressRequest
{
GroupId = groupId
};
try
{
var secGroupRequest = new DescribeSecurityGroupsRequest();
secGroupRequest.GroupIds.Add(groupId);
var get = await client.DescribeSecurityGroupsAsync(secGroupRequest);
var securityGroup = get.SecurityGroups.FirstOrDefault();
if (securityGroup == null)
{
return(BadRequest(new { Success = false, Message = "Security group not found." }));
}
var description = $"{namePrefix}{model.Name}";
var ipRangeListRemoved = new List <IpRange>();
var ipRangeListAdded = new List <IpRange>();
foreach (var permission in securityGroup.IpPermissions)
{
foreach (var ipRange in permission.Ipv4Ranges)
{
if (description.Equals(ipRange.Description) && permission.ToPort == model.Port)
{
ipRangeListRemoved.Add(ipRange);
}
}
permission.Ipv4Ranges.RemoveAll(x => ipRangeListRemoved.Contains(x));
}
if (ipRangeListRemoved.Any())
{
var revokeRequest = new RevokeSecurityGroupIngressRequest();
revokeRequest.GroupId = groupId;
revokeRequest.IpPermissions.Add(new IpPermission
{
FromPort = model.Port,
IpProtocol = model.Protocol,
ToPort = model.Port,
Ipv4Ranges = new List <IpRange>(ipRangeListRemoved)
});
await client.RevokeSecurityGroupIngressAsync(revokeRequest);
}
var authorizeRequest = new AuthorizeSecurityGroupIngressRequest();
authorizeRequest.GroupId = groupId;
var authorizeIpRange = new IpRange
{
CidrIp = $"{model.Ip}/32",
Description = description
};
authorizeRequest.IpPermissions.Add(new IpPermission
{
FromPort = model.Port,
IpProtocol = model.Protocol,
ToPort = model.Port,
Ipv4Ranges = new List <IpRange> {
authorizeIpRange
}
});
var authorizeResult = await client.AuthorizeSecurityGroupIngressAsync(authorizeRequest);
return(Ok(new
{
Success = true,
Message = "Action completed."
}));
}
catch (Exception ex)
{
return(BadRequest(new { Success = false, Message = ex.Message }));
}
}
