/// <summary>
/// Unmarshaller the response from the service to the response class.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override AmazonWebServiceResponse Unmarshall(XmlUnmarshallerContext context)
{
DescribeNetworkAclsResponse response = new DescribeNetworkAclsResponse();
int originalDepth = context.CurrentDepth;
int targetDepth = originalDepth + 1;
if (context.IsStartOfDocument)
{
targetDepth = 2;
}
while (context.ReadAtDepth(originalDepth))
{
if (context.IsStartElement || context.IsAttribute)
{
if (context.TestExpression("networkAclSet/item", targetDepth))
{
var unmarshaller = NetworkAclUnmarshaller.Instance;
var item = unmarshaller.Unmarshall(context);
response.NetworkAcls.Add(item);
continue;
}
}
}
return(response);
}
public override void Invoke(AWSCredentials creds, RegionEndpoint region, int maxItems)
{
AmazonEC2Config config = new AmazonEC2Config();
config.RegionEndpoint = region;
ConfigureClient(config);
AmazonEC2Client client = new AmazonEC2Client(creds, config);
DescribeNetworkAclsResponse resp = new DescribeNetworkAclsResponse();
do
{
DescribeNetworkAclsRequest req = new DescribeNetworkAclsRequest
{
NextToken = resp.NextToken
,
MaxResults = maxItems
};
resp = client.DescribeNetworkAcls(req);
CheckError(resp.HttpStatusCode, "200");
foreach (var obj in resp.NetworkAcls)
{
AddObject(obj);
}
}while (!string.IsNullOrEmpty(resp.NextToken));
}
public List <DescribeNetworkAclsModel> MapForDescribe(DescribeNetworkAclsResponse describeNetworkAclsResponse)
{
var model = new List <DescribeNetworkAclsModel>();
foreach (var networkAcls in describeNetworkAclsResponse.NetworkAcls)
{
model.Add(new DescribeNetworkAclsModel()
{
NetworkAclsId = networkAcls.NetworkAclId
});
}
return(model);
}
public static void GetTopology()
{
IAmazonEC2 ec2 = AWSClientFactory.CreateAmazonEC2Client();
IAmazonAutoScaling asg = AWSClientFactory.CreateAmazonAutoScalingClient();
IAmazonElasticLoadBalancing elb = AWSClientFactory.CreateAmazonElasticLoadBalancingClient();
DescribeVpcsResponse vpcResponse = ec2.DescribeVpcs();
WriteFile("vpcs.csv", vpcResponse.Vpcs);
DescribeInstancesResponse instanceResponse = ec2.DescribeInstances();
var reservationIndex = 0;
foreach (var reservation in instanceResponse.Reservations)
{
if (reservationIndex == 0)
{
WriteFile("instances.csv", reservation.Instances);
}
else
{
AppendFile("instances.csv", reservation.Instances);
}
reservationIndex++;
}
DescribeNetworkAclsResponse naclResponse = ec2.DescribeNetworkAcls();
WriteFile("nacls.csv", naclResponse.NetworkAcls);
Amazon.EC2.Model.DescribeTagsResponse tagsResponse = ec2.DescribeTags();
WriteFile("tags.csv", tagsResponse.Tags);
DescribeVolumesResponse volumesResponse = ec2.DescribeVolumes();
WriteFile("volumes.csv", volumesResponse.Volumes);
DescribeLoadBalancersResponse elbResponse = elb.DescribeLoadBalancers();
WriteFile("elbs.csv", elbResponse.LoadBalancerDescriptions);
DescribeInternetGatewaysResponse igResponse = ec2.DescribeInternetGateways();
WriteFile("igs.csv", igResponse.InternetGateways);
}
private async Task BlockSubnetsInAZ(string vpcId, List <string> subnetIds)
{
//Find all existing network acl associations matching the subnets identified above
DescribeNetworkAclsResponse describeNetworkAclsResult
= await ec2Client.DescribeNetworkAclsAsync(new DescribeNetworkAclsRequest()
{
Filters = new List <Amazon.EC2.Model.Filter> {
new Amazon.EC2.Model.Filter {
Name = "association.subnet-id",
Values = subnetIds
}
}
});
// The describe will return all associations of an ACL, which can be associated with a subnet not in the filter
IEnumerable <string> associationsToUpdate = describeNetworkAclsResult.NetworkAcls.SelectMany(x => x.Associations).Where(x => subnetIds.Contains(x.SubnetId)).Select(x => x.NetworkAclAssociationId);
//create new network acl
CreateNetworkAclResponse createNetworkAclResponse = await ec2Client.CreateNetworkAclAsync(new CreateNetworkAclRequest()
{
VpcId = vpcId
});
// add both ingress and egress denying to all the traffic to the new ACL
string networkAclId = createNetworkAclResponse.NetworkAcl.NetworkAclId;
await CreateNetworkAclEntry(networkAclId, 100, "0.0.0.0/0", true, "-1", CreatePortRange(0, 65535), RuleAction.Deny);
await CreateNetworkAclEntry(networkAclId, 101, "0.0.0.0/0", false, "-1", CreatePortRange(0, 65535), RuleAction.Deny);
// update all subnets to be associated with the new ACL
foreach (string existingAssociation in associationsToUpdate)
{
// associates the specified network ACL with the subnet for the specified network ACL association
ReplaceNetworkAclAssociationResponse replaceNetworkAclAssociationResponse
= await ec2Client.ReplaceNetworkAclAssociationAsync(new ReplaceNetworkAclAssociationRequest()
{
AssociationId = existingAssociation,
NetworkAclId = networkAclId
});
}
}
public override AmazonWebServiceResponse Unmarshall(XmlUnmarshallerContext context)
{
DescribeNetworkAclsResponse response = new DescribeNetworkAclsResponse();
int targetDepth = 2;
while (context.Read())
{
if (context.IsStartElement || context.IsAttribute)
{
if (context.TestExpression("networkAclSet/item", targetDepth))
{
response.NetworkAcls.Add(NetworkAclUnmarshaller.GetInstance().Unmarshall(context));
continue;
}
}
}
return(response);
}
public virtual void failover()
{
try
{
// Modify the autoscaling group to remove the AZ affected which is the AZ passed in the input
// Find the autoscaling group that this is deployed into
// Note: This changes the asynchronous call to a synchronous one
DescribeAutoScalingGroupsResponse autoScalingGroupsResponse = AUTO_SCALING_CLIENT.DescribeAutoScalingGroupsAsync().GetAwaiter().GetResult();
if (autoScalingGroupsResponse != null && autoScalingGroupsResponse.AutoScalingGroups.Count > 0)
{
// Note: This assumes an Auto Scaling group exists; no error checking for readability
AutoScalingGroup autoScalingGroup = autoScalingGroupsResponse.AutoScalingGroups[0];
string autoScalingGroupName = autoScalingGroup.AutoScalingGroupName;
// Find all subnets in the availability zone passed in the input
DescribeSubnetsResponse subnetsResult
= EC2_CLIENT.DescribeSubnetsAsync(new DescribeSubnetsRequest()
{
Filters = new List <Amazon.EC2.Model.Filter> {
new Amazon.EC2.Model.Filter {
Name = "vpc-id",
Values = new List <string> {
vpcId
}
}
}
}).GetAwaiter().GetResult();
IList <string> desiredSubnetsForASG = new List <string>();
foreach (Amazon.EC2.Model.Subnet subnet in subnetsResult.Subnets)
{
if (!string.Equals(subnet.AvailabilityZone, azId, StringComparison.OrdinalIgnoreCase))
{
desiredSubnetsForASG.Add(subnet.SubnetId);
}
}
List <string> desiredSubnets = new List <String>(autoScalingGroup.VPCZoneIdentifier.Split(new[] { ',' }, StringSplitOptions.None));
var tempList = new List <String>(desiredSubnets);
foreach (var subnet in desiredSubnets)
{
if (!desiredSubnetsForASG.Contains(subnet))
{
tempList.Remove(subnet);
}
}
desiredSubnets = tempList;
Console.WriteLine("Updating the auto scaling group " + autoScalingGroupName + " to remove the subnet in the AZ");
// Note: This turns the asynchronous call into a synchronous one
UpdateAutoScalingGroupResponse updateAutoScalingGroupResponse
= AUTO_SCALING_CLIENT.UpdateAutoScalingGroupAsync(new UpdateAutoScalingGroupRequest
{
AutoScalingGroupName = autoScalingGroupName,
VPCZoneIdentifier = string.Join(",", desiredSubnets)
}).GetAwaiter().GetResult();
}
// Find all subnets in the availability zone passed in the input
// Note: This turns the asynchronous call into a synchronous one
DescribeSubnetsResponse describeSubnetsResult
= EC2_CLIENT.DescribeSubnetsAsync(new DescribeSubnetsRequest
{
Filters = new List <Amazon.EC2.Model.Filter> {
new Amazon.EC2.Model.Filter {
Name = "vpc-id",
Values = new List <string> {
vpcId
}
},
new Amazon.EC2.Model.Filter {
Name = "availabilityZone",
Values = new List <string> {
azId
}
}
}
}).GetAwaiter().GetResult();
IList <string> desiredSubnetsForAddingNewNacl = new List <string>();
foreach (Amazon.EC2.Model.Subnet subnet in describeSubnetsResult.Subnets)
{
desiredSubnetsForAddingNewNacl.Add(subnet.SubnetId);
}
//Find all the network acl associations matching the subnets identified above
// Note: This turns the asynchronous call into a synchronous one
DescribeNetworkAclsResponse describeNetworkAclsResult
= EC2_CLIENT.DescribeNetworkAclsAsync(new DescribeNetworkAclsRequest()
{
Filters = new List <Amazon.EC2.Model.Filter> {
new Amazon.EC2.Model.Filter {
Name = "association.subnet-id",
Values = (List <string>)desiredSubnetsForAddingNewNacl
}
}
}).GetAwaiter().GetResult();
IList <NetworkAclAssociation> desiredAclAssociations = new List <NetworkAclAssociation>();
// Note: This assumes a Network ACL is present for readability
IList <NetworkAclAssociation> networkAclsAssociatedWithSubnet = describeNetworkAclsResult.NetworkAcls[0].Associations;
foreach (string subnetId in desiredSubnetsForAddingNewNacl)
{
foreach (NetworkAclAssociation networkAcl in networkAclsAssociatedWithSubnet)
{
if (string.Equals(networkAcl.SubnetId, subnetId, StringComparison.OrdinalIgnoreCase))
{
desiredAclAssociations.Add(networkAcl);
}
}
}
//create new network acl association with both ingress and egress denying to all the traffic
CreateNetworkAclRequest createNetworkAclRequest = new CreateNetworkAclRequest();
createNetworkAclRequest.VpcId = vpcId;
// Note: This turns the asynchronous call into a synchronous one
CreateNetworkAclResponse createNetworkAclResponse = EC2_CLIENT.CreateNetworkAclAsync(createNetworkAclRequest).GetAwaiter().GetResult();
string networkAclId = createNetworkAclResponse.NetworkAcl.NetworkAclId;
createNetworkAclEntry(networkAclId, 100, "0.0.0.0/0", true, "-1", createPortRange(0, 65535), RuleAction.Deny);
createNetworkAclEntry(networkAclId, 101, "0.0.0.0/0", false, "-1", createPortRange(0, 65535), RuleAction.Deny);
// replace all the network acl associations identified for the above subnets with the new network
// acl association which will deny all traffic for those subnets in that AZ
Console.WriteLine("Creating new network ACL associations");
replaceNetworkAclAssociations(desiredAclAssociations, networkAclId);
//fail over rds which is in the same AZ
// Note: This turns the asynchronous call into a synchronous one
DescribeDBInstancesResponse describeDBInstancesResult = RDS_CLIENT.DescribeDBInstancesAsync().GetAwaiter().GetResult();
IList <DBInstance> dbInstances = describeDBInstancesResult.DBInstances;
string dbInstancedId = null;
foreach (DBInstance dbInstance in dbInstances)
{
if (string.Equals(dbInstance.DBSubnetGroup.VpcId, vpcId, StringComparison.OrdinalIgnoreCase) &&
(string.Equals(dbInstance.AvailabilityZone, azId, StringComparison.OrdinalIgnoreCase)) &&
dbInstance.MultiAZ && dbInstance.StatusInfos.Count == 0)
{
dbInstancedId = dbInstance.DBInstanceIdentifier;
}
}
// we want to fail over rds if rds is present in the same az where it is affected
if (!string.IsNullOrEmpty(dbInstancedId))
{
RebootDBInstanceRequest rebootDBInstanceRequest = new RebootDBInstanceRequest();
rebootDBInstanceRequest.DBInstanceIdentifier = dbInstancedId;
rebootDBInstanceRequest.ForceFailover = true;
Console.WriteLine("Rebooting dbInstanceId to secondary AZ " + dbInstancedId);
// Note: This turns the asynchronous call into a synchronous one
RDS_CLIENT.RebootDBInstanceAsync(rebootDBInstanceRequest).GetAwaiter().GetResult();
}
}
catch (Exception exception)
{
Console.WriteLine("Unkown exception occured " + exception.Message);
}
}
public static DescribeNetworkAclsResponse Unmarshall(UnmarshallerContext context)
{
DescribeNetworkAclsResponse describeNetworkAclsResponse = new DescribeNetworkAclsResponse();
describeNetworkAclsResponse.HttpResponse = context.HttpResponse;
describeNetworkAclsResponse.RequestId = context.StringValue("DescribeNetworkAcls.RequestId");
describeNetworkAclsResponse.TotalCount = context.StringValue("DescribeNetworkAcls.TotalCount");
describeNetworkAclsResponse.PageNumber = context.StringValue("DescribeNetworkAcls.PageNumber");
describeNetworkAclsResponse.PageSize = context.StringValue("DescribeNetworkAcls.PageSize");
List <DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl> describeNetworkAclsResponse_networkAcls = new List <DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl>();
for (int i = 0; i < context.Length("DescribeNetworkAcls.NetworkAcls.Length"); i++)
{
DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl networkAcl = new DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl();
networkAcl.NetworkAclId = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].NetworkAclId");
networkAcl.RegionId = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].RegionId");
networkAcl.NetworkAclName = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].NetworkAclName");
networkAcl.Description = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].Description");
networkAcl.VpcId = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].VpcId");
networkAcl.CreationTime = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].CreationTime");
networkAcl.Status = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].Status");
networkAcl.OwnerId = context.LongValue("DescribeNetworkAcls.NetworkAcls[" + i + "].OwnerId");
List <DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_IngressAclEntry> networkAcl_ingressAclEntries = new List <DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_IngressAclEntry>();
for (int j = 0; j < context.Length("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries.Length"); j++)
{
DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_IngressAclEntry ingressAclEntry = new DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_IngressAclEntry();
ingressAclEntry.NetworkAclEntryId = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries[" + j + "].NetworkAclEntryId");
ingressAclEntry.Policy = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries[" + j + "].Policy");
ingressAclEntry.Protocol = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries[" + j + "].Protocol");
ingressAclEntry.SourceCidrIp = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries[" + j + "].SourceCidrIp");
ingressAclEntry.Port = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries[" + j + "].Port");
ingressAclEntry.EntryType = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries[" + j + "].EntryType");
ingressAclEntry.NetworkAclEntryName = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries[" + j + "].NetworkAclEntryName");
ingressAclEntry.Description = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].IngressAclEntries[" + j + "].Description");
networkAcl_ingressAclEntries.Add(ingressAclEntry);
}
networkAcl.IngressAclEntries = networkAcl_ingressAclEntries;
List <DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_EgressAclEntry> networkAcl_egressAclEntries = new List <DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_EgressAclEntry>();
for (int j = 0; j < context.Length("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries.Length"); j++)
{
DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_EgressAclEntry egressAclEntry = new DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_EgressAclEntry();
egressAclEntry.NetworkAclEntryId = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries[" + j + "].NetworkAclEntryId");
egressAclEntry.Policy = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries[" + j + "].Policy");
egressAclEntry.Protocol = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries[" + j + "].Protocol");
egressAclEntry.DestinationCidrIp = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries[" + j + "].DestinationCidrIp");
egressAclEntry.Port = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries[" + j + "].Port");
egressAclEntry.EntryType = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries[" + j + "].EntryType");
egressAclEntry.Description = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries[" + j + "].Description");
egressAclEntry.NetworkAclEntryName = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].EgressAclEntries[" + j + "].NetworkAclEntryName");
networkAcl_egressAclEntries.Add(egressAclEntry);
}
networkAcl.EgressAclEntries = networkAcl_egressAclEntries;
List <DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_Resource> networkAcl_resources = new List <DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_Resource>();
for (int j = 0; j < context.Length("DescribeNetworkAcls.NetworkAcls[" + i + "].Resources.Length"); j++)
{
DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_Resource resource = new DescribeNetworkAclsResponse.DescribeNetworkAcls_NetworkAcl.DescribeNetworkAcls_Resource();
resource.ResourceId = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].Resources[" + j + "].ResourceId");
resource.ResourceType = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].Resources[" + j + "].ResourceType");
resource.Status = context.StringValue("DescribeNetworkAcls.NetworkAcls[" + i + "].Resources[" + j + "].Status");
networkAcl_resources.Add(resource);
}
networkAcl.Resources = networkAcl_resources;
describeNetworkAclsResponse_networkAcls.Add(networkAcl);
}
describeNetworkAclsResponse.NetworkAcls = describeNetworkAclsResponse_networkAcls;
return(describeNetworkAclsResponse);
}
// -----------------------------------------------------------------------
// Live Stack
public static void ProcessNetworkAclFromAWS(StackResourceSummary resource, CFStack stack, AmazonEC2Client ec2Client, string stackName)
{
DescribeNetworkAclsRequest naclRequest = new DescribeNetworkAclsRequest();
naclRequest.NetworkAclIds = new List <string> {
resource.PhysicalResourceId
};
DescribeNetworkAclsResponse response = ec2Client.DescribeNetworkAcls(naclRequest);
foreach (Amazon.EC2.Model.NetworkAcl nacl in response.NetworkAcls)
{
NetworkAcl n = new NetworkAcl();
n.LogicalId = resource.LogicalResourceId;
if (log)
{
Utils.WriteToFile(logFile, "AWS NACL: " + n.LogicalId.ToString(), true);
}
n.Type = "AWS::EC2::NetworkAcl";
n.Properties.VpcId = nacl.VpcId;
foreach (Amazon.EC2.Model.NetworkAclEntry e in nacl.Entries)
{
NetworkAclEntry ne = new NetworkAclEntry();
ne.RuleNumber = e.RuleNumber.ToString();
ne.CidrBlock = e.CidrBlock;
ne.Egress = e.Egress;
if (e.PortRange == null)
{
ne.FromPort = "ALL"; ne.ToPort = "ALL";
}
else
{
//FormatPortRange - Port range could be 0-0 -1-1 0-65535
string from = "";
string to = "";
FormatPortRange(e.PortRange.From.ToString(), e.PortRange.To.ToString(), out from, out to);
ne.FromPort = from;
ne.ToPort = to;
//------------------------------------------------------
}
//FormatProtocol - Protocol could be a number or text (e.g. 6 or tcp)
ne.Protocol = FormatProtocol(e.Protocol);
//-------------------------------------------------------------------
ne.RuleAction = e.RuleAction;
//ICMP not included.
n.Properties.NetworkAclEntry.Add(ne);
if (e.PortRange == null)
{
if (log)
{
Utils.WriteToFile(logFile, ne.RuleNumber + " Protocol: " + e.Protocol + " | From: " + "null" + " To: " + "null", true);
}
}
else
{
if (log)
{
Utils.WriteToFile(logFile, ne.RuleNumber + " Protocol: " + e.Protocol + " | From: " + e.PortRange.From.ToString() + " To: " + e.PortRange.To.ToString(), true);
}
}
}
stack.Resources.Add(n);
}
}
