public static void ProcessEC2SecurityGroupFromAWS(StackResourceSummary resource, CFStack stack, AmazonEC2Client ec2Client, Dictionary <string, string> secGroupMap, string stackName)
{
DescribeSecurityGroupsRequest secGroupRequest = new DescribeSecurityGroupsRequest();
//Set request to use Phisical Id
secGroupRequest.GroupIds = new List <string> {
resource.PhysicalResourceId
};
//Attempt to get security group using physical Id
DescribeSecurityGroupsResponse response = GetSecurityGroup(ec2Client, secGroupRequest);
if (response == null)
{
//Set request to use Logical Id and Stack Name Tags
secGroupRequest.GroupIds.Clear();
List <Filter> f = new List <Filter>();
f.Add(new Filter {
Name = "tag:aws:cloudformation:logical-id", Values = new List <string>()
{
resource.LogicalResourceId
}
});
f.Add(new Filter {
Name = "tag:aws:cloudformation:stack-name", Values = new List <string>()
{
stackName
}
});
secGroupRequest.Filters = f;
//Attempt to get security group using logical Id
response = GetSecurityGroup(ec2Client, secGroupRequest);
}
if (response == null | response.SecurityGroups.Count == 0)
{
return;
}
foreach (SecurityGroup group in response.SecurityGroups)
{
EC2SecurityGroup sg = new EC2SecurityGroup();
sg.LogicalId = resource.LogicalResourceId;
if (log)
{
Utils.WriteToFile(logFile, "AWS SG: " + sg.LogicalId.ToString(), true);
}
sg.Type = "AWS::EC2::SecurityGroup";
sg.Properties.GroupDescription = group.Description;
sg.Properties.VpcId = group.VpcId;
foreach (IpPermission perms in group.IpPermissions)
{
for (int i = 0; i < perms.IpRanges.Count; i++)
{
EC2SecurityGroupIngress sgi = new EC2SecurityGroupIngress();
//FormatProtocol - Protocol could be a number or text (e.g. 6 or tcp)
sgi.IpProtocol = FormatProtocol(perms.IpProtocol);
//--------------------------------------------------------------------
//FormatPortRange - Port range could be 0-0 -1-1 0-65535
string from = "";
string to = "";
FormatPortRange(perms.FromPort.ToString(), perms.ToPort.ToString(), out from, out to);
sgi.FromPort = from;
sgi.ToPort = to;
//------------------------------------------------------
sgi.CidrIp = perms.IpRanges[i];
sg.Properties.SecurityGroupIngress.Add(sgi);
if (log)
{
Utils.WriteToFile(logFile, " Protocol: " + perms.IpProtocol + " | From: " + perms.FromPort.ToString() + " To: " + perms.ToPort.ToString(), true);
}
}
for (int i = 0; i < perms.UserIdGroupPairs.Count; i++)
{
EC2SecurityGroupIngress sgi = new EC2SecurityGroupIngress();
//FormatProtocol - Protocol could be a number or text (e.g. 6 or tcp)
sgi.IpProtocol = FormatProtocol(perms.IpProtocol);
//--------------------------------------------------------------------
//FormatPortRange - Port range could be 0-0 -1-1 0-65535
string from = "";
string to = "";
FormatPortRange(perms.FromPort.ToString(), perms.ToPort.ToString(), out from, out to);
sgi.FromPort = from;
sgi.ToPort = to;
//-------------------------------------------------------
sg.Properties.SecurityGroupIngress.Add(sgi);
string groupName;
if (secGroupMap.TryGetValue(perms.UserIdGroupPairs[i].GroupId, out groupName))
{
sgi.SourceSecurityGroupId = groupName;
}
else
{
sgi.SourceSecurityGroupId = perms.UserIdGroupPairs[i].GroupId;
}
if (log)
{
Utils.WriteToFile(logFile, " Protocol: " + perms.IpProtocol + " | From: " + perms.FromPort.ToString() + " To: " + perms.ToPort.ToString(), true);
}
}
}
stack.Resources.Add(sg);
}
}
// -----------------------------------------------------------------------
// Live Stack
public static void ProcessNetworkAclFromAWS(StackResourceSummary resource, CFStack stack, AmazonEC2Client ec2Client, string stackName)
{
DescribeNetworkAclsRequest naclRequest = new DescribeNetworkAclsRequest();
naclRequest.NetworkAclIds = new List <string> {
resource.PhysicalResourceId
};
DescribeNetworkAclsResponse response = ec2Client.DescribeNetworkAcls(naclRequest);
foreach (Amazon.EC2.Model.NetworkAcl nacl in response.NetworkAcls)
{
NetworkAcl n = new NetworkAcl();
n.LogicalId = resource.LogicalResourceId;
if (log)
{
Utils.WriteToFile(logFile, "AWS NACL: " + n.LogicalId.ToString(), true);
}
n.Type = "AWS::EC2::NetworkAcl";
n.Properties.VpcId = nacl.VpcId;
foreach (Amazon.EC2.Model.NetworkAclEntry e in nacl.Entries)
{
NetworkAclEntry ne = new NetworkAclEntry();
ne.RuleNumber = e.RuleNumber.ToString();
ne.CidrBlock = e.CidrBlock;
ne.Egress = e.Egress;
if (e.PortRange == null)
{
ne.FromPort = "ALL"; ne.ToPort = "ALL";
}
else
{
//FormatPortRange - Port range could be 0-0 -1-1 0-65535
string from = "";
string to = "";
FormatPortRange(e.PortRange.From.ToString(), e.PortRange.To.ToString(), out from, out to);
ne.FromPort = from;
ne.ToPort = to;
//------------------------------------------------------
}
//FormatProtocol - Protocol could be a number or text (e.g. 6 or tcp)
ne.Protocol = FormatProtocol(e.Protocol);
//-------------------------------------------------------------------
ne.RuleAction = e.RuleAction;
//ICMP not included.
n.Properties.NetworkAclEntry.Add(ne);
if (e.PortRange == null)
{
if (log)
{
Utils.WriteToFile(logFile, ne.RuleNumber + " Protocol: " + e.Protocol + " | From: " + "null" + " To: " + "null", true);
}
}
else
{
if (log)
{
Utils.WriteToFile(logFile, ne.RuleNumber + " Protocol: " + e.Protocol + " | From: " + e.PortRange.From.ToString() + " To: " + e.PortRange.To.ToString(), true);
}
}
}
stack.Resources.Add(n);
}
}