public static void AddIPAddressToSecurityGroup()
{
var ec2Client = new AmazonEC2Client();
//Create and Initialize IpPermission Object
var ipPermission = new IpPermission()
{
IpProtocol = "tcp",
FromPort = 3389, //RDP port
ToPort = 3389
};
ipPermission.IpRanges.Add(getExternalIp() + "/32");
//Create and initialize AuthorizeSecurityGroupIngress
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = ConfigurationManager.AppSettings["AWSSecurityGroupID"];
ingressRequest.IpPermissions.Add(ipPermission);
try
{
//Authorize Ingress
AuthorizeSecurityGroupIngressResponse ingressResponse =
ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
Console.WriteLine("IP address added to security group");
}
catch (Amazon.EC2.AmazonEC2Exception e)
{
Console.WriteLine("** IP Address already exists in the security group. **");
//Console.WriteLine("Error:" + e);
}
}
internal void AuthorizeSecurityGroupIngress(string securityGroupName)
{
try
{
AuthorizeSecurityGroupIngressRequest request = new AuthorizeSecurityGroupIngressRequest()
{
SecurityGroupName = securityGroupName,
Protocol = ProtocolType.Tcp.ToString(),
StartPort = 80,
EndPort = 80,
CidrList = new[] { "0.0.0.0/0" }.ToList()
};
_client.AuthorizeSecurityGroupIngress(request);
request = new AuthorizeSecurityGroupIngressRequest()
{
SecurityGroupName = "TestSecurityGroup",
Protocol = ProtocolType.Tcp.ToString(),
StartPort = 22,
EndPort = 22,
CidrList = new[] { "0.0.0.0/0" }.ToList()
};
_client.AuthorizeSecurityGroupIngress(request);
}
catch (Exception e)
{
WriteLog("Exception during AuthorizeSecurityGroupIngress {0}", e);
}
}
private void createSecurityGroup()
{
try
{
CreateSecurityGroupRequest requestSecurirtyGroup = new CreateSecurityGroupRequest();
requestSecurirtyGroup.GroupName = _securityGroups;
requestSecurirtyGroup.GroupDescription = jwSecurityGroupDescription;
CreateSecurityGroupResponse responseSecurityGroup = _service.CreateSecurityGroup(requestSecurirtyGroup);
AuthorizeSecurityGroupIngressRequest requestAuthz = new AuthorizeSecurityGroupIngressRequest();
requestAuthz.GroupName = _securityGroups;
requestAuthz.IpProtocol = "tcp";
requestAuthz.CidrIp = "0.0.0.0/0";
decimal[] ports = { 80, 443, 1443, 3389 };
foreach (decimal port in ports)
{
requestAuthz.FromPort = port;
requestAuthz.ToPort = port;
AuthorizeSecurityGroupIngressResponse responseAuthz = _service.AuthorizeSecurityGroupIngress(requestAuthz);
}
}
catch (AmazonEC2Exception ex)
{
throw new Exception("Caught Exception: " + ex.XML);
}
}
public void AddIngressPermission(IpPermission permission)
{
var request = new AuthorizeSecurityGroupIngressRequest
{
GroupId = GetSecurityGroup().GroupId,
IpPermissions = { permission }
};
try
{
client.AuthorizeSecurityGroupIngress(request);
}
catch (AmazonEC2Exception e)
{
// If the ingress rule already exists then don't complain. The
// user might have created it manually or they deleted their
// .last-config or .last-ip files.
if (e.ErrorCode.Equals("InvalidPermission.Duplicate"))
{
logger.Warn("Tried to create a duplicate ingress rule for group " + request.GroupId);
return;
}
throw;
}
}
public void SetSecurityGroupRules(string groupId, List <IpPermission> ipPermissions)
{
var request = new AuthorizeSecurityGroupIngressRequest
{
GroupId = groupId,
IpPermissions = ipPermissions
};
_ec2Client.AuthorizeSecurityGroupIngress(request);
}
private static void ManageSecurityGroups()
{
IAmazonEC2 ec2 = new Amazon.EC2.AmazonEC2Client();
var sgResponse = ec2.DescribeSecurityGroups();
string ipRange = "22.22.22.22/0";
List <string> ranges = new List <string>()
{
ipRange
};
var ipPermission = new IpPermission();
ipPermission.IpProtocol = "tcp";
ipPermission.FromPort = 3333;
ipPermission.ToPort = 3333;
ipPermission.IpRanges = ranges;
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.IpPermissions.Add(ipPermission);
var revokeRequest = new RevokeSecurityGroupIngressRequest();
revokeRequest.IpPermissions.Add(ipPermission);
foreach (var sg in sgResponse.SecurityGroups)
{
try
{
if (new Random().Next(2) == 1)
{
ingressRequest.GroupId = sg.GroupId;
var ingressResponse = ec2.AuthorizeSecurityGroupIngress(ingressRequest);
}
else
{
revokeRequest.GroupId = sg.GroupId;
ec2.RevokeSecurityGroupIngress(revokeRequest);
}
//Console.WriteLine("New RDP rule for: " + ipRange);
}
catch (AmazonEC2Exception ex)
{
// Check the ErrorCode to see if the rule already exists.
if ("InvalidPermission.Duplicate" == ex.ErrorCode)
{
//Console.WriteLine("An RDP rule for: {0} already exists.", ipRange);
}
else
{
// The exception was thrown for another reason, so re-throw the exception.
//throw;
}
}
}
}
static async Task Authorize(IAmazonEC2 ec2Client, IpPermission ipPermission, string securityGroupId)
{
logger.LogInformation("Authorize {}: {}", securityGroupId, IpPermissionToString(ipPermission));
var authorizeIngressRequest = new AuthorizeSecurityGroupIngressRequest();
authorizeIngressRequest.GroupId = securityGroupId;
authorizeIngressRequest.IpPermissions.Add(ipPermission);
var ingressResponse = await ec2Client.AuthorizeSecurityGroupIngressAsync(authorizeIngressRequest);
logger.LogDebug("Authorize response code {}", ingressResponse.HttpStatusCode);
}
public SecurityGroup CreateSecurityGroup()
{
//Setup a new security group
var newSGRequest = new CreateSecurityGroupRequest()
{
GroupName = Configuration.SecurityGroupName,
Description = Configuration.SecurityGroupDescription,
VpcId = Configuration.VpcId
};
var csgResponse = EC2Client.CreateSecurityGroup(newSGRequest);
Console.WriteLine("Created new security group: " + csgResponse.GroupId);
//Get the new security group
var newSgRequest = new DescribeSecurityGroupsRequest()
{
GroupIds = new[] { csgResponse.GroupId }.ToList()
};
var newSgResponse = EC2Client.DescribeSecurityGroups(newSgRequest);
var securityGroup = newSgResponse.SecurityGroups[0];
//Setup permissions for the security group
var ipRanges = Configuration.SecurityGroupIpRanges.Split(',').ToList();
var permissions = Configuration.SecurityGroupIpPermissions.Split(',');
var ipPermissions = permissions.Select(p =>
{
var protocol = p.Substring(0, 3);
var port = int.Parse(p.Substring(3));
return(new IpPermission()
{
IpProtocol = protocol,
FromPort = port,
ToPort = port,
IpRanges = ipRanges
});
});
//Set the permissions on the security group
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = securityGroup.GroupId;
ingressRequest.IpPermissions = ipPermissions.ToList();
var ingressResponse = EC2Client.AuthorizeSecurityGroupIngress(ingressRequest);
Console.WriteLine("Added permissions to security group: " + ingressResponse.HttpStatusCode);
return(securityGroup);
}
private async Task AddInboundRules(String groupId)
{
var request = new AuthorizeSecurityGroupIngressRequest
{
GroupId = groupId,
IpPermissions =
{
new IpPermission {
FromPort = -1, IpProtocol = "-1"
}
}
};
await _client.AuthorizeSecurityGroupIngressAsync(request);
}
private static string CreateSecurityGroup(IAmazonEC2 client, string vpcId, string groupName)
{
// Create a new empty group
var newSgRequest = new CreateSecurityGroupRequest()
{
GroupName = groupName,
Description = "Security group for AWS Talk",
VpcId = vpcId
};
// Get a handle to the newly created group
var newSgResponse = client.CreateSecurityGroup(newSgRequest);
var groups = new List <string>()
{
newSgResponse.GroupId
};
var createdSgRequest = new DescribeSecurityGroupsRequest()
{
GroupIds = groups
};
var createdSgResponse = client.DescribeSecurityGroups(createdSgRequest);
SecurityGroup theNewGroup = createdSgResponse.SecurityGroups[0];
// Add permissions to the group
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = theNewGroup.GroupId;
ingressRequest.IpPermissions.Add(new IpPermission()
{
IpProtocol = "tcp", FromPort = 3389, ToPort = 3389, IpRanges = new List <string>()
{
"0.0.0.0/0"
}
}); // RDP
ingressRequest.IpPermissions.Add(new IpPermission()
{
IpProtocol = "tcp", FromPort = 9999, ToPort = 9999, IpRanges = new List <string>()
{
"0.0.0.0/0"
}
}); // Worker API
client.AuthorizeSecurityGroupIngress(ingressRequest);
return(newSgResponse.GroupId);
}
SecurityGroup AddSGIPrermissions(IAmazonEC2 ec2, SecurityGroup SG)
{
string ipRange = "0.0.0.0/0";
List <string> ranges = new List <string>()
{
ipRange
};
var ipPermission1 = new IpPermission();
ipPermission1.IpProtocol = "tcp";
ipPermission1.FromPort = 22;
ipPermission1.ToPort = 22;
ipPermission1.IpRanges = ranges;
var ipPermission2 = new IpPermission();
ipPermission2.IpProtocol = "tcp";
ipPermission2.FromPort = 3389;
ipPermission2.ToPort = 3389;
ipPermission2.IpRanges = ranges;
// MessageBox.Show(SG.GroupId);
// foreach ( IpPermission ipper in SG.IpPermissions)
// {
// ipper.FromPort
//
// }
try
{
SG.IpPermissions.Add(ipPermission1);
SG.IpPermissions.Add(ipPermission2);
AuthorizeSecurityGroupIngressRequest authorizeSecurityGroupIngressRequest = new AuthorizeSecurityGroupIngressRequest();
authorizeSecurityGroupIngressRequest.GroupId = SG.GroupId;
//authorizeSecurityGroupIngressRequest.GroupName = MySG.GroupName;
authorizeSecurityGroupIngressRequest.IpPermissions.Add(ipPermission1);
authorizeSecurityGroupIngressRequest.IpPermissions.Add(ipPermission2);
ec2.AuthorizeSecurityGroupIngress(authorizeSecurityGroupIngressRequest);
}
catch (Exception ex)
{
}
return(SG);
}
public void AddRuleToEc2SecurityGroup(String ipRange = "1.1.1.1/1", String ipProtocol = "tcp", int fromPort = 3389, int toPort = 3389
, string secGroupName = DefaultSecurityGroup)
{
List <string> ranges = new List <string>()
{
ipRange
};
var ipPermission = new IpPermission();
ipPermission.IpProtocol = ipProtocol;
ipPermission.FromPort = fromPort;
ipPermission.ToPort = toPort;
ipPermission.IpRanges = ranges;
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = secGroupName;
ingressRequest.IpPermissions.Add(ipPermission);
var ingressResponse = ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
}
public async Task AuthorizeIngressAsync(IEnumerable <PortRangeDescription> portRanges)
{
if (portRanges.Count() == 0)
{
return;
}
this.Logger.Log("Allowing inbound access on {0}", string.Join(", ", portRanges));
var ingressRequest = new AuthorizeSecurityGroupIngressRequest()
{
GroupName = this.SecurityGroupName,
IpPermissions = portRanges.Select(x => new IpPermission()
{
IpProtocol = x.Proto,
FromPort = x.FromPort,
ToPort = x.ToPort,
IpRanges = new List <string>()
{
"0.0.0.0/0"
},
}).ToList(),
};
try
{
await this.Client.AuthorizeSecurityGroupIngressAsync(ingressRequest);
}
catch (AmazonEC2Exception e)
{
// Duplicate port settings are just fine
if (e.ErrorCode != "InvalidPermission.Duplicate")
{
throw;
}
}
this.Logger.Log("Inbound access authorised");
}
private static async Task GrantAccess(Permission permission, Region region)
{
//Specify a credentials
var aws = new AmazonEC2Client("", "", RegionEndpoint.EUWest1);
var batchCount = 0;
foreach (var ipRangeBatch in region.IpRange.Batch(50))
{
var securityGroupCreateRequest = new CreateSecurityGroupRequest
{
//Specify a VPC
VpcId = "",
GroupName = $"Azure {permission.Name} {batchCount}",
Description =
$"An auto generated security group to allow azure {region.Name} datacenters access to {permission.Name}"
};
var securityGroupCreateResponse = await aws.CreateSecurityGroupAsync(securityGroupCreateRequest);
var ingressRequest = new AuthorizeSecurityGroupIngressRequest
{
GroupId = securityGroupCreateResponse.GroupId,
IpPermissions = ipRangeBatch.Select(ip => new IpPermission
{
IpProtocol = permission.IpProtocol,
FromPort = permission.FromPort,
ToPort = permission.ToPort,
IpRanges = new List <string> {
ip.Subnet
}
}).ToList()
};
var ingressResponse = await aws.AuthorizeSecurityGroupIngressAsync(ingressRequest);
batchCount++;
}
}
public static async Task OpenInboundPort(AmazonEC2Client ec2Client, int port, string protocol, string securityGroupName)
{
var ipPermission = new IpPermission
{
FromPort = port,
ToPort = port,
IpProtocol = protocol,
Ipv4Ranges = new List <IpRange> {
new IpRange {
CidrIp = "0.0.0.0/0"
}
}
};
var ipPermissions = new List <IpPermission> {
ipPermission
};
var request = new AuthorizeSecurityGroupIngressRequest
{
GroupName = securityGroupName,
IpPermissions = ipPermissions
};
var response = await ec2Client.AuthorizeSecurityGroupIngressAsync(request);
}
public bool load_security_group_id()
{
write_log(region + " のセキュリティグループを確認しています。");
try
{
var client = get_client();
var query_req = new DescribeSecurityGroupsRequest();
query_req.Filters.Add(new Filter()
{
Name = "tag-value", Values = new List <string>()
{
Helper.build_name(setting_, "sg")
}
});
var query_res = client.DescribeSecurityGroups(query_req);
write_log("自 IPAddress を確認しています。");
string ipaddress = Helper.get_remote_ipaddress() + "/32";
if (query_res.SecurityGroups.Count != 0)
{
security_group_id = query_res.SecurityGroups[0].GroupId;
foreach (var row in query_res.SecurityGroups[0].IpPermissions)
{
foreach (var row2 in row.IpRanges)
{
if (row2.Equals(ipaddress))
{
write_log(region + " のセキュリティグループは " + security_group_id + " です");
return(true);
}
}
}
}
else
{
write_log(region + " にセキュリティグループを作成しています。");
var create_req = new CreateSecurityGroupRequest();
create_req.VpcId = vpc_id;
create_req.GroupName = "ingress_ssh-sg";
create_req.Description = "from specific ipaddress.";
var create_res = client.CreateSecurityGroup(create_req);
security_group_id = create_res.GroupId;
set_name_tag(client, security_group_id, Helper.build_name(setting_, "sg"));
write_log("セキュリティグループ " + security_group_id + " を作成しました。");
}
write_log("セキュリティグループ " + security_group_id + " に " + ipaddress + " を関連付けます。");
IpPermission ipPermission_22 = new IpPermission();
ipPermission_22.ToPort = 22;
ipPermission_22.FromPort = 22;
ipPermission_22.IpProtocol = "6";
ipPermission_22.IpRanges.Add(ipaddress);
IpPermission ipPermission_53556 = new IpPermission();
ipPermission_53556.ToPort = 53556;
ipPermission_53556.FromPort = 53556;
ipPermission_53556.IpProtocol = "6";
ipPermission_53556.IpRanges.Add(ipaddress);
var authorize_req = new AuthorizeSecurityGroupIngressRequest();
authorize_req.GroupId = security_group_id;
authorize_req.IpPermissions = new List <IpPermission>()
{
ipPermission_22, ipPermission_53556
};
client.AuthorizeSecurityGroupIngress(authorize_req);
set_name_tag(client, security_group_id, Helper.build_name(setting_, "sg"));
write_log("セキュリティグループ " + security_group_id + " を作成しました。");
}
catch (Exception ex)
{
write_log("ERROR: " + ex.ToString());
return(false);
}
return(true);
}
/// <summary>
/// Authorize Security Group Ingress
/// </summary>
/// <param name="request">Authorize Security Group Ingress request</param>
/// <returns>Authorize Security Group Ingress Response from the service</returns>
/// <remarks>
/// The AuthorizeSecurityGroupIngress operation adds permissions to a security
/// group.
/// Permissions are specified by the IP protocol (TCP, UDP or ICMP), the source of
/// the request (by IP range or an Amazon EC2 user-group pair), the source and
/// destination port ranges (for TCP and UDP), and the ICMP codes and types (for
/// ICMP). When authorizing ICMP, -1 can be used as a wildcard in the type and code
/// fields.
/// Permission changes are propagated to instances within the security group as
/// quickly as possible. However, depending on the number of instances, a small
/// delay might occur.
/// When authorizing a user/group pair permission, GroupName,
/// SourceSecurityGroupName and SourceSecurityGroupOwnerId must be specified. When
/// authorizing a CIDR IP permission, GroupName, IpProtocol, FromPort, ToPort and
/// CidrIp must be specified. Mixing these two types of parameters is not allowed.
///
/// </remarks>
public AuthorizeSecurityGroupIngressResponse AuthorizeSecurityGroupIngress(AuthorizeSecurityGroupIngressRequest request)
{
return(Invoke <AuthorizeSecurityGroupIngressResponse>("AuthorizeSecurityGroupIngressResponse.xml"));
}
/// <summary>
/// Authorize ingress to a security group
/// </summary>
/// <param name="request">The request object</param>
public SecurityGroupResponse AuthorizeSecurityGroupIngress(AuthorizeSecurityGroupIngressRequest request)
{
XContainer response = AsyncSupport.RunAsyncJob(this, request);
return DeserialiseResponse<SecurityGroupResponse>(response, request.Command);
}
//[Obsolete]
public async Task <string> CreateEC2InstanceAsync(int serverType = 0)
{
string secGroupName = "myec2";
string instanceID = "";
if (serverType == (int)AWSConstants.server_types.EC2)
{
//Step 1:- check for the security Groups
var isSGExists = await IsSecurityGroupsExistsAsync(secGroupName);
//Step 2:- Create Security Groups
if (!isSGExists)
{
SecurityGroup securityGroup = CreateSecurityGroupAsync(secGroupName).Result;
string ipRange = "0.0.0.0/0";
List <string> ranges = new List <string>
{
ipRange
};
//Step 3:- Attach the IP Permissions
IpPermission ipPermission = new IpPermission()
{
IpProtocol = "All traffic",
FromPort = 0,
ToPort = 65535,
IpRanges = ranges
};
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = securityGroup.GroupId;
ingressRequest.IpPermissions.Add(ipPermission);
var ingressResponse = amazonEC2Client.AuthorizeSecurityGroupIngressAsync(ingressRequest);
//Step 4:- Create Key Pairs (.pem file)
string keyPairName = CreateKeyPair();
//Step 5:- Create Launch Request Object
string amiID = "ami-0b6158cfa2ae7b493";
List <string> groups = new List <string>()
{
securityGroup.GroupId
};
var launchRequest = new RunInstancesRequest()
{
ImageId = amiID,
InstanceType = "t2.micro",
MinCount = 1,
MaxCount = 1,
KeyName = keyPairName,
SecurityGroupIds = groups
};
var launchResponse = await amazonEC2Client.RunInstancesAsync(launchRequest);
var instances = launchResponse.Reservation.Instances;
var instanceIds = new List <string>();
foreach (Instance item in instances)
{
instanceIds.Add(item.InstanceId);
Console.WriteLine();
Console.WriteLine("New instance: " + item.InstanceId);
Console.WriteLine("Instance state: " + item.State.Name);
}
//Step 6:- Describe Instances to know the status of the instances
var instanceRequest = new DescribeInstancesRequest
{
InstanceIds = new List <string>
{
instanceIds[0]
}
};
while (true)
{
var response = await amazonEC2Client.DescribeInstancesAsync(instanceRequest);
if (response.Reservations[0].Instances[0].State.Name == InstanceStateName.Running)
{
instanceID = response.Reservations[0].Instances[0].PublicDnsName + "With the status of " + InstanceStateName.Running;
break;
}
}
}
}
return(instanceID);
}
/// <summary>
/// Run a single item
/// </summary>
/// <param name="item">The item to run</param>
public void RunItem(EC2SecurityGroupEntry item)
{
AmazonEC2Client ec2Client =
new AmazonEC2Client(
Config.BaseSettings.AWSAccessKeyID,
Config.BaseSettings.AWSSecretAccessKey,
new AmazonEC2Config
{
RegionEndpoint = RegionEndpoint
});
//1) Revoke Old entries/permissions
if (IpState.HasOldIP && IpState.Changed)
{
bool oldIpStillInUse =
MultiClientState?
.Clients?
.Where(mcei => mcei.IP == IpState.OldIP)
.Any()
??
false;
if (!oldIpStillInUse)
{
RevokeSecurityGroupIngressRequest revokeRequest =
new RevokeSecurityGroupIngressRequest
{
GroupId = item.GroupId,
IpPermissions =
new List <IpPermission>
{
new IpPermission
{
IpProtocol = item.IpProtocol,
FromPort = item.PortRange.FromPort,
ToPort = item.PortRange.ToPort,
Ipv4Ranges =
new List <IpRange>
{
new IpRange
{
CidrIp = IpState.NewIPRange
}
}
}
}
};
RevokeSecurityGroupIngressResponse revokeResponse = null;
try
{
revokeResponse =
ec2Client
.RevokeSecurityGroupIngressAsync(revokeRequest)
.GetAwaiter()
.GetResult();
//Output
Output($"EC2SG: Revoked Security Group Rule: {item} for Old IP: {IpState.OldIP}");
}
catch (Exception ex)
{
//In this case we do nothing.
//The old rule was not removed for whatever reason, but we choose to do nothing here
//so that the new rules continue to be added.
Output($"EC2SG: [ACTION REQUIRED] An exception was thrown while trying to revoke Security Group Rule: {item} for Old IP: {IpState.OldIP}\nRule was likely not revoked.\nException was: {ex}");
}
}
}
//2) Insert new entries/permissions
AuthorizeSecurityGroupIngressRequest authorizeRequest =
new AuthorizeSecurityGroupIngressRequest
{
GroupId = item.GroupId,
IpPermissions =
new List <IpPermission>
{
new IpPermission
{
IpProtocol = "tcp",
FromPort = item.PortRange.FromPort,
ToPort = item.PortRange.ToPort,
Ipv4Ranges =
new List <IpRange>
{
new IpRange
{
CidrIp = IpState.NewIPRange
}
}
}
}
};
AuthorizeSecurityGroupIngressResponse authorizeResponse = null;
try
{
//Output
Output($"EC2SG: START : Adding Security Group Rule: {item} for New IP: {IpState.NewIP}");
//Send
authorizeResponse =
ec2Client
.AuthorizeSecurityGroupIngressAsync(authorizeRequest)
.GetAwaiter()
.GetResult();
}
catch (AmazonEC2Exception ex)
{
//Diagnostics
Debug.WriteLine($"{DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.fff")}: EXCEPTION: \n" + ex.ToString());
//Handle
if (string.Equals(ex.ErrorCode, "InvalidPermission.Duplicate", StringComparison.InvariantCultureIgnoreCase))
{
//Apparently it is already there, and we're perfectly happy with that
Output($"EC2SG: ERROR : The entry: {item} for New IP: {IpState.NewIP} was already present. No entry was added.");
}
else
{
//Don't really know quite exactly what went wrong :-|
Output($"EC2SG: ERROR : While adding the entry: {item} for New IP: {IpState.NewIP} an exception was thrown. Error Code: {ex.ErrorCode}, Message: {ex.Message}");
}
}
catch (Exception ex)
{
//Diagnostics
Debug.WriteLine($"{DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.fff")}: EXCEPTION: \n" + ex.ToString());
//Throw
throw new ApplicationException("EC2SG: An unknown exception was thrown while trying to update AWS EC2 Security Group", ex);
}
finally
{
//Output
Output($"EC2SG: COMPLETE: Finished adding Security Group Rule: {item} for New IP: {IpState.NewIP}");
}
}
// enumerate VPC security group and create a security group for EC2-VPC
public void create_lunch_checkstatus_for_istance()
{
//Create an Amazon EC2 Client Using the the SDK
var ec2Client = new AmazonEC2Client();
// enumerate VPC security group
string secGroupName = "my-sample-sg-vpc";
SecurityGroup mySG = null;
string vpcID = "vpc-7cdc5904";
Amazon.EC2.Model.Filter vpcFilter = new Amazon.EC2.Model.Filter
{
Name = "vpc-id",
Values = new List <string>()
{
vpcID
}
};
var dsgRequest = new DescribeSecurityGroupsRequest();
dsgRequest.Filters.Add(vpcFilter);
var dsgResponse = ec2Client.DescribeSecurityGroups(dsgRequest);
List <SecurityGroup> mySGs = dsgResponse.SecurityGroups;
foreach (SecurityGroup item in mySGs)
{
Console.WriteLine("Existing security group: " + item.GroupId);
if (item.GroupName == secGroupName)
{
mySG = item;
}
}
//create a security group for EC2-VPC
if (mySG == null)
{
var newSGRequest = new CreateSecurityGroupRequest()
{
GroupName = secGroupName,
Description = "My sample security group for EC2-VPC",
VpcId = vpcID
};
var csgResponse = ec2Client.CreateSecurityGroup(newSGRequest);
Console.WriteLine();
Console.WriteLine("New security group: " + csgResponse.GroupId);
List <string> Groups = new List <string>()
{
csgResponse.GroupId
};
var newSgRequest = new DescribeSecurityGroupsRequest()
{
GroupIds = Groups
};
var newSgResponse = ec2Client.DescribeSecurityGroups(newSgRequest);
mySG = newSgResponse.SecurityGroups[0];
}
//Create and initialize an IpPermission object.
//iprange = the IP addresses of your local machine
string ipRange = "0.0.0.0/0";
List <string> ranges = new List <string>()
{
ipRange
};
var ipPermission = new IpPermission()
{
IpProtocol = "tcp",
//The beginning and end of the port range. This example specifies a single port, 3389, which is used to communicate with Windows over RDP.
//it should be changed if u launch a linux instance (use 22 insted )
FromPort = 3389,
ToPort = 3389,
IpRanges = ranges
};
//Create and initialize an AuthorizeSecurityGroupIngressRequest object.
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = mySG.GroupId;
ingressRequest.IpPermissions.Add(ipPermission);
//Pass the request object to the AuthorizeSecurityGroupIngress method, which returns an AuthorizeSecurityGroupIngressResponse object.
var ingressResponse = ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
Console.WriteLine("New RDP rule for: " + ipRange);
//Create and initialize a network interface.for lunch enstance
string subnetID = "subnet-048d6c59";
List <string> groups = new List <string>()
{
mySG.GroupId
};
var eni = new InstanceNetworkInterfaceSpecification()
{
DeviceIndex = 0,
SubnetId = subnetID,
Groups = groups,
AssociatePublicIpAddress = true
};
List <InstanceNetworkInterfaceSpecification> enis = new List <InstanceNetworkInterfaceSpecification>()
{
eni
};
string amiID = "ami-06a0d33fc8d328de0";
string keyPairName = "my-sample-key";
var launchRequest = new RunInstancesRequest()
{
ImageId = amiID,
InstanceType = "m3.large",
MinCount = 1,
MaxCount = 1,
KeyName = keyPairName,
NetworkInterfaces = enis
};
//launch
RunInstancesResponse launchResponse = ec2Client.RunInstances(launchRequest);
List <String> instanceIds = new List <string>();
foreach (Instance instance in launchResponse.Reservation.Instances)
{
Console.WriteLine(instance.InstanceId);
instanceIds.Add(instance.InstanceId);
}
//check the status of the enstance
var instanceRequest = new DescribeInstancesRequest();
instanceRequest.InstanceIds = new List <string>();
instanceRequest.InstanceIds.AddRange(instanceIds);
var response = ec2Client.DescribeInstances(instanceRequest);
Console.WriteLine(response.Reservations[0].Instances[0].State.Name);
}
private void create_security_group_rule(string key, string secret, Amazon.RegionEndpoint region, string security_group, string serverports, string ipEnpoint = "")
{
HttpStatusCode ret = HttpStatusCode.OK;
string ip = "0.0.0.0";
MailAddress fromMailer = null;
MailAddress toMailer = null;
string mailhost = "";
int mailport = 0;
bool mailssl = false;
string mailuser = "";
string mailpass = "";
bool loadConfig = true;
string partialmsg = "";
if (ipEnpoint != string.Empty)
{
ip = get_external_ip(ipEnpoint);
}
if (loadConfig)
{
try
{
fromMailer = new MailAddress(ConfigurationManager.AppSettings["MAIL-FROM"].ToString());
toMailer = new MailAddress(ConfigurationManager.AppSettings["MAIL-TO"].ToString());
mailhost = ConfigurationManager.AppSettings["MAIL-HOST"].ToString();
mailport = int.Parse(ConfigurationManager.AppSettings["MAIL-PORT"].ToString());
mailssl = bool.Parse(ConfigurationManager.AppSettings["MAIL-SSL"].ToString());
mailuser = ConfigurationManager.AppSettings["MAIL-USER"].ToString();
mailpass = ConfigurationManager.AppSettings["MAIL-PASS"].ToString();
ipEnpoint = ConfigurationManager.AppSettings["IP-ENDPOINT"].ToString();
ip = get_external_ip(ipEnpoint);
}
catch { loadConfig = false; }
}
if (ip != "")
{
try
{
AmazonEC2Client ec2Client = null;
AWSCredentials credentials = new Amazon.Runtime.BasicAWSCredentials(key, secret);
ec2Client = new AmazonEC2Client(credentials, region);
IpRange ipRange = new IpRange
{
CidrIp = ip + "/32",
Description = "Rule created by aws-security-group-access-rule at " + DateTime.Now.ToString()
};
var ingressRequest = new AuthorizeSecurityGroupIngressRequest
{
GroupId = security_group
};
var listaPortas = serverports.Split(',');
foreach (var item in listaPortas)
{
var ipPermission = new IpPermission
{
IpProtocol = "tcp",
FromPort = Int16.Parse(item),
ToPort = Int16.Parse(item)
};
ipPermission.Ipv4Ranges.Add(ipRange);
ingressRequest.IpPermissions.Add(ipPermission);
}
var ingressResponse = ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
partialmsg += "[AWS Response :: " + ingressResponse.HttpStatusCode.ToString() + "]";
ret = ingressResponse.HttpStatusCode;
#region Debug Section
/*
* switch (ingressResponse.HttpStatusCode)
* {
* case HttpStatusCode.Continue: partialmsg += ""; break;
* case HttpStatusCode.SwitchingProtocols: partialmsg += ""; break;
* case HttpStatusCode.OK: partialmsg += ""; break;
* case HttpStatusCode.Created: partialmsg += ""; break;
* case HttpStatusCode.Accepted: partialmsg += ""; break;
* case HttpStatusCode.NonAuthoritativeInformation: partialmsg += ""; break;
* case HttpStatusCode.NoContent: partialmsg += ""; break;
* case HttpStatusCode.ResetContent: partialmsg += ""; break;
* case HttpStatusCode.PartialContent: partialmsg += ""; break;
* case HttpStatusCode.MultipleChoices: partialmsg += ""; break;
* case HttpStatusCode.MovedPermanently: partialmsg += ""; break;
* case HttpStatusCode.Found: partialmsg += ""; break;
* case HttpStatusCode.SeeOther: partialmsg += ""; break;
* case HttpStatusCode.NotModified: partialmsg += ""; break;
* case HttpStatusCode.UseProxy: partialmsg += ""; break;
* case HttpStatusCode.Unused: partialmsg += ""; break;
* case HttpStatusCode.TemporaryRedirect: partialmsg += ""; break;
* case HttpStatusCode.BadRequest: partialmsg += ""; break;
* case HttpStatusCode.Unauthorized: partialmsg += ""; break;
* case HttpStatusCode.PaymentRequired: partialmsg += ""; break;
* case HttpStatusCode.Forbidden: partialmsg += ""; break;
* case HttpStatusCode.NotFound: partialmsg += ""; break;
* case HttpStatusCode.MethodNotAllowed: partialmsg += ""; break;
* case HttpStatusCode.NotAcceptable: partialmsg += ""; break;
* case HttpStatusCode.ProxyAuthenticationRequired: partialmsg += ""; break;
* case HttpStatusCode.RequestTimeout: partialmsg += ""; break;
* case HttpStatusCode.Conflict: partialmsg += ""; break;
* case HttpStatusCode.Gone: partialmsg += ""; break;
* case HttpStatusCode.LengthRequired: partialmsg += ""; break;
* case HttpStatusCode.PreconditionFailed: partialmsg += ""; break;
* case HttpStatusCode.RequestEntityTooLarge: partialmsg += ""; break;
* case HttpStatusCode.RequestUriTooLong: partialmsg += ""; break;
* case HttpStatusCode.UnsupportedMediaType: partialmsg += ""; break;
* case HttpStatusCode.RequestedRangeNotSatisfiable: partialmsg += ""; break;
* case HttpStatusCode.ExpectationFailed: partialmsg += ""; break;
* case HttpStatusCode.UpgradeRequired: partialmsg += ""; break;
* case HttpStatusCode.InternalServerError: partialmsg += ""; break;
* case HttpStatusCode.NotImplemented: partialmsg += ""; break;
* case HttpStatusCode.BadGateway: partialmsg += ""; break;
* case HttpStatusCode.ServiceUnavailable: partialmsg += ""; break;
* case HttpStatusCode.GatewayTimeout: partialmsg += ""; break;
* case HttpStatusCode.HttpVersionNotSupported: partialmsg += ""; break;
* }
*/
#endregion
}
catch (AmazonEC2Exception ex)
{
ret = ex.StatusCode;
partialmsg += "[ERROR-CODE " + ex.ErrorCode + "] " + ex.Message + "<BR>";
}
finally
{
if (loadConfig)
{
sendEmail(mailhost, mailport, mailssl, mailuser, mailpass, fromMailer, toMailer,
"[aws-security-group-access-rule]" + ret.ToString(),
string.Format("Access granted to ports {1} by IP {0}",
ip, serverports)
);
}
}
}
void sendEmail(string hostname, int port, bool ssl, string user, string pass, MailAddress fromMail, MailAddress toMail, string subject, string message, bool ishtml = false)
{
MailMessage msg = new MailMessage
{
Subject = subject,
Body = message,
IsBodyHtml = ishtml,
Priority = MailPriority.High,
From = fromMail
};
msg.To.Add(toMail);
SmtpClient mailClient = new SmtpClient
{
Host = hostname,
Port = port,
UseDefaultCredentials = false,
Credentials = new NetworkCredential(user, pass),
EnableSsl = ssl
};
mailClient.Send(msg);
}
}
public async Task <IActionResult> Post(IpModel model)
{
if (model == null)
{
return(BadRequest(new { Success = false, Message = "Invalid model." }));
}
if (!Request.Headers.ContainsKey("Api-Secret"))
{
return(BadRequest(new { success = false, message = "Missing Secret header" }));
}
var values = Request.Headers["Api-Secret"];
var apiSecret = Environment.GetEnvironmentVariable("AWSHELPER_API_SECRET");
if (values.FirstOrDefault(x => x == apiSecret) == null)
{
return(Unauthorized(new { success = false, message = "Invalid secret header" }));
}
if (string.IsNullOrEmpty(model.Name) || string.IsNullOrWhiteSpace(model.Name))
{
return(BadRequest(new { Success = false, Message = "Invalid name" }));
}
var namePrefix = Environment.GetEnvironmentVariable("AWSHELPER_NAME_PREFIX");
var groupId = Environment.GetEnvironmentVariable("AWSHELPER_GROUP_ID");
var accessId = Environment.GetEnvironmentVariable("AWSHELPER_ACCESS_ID");
var accessSecret = Environment.GetEnvironmentVariable("AWSHELPER_ACCESS_SECRET");
var endpoint = RegionEndpoint.GetBySystemName(Environment.GetEnvironmentVariable("AWSHELPER_REGION"));
var client = new AmazonEC2Client(accessId, accessSecret, endpoint);
var req = new DescribeSecurityGroupsRequest();
req.GroupIds.Add(groupId);
var request = new UpdateSecurityGroupRuleDescriptionsIngressRequest
{
GroupId = groupId
};
try
{
var secGroupRequest = new DescribeSecurityGroupsRequest();
secGroupRequest.GroupIds.Add(groupId);
var get = await client.DescribeSecurityGroupsAsync(secGroupRequest);
var securityGroup = get.SecurityGroups.FirstOrDefault();
if (securityGroup == null)
{
return(BadRequest(new { Success = false, Message = "Security group not found." }));
}
var description = $"{namePrefix}{model.Name}";
var ipRangeListRemoved = new List <IpRange>();
var ipRangeListAdded = new List <IpRange>();
foreach (var permission in securityGroup.IpPermissions)
{
foreach (var ipRange in permission.Ipv4Ranges)
{
if (description.Equals(ipRange.Description) && permission.ToPort == model.Port)
{
ipRangeListRemoved.Add(ipRange);
}
}
permission.Ipv4Ranges.RemoveAll(x => ipRangeListRemoved.Contains(x));
}
if (ipRangeListRemoved.Any())
{
var revokeRequest = new RevokeSecurityGroupIngressRequest();
revokeRequest.GroupId = groupId;
revokeRequest.IpPermissions.Add(new IpPermission
{
FromPort = model.Port,
IpProtocol = model.Protocol,
ToPort = model.Port,
Ipv4Ranges = new List <IpRange>(ipRangeListRemoved)
});
await client.RevokeSecurityGroupIngressAsync(revokeRequest);
}
var authorizeRequest = new AuthorizeSecurityGroupIngressRequest();
authorizeRequest.GroupId = groupId;
var authorizeIpRange = new IpRange
{
CidrIp = $"{model.Ip}/32",
Description = description
};
authorizeRequest.IpPermissions.Add(new IpPermission
{
FromPort = model.Port,
IpProtocol = model.Protocol,
ToPort = model.Port,
Ipv4Ranges = new List <IpRange> {
authorizeIpRange
}
});
var authorizeResult = await client.AuthorizeSecurityGroupIngressAsync(authorizeRequest);
return(Ok(new
{
Success = true,
Message = "Action completed."
}));
}
catch (Exception ex)
{
return(BadRequest(new { Success = false, Message = ex.Message }));
}
}
internal void AuthorizeSecurityGroupIngress(string securityGroupName)
{
try
{
AuthorizeSecurityGroupIngressRequest request = new AuthorizeSecurityGroupIngressRequest()
{
SecurityGroupName = securityGroupName,
Protocol = ProtocolType.Tcp.ToString(),
StartPort = 80,
EndPort = 80,
CidrList = new[] { "0.0.0.0/0" }.ToList()
};
_client.AuthorizeSecurityGroupIngress(request);
request = new AuthorizeSecurityGroupIngressRequest()
{
SecurityGroupName = "TestSecurityGroup",
Protocol = ProtocolType.Tcp.ToString(),
StartPort = 22,
EndPort = 22,
CidrList = new[] { "0.0.0.0/0" }.ToList()
};
_client.AuthorizeSecurityGroupIngress(request);
}
catch (Exception e)
{
WriteLog("Exception during AuthorizeSecurityGroupIngress {0}", e);
}
}
internal void AuthorizeSecurityGroupIngress(string securityGroupName)
{
try
{
Client session = new Client(serviceUri, apiKey, secretKey);
AuthorizeSecurityGroupIngressRequest request = new AuthorizeSecurityGroupIngressRequest()
{
SecurityGroupName = securityGroupName,
Protocol = ProtocolType.tcp,
StartPort = 80,
EndPort = 80,
CidrList = "0.0.0.0/0"
};
session.AuthorizeSecurityGroupIngress(request);
request = new AuthorizeSecurityGroupIngressRequest()
{
SecurityGroupName = "TestSecurityGroup",
Protocol = ProtocolType.tcp,
StartPort = 22,
EndPort = 22,
CidrList = "0.0.0.0/0"
};
session.AuthorizeSecurityGroupIngress(request);
}
catch (Exception e)
{
WriteLog("Exception during AuthorizeSecurityGroupIngress {0}", e);
}
}
