private static async Task GrantAccess(Permission permission, Region region) { //Specify a credentials var aws = new AmazonEC2Client("", "", RegionEndpoint.EUWest1); var batchCount = 0; foreach (var ipRangeBatch in region.IpRange.Batch(50)) { var securityGroupCreateRequest = new CreateSecurityGroupRequest { //Specify a VPC VpcId = "", GroupName = $"Azure {permission.Name} {batchCount}", Description = $"An auto generated security group to allow azure {region.Name} datacenters access to {permission.Name}" }; var securityGroupCreateResponse = await aws.CreateSecurityGroupAsync(securityGroupCreateRequest); var ingressRequest = new AuthorizeSecurityGroupIngressRequest { GroupId = securityGroupCreateResponse.GroupId, IpPermissions = ipRangeBatch.Select(ip => new IpPermission { IpProtocol = permission.IpProtocol, FromPort = permission.FromPort, ToPort = permission.ToPort, IpRanges = new List <string> { ip.Subnet } }).ToList() }; var ingressResponse = await aws.AuthorizeSecurityGroupIngressAsync(ingressRequest); batchCount++; } }
public static async Task OpenInboundPort(AmazonEC2Client ec2Client, int port, string protocol, string securityGroupName) { var ipPermission = new IpPermission { FromPort = port, ToPort = port, IpProtocol = protocol, Ipv4Ranges = new List <IpRange> { new IpRange { CidrIp = "0.0.0.0/0" } } }; var ipPermissions = new List <IpPermission> { ipPermission }; var request = new AuthorizeSecurityGroupIngressRequest { GroupName = securityGroupName, IpPermissions = ipPermissions }; var response = await ec2Client.AuthorizeSecurityGroupIngressAsync(request); }
//[Obsolete] public async Task <string> CreateEC2InstanceAsync(int serverType = 0) { string secGroupName = "myec2"; string instanceID = ""; if (serverType == (int)AWSConstants.server_types.EC2) { //Step 1:- check for the security Groups var isSGExists = await IsSecurityGroupsExistsAsync(secGroupName); //Step 2:- Create Security Groups if (!isSGExists) { SecurityGroup securityGroup = CreateSecurityGroupAsync(secGroupName).Result; string ipRange = "0.0.0.0/0"; List <string> ranges = new List <string> { ipRange }; //Step 3:- Attach the IP Permissions IpPermission ipPermission = new IpPermission() { IpProtocol = "All traffic", FromPort = 0, ToPort = 65535, IpRanges = ranges }; var ingressRequest = new AuthorizeSecurityGroupIngressRequest(); ingressRequest.GroupId = securityGroup.GroupId; ingressRequest.IpPermissions.Add(ipPermission); var ingressResponse = amazonEC2Client.AuthorizeSecurityGroupIngressAsync(ingressRequest); //Step 4:- Create Key Pairs (.pem file) string keyPairName = CreateKeyPair(); //Step 5:- Create Launch Request Object string amiID = "ami-0b6158cfa2ae7b493"; List <string> groups = new List <string>() { securityGroup.GroupId }; var launchRequest = new RunInstancesRequest() { ImageId = amiID, InstanceType = "t2.micro", MinCount = 1, MaxCount = 1, KeyName = keyPairName, SecurityGroupIds = groups }; var launchResponse = await amazonEC2Client.RunInstancesAsync(launchRequest); var instances = launchResponse.Reservation.Instances; var instanceIds = new List <string>(); foreach (Instance item in instances) { instanceIds.Add(item.InstanceId); Console.WriteLine(); Console.WriteLine("New instance: " + item.InstanceId); Console.WriteLine("Instance state: " + item.State.Name); } //Step 6:- Describe Instances to know the status of the instances var instanceRequest = new DescribeInstancesRequest { InstanceIds = new List <string> { instanceIds[0] } }; while (true) { var response = await amazonEC2Client.DescribeInstancesAsync(instanceRequest); if (response.Reservations[0].Instances[0].State.Name == InstanceStateName.Running) { instanceID = response.Reservations[0].Instances[0].PublicDnsName + "With the status of " + InstanceStateName.Running; break; } } } } return(instanceID); }
/// <summary> /// Run a single item /// </summary> /// <param name="item">The item to run</param> public void RunItem(EC2SecurityGroupEntry item) { AmazonEC2Client ec2Client = new AmazonEC2Client( Config.BaseSettings.AWSAccessKeyID, Config.BaseSettings.AWSSecretAccessKey, new AmazonEC2Config { RegionEndpoint = RegionEndpoint }); //1) Revoke Old entries/permissions if (IpState.HasOldIP && IpState.Changed) { bool oldIpStillInUse = MultiClientState? .Clients? .Where(mcei => mcei.IP == IpState.OldIP) .Any() ?? false; if (!oldIpStillInUse) { RevokeSecurityGroupIngressRequest revokeRequest = new RevokeSecurityGroupIngressRequest { GroupId = item.GroupId, IpPermissions = new List <IpPermission> { new IpPermission { IpProtocol = item.IpProtocol, FromPort = item.PortRange.FromPort, ToPort = item.PortRange.ToPort, Ipv4Ranges = new List <IpRange> { new IpRange { CidrIp = IpState.NewIPRange } } } } }; RevokeSecurityGroupIngressResponse revokeResponse = null; try { revokeResponse = ec2Client .RevokeSecurityGroupIngressAsync(revokeRequest) .GetAwaiter() .GetResult(); //Output Output($"EC2SG: Revoked Security Group Rule: {item} for Old IP: {IpState.OldIP}"); } catch (Exception ex) { //In this case we do nothing. //The old rule was not removed for whatever reason, but we choose to do nothing here //so that the new rules continue to be added. Output($"EC2SG: [ACTION REQUIRED] An exception was thrown while trying to revoke Security Group Rule: {item} for Old IP: {IpState.OldIP}\nRule was likely not revoked.\nException was: {ex}"); } } } //2) Insert new entries/permissions AuthorizeSecurityGroupIngressRequest authorizeRequest = new AuthorizeSecurityGroupIngressRequest { GroupId = item.GroupId, IpPermissions = new List <IpPermission> { new IpPermission { IpProtocol = "tcp", FromPort = item.PortRange.FromPort, ToPort = item.PortRange.ToPort, Ipv4Ranges = new List <IpRange> { new IpRange { CidrIp = IpState.NewIPRange } } } } }; AuthorizeSecurityGroupIngressResponse authorizeResponse = null; try { //Output Output($"EC2SG: START : Adding Security Group Rule: {item} for New IP: {IpState.NewIP}"); //Send authorizeResponse = ec2Client .AuthorizeSecurityGroupIngressAsync(authorizeRequest) .GetAwaiter() .GetResult(); } catch (AmazonEC2Exception ex) { //Diagnostics Debug.WriteLine($"{DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.fff")}: EXCEPTION: \n" + ex.ToString()); //Handle if (string.Equals(ex.ErrorCode, "InvalidPermission.Duplicate", StringComparison.InvariantCultureIgnoreCase)) { //Apparently it is already there, and we're perfectly happy with that Output($"EC2SG: ERROR : The entry: {item} for New IP: {IpState.NewIP} was already present. No entry was added."); } else { //Don't really know quite exactly what went wrong :-| Output($"EC2SG: ERROR : While adding the entry: {item} for New IP: {IpState.NewIP} an exception was thrown. Error Code: {ex.ErrorCode}, Message: {ex.Message}"); } } catch (Exception ex) { //Diagnostics Debug.WriteLine($"{DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.fff")}: EXCEPTION: \n" + ex.ToString()); //Throw throw new ApplicationException("EC2SG: An unknown exception was thrown while trying to update AWS EC2 Security Group", ex); } finally { //Output Output($"EC2SG: COMPLETE: Finished adding Security Group Rule: {item} for New IP: {IpState.NewIP}"); } }
public async Task <IActionResult> Post(IpModel model) { if (model == null) { return(BadRequest(new { Success = false, Message = "Invalid model." })); } if (!Request.Headers.ContainsKey("Api-Secret")) { return(BadRequest(new { success = false, message = "Missing Secret header" })); } var values = Request.Headers["Api-Secret"]; var apiSecret = Environment.GetEnvironmentVariable("AWSHELPER_API_SECRET"); if (values.FirstOrDefault(x => x == apiSecret) == null) { return(Unauthorized(new { success = false, message = "Invalid secret header" })); } if (string.IsNullOrEmpty(model.Name) || string.IsNullOrWhiteSpace(model.Name)) { return(BadRequest(new { Success = false, Message = "Invalid name" })); } var namePrefix = Environment.GetEnvironmentVariable("AWSHELPER_NAME_PREFIX"); var groupId = Environment.GetEnvironmentVariable("AWSHELPER_GROUP_ID"); var accessId = Environment.GetEnvironmentVariable("AWSHELPER_ACCESS_ID"); var accessSecret = Environment.GetEnvironmentVariable("AWSHELPER_ACCESS_SECRET"); var endpoint = RegionEndpoint.GetBySystemName(Environment.GetEnvironmentVariable("AWSHELPER_REGION")); var client = new AmazonEC2Client(accessId, accessSecret, endpoint); var req = new DescribeSecurityGroupsRequest(); req.GroupIds.Add(groupId); var request = new UpdateSecurityGroupRuleDescriptionsIngressRequest { GroupId = groupId }; try { var secGroupRequest = new DescribeSecurityGroupsRequest(); secGroupRequest.GroupIds.Add(groupId); var get = await client.DescribeSecurityGroupsAsync(secGroupRequest); var securityGroup = get.SecurityGroups.FirstOrDefault(); if (securityGroup == null) { return(BadRequest(new { Success = false, Message = "Security group not found." })); } var description = $"{namePrefix}{model.Name}"; var ipRangeListRemoved = new List <IpRange>(); var ipRangeListAdded = new List <IpRange>(); foreach (var permission in securityGroup.IpPermissions) { foreach (var ipRange in permission.Ipv4Ranges) { if (description.Equals(ipRange.Description) && permission.ToPort == model.Port) { ipRangeListRemoved.Add(ipRange); } } permission.Ipv4Ranges.RemoveAll(x => ipRangeListRemoved.Contains(x)); } if (ipRangeListRemoved.Any()) { var revokeRequest = new RevokeSecurityGroupIngressRequest(); revokeRequest.GroupId = groupId; revokeRequest.IpPermissions.Add(new IpPermission { FromPort = model.Port, IpProtocol = model.Protocol, ToPort = model.Port, Ipv4Ranges = new List <IpRange>(ipRangeListRemoved) }); await client.RevokeSecurityGroupIngressAsync(revokeRequest); } var authorizeRequest = new AuthorizeSecurityGroupIngressRequest(); authorizeRequest.GroupId = groupId; var authorizeIpRange = new IpRange { CidrIp = $"{model.Ip}/32", Description = description }; authorizeRequest.IpPermissions.Add(new IpPermission { FromPort = model.Port, IpProtocol = model.Protocol, ToPort = model.Port, Ipv4Ranges = new List <IpRange> { authorizeIpRange } }); var authorizeResult = await client.AuthorizeSecurityGroupIngressAsync(authorizeRequest); return(Ok(new { Success = true, Message = "Action completed." })); } catch (Exception ex) { return(BadRequest(new { Success = false, Message = ex.Message })); } }