451
複製安全組小工具
- 小工具解決的問題:
- 由於安全組不能垮Region,當一個Region中的安全組比較好,我們在另一個Region中也想使用同樣的規則時,通過這個小工具實現安全組約束的拷貝。
- 數量限製:
- 都拷貝了什麼:
- 安全組 :Name,IpProtocol,PortRange,SourceGroupOwnerAccount,Priority,SourceGroupId,SourceCidrIp,Policy,NicType
- 所屬VPC :Name,UserCidrs,CidrBlock,Description
-
如何使用:
- 公共參數設置:(1)填寫Access Key Id 和 Secrect。(2)regionIdLocal:被複製的regionId。(3)securityGroupIdLocal:regionIdLocal中被複製的安全組Id。(4)regionId:要複製到的regionId。
- 複製classic類型安全組,直接運行。
-
複製vpc類型安全組,當isVpcKeepSame為True,表示複製的安全組所屬的VPC也是相似的。本工具首先根據UserCidrs和CidrBlock在新Region中查找是否有相似的VPC,如果找到,就把安全組複製到這個VPC中,如果沒找到,根據原始Region中VPC創建類似的VPC,然後複製安全組,當isVpcKeepSame為False,直接在新Region中查找Available狀態VPC,然後複製安全組,如果沒有找到,新建VPC。
# coding=utf-8
# if the python sdk is not install using 'sudo pip install aliyun-python-sdk-ecs'
# if the python sdk is install using 'sudo pip install --upgrade aliyun-python-sdk-ecs'
# make sure the sdk version is 2.1.2, you can use command 'pip show aliyun-python-sdk-ecs' to checkimport json
import logging
import timefrom aliyunsdkcore import client
from aliyunsdkecs.request.v20140526.AuthorizeSecurityGroupRequest import \
AuthorizeSecurityGroupRequest
from aliyunsdkecs.request.v20140526.DescribeSecurityGroupAttributeRequest import \
DescribeSecurityGroupAttributeRequest
from aliyunsdkecs.request.v20140526.CreateSecurityGroupRequest import \
CreateSecurityGroupRequest
from aliyunsdkecs.request.v20140526.CreateVpcRequest import CreateVpcRequest
from aliyunsdkecs.request.v20140526.DescribeVpcsRequest import DescribeVpcsRequest# configuration the log output formatter, if you want to save the output to file,
# append ",filename='ecs_invoke.log'" after datefmt.logging.basicConfig(level=logging.INFO,
format='%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s',
datefmt='%a, %d %b %Y %H:%M:%S')# send open api request
def _send_request(request):
request.set_accept_format('json')
try:
response_str = clt.do_action(request)
logging.info(response_str)
response_detail = json.loads(response_str)
return response_detail
except Exception as e:
logging.error(e)# To add rules to classic network cloud server
def execute_add_classical_intranat_ingress(regionId,source_sg_id, permission, dry_run):
request = AuthorizeSecurityGroupRequest()
clt.set_region_id(regionId)
request.set_SecurityGroupId(source_sg_id)
request.set_IpProtocol(permission.get("IpProtocol"))
request.set_PortRange(permission.get("PortRange"))
request.set_SourceGroupOwnerAccount(permission.get("SourceGroupOwnerAccount"))
request.set_Priority(permission.get("Priority"))
request.set_SourceGroupId(permission.get("SourceGroupId"))
request.set_SourceCidrIp(permission.get("SourceCidrIp"))
request.set_Policy(permission.get("Policy"))
request.set_NicType(permission.get("NicType"))if dry_run: logging.info("add sg id %s as the in security group id %s", in_sg_id, source_sg_id) else: response = _send_request(request) return response# How many rules are there under the current security group
def query_sg_rules_for_sg(regionId,security_group_id):
request = DescribeSecurityGroupAttributeRequest()
clt.set_region_id(regionId)
request.set_SecurityGroupId(security_group_id)
response = _send_request(request)
if (str(response.get("Code")) == "InvalidSecurityGroupId.NotFound"):
logging.error("please check if there is an securityGroupId in your region")
return "null"
return response# create VPC
def createVPC(vpcLocal):
request = CreateVpcRequest()
request.set_CidrBlock(vpcLocal.get("CidrBlock"))
request.set_Description(vpcLocal.get("Description"))
UserCidrs = ''
for uc in vpcLocal.get("UserCidrs").get("UserCidr"):
UserCidrs = UserCidrs + str(uc)+","
if(UserCidrs != ''):
request.set_UserCidr(UserCidrs)
request.set_VpcName(vpcLocal.get("VpcName")+"copy")
response = _send_request(request)
newVPCId = response.get("VpcId")
if(newVPCId == None):
logging.error(response)
newVPCId = "null"
return newVPCId# compare UserCidrs
def compareUserCidrs(usercidrs1,usercidrs2):
l1 = len(usercidrs1)
l2 = len(usercidrs2)
flag = False
if(l1 == l2):
flag = True
for cidr in usercidrs1:
if(cidr in usercidrs2):
logging.info(cidr+"passed")
else:
flag = False
break
else:
return flag
return flag# find sameVpc according to UserCidrs and CidrBlock
def findSameVpc(vpcLocal,isVpcKeepSame):
request = DescribeVpcsRequest()
response = _send_request(request)
vpcs = response.get("Vpcs").get("Vpc")
if(isVpcKeepSame == False):
if(len(vpcs)>=1):
for vpc in vpcs:
if(vpc.get("Status") == 'Available'):
return vpc.get("VpcId")
else:
return "null"
for vpc in vpcs:
if(str(vpc.get("Status")) == 'Available'):
usercidrs1 = vpc.get("UserCidrs").get("UserCidr")
usercidrs2 = vpcLocal.get("UserCidrs").get("UserCidr")
if((vpc.get("CidrBlock") == vpcLocal.get("CidrBlock")) and (compareUserCidrs(usercidrs1,usercidrs2))):
return vpc.get("VpcId")
return "null"# find VPC by vpcId
def GetVpc(vpcId):
request = DescribeVpcsRequest()
request.set_VpcId(vpcId)
response = _send_request(request)
if(response.get("TotalCount") >= 1):
return response.get("Vpcs").get("Vpc")[0]
return "null"# create SecurityGroup
def CreateSecurityGroup(regionId,securityGroupName,vpcId,vpcLocal,isVpcKeepSame):
request = CreateSecurityGroupRequest()
clt.set_region_id(regionId)
request.set_SecurityGroupName(securityGroupName)
newVpcId = ''
if(vpcId != ''):
vpcIdAvailable = findSameVpc(vpcLocal,isVpcKeepSame)
if(vpcIdAvailable == 'null'):
newVpcId = createVPC(vpcLocal)
time.sleep(10)
if(newVpcId == "null"):
return "null"
else:
newVpcId = vpcIdAvailable
request.set_VpcId(str(newVpcId))
response = _send_request(request)
return responsedef copy_securityGroup(regionIdLocal,securityGroupIdLocal,regionId,isVpcKeepSame):
# Query a region under a security group all rules
responsepermissions = query_sg_rules_for_sg(regionIdLocal, securityGroupIdLocal)
if (responsepermissions == "null"):
logging.error("error:please check if there is an securityGroupId in your region")
return "null"
else:
permissions = responsepermissions.get("Permissions").get("Permission")
vpcId = responsepermissions.get("VpcId")
vpcLocal = ''
if (vpcId != ''):
vpcLocal = GetVpc(vpcId)
if(vpcLocal == "null"):
logging.error("the vpc=vpcId:%s not exist",vpcId)
return vpcId
securityGroupNameLocal = responsepermissions.get("SecurityGroupName")
# Create security group
securityGroupName = securityGroupNameLocal + "_copyfrom_" + regionIdLocal
response = CreateSecurityGroup(regionId, securityGroupName, vpcId, vpcLocal,isVpcKeepSame)
if(response == "null"):
return "null"
securityGroupId = response.get("SecurityGroupId")# Copy rules for permission in permissions: execute_add_classical_intranat_ingress(regionId, securityGroupId, permission, False) logging.info("In region %s ,create securityGroup:%s success", regionId, securityGroupName)if name == '__main__':
clt = client.AcsClient('Your Access Key Id', 'Your Access Key Secrect', 'cn-beijing') #The regionId of the security group being copied regionIdLocal = 'cn-shanghai' #Copy securityGroupId in regionIdLocal securityGroupIdLocal = 'sg-uf62j00kbggavkplfb56' #Copy to region regionId regionId = 'ap-northeast-1' #whether VPC need to be consistent isVpcKeepSame = False #start copy copy_securityGroup(regionIdLocal, securityGroupIdLocal, regionId,isVpcKeepSame)
最後更新:2017-05-19 17:02:16