Class: Chef::Knife::RdsSgFromDataBag

Inherits:

Chef::Knife

• Object
• Chef::Knife
• Chef::Knife::RdsSgFromDataBag

Includes:

RdsBase, RdsBaseDataBag

Defined in:

lib/chef/knife/rds_sg_from_data_bag.rb

Constant Summary

Constants included from RdsBase

Chef::Knife::RdsBase::APPLY_METHODS

Instance Method Summary

• #authorize_ec2_security_groups_to_db_security_group! ⇒ Object

  assign ec2 security groups aws account id is REQUIRED.

• #authorize_ip_addresses_to_db_security_group! ⇒ Object

  Assign ip addresses to security group.

• #authorize_parameters_to_db_security_group! ⇒ Object

  Assign all parameters from data bag to security group.

• #aws_account_id ⇒ Object
• #create_db_security_group! ⇒ Object

  Create a new RDS Security group using the provideda data bag.

• #data_bag_item_name ⇒ Object

  For use with base data bag module.

• #db_security_group ⇒ Object

  Load the DB Parameter Group resource from AWS using the API.

• #db_security_group_name ⇒ Object

  The name of the database security group, extracted from name arguments.

• #revoke_ec2_security_groups_from_security_group! ⇒ Object

  Revoke security groups that are not in the data bag.

• #revoke_ip_addresses_from_db_security_group! ⇒ Object

  Revoke ip addresses belonging to group by NOT in data bag.

• #revoke_parameters_from_db_security_group! ⇒ Object

  Remove all parameters NOT in data bag from security group.

• #run ⇒ Object

Methods included from RdsBaseDataBag

#assert_data_bag_exists!, #assert_data_bag_item_exists!, #assert_data_bag_item_valid!, #assert_required_data_bag_options_present!, #data_bag_exists?, #data_bag_item, #defined_params, included, #required_data_bag_options

Methods included from RdsBase

#assert_name_args_at_least!, #assert_valid_apply_method!, #authenticate!, #connect!, included, #rds

Instance Method Details

#authorize_ec2_security_groups_to_db_security_group! ⇒ Object

assign ec2 security groups aws account id is REQUIRED. Currently, it must be exported as environment variable

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 107

def authorize_ec2_security_groups_to_db_security_group!
  data_bag_item['ec2_security_groups'].each do |group|
    begin
      rds.client.authorize_db_security_group_ingress(
        db_security_group_name: db_security_group_name,
        ec2_security_group_owner_id: aws_account_id,
        ec2_security_group_name: group
      )
      ui.info "#{group} applied"
    rescue AWS::RDS::Errors::AuthorizationAlreadyExists => e
      ui.info "#{group} already applied"
    end
  end
end

#authorize_ip_addresses_to_db_security_group! ⇒ Object

Assign ip addresses to security group

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 123

def authorize_ip_addresses_to_db_security_group!
  data_bag_item['ip_addresses'].each do |ip|
    begin
      rds.client.authorize_db_security_group_ingress(
        db_security_group_name: db_security_group_name,
        cidrip: ip
      )
    rescue AWS::RDS::Errors::InvalidParameterValue => e
      ui.info "Error applying ip #{ip}."
      ui.info e.message
    rescue AWS::RDS::Errors::AuthorizationAlreadyExists => e
      ui.info "#{ip} already applied."
    end

  end
end

#authorize_parameters_to_db_security_group! ⇒ Object

Assign all parameters from data bag to security group

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 56

def authorize_parameters_to_db_security_group!
  authorize_ec2_security_groups_to_db_security_group!
  authorize_ip_addresses_to_db_security_group!
end

#aws_account_id ⇒ Object

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 51

def aws_account_id
  ENV['AWS_ACCOUNT_ID']
end

#create_db_security_group! ⇒ Object

Create a new RDS Security group using the provideda data bag

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 141

def create_db_security_group!
  rds.client.create_db_security_group(
    db_security_group_name: db_security_group_name,
    db_security_group_description: data_bag_item['description']
  )
end

#data_bag_item_name ⇒ Object

For use with base data bag module.

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 156

def data_bag_item_name
  db_security_group_name
end

#db_security_group ⇒ Object

Load the DB Parameter Group resource from AWS using the API

Returns AWS::RDS::DBParameterGroup or nil

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 163

def db_security_group
  unless @db_security_group
    begin
      @db_security_group = rds.client.describe_db_security_groups(db_security_group_name: db_security_group_name)
    rescue AWS::RDS::Errors::DBSecurityGroupNotFound => e
      @db_security_group = nil
    end
  end
  @db_security_group
end

#db_security_group_name ⇒ Object

The name of the database security group, extracted from name arguments

Returns string

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 151

def db_security_group_name
  name_args.first
end

#revoke_ec2_security_groups_from_security_group! ⇒ Object

Revoke security groups that are not in the data bag

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 86

def revoke_ec2_security_groups_from_security_group!
  db_security_group[:db_security_groups].first[:ec2_security_groups].each do |eg|
    eg_name = eg[:ec2_security_group_name]
    unless data_bag_item['ec2_security_groups'].include?(eg_name)
      if eg[:status] == 'authorized'
        ui.info "Revoking access for #{eg_name}"
        rds.client.revoke_db_security_group_ingress(
          db_security_group_name: db_security_group_name,
          ec2_security_group_owner_id: aws_account_id,
          ec2_security_group_name: eg_name
        )
      end
    else
      ui.info "Keeping #{eg_name}"
    end
  end
end

#revoke_ip_addresses_from_db_security_group! ⇒ Object

Revoke ip addresses belonging to group by NOT in data bag

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 68

def revoke_ip_addresses_from_db_security_group!
  db_security_group[:db_security_groups].first[:ip_ranges].each do |ip|
    cidr = ip[:cidrip]
    unless data_bag_item['ip_addresses'].include?(cidr)
      if ip[:status] == 'authorized'
        ui.info "Revoking access for #{cidr}"
        rds.client.revoke_db_security_group_ingress(
          db_security_group_name: db_security_group_name,
          cidrip: cidr
        )
      end
    else
      ui.info "Keeping #{cidr}"
    end
  end
end

#revoke_parameters_from_db_security_group! ⇒ Object

Remove all parameters NOT in data bag from security group

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 62

def revoke_parameters_from_db_security_group!
  revoke_ec2_security_groups_from_security_group!
  revoke_ip_addresses_from_db_security_group!
end

#run ⇒ Object

# File 'lib/chef/knife/rds_sg_from_data_bag.rb', line 25

def run

  assert_name_args_at_least!(1, "Security group name is required!")

  assert_data_bag_item_valid!

  authenticate!

  if db_security_group.nil?
    ui.info("The security group #{db_security_group_name} does not exist.")
    confirm("Would you like to create it")
    create_db_security_group!
  else
    ui.info "The security group #{db_security_group_name} exists. Continuing..."
  end

  ui.info "Revoking parameters"
  revoke_parameters_from_db_security_group!
  ui.info "Authorizing parameters."
  authorize_parameters_to_db_security_group!

  ui.info("Assigned parameters to #{db_security_group_name}")
  exit 0

end