Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Group Data Bag Quote Parsing for Port Ranges #477

Open
ajeba99 opened this issue Apr 20, 2016 · 2 comments
Open

Security Group Data Bag Quote Parsing for Port Ranges #477

ajeba99 opened this issue Apr 20, 2016 · 2 comments

Comments

@ajeba99
Copy link

ajeba99 commented Apr 20, 2016

So I am trying to build the networking portion of my customer environment in AWS using data bags.

Here is my Chef environment ...

chef -v
Chef Development Kit Version: 0.12.0
chef-client version: 12.8.1
berks version: 4.3.0
kitchen version: 1.6.0

chef-provisioning (1.6.0)
chef-provisioning-aws (1.8.0)
chef-provisioning-azure (0.5.0)
chef-provisioning-fog (0.16.0)
chef-provisioning-vagrant (0.11.0)

I am having two issues.

First, when security groups are being created, if I am defining a range or list of ports, yet only the first port is being acknowledged. Here is my script ...

devices["securitygroups"].each do |securitygroups|
  aws_security_group securitygroups["security_group_name"] do
    vpc securitygroups["security_group_vpc"]

    @inboundrules = []
    @outboundrules = []

    securitygroups["inbound_rules"].each do |inbound|
      inboundopts = {}
      inboundopts = {
        port: inbound["port"],
        protocol: inbound["protocol"],
        sources: inbound["sources"]
      }
     @inboundrules << inboundopts
    end

    securitygroups["outbound_rules"].each do |outbound|
      outboundopts = {}
      outboundopts = {
        port: outbound["port"],
        protocol: outbound["protocol"],
        destinations: outbound["destinations"]
      }
     @outboundrules << outboundopts
    end

    inbound_rules @inboundrules
    outbound_rules @outboundrules
    aws_tags description: securitygroups["security_group_description"]
  end
end

Here is the security group portion of my data bag the script is pulling from ...

"securitygroups" : [
{
  "security_group_name" : "TestEnv_SG",
  "security_group_vpc" : "TestEnv_VPC",
  "security_group_description" : "aws_sg_TestEnv",
  "inbound_rules" : [
    {
      "port" : "80, 443",
      "protocol" : "tcp",
      "sources" : "0.0.0.0/0"
    },
    {
      "port" : "1024..2048",
      "protocol" : "tcp",
      "sources" : "127.0.0.1/32"
    },
    {
      "port" : "80, 443",
      "protocol" : "udp",
      "sources" : "1.1.1.0/24"
    }
  ],
  "outbound_rules" : [
    {
      "port" : "81",
      "protocol" : "tcp",
      "destinations" : "0.0.0.0/0"
    },
    {
      "port" : "2048..4096",
      "protocol" : "tcp",
      "destinations" : "TestEnv_SG"
    },
    {
      "port" : "8080, 8081",
      "protocol" : "tcp",
      "destinations" : "2.2.2.0/24"
    }
  ]
}
],

... And here is the output from the log ...

[2015-11-16T11:21:17-06:00] INFO: [AWS EC2 200 0.272027 0 retries] authorize_security_group_egress(:group_id=>"sg-c6f5a1a2",:ip_permissions=>[{:from_port=>2048,:ip_protocol=>"tcp",:to_port=>2048,:user_id_group_pairs=>[{:group_id=>"sg-c6f5a1a2",:user_id=>"115481970544"}]}])

- authorize group TestEnv_SG (sg-c6f5a1a2) to send traffic to sg-c6f5a1a2 on port_range "2048..4096" with protocol tcp
However, when I check the AWS Security Group in the GUI I only see the first port was created for this outbound rule (port 2048). This appears to be an issues with parsing quotes. You can even see this in the examples. Most (maybe all) options that involve numbers don't have any quotes around them. I cannot do this in json as it requires quotes. In my json data bag, when I am only using one number I don't use quotes to be able to get around this design. Yet when dealing with port ranges I must use quotes. How do I work around this?

Second, when I hit up-arrow and enter to just simply rerun the command again I get the following ...

[2015-11-16T11:29:26-06:00] INFO: [AWS EC2 400 0.272027 0 retries] authorize_security_group_egress(:group_id=>"sg-eaf7a38e",:ip_permissions=>[{:from_port=>81,:ip_protocol=>"tcp",:ip_ranges=>[{:cidr_ip=>"0.0.0.0/0"}],:to_port=>81}]) AWS::EC2::Errors::InvalidPermission::Duplicate the specified rule "peer: 0.0.0.0/0, TCP, from port: 81, to port: 81, ALLOW" already exists

================================================================================
Error executing action `create` on resource 'aws_security_group[TestEnv_SG]'
================================================================================

AWS::EC2::Errors::InvalidPermission::Duplicate
----------------------------------------------
the specified rule "peer: 0.0.0.0/0, TCP, from port: 81, to port: 81, ALLOW" already exists

It seems it's not doing what it's supposed to on subsequent runs.
@eheydrick
Copy link

Take a look at #398 (comment) to see the solution I found using the ranger gem to turn the string from the databag into a range that chef-provisioning-aws expects.

@ajeba99
Copy link
Author

ajeba99 commented Apr 25, 2016

Right, I do appreciate the potential work around but I am looking for this to work like other parts Chef Provisioning when using data bags.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eheydrick @ajeba99