From 5d9b3b22642714a85478241678d6a80ead2e0660 Mon Sep 17 00:00:00 2001 From: konsthol Date: Sun, 19 Mar 2023 01:54:54 +0200 Subject: [PATCH] I have no idea what I'm doing here. --- secdep.py | 169 ++++++++++++++++++++++++------------------------------ 1 file changed, 75 insertions(+), 94 deletions(-) diff --git a/secdep.py b/secdep.py index ba60aac..19f40fb 100755 --- a/secdep.py +++ b/secdep.py @@ -30,9 +30,10 @@ from libcloud.compute.providers import get_driver from libcloud.compute.base import NodeAuthSSHKey from libcloud.compute.deployment import ScriptDeployment, SSHKeyDeployment, MultiStepDeployment -# from azure.common.credentials import ServicePrincipalCredentials -# from azure.mgmt.network import NetworkManagementClient -# from azure.mgmt.network.models import NetworkSecurityGroup, SecurityRule +from azure.identity import ClientSecretCredential +from azure.mgmt.resource import ResourceManagementClient +from azure.mgmt.network import NetworkManagementClient +from azure.mgmt.network.v2022_07_01.models import SecurityRule # Disable SSL certificate verification # Disable SHA-2 variants of RSA key verification algorithm for backward compatibility reasons @@ -100,10 +101,8 @@ if not os.path.exists(ENV_FILE): # 5) SECDEP_AZURE_SUB_ID # 6) SECDEP_AZURE_APP_ID # 7) SECDEP_AZURE_PASSWORD -# 8) SECDEP_AZURE_RESOURCE_GROUP -# 9) SECDEP_AZURE_VIRTUAL_NETWORK -# 10) SECDEP_AWS_ACCESS_KEY -# 11) SECDEP_AWS_SECRET_KEY +# 8) SECDEP_AWS_ACCESS_KEY +# 9) SECDEP_AWS_SECRET_KEY # For GCE we need to create a service account (with Owner Role from the IAM section) and download the json file (from # the Service Account's manage keys section) in the same directory as the script 
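Review bot: `from azure.mgmt.network.v2022_07_01.models import SecurityRule` pins the model class to one API version while the `NetworkManagementClient(credential, subscription_id)` built in `create_node` (hunk at L4–L8) is given no matching `api_version`, so the model and the client's default profile can drift apart on an SDK upgrade. The unversioned path the removed comment already used is the stable one, `from azure.mgmt.network.models import SecurityRule`. `ClientSecretCredential`, `ResourceManagementClient` and `NetworkManagementClient` are new runtime dependencies; if the project keeps a requirements file it should list `azure-identity`, `azure-mgmt-resource` and `azure-mgmt-network`, which this diff does not touch.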
@@ -146,14 +145,6 @@ with open(ENV_FILE, 'r') as f: SECDEP_AZURE_PASSWORD = input("Enter your AZURE_PASSWORD: ") with open(ENV_FILE, 'a') as f: f.write('SECDEP_AZURE_PASSWORD={}\n'.format(SECDEP_AZURE_PASSWORD)) - if 'SECDEP_AZURE_RESOURCE_GROUP' not in env_file_content: - SECDEP_AZURE_RESOURCE_GROUP = input("Enter your AZURE_RESOURCE_GROUP: ") - with open(ENV_FILE, 'a') as f: - f.write('SECDEP_AZURE_RESOURCE_GROUP={}\n'.format(SECDEP_AZURE_RESOURCE_GROUP)) - if 'SECDEP_AZURE_VIRTUAL_NETWORK' not in env_file_content: - SECDEP_AZURE_VIRTUAL_NETWORK = input("Enter your AZURE_VIRTUAL_NETWORK: ") - with open(ENV_FILE, 'a') as f: - f.write('SECDEP_AZURE_VIRTUAL_NETWORK={}\n'.format(SECDEP_AZURE_VIRTUAL_NETWORK)) if 'SECDEP_AWS_ACCESS_KEY' not in env_file_content: SECDEP_AWS_ACCESS_KEY = input("Enter your AWS_ACCESS_KEY: ") with open(ENV_FILE, 'a') as f: @@ -185,8 +176,6 @@ def get_env_vars(): global SECDEP_AZURE_SUB_ID global SECDEP_AZURE_APP_ID global SECDEP_AZURE_PASSWORD - global SECDEP_AZURE_RESOURCE_GROUP - global SECDEP_AZURE_VIRTUAL_NETWORK global SECDEP_AWS_ACCESS_KEY global SECDEP_AWS_SECRET_KEY # GCE @@ -202,8 +191,6 @@ def get_env_vars(): SECDEP_AZURE_SUB_ID = os.getenv('SECDEP_AZURE_SUB_ID') SECDEP_AZURE_APP_ID = os.getenv('SECDEP_AZURE_APP_ID') SECDEP_AZURE_PASSWORD = os.getenv('SECDEP_AZURE_PASSWORD') - SECDEP_AZURE_RESOURCE_GROUP = os.getenv('SECDEP_AZURE_RESOURCE_GROUP') - SECDEP_AZURE_VIRTUAL_NETWORK = os.getenv('SECDEP_AZURE_VIRTUAL_NETWORK') # AWS SECDEP_AWS_ACCESS_KEY = os.getenv('SECDEP_AWS_ACCESS_KEY') SECDEP_AWS_SECRET_KEY = os.getenv('SECDEP_AWS_SECRET_KEY') 
@@ -586,7 +573,7 @@ def get_gce_driver(): # Get Azure driver def get_azure_driver(): - if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="" and SECDEP_AZURE_RESOURCE_GROUP !="" and SECDEP_AZURE_VIRTUAL_NETWORK != "": + if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="": driver = get_driver(Provider.AZURE_ARM) print("Trying to authenticate with azure...\n") return driver(tenant_id=SECDEP_AZURE_TENANT_ID, subscription_id=SECDEP_AZURE_SUB_ID, key=SECDEP_AZURE_APP_ID, secret=SECDEP_AZURE_PASSWORD) @@ -602,7 +589,7 @@ def get_providers_quantity(): providers_quantity = 0 if SECDEP_GCE_CLIENT_SECRET !="" and SECDEP_GCE_PROJECT_ID !="" and SECDEP_GCE_CLIENT_ID !="": providers_quantity +=1 - if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="" and SECDEP_AZURE_RESOURCE_GROUP !="" and SECDEP_AZURE_VIRTUAL_NETWORK != "": + if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="": providers_quantity +=1 if SECDEP_AWS_ACCESS_KEY !="" and SECDEP_AWS_SECRET_KEY !="": providers_quantity +=1 
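Review bot: The trimmed condition in `get_azure_driver` still tests each credential with `!= ""`, but `get_env_vars` (hunk at L2) reads them with `os.getenv(...)` and no default, so an unset variable is `None`, `None != ""` is true, and the provider is treated as configured and authentication is attempted with `None` values; this may be masked if the env-file loader guarantees strings, which the diff does not show. `if all((SECDEP_AZURE_TENANT_ID, SECDEP_AZURE_SUB_ID, SECDEP_AZURE_APP_ID, SECDEP_AZURE_PASSWORD)):` covers both cases. The same condition is duplicated in the second hunk on this line (`get_providers_quantity`); a shared helper such as `def _azure_configured(): return all((...))` would keep the two from drifting apart again, as they had to be edited in lockstep here. `get_azure_driver` may continue past the hunk and `get_providers_quantity` returns outside it.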
@@ -1072,63 +1059,52 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi exit(0) node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata) elif provider == "azure": - sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP) - for sec_group in sec_groups: - if sec_group.name == name+"-sec_group": - print("A security group with that name already exists, please try a different virtual machine name to differentiate the security group name") + res_groups = driver.ex_list_resource_groups() + for res_group in res_groups: + if res_group.name == name+"-res_group": + print("A resource group with that name already exists, please try a different virtual machine name to differentiate the resource group name") exit(0) - - # ips = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP) - # for ip in ips: - # if ip.name == name+"-ip": - # print("An ip with that name already exists, please try a different virtual machine name to differentiate the ip name") - # exit(0) - - driver.ex_create_network_security_group(name=name+"-sec_group", resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location) + # Create Resource group using azure sdk since libcloud does not offer that functionality + credential = ClientSecretCredential(client_id=SECDEP_AZURE_APP_ID, client_secret=SECDEP_AZURE_PASSWORD, tenant_id=SECDEP_AZURE_TENANT_ID) + subscription_id = SECDEP_AZURE_SUB_ID + resource_client = ResourceManagementClient(credential, subscription_id) + res_group = resource_client.resource_groups.create_or_update(name+"-res_group", {"location": location.id}) + # Create Virtual Network using azure sdk since libcloud does not offer that functionality + network_client = NetworkManagementClient(credential, subscription_id) + poller = network_client.virtual_networks.begin_create_or_update(res_group.name, name+"-vir_net", { "location": location.id, "address_space": 
{"address_prefixes": ["10.0.0.0/16"]},},) + vir_net = poller.result() + # Create the default subnet using azure sdk since libcloud does not offer that functionality + poller = network_client.subnets.begin_create_or_update(res_group.name, vir_net.name, name+"-subnet", { "address_prefix": "10.0.0.0/24"},) + subnet = poller.result() + # Create Network Security Group + driver.ex_create_network_security_group(name=name+"-sec_group", resource_group=res_group.name, location=location) + # Get the created Virtual Network networks = driver.ex_list_networks() for network in networks: - if network.name == SECDEP_AZURE_VIRTUAL_NETWORK: + if network.name == vir_net.name: ex_network = network break else: - print("Could not find the virtual network. Maybe it was not created beforehand?") - assert ex_network is not None, "In azure you need to manually go and create a virtual network before launching a virtual machine" - if location.id != ex_network.location: - print("Because libcloud currently has no method to automatically create resource group which is tied to a location, the given location must be the same as the one specified when you created the virtual network") - print('Current virtual network\'s location: %s' % (ex_network.location)) - exit(0) + print("Could not find the virtual network. 
Maybe it was not created correctly?") + # Get Virtual Network's default subnet we created subnet = driver.ex_list_subnets(network=ex_network)[0] - - # public_ip = driver.ex_create_public_ip(name=name+"-ip", resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location, public_ip_allocation_method="Static") - - public_ip = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP)[0] - network_interface = driver.ex_create_network_interface(name=name+"-nic", subnet=subnet, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location, public_ip=public_ip) - nic = driver.ex_list_nics(resource_group=SECDEP_AZURE_RESOURCE_GROUP)[0] - sec_group = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP)[0] + # Create public ip + public_ip = driver.ex_create_public_ip(name=name+"-ip", resource_group=res_group.name, location=location, public_ip_allocation_method="Static") + # Create a Virtual Network Interface + network_interface = driver.ex_create_network_interface(name=name+"-nic", subnet=subnet, resource_group=res_group.name, location=location, public_ip=public_ip) + # Get the created Virtual Network Interface + nic = driver.ex_list_nics(resource_group=res_group.name)[0] + # Get the created Network Security Group + sec_group = driver.ex_list_network_security_groups(res_group.name)[0] + # Parameters to associate the Network Security Group to the Virtual Network Interface params = {"ipConfigurations":[{"name":"myip1","id":nic.id,"type":"Microsoft.Network/networkInterfaces/ipConfigurations","properties":{"provisioningState":"Succeeded","privateIPAddress":"10.0.0.4","privateIPAllocationMethod":"Dynamic","publicIPAddress":{"id":public_ip.id},"subnet":{"id":subnet.id},"primary":"true","privateIPAddressVersion":"IPv4"}}],"dnsSettings":{"dnsServers":[]},"enableAcceleratedNetworking":"false","enableIPForwarding":"false","disableTcpStateTracking":"false","networkSecurityGroup":{"id":sec_group.id},"nicType":"Standard"} - newnic = driver.ex_update_nic_properties(nic, 
SECDEP_AZURE_RESOURCE_GROUP, params) - node = driver.create_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=SECDEP_AZURE_RESOURCE_GROUP, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True) - - # subscription_id = SECDEP_AZURE_SUB_ID - # credentials = ServicePrincipalCredentials( - # client_id = SECDEP_AZURE_APP_ID, - # secret = SECDEP_AZURE_PASSWORD, - # tenant = SECDEP_AZURE_TENANT_ID - # ) - # - # network_client = NetworkManagementClient( - # credentials, - # subscription_id - # ) - # - # network_client.security_rules.begin_create_or_update(SECDEP_AZURE_RESOURCE_GROUP,sec_group.name,"allowAllInbound",SecurityRule( - # protocol='*', - # source_address_prefix='*', - # destination_address_prefix='*', - # access='Allow', - # direction='Inbound', description='Allow all',source_port_range='*', - # destination_port_range='*', - # priority=4096, name="allowAll")) + # New Virtual Network Interface associated with the Network Security Group + newnic = driver.ex_update_nic_properties(nic, res_group.name, params) + # Update the Network Security Group's rules to accept connections using azure sdk since libcloud does not offer that functionality + network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllInbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Inbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll")) + network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllOutbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Outbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll")) + # Create the node + node = driver.create_node(name=name, size=size, image=image, 
location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True) else: keys = driver.list_key_pairs() for key in keys: @@ -1263,6 +1239,7 @@ def node_action(action, provider): driver = get_corresponding_driver("gce") elif providerName == "azure": driver = get_corresponding_driver("azure") + node_name = node.name elif providerName == "aws": driver = get_corresponding_driver("aws") assert driver is not None, "Driver is not set up correctly" @@ -1285,18 +1262,19 @@ def node_action(action, provider): else: print("%s node %s -> failed" % (providerName.upper(), action)) if providerName == "azure" and action == "delete": - driver = get_corresponding_driver("azure") - node_location = node.extra['location'] - locations = driver.list_locations() - for loc in locations: - if loc.id == node_location: - location = loc - break - sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP) - for sec_group in sec_groups: - # driver.ex_delete_resource(sec_group) - if sec_group.name == node.name+"-sec_group": - driver.ex_delete_network_security_group(name=sec_group.name, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location) + poller = resource_client.resource_groups.begin_delete(node_name+"-res_group") + result = poller.result() + # node_location = node.extra['location'] + # locations = driver.list_locations() + # for loc in locations: + # if loc.id == node_location: + # location = loc + # break + # sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP) + # for sec_group in sec_groups: + # # driver.ex_delete_resource(sec_group) + # if sec_group.name == node.name+"-sec_group": + # driver.ex_delete_network_security_group(name=sec_group.name, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location) # ips = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP) # for ip in ips: # if ip.name == node.name+"-ip": 
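Review bot: The `allowAllInbound` rule added near the end of the hunk opens every port from every source (`protocol='*'`, `source_address_prefix='*'`, `destination_port_range='*'`, `access='Allow'`) on the new VM's network security group, which defeats the purpose of the per-node group; narrow it to what the deployment needs and to the operator's address range, e.g. `destination_port_range='22', source_address_prefix='<ADMIN_CIDR placeholder>'`, and give the two rules distinct `name=` values instead of `"allowAll"` for both. The two `begin_create_or_update` calls return pollers whose `.result()` is never awaited, so `driver.create_node` can proceed before the rules exist; follow the pattern used for the virtual network, `network_client.security_rules.begin_create_or_update(...).result()`. The `for network in networks: ... else:` branch now only prints and falls through, so `ex_network` is unbound and the next line raises `NameError`; the removed `assert ex_network is not None, "..."` (or an `exit(0)` in the `else:`) should be restored. The `subnet` returned by the SDK is immediately overwritten by `driver.ex_list_subnets(network=ex_network)[0]`, which deserves a comment saying the libcloud object is needed for `ex_create_network_interface`. `create_node` starts and ends outside the hunk.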
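Review bot: `resource_client`, used by the new `begin_delete` call in the delete branch of `node_action`, is not defined in this function — within the diff it is only a local of `create_node` (hunk at L4–L8) — so unless a module-level `resource_client` exists outside the diff, the azure delete path raises `NameError`; the sibling hunk in `node_action_all` at L9 has the same problem. Build it where it is used from the same credential the create path uses, `credential = ClientSecretCredential(client_id=SECDEP_AZURE_APP_ID, client_secret=SECDEP_AZURE_PASSWORD, tenant_id=SECDEP_AZURE_TENANT_ID)` followed by `resource_client = ResourceManagementClient(credential, SECDEP_AZURE_SUB_ID)`, or hoist that pair into a small helper all three functions call; `result = poller.result()` binds an unused name and can be `poller.result()`. Deleting `node_name+"-res_group"` removes the NIC, public IP, NSG and VNet along with the VM, which a one-line comment should state, and a node created before this commit (in the old shared resource group) has no such group, so the call will fail for it — worth noting or handling. The large commented-out copy of the old NSG cleanup should be removed rather than kept as dead code. `node_action` starts outside the hunk.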
@@ -1310,6 +1288,7 @@ def node_action_all(action, provider): driver = get_corresponding_driver("gce") elif providerName == "azure": driver = get_corresponding_driver("azure") + node_name = node.name elif providerName == "aws": driver = get_corresponding_driver("aws") assert driver is not None, "Driver is not set up correctly" @@ -1333,18 +1312,20 @@ def node_action_all(action, provider): else: print("%s node %s -> failed" % (node.name, string)) if providerName == "azure" and action == "delete": - driver = get_corresponding_driver("azure") - node_location = node.extra['location'] - locations = driver.list_locations() - for loc in locations: - if loc.id == node_location: - location = loc - break - sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP) - for sec_group in sec_groups: - # driver.ex_delete_resource(sec_group) - if sec_group.name == node.name+"-sec_group": - driver.ex_delete_network_security_group(name=sec_group.name, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location) + poller = resource_client.resource_groups.begin_delete(node_name+"-res_group") + result = poller.result() + # driver = get_corresponding_driver("azure") + # node_location = node.extra['location'] + # locations = driver.list_locations() + # for loc in locations: + # if loc.id == node_location: + # location = loc + # break + # sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP) + # for sec_group in sec_groups: + # # driver.ex_delete_resource(sec_group) + # if sec_group.name == node.name+"-sec_group": + # driver.ex_delete_network_security_group(name=sec_group.name, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location) # ips = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP) # for ip in ips: # if ip.name == node.name+"-ip":