konsthol/SecDep
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e58c4037808330826c5d5ea06e12848c674f0ae8
SecDep/secdep.py

1499 lines
80 KiB
Python
Executable File
Raw Blame History

#!/usr/bin/env python3
# This script will use the libcloud api
# to manage vps instances from
# 1) Google Cloud Platform (GCE)
# 2) Microsoft Azure (AZURE_ARM)
# 3) Amazon Web Services (EC2)
# A user will be able to
# 1) create an instance
# 2) delete an instance or all of them across all or one cloud provider
# 3) list all instances across all cloud providers or a specific one
# 4) start a stopped instance or all of them across all or one cloud provider
# 5) stop a running instance or all of them across all or one cloud provider
# 6) reboot a running instance or all of them across all or one cloud provider
# 7) list images available for a provider
# 8) list sizes available for a provider
# 9) list locations available for a provider
# 10) run a script during the creation of a new instance to deploy docker services
# 11) ssh to an instance with a choice across all or one cloud provider
# all from the command line using flags
import os
import sys
import argparse
import time
import paramiko
import socket
from dotenv import load_dotenv
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver
from libcloud.compute.base import NodeAuthSSHKey
from libcloud.compute.deployment import ScriptDeployment, MultiStepDeployment, ScriptFileDeployment
from azure.identity import ClientSecretCredential
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2022_07_01.models import SecurityRule
# Declare the ENV_FILE variable as such to always reside in the same directory as the script
# We use os.path.join to make sure the path is correct for every OS
# Also do the same for the ssh keys and the script to be used during deployment
ENV_FILE = os.path.join(os.path.dirname(__file__), ".env")
SECDEP_SSH_PUBLIC_KEY = os.path.join(os.path.dirname(__file__), "secdep.pub")
SECDEP_SSH_PRIVATE_KEY = os.path.join(os.path.dirname(__file__), "secdep")
SECDEP_DEPLOY_SCRIPT = os.path.join(os.path.dirname(__file__), "harden")
# Available choices when the action flag is used
action_choices = ["delete","start","stop","reboot","deleteall","startall","stopall","rebootall"]
# If no arguements were given let the user know this is not how to use this program
if not len(sys.argv) > 1:
print("No arguments passed. Use -h or --help for help")
exit(0)
# Define the command line arguments
parser = argparse.ArgumentParser(
prog='secdep.py',
description='Manage cloud instances',
)
parser.add_argument('-l', '--list', help='List all instances or with -P PROVIDER list a provider\'s instances', action='store_true')
parser.add_argument('-v', '--values', help='Change credential values', action='store_true')
parser.add_argument('-P', '--provider', help='Cloud provider', choices=['gce', 'azure', 'aws'])
parser.add_argument('-a', '--action', help='Action to perform on a single provider with -P PROVIDER or all instances. Valid options are delete[all] start[all] stop[all] reboot[all]', choices=action_choices, metavar='ACTION')
parser.add_argument('-c', '--create', help='Create an instance', action='store_true')
parser.add_argument('-dep', '--deploy', help='Docker images to deploy', type=str, nargs='*', default=None, required=False)
parser.add_argument('-I', '--listimages', help='List images', action='store_true')
parser.add_argument('-S', '--listsizes', help='List sizes', action='store_true')
parser.add_argument('-G', '--listlocations', help='List locations', action='store_true')
parser.add_argument('-i', '--image', help='Image to use')
parser.add_argument('-s', '--size', help='Size of instance')
parser.add_argument('-n', '--name', help='Name of instance')
parser.add_argument('-g', '--region', help='Region to use')
parser.add_argument('-y', '--yes', help='Do not ask for confirmation during creation', action='store_true')
parser.add_argument('-p', '--print', help='Also print node, image, location or size', action='store_true')
parser.add_argument('-port', '--port', help='Port to connect to when using ssh')
parser.add_argument('-awsregion', '--awsregion', help='Specify aws region to not have to go through all of them')
parser.add_argument('-ssh', '--ssh', help='Connect to an instance using ssh with the option to use -P PROVIDER to choose node from a specific provider', action='store_true')
parser.add_argument('-init', '--init', help='Initialize a specific provider\'s values' , choices=['gce', 'azure', 'aws'])
args = parser.parse_args()
# If one or both keys don't exist we create them
if not os.path.exists(SECDEP_SSH_PUBLIC_KEY) or not os.path.exists(SECDEP_SSH_PRIVATE_KEY):
# Generate a new SSH key pair
# The key is stored in the current directory and named secdep
# The public key is stored in the current directory and named secdep.pub
# The passphrase is an empty string
# The key is a 4096 bit RSA key
# The key's comment is secdep@hostname
key = paramiko.RSAKey.generate(4096)
key.write_private_key_file(SECDEP_SSH_PRIVATE_KEY)
with open(SECDEP_SSH_PUBLIC_KEY, 'w') as f:
f.write("%s %s secdep@%s" % (key.get_name(), key.get_base64(), socket.gethostname()))
# We check if the env file it exists already in order to avoid overwriting it
# and if it doesn't exist, we create it by inserting an empty string
# When using the with statement, the file is automatically
# closed at the end of the indented block
if not os.path.exists(ENV_FILE):
with open(ENV_FILE, 'w') as f:
f.write('')
# The required values for authentication are stored in the .env file in the form of KEY=VALUE
# These are
# 1) SECDEP_GCE_CLIENT_ID (the service account Email found in project's IAM & Admin section/Service Accounts)
# 2) SECDEP_GCE_CLIENT_SECRET (the service account's private Key ID found in project's IAM & Admin section/Service Accounts)
# 3) SECDEP_GCE_PROJECT_ID (the project ID found in project's dashboard)
# 4) SECDEP_AZURE_TENANT_ID (the tenant id found when viewing the azure subscription)
# 5) SECDEP_AZURE_SUB_ID (documented in the README)
# 6) SECDEP_AZURE_APP_ID (documented in the README)
# 7) SECDEP_AZURE_PASSWORD (documented in the README)
# 8) SECDEP_AWS_ACCESS_KEY (that we created in the aws IAM section)
# 9) SECDEP_AWS_SECRET_KEY (that we viewed only once when we created the key)
# For GCE we need to create a service account (with Owner Role from the IAM section) and download the json file (from
# the Service Account's manage keys section) in the same directory as the script
# We then check if the .env file is empty to determine if it's the first run of the script
if os.stat(ENV_FILE).st_size == 0:
if args.init:
match args.init:
case "gce":
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AZURE_TENANT_ID=\n')
f.write('SECDEP_AZURE_SUB_ID=\n')
f.write('SECDEP_AZURE_APP_ID=\n')
f.write('SECDEP_AZURE_PASSWORD=\n')
f.write('SECDEP_AWS_ACCESS_KEY=\n')
f.write('SECDEP_AWS_SECRET_KEY=\n')
case "azure":
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_GCE_CLIENT_ID=\n')
f.write('SECDEP_GCE_CLIENT_SECRET=\n')
f.write('SECDEP_GCE_PROJECT_ID=\n')
f.write('SECDEP_AWS_ACCESS_KEY=\n')
f.write('SECDEP_AWS_SECRET_KEY=\n')
case "aws":
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_GCE_CLIENT_ID=\n')
f.write('SECDEP_GCE_CLIENT_SECRET=\n')
f.write('SECDEP_GCE_PROJECT_ID=\n')
f.write('SECDEP_AZURE_TENANT_ID=\n')
f.write('SECDEP_AZURE_SUB_ID=\n')
f.write('SECDEP_AZURE_APP_ID=\n')
f.write('SECDEP_AZURE_PASSWORD=\n')
case _:
print("Invalid provider")
else:
print('You will be asked for each needed value\nIf you want to skip a provider press enter on each of their values because they are all needed for authentication\nIf at some point you delete the provider\'s value entry you will once again be asked to enter it\nIf you pressed enter by mistake or inserted an incorrect value just edit the file directly or delete the corresponding line\nThere is also the choice of using the -v option to have that done interactively')
if os.stat(ENV_FILE).st_size != 0 and args.init:
print("The init flag was only meant to be optionally run once and only in the first run if you knew you were going to be using only one provider. If you need to change or populate a provider\'s needed values use the --values or -v flag instead")
exit(0)
# We search for these values in the ENV_FILE and for each not found, we prompt the user to enter it
# We then write the values to the ENV_FILE
# An empty string is allowed in case the user does not want to use a particular cloud provider
# but he will be prompted for all values
with open(ENV_FILE, 'r') as f:
env_file_content = f.read()
if 'SECDEP_GCE_CLIENT_ID' not in env_file_content:
SECDEP_GCE_CLIENT_ID = input("Enter your GCE_CLIENT_ID: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_GCE_CLIENT_ID={}\n'.format(SECDEP_GCE_CLIENT_ID))
if 'SECDEP_GCE_CLIENT_SECRET' not in env_file_content:
SECDEP_GCE_CLIENT_SECRET = input("Enter your GCE_CLIENT_SECRET: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_GCE_CLIENT_SECRET={}\n'.format(SECDEP_GCE_CLIENT_SECRET))
if 'SECDEP_GCE_PROJECT_ID' not in env_file_content:
SECDEP_GCE_PROJECT_ID = input("Enter your GCE_PROJECT_ID: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_GCE_PROJECT_ID={}\n'.format(SECDEP_GCE_PROJECT_ID))
if 'SECDEP_AZURE_TENANT_ID' not in env_file_content:
SECDEP_AZURE_TENANT_ID = input("Enter your AZURE_TENANT_ID: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AZURE_TENANT_ID={}\n'.format(SECDEP_AZURE_TENANT_ID))
if 'SECDEP_AZURE_SUB_ID' not in env_file_content:
SECDEP_AZURE_SUB_ID = input("Enter your AZURE_SUB_ID: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AZURE_SUB_ID={}\n'.format(SECDEP_AZURE_SUB_ID))
if 'SECDEP_AZURE_APP_ID' not in env_file_content:
SECDEP_AZURE_APP_ID = input("Enter your AZURE_APP_ID: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AZURE_APP_ID={}\n'.format(SECDEP_AZURE_APP_ID))
if 'SECDEP_AZURE_PASSWORD' not in env_file_content:
SECDEP_AZURE_PASSWORD = input("Enter your AZURE_PASSWORD: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AZURE_PASSWORD={}\n'.format(SECDEP_AZURE_PASSWORD))
if 'SECDEP_AWS_ACCESS_KEY' not in env_file_content:
SECDEP_AWS_ACCESS_KEY = input("Enter your AWS_ACCESS_KEY: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AWS_ACCESS_KEY={}\n'.format(SECDEP_AWS_ACCESS_KEY))
if 'SECDEP_AWS_SECRET_KEY' not in env_file_content:
SECDEP_AWS_SECRET_KEY = input("Enter your AWS_SECRET_KEY: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AWS_SECRET_KEY={}\n'.format(SECDEP_AWS_SECRET_KEY))
# Load environment variables from ENV_FILE and temporarily store them
# along the other system environment variables
# If an environment variable is already set, it will not be overwritten
# but since the existence of the .env file is mandatory it is best if
# they are not already set.
# That is because some of them may be named something slightly different
# by the user and this program works with these exact value names
# That is also the reason they are prefixed with the SECDEP_ string
load_dotenv(ENV_FILE)
# We also store them in variables for ease of use inside the program
# We take for granted that these values exist either empty or not
def get_env_vars():
# Make them global so we can use them in other functions
global SECDEP_GCE_CLIENT_ID
global SECDEP_GCE_CLIENT_SECRET
global SECDEP_GCE_PROJECT_ID
global SECDEP_AZURE_TENANT_ID
global SECDEP_AZURE_SUB_ID
global SECDEP_AZURE_APP_ID
global SECDEP_AZURE_PASSWORD
global SECDEP_AWS_ACCESS_KEY
global SECDEP_AWS_SECRET_KEY
# GCE
SECDEP_GCE_CLIENT_ID = os.getenv('SECDEP_GCE_CLIENT_ID')
SECDEP_GCE_CLIENT_SECRET = os.getenv('SECDEP_GCE_CLIENT_SECRET')
SECDEP_GCE_PROJECT_ID = os.getenv('SECDEP_GCE_PROJECT_ID')
if SECDEP_GCE_CLIENT_SECRET !="" and SECDEP_GCE_PROJECT_ID !="":
SECDEP_GCE_CLIENT_SECRET = os.path.join(os.path.dirname(os.path.abspath(__file__)), SECDEP_GCE_PROJECT_ID+'-'+SECDEP_GCE_CLIENT_SECRET[:12]+'.json')
# Never mind the error after converting is not None to !="" because only then
# this variable doesnt end up as /home/konsthol/MyGitea/SecDep/-.json
# Azure
SECDEP_AZURE_TENANT_ID = os.getenv('SECDEP_AZURE_TENANT_ID')
SECDEP_AZURE_SUB_ID = os.getenv('SECDEP_AZURE_SUB_ID')
SECDEP_AZURE_APP_ID = os.getenv('SECDEP_AZURE_APP_ID')
SECDEP_AZURE_PASSWORD = os.getenv('SECDEP_AZURE_PASSWORD')
# AWS
SECDEP_AWS_ACCESS_KEY = os.getenv('SECDEP_AWS_ACCESS_KEY')
SECDEP_AWS_SECRET_KEY = os.getenv('SECDEP_AWS_SECRET_KEY')
get_env_vars()
# List all the entries in the .env file and ask the user which one he wants to update
# If the user enters an invalid value, the program will ask again
# If the user enters 0 the program will exit
def update_env_file():
with open(ENV_FILE, 'r') as f:
env_file_content = f.read()
# find all lines staring with SECDEP_
file_entries = list(filter(lambda x: x.startswith('SECDEP_'), env_file_content.split('\n')))
count = 0
for line in file_entries:
count += 1
print("{}) {}".format(count, line))
print("Choosing 0 will exit the function")
print("You will be asked to enter the new value until it is valid or you enter 0")
choice = input("Choose the entry you want to update: ")
try:
choice = int(choice)
if choice > count or choice < 0:
raise ValueError
elif choice == 0:
return
except ValueError:
print("Invalid choice")
update_env_file()
else:
entry = file_entries[choice - 1]
entry_name = entry.split('=')[0]
entry_value = entry.split('=')[1]
if entry_value == '':
entry_value = 'None'
print("The current value for {} is {}".format(entry_name, entry_value))
new_value = input("Enter the new value: ")
with open(ENV_FILE, 'w') as f:
f.write(env_file_content.replace(entry, "{}={}".format(entry_name, new_value)))
print("The value for {} was updated successfully".format(entry_name))
update_env_file()
# Reload the environment variables
# That was setup this way because the initial thought was exiting manually but it will stay that way just in case we do end up making it like so
load_dotenv(ENV_FILE)
get_env_vars()
# If -v or --values is passed, call the update_env_file function
if args.values:
update_env_file()
# AWS and AZURE have thousands of image choice so we hardcode the ones we want in order to not wait forever during the input validation
AWS_ubuntu22_04_images = {
"ap-northeast-1": "ami-0cd7ad8676931d727",
"ap-south-1": "ami-06984ea821ac0a879",
"ca-central-1": "ami-0dae3a932d090b3de",
"eu-central-1": "ami-03e08697c325f02ab",
"eu-north-1": "ami-00c70b245f5354c0a",
"eu-west-1": "ami-0333305f9719618c7",
"sa-east-1": "ami-015e30624fffff117",
"us-east-1": "ami-00874d747dde814fa",
"us-west-1": "ami-09b2a1e33ce552e68",
"ap-northeast-2": "ami-09eba584c30b7299f",
"ap-southeast-2": "ami-0c18f3cdeea1c220d",
"eu-west-2": "ami-0d09654d0a20d3ae2",
"us-east-2": "ami-0ab0629dba5ae551d",
"us-west-2": "ami-095413544ce52437d",
"ap-northeast-3": "ami-0ead712799090892e",
"eu-west-3": "ami-0afd55c0c8a52973a"
}
AWS_ubuntu22_10_images = {
"ap-northeast-1": "ami-04e096919731466e4",
"ap-south-1": "ami-01b60efb0632e8b18",
"ap-southeast-1": "ami-085ecfe4d567e153a",
"ca-central-1": "ami-010346a896f698f7d",
"eu-central-1": "ami-0f1cf34dcb4057a5f",
"eu-north-1": "ami-0e942149c97ff88bd",
"eu-west-1": "ami-015423a987dafce81",
"sa-east-1": "ami-06edb0fb80530aa8b",
"us-east-1": "ami-074f5b0bdbdc43210",
"us-west-1": "ami-0eb5f373317fb0ae4",
"ap-northeast-2": "ami-05493e234687bd083",
"ap-southeast-2": "ami-0bd29331dcb023a43",
"eu-west-2": "ami-0ae7948375d66d902",
"us-east-2": "ami-0de381f43eb6dbe39",
"us-west-2": "ami-0534f435d9dd0ece4",
"ap-northeast-3": "ami-05ede9a3a46934154",
"eu-west-3": "ami-0545575c963ed1276"
}
AWS_debian_10_images = {
"ap-northeast-1": "ami-041e370f47f9b619e",
"ap-northeast-2": "ami-0243bb2bec2d9707b",
"ap-northeast-3": "ami-0c1c0379b3534e7d8",
"ap-south-1": "ami-0eb2c4104acb437b2",
"ap-southeast-1": "ami-0ee39036464b9a87e",
"ap-southeast-2": "ami-0bb99834ae8c7471e",
"ca-central-1": "ami-0125327537ef16282",
"eu-central-1": "ami-0c984d7a384cafb51",
"eu-north-1": "ami-013fff3fbe1b44cd7",
"eu-west-1": "ami-00aa3f69e07141166",
"eu-west-2": "ami-073e61682f2137943",
"eu-west-3": "ami-0fa84148519465f59",
"sa-east-1": "ami-03405dcb7a98e974b",
"us-east-1": "ami-03d6e2aceefaa35b0",
"us-east-2": "ami-0246e87085c5c98e3",
"us-west-1": "ami-0809b44a732f37188",
"us-west-2": "ami-0164ab05efc075cbc"
}
AWS_debian_11_images = {
"ap-northeast-1": "ami-043fed2cdcba4027e",
"ap-northeast-2": "ami-0bb0231c184073ac1",
"ap-northeast-3": "ami-09968ae34a843a6cb",
"ap-south-1": "ami-079b117c1800d30f8",
"ap-southeast-1": "ami-07ac0a74d21a3174c",
"ap-southeast-2": "ami-0c7a13e86ce7afc80",
"ca-central-1": "ami-09b3e61273dd34f3b",
"eu-central-1": "ami-0c75b861029de4030",
"eu-north-1": "ami-08869bacfa1188ec9",
"eu-west-1": "ami-0591c8c8aa7d9b217",
"eu-west-2": "ami-0e789c3dd24faa0be",
"eu-west-3": "ami-040dc155c278da35a",
"sa-east-1": "ami-0cb45622734c55ed6",
"us-east-1": "ami-052465340e6b59fc0",
"us-east-2": "ami-06a7641d5bd7bdc65",
"us-west-1": "ami-0097d5326aebc68e0",
"us-west-2": "ami-05063446e767da4ff"
}
AWS_centos7_images = {
"eu-north-1": "ami-0e5125a0f19c52a2b",
"eu-west-2": "ami-0de2f45684e59282c",
"us-west-1": "ami-0bcd12d19d926f8e9",
"eu-central-1": "ami-0afcbcee3dfbce929",
"us-east-1": "ami-0aedf6b1cb669b4c7",
"ap-south-1": "ami-09f129ee53d3523c0",
"ap-northeast-1": "ami-06e6d2122baa563c4",
"ap-northeast-2": "ami-061f5322ab2662c82",
"eu-west-3": "ami-051806c39fa542e22",
"us-west-2": "ami-04f798ca92cc13f74",
"ap-southeast-1": "ami-03bfba2e75432064e",
"us-east-2": "ami-033adaf0b583374d4",
"ap-southeast-2": "ami-0264ead5294ad1773",
"ca-central-1": "ami-01ebef6e00efb2c20",
"sa-east-1": "ami-015f6bf0657816a2d",
"eu-west-1": "ami-00d464afa64e1fc69"
}
AWS_centos8_images = {
"sa-east-1": "ami-0ec17e5479978d435",
"ap-southeast-2": "ami-0cd15beeae86bd0b5",
"us-east-1": "ami-0c07df890a618c98a",
"eu-central-1": "ami-0b79da023fb461a12",
"us-west-2": "ami-09195cb76ab892888",
"eu-west-1": "ami-0819edf1cd94e83e8",
"ap-southeast-1": "ami-07ab649c51b1c14e7",
"eu-north-1": "ami-05eaebdafff627949",
"us-east-2": "ami-05cefb3ebaddc75f6",
"eu-west-3": "ami-05a3b9ccef6b9a4f4",
"ap-south-1": "ami-04ebf66b7be0500f6",
"eu-west-2": "ami-0495083a5dc6bc6a3",
"us-west-1": "ami-033e1fe6304139f4c",
"ap-northeast-2": "ami-014911a31aba94953",
"ap-northeast-1": "ami-0117f2fc9c6939327",
"ca-central-1": "ami-00723d0970fc53863"
}
AWS_centos9_images = {
"us-west-2": "ami-0e27c3746a0d5ecbf",
"sa-east-1": "ami-0c70afd15bcb126a9",
"eu-north-1": "ami-0a942e3eea51f9810",
"ap-southeast-2": "ami-09825374904820651",
"us-west-1": "ami-08e31531a8310da78",
"eu-west-1": "ami-08be94d0e177189de",
"eu-west-3": "ami-082f57b7c23b057df",
"ap-northeast-1": "ami-074800b0d58e64b24",
"ap-southeast-1": "ami-05a6e3d785f747c7d",
"eu-west-2": "ami-056117c19265dad25",
"ca-central-1": "ami-03f6ca47d93885ab9",
"ap-south-1": "ami-0383b9760ad3de192",
"us-east-1": "ami-027a785419f41ea0f",
"ap-northeast-2": "ami-025fab85b691896e8",
"us-east-2": "ami-0127d4ce241322a8e",
"eu-central-1": "ami-00cdc2b0769957e1c"
}
AWS_fedora37_images = {
"us-east-1": "ami-023fb534213ca41da",
"us-east-2": "ami-0d9ef71e892f861c6",
"us-west-2": "ami-019b893191a9ac44a",
"us-west-1": "ami-04e37334d4e907fab",
"eu-west-1": "ami-0f242738c5379ffc1",
"eu-central-1": "ami-0965c162c412da7ca",
"eu-west-2": "ami-0257e646e0a4b4987",
"ap-southeast-1": "ami-002185f8a7d5528e2",
"ap-northeast-1": "ami-0e010569d0798fa05",
"ap-southeast-2": "ami-028fb965bf530cd3e",
"sa-east-1": "ami-0390b84962fd284f8",
"ap-northeast-2": "ami-0902b5ee3ed4ebe17",
"ap-south-1": "ami-04e6a16b463b1dbe0",
"ca-central-1": "ami-057f927818ad393c5"
}
AWS_redhat9_images = {
"eu-north-1": "ami-0cd776c8201793f81",
"ap-south-1": "ami-063d0d3250553f017",
"eu-west-3": "ami-0b6b7402cc4708282",
"eu-west-2": "ami-03628db51da52eeaa",
"eu-west-1": "ami-028f9616b17ba1d53",
"ap-northeast-3": "ami-088c289c3f07fa115",
"ap-northeast-2": "ami-000847072b0b35502",
"ap-northeast-1": "ami-0b74caa65e36e4b38",
"sa-east-1": "ami-03f8004d2ba700e6c",
"ca-central-1": "ami-0c23a35603e3d8ba4",
"ap-southeast-1": "ami-07a79552200256856",
"ap-southeast-2": "ami-0fe791c0ace58322c",
"eu-central-1": "ami-025d24108be0a614c",
"us-east-1": "ami-0c41531b8d18cc72b",
"us-east-2": "ami-078cbc4c2d057c244",
"us-west-1": "ami-0fa0ed170a59f4917",
"us-west-2": "ami-04a616933df665b44"
}
AWS_redhat8_6_images = {
"eu-north-1": "ami-06a2a41d455060f8b",
"ap-south-1": "ami-05c8ca4485f8b138a",
"eu-west-3": "ami-0460bf124812bebfa",
"eu-west-2": "ami-035c5dc086849b5de",
"eu-west-1": "ami-0f0f1c02e5e4d9d9f",
"ap-northeast-3": "ami-044921b7897a7e0da",
"ap-northeast-2": "ami-06c568b08b5a431d5",
"ap-northeast-1": "ami-0f903fb156f24adbf",
"sa-east-1": "ami-0c1b8b886626f940c",
"ca-central-1": "ami-0c3d3a230b9668c02",
"ap-southeast-1": "ami-051f0947e420652a9",
"ap-southeast-2": "ami-0808460885ff81045",
"eu-central-1": "ami-0e7e134863fac4946",
"us-east-1": "ami-06640050dc3f556bb",
"us-east-2": "ami-092b43193629811af",
"us-west-1": "ami-0186e3fec9b0283ee",
"us-west-2": "ami-08970fb2e5767e3b8"
}
AWS_redhat7_9_images = {
"eu-north-1": "ami-003fb5b0ea327060c",
"ap-south-1": "ami-0b6d1128312a13b2a",
"eu-west-3": "ami-0f4643887b8afe9e2",
"eu-west-2": "ami-0e6c172f77df9f9c3",
"eu-west-1": "ami-020e14de09d1866b4",
"ap-northeast-3": "ami-00718a107dacde79f",
"ap-northeast-2": "ami-0c851e892c33af909",
"ap-northeast-1": "ami-0155fdd0956a0c7a0",
"sa-east-1": "ami-07eca9d9caaced495",
"ca-central-1": "ami-0de9a412a63b8f99d",
"ap-southeast-1": "ami-0f24fbd3cc8531844",
"ap-southeast-2": "ami-0fb87e863747a1610",
"eu-central-1": "ami-0f58468b80db2db66",
"us-east-1": "ami-005b7876121b7244d",
"us-east-2": "ami-0d2bf41df19c4aac7",
"us-west-1": "ami-015474e24281c803d",
"us-west-2": "ami-02d40d11bb3aaf3e5"
}
AWS_opensuseLeap15_3_images = {
"ap-south-1": "ami-0ade60d62f2a2e05c",
"eu-north-1": "ami-0ae983da6ffb9b1e7",
"eu-west-3": "ami-025ea6b220205eeda",
"eu-west-2": "ami-0c912bbb879286143",
"eu-west-1": "ami-0397bb96c927b3747",
"ap-northeast-3": "ami-073fffb8542446f02",
"ap-northeast-2": "ami-0a4130f336deb5d7d",
"ap-northeast-1": "ami-093be1d241fe4f400",
"ca-central-1": "ami-07b73495c9189e14c",
"sa-east-1": "ami-02f22e7a3a61b9ad4",
"ap-southeast-1": "ami-0e2676834fdb2722d",
"ap-southeast-2": "ami-0d75289309da084dd",
"eu-central-1": "ami-0ca8f0b74d5fe4b0c",
"us-east-1": "ami-0a21376f8d02ffa2d",
"us-east-2": "ami-0a3fdbf842659345d",
"us-west-1": "ami-0feb167c171099332",
"us-west-2": "ami-0eb50cf5b36982ab5",
}
AWS_opensuseLeap15_4_images = {
"ap-south-1": "ami-0c936741ae62acefd",
"eu-north-1": "ami-06f677915bcf57a3f",
"eu-west-3": "ami-0fcb2baaff359470d",
"eu-west-2": "ami-0d75aefcfe115e1b1",
"eu-west-1": "ami-04c349804a22e1a81",
"ap-northeast-3": "ami-0ce8958d99aded398",
"ap-northeast-2": "ami-0d6202fde5a0672cb",
"ap-northeast-1": "ami-0ad77d12fa9be7d26",
"ca-central-1": "ami-08d3a675ff259e79b",
"sa-east-1": "ami-05c679febf019e22b",
"ap-southeast-1": "ami-0eff8b51447b310c8",
"ap-southeast-2": "ami-0050fc1b597e7e5c7",
"eu-central-1": "ami-04050bb7554762bec",
"us-east-1": "ami-08159a7e0bbb30b75",
"us-east-2": "ami-028019dea1a954aa4",
"us-west-1": "ami-0685f2266425e1dec",
"us-west-2": "ami-02881e3769e7c9ab2"
}
AWS_images = {
"Ubuntu Server 22.04 LTS": AWS_ubuntu22_04_images,
"Ubuntu Server 22.10": AWS_ubuntu22_10_images,
"Debian 10": AWS_debian_10_images,
"Debian 11": AWS_debian_11_images,
"CentOS 7": AWS_centos7_images,
"CentOS 8": AWS_centos8_images,
"CentOS 9": AWS_centos9_images,
"Fedora 37": AWS_fedora37_images,
"Red Hat Enterprise Linux 7.9": AWS_redhat7_9_images,
"Red Hat Enterprise Linux 8.6": AWS_redhat8_6_images,
"Red Hat Enterprise Linux 9.0": AWS_redhat9_images,
"OpenSUSE Leap 15.3": AWS_opensuseLeap15_3_images,
"OpenSUSE Leap 15.4": AWS_opensuseLeap15_4_images
}
AZURE_images = {
"Ubuntu Server 22.04 LTS": "Canonical:0001-com-ubuntu-server-jammy:22_04-lts:22.04.202301050",
"Ubuntu Server 22.10": "Canonical:0001-com-ubuntu-server-kinetic:22_10:22.10.202301040",
"Debian 10": "Debian:debian-11:11:0.20221219.1234",
"Debian 11": "Debian:debian-10:10:0.20221205.1220",
"CentOS 8.4": "OpenLogic:CentOS:8_4:8.4.2021071900",
"CentOS 8.5": "OpenLogic:CentOS:8_5:8.5.2022101800",
"Fedora 36": "ntegralinc1586961136942:ntg_fedora_36:ntg_fedora_36:1.0.1",
"Fedora 37": "ntegralinc1586961136942:ntg_fedora_37:ntg_fedora_37:1.0.0",
"Red Hat Enterprise Linux 8.6": "RedHat:rhel-raw:8_6:8.6.2022052401",
"Red Hat Enterprise Linux 9.1": "RedHat:rhel-raw:9_1:9.1.2022112213",
"OpenSUSE Leap 15.3": "SUSE:opensuse-leap-15-3:gen1:2022.11.04",
"OpenSUSE Leap 15.4": "SUSE:opensuse-leap-15-4:gen1:2022.11.04"
}
# Declare the global variables for the drivers
global gce_driver
global azure_driver
global aws_driver
global providers_quantity
# Get GCE driver
def get_gce_driver():
if SECDEP_GCE_CLIENT_SECRET !="" and SECDEP_GCE_PROJECT_ID !="" and SECDEP_GCE_CLIENT_ID !="":
driver = get_driver(Provider.GCE)
print("Trying to authenticate with google...\n")
return driver(SECDEP_GCE_CLIENT_ID, SECDEP_GCE_CLIENT_SECRET, project=SECDEP_GCE_PROJECT_ID)
# Get Azure driver
def get_azure_driver():
if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="":
driver = get_driver(Provider.AZURE_ARM)
print("Trying to authenticate with azure...\n")
return driver(tenant_id=SECDEP_AZURE_TENANT_ID, subscription_id=SECDEP_AZURE_SUB_ID, key=SECDEP_AZURE_APP_ID, secret=SECDEP_AZURE_PASSWORD)
# Get AWS driver
def get_aws_driver():
if SECDEP_AWS_ACCESS_KEY !="" and SECDEP_AWS_SECRET_KEY !="":
driver = get_driver(Provider.EC2)
print("Trying to authenticate with amazon...\n")
return driver(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY)
# We need to know the quantity to print the loading percentage when getting the list of all the nodes
def get_providers_quantity():
providers_quantity = 0
if SECDEP_GCE_CLIENT_SECRET !="" and SECDEP_GCE_PROJECT_ID !="" and SECDEP_GCE_CLIENT_ID !="":
providers_quantity +=1
if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="":
providers_quantity +=1
if SECDEP_AWS_ACCESS_KEY !="" and SECDEP_AWS_SECRET_KEY !="":
providers_quantity +=1
return providers_quantity
providers_quantity = get_providers_quantity()
gce_driver = get_gce_driver()
azure_driver = get_azure_driver()
aws_driver = get_aws_driver()
# We call this function in almost every other function in order to not keep remaking the driver
def get_corresponding_driver(provider):
global driver
match provider:
case "gce":
driver = gce_driver
case "azure":
driver = azure_driver
case "aws":
driver = aws_driver
case _:
print("Invalid provider")
assert driver is not None, "You need to set all {} environment variables first".format(provider.upper())
return driver
# This function takes a provider arguement and lists all the available sizes
def list_provider_sizes(provider):
print("Getting "+provider+" sizes...")
driver = get_corresponding_driver(provider)
if provider == "aws" or provider == "gce":
sizes = driver.list_sizes(location=None)
sizes = [size for size in sizes if size.ram < 16384]
else:
azlocation = driver.list_locations()[0]
sizes = driver.list_sizes(location=azlocation)
sizes = [size for size in sizes if size.ram < 16384]
count = 0
print("Available "+provider+" sizes")
if provider == "aws":
for size in sizes:
count += 1
print("{}) {}\n\nRam: {}\nDisk: {}\nBandwidth: {}\nPrice: {}\n".format(count, size.name, size.ram, size.disk, size.bandwidth, size.price))
elif provider == "gce":
for size in sizes:
count += 1
print("{}) {}\n\n{}\nPrice: {}\n".format(count, size.name, size.extra['description'], size.price))
else:
for size in sizes:
count += 1
print("{}) {}\n\nRam: {}\nDisk: {}\nPrice: {}\n".format(count, size.name, size.ram, size.disk, size.price))
return sizes
# This function takes a provider arguement and lists all the available locations
def list_provider_locations(provider):
print("Getting "+provider+" locations...")
driver = get_corresponding_driver(provider)
locations = driver.list_locations()
count = 0
print("Available "+provider+" locations")
if provider == "aws":
print("Still loading...")
locations = []
awsLocations = ["ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
for region in awsLocations:
awsdr = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region)
specificAwsLocations = awsdr.list_locations()
for item in specificAwsLocations:
locations.append(item)
for location in locations:
count += 1
print("{}) {}\n\nRegion name: {}\nCountry: {}\n".format(count, location.name, location.availability_zone.region_name, location.country))
else:
for location in locations:
count += 1
print("{}) {}\n\nCountry: {}\n".format(count, location.name, location.country))
return locations
def listAWSregions(list):
count = 0
print("Available aws regions:")
for item in list:
count += 1
print("{}) {}".format(count, item))
return list
# This function lists all available images from the providers.
def list_provider_images(provider,images=None):
driver = get_corresponding_driver(provider)
print("Getting images from " +provider+"...")
if provider == "azure":
images = AZURE_images
elif provider == "aws":
images = AWS_images
else:
images = driver.list_images()
# We filter out the images we do not care about
images = list(filter(lambda x: 'windows' not in x.name.lower() and 'cos' not in x.name.lower() and 'arm64' not in x.name.lower() and 'byos' not in x.name.lower() and 'sap' not in x.name.lower(), images))
count = 0
print("Available "+provider+" images")
if provider == "azure" or provider == "aws":
for image in images:
count += 1
print("{}) {}".format(count, image))
else:
for image in images:
count += 1
print("{}) {}\n\n{}\n".format(count, image.name, image.extra['description']))
return images
# This function gets called in every get function to create a menu for selection
# It takes a list and a list name as arguements to differentiate how we print each one
# It also validates the user input and keeps asking for a valid one unless the user enters 0 to exit
def choose_from_list(listFromlistFunction,listName):
if len(listFromlistFunction) == 0:
print("No items")
exit(0)
if listName == "awsLocation":
printFormat = "{}) {}\n\nRegion name: {}\nCountry: {}\n"
printstring = "print(printFormat.format(count, item.name, item.availability_zone.region_name, item.country))"
elif listName == "azureLocation" or listName == "gceLocation":
printFormat = "{}) {}\n\nCountry: {}\n"
printstring = "print(printFormat.format(count, item.name, item.country))"
elif listName == "awsSize":
printFormat = "{}) {}\n\nRam: {}\nDisk: {}\nBandwidth: {}\nPrice: {}\n"
printstring = "print(printFormat.format(count, item.name, item.ram, item.disk, item.bandwidth, item.price))"
elif listName == "gceSize":
printFormat = "{}) {}\n\n{}\nPrice: {}\n"
printstring = "print(printFormat.format(count, item.name, item.extra['description'], item.price))"
elif listName == "azureSize":
printFormat = "{}) {}\n\nRam: {}\nDisk: {}\nPrice: {}\n"
printstring = "print(printFormat.format(count, item.name, item.ram, item.disk, item.price))"
elif listName == "awsImage" or listName == "azureImage" or listName == "awsRegion" or listName == "aws_region":
printFormat = "{}) {}"
printstring = "print(printFormat.format(count, item))"
elif listName == "gceImage":
printFormat = "{}) {}\n\n{}\n"
printstring = "print(printFormat.format(count, item.name, item.extra['description']))"
elif listName == "node":
printFormat = "{}) {}\n\nState: {}\nPublic IPs: {}\nPrivate IPs: {}\nDriver: {}\nSize: {}\nImage: {}\nCreation Date: {}\nExtra: {}\n"
printstring = "print(printFormat.format(count, item.name, item.state, item.public_ips, item.private_ips, item.driver, item.size, item.image, item.created_at, item.extra))"
compiled_code = compile(printstring,"<string>","exec")
print("Choosing 0 will exit")
choice = input("Choose the "+listName+" you want to use: ")
while True:
try:
choice = int(choice)
if choice > len(listFromlistFunction) or choice < 0:
raise ValueError
elif choice == 0:
return
elif choice == '':
raise ValueError
else:
if listName == "azureImage":
item = list(listFromlistFunction.values())[choice-1]
elif listName == "awsImage":
item = list(listFromlistFunction.values())[choice-1]
print(list(listFromlistFunction)[choice-1])
elif listName == "awsRegion":
item1 = list(listFromlistFunction)[choice-1]
item2 = list(listFromlistFunction.values())[choice-1]
return item1,item2
else:
item = listFromlistFunction[int(choice) - 1]
return item
except ValueError:
count = 0
for item in listFromlistFunction:
count += 1
exec(compiled_code)
print("Invalid choice")
print("Choosing 0 will exit")
choice = input("Choose the "+listName+" you want to use: ")
# This function gets a provider location and returns it
def get_provider_location(provider):
location = choose_from_list(list_provider_locations(provider),provider+"Location")
return location
# This function gets a provider size and returns it
def get_provider_size(provider):
size = choose_from_list(list_provider_sizes(provider),provider+"Size")
return size
# This function asks the user which image he wants to use and returns it
# If the user enters an invalid value, the program will ask again
# If the user enters 0 the program will exit
# For azure, after the user chooses one we take the value which is the image URN
# and use it to get the actual AzureImage
# For aws after we get the image we must select a region to get the ami because
# amis are region specific. Then we get the actual image
# Unlike GCE, the equivalent list_images() function requires NodeLocation as an argument so
# we choose the first available one.
# Without additional arguments like publisher, sku and version it takes rediculously
# long to execute because there are over 3000 images available and the code that retrieves them has about 3 nested for loops.
# That is why we use a dictionary to output the available images. The list does not get updated
# but since the options include very old releases as well it is safe to assume these will also
# be kept as available choices
# Same goes for aws
def get_provider_image(provider):
image = choose_from_list(list_provider_images(provider),provider+"Image")
if provider == "azure":
driver = get_corresponding_driver(provider)
azlocation = driver.list_locations()[0]
if image is not None:
image = driver.get_image(image,location=azlocation)
elif provider == "aws":
if image is not None:
region = choose_from_list(listAWSregions(image),provider+"Region")
if region is not None:
dr = get_driver(Provider.EC2)
correct_driver = dr(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region[0])
image = correct_driver.get_image(region[1])
else:
image = None
return image
# We need the blockPrint and enablePrint functions for when we use the list something ones during the input validation
# and don't actually need to see the lists
def blockPrint():
sys.stdout = open(os.devnull, 'w')
def enablePrint():
sys.stdout = sys.__stdout__
def getAWSRegionFromAmi(ami):
images = AWS_images.values()
for image in images:
if ami in image.values():
return list(image.keys())[list(image.values()).index(ami)]
# This is the most important function of all and uses all the previous ones to validate the input and get the actual objects
def create_node(provider, name=None, location=None, size=None, image=None, confirm=None, deploy=None):
# Get public ssh key value
with open(SECDEP_SSH_PUBLIC_KEY, 'r') as f:
pubkey = f.read()
if provider == "azure":
auth = NodeAuthSSHKey(pubkey)
# Check if name was given and if not prompt the user to give one
if name is None:
name = input("Enter the name of the node: ")
assert name != "", "Name is empty"
name = provider+"-"+name
else:
name = provider+"-"+name
# In the case of aws location has to be None because it is actually derived from the ami (image)
if provider == "aws":
location = None
# print("in aws you first have to choose an image before the location")
else:
# In other cases
# Check if location was given and if not prompt the user to choose
if location is None:
location = get_provider_location(provider)
assert location is not None, "Location is None"
# If it was given, get the list of valid values to compare the imput with
else:
blockPrint()
locations = list_provider_locations(provider)
enablePrint()
locationName = []
for loc in locations:
# gce and aws have the location name under the name tag and azure under the id.
if provider == "gce" or provider == "aws":
locationName.append(loc.name)
else:
locationName.append(loc.id)
# If it was not found prompt the user for selection
if location not in locationName:
print("Invalid Location")
location = get_provider_location(provider)
assert location is not None, "Location is None"
else:
location = locations[locationName.index(location)]
# Check if size was given and if not prompt the user to choose
if size is None:
size = get_provider_size(provider)
assert size is not None, "Size is None"
# If it was given, get the list of valid values to compare the input with
else:
blockPrint()
sizes = list_provider_sizes(provider)
enablePrint()
sizeName = []
for siz in sizes:
sizeName.append(siz.name)
if size not in sizeName:
print("Invalid Size")
size = get_provider_size(provider)
assert size is not None, "Size is None"
else:
size = sizes[sizeName.index(size)]
# Check if image was given and if not prompt the user to choose one
if image is None:
image = get_provider_image(provider)
assert image is not None, "Image is None"
if provider == "aws":
ami = image.id
region = getAWSRegionFromAmi(ami)
dr = get_corresponding_driver(provider)
assert dr is not None, "Driver is not set up correctly"
image = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region).get_image(ami)
else:
blockPrint()
# If provider was aws we must get the list of amis
if provider == "gce":
images = list_provider_images(provider)
elif provider == "azure":
images = AZURE_images.values()
else:
images = AWS_images.values()
enablePrint()
imageName = []
if provider == "gce":
for img in images:
imageName.append(img.name)
elif provider == "azure":
for img in images:
imageName.append(img)
else:
# In the case of aws this is how we get the list of amis
for img in images:
amis = img.values()
for ami in amis:
imageName.append(ami)
if image not in imageName:
print("Invalid Image")
image = get_provider_image(provider)
# If the image given was not in the list of valid values we must get the actual image and the region from the ami to get the correct driver
if provider == "aws":
ami = image.id
region = getAWSRegionFromAmi(ami)
dr = get_corresponding_driver(provider)
assert dr is not None, "Driver is not set up correctly"
image = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region).get_image(ami)
assert image is not None, "Image is None"
else:
# If image was indeed in the list we choose it
if provider == "gce":
image = images[imageName.index(image)]
elif provider == "azure":
driver = get_corresponding_driver(provider)
azlocation = driver.list_locations()[0]
image = driver.get_image(image,location=azlocation)
else:
# but in the case of aws we still need to get the region first
region = getAWSRegionFromAmi(image)
dr = get_corresponding_driver(provider)
assert dr is not None, "Driver is not set up correctly"
image = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region).get_image(image)
# In the case of gce we need to give the sa_scopes and the ex_metadata parameters
if provider == "gce":
sa_scopes = [{"email": "default","scopes": ["cloud-platform"]}]
ex_metadata = metadata = { "items": [{"key": "ssh-keys", "value": "secdep: %s" % (pubkey)}] }
# For any other provider we just get the driver as defined in the get_corresponding_driver function
if provider != "aws":
driver = get_corresponding_driver(provider)
else:
# But for aws we need to get the one matching our derived region from the image selection
dr = get_corresponding_driver(provider)
assert dr is not None, "Driver is not set up correctly"
driver = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region)
# If the user did not input the -y or --yes flag then we output the current choices for a second though
if confirm is False:
print("\nName: %s\n" % (name))
# There is a differentiation between aws and the other providers in region and location
if provider == "aws":
print("\nLocation: %s\n" % (region))
else:
print("\nLocation: %s\n" % (location))
print("\nSize: %s\n" % (size))
print("\nImage: %s\n" % (image))
print("Type yes if you want to confirm your choices")
confirm = input("Continue? ")
# Any input other than yes does not continue the node creation
assert confirm == "yes", "User did not confirm"
if provider == "gce":
gceNodes = driver.list_nodes()
for gceNode in gceNodes:
if gceNode.name == name:
print("A node with that name already exists under this project, please choose another one")
exit(0)
existIn = False
firewalls = driver.ex_list_firewalls()
for firewall in firewalls:
if firewall.name == "allow-all-inbound":
existIn = True
break
if existIn == False:
driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes)
if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
print('harden stdout: %s' % (actualDeployScript.stdout))
print('harden stderr: %s' % (actualDeployScript.stderr))
print('harden exit_code: %s' % (actualDeployScript.exit_status))
else:
node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata)
elif provider == "azure":
print("Keep in mind azure node creation may take a while because we need to create all the needed resources first")
res_groups = driver.ex_list_resource_groups()
for res_group in res_groups:
if res_group.name == name+"-res_group":
print("A resource group with that name already exists, please try a different virtual machine name to differentiate the resource group name")
exit(0)
credential = ClientSecretCredential(client_id=SECDEP_AZURE_APP_ID, client_secret=SECDEP_AZURE_PASSWORD, tenant_id=SECDEP_AZURE_TENANT_ID)
subscription_id = SECDEP_AZURE_SUB_ID
resource_client = ResourceManagementClient(credential, subscription_id)
network_client = NetworkManagementClient(credential, subscription_id)
# Create Resource group using azure sdk since libcloud does not offer that functionality
res_group = resource_client.resource_groups.create_or_update(name+"-res_group", {"location": location.id})
# Create Virtual Network using azure sdk since libcloud does not offer that functionality
poller = network_client.virtual_networks.begin_create_or_update(res_group.name, name+"-vir_net", { "location": location.id, "address_space": {"address_prefixes": ["10.0.0.0/16"]},},)
vir_net = poller.result()
# Create the default subnet using azure sdk since libcloud does not offer that functionality
poller = network_client.subnets.begin_create_or_update(res_group.name, vir_net.name, name+"-subnet", { "address_prefix": "10.0.0.0/24"},)
subnet = poller.result()
# Create Network Security Group
driver.ex_create_network_security_group(name=name+"-sec_group", resource_group=res_group.name, location=location)
# Get the created Virtual Network
networks = driver.ex_list_networks()
for network in networks:
if network.name == vir_net.name:
ex_network = network
break
else:
print("Could not find the virtual network. Maybe it was not created correctly?")
# Get Virtual Network's default subnet we created
subnet = driver.ex_list_subnets(network=ex_network)[0]
# Create public ip
public_ip = driver.ex_create_public_ip(name=name+"-ip", resource_group=res_group.name, location=location, public_ip_allocation_method="Static")
# Create a Virtual Network Interface
network_interface = driver.ex_create_network_interface(name=name+"-nic", subnet=subnet, resource_group=res_group.name, location=location, public_ip=public_ip)
# Get the created Virtual Network Interface
nic = driver.ex_list_nics(resource_group=res_group.name)[0]
# Get the created Network Security Group
sec_group = driver.ex_list_network_security_groups(res_group.name)[0]
# Parameters to associate the Network Security Group to the Virtual Network Interface
params = {"ipConfigurations":[{"name":"myip1","id":nic.id,"type":"Microsoft.Network/networkInterfaces/ipConfigurations","properties":{"provisioningState":"Succeeded","privateIPAddress":"10.0.0.4","privateIPAllocationMethod":"Dynamic","publicIPAddress":{"id":public_ip.id},"subnet":{"id":subnet.id},"primary":"true","privateIPAddressVersion":"IPv4"}}],"dnsSettings":{"dnsServers":[]},"enableAcceleratedNetworking":"false","enableIPForwarding":"false","disableTcpStateTracking":"false","networkSecurityGroup":{"id":sec_group.id},"nicType":"Standard"}
# New Virtual Network Interface associated with the Network Security Group
newnic = driver.ex_update_nic_properties(nic, res_group.name, params)
# Update the Network Security Group's rules to accept connections using azure sdk since libcloud does not offer that functionality
network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllInbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Inbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllOutbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Outbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
# Create the node
if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
print('harden stdout: %s' % (actualDeployScript.stdout))
print('harden stderr: %s' % (actualDeployScript.stderr))
print('harden exit_code: %s' % (actualDeployScript.exit_status))
else:
node = driver.create_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True)
else:
# If provider was aws
# Delete all keys since we are just going to upload the same one for the creation
# This doesn't affect already existing nodes because as we said, it it the same one used for the others
keys = driver.list_key_pairs()
for key in keys:
driver.delete_key_pair(key)
keyname="secdep@"+socket.gethostname()
driver.import_key_pair_from_string(keyname, pubkey)
driver.ex_authorize_security_group_permissive('default')
# since each ami decides on a different admin user name we can't use the create node
# to end up with a secdep user but we have to use the deploy_node function
SCRIPT = '''#!/usr/bin/env bash
sudo useradd -G sudo -s /bin/bash -m secdep
sudo echo "secdep:secdeppass" | sudo chpasswd
sudo mkdir -p /home/secdep/.ssh
[[ -e /root/.ssh/authorized_keys ]] && sudo cp /root/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/admin/.ssh/authorized_keys ]] && sudo cp /home/admin/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/ec2-user/.ssh/authorized_keys ]] && sudo cp /home/ec2-user/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/centos/.ssh/authorized_keys ]] && sudo cp /home/centos/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/fedora/.ssh/authorized_keys ]] && sudo cp /home/fedora/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/ubuntu/.ssh/authorized_keys ]] && sudo cp /home/ubuntu/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
sudo chmod 755 /home
sudo chown secdep:secdep /home/secdep -R
sudo chmod 700 /home/secdep /home/secdep/.ssh
sudo chmod 600 /home/secdep/.ssh/authorized_keys'''
deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True)
if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
msd = MultiStepDeployment([deploy, actualDeployScript])
node = driver.deploy_node(name=name, image=image, size=size, ex_keyname=keyname, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_alternate_usernames=["admin", "ec2-user", "centos", "fedora", "ubuntu"])
print('deploy stdout: %s' % (deploy.stdout))
print('deploy stderr: %s' % (deploy.stderr))
print('deploy exit_code: %s' % (deploy.exit_status))
print('harden stdout: %s' % (actualDeployScript.stdout))
print('harden stderr: %s' % (actualDeployScript.stderr))
print('harden exit_code: %s' % (actualDeployScript.exit_status))
else:
node = driver.deploy_node(name=name, image=image, size=size, ex_keyname=keyname, deploy=deploy, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_alternate_usernames=["admin", "ec2-user", "centos", "fedora", "ubuntu"])
print('deploy stdout: %s' % (deploy.stdout))
print('deploy stderr: %s' % (deploy.stderr))
print('deploy exit_code: %s' % (deploy.exit_status))
else:
# When the -y or --yes parameter is passed we go straight to the node creation
if provider == "gce":
gceNodes = driver.list_nodes()
for gceNode in gceNodes:
if gceNode.name == name:
print("A node with that name already exists under this project, please choose another one")
exit(0)
existIn = False
firewalls = driver.ex_list_firewalls()
for firewall in firewalls:
if firewall.name == "allow-all-inbound":
existIn = True
break
if existIn == False:
driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes)
if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
print('harden stdout: %s' % (actualDeployScript.stdout))
print('harden stderr: %s' % (actualDeployScript.stderr))
print('harden exit_code: %s' % (actualDeployScript.exit_status))
else:
node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata)
elif provider == "azure":
print("Keep in mind azure node creation may take a while because we need to create all the needed resources first")
res_groups = driver.ex_list_resource_groups()
for res_group in res_groups:
if res_group.name == name+"-res_group":
print("A resource group with that name already exists, please try a different virtual machine name to differentiate the resource group name")
exit(0)
credential = ClientSecretCredential(client_id=SECDEP_AZURE_APP_ID, client_secret=SECDEP_AZURE_PASSWORD, tenant_id=SECDEP_AZURE_TENANT_ID)
subscription_id = SECDEP_AZURE_SUB_ID
resource_client = ResourceManagementClient(credential, subscription_id)
network_client = NetworkManagementClient(credential, subscription_id)
# Create Resource group using azure sdk since libcloud does not offer that functionality
res_group = resource_client.resource_groups.create_or_update(name+"-res_group", {"location": location.id})
# Create Virtual Network using azure sdk since libcloud does not offer that functionality
poller = network_client.virtual_networks.begin_create_or_update(res_group.name, name+"-vir_net", { "location": location.id, "address_space": {"address_prefixes": ["10.0.0.0/16"]},},)
vir_net = poller.result()
# Create the default subnet using azure sdk since libcloud does not offer that functionality
poller = network_client.subnets.begin_create_or_update(res_group.name, vir_net.name, name+"-subnet", { "address_prefix": "10.0.0.0/24"},)
subnet = poller.result()
# Create Network Security Group
driver.ex_create_network_security_group(name=name+"-sec_group", resource_group=res_group.name, location=location)
# Get the created Virtual Network
networks = driver.ex_list_networks()
for network in networks:
if network.name == vir_net.name:
ex_network = network
break
else:
print("Could not find the virtual network. Maybe it was not created correctly?")
# Get Virtual Network's default subnet we created
subnet = driver.ex_list_subnets(network=ex_network)[0]
# Create public ip
public_ip = driver.ex_create_public_ip(name=name+"-ip", resource_group=res_group.name, location=location, public_ip_allocation_method="Static")
# Create a Virtual Network Interface
network_interface = driver.ex_create_network_interface(name=name+"-nic", subnet=subnet, resource_group=res_group.name, location=location, public_ip=public_ip)
# Get the created Virtual Network Interface
nic = driver.ex_list_nics(resource_group=res_group.name)[0]
# Get the created Network Security Group
sec_group = driver.ex_list_network_security_groups(res_group.name)[0]
# Parameters to associate the Network Security Group to the Virtual Network Interface
params = {"ipConfigurations":[{"name":"myip1","id":nic.id,"type":"Microsoft.Network/networkInterfaces/ipConfigurations","properties":{"provisioningState":"Succeeded","privateIPAddress":"10.0.0.4","privateIPAllocationMethod":"Dynamic","publicIPAddress":{"id":public_ip.id},"subnet":{"id":subnet.id},"primary":"true","privateIPAddressVersion":"IPv4"}}],"dnsSettings":{"dnsServers":[]},"enableAcceleratedNetworking":"false","enableIPForwarding":"false","disableTcpStateTracking":"false","networkSecurityGroup":{"id":sec_group.id},"nicType":"Standard"}
# New Virtual Network Interface associated with the Network Security Group
newnic = driver.ex_update_nic_properties(nic, res_group.name, params)
# Update the Network Security Group's rules to accept connections using azure sdk since libcloud does not offer that functionality
network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllInbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Inbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllOutbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Outbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
# Create the node
if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
print('harden stdout: %s' % (actualDeployScript.stdout))
print('harden stderr: %s' % (actualDeployScript.stderr))
print('harden exit_code: %s' % (actualDeployScript.exit_status))
else:
node = driver.create_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True)
else:
# If provider was aws
# Delete all keys since we are just going to upload the same one for the creation
# This doesn't affect already existing nodes because as we said, it it the same one used for the others
keys = driver.list_key_pairs()
for key in keys:
driver.delete_key_pair(key)
keyname="secdep@"+socket.gethostname()
driver.import_key_pair_from_string(keyname, pubkey)
driver.ex_authorize_security_group_permissive('default')
# since each ami decides on a different admin user name we can't use the create node
# to end up with a secdep user but we have to use the deploy_node function
SCRIPT = '''#!/usr/bin/env bash
sudo useradd -G sudo -s /bin/bash -m secdep
sudo echo "secdep:secdeppass" | sudo chpasswd
sudo mkdir -p /home/secdep/.ssh
[[ -e /root/.ssh/authorized_keys ]] && sudo cp /root/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/admin/.ssh/authorized_keys ]] && sudo cp /home/admin/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/ec2-user/.ssh/authorized_keys ]] && sudo cp /home/ec2-user/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/centos/.ssh/authorized_keys ]] && sudo cp /home/centos/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/fedora/.ssh/authorized_keys ]] && sudo cp /home/fedora/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
[[ -e /home/ubuntu/.ssh/authorized_keys ]] && sudo cp /home/ubuntu/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
sudo chmod 755 /home
sudo chown secdep:secdep /home/secdep -R
sudo chmod 700 /home/secdep /home/secdep/.ssh
sudo chmod 600 /home/secdep/.ssh/authorized_keys'''
deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True)
if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
msd = MultiStepDeployment([deploy, actualDeployScript])
node = driver.deploy_node(name=name, image=image, size=size, ex_keyname=keyname, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_alternate_usernames=["admin", "ec2-user", "centos", "fedora", "ubuntu"])
print('deploy stdout: %s' % (deploy.stdout))
print('deploy stderr: %s' % (deploy.stderr))
print('deploy exit_code: %s' % (deploy.exit_status))
print('harden stdout: %s' % (actualDeployScript.stdout))
print('harden stderr: %s' % (actualDeployScript.stderr))
print('harden exit_code: %s' % (actualDeployScript.exit_status))
else:
node = driver.deploy_node(name=name, image=image, size=size, ex_keyname=keyname, deploy=deploy, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_alternate_usernames=["admin", "ec2-user", "centos", "fedora", "ubuntu"])
print('deploy stdout: %s' % (deploy.stdout))
print('deploy stderr: %s' % (deploy.stderr))
print('deploy exit_code: %s' % (deploy.exit_status))
print(node.name + " created successfully")
print("Node is initializing")
print("ip to connect to")
print("\nIP: %s" % (node.public_ips[0]))
print("\nssh command: ssh -i %s secdep@%s\n" % (SECDEP_SSH_PRIVATE_KEY, node.public_ips[0]))
print("If you ever change the port adjust the command accordingly")
return node
def list_all_nodes(provider, filterIn=None, awsRegion=None):
print("Getting all nodes...")
print("Loading 0%...")
nodes = []
if provider is None:
if SECDEP_GCE_CLIENT_ID != "":
print("Getting GCE nodes...")
driver = get_corresponding_driver("gce")
gceNodes = driver.list_nodes()
if len(gceNodes) > 0:
for node in gceNodes:
nodes.append(node)
print("Loading %s%%..." % (int((1/providers_quantity)*100)))
else:
print("Skipping gce")
if SECDEP_AZURE_APP_ID != "":
print("Getting AZURE nodes...")
driver2 = get_corresponding_driver("azure")
azureNodes = driver2.list_nodes()
if len(azureNodes) > 0:
for node in azureNodes:
nodes.append(node)
print("Loading %s%%..." % (int((2/providers_quantity)*100)))
else:
print("Skipping azure")
if SECDEP_AWS_ACCESS_KEY != "":
driver3 = get_corresponding_driver("aws")
print("Getting AWS nodes...")
awsLocations = ["ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
for region in awsLocations:
driver3 = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region)
# make it so it tries all drivers
awsNodes = driver3.list_nodes()
if len(awsNodes) > 0:
for node in awsNodes:
nodes.append(node)
print("Loading %s%%..." % (int((3/providers_quantity)*100)))
else:
print("Skipping aws")
elif provider == "gce":
if SECDEP_GCE_CLIENT_ID != "":
print("Getting GCE nodes...")
driver = get_corresponding_driver("gce")
gceNodes = driver.list_nodes()
if len(gceNodes) > 0:
for node in gceNodes:
nodes.append(node)
print("Loading %s%%..." % (int((1/providers_quantity)*100)))
else:
print("Skipping gce")
elif provider == "azure":
if SECDEP_AZURE_APP_ID != "":
print("Getting AZURE nodes...")
driver2 = get_corresponding_driver("azure")
azureNodes = driver2.list_nodes()
if len(azureNodes) > 0:
for node in azureNodes:
nodes.append(node)
print("Loading %s%%..." % (int((2/providers_quantity)*100)))
else:
print("Skipping azure")
elif provider == "aws":
if SECDEP_AWS_ACCESS_KEY != "":
driver3 = get_corresponding_driver("aws")
print("Getting AWS nodes...")
awsLocations = ["ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
if awsRegion is None:
for region in awsLocations:
driver3 = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region)
# make it so it tries all drivers
awsNodes = driver3.list_nodes()
if len(awsNodes) > 0:
for node in awsNodes:
nodes.append(node)
else:
if awsRegion not in awsLocations:
print("Invalid region")
awsRegion = choose_from_list(listAWSregions(awsLocations),"aws_region")
assert awsRegion is not None, "You chose an invalid aws region so we can't continue unless you choose a corect one"
driver3 = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=awsRegion)
awsNodes = driver3.list_nodes()
if len(awsNodes) > 0:
for node in awsNodes:
nodes.append(node)
print("Loading %s%%..." % (int((3/providers_quantity)*100)))
else:
print("Skipping aws")
count = 0
if len(nodes) == 0:
print("No nodes")
exit(0)
# available states: running, rebooting, terminated, pending, stopped, suspended, paused, erro, unknown
# for delete
if filterIn == "delete":
nodes = list(filter(lambda x: 'running' in x.state.lower() or 'rebooting' in x.state.lower() or 'stopped' in x.state.lower() or 'suspended' in x.state.lower() or 'paused' in x.state.lower(), nodes))
# for start
if filterIn == "start":
nodes = list(filter(lambda x: 'stopped' in x.state.lower() or 'suspended' in x.state.lower() or 'paused' in x.state.lower(), nodes))
# for stop
if filterIn == "stop":
nodes = list(filter(lambda x: 'running' in x.state.lower() or 'rebooting' in x.state.lower(), nodes))
# for reboot
if filterIn == "reboot":
nodes = list(filter(lambda x: 'running' in x.state.lower() or 'suspended' in x.state.lower() or 'paused' in x.state.lower(), nodes))
for node in nodes:
count += 1
print("{}) {}\n\nState: {}\nPublic IPs: {}\nPrivate IPs: {}\nDriver: {}\nSize: {}\nImage: {}\nCreation Date: {}\nExtra: {}\n".format(count, node.name, node.state, node.public_ips, node.private_ips, node.driver, node.size, node.image, node.created_at, node.extra))
return nodes
def get_node(provider, awsRegion=None):
node = choose_from_list(list_all_nodes(provider, None, awsRegion), "node")
return node
def node_action(action, provider, awsRegion=None):
node = choose_from_list(list_all_nodes(provider, action, awsRegion), "node")
if node is None:
print("Nothing was chosen")
exit(0)
providerName = node.name.split("-")[0]
if providerName == "gce":
driver = get_corresponding_driver("gce")
elif providerName == "azure":
driver = get_corresponding_driver("azure")
node_name = node.name
credential = ClientSecretCredential(client_id=SECDEP_AZURE_APP_ID, client_secret=SECDEP_AZURE_PASSWORD, tenant_id=SECDEP_AZURE_TENANT_ID)
subscription_id = SECDEP_AZURE_SUB_ID
resource_client = ResourceManagementClient(credential, subscription_id)
network_client = NetworkManagementClient(credential, subscription_id)
elif providerName == "aws":
driver = get_corresponding_driver("aws")
assert driver is not None, "Driver is not set up correctly"
region = getAWSRegionFromAmi(node.extra['image_id'])
driver = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region)
match action:
case "reboot":
succeded = driver.reboot_node(node)
case "stop":
succeded = driver.stop_node(node)
case "start":
succeded = driver.start_node(node)
case "delete":
succeded = driver.destroy_node(node)
case _:
print("Invalid action command")
exit(0)
if(succeded):
print("%s node %s -> successful" % (providerName.upper(), action))
else:
print("%s node %s -> failed" % (providerName.upper(), action))
if providerName == "azure" and action == "delete":
print("Deleting the corresponding resource group may take a while")
poller = resource_client.resource_groups.begin_delete(node_name+"-res_group")
result = poller.result()
def node_action_all(action, provider, awsRegion=None):
string = action[:-3]
nodes = list_all_nodes(provider, string, awsRegion)
node_name = ""
for node in nodes:
providerName = node.name.split("-")[0]
if providerName == "gce":
driver = get_corresponding_driver("gce")
elif providerName == "azure":
driver = get_corresponding_driver("azure")
node_name = node.name
credential = ClientSecretCredential(client_id=SECDEP_AZURE_APP_ID, client_secret=SECDEP_AZURE_PASSWORD, tenant_id=SECDEP_AZURE_TENANT_ID)
subscription_id = SECDEP_AZURE_SUB_ID
resource_client = ResourceManagementClient(credential, subscription_id)
network_client = NetworkManagementClient(credential, subscription_id)
elif providerName == "aws":
driver = get_corresponding_driver("aws")
assert driver is not None, "Driver is not set up correctly"
region = getAWSRegionFromAmi(node.extra['image_id'])
driver = get_driver(Provider.EC2)(SECDEP_AWS_ACCESS_KEY, SECDEP_AWS_SECRET_KEY, region=region)
match action:
case "rebootall":
succeded = driver.reboot_node(node)
case "stopall":
succeded = driver.stop_node(node)
case "startall":
succeded = driver.start_node(node)
case "deleteall":
succeded = driver.destroy_node(node)
case _:
print("Invalid action command")
exit(0)
if(succeded):
print("%s node %s -> successful" % (node.name, string))
else:
print("%s node %s -> failed" % (node.name, string))
if providerName == "azure" and action == "delete":
print("Deleting the corresponding resource group may take a while")
poller = resource_client.resource_groups.begin_delete(node_name+"-res_group")
result = poller.result()
def ssh(provider, port=None, awsRegion=None):
node = choose_from_list(list_all_nodes(provider,"stop",awsRegion), "node")
ip = node.public_ips[0]
if port is None:
port = 22
else:
port = port
username = "secdep"
sshkey = SECDEP_SSH_PRIVATE_KEY
ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(ip, port=port, username=username, key_filename=sshkey)
channel = ssh.get_transport()
if channel is not None:
channel = channel.open_session()
channel.get_pty()
channel.invoke_shell()
while True:
command = input('$> ')
if command == 'exit': break
channel.send((command + "\n").encode())
while True:
if channel.recv_ready():
output = channel.recv(1024)
print(output.decode())
else:
time.sleep(0.5)
if not(channel.recv_ready()):
break
ssh.close()
if args.awsregion and args.provider != "aws":
print("AWS region flag as the name suggests only goes with the aws provider")
exit(0)
# If -I -S or -G is passed, provider must be passed as well
if args.listimages or args.listsizes or args.listlocations:
assert args.provider is not None, "Provider must be passed if listing images, sizes or locations"
if args.listimages and args.provider:
# If -I or --listimages is passed, call the list_provider_images function
if args.print:
print(get_provider_image(args.provider))
else:
list_provider_images(args.provider)
exit(0)
if args.listsizes and args.provider:
# If -S or --listsizes is passed, call the list_provider_sizes function
if args.print:
print(get_provider_size(args.provider))
else:
list_provider_sizes(args.provider)
exit(0)
if args.listlocations and args.provider:
# If -G or --listlocations is passed, call the list_provider_locations function
if args.print:
print(get_provider_location(args.provider))
else:
list_provider_locations(args.provider)
exit(0)
if args.create:
assert args.provider is not None, "Provider must be specified for node creation"
# If -c or --create is passed, call the create_node function
create_node(args.provider, args.name, args.region, args.size, args.image, args.yes, args.deploy)
exit(0)
if args.list:
if args.print:
print(get_node(args.provider, args.awsregion))
else:
list_all_nodes(args.provider, None, args.awsregion)
exit(0)
# If args.action contains the word all execute the node_action_all function, otherwise the node_action function
if args.action:
if(args.action.endswith("all")):
node_action_all(args.action, args.provider, args.awsregion)
else:
node_action(args.action, args.provider, args.awsregion)
exit(0)
if args.ssh:
ssh(args.provider, args.port, args.awsregion)
exit(0)
if args.image or args.size or args.name or args.region or args.yes or args.deploy and not args.create:
print("Image, size, name, region, yes and deploy parameters only go along with the create flag")
exit(0)
if args.print and not args.list or args.listimages or args.listsizes or args.listlocations:
print("The print flag only goes together with the list, list images, list sizes or list locations")
exit(0)
if args.port and not args.ssh:
print("The port flag only goes with the ssh flag")
exit(0)
Reference in New Issue View Git Blame Copy Permalink