packer-cn/builder/amazon/common/step_security_group.go

package common

import (
	"fmt"
	"log"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/private/waiter"
	"github.com/aws/aws-sdk-go/service/ec2"
	"github.com/mitchellh/multistep"
	"github.com/mitchellh/packer/common/uuid"
	"github.com/mitchellh/packer/helper/communicator"
	"github.com/mitchellh/packer/packer"
)

type StepSecurityGroup struct {
	CommConfig       *communicator.Config
	SecurityGroupIds []string
	VpcId            string

	createdGroupId string
}

func (s *StepSecurityGroup) Run(state multistep.StateBag) multistep.StepAction {
	ec2conn := state.Get("ec2").(*ec2.EC2)
	ui := state.Get("ui").(packer.Ui)

	if len(s.SecurityGroupIds) > 0 {
		_, err := ec2conn.DescribeSecurityGroups(
			&ec2.DescribeSecurityGroupsInput{
				GroupIds: aws.StringSlice(s.SecurityGroupIds),
			},
		)
		if err != nil {
			err := fmt.Errorf("Couldn't find specified security group: %s", err)
			log.Printf("[DEBUG] %s", err.Error())
			state.Put("error", err)
			return multistep.ActionHalt
		}
		log.Printf("Using specified security groups: %v", s.SecurityGroupIds)
		state.Put("securityGroupIds", s.SecurityGroupIds)
		return multistep.ActionContinue
	}

	port := s.CommConfig.Port()
	if port == 0 {
		panic("port must be set to a non-zero value.")
	}

	// Create the group
	ui.Say("Creating temporary security group for this instance...")
	groupName := fmt.Sprintf("packer %s", uuid.TimeOrderedUUID())
	log.Printf("Temporary group name: %s", groupName)
	group := &ec2.CreateSecurityGroupInput{
		GroupName:   &groupName,
		Description: aws.String("Temporary group for Packer"),
		VpcId:       &s.VpcId,
	}
	groupResp, err := ec2conn.CreateSecurityGroup(group)
	if err != nil {
		ui.Error(err.Error())
		state.Put("error", err)
		return multistep.ActionHalt
	}

	// Set the group ID so we can delete it later
	s.createdGroupId = *groupResp.GroupId

	// Authorize the SSH access for the security group
	req := &ec2.AuthorizeSecurityGroupIngressInput{
		GroupId:    groupResp.GroupId,
		IpProtocol: aws.String("tcp"),
		FromPort:   aws.Int64(int64(port)),
		ToPort:     aws.Int64(int64(port)),
		CidrIp:     aws.String("0.0.0.0/0"),
	}

	// We loop and retry this a few times because sometimes the security
	// group isn't available immediately because AWS resources are eventaully
	// consistent.
	ui.Say(fmt.Sprintf(
		"Authorizing access to port %d the temporary security group...",
		port))
	for i := 0; i < 5; i++ {
		_, err = ec2conn.AuthorizeSecurityGroupIngress(req)
		if err == nil {
			break
		}

		log.Printf("Error authorizing. Will sleep and retry. %s", err)
		time.Sleep((time.Duration(i) * time.Second) + 1)
	}

	if err != nil {
		err := fmt.Errorf("Error creating temporary security group: %s", err)
		state.Put("error", err)
		ui.Error(err.Error())
		return multistep.ActionHalt
	}

	log.Printf("[DEBUG] Waiting for temporary security group: %s", s.createdGroupId)
	err = waitUntilSecurityGroupExists(ec2conn,
		&ec2.DescribeSecurityGroupsInput{
			GroupIds: []*string{aws.String(s.createdGroupId)},
		},
	)
	if err == nil {
		log.Printf("[DEBUG] Found security group %s", s.createdGroupId)
	} else {
		err := fmt.Errorf("Timed out waiting for security group %s: %s", s.createdGroupId, err)
		log.Printf("[DEBUG] %s", err.Error())
		state.Put("error", err)
		return multistep.ActionHalt
	}

	// Set some state data for use in future steps
	state.Put("securityGroupIds", []string{s.createdGroupId})

	return multistep.ActionContinue
}

func (s *StepSecurityGroup) Cleanup(state multistep.StateBag) {
	if s.createdGroupId == "" {
		return
	}

	ec2conn := state.Get("ec2").(*ec2.EC2)
	ui := state.Get("ui").(packer.Ui)

	ui.Say("Deleting temporary security group...")

	var err error
	for i := 0; i < 5; i++ {
		_, err = ec2conn.DeleteSecurityGroup(&ec2.DeleteSecurityGroupInput{GroupId: &s.createdGroupId})
		if err == nil {
			break
		}

		log.Printf("Error deleting security group: %s", err)
		time.Sleep(5 * time.Second)
	}

	if err != nil {
		ui.Error(fmt.Sprintf(
			"Error cleaning up security group. Please delete the group manually: %s", s.createdGroupId))
	}
}

func waitUntilSecurityGroupExists(c *ec2.EC2, input *ec2.DescribeSecurityGroupsInput) error {
	waiterCfg := waiter.Config{
		Operation:   "DescribeSecurityGroups",
		Delay:       15,
		MaxAttempts: 40,
		Acceptors: []waiter.WaitAcceptor{
			{
				State:    "success",
				Matcher:  "path",
				Argument: "length(SecurityGroups[]) > `0`",
				Expected: true,
			},
			{
				State:    "retry",
				Matcher:  "error",
				Argument: "",
				Expected: "InvalidGroup.NotFound",
			},
			{
				State:    "retry",
				Matcher:  "error",
				Argument: "",
				Expected: "InvalidSecurityGroupID.NotFound",
			},
		},
	}

	w := waiter.Waiter{
		Client: c,
		Input:  input,
		Config: waiterCfg,
	}
	return w.Wait()
}
builder/amazon: extract StepSecurityGroup 2013-07-20 22:50:55 -04:00			`package common`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00
			`import (`
			`"fmt"`
Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`"log"`
			`"time"`

Migrate to new AWS repo 2015-06-03 17:13:52 -04:00			`"github.com/aws/aws-sdk-go/aws"`
builder/amazon: fix when using security_group_id If `security_group_id` was specified with a group that didn't exist, packer would go into an infinite loop waiting for it. We shouldn't make assumptions about the status of explicitely set security groups, so let's just error out right away if we can't find it. 2017-01-18 18:11:52 -05:00			`"github.com/aws/aws-sdk-go/private/waiter"`
Migrate to new AWS repo 2015-06-03 17:13:52 -04:00			`"github.com/aws/aws-sdk-go/service/ec2"`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`"github.com/mitchellh/multistep"`
Remove dependency on identifier package, use time ordered UUID [GH-541] 2013-10-16 22:21:14 -04:00			`"github.com/mitchellh/packer/common/uuid"`
builder/amazon: various fixes (minor) to get things going 2015-06-14 02:12:59 -04:00			`"github.com/mitchellh/packer/helper/communicator"`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`"github.com/mitchellh/packer/packer"`
			`)`

builder/amazon: extract StepSecurityGroup 2013-07-20 22:50:55 -04:00			`type StepSecurityGroup struct {`
builder/amazon: various fixes (minor) to get things going 2015-06-14 02:12:59 -04:00			`CommConfig *communicator.Config`
builder/amazon: instances can be launched with a list of security groups 2013-10-02 13:52:16 -04:00			`SecurityGroupIds []string`
			`VpcId string`
builder/amazon: extract StepSecurityGroup 2013-07-20 22:50:55 -04:00
			`createdGroupId string`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`}`

builder/amazon/chroot: new multistep API 2013-08-31 15:58:55 -04:00			`func (s *StepSecurityGroup) Run(state multistep.StateBag) multistep.StepAction {`
			`ec2conn := state.Get("ec2").(*ec2.EC2)`
			`ui := state.Get("ui").(packer.Ui)`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00
builder/amazon: instances can be launched with a list of security groups 2013-10-02 13:52:16 -04:00			`if len(s.SecurityGroupIds) > 0 {`
verify given security group 2017-01-18 18:25:31 -05:00			`_, err := ec2conn.DescribeSecurityGroups(`
			`&ec2.DescribeSecurityGroupsInput{`
			`GroupIds: aws.StringSlice(s.SecurityGroupIds),`
			`},`
			`)`
			`if err != nil {`
			`err := fmt.Errorf("Couldn't find specified security group: %s", err)`
			`log.Printf("[DEBUG] %s", err.Error())`
			`state.Put("error", err)`
			`return multistep.ActionHalt`
			`}`
builder/amazon: instances can be launched with a list of security groups 2013-10-02 13:52:16 -04:00			`log.Printf("Using specified security groups: %v", s.SecurityGroupIds)`
			`state.Put("securityGroupIds", s.SecurityGroupIds)`
Adding the ability to specify a security_group_id for the amazonebs builder 2013-07-09 11:57:21 -04:00			`return multistep.ActionContinue`
			`}`

builder/amazon: various fixes (minor) to get things going 2015-06-14 02:12:59 -04:00			`port := s.CommConfig.Port()`
			`if port == 0 {`
			`panic("port must be set to a non-zero value.")`
builder/amazon/common: panic if SSHPot is 0 2013-07-20 22:51:25 -04:00			`}`

builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`// Create the group`
			`ui.Say("Creating temporary security group for this instance...")`
Remove dependency on identifier package, use time ordered UUID [GH-541] 2013-10-16 22:21:14 -04:00			`groupName := fmt.Sprintf("packer %s", uuid.TimeOrderedUUID())`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`log.Printf("Temporary group name: %s", groupName)`
Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`group := &ec2.CreateSecurityGroupInput{`
			`GroupName: &groupName,`
			`Description: aws.String("Temporary group for Packer"),`
Update calls to amazon to match the upstream - see http://aws.amazon.com/releasenotes/2948141298714307 - run awsmigrate-renamer on each amazon module (chroot, instance, etc.) 2015-08-17 20:44:01 -04:00			`VpcId: &s.VpcId,`
builder/amazon/*: Fix failing tests from rebase of VPC 2013-07-22 01:46:11 -04:00			`}`
			`groupResp, err := ec2conn.CreateSecurityGroup(group)`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`if err != nil {`
			`ui.Error(err.Error())`
Report error code during Temporary Security Group creation (#2021) 2015-04-06 22:11:34 -04:00			`state.Put("error", err)`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`return multistep.ActionHalt`
			`}`

			`// Set the group ID so we can delete it later`
Update calls to amazon to match the upstream - see http://aws.amazon.com/releasenotes/2948141298714307 - run awsmigrate-renamer on each amazon module (chroot, instance, etc.) 2015-08-17 20:44:01 -04:00			`s.createdGroupId = *groupResp.GroupId`
Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00
			`// Authorize the SSH access for the security group`
			`req := &ec2.AuthorizeSecurityGroupIngressInput{`
Update calls to amazon to match the upstream - see http://aws.amazon.com/releasenotes/2948141298714307 - run awsmigrate-renamer on each amazon module (chroot, instance, etc.) 2015-08-17 20:44:01 -04:00			`GroupId: groupResp.GroupId,`
			`IpProtocol: aws.String("tcp"),`
Updated AWS SDK calls to match the 0.7.0 release of the AWS SDK 2015-07-28 20:10:21 -04:00			`FromPort: aws.Int64(int64(port)),`
			`ToPort: aws.Int64(int64(port)),`
Update calls to amazon to match the upstream - see http://aws.amazon.com/releasenotes/2948141298714307 - run awsmigrate-renamer on each amazon module (chroot, instance, etc.) 2015-08-17 20:44:01 -04:00			`CidrIp: aws.String("0.0.0.0/0"),`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`}`

comments 2013-12-28 12:04:15 -05:00			`// We loop and retry this a few times because sometimes the security`
			`// group isn't available immediately because AWS resources are eventaully`
			`// consistent.`
builder/amazon: various fixes (minor) to get things going 2015-06-14 02:12:59 -04:00			`ui.Say(fmt.Sprintf(`
			`"Authorizing access to port %d the temporary security group...",`
			`port))`
builder/amazon: handle cases when amazon SG isn't available [GH-494] 2013-12-28 12:03:22 -05:00			`for i := 0; i < 5; i++ {`
Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`_, err = ec2conn.AuthorizeSecurityGroupIngress(req)`
builder/amazon: handle cases when amazon SG isn't available [GH-494] 2013-12-28 12:03:22 -05:00			`if err == nil {`
			`break`
			`}`

			`log.Printf("Error authorizing. Will sleep and retry. %s", err)`
			`time.Sleep((time.Duration(i) * time.Second) + 1)`
			`}`

			`if err != nil {`
builder/amazonebs: Return proper errors 2013-06-19 23:54:02 -04:00			`err := fmt.Errorf("Error creating temporary security group: %s", err)`
builder/amazon/chroot: new multistep API 2013-08-31 15:58:55 -04:00			`state.Put("error", err)`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`ui.Error(err.Error())`
			`return multistep.ActionHalt`
			`}`

builder/amazon: fix when using security_group_id If `security_group_id` was specified with a group that didn't exist, packer would go into an infinite loop waiting for it. We shouldn't make assumptions about the status of explicitely set security groups, so let's just error out right away if we can't find it. 2017-01-18 18:11:52 -05:00			`log.Printf("[DEBUG] Waiting for temporary security group: %s", s.createdGroupId)`
			`err = waitUntilSecurityGroupExists(ec2conn,`
			`&ec2.DescribeSecurityGroupsInput{`
			`GroupIds: []*string{aws.String(s.createdGroupId)},`
			`},`
			`)`
			`if err == nil {`
			`log.Printf("[DEBUG] Found security group %s", s.createdGroupId)`
			`} else {`
			`err := fmt.Errorf("Timed out waiting for security group %s: %s", s.createdGroupId, err)`
			`log.Printf("[DEBUG] %s", err.Error())`
			`state.Put("error", err)`
			`return multistep.ActionHalt`
			`}`

builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`// Set some state data for use in future steps`
builder/amazon: instances can be launched with a list of security groups 2013-10-02 13:52:16 -04:00			`state.Put("securityGroupIds", []string{s.createdGroupId})`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00
			`return multistep.ActionContinue`
			`}`

builder/amazon/chroot: new multistep API 2013-08-31 15:58:55 -04:00			`func (s *StepSecurityGroup) Cleanup(state multistep.StateBag) {`
builder/amazon: extract StepSecurityGroup 2013-07-20 22:50:55 -04:00			`if s.createdGroupId == "" {`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`return`
			`}`

builder/amazon/chroot: new multistep API 2013-08-31 15:58:55 -04:00			`ec2conn := state.Get("ec2").(*ec2.EC2)`
			`ui := state.Get("ui").(packer.Ui)`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00
			`ui.Say("Deleting temporary security group...")`
builder/amazon/common: retry deleting security group [GH-278] 2013-08-12 16:34:55 -04:00
			`var err error`
			`for i := 0; i < 5; i++ {`
Update calls to amazon to match the upstream - see http://aws.amazon.com/releasenotes/2948141298714307 - run awsmigrate-renamer on each amazon module (chroot, instance, etc.) 2015-08-17 20:44:01 -04:00			`_, err = ec2conn.DeleteSecurityGroup(&ec2.DeleteSecurityGroupInput{GroupId: &s.createdGroupId})`
builder/amazon/common: correct logic in deleting secutiry group 2013-08-12 16:43:52 -04:00			`if err == nil {`
			`break`
builder/amazon/common: retry deleting security group [GH-278] 2013-08-12 16:34:55 -04:00			`}`
builder/amazon/common: correct logic in deleting secutiry group 2013-08-12 16:43:52 -04:00
			`log.Printf("Error deleting security group: %s", err)`
			`time.Sleep(5 * time.Second)`
builder/amazon/common: retry deleting security group [GH-278] 2013-08-12 16:34:55 -04:00			`}`

builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`if err != nil {`
			`ui.Error(fmt.Sprintf(`
builder/amazon: extract StepSecurityGroup 2013-07-20 22:50:55 -04:00			`"Error cleaning up security group. Please delete the group manually: %s", s.createdGroupId))`
builder/amazonebs: Create temporary security group as well 2013-06-11 17:37:10 -04:00			`}`
			`}`
builder/amazon: fix when using security_group_id If `security_group_id` was specified with a group that didn't exist, packer would go into an infinite loop waiting for it. We shouldn't make assumptions about the status of explicitely set security groups, so let's just error out right away if we can't find it. 2017-01-18 18:11:52 -05:00
			`func waitUntilSecurityGroupExists(c ec2.EC2, input ec2.DescribeSecurityGroupsInput) error {`
			`waiterCfg := waiter.Config{`
			`Operation: "DescribeSecurityGroups",`
			`Delay: 15,`
			`MaxAttempts: 40,`
			`Acceptors: []waiter.WaitAcceptor{`
			`{`
			`State: "success",`
			`Matcher: "path",`
			Argument: "length(SecurityGroups[]) > `0`",
			`Expected: true,`
			`},`
			`{`
			`State: "retry",`
			`Matcher: "error",`
			`Argument: "",`
			`Expected: "InvalidGroup.NotFound",`
			`},`
			`{`
			`State: "retry",`
			`Matcher: "error",`
			`Argument: "",`
			`Expected: "InvalidSecurityGroupID.NotFound",`
			`},`
			`},`
			`}`

			`w := waiter.Waiter{`
			`Client: c,`
			`Input: input,`
			`Config: waiterCfg,`
			`}`
			`return w.Wait()`
			`}`