小工具解决的问题:
由于安全组不能垮Region,当一个Region中的安全组比较好,我们在另一个Region中也想使用同样的规则时,通过这个小工具实现安全组约束的拷贝。数量限制:
每个用户最多可创建100个安全组每个用户最多创建指定个数VPC都拷贝了什么:
安全组 :Name,IpProtocol,PortRange,SourceGroupOwnerAccount,Priority,SourceGroupId,SourceCidrIp,Policy,NicType所属VPC :Name,UserCidrs,CidrBlock,Description如何使用:
公共参数设置:(1)填写Access Key Id 和 Secrect。(2)regionIdLocal:被复制的regionId。(3)securityGroupIdLocal:regionIdLocal中被复制的安全组Id。(4)regionId:要复制到的regionId。复制classic类型安全组,直接运行。复制vpc类型安全组,当isVpcKeepSame为True,表示复制的安全组所属的VPC也是相似的。本工具首先根据UserCidrs和CidrBlock在新Region中查找是否有相似的VPC,如果找到,就把安全组复制到这个VPC中,如果没找到,根据原始Region中VPC创建类似的VPC,然后复制安全组,当isVpcKeepSame为False,直接在新Region中查找Available状态VPC,然后复制安全组,如果没有找到,新建VPC。 # coding=utf-8 # if the python sdk is not install using 'sudo pip install aliyun-python-sdk-ecs' # if the python sdk is install using 'sudo pip install --upgrade aliyun-python-sdk-ecs' # make sure the sdk version is 2.1.2, you can use command 'pip show aliyun-python-sdk-ecs' to check import json import logging import time from aliyunsdkcore import client from aliyunsdkecs.request.v20140526.AuthorizeSecurityGroupRequest import \ AuthorizeSecurityGroupRequest from aliyunsdkecs.request.v20140526.DescribeSecurityGroupAttributeRequest import \ DescribeSecurityGroupAttributeRequest from aliyunsdkecs.request.v20140526.CreateSecurityGroupRequest import \ CreateSecurityGroupRequest from aliyunsdkecs.request.v20140526.CreateVpcRequest import CreateVpcRequest from aliyunsdkecs.request.v20140526.DescribeVpcsRequest import DescribeVpcsRequest # configuration the log output formatter, if you want to save the output to file, # append ",filename='ecs_invoke.log'" after datefmt. logging.basicConfig(level=logging.INFO, format='%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s', datefmt='%a, %d %b %Y %H:%M:%S') # send open api request def _send_request(request): request.set_accept_format('json') try: response_str = clt.do_action(request) logging.info(response_str) response_detail = json.loads(response_str) return response_detail except Exception as e: logging.error(e) # To add rules to classic network cloud server def execute_add_classical_intranat_ingress(regionId,source_sg_id, permission, dry_run): request = AuthorizeSecurityGroupRequest() clt.set_region_id(regionId) request.set_SecurityGroupId(source_sg_id) request.set_IpProtocol(permission.get("IpProtocol")) request.set_PortRange(permission.get("PortRange")) request.set_SourceGroupOwnerAccount(permission.get("SourceGroupOwnerAccount")) request.set_Priority(permission.get("Priority")) request.set_SourceGroupId(permission.get("SourceGroupId")) request.set_SourceCidrIp(permission.get("SourceCidrIp")) request.set_Policy(permission.get("Policy")) request.set_NicType(permission.get("NicType")) if dry_run: logging.info("add sg id %s as the in security group id %s", in_sg_id, source_sg_id) else: response = _send_request(request) return response # How many rules are there under the current security group def query_sg_rules_for_sg(regionId,security_group_id): request = DescribeSecurityGroupAttributeRequest() clt.set_region_id(regionId) request.set_SecurityGroupId(security_group_id) response = _send_request(request) if (str(response.get("Code")) == "InvalidSecurityGroupId.NotFound"): logging.error("please check if there is an securityGroupId in your region") return "null" return response # create VPC def createVPC(vpcLocal): request = CreateVpcRequest() request.set_CidrBlock(vpcLocal.get("CidrBlock")) request.set_Description(vpcLocal.get("Description")) UserCidrs = '' for uc in vpcLocal.get("UserCidrs").get("UserCidr"): UserCidrs = UserCidrs + str(uc)+"," if(UserCidrs != ''): request.set_UserCidr(UserCidrs) request.set_VpcName(vpcLocal.get("VpcName")+"copy") response = _send_request(request) newVPCId = response.get("VpcId") if(newVPCId == None): logging.error(response) newVPCId = "null" return newVPCId # compare UserCidrs def compareUserCidrs(usercidrs1,usercidrs2): l1 = len(usercidrs1) l2 = len(usercidrs2) flag = False if(l1 == l2): flag = True for cidr in usercidrs1: if(cidr in usercidrs2): logging.info(cidr+"passed") else: flag = False break else: return flag return flag # find sameVpc according to UserCidrs and CidrBlock def findSameVpc(vpcLocal,isVpcKeepSame): request = DescribeVpcsRequest() response = _send_request(request) vpcs = response.get("Vpcs").get("Vpc") if(isVpcKeepSame == False): if(len(vpcs)>=1): for vpc in vpcs: if(vpc.get("Status") == 'Available'): return vpc.get("VpcId") else: return "null" for vpc in vpcs: if(str(vpc.get("Status")) == 'Available'): usercidrs1 = vpc.get("UserCidrs").get("UserCidr") usercidrs2 = vpcLocal.get("UserCidrs").get("UserCidr") if((vpc.get("CidrBlock") == vpcLocal.get("CidrBlock")) and (compareUserCidrs(usercidrs1,usercidrs2))): return vpc.get("VpcId") return "null" # find VPC by vpcId def GetVpc(vpcId): request = DescribeVpcsRequest() request.set_VpcId(vpcId) response = _send_request(request) if(response.get("TotalCount") >= 1): return response.get("Vpcs").get("Vpc")[0] return "null" # create SecurityGroup def CreateSecurityGroup(regionId,securityGroupName,vpcId,vpcLocal,isVpcKeepSame): request = CreateSecurityGroupRequest() clt.set_region_id(regionId) request.set_SecurityGroupName(securityGroupName) newVpcId = '' if(vpcId != ''): vpcIdAvailable = findSameVpc(vpcLocal,isVpcKeepSame) if(vpcIdAvailable == 'null'): newVpcId = createVPC(vpcLocal) time.sleep(10) if(newVpcId == "null"): return "null" else: newVpcId = vpcIdAvailable request.set_VpcId(str(newVpcId)) response = _send_request(request) return response def copy_securityGroup(regionIdLocal,securityGroupIdLocal,regionId,isVpcKeepSame): # Query a region under a security group all rules responsepermissions = query_sg_rules_for_sg(regionIdLocal, securityGroupIdLocal) if (responsepermissions == "null"): logging.error("error:please check if there is an securityGroupId in your region") return "null" else: permissions = responsepermissions.get("Permissions").get("Permission") vpcId = responsepermissions.get("VpcId") vpcLocal = '' if (vpcId != ''): vpcLocal = GetVpc(vpcId) if(vpcLocal == "null"): logging.error("the vpc=vpcId:%s not exist",vpcId) return vpcId securityGroupNameLocal = responsepermissions.get("SecurityGroupName") # Create security group securityGroupName = securityGroupNameLocal + "_copyfrom_" + regionIdLocal response = CreateSecurityGroup(regionId, securityGroupName, vpcId, vpcLocal,isVpcKeepSame) if(response == "null"): return "null" securityGroupId = response.get("SecurityGroupId") # Copy rules for permission in permissions: execute_add_classical_intranat_ingress(regionId, securityGroupId, permission, False) logging.info("In region %s ,create securityGroup:%s success", regionId, securityGroupName) if __name__ == '__main__': clt = client.AcsClient('Your Access Key Id', 'Your Access Key Secrect', 'cn-beijing') #The regionId of the security group being copied regionIdLocal = 'cn-shanghai' #Copy securityGroupId in regionIdLocal securityGroupIdLocal = 'sg-uf62j00kbggavkplfb56' #Copy to region regionId regionId = 'ap-northeast-1' #whether VPC need to be consistent isVpcKeepSame = False #start copy 相关资源:敏捷开发V1.0.pptx