{ "info": { "author": "Matthew Wedgwood", "author_email": "mw@rmn.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 2 - Pre-Alpha", "Intended Audience :: Developers", "License :: OSI Approved :: MIT License", "Operating System :: OS Independent", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Topic :: Internet" ], "description": "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\nSecurity Group Management Rule Management in Situ\n%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\nConcepts\n********\n\nSecurity Groups rules in AWS have four basic components. In Situ and this\ndocumentation, we refer to them as follows:\n\n* A *direction*, \"in\" (ingress) or \"out\" (egress)\n* An *owner*, the group to whom the rule belongs\n* An *other*, the subject of the rule, which may be a security group or CIDR\n* A *portspec*, consisting of an IP protocol, low port, and high port\n\nIncluded Tools\n**************\n\nSitu includes two tools for managing security group rules: ``sgtables`` and ``sgmanager``.\n\n``sgmanager`` is a higher-level tool used for managing more human-friendly rule\nrepresentations. ``sgmanager`` depends on ``sgtables`` to make changes in AWS.\n\n``stgables`` is a low-level (*raw*) rule processor. It consumes and generates\nbasic rule definitions, and is capable of modifying rulesets in AWS.\n\nThese tools only manage security group *rules*. They do not create or remove\nthe groups themselves.\n\nUsing ``sgmanager``\n*******************\n\n.. hint::\n You can type ``sgmanager --help`` for detailed help about the ``sgmanager`` CLI.\n\nThere are currently three ``sgmanager`` subcommands:\n\n* *groupdefs*, a tool for extracting group definitions in the ``sgmanager``\n* format *render*, which accepts one or more configuration files and renders\n them to raw rules suitable for consumption by ``sgtables``\n* *reverse*, which can help you convert ``sgtables`` output to a set of rules\n\nWhen using ``sgmanager``, *vars_files* are files in the ``sgmanager``\nconfiguration format as outlined below. *input_files* refer to files containing\nraw rules as output by ``sgtables``.\n\n.. hint::\n ``sgmanager`` configurations can be broken into several files for\n flexibility. Consider storing accounts, CIDRs, and portspecs separately\n from group definitions and rules.\n\n``sgmanager`` Configuration\n---------------------------\n\nThere are four entity types that can be defined in an sgmanager configuration:\n\n* Rule - represents a single IpPermission on a SecurityGroup\n* SecurityGroup - represents a single AWS SecurityGroup\n* Cidr - An IPv4 CIDR address/mask\n* Account - an AWS account\n\n\nThe syntax of an sgmanager configuration is::\n\n ::= \"rule \" \" \" \" \" ( | ) \" \" \n\n ::= \"sg \" NAME \" \" SG_ID\n\n ::= \"cidr \" NAME \" \" IPADDR \"/\" INT_MASK\n \n ::= \"acct \" NAME \" \" ACCOUNT_ID\n\n ::= \"proto \" NAME \" \" \" \" \" \" \n ::= ( \"icmp\" | \"tcp\" | \"udp\" | -1 | 0 | POSITIVE_INTEGER )\n ::= -1 | 0 | POSITIVE_INTEGER\n ::= -1 | 0 | POSITIVE_INTEGER\n\nWhere:\n\n* ``SG_ID`` is an AWS security group id\n* ``IPADDR`` is an IPv4 address\n* ``INT_MASK`` is an integer between 0 and 32 (inclusive)\n* ``ACCOUNT_ID`` is an AWS numeric account ID\n\nFor port numbers, ``POSITIVE_INTEGER`` can be between 1 and 65535, and -1 means *all*.\n\n\nExample\n-------\n\nSuppose you have a sgmanager configuration file named \"myrules\" containing the following::\n\n acct prd 11223344556677\n \n cidr prd-w1 10.208.0.0/16\n \n sg prd-w1-eop sg-12345678\n sg prd-w1-app sg-abcdef12\n \n proto ssh tcp 22 22\n \n rule in prd-w1-eop prd-w1-app ssh\n rule in prd-w1-eop prd-w1 ssh\n\nRunning ``sgmanager prd myrules`` would produce the following output::\n\n in sg-12345678 sg-abcdef12 tcp 22 22\n in sg-12345678 10.208.0.0/16 tcp 22 22\n\nUsing ``sgtables``\n******************\n\n.. hint::\n See the output of ``sgtables --help`` for complete, current information\n about available options.\n\n``sgtables`` has four functions: *list*, *add*, *remove*, and *update*\n\n``sgtables`` always requires an AWS profile (from ~/.aws/config), a region, and\na specific VPC to operate against (or the special name 'classic' for EC2\nClassic). ``sgtables`` only operates on one network at a time. EC2 classic is\nhandled as its own network/VPC.\n\nAll data-modification commands (everything except *list*) accept a ``--noop``\nargument (for no-op) that prevents any real changes from taking place. You can\nuse the ``--verbose`` flag to see more detail about the operations performed by\nthe command. ``--debug`` will also include low-level details.\n\nThe *add* command will try to add all rules passed to it (so long as the group\nexists in the VPC). Similarly, *remove* will try to remove all rules passed to\nit. You will be warned if the given rule already exists (for *add*) or if it is\nnot found (for *remove*), but this will not cause ``sgtables`` to fail.\n\n*update* behaves somewhat differently than the other two. Before making changes,\n*update* inspects the current ruleset and compares it to the input given. For\nany security group **mentioned as an owner in the rules list**, rules are added\nif needed, then rules are removed. To put it another way, *update* expects that\nthe rules passed to it are the **only** rules that should be in those groups.\n\n*Mentioned*, in this context, means that any rule not listed as an owner in the\nruleset will not be updated. ``sgtables`` can update all rules in all security\ngroups in a VPC if passed the ominuously-named ``--obliterate`` flag to\n*update*. When ``--obliterate`` is specified, ``sgtables`` assumes that the\nrules given to it are the **only** rules that should exist in the VPC. If a\ngroup exists but no rules are defined for it, that group will have all of its\nrules removed.", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://github.com/RetailMeNot/sgtools", "keywords": null, "license": "MIT", "maintainer": null, "maintainer_email": null, "name": "sgtools", "package_url": "https://pypi.org/project/sgtools/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/sgtools/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://github.com/RetailMeNot/sgtools" }, "release_url": "https://pypi.org/project/sgtools/0.5/", "requires_dist": null, "requires_python": null, "summary": "Standard UNIX tools for manipulating AWS security group rules", "version": "0.5" }, "last_serial": 1058115, "releases": { "0.5": [ { "comment_text": "", "digests": { "md5": "b49a4e0104763d949a75001c3bb72380", "sha256": "a9a9d3cae8fc9c53ad1e58e155433bf7ab2a820cd365a0e322f472450076a44f" }, "downloads": -1, "filename": "sgtools-0.5.tar.gz", "has_sig": false, "md5_digest": "b49a4e0104763d949a75001c3bb72380", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 19110, "upload_time": "2014-04-11T18:46:54", "url": "https://files.pythonhosted.org/packages/a5/bf/f3aded0b6477b08bd68da67c5cd4191f303b5a0af7bb203a72727bae337b/sgtools-0.5.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "b49a4e0104763d949a75001c3bb72380", "sha256": "a9a9d3cae8fc9c53ad1e58e155433bf7ab2a820cd365a0e322f472450076a44f" }, "downloads": -1, "filename": "sgtools-0.5.tar.gz", "has_sig": false, "md5_digest": "b49a4e0104763d949a75001c3bb72380", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 19110, "upload_time": "2014-04-11T18:46:54", "url": "https://files.pythonhosted.org/packages/a5/bf/f3aded0b6477b08bd68da67c5cd4191f303b5a0af7bb203a72727bae337b/sgtools-0.5.tar.gz" } ] }