search

NixOS / nixops-aws

GNU Lesser General Public License v3.0
52 stars 38 forks source link

Dynamic securityGroupIds #81

Open ip1981 opened 8 years ago

ip1981 commented 8 years ago

We can define resources.ec2KeyPairs and refer them in deployment.ec2. E. g.:

{
# ...
resources.ec2KeyPairs.petcatKey = { inherit accessKeyId; region = "ap-southeast-1"; };
# ...
petcat = { resources, config, pkgs, lib, ... }: {
#...
 deployment.ec2.keyPair = resources.ec2KeyPairs.petcatKey;
# ...
};
# ...
}

We can do the same for security groups, but only when not deploying to VPC. There is a difference between securityGroupIds which should be used for VPC and securityGroups for non-VPC deployments.

If one tries to write securityGroupIds = [ resources.ec2SecurityGroups.petcatSecGroup ]; an error will be raised:

error: The option value `deployment.ec2.securityGroupIds.[definition 1-entry 1]' in `/...' is not a string

Below are some scribbles to fix that. If this looks good, we can get rid of securityGroupIds and just use securityGroups for both VPC and non-VPC deployments. But i'm not vary familiar with nixops to make it the right way :-)

diff --git a/nix/ec2.nix b/nix/ec2.nix
index b1c08d0..ef10b1f 100644
--- a/nix/ec2.nix
+++ b/nix/ec2.nix
@@ -308,7 +308,7 @@ in

     deployment.ec2.securityGroupIds = mkOption {
       default = [];
-      type = types.listOf types.str;
+      type = types.listOf (types.either types.str (resource "ec2-security-group"));
       description = ''
         Security Group IDs for the instance. Necessary if starting
         an instance inside a VPC/subnet. In the non-default VPC, security
diff --git a/nixops/backends/ec2.py b/nixops/backends/ec2.py
index cc95dbd..006ab95 100644
--- a/nixops/backends/ec2.py
+++ b/nixops/backends/ec2.py
@@ -595,13 +595,13 @@ class EC2State(MachineState, nixops.resources.ec2_common.EC2CommonState):

     def _get_network_interfaces(self, defn):
-        groups = defn.security_group_ids
+        groups = map(lambda g: g['name'] if isinstance(g, dict) else g, defn.security_group_ids)

-        sg_names = filter(lambda g: not g.startswith('sg-'), defn.security_group_ids)
+        sg_names = filter(lambda g: not g.startswith('sg-'), groups)
         if sg_names != []:
             self.connect_vpc()
             vpc_id = self._conn_vpc.get_all_subnets([defn.subnet_id])[0].vpc_id
-            groups = map(lambda g: nixops.ec2_utils.name_to_security_group(self._conn, g, vpc_id), defn.security_group_ids)
+            groups = map(lambda g: nixops.ec2_utils.name_to_security_group(self._conn, g, vpc_id), groups)

         return boto.ec2.networkinterface.NetworkInterfaceCollection(
             boto.ec2.networkinterface.NetworkInterfaceSpecification(
rbvermaa commented 8 years ago

@ip1981 I started a patch for consolidating security groups for both vpc and ec2-classic a while back. We did some groundwork for this in 1.3 release. Let me see if I can dig up the patch, and commit it in the next week or so.

ip1981 commented 8 years ago

that would be great!

k0001 commented 8 years ago

I'm facing this issue as well (and NixOS/nixops-aws#78) :) Have there been any changes related to this?

joehealy commented 6 years ago

is there a workaround to this? or NixOS/nixops-aws#78?

ip1981 commented 5 years ago

Is it fixed? https://github.com/NixOS/nixops/commit/1a71a2e595af5aff54a84779c2bf58b5e2f55ac6

tbenst commented 5 years ago

@ip1981 thanks for linking that, works for me!

let
  region = "us-west-2";
  accessKeyId = "myid"; # symbolic name looked up in ~/.ec2-keys or a ~/.aws/credentials profile name
  # We must declare an AWS Subnet for each Availability Zone
  # because Subnets cannot span AZs.
  subnets = [
    { name = "nixops-vpc-subnet-a"; cidr = "10.0.0.0/19"; zone = "${region}a"; }
    { name = "nixops-vpc-subnet-b"; cidr = "10.0.32.0/19"; zone = "${region}b"; }
    { name = "nixops-vpc-subnet-c"; cidr = "10.0.64.0/19"; zone = "${region}c"; }
    { name = "nixops-vpc-subnet-d"; cidr = "10.0.96.0/19"; zone = "${region}d"; }
  ];
  domain = "example.com";
  ec2 = { resources, ... }: {
    deployment.targetEnv = "ec2";
    deployment.ec2.accessKeyId = accessKeyId;
    deployment.ec2.region = region;
    deployment.ec2.subnetId = resources.vpcSubnets.nixops-vpc-subnet-c;
    deployment.ec2.instanceType = "t2.micro";
    deployment.ec2.keyPair = resources.ec2KeyPairs.my-key-pair;
    deployment.ec2.associatePublicIpAddress = true;
    deployment.ec2.ebsBoot = true;
    deployment.ec2.ebsInitialRootDiskSize = 20;

    /* deployment.ec2.securityGroupIds = [
      resources.ec2SecurityGroups.allow-ssh.name
      resources.ec2SecurityGroups.allow-http.name
       ]; */
    deployment.ec2.securityGroupIds = [ "allow-ssh" "allow-http" ];

    /* deployment.route53.hostName = domain; */
  };
  lib = (import <nixpkgs> {}).lib;
in
{
  mlflow-server = ec2;

  resources = {
    # Provision an EC2 key pair.
    ec2KeyPairs.my-key-pair =
      { inherit region accessKeyId; };

    # create security groups
    ec2SecurityGroups.allow-ssh = { resources, ... }: {
      inherit region accessKeyId;
      name = "allow-ssh";
      description = "allow-ssh";
      vpcId = resources.vpc.nixops-vpc;
      rules = [
        { fromPort = 22; toPort = 22; sourceIp = "0.0.0.0/0"; }
      ];
    };

    ec2SecurityGroups.allow-http = { resources, ... }: {
      inherit region accessKeyId;
      name = "allow-http";
      description = "allow-http";
      vpcId = resources.vpc.nixops-vpc;
      rules = [
        { fromPort = 80; toPort = 80; sourceIp = "0.0.0.0/0"; }
        { fromPort = 443; toPort = 443; sourceIp = "0.0.0.0/0"; }
      ];
    };

    # configure VPC
    vpc.nixops-vpc = {
      inherit region accessKeyId;
      instanceTenancy = "default";
      enableDnsSupport = true;
      enableDnsHostnames = true;
      cidrBlock = "10.0.0.0/16";
      tags.Source = "NixOps";
    };

    vpcSubnets =
      let
        makeSubnet = {cidr, zone}:
          { resources, ... }: {
            inherit region zone accessKeyId;
            vpcId = resources.vpc.nixops-vpc;
            cidrBlock = cidr;
            mapPublicIpOnLaunch = true;
            tags.Source = "NixOps";
        };
      in
        builtins.listToAttrs
          (map
            ({ name, cidr, zone }: lib.nameValuePair name (makeSubnet { inherit cidr zone; }) )
            subnets
          );

    vpcRouteTables = {
      route-table = { resources, ... }: {
        inherit accessKeyId region;
        vpcId = resources.vpc.nixops-vpc;
      };
    };

    vpcRoutes = {
      igw-route = { resources, ... }: {
        inherit region accessKeyId;
        routeTableId = resources.vpcRouteTables.route-table;
        destinationCidrBlock = "0.0.0.0/0";
        gatewayId = resources.vpcInternetGateways.nixops-igw;
      };
    };

    vpcRouteTableAssociations =
      let
        association = subnetName: { resources, ... }: {
          inherit accessKeyId region;
          subnetId = resources.vpcSubnets."${subnetName}";
          routeTableId = resources.vpcRouteTables.route-table;
        };
      in
        builtins.listToAttrs
          (map
            ({ name, ... }: lib.nameValuePair "association-${name}" (association name) )
            subnets
          );
    vpcInternetGateways.nixops-igw = { resources, ... }: {
      inherit accessKeyId region;
      vpcId = resources.vpc.nixops-vpc;
    };

    elasticIPs.eip = {
      inherit region accessKeyId;
      vpc = true;
    };

    /* resources.vpcNatGateways.nat = { resources, ... }: {
        inherit region accessKeyId;
        allocationId = elasticIPs.eip;
        subnetId = vpcSubnets.nixops-vpc-subnet-f;
    }; */

  };
}