viasat / hotcidr Goto Github PK

Amazon leaves terminated instances in the list for a while after they're killed; we need to make sure we filter only for running, started, or stopped instances.

Currently HotCIDR can filter groups down to a specific region; we should add a filter down to particular VPCs

It's a bit tedious laying out every single instance in boxes.yaml. We might change it up to match on hostname (either through tag:Name or reverse DNS), and apply rules based on that. Something like

.*:
  groups:
    - default
dc-.*\.example\.com:
  groups:
    - LdapServer
    - DnsServer

We use print or .write a lot, and should switch to Python's logging framework where appropriate.

Unit tests should be written especially for applying, and also for auditing.

As it is, unused security groups are not deleted in EC2 by apply, as they do not affect the behavior of the network. Still, it would be nice to delete them anyways to clean the VPC up a bit.

Use python's tempfile library rather than creating hard-coded directories wherever AWS_out and /tmp/hotcidr are mentioned. This is a good coding practice because the temporary files are always deleted, and it enhances cross-platform portability.

I tried to add a "secure-default" group to one of our VPCs and the new group was created in EC2-Classic, not the VPC I'd laid out in the config.

All our database functions need to use prepared statements

The command line audit does not exhibit this behavior - the audit reliably shows up. The behavior is infrequent and can be solved by attempting the audit again (or, rarely, several times).

Audit and apply buttons are there. A similar button should be created for validation.

Rather than just allowing seconds-until to be input, a set date (in iso date format) should be allowed for expirations of both kinds (in expirations.yaml and in the rules yaml).

As it is, the time range only looks at the created-date, not the approved date. It should look at the approved date, but more accurately it should look at both actions and include all rules with any action (created or approved) within the time range.

We need to figure out how to stop from needing to pull the entire commit log for a repo to do the diffs properly

If you have terminated an instance but it has not yet been removed from AWS' system, hotCidr will throw the exception below when trying to apply rules to it.

Unexpected exception raised. Aborting.
Traceback (most recent call last):
  File "/home/jkwan/hotcidr/venv/bin/hc-apply", line 26, in <module>
    args['expected']
  File "/home/jkwan/hotcidr/venv/local/lib/python2.7/site-packages/hotcidr/apply.py", line 230, in main
    action(conn)
  File "/home/jkwan/hotcidr/venv/local/lib/python2.7/site-packages/hotcidr/apply.py", line 13, in __call__
    self.run(conn)
  File "/home/jkwan/hotcidr/venv/local/lib/python2.7/site-packages/hotcidr/apply.py", line 44, in run
    conn.modify_instance_attribute(self.inst_id, self.attr, self.value)
  File "/usr/local/lib/python2.7/dist-packages/boto/ec2/connection.py", line 1262, in modify_instance_attribute
    return self.get_status('ModifyInstanceAttribute', params, verb='POST')
  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1197, in get_status
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidParameterCombination</Code><Message>You may only modify the groupSet attribute for VPC instances</Message></Error></Errors><RequestID>9bde642f-a747-43ba-99b4-3d5b03d35065</RequestID></Response>