Resource Access Lists¶
Resource Access Lists are used to protect cloud resources by controlling their ingress/egress traffic. Examples include Security Groups, Network Access Lists and Firewalls. This class inherits from TopLevelResource and has direct access to the resource's database object. The following attributes are directly accessible:
- The primary resource identifier, which takes the form of a prefix followed by numbers and letters
- The provider ID of the access list
- The ID of the organization service (cloud) this access list belongs to
- The region where this resource lives
- attr name: The name of this access list
- Resource access list type (e.g. security group, NACL, firewall)
- The resource ID of the parent (network, instance, etc.)
- The date this security group was created
- An optional description of the group
- attr rules: Returns a list of associated rules within the access list
Resource access list operations
- Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue; otherwise it calls immediately.
- Retrieve the Resource object that this access list is associated with, or None.
- Retrieve resource associations.
- Retrieve the dependencies for a particular resource. This is an override of the parent function because we need to reverse the order of our resource lookups.
- Obtain the rules associated with this group. If a direction is not supplied then all rules are returned. This call will not include rules which are pending deletion.
- Retrieve all the actions which are supported by this resource.
- This should be called when a resource is created/discovered, after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc.).
- This should be called when a resource is destroyed, before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc.).
handle_resource_modified(resource, *args, **kwargs)¶
This should be called when a resource is modified, after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.
- DEPRECATED: Special use function. This is a work-around function for the InstanceHarvester, where the SGs associated with an instance in OpenStack variants return only a list of SG names rather than IDs. Ultimately we should look at SGs attached to Network Interfaces rather than Instances directly, but until then, this method creates a SecurityGroup by looking up a SG by name.
- Validate rule compliance across all of the access list rules. This returns a boolean indicating whether the rules within the list are valid against the ingress/egress whitelist. We actually pass the bulk of this logic up to the cloud frontend, since the format, key/value pairs and more vary from cloud to cloud as well as by resource access list type.
Parameters: ingress_whitelist_rules – A list of strings for ingress rules, e.g. ['tcp:80', 'tcp:443', 'tcp:22']. Returns: bool
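The following is an added illustration, not code from the documented library, of the two behaviours described above: a rule lookup that filters by direction and skips rules pending deletion, and a compliance check that compares every live ingress rule against a whitelist of 'proto:port' strings. The Rule and AccessList classes, the function names, and the sample security groups are all constructed for this example; the real check is delegated to the cloud frontend and its rule format differs per cloud.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """One access list rule, e.g. a security group entry (constructed model)."""
    direction: str                   # "ingress" or "egress"
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    from_port: Optional[int] = None  # None for protocols without ports (icmp, all)
    to_port: Optional[int] = None
    cidr: str = "0.0.0.0/0"
    pending_deletion: bool = False   # rules queued for deletion are ignored


@dataclass
class AccessList:
    """Minimal stand-in for the documented access list object (assumption)."""
    name: str
    rules: List[Rule] = field(default_factory=list)

    def get_rules(self, direction: Optional[str] = None) -> List[Rule]:
        """Return live rules, optionally filtered by direction.

        Mirrors the documented behaviour: no direction means all rules,
        and rules pending deletion are never returned.
        """
        return [
            r for r in self.rules
            if not r.pending_deletion
            and (direction is None or r.direction == direction)
        ]


def parse_whitelist(entries: List[str]) -> Dict[str, Set[int]]:
    """Turn ['tcp:80', 'tcp:443'] into {'tcp': {80, 443}}.

    Malformed entries raise ValueError rather than being silently skipped,
    so a typo in the whitelist cannot turn into an accidental allow.
    """
    allowed: Dict[str, Set[int]] = {}
    for entry in entries:
        try:
            proto, port = entry.lower().split(":")
            port_num = int(port)
        except ValueError:
            raise ValueError(f"whitelist entry must look like 'proto:port': {entry!r}")
        if not 0 <= port_num <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        allowed.setdefault(proto, set()).add(port_num)
    return allowed


def rule_is_whitelisted(rule: Rule, allowed: Dict[str, Set[int]]) -> bool:
    """A rule complies only if every port it opens is whitelisted for its protocol.

    Port-less rules (icmp, 'all') cannot be matched by 'proto:port' entries,
    so they fail closed; a 0-65535 range fails unless every port is listed.
    """
    proto = rule.protocol.lower()
    if proto not in allowed or rule.from_port is None or rule.to_port is None:
        return False
    ports = allowed[proto]
    return all(p in ports for p in range(rule.from_port, rule.to_port + 1))


def noncompliant_rules(access_list: AccessList, ingress_whitelist_rules: List[str],
                       direction: str = "ingress") -> List[Rule]:
    """List the live rules in one direction that the whitelist does not cover."""
    allowed = parse_whitelist(ingress_whitelist_rules)
    return [r for r in access_list.get_rules(direction) if not rule_is_whitelisted(r, allowed)]


def validate_compliance(access_list: AccessList, ingress_whitelist_rules: List[str]) -> bool:
    """Boolean form matching the documented call: True only if no ingress rule violates."""
    return not noncompliant_rules(access_list, ingress_whitelist_rules)


# Constructed sample data (not from any real account).
WEB_SG = AccessList("web-sg", [
    Rule("ingress", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("ingress", "tcp", 3389, 3389, "0.0.0.0/0", pending_deletion=True),  # skipped
    Rule("egress", "tcp", 0, 65535, "0.0.0.0/0"),  # egress, not checked here
])
BASTION_SG = AccessList("bastion-sg", [
    Rule("ingress", "tcp", 22, 22, "203.0.113.0/24"),
    Rule("ingress", "tcp", 0, 65535, "0.0.0.0/0"),   # wide open: non-compliant
    Rule("ingress", "icmp", None, None, "0.0.0.0/0"),  # port-less: non-compliant
])
WHITELIST = ["tcp:80", "tcp:443", "tcp:22"]

if __name__ == "__main__":
    for sg in (WEB_SG, BASTION_SG):
        bad = noncompliant_rules(sg, WHITELIST)
        status = "compliant" if not bad else f"{len(bad)} non-compliant rule(s)"
        print(f"{sg.name}: {status}")
        for r in bad:
            print(f"  {r.protocol} {r.from_port}-{r.to_port} from {r.cidr}")
```

Reporting the offending rules, not just the boolean, is what makes the result actionable in an alert; the boolean wrapper is kept so the shape matches the documented call.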