Resource Access Lists

Resource Access Lists govern ingress/egress traffic to cloud resources; examples include Security Groups, Network Access Lists (NACLs) and firewalls. This class inherits from TopLevelResource and has direct access to the resource's database object. The following attributes are directly accessible:

attr resource_id:
 The primary resource identifier, which takes the form of a prefix followed by numbers and letters
attr access_list_id:
 The provider ID of the access list
attr organization_service_id:
 The ID of the organization service (cloud) this access list belongs to
attr region_name:
 The region where this resource lives
attr name:
 The name of this access list
attr access_list_type:
 Resource access list type (eg: security group, NACL, firewall)
attr parent_resource_id:
 The resource ID of the parent (network, instance, etc.)
attr creation_date:
 The date this access list was created
attr description:
 An optional description of the access list
attr rules:
 Returns a list of the rules associated with the access list
class DivvyResource.Resources.resourceaccesslist.ResourceAccessList(resource_id)

Bases: DivvyResource.Resources.toplevelresource.TopLevelResource

Resource access list operations

Delete this resource. If wrapped in a with JobQueue() block, this queues the deletion job to the wrapped queue; otherwise the deletion is executed immediately.
static get_db_class()

Retrieve the Resource object that this access list is associated with, or None

static get_provider_id_field()

Retrieve resource associations.


Retrieve the dependencies for a particular resource. This is an override of the parent function because the order of the resource lookups has to be reversed for access lists.

static get_resource_type()

Obtain the rules for the access list. Depending on the cloud and the resource access list type, the contained rules come back in a variety of formats, because each cloud/access list type represents rules differently; callers should not assume one schema across providers.


Retrieve all the actions which are supported by this resource.

handle_resource_created(user_resource_id=None, project_resource_id=None)

This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc)


This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc)

handle_resource_modified(resource, *args, **kwargs)

This should be called when a resource is modified, after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.

static lookup_by_name(*args, **kwargs)
DEPRECATED: Special use function. This is a work-around function for the InstanceHarvester, where the SGs associated with an instance in OpenStack variants return only a list of SG names rather than IDs. Ultimately we should look at SGs attached to Network Interfaces rather than Instances directly, but until then, this method creates a SecurityGroup by looking up an SG by name.
top_level_resource = True

Validate rule compliance across all of the access list rules. This returns a boolean indicating whether the rules within the access list are valid with respect to the ingress/egress whitelist. The bulk of this logic is delegated to the cloud frontend, since the rule format, key/value pairs and more vary from cloud to cloud as well as by resource access list type.

Parameters: ingress_whitelist_rules – A list of strings for ingress rules, eg: ['tcp:80', 'tcp:443', 'tcp:22']
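The two passages above (the rules property returning provider-specific formats, and validate-rule-compliance checking those rules against 'proto:port' whitelists) are tied together in the following added example. This is illustrative code written for this page, not DivvyCloud's ResourceAccessList implementation or its cloud frontends. It assumes a normalized Rule record of its own, handles only AWS Security Group IpPermissions entries (IpRanges only) and GCP compute firewall allow rules, and extends the whitelist syntax with an assumed 'proto:lo-hi' range form; all sample rule data is constructed.

```python
"""Added example (not DivvyCloud code): normalize access-list rules from two
provider formats into one shape, then validate them against whitelists of
'proto:port' strings such as ['tcp:80', 'tcp:443', 'tcp:22']."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Provider-neutral rule (assumed shape, not the project's own)."""
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    from_port: int   # 0-65535; (0, 65535) means every port
    to_port: int
    cidr: str


def normalize_aws_sg(ip_permissions, direction):
    """AWS EC2 SecurityGroup IpPermissions entries -> list of Rule.
    Only IpRanges are handled here; Ipv6Ranges/UserIdGroupPairs are skipped."""
    rules = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        if proto == "-1":                       # AWS encodes "all traffic" as -1
            proto, lo, hi = "all", 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for r in perm.get("IpRanges", []):
            rules.append(Rule(direction, proto, lo, hi, r["CidrIp"]))
    return rules


def normalize_gcp_firewall(fw):
    """GCP compute firewall resource (allow rules only) -> list of Rule."""
    direction = fw.get("direction", "INGRESS").lower()
    ranges = fw.get("sourceRanges") if direction == "ingress" else fw.get("destinationRanges")
    rules = []
    for allowed in fw.get("allowed", []):
        proto = allowed["IPProtocol"]
        for p in allowed.get("ports") or ["0-65535"]:   # no ports listed = all ports
            lo, _, hi = p.partition("-")
            for cidr in ranges or []:
                rules.append(Rule(direction, proto, int(lo), int(hi or lo), cidr))
    return rules


def parse_whitelist(entries):
    """'tcp:80' -> ('tcp', 80, 80); 'tcp:1024-65535' (assumed extension) -> ('tcp', 1024, 65535)."""
    allowed = []
    for entry in entries:
        proto, _, ports = entry.partition(":")
        lo, _, hi = ports.partition("-")
        allowed.append((proto.lower(), int(lo), int(hi or lo)))
    return allowed


def rule_is_permitted(rule, allowed):
    """Conservative check: the rule's protocol must match and its whole port span
    must sit inside a single whitelist entry. A protocol of 'all' never matches a
    'tcp:...' entry, so 'allow everything' rules always fail."""
    return any(rule.protocol == proto and lo <= rule.from_port and rule.to_port <= hi
               for proto, lo, hi in allowed)


def validate_rule_compliance(rules, ingress_whitelist_rules, egress_whitelist_rules):
    """Return (is_compliant, violations); violations lists each offending Rule."""
    whitelist = {"ingress": parse_whitelist(ingress_whitelist_rules),
                 "egress": parse_whitelist(egress_whitelist_rules)}
    violations = [r for r in rules if not rule_is_permitted(r, whitelist[r.direction])]
    return (not violations, violations)


# Constructed sample data in the shape of the two provider APIs.
AWS_SG_SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # all traffic: violation
]
GCP_FW_SAMPLE = {
    "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]},
                {"IPProtocol": "udp", "ports": ["53"]}],                # udp/53 not whitelisted
}


def demo():
    rules = normalize_aws_sg(AWS_SG_SAMPLE, "ingress") + normalize_gcp_firewall(GCP_FW_SAMPLE)
    return validate_rule_compliance(rules, ["tcp:80", "tcp:443", "tcp:22"], ["tcp:443"])


if __name__ == "__main__":
    ok, bad = demo()
    print("compliant:", ok)
    for r in bad:
        print("violation:", r)
```

The check is deliberately strict: a rule spanning 1-1024 is rejected even if the whitelist happens to cover every port in that span with separate entries, because a wide rule is exactly what the whitelist is meant to flag. If a provider format cannot be normalized, fail closed and report the rule rather than silently treating it as compliant.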