mirror of https://github.com/trailofbits/algo
Alternative Ingress IP (#1605)
* Separate ingress IP draft * task name fix * placeholderpull/1714/head
parent
78cc708435
commit
2abbf22196
@ -0,0 +1,22 @@
|
||||
# Alternative Ingress IP
|
||||
|
||||
This feature allows you to configure the Algo server to send outbound traffic through a different external IP address than the one you are establishing the VPN connection with.
|
||||
|
||||
![cloud-alternative-ingress-ip](/docs/images/cloud-alternative-ingress-ip.png)
|
||||
|
||||
Additional info might be found in [this issue](https://github.com/trailofbits/algo/issues/1047)
|
||||
|
||||
|
||||
|
||||
|
||||
#### Caveats
|
||||
|
||||
##### Extra charges
|
||||
|
||||
- DigitalOcean: Floating IPs are free when assigned to a Droplet, but after manually deleting a Droplet you need to also delete the Floating IP or you'll get charged for it.
|
||||
|
||||
##### IPv6
|
||||
|
||||
Some cloud providers provision a VM with an `/128` address block size. This is the only IPv6 address provided and for outbound and incoming traffic.
|
||||
|
||||
If the provided address block size is bigger, e.g., `/64`, Algo takes a separate address than the one is assigned to the server to send outbound IPv6 traffic.
|
Binary file not shown.
After Width: | Height: | Size: 34 KiB |
@ -0,0 +1,288 @@
|
||||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# (c) 2015, Patrick F. Marques <patrickfmarques@gmail.com>
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
from __future__ import absolute_import, division, print_function
|
||||
__metaclass__ = type
|
||||
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
'supported_by': 'community'}
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: digital_ocean_floating_ip
|
||||
short_description: Manage DigitalOcean Floating IPs
|
||||
description:
|
||||
- Create/delete/assign a floating IP.
|
||||
version_added: "2.4"
|
||||
author: "Patrick Marques (@pmarques)"
|
||||
options:
|
||||
state:
|
||||
description:
|
||||
- Indicate desired state of the target.
|
||||
default: present
|
||||
choices: ['present', 'absent']
|
||||
ip:
|
||||
description:
|
||||
- Public IP address of the Floating IP. Used to remove an IP
|
||||
region:
|
||||
description:
|
||||
- The region that the Floating IP is reserved to.
|
||||
droplet_id:
|
||||
description:
|
||||
- The Droplet that the Floating IP has been assigned to.
|
||||
oauth_token:
|
||||
description:
|
||||
- DigitalOcean OAuth token.
|
||||
required: true
|
||||
notes:
|
||||
- Version 2 of DigitalOcean API is used.
|
||||
requirements:
|
||||
- "python >= 2.6"
|
||||
'''
|
||||
|
||||
|
||||
EXAMPLES = '''
|
||||
- name: "Create a Floating IP in region lon1"
|
||||
digital_ocean_floating_ip:
|
||||
state: present
|
||||
region: lon1
|
||||
|
||||
- name: "Create a Floating IP assigned to Droplet ID 123456"
|
||||
digital_ocean_floating_ip:
|
||||
state: present
|
||||
droplet_id: 123456
|
||||
|
||||
- name: "Delete a Floating IP with ip 1.2.3.4"
|
||||
digital_ocean_floating_ip:
|
||||
state: absent
|
||||
ip: "1.2.3.4"
|
||||
|
||||
'''
|
||||
|
||||
|
||||
RETURN = '''
|
||||
# Digital Ocean API info https://developers.digitalocean.com/documentation/v2/#floating-ips
|
||||
data:
|
||||
description: a DigitalOcean Floating IP resource
|
||||
returned: success and no resource constraint
|
||||
type: dict
|
||||
sample: {
|
||||
"action": {
|
||||
"id": 68212728,
|
||||
"status": "in-progress",
|
||||
"type": "assign_ip",
|
||||
"started_at": "2015-10-15T17:45:44Z",
|
||||
"completed_at": null,
|
||||
"resource_id": 758603823,
|
||||
"resource_type": "floating_ip",
|
||||
"region": {
|
||||
"name": "New York 3",
|
||||
"slug": "nyc3",
|
||||
"sizes": [
|
||||
"512mb",
|
||||
"1gb",
|
||||
"2gb",
|
||||
"4gb",
|
||||
"8gb",
|
||||
"16gb",
|
||||
"32gb",
|
||||
"48gb",
|
||||
"64gb"
|
||||
],
|
||||
"features": [
|
||||
"private_networking",
|
||||
"backups",
|
||||
"ipv6",
|
||||
"metadata"
|
||||
],
|
||||
"available": true
|
||||
},
|
||||
"region_slug": "nyc3"
|
||||
}
|
||||
}
|
||||
'''
|
||||
|
||||
import json
|
||||
import time
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.basic import env_fallback
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
from ansible.module_utils.digital_ocean import DigitalOceanHelper
|
||||
|
||||
class Response(object):
|
||||
|
||||
def __init__(self, resp, info):
|
||||
self.body = None
|
||||
if resp:
|
||||
self.body = resp.read()
|
||||
self.info = info
|
||||
|
||||
@property
|
||||
def json(self):
|
||||
if not self.body:
|
||||
if "body" in self.info:
|
||||
return json.loads(self.info["body"])
|
||||
return None
|
||||
try:
|
||||
return json.loads(self.body)
|
||||
except ValueError:
|
||||
return None
|
||||
|
||||
@property
|
||||
def status_code(self):
|
||||
return self.info["status"]
|
||||
|
||||
def wait_action(module, rest, ip, action_id, timeout=10):
|
||||
end_time = time.time() + 10
|
||||
while time.time() < end_time:
|
||||
response = rest.get('floating_ips/{0}/actions/{1}'.format(ip, action_id))
|
||||
status_code = response.status_code
|
||||
status = response.json['action']['status']
|
||||
# TODO: check status_code == 200?
|
||||
if status == 'completed':
|
||||
return True
|
||||
elif status == 'errored':
|
||||
module.fail_json(msg='Floating ip action error [ip: {0}: action: {1}]'.format(
|
||||
ip, action_id), data=json)
|
||||
|
||||
module.fail_json(msg='Floating ip action timeout [ip: {0}: action: {1}]'.format(
|
||||
ip, action_id), data=json)
|
||||
|
||||
|
||||
def core(module):
|
||||
api_token = module.params['oauth_token']
|
||||
state = module.params['state']
|
||||
ip = module.params['ip']
|
||||
droplet_id = module.params['droplet_id']
|
||||
|
||||
rest = DigitalOceanHelper(module)
|
||||
|
||||
if state in ('present'):
|
||||
if droplet_id is not None and module.params['ip'] is not None:
|
||||
# Lets try to associate the ip to the specified droplet
|
||||
associate_floating_ips(module, rest)
|
||||
else:
|
||||
create_floating_ips(module, rest)
|
||||
|
||||
elif state in ('absent'):
|
||||
response = rest.delete("floating_ips/{0}".format(ip))
|
||||
status_code = response.status_code
|
||||
json_data = response.json
|
||||
if status_code == 204:
|
||||
module.exit_json(changed=True)
|
||||
elif status_code == 404:
|
||||
module.exit_json(changed=False)
|
||||
else:
|
||||
module.exit_json(changed=False, data=json_data)
|
||||
|
||||
|
||||
def get_floating_ip_details(module, rest):
|
||||
ip = module.params['ip']
|
||||
|
||||
response = rest.get("floating_ips/{0}".format(ip))
|
||||
status_code = response.status_code
|
||||
json_data = response.json
|
||||
if status_code == 200:
|
||||
return json_data['floating_ip']
|
||||
else:
|
||||
module.fail_json(msg="Error assigning floating ip [{0}: {1}]".format(
|
||||
status_code, json_data["message"]), region=module.params['region'])
|
||||
|
||||
|
||||
def assign_floating_id_to_droplet(module, rest):
|
||||
ip = module.params['ip']
|
||||
|
||||
payload = {
|
||||
"type": "assign",
|
||||
"droplet_id": module.params['droplet_id'],
|
||||
}
|
||||
|
||||
response = rest.post("floating_ips/{0}/actions".format(ip), data=payload)
|
||||
status_code = response.status_code
|
||||
json_data = response.json
|
||||
if status_code == 201:
|
||||
wait_action(module, rest, ip, json_data['action']['id'])
|
||||
|
||||
module.exit_json(changed=True, data=json_data)
|
||||
else:
|
||||
module.fail_json(msg="Error creating floating ip [{0}: {1}]".format(
|
||||
status_code, json_data["message"]), region=module.params['region'])
|
||||
|
||||
|
||||
def associate_floating_ips(module, rest):
|
||||
floating_ip = get_floating_ip_details(module, rest)
|
||||
droplet = floating_ip['droplet']
|
||||
|
||||
# TODO: If already assigned to a droplet verify if is one of the specified as valid
|
||||
if droplet is not None and str(droplet['id']) in [module.params['droplet_id']]:
|
||||
module.exit_json(changed=False)
|
||||
else:
|
||||
assign_floating_id_to_droplet(module, rest)
|
||||
|
||||
|
||||
def create_floating_ips(module, rest):
|
||||
payload = {
|
||||
}
|
||||
floating_ip_data = None
|
||||
|
||||
if module.params['region'] is not None:
|
||||
payload["region"] = module.params['region']
|
||||
|
||||
if module.params['droplet_id'] is not None:
|
||||
payload["droplet_id"] = module.params['droplet_id']
|
||||
|
||||
floating_ips = rest.get_paginated_data(base_url='floating_ips?', data_key_name='floating_ips')
|
||||
|
||||
for floating_ip in floating_ips:
|
||||
if floating_ip['droplet'] and floating_ip['droplet']['id'] == module.params['droplet_id']:
|
||||
floating_ip_data = {'floating_ip': floating_ip}
|
||||
|
||||
if floating_ip_data:
|
||||
module.exit_json(changed=False, data=floating_ip_data)
|
||||
else:
|
||||
response = rest.post("floating_ips", data=payload)
|
||||
status_code = response.status_code
|
||||
json_data = response.json
|
||||
|
||||
if status_code == 202:
|
||||
module.exit_json(changed=True, data=json_data)
|
||||
else:
|
||||
module.fail_json(msg="Error creating floating ip [{0}: {1}]".format(
|
||||
status_code, json_data["message"]), region=module.params['region'])
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
state=dict(choices=['present', 'absent'], default='present'),
|
||||
ip=dict(aliases=['id'], required=False),
|
||||
region=dict(required=False),
|
||||
droplet_id=dict(required=False, type='int'),
|
||||
oauth_token=dict(
|
||||
no_log=True,
|
||||
# Support environment variable for DigitalOcean OAuth Token
|
||||
fallback=(env_fallback, ['DO_API_TOKEN', 'DO_API_KEY', 'DO_OAUTH_TOKEN']),
|
||||
required=True,
|
||||
),
|
||||
validate_certs=dict(type='bool', default=True),
|
||||
timeout=dict(type='int', default=30),
|
||||
),
|
||||
required_if=[
|
||||
('state', 'delete', ['ip'])
|
||||
],
|
||||
mutually_exclusive=[
|
||||
['region', 'droplet_id']
|
||||
],
|
||||
)
|
||||
|
||||
core(module)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
@ -1,2 +1,9 @@
|
||||
---
|
||||
install_headers: true
|
||||
aip_supported_providers:
|
||||
- digitalocean
|
||||
snat_aipv4: false
|
||||
ipv6_default: "{{ ansible_default_ipv6.address + '/' + ansible_default_ipv6.prefix }}"
|
||||
ipv6_subnet_size: "{{ ipv6_default | ipaddr('size') }}"
|
||||
ipv6_egress_ip: >-
|
||||
{{ (ipv6_default | next_nth_usable(15 | random(seed=algo_server_name + ansible_fqdn))) + '/124' if ipv6_subnet_size|int > 1 else ipv6_default }}
|
||||
|
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Get the anchor IP
|
||||
uri:
|
||||
url: http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address
|
||||
return_content: true
|
||||
register: anchor_ipv4
|
||||
until: anchor_ipv4 is succeeded
|
||||
retries: 30
|
||||
delay: 10
|
||||
|
||||
- name: Set SNAT IP as a fact
|
||||
set_fact:
|
||||
snat_aipv4: "{{ anchor_ipv4.content }}"
|
@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Include alternative ingress ip configuration
|
||||
include_tasks:
|
||||
file: "{{ algo_provider if algo_provider in aip_supported_providers else 'placeholder' }}.yml"
|
||||
when: algo_provider in aip_supported_providers
|
||||
|
||||
- name: Verify SNAT IPv4 found
|
||||
assert:
|
||||
that: snat_aipv4 | ipv4
|
||||
msg: The SNAT IPv4 address not found. Cannot proceed with the alternative ingress ip.
|
@ -0,0 +1,6 @@
|
||||
network:
|
||||
version: 2
|
||||
ethernets:
|
||||
{{ ansible_default_ipv6.interface }}:
|
||||
addresses:
|
||||
- {{ ipv6_egress_ip }}
|
Loading…
Reference in New Issue