@@ -152,33 +152,56 @@ def delete_security_group(self, group_id: str):
152152 raise
153153
154154 def add_security_group_ingress_and_egress_rules (
155- self , security_group_id : str , ingress_rules : List [ Dict [ str , Any ]]
155+ self , security_group_id : str , client_security_group_id : str = None
156156 ):
157157 """
158- Add ingress rules to an existing security group
158+ Add required ingress and egress rules for FSx Lustre
159159 : param security_group_id: ID of the security group to modify
160- : param ingress_rules: list of dictionaries containing ingress rule configurations
161- Example: [{"protocol": "tcp", "port": "988-1023", "source-group": "sg-xxx"}]
162- : return: None
163- : raises: Exception if adding ingress rules fails
160+ : param client_security_group_id: ID of the client security group (optional)
164161 """
165162 try :
166- for rule in ingress_rules :
167- cmd = f"aws ec2 authorize-security-group-ingress --group-id { security_group_id } "
168- for key , value in rule .items ():
169- cmd += f" --{ key } { value } "
170- run (cmd )
171-
172- for rule in ingress_rules :
173- cmd = f"aws ec2 authorize-security-group-egress --group-id { security_group_id } "
174- for key , value in rule .items ():
175- cmd += f" --{ key } { value } "
176- run (cmd )
163+ # If client_security_group_id is not provided, use the same security group
164+ source_group = (
165+ client_security_group_id if client_security_group_id else security_group_id
166+ )
177167
178- logger .info (f"Added ingress rules to security group: { security_group_id } " )
168+ # Define the required rules
169+ rules = [
170+ # Ingress rules for port 988
171+ f"aws ec2 authorize-security-group-ingress --group-id { security_group_id } "
172+ f"--protocol tcp --port 988 --source-group { security_group_id } " ,
173+ f"aws ec2 authorize-security-group-ingress --group-id { security_group_id } "
174+ f"--protocol tcp --port 988 --source-group { source_group } " ,
175+ # Ingress rules for ports 1018-1023
176+ f"aws ec2 authorize-security-group-ingress --group-id { security_group_id } "
177+ f"--protocol tcp --port 1018-1023 --source-group { security_group_id } " ,
178+ f"aws ec2 authorize-security-group-ingress --group-id { security_group_id } "
179+ f"--protocol tcp --port 1018-1023 --source-group { source_group } " ,
180+ # Egress rules for port 988
181+ f"aws ec2 authorize-security-group-egress --group-id { security_group_id } "
182+ f"--protocol tcp --port 988 --destination-group { security_group_id } " ,
183+ f"aws ec2 authorize-security-group-egress --group-id { security_group_id } "
184+ f"--protocol tcp --port 988 --destination-group { source_group } " ,
185+ # Egress rules for ports 1018-1023
186+ f"aws ec2 authorize-security-group-egress --group-id { security_group_id } "
187+ f"--protocol tcp --port 1018-1023 --destination-group { security_group_id } " ,
188+ f"aws ec2 authorize-security-group-egress --group-id { security_group_id } "
189+ f"--protocol tcp --port 1018-1023 --destination-group { source_group } " ,
190+ ]
191+
192+ # Execute each rule
193+ for cmd in rules :
194+ try :
195+ run (cmd )
196+ except Exception as e :
197+ logger .warning (
198+ f"Rule application failed: { e } . Continuing with remaining rules..."
199+ )
200+
201+ logger .info (f"Added security group rules to: { security_group_id } " )
179202
180203 except Exception as e :
181- logger .error (f"Failed to add ingress rules to security group: { e } " )
204+ logger .error (f"Failed to add security group rules : { e } " )
182205 raise
183206
184207 def setup_csi_driver (self ):
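Review bot: The per-rule `except Exception` around `run(cmd)` (new lines 194-199) downgrades every failed `authorize-security-group-*` call to a warning, so a partially applied rule set still reaches `logger.info(f"Added security group rules to: ...")` and returns normally, and the outer `except Exception: raise` can no longer fire for a rule failure — the caller has no way to learn that FSx Lustre traffic on 988 or 1018-1023 was never authorized. Presumably the swallow exists because, with `client_security_group_id` left as `None`, `source_group` equals `security_group_id` and every second entry in `rules` is an exact duplicate of the one before it, which the CLI would reject; iterating over the distinct targets (`for group in {security_group_id, source_group}`) removes that cause, and the genuinely failed commands should then be collected and raised after the loop as in the fence below. The signature's `client_security_group_id: str = None` should be annotated `Optional[str]` (or `str | None`), and because `run(cmd)`, defined outside this hunk, receives a shell-style string with the two IDs interpolated, it is worth checking that both look like `sg-` identifiers before embedding them unless `run` already executes an argument list with `shell=False`. Since the `ingress_rules` parameter is gone, the docstring should also say that the rule set is fixed to the FSx Lustre ports 988 and 1018-1023 and that failures are reported, e.g. `:raises RuntimeError: if any rule could not be applied`.

```python
            # … unchanged: source_group computation and rules list …
            failed = []
            for cmd in rules:
                try:
                    run(cmd)
                except Exception as e:
                    # TODO(review): if only duplicate-rule errors are expected here,
                    # match that error instead of every Exception
                    logger.warning(
                        f"Rule application failed: {e}. Continuing with remaining rules..."
                    )
                    failed.append(cmd)

            if failed:
                raise RuntimeError(
                    f"{len(failed)} of {len(rules)} security group rules failed for {security_group_id}"
                )

            logger.info(f"Added security group rules to: {security_group_id}")
```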