// deleteInstanceNetworkSecurityRules deletes network security rules in the
// internal network security group that correspond to the specified machine.
//
// This is expected to delete *all* security rules related to the instance,
// i.e. both the ones opened by OpenPorts above, and the ones opened for API
// access.
//
// A rule that is already gone (the delete returns HTTP 404) is not treated
// as a failure; any other error aborts the loop and is returned annotated
// with the rule name.
func deleteInstanceNetworkSecurityRules(
	resourceGroup string,
	id instance.Id,
	nsgClient network.SecurityGroupsClient,
	securityRuleClient network.SecurityRulesClient,
) error {
	nsg, err := nsgClient.Get(resourceGroup, internalSecurityGroupName)
	if err != nil {
		return errors.Annotate(err, "querying network security group")
	}
	// NOTE(review): assumes Get always populates nsg.Properties; if the SDK
	// can return it nil this dereference panics — confirm.
	rules := nsg.Properties.SecurityRules
	if rules == nil {
		return nil
	}

	// Rules are selected by name prefix only. NOTE(review): this relies on
	// instanceNetworkSecurityRulePrefix ending in a delimiter; if it does
	// not, rules of another instance whose id extends this one (constructed
	// example: "m-1" vs "m-10") would be removed too — confirm.
	prefix := instanceNetworkSecurityRulePrefix(id)
	for _, rule := range *rules {
		name := to.String(rule.Name)
		if !strings.HasPrefix(name, prefix) {
			continue
		}
		resp, err := securityRuleClient.Delete(
			resourceGroup, internalSecurityGroupName, name,
		)
		if err == nil {
			continue
		}
		// Already deleted by someone else: nothing left to do for this rule.
		if resp.Response != nil && resp.StatusCode == http.StatusNotFound {
			continue
		}
		return errors.Annotatef(err, "deleting security rule %q", name)
	}
	return nil
}
// ClosePorts is specified in the Instance interface.
//
// One security rule is removed per port range, named from the instance's
// rule prefix and the range. A rule that no longer exists (HTTP 404) is
// silently skipped; any other API error is returned annotated with the
// rule name and stops further deletions.
func (inst *azureInstance) ClosePorts(machineId string, ports []jujunetwork.PortRange) error {
	client := network.SecurityRulesClient{inst.env.network}
	machineTag := names.NewMachineTag(machineId)
	prefix := instanceNetworkSecurityRulePrefix(instance.Id(resourceName(machineTag)))

	// Rules are deleted individually rather than by rewriting the whole
	// group, so that concurrent changes made by the provisioner are not
	// trampled.
	deleteRule := func(ruleName string) (autorest.Response, error) {
		var resp autorest.Response
		err := inst.env.callAPI(func() (autorest.Response, error) {
			var err error
			resp, err = client.Delete(
				inst.env.resourceGroup, internalSecurityGroupName, ruleName,
				nil, // abort channel
			)
			return resp, err
		})
		return resp, err
	}

	for _, portRange := range ports {
		ruleName := securityRuleName(prefix, portRange)
		logger.Debugf("deleting security rule %q", ruleName)
		resp, err := deleteRule(ruleName)
		if err == nil {
			continue
		}
		// A missing rule means these ports are already closed.
		if resp.Response != nil && resp.StatusCode == http.StatusNotFound {
			continue
		}
		return errors.Annotatef(err, "deleting security rule %q", ruleName)
	}
	return nil
}
// deleteInstanceNetworkSecurityRules deletes network security rules in the
// internal network security group that correspond to the specified machine.
//
// This is expected to delete *all* security rules related to the instance,
// i.e. both the ones opened by OpenPorts above, and the ones opened for API
// access.
//
// Every SDK call goes through callAPI. A rule that is already gone (the
// delete returns HTTP 404) is not treated as a failure; any other error
// aborts the loop and is returned annotated with the rule name.
func deleteInstanceNetworkSecurityRules(
	resourceGroup string,
	id instance.Id,
	nsgClient network.SecurityGroupsClient,
	securityRuleClient network.SecurityRulesClient,
	callAPI callAPIFunc,
) error {
	var nsg network.SecurityGroup
	fetchGroup := func() (autorest.Response, error) {
		var err error
		nsg, err = nsgClient.Get(resourceGroup, internalSecurityGroupName, "")
		return nsg.Response, err
	}
	if err := callAPI(fetchGroup); err != nil {
		return errors.Annotate(err, "querying network security group")
	}
	// NOTE(review): assumes Get always populates nsg.Properties; if the SDK
	// can return it nil this dereference panics — confirm.
	rules := nsg.Properties.SecurityRules
	if rules == nil {
		return nil
	}

	deleteRule := func(name string) (autorest.Response, error) {
		var resp autorest.Response
		err := callAPI(func() (autorest.Response, error) {
			var err error
			resp, err = securityRuleClient.Delete(
				resourceGroup, internalSecurityGroupName, name,
				nil, // abort channel
			)
			return resp, err
		})
		return resp, err
	}

	// Rules are selected by name prefix only. NOTE(review): this relies on
	// instanceNetworkSecurityRulePrefix ending in a delimiter; if it does
	// not, rules of another instance whose id extends this one (constructed
	// example: "m-1" vs "m-10") would be removed too — confirm.
	prefix := instanceNetworkSecurityRulePrefix(id)
	for _, rule := range *rules {
		name := to.String(rule.Name)
		if !strings.HasPrefix(name, prefix) {
			continue
		}
		resp, err := deleteRule(name)
		if err == nil {
			continue
		}
		// Already deleted by someone else: nothing left to do for this rule.
		if resp.Response != nil && resp.StatusCode == http.StatusNotFound {
			continue
		}
		return errors.Annotatef(err, "deleting security rule %q", name)
	}
	return nil
}