// deleteInstanceNetworkSecurityRules deletes network security rules in the
// internal network security group that correspond to the specified machine.
//
// This is expected to delete *all* security rules related to the instance,
// i.e. both the ones opened by OpenPorts above, and the ones opened for API
// access.
func deleteInstanceNetworkSecurityRules(
resourceGroup string, id instance.Id,
nsgClient network.SecurityGroupsClient,
securityRuleClient network.SecurityRulesClient,
) error {
nsg, err := nsgClient.Get(resourceGroup, internalSecurityGroupName)
if err != nil {
return errors.Annotate(err, "querying network security group")
}
if nsg.Properties.SecurityRules == nil {
return nil
}
prefix := instanceNetworkSecurityRulePrefix(id)
for _, rule := range *nsg.Properties.SecurityRules {
ruleName := to.String(rule.Name)
if !strings.HasPrefix(ruleName, prefix) {
continue
}
result, err := securityRuleClient.Delete(
resourceGroup,
internalSecurityGroupName,
ruleName,
)
if err != nil {
if result.Response == nil || result.StatusCode != http.StatusNotFound {
return errors.Annotatef(err, "deleting security rule %q", ruleName)
}
}
}
return nil
}
// ClosePorts is specified in the Instance interface.
func (inst *azureInstance) ClosePorts(machineId string, ports []jujunetwork.PortRange) error {
securityRuleClient := network.SecurityRulesClient{inst.env.network}
securityGroupName := internalSecurityGroupName
// Delete rules one at a time; this is necessary to avoid trampling
// on changes made by the provisioner.
vmName := resourceName(names.NewMachineTag(machineId))
prefix := instanceNetworkSecurityRulePrefix(instance.Id(vmName))
for _, ports := range ports {
ruleName := securityRuleName(prefix, ports)
logger.Debugf("deleting security rule %q", ruleName)
var result autorest.Response
if err := inst.env.callAPI(func() (autorest.Response, error) {
var err error
result, err = securityRuleClient.Delete(
inst.env.resourceGroup, securityGroupName, ruleName,
nil, // abort channel
)
return result, err
}); err != nil {
if result.Response == nil || result.StatusCode != http.StatusNotFound {
return errors.Annotatef(err, "deleting security rule %q", ruleName)
}
}
}
return nil
}
// deleteInstanceNetworkSecurityRules deletes network security rules in the
// internal network security group that correspond to the specified machine.
//
// This is expected to delete *all* security rules related to the instance,
// i.e. both the ones opened by OpenPorts above, and the ones opened for API
// access.
func deleteInstanceNetworkSecurityRules(
resourceGroup string, id instance.Id,
nsgClient network.SecurityGroupsClient,
securityRuleClient network.SecurityRulesClient,
callAPI callAPIFunc,
) error {
var nsg network.SecurityGroup
if err := callAPI(func() (autorest.Response, error) {
var err error
nsg, err = nsgClient.Get(resourceGroup, internalSecurityGroupName, "")
return nsg.Response, err
}); err != nil {
return errors.Annotate(err, "querying network security group")
}
if nsg.Properties.SecurityRules == nil {
return nil
}
prefix := instanceNetworkSecurityRulePrefix(id)
for _, rule := range *nsg.Properties.SecurityRules {
ruleName := to.String(rule.Name)
if !strings.HasPrefix(ruleName, prefix) {
continue
}
var result autorest.Response
err := callAPI(func() (autorest.Response, error) {
var err error
result, err = securityRuleClient.Delete(
resourceGroup,
internalSecurityGroupName,
ruleName,
nil, // abort channel
)
return result, err
})
if err != nil {
if result.Response == nil || result.StatusCode != http.StatusNotFound {
return errors.Annotatef(err, "deleting security rule %q", ruleName)
}
}
}
return nil
}
