@kalbasit
Last active January 16, 2019 04:34
{
# Security group "ssh-in": admits TCP/22 from every IPv4 address.
# accessKeyId and region are taken from the enclosing scope (not shown here).
# NOTE(review): 0.0.0.0/0 leaves sshd reachable from the whole IPv4 Internet.
# If the admin networks are known, narrow sourceIp to those CIDRs or to a
# bastion host, and keep sshd on key-only authentication.
resources.ec2SecurityGroups.ssh-in = {
  inherit accessKeyId region;
  description = "Allow incoming SSH connection from anywhere";
  rules = [
    {
      protocol = "tcp";
      fromPort = 22;
      toPort = 22;
      sourceIp = "0.0.0.0/0";
    }
    # TODO(low): https://github.com/NixOS/nixops/issues/683
    # IPv6 counterpart of the rule above, kept disabled pending that issue:
    # { protocol = "tcp"; fromPort = 22; toPort = 22; sourceIp = "::/0"; }
  ];
};
# Security group "http-in": admits TCP/80 from every IPv4 address.
# accessKeyId and region are taken from the enclosing scope (not shown here).
# NOTE(review): only plaintext port 80 is opened; this group has no 443 rule.
# Confirm whether TLS is terminated elsewhere or is simply not offered.
resources.ec2SecurityGroups.http-in = {
  inherit accessKeyId region;
  description = "Allow incoming HTTP connection from anywhere";
  rules = [
    {
      protocol = "tcp";
      fromPort = 80;
      toPort = 80;
      sourceIp = "0.0.0.0/0";
    }
    # TODO(low): https://github.com/NixOS/nixops/issues/683
    # IPv6 counterpart of the rule above, kept disabled pending that issue:
    # { protocol = "tcp"; fromPort = 80; toPort = 80; sourceIp = "::/0"; }
  ];
};
# Security group "backend-http-in": admits TCP/8080 only from members of the
# "http-in" security group owned by ownerId.
# accessKeyId, region and ownerId are taken from the enclosing scope.
# NOTE(review): access follows group membership, so every instance attached to
# "http-in" can reach port 8080 here; keep that group's membership tight.
resources.ec2SecurityGroups.backend-http-in = {
  inherit accessKeyId region;
  description = "Allow backend HTTP connection from HTTP servers";
  rules = [
    {
      protocol = "tcp";
      fromPort = 8080;
      toPort = 8080;
      sourceGroup = {
        inherit ownerId;
        groupName = "http-in";
      };
    }
    # TODO(low): https://github.com/NixOS/nixops/issues/683
    # NOTE(review): do not enable the disabled rule below as written. It is the
    # public port-80 rule, not an equivalent of the 8080 source-group rule
    # above, and would open port 80 on this internal group to all of IPv6.
    # { protocol = "tcp"; fromPort = 80; toPort = 80; sourceIp = "::/0"; }
  ];
};
# Security group "redis-in": admits TCP/6379 only from members of the
# "backend-http-in" security group owned by ownerId.
# accessKeyId, region and ownerId are taken from the enclosing scope.
# NOTE(review): if Redis runs without authentication, this rule is the only
# access control in front of it; verify the membership of "backend-http-in".
# NOTE(review): the deploy log published with this expression fails while
# authorizing this rule (EC2 400 MissingParameter, "Source group ID
# missing."). EC2 appears to want a group ID for the source group rather than
# the name/owner pair; confirm against the target VPC setup.
resources.ec2SecurityGroups.redis-in = {
  inherit accessKeyId region;
  description = "Allow incoming Redis connection from backend HTTP hosts";
  rules = [
    {
      protocol = "tcp";
      fromPort = 6379;
      toPort = 6379;
      sourceGroup = {
        inherit ownerId;
        groupName = "backend-http-in";
      };
    }
    # TODO(low): https://github.com/NixOS/nixops/issues/683
    # NOTE(review): do not enable the disabled rule below as written. It is the
    # public port-80 rule, not an equivalent of the 6379 source-group rule
    # above, and would open port 80 on this internal group to all of IPv6.
    # { protocol = "tcp"; fromPort = 80; toPort = 80; sourceIp = "::/0"; }
  ];
};
}
redis-in.......> adding new rules to EC2 security group ‘charon-af097863-1939-11e9-b54d-0242b81b2755-redis-in’...
Traceback (most recent call last):
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/bin/..nixops-wrapped-wrapped", line 985, in <module>
args.op()
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/bin/..nixops-wrapped-wrapped", line 407, in op_deploy
max_concurrent_activate=args.max_concurrent_activate)
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/deployment.py", line 1051, in deploy
self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/deployment.py", line 1040, in run_with_notify
f()
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/deployment.py", line 1051, in <lambda>
self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/deployment.py", line 984, in _deploy
nixops.parallel.run_tasks(nr_workers=-1, tasks=self.active_resources.itervalues(), worker_fun=worker)
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/parallel.py", line 44, in thread_fun
result_queue.put((worker_fun(t), None, t.name))
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/deployment.py", line 957, in worker
r.create(self.definitions[r.name], check=check, allow_reboot=allow_reboot, allow_recreate=allow_recreate)
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/resources/ec2_security_group.py", line 198, in create
retry_notfound(lambda: grp.authorize(ip_protocol=rule[0], from_port=rule[1], to_port=rule[2], src_group=src_group))
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/resources/ec2_security_group.py", line 101, in retry_notfound
nixops.ec2_utils.retry(f, error_codes=['InvalidGroup.NotFound'])
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/ec2_utils.py", line 132, in retry
handle_exception(e)
File "/nix/store/7b9karb5lal6ik7vakvbm56jlz3m3xwl-nixops-1.6/lib/python2.7/site-packages/nixops/ec2_utils.py", line 112, in handle_exception
raise e
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>MissingParameter</Code><Message>Source group ID missing.</Message></Error></Errors><RequestID>4f7f3041-a95f-437f-b0cb-49be02268d85</RequestID></Response>