#!/usr/bin/env bash
# MIT Licence applies, except if you modify this script you agree to the following terms:
# Don't use `set -e`, you're not an animal. Trap your errors.
# Don't use uppercase for variables that aren't inherited from the environment.
# Use 'echo -e' by default because science.
# Terminate lines with semicolons because voodoo.
# Quote your variable interpolations just about everywhere.
# Usage: ./dynamic_aws_sg_access.sh <Security Group Name>
# Standardised error process. Errors to STDERR.
# Arguments: $1 - text printed after the "[ERROR] " prefix (echo -e escapes apply)
# Returns:   never; the script exits with status 1
function error_and_die() {
  local message="${1}";
  echo -e "[ERROR] ${message}" 1>&2;
  exit 1;
}
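# Script inputs and working variables.
declare access_granted="false";
declare allowed_cidrs;
declare group_name="${1}"; # Define it here, or take it from "${1}", use GNU getopt... whatever you want.
declare my_cidr;
declare my_ip;
# The group name is the only argument; without it every aws call below is meaningless.
[ -z "${group_name}" ] \
&& error_and_die "Usage: ${0} <Security Group Name>";
# Get my public IP. -f makes an HTTP error a non-zero exit instead of an HTML body that
# would be captured as the "address"; --max-time keeps a hung lookup from stalling the script.
my_ip="$(curl -sf --max-time 10 curlmyip.org || echo "Failed")";
# ... or this is all pointless.
[ "${my_ip}" == "Failed" ] \
&& error_and_die "Failed to retrieve my IP from curlmyip.org";
# Whatever came back is about to be written into a security group rule as "<my_ip>/32",
# so accept nothing that is not a dotted-quad IPv4 address: a wrong or tampered response
# must fail here rather than become an ingress rule.
[[ "${my_ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
|| error_and_die "Response from curlmyip.org is not an IPv4 address: ${my_ip}";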
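# Determine currently configured ingress rules for the defined group.
# The group name is passed as its own argument instead of being spliced into the
# JMESPath expression: a name containing spaces, glob characters or a backtick can
# no longer split, expand or rewrite the query, and the query stays a literal.
# Only IPv4 ranges on an exact tcp/22 rule are returned; Ipv6Ranges and rules with
# wider port ranges that also cover 22 are not inspected.
allowed_cidrs="$(aws ec2 describe-security-groups \
--group-names "${group_name}" \
--output text \
--query '
SecurityGroups[].
IpPermissions[?
ToPort==`22` && FromPort==`22` && IpProtocol==`tcp`
].
IpRanges[].
CidrIp' \
|| echo "Failed")";
# ... or go have a beer instead.
[ "${allowed_cidrs}" == "Failed" ] \
&& error_and_die "Failed to retrieve SSH ingress rules for ${group_name}";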
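# With my_ip and allowed_cidrs known, clean-house by revoking all access that isn't from here.
my_cidr="${my_ip}/32";
# Deliberately unquoted: allowed_cidrs is the whitespace-separated text output of the
# query above, not an array, so word-splitting is what yields one CIDR per iteration.
for cidr in ${allowed_cidrs}; do
  if [ "${cidr}" == "${my_cidr}" ]; then
    access_granted="true";
  else
    echo -en "Revoking SSH access to ${group_name} from ${cidr}... ";
    # Quoted so a group name with spaces reaches aws as exactly one argument.
    aws ec2 revoke-security-group-ingress \
      --group-name "${group_name}" \
      --protocol tcp \
      --port 22 \
      --cidr "${cidr}" \
      && echo -e "Done." \
      || echo -e "Failed."; # Non-fatal. Don't die.
  fi;
done;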
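if [ "${access_granted}" == "true" ]; then
  # If we found our IP in the list, we don't need to re-authorise it.
  echo -e "Access already authorised from ${my_cidr}";
else
  # If we didn't, we had better get it authorised.
  echo -en "Authorising SSH access to ${group_name} from ${my_cidr}... ";
  # Quoted so the group name and the CIDR each reach aws as exactly one argument.
  aws ec2 authorize-security-group-ingress \
    --group-name "${group_name}" \
    --protocol tcp \
    --port 22 \
    --cidr "${my_cidr}" \
    && echo -e "Done." \
    || error_and_die "Failed."; # Fatal.
fi;
# We're all done, no fatal errors.
exit 0;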