/update-elb-policy.sh
Last active May 13, 2016
| #!/usr/bin/env bash | |
| UPDATE_ELB_POLICY=${UPDATE_ELB_POLICY:-0}; | |
| TMPFILE=`mktemp -t example.XXXXXXXXXX` && { | |
| printf "Region|Status|Current security policy|Expected security policy|ELB|Action\n" >> "${TMPFILE}"; | |
| aws ec2 describe-regions |awk -F'"' '/RegionName/ {print $4}' | while read region; do | |
| LATEST_PREDEFINED_SECURITY_GROUP=$(aws --region=$region elb describe-load-balancer-policies | grep -i PolicyName | awk -F '"' '{print $4}' | head -n1 | sed 's/[ \r\n]//g'); | |
| aws --region=$region elb describe-load-balancers | awk -F '"' '/LoadBalancerName/ {print $4}' | while read lb; do | |
| # aws elb describe-load-balancers --load-balancer "${lb}" | ruby -e 'require "json";require "pp"; j=JSON.parse(STDIN.read);pp j["LoadBalancerDescriptions"][0]["Policies"]["OtherPolicies"].select { |i| i.include?("sec-ELBSecurityPolicy") }' | |
| CURRENT_SECURITY_POLICY=$(aws elb describe-load-balancers --load-balancer "${lb}" | ruby -e 'require "json";require "pp"; j=JSON.parse(STDIN.read);puts j["LoadBalancerDescriptions"][0]["ListenerDescriptions"].select { |v| v["Listener"]["SSLCertificateId"] && v["PolicyNames"] }.map {|v| v["PolicyNames"].first }.first') | |
| if [ "${CURRENT_SECURITY_POLICY}" != "" ]; then | |
| EXPECTED_POLICY="sec-${LATEST_PREDEFINED_SECURITY_GROUP}" | |
| if [ "${EXPECTED_POLICY}" != "${CURRENT_SECURITY_POLICY}" ]; then | |
| printf "%s|%s|%s|%s|%s|" "${region}" "OUT_OF_DATE" "${CURRENT_SECURITY_POLICY} " "${EXPECTED_POLICY} " "${lb}" >> "${TMPFILE}" | |
| [ "${UPDATE_ELB_POLICY}" -eq "1" ] && { | |
| aws elb create-load-balancer-policy --load-balancer-name "${lb}" \ | |
| --policy-name "sec-${LATEST_PREDEFINED_SECURITY_GROUP}" --policy-type-name SSLNegotiationPolicyType \ | |
| --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue="${LATEST_PREDEFINED_SECURITY_GROUP}"; | |
| aws --region=$region elb set-load-balancer-policies-of-listener --load-balancer-name "${lb}" --load-balancer-port 443 --policy-names "sec-${LATEST_PREDEFINED_SECURITY_GROUP}"; | |
| printf "UPDATED|$?" >> "${TMPFILE}" | |
| } || { | |
| printf "NO_ACTION" >> "${TMPFILE}" | |
| } | |
| else | |
| printf "%s|%s|%s|%s|%s|NO_ACTION" "${region}" "UP_TO_DATE" "${CURRENT_SECURITY_POLICY} " "${EXPECTED_POLICY} " "${lb}" >> "${TMPFILE}" | |
| fi | |
| printf "\n" >> "${TMPFILE}" | |
| else | |
| printf "%s|%s|%s|%s|%s|NO_ACTION\n" "${region}" "NOT_SET" "${CURRENT_SECURITY_POLICY} " "${LATEST_PREDEFINED_SECURITY_GROUP} " "${lb}" >> "${TMPFILE}" | |
| fi | |
| done | |
| done | |
| echo | |
| cat "${TMPFILE}" | column -t -s"|" | awk 'NR<2{print $0;next}{print $0| "sort -t\\| -k +2n"}' | |
| rm -f "${TMPFILE}" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment