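#!/usr/bin/env bash
#
# Audit, and optionally fix, the TLS negotiation policy attached to the HTTPS
# listener of every classic ELB in every region of the current account.
#
# For each region the first predefined policy returned by
# `elb describe-load-balancer-policies` is treated as the reference ("latest")
# policy.  Every load balancer whose TLS-terminating listener carries a policy
# is compared with a custom policy named "sec-<reference>" that references it.
#
# Environment:
#   UPDATE_ELB_POLICY  "1" to create the "sec-<reference>" policy on out-of-date
#                      balancers and attach it to their TLS listener; any other
#                      value (default 0) only reports.
#
# Output: one pipe-separated row per load balancer,
#   Region|Status|Current security policy|Expected security policy|ELB|Action
# printed on stdout as an aligned table sorted by Status.
# Requires the aws CLI and ruby (used for the JSON listener lookup).
#
# NOTE(review): the API does not document an ordering for the predefined
# policies, so "first returned == latest" is an assumption.  The update path
# therefore refuses to act unless the reference name looks like a predefined
# ELBSecurityPolicy-* policy, so a surprising list order cannot rewrite
# listeners with an arbitrary policy.
#
# Fixes over the previous revision: every elb call now carries --region (the
# per-balancer describe and the policy creation used the default region, so a
# same-named balancer in another region could be inspected or modified
# instead of the one being audited), the listener port is taken from the
# listener that actually holds the policy instead of being hard-coded to 443,
# and the temp file is removed on every exit path.

set -uo pipefail   # deliberately no -e: a region we cannot query must not abort the audit

UPDATE_ELB_POLICY=${UPDATE_ELB_POLICY:-0}

TMPFILE=$(mktemp -t example.XXXXXXXXXX) || exit 1
trap 'rm -f -- "${TMPFILE}"' EXIT

# Append one report row.  Every field goes through %s so that values coming
# back from the API are never interpreted as a printf format string.
row() {
  printf '%s|%s|%s|%s|%s|%s\n' "$@" >> "${TMPFILE}"
}

row "Region" "Status" "Current security policy" "Expected security policy" "ELB" "Action"

while IFS= read -r region; do
  [[ -n "${region}" ]] || continue

  # Reference policy for this region (see NOTE above about ordering).
  # `--output text` prints the literal "None" when the list is empty.
  reference=$(aws --region "${region}" elb describe-load-balancer-policies \
                --query 'PolicyDescriptions[0].PolicyName' --output text \
              | tr -d ' \r\n')
  [[ "${reference}" == "None" ]] && reference=""
  expected="sec-${reference}"

  while IFS= read -r lb; do
    [[ -n "${lb}" ]] || continue

    # "<port> <policy>" of the first listener that has a certificate (i.e.
    # terminates TLS) and a PolicyNames list; empty when there is no such
    # listener, no policy, or the describe call returned nothing.
    listener=$(aws --region "${region}" elb describe-load-balancers \
                  --load-balancer-names "${lb}" \
               | ruby -e '
                   require "json"
                   input = STDIN.read
                   exit if input.strip.empty?
                   descs = JSON.parse(input)["LoadBalancerDescriptions"] || []
                   l = (descs.first || {}).fetch("ListenerDescriptions", []).find { |v|
                     v["Listener"]["SSLCertificateId"] && v["PolicyNames"]
                   }
                   if l && l["PolicyNames"].first
                     puts "#{l["Listener"]["LoadBalancerPort"]} #{l["PolicyNames"].first}"
                   end
                 ')
    port=${listener%% *}
    current=${listener#* }

    if [[ -z "${current}" ]]; then
      row "${region}" "NOT_SET" "${current} " "${reference} " "${lb}" "NO_ACTION"
      continue
    fi

    if [[ "${current}" == "${expected}" ]]; then
      row "${region}" "UP_TO_DATE" "${current} " "${expected} " "${lb}" "NO_ACTION"
      continue
    fi

    action="NO_ACTION"
    if [[ "${UPDATE_ELB_POLICY}" == "1" ]]; then
      if [[ "${reference}" == ELBSecurityPolicy-* ]]; then
        # create-load-balancer-policy fails (DuplicatePolicyName) when the
        # custom policy already exists on this balancer; that is harmless and
        # the recorded status is that of attaching the policy.  Note that
        # --policy-names REPLACES every policy currently on the listener.
        aws --region "${region}" elb create-load-balancer-policy \
          --load-balancer-name "${lb}" --policy-name "${expected}" \
          --policy-type-name SSLNegotiationPolicyType \
          --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=${reference}"
        aws --region "${region}" elb set-load-balancer-policies-of-listener \
          --load-balancer-name "${lb}" --load-balancer-port "${port:-443}" \
          --policy-names "${expected}"
        action="UPDATED|$?"
      else
        # Refuse to push a policy whose reference is not a recognisable
        # predefined policy name (empty, "None", or unexpected ordering).
        action="SKIPPED_UNRECOGNISED_REFERENCE"
      fi
    fi
    row "${region}" "OUT_OF_DATE" "${current} " "${expected} " "${lb}" "${action}"
  done < <(aws --region "${region}" elb describe-load-balancers \
             --query 'LoadBalancerDescriptions[].LoadBalancerName' --output text \
           | tr '\t' '\n')
done < <(aws ec2 describe-regions --query 'Regions[].RegionName' --output text | tr '\t' '\n')

echo
# Header first, the remaining rows sorted by the Status column, then aligned.
{
  head -n 1 "${TMPFILE}"
  tail -n +2 "${TMPFILE}" | sort -t '|' -k 2,2
} | column -t -s '|'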