@ajohnstone
Last active May 13, 2016 01:26
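#!/usr/bin/env bash
#
# Classic ELB SSL-policy audit. For every load balancer in every region the
# account can see, compare the SSL negotiation policy attached to the first
# certificate-bearing listener with the predefined policy AWS lists first,
# print a table, and optionally bring out-of-date listeners up to date.
#
# Environment:
#   UPDATE_ELB_POLICY    1 = apply the update to OUT_OF_DATE listeners;
#                        anything else = report only (default 0)
#   ELB_SECURITY_POLICY  optional: name of the predefined policy to enforce,
#                        instead of taking the first one the API lists
#
# Requires: aws CLI with credentials for ec2:DescribeRegions and
#           elasticloadbalancing Describe*/CreateLoadBalancerPolicy/
#           SetLoadBalancerPoliciesOfListener, plus ruby (JSON), column, sort.
# Output:   Region|Status|Current security policy|Expected security policy|ELB|Action
#           Status is OUT_OF_DATE, UP_TO_DATE or NOT_SET (no SSL listener or
#           no policy on it). Action is NO_ACTION or UPDATED|<exit status>.
#
# No `set -e`: an empty region or an ELB the API cannot describe must produce
# a NOT_SET row, not abort the whole audit.
set -uo pipefail

UPDATE_ELB_POLICY=${UPDATE_ELB_POLICY:-0}
ELB_SECURITY_POLICY=${ELB_SECURITY_POLICY:-}
readonly UPDATE_ELB_POLICY ELB_SECURITY_POLICY

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Name of the predefined SSL policy to enforce in a region.
# Globals:   ELB_SECURITY_POLICY (read) - overrides discovery when set
# Arguments: $1 - region
# Outputs:   policy name on stdout; empty when nothing was found
#######################################
latest_predefined_policy() {
  local region=$1
  if [[ -n "$ELB_SECURITY_POLICY" ]]; then
    printf '%s\n' "$ELB_SECURITY_POLICY"
    return 0
  fi
  # Without a load balancer name this call lists AWS's predefined (sample)
  # policies. Taking the first entry assumes the API lists the newest one
  # first, as the original script did — TODO confirm, or pin
  # ELB_SECURITY_POLICY explicitly for a reproducible audit.
  aws --region "$region" elb describe-load-balancer-policies \
    --query 'PolicyDescriptions[].PolicyName' --output text \
    | awk 'NR==1 {print $1}'
}

#######################################
# Port and first policy of the first certificate-bearing listener of an ELB.
# Arguments: $1 - region, $2 - load balancer name
# Outputs:   "<port>\t<policy>" on stdout; nothing when there is no SSL
#            listener; policy is empty when the listener has no policy
#######################################
ssl_listener_policy() {
  local region=$1 lb=$2
  # --region is required here: the original queried the default region for an
  # ELB that only exists in $region.
  aws --region "$region" elb describe-load-balancers --load-balancer-names "$lb" \
    | ruby -e '
      require "json"
      j = JSON.parse(STDIN.read)
      l = j["LoadBalancerDescriptions"][0]["ListenerDescriptions"].find { |v| v["Listener"]["SSLCertificateId"] }
      puts([l["Listener"]["LoadBalancerPort"], l["PolicyNames"].first].join("\t")) if l
    '
}

#######################################
# Create the SSL negotiation policy on an ELB and attach it to one listener.
# Arguments: $1 - region, $2 - load balancer name, $3 - listener port,
#            $4 - predefined policy name (ELB-local policy is "sec-<name>")
# Returns:   exit status of set-load-balancer-policies-of-listener
#######################################
apply_policy() {
  local region=$1 lb=$2 port=$3 predefined=$4
  local policy="sec-${predefined}"
  # Both calls target the ELB's own region; the original omitted --region on
  # create, so the policy was never created where the listener lives.
  # create fails if a policy of that name already exists on this ELB (e.g.
  # attached to another listener); that is harmless, so only warn.
  aws --region "$region" elb create-load-balancer-policy \
    --load-balancer-name "$lb" --policy-name "$policy" \
    --policy-type-name SSLNegotiationPolicyType \
    --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=${predefined}" \
    || printf 'warn: create-load-balancer-policy failed for %s/%s\n' "$region" "$lb" >&2
  # NOTE(review): like the original, this replaces the listener's whole policy
  # list with the single SSL policy; any other listener-level policy (e.g. a
  # stickiness policy) would be dropped — confirm before running with updates.
  # The port is the one the audited listener actually uses, not a fixed 443.
  aws --region "$region" elb set-load-balancer-policies-of-listener \
    --load-balancer-name "$lb" --load-balancer-port "$port" --policy-names "$policy"
}

main() {
  local tmpfile region lb latest expected port current action rc
  local -a regions lbs

  tmpfile=$(mktemp -t example.XXXXXXXXXX) || die "mktemp failed"
  trap 'rm -f -- "$tmpfile"' EXIT

  printf 'Region|Status|Current security policy|Expected security policy|ELB|Action\n' > "$tmpfile"

  mapfile -t regions < <(aws ec2 describe-regions --query 'Regions[].RegionName' \
    --output text | tr '\t' '\n')
  (( ${#regions[@]} > 0 )) || die "describe-regions returned no regions"

  for region in "${regions[@]}"; do
    latest=$(latest_predefined_policy "$region")
    if [[ -z "$latest" ]]; then
      printf 'warn: no predefined SSL policy found in %s, skipping\n' "$region" >&2
      continue
    fi
    expected="sec-${latest}"

    mapfile -t lbs < <(aws --region "$region" elb describe-load-balancers \
      --query 'LoadBalancerDescriptions[].LoadBalancerName' --output text | tr '\t' '\n')
    (( ${#lbs[@]} > 0 )) || continue

    for lb in "${lbs[@]}"; do
      port= current=
      IFS=$'\t' read -r port current < <(ssl_listener_policy "$region" "$lb") || true
      # Empty fields are written as "-" so column does not merge adjacent
      # separators (the original padded them with a trailing space instead).
      if [[ -z "$current" ]]; then
        printf '%s|NOT_SET|%s|%s|%s|NO_ACTION\n' \
          "$region" "-" "$latest" "$lb" >> "$tmpfile"
      elif [[ "$current" == "$expected" ]]; then
        printf '%s|UP_TO_DATE|%s|%s|%s|NO_ACTION\n' \
          "$region" "$current" "$expected" "$lb" >> "$tmpfile"
      else
        action=NO_ACTION
        if [[ "$UPDATE_ELB_POLICY" == 1 ]]; then
          rc=0
          apply_policy "$region" "$lb" "$port" "$latest" || rc=$?
          action="UPDATED|${rc}"
        fi
        printf '%s|OUT_OF_DATE|%s|%s|%s|%s\n' \
          "$region" "$current" "$expected" "$lb" "$action" >> "$tmpfile"
      fi
    done
  done

  printf '\n'
  # Sort the body by status, then region, *before* column rewrites the '|'
  # separators; the original sorted after column, when no '|' was left to
  # split on, so its sort key was always empty.
  {
    head -n 1 "$tmpfile"
    tail -n +2 "$tmpfile" | LC_ALL=C sort -t '|' -k 2,2 -k 1,1
  } | column -t -s '|'
}

main "$@"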