ajohnstone/update-elb-policy.sh

## update-elb-policy.sh
#!/usr/bin/env bash

UPDATE_ELB_POLICY=${UPDATE_ELB_POLICY:-0};

TMPFILE=`mktemp -t example.XXXXXXXXXX` && {
    printf "Region|Status|Current security policy|Expected security policy|ELB|Action\n" >> "${TMPFILE}";

    aws ec2 describe-regions |awk -F'"' '/RegionName/ {print $4}' | while read region; do

        LATEST_PREDEFINED_SECURITY_GROUP=$(aws --region=$region elb describe-load-balancer-policies | grep -i PolicyName | awk -F '"' '{print $4}' | head -n1 | sed 's/[ \r\n]//g');

        aws --region=$region elb describe-load-balancers | awk -F '"' '/LoadBalancerName/ {print $4}' | while read lb; do
            # aws  elb describe-load-balancers --load-balancer "${lb}" | ruby -e 'require "json";require "pp"; j=JSON.parse(STDIN.read);pp j["LoadBalancerDescriptions"][0]["Policies"]["OtherPolicies"].select { |i| i.include?("sec-ELBSecurityPolicy") }'
            CURRENT_SECURITY_POLICY=$(aws  elb describe-load-balancers --load-balancer "${lb}" | ruby -e 'require "json";require "pp"; j=JSON.parse(STDIN.read);puts j["LoadBalancerDescriptions"][0]["ListenerDescriptions"].select { |v| v["Listener"]["SSLCertificateId"] && v["PolicyNames"] }.map {|v| v["PolicyNames"].first }.first')

            if [ "${CURRENT_SECURITY_POLICY}" != "" ]; then
                EXPECTED_POLICY="sec-${LATEST_PREDEFINED_SECURITY_GROUP}"
                if [ "${EXPECTED_POLICY}" != "${CURRENT_SECURITY_POLICY}" ]; then

                    printf "%s|%s|%s|%s|%s|" "${region}" "OUT_OF_DATE" "${CURRENT_SECURITY_POLICY} " "${EXPECTED_POLICY} " "${lb}" >> "${TMPFILE}"

                    [ "${UPDATE_ELB_POLICY}" -eq "1" ] && {
                        aws elb create-load-balancer-policy --load-balancer-name "${lb}" \
                            --policy-name "sec-${LATEST_PREDEFINED_SECURITY_GROUP}"  --policy-type-name SSLNegotiationPolicyType \
                            --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue="${LATEST_PREDEFINED_SECURITY_GROUP}";

                        aws --region=$region elb set-load-balancer-policies-of-listener --load-balancer-name "${lb}" --load-balancer-port 443 --policy-names "sec-${LATEST_PREDEFINED_SECURITY_GROUP}";
                        printf "UPDATED|$?" >> "${TMPFILE}"
                    } || {
                        printf "NO_ACTION" >> "${TMPFILE}"
                    }
                else
                    printf "%s|%s|%s|%s|%s|NO_ACTION" "${region}" "UP_TO_DATE" "${CURRENT_SECURITY_POLICY} " "${EXPECTED_POLICY} " "${lb}" >> "${TMPFILE}"
                fi
                printf "\n" >> "${TMPFILE}"
            else
                printf "%s|%s|%s|%s|%s|NO_ACTION\n" "${region}" "NOT_SET" "${CURRENT_SECURITY_POLICY} " "${LATEST_PREDEFINED_SECURITY_GROUP} " "${lb}" >> "${TMPFILE}"
            fi
        done
    done
    echo
    cat "${TMPFILE}" |  column -t -s"|" | awk 'NR<2{print $0;next}{print $0| "sort -t\\| -k +2n"}'
    rm -f "${TMPFILE}"
}
	#!/usr/bin/env bash

	UPDATE_ELB_POLICY=${UPDATE_ELB_POLICY:-0};

	TMPFILE=`mktemp -t example.XXXXXXXXXX` && {
	printf "Region\|Status\|Current security policy\|Expected security policy\|ELB\|Action\n" >> "${TMPFILE}";

	aws ec2 describe-regions \|awk -F'"' '/RegionName/ {print $4}' \| while read region; do

	LATEST_PREDEFINED_SECURITY_GROUP=$(aws --region=$region elb describe-load-balancer-policies \| grep -i PolicyName \| awk -F '"' '{print $4}' \| head -n1 \| sed 's/[ \r\n]//g');

	aws --region=$region elb describe-load-balancers \| awk -F '"' '/LoadBalancerName/ {print $4}' \| while read lb; do
	# aws elb describe-load-balancers --load-balancer "${lb}" \| ruby -e 'require "json";require "pp"; j=JSON.parse(STDIN.read);pp j["LoadBalancerDescriptions"][0]["Policies"]["OtherPolicies"].select { \|i\| i.include?("sec-ELBSecurityPolicy") }'
	CURRENT_SECURITY_POLICY=$(aws elb describe-load-balancers --load-balancer "${lb}" \| ruby -e 'require "json";require "pp"; j=JSON.parse(STDIN.read);puts j["LoadBalancerDescriptions"][0]["ListenerDescriptions"].select { \|v\| v["Listener"]["SSLCertificateId"] && v["PolicyNames"] }.map {\|v\| v["PolicyNames"].first }.first')

	if [ "${CURRENT_SECURITY_POLICY}" != "" ]; then
	EXPECTED_POLICY="sec-${LATEST_PREDEFINED_SECURITY_GROUP}"
	if [ "${EXPECTED_POLICY}" != "${CURRENT_SECURITY_POLICY}" ]; then

	printf "%s\|%s\|%s\|%s\|%s\|" "${region}" "OUT_OF_DATE" "${CURRENT_SECURITY_POLICY} " "${EXPECTED_POLICY} " "${lb}" >> "${TMPFILE}"

	[ "${UPDATE_ELB_POLICY}" -eq "1" ] && {
	aws elb create-load-balancer-policy --load-balancer-name "${lb}" \
	--policy-name "sec-${LATEST_PREDEFINED_SECURITY_GROUP}" --policy-type-name SSLNegotiationPolicyType \
	--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue="${LATEST_PREDEFINED_SECURITY_GROUP}";

	aws --region=$region elb set-load-balancer-policies-of-listener --load-balancer-name "${lb}" --load-balancer-port 443 --policy-names "sec-${LATEST_PREDEFINED_SECURITY_GROUP}";
	printf "UPDATED\|$?" >> "${TMPFILE}"
	} \|\| {
	printf "NO_ACTION" >> "${TMPFILE}"
	}
	else
	printf "%s\|%s\|%s\|%s\|%s\|NO_ACTION" "${region}" "UP_TO_DATE" "${CURRENT_SECURITY_POLICY} " "${EXPECTED_POLICY} " "${lb}" >> "${TMPFILE}"
	fi
	printf "\n" >> "${TMPFILE}"
	else
	printf "%s\|%s\|%s\|%s\|%s\|NO_ACTION\n" "${region}" "NOT_SET" "${CURRENT_SECURITY_POLICY} " "${LATEST_PREDEFINED_SECURITY_GROUP} " "${lb}" >> "${TMPFILE}"
	fi
	done
	done
	echo
	cat "${TMPFILE}" \| column -t -s"\|" \| awk 'NR<2{print $0;next}{print $0\| "sort -t\\\| -k +2n"}'
	rm -f "${TMPFILE}"
	}