Create or modify the AWS security group so that only GitHub's servers are allowed to reach our services
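# syntax=docker/dockerfile:1
# Runtime image for the github-sg CronJob: bash + awscli + jq + curl, as needed by register.sh.
FROM python:3.7

# Set the timezone to KST. TZ covers libc/python; the symlink covers tools that only read /etc/localtime.
ENV TZ=Asia/Seoul
RUN ln -snf "/usr/share/zoneinfo/${TZ}" /etc/localtime

# groff is needed by `aws help`; lists are removed in the same layer so they never reach the image.
RUN set -ex \
    && apt-get update \
    && apt-get install --no-install-recommends -y groff \
    && rm -rf /var/lib/apt/lists/*

# jq is downloaded from the GitHub release and verified against a digest supplied at build time:
#   docker build --build-arg JQ_SHA256=<sha256 of jq-linux64 from the jq-1.5 release> .
# The build fails closed when the digest is missing or does not match, instead of trusting
# whatever the URL currently serves (the previous unverified ADD <url> did exactly that).
ARG JQ_VERSION=1.5
ARG JQ_SHA256
RUN set -ex \
    && test -n "${JQ_SHA256}" \
    && curl -fsSL "https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" \
         -o /usr/local/bin/jq \
    && echo "${JQ_SHA256}  /usr/local/bin/jq" | sha256sum -c - \
    && chmod 0755 /usr/local/bin/jq

WORKDIR /usr/src/app
# Dependency manifest is copied alone so this layer is reused until requirements.txt changes.
COPY requirements.txt ./
# pip itself is upgraded unpinned; the application packages come from requirements.txt (pin them there).
RUN pip install --no-cache-dir --upgrade pip \
    && pip install --no-cache-dir -r requirements.txt

# NOTE(review): the image still runs as root. The CronJob that uses it mounts register.sh from a
# projected ConfigMap volume (defaultMode 500), so switching to a non-root USER here must be done
# together with a volume mode / fsGroup that keeps the script executable for that user.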
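# CronJob that runs register.sh every day at 18:30 (controller-manager timezone) to rebuild
# the GitHub-only security group.
# batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1 accepts this spec unchanged.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: github-sg
  labels:
    app: github-sg
spec:
  schedule: "30 18 * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            # IAM role the pod assumes (kube2iam/kiam-style annotation). It only needs the
            # ec2:*SecurityGroup* permissions register.sh calls; keep the policy that narrow.
            iam.amazonaws.com/role: arn:aws:iam::111122223333:role/GitHubSecurityGroup
          labels:
            app: github-sg
        spec:
          containers:
            - name: github-sg
              # TODO(review): pin a tag or digest; an untagged reference resolves to :latest.
              image: my/raven-bash
              args:
                - /bin/bash
                - -c
                - "/scripts/register.sh"
              env:
                - name: AWS_DEFAULT_REGION
                  value: ap-northeast-2
                # register.sh requires SG_NAME; it was not set anywhere before, and an empty
                # name would have made the script match every security group in the account.
                # The value below is a constructed default - set it to the group you manage.
                - name: SG_NAME
                  value: github-sg
                - name: SENTRY_DSN
                  # TODO(review): a DSN is a credential; prefer valueFrom.secretKeyRef over a literal.
                  value: YOUR_SENTRY_DSN
              volumeMounts:
                - name: scripts-d
                  mountPath: /scripts
          volumes:
            - name: scripts-d
              projected:
                # YAML integers are decimal: the previous "500" meant mode 0764 (group-writable
                # script). 0500 = owner read+execute, which is all a root-run script needs.
                defaultMode: 0500
                sources:
                  - configMap:
                      name: github-sg-scripts
                      items:
                        - key: register.sh
                          path: register.sh
          restartPolicy: Never
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 10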
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroup*",
"ec2:RevokeSecurityGroup*",
"ec2:AuthorizeSecurityGroup*"
],
"Resource": "*"
}
]
}
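#!/bin/bash -x
# register.sh - (re)build the security group named ${SG_NAME} so that it admits only the
# address ranges GitHub publishes at https://api.github.com/meta (hooks, git, pages, importer).
#
# Required environment: SG_NAME - exact name of the group to manage.
# Required IAM actions:  ec2:CreateSecurityGroup, ec2:DescribeSecurityGroups,
#                        ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress.
# Runs on an EC2-backed pod: VPC id and region are read from the instance metadata service.
set -euo pipefail

# Fail fast. With SG_NAME unset, the previous `contains("")` lookup matched EVERY security
# group in the account and this script then stripped all of their ingress rules.
: "${SG_NAME:?SG_NAME must be set to the name of the security group to manage}"

IMDS="http://169.254.169.254/latest"
# A node may expose several ENIs; they all belong to the same VPC, so the first MAC is enough
# (the previous unfiltered listing produced a multi-line value and a broken vpc-id URL).
# NOTE(review): these are IMDSv1 calls; if the node enforces IMDSv2 a session token is required.
INTERFACE=$(curl --silent --fail "${IMDS}/meta-data/network/interfaces/macs/" | tr -d '/' | head -n 1)
VPC_ID=$(curl --silent --fail "${IMDS}/meta-data/network/interfaces/macs/${INTERFACE}/vpc-id")
AWS_DEFAULT_REGION=$(curl --silent --fail "${IMDS}/dynamic/instance-identity/document" | jq -r .region)
export AWS_DEFAULT_REGION
DESCRIPTION="$(date)"

# Fetch GitHub's ranges ONCE and before touching any rule: if the fetch fails or comes back
# empty we must not revoke the existing rules, or the group would be left with no ingress.
# `[]?` tolerates a missing category (the importer list is not always published).
META="$(curl --silent --fail https://api.github.com/meta)"
HOOKS="$(jq -r '.hooks[]?' <<<"${META}" | sort -u)"
GIT="$(jq -r '.git[]?' <<<"${META}" | sort -u)"
PAGES="$(jq -r '.pages[]?' <<<"${META}" | sort -u)"
IMPORTER="$(jq -r '.importer[]? | . + "/32"' <<<"${META}" | sort -u)"
if [[ -z "${HOOKS}" || -z "${GIT}" ]]; then
  echo "api.github.com/meta returned no hooks/git ranges; leaving existing rules untouched" >&2
  exit 1
fi

# find_group_ids - print the id of every group whose name equals SG_NAME (any VPC).
# Exact match on purpose: the previous substring match could pull in unrelated groups.
find_group_ids() {
  aws ec2 describe-security-groups --filters "Name=group-name,Values=${SG_NAME}" \
    | jq -r '.SecurityGroups[].GroupId'
}

# authorize_range GROUP_ID CIDR LABEL - add one all-protocol ingress rule for CIDR.
# The same CIDR can appear in several categories, and the second authorize then fails with a
# duplicate-rule error; that is expected and deliberately ignored (the original behaviour).
# IpProtocol -1 opens every port; narrow it to the service ports if the workload allows.
authorize_range() {
  local group_id="$1" cidr="$2" label="$3"
  aws ec2 authorize-security-group-ingress --group-id "${group_id}" --ip-permissions \
    "[{ \"IpProtocol\": \"-1\", \"IpRanges\": [{\"CidrIp\": \"${cidr}\", \"Description\": \"${label} - ${DESCRIPTION}\"}]}]" \
    > /dev/null || true
}

# authorize_list GROUP_ID LABEL LIST - one rule per line of LIST, skipping blank lines.
authorize_list() {
  local group_id="$1" label="$2" cidr
  while read -r cidr; do
    [[ -n "${cidr}" ]] && authorize_range "${group_id}" "${cidr}" "${label}"
  done <<<"$3"
}

if [[ -z "$(find_group_ids)" ]]; then
  aws ec2 create-security-group --vpc-id="${VPC_ID}" --group-name "${SG_NAME}" --description "Open to GitHub only" | jq .GroupId
fi

while read -r GroupId; do
  [[ -n "${GroupId}" ]] || continue
  IP_PERMISSIONS=$(aws ec2 describe-security-groups --filters "Name=group-id,Values=${GroupId}" | jq ".SecurityGroups[] | .IpPermissions")
  # Drop every existing ingress rule, then re-add the current GitHub ranges. A failed revoke
  # aborts the run (set -e) rather than layering new rules on top of stale ones.
  if [[ -n "${IP_PERMISSIONS}" && "${IP_PERMISSIONS}" != "[]" ]]; then
    aws ec2 revoke-security-group-ingress --group-id "${GroupId}" --ip-permissions "${IP_PERMISSIONS}" > /dev/null
  fi
  authorize_list "${GroupId}" hooks "${HOOKS}"
  authorize_list "${GroupId}" git "${GIT}"
  authorize_list "${GroupId}" pages "${PAGES}"
  authorize_list "${GroupId}" importer "${IMPORTER}"
done < <(find_group_ids)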
# Python packages installed into the image (see the Dockerfile's `pip install -r requirements.txt`).
# raven-bash: Sentry client, presumably what the CronJob's SENTRY_DSN is for; awscli: used by register.sh.
# TODO(review): pin both (pkg==x.y.z) so image builds are reproducible.
raven-bash
awscli