Create or modify the AWS security group that only allows GitHub servers to access our services
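# syntax=docker/dockerfile:1
# Image for the GitHub security-group sync job: bash, curl, jq and the
# awscli from requirements.txt on top of the python image.
# NOTE(review): python:3.7 reached end of life in June 2023; move to a
# supported tag and pin by digest for reproducible builds.
FROM python:3.7

# Set the timezone to KST so `date` in the rule descriptions is Seoul time.
ENV TZ=Asia/Seoul
RUN ln -snf "/usr/share/zoneinfo/${TZ}" /etc/localtime && echo "${TZ}" > /etc/timezone

# groff is what the aws cli uses to render `aws help`. jq is installed
# from the Debian repository (a signed package) instead of an unverified
# binary fetched with a bare `ADD <url>`, which could not be checksummed.
RUN set -ex \
    && apt-get update \
    && apt-get install --no-install-recommends -y \
        groff \
        jq \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /usr/src/app
COPY requirements.txt ./
RUN pip install --no-cache-dir --upgrade pip \
    && pip install --no-cache-dir -r requirements.txt

# NOTE(review): the image still runs as root. The CronJob mounts register.sh
# from a root-owned projected volume, so switching to a non-root USER here
# needs the volume mode / fsGroup adjusted in the manifest at the same time.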
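# Nightly job that runs register.sh to re-sync the "GitHub only" security
# group with GitHub's published address ranges. The pod gets its AWS
# permissions from the IAM role named in the kube2iam-style annotation.
# CronJob is GA as batch/v1 (Kubernetes 1.21+); batch/v1beta1 was removed in 1.25.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: github-sg
  labels:
    app: github-sg
spec:
  # 18:30 in the controller's time zone (03:30 KST when that is UTC).
  schedule: "30 18 * * *"
  # register.sh revokes every rule before re-adding them; two overlapping
  # runs would race on the same group, so never start a second one.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 10
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            iam.amazonaws.com/role: arn:aws:iam::111122223333:role/GitHubSecurityGroup
          labels:
            app: github-sg
        spec:
          restartPolicy: Never
          containers:
            - name: github-sg
              image: my/raven-bash
              args:
                - /bin/bash
                - -c
                - "/scripts/register.sh"
              env:
                - name: AWS_DEFAULT_REGION
                  value: ap-northeast-2
                # register.sh selects security groups whose name contains this
                # value; with it unset the script would match every group in
                # the region.
                - name: SG_NAME
                  value: YOUR_SECURITY_GROUP_NAME
                # A DSN is a credential: prefer `valueFrom.secretKeyRef` over an
                # inline value committed with the manifest.
                - name: SENTRY_DSN
                  value: YOUR_SENTRY_DSN
              volumeMounts:
                - name: scripts-d
                  mountPath: /scripts
          volumes:
            - name: scripts-d
              projected:
                # Octal 0500 (owner read+execute). Written as decimal 500 this
                # would be mode 0764, i.e. group-writable and world-readable.
                defaultMode: 0500
                sources:
                  - configMap:
                      name: github-sg-scripts
                      items:
                        - key: register.sh
                          path: register.sh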
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroup*",
"ec2:RevokeSecurityGroup*",
"ec2:AuthorizeSecurityGroup*"
],
"Resource": "*"
}
]
}
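#!/bin/bash -x
# Keeps the security group(s) whose name contains SG_NAME in sync with
# GitHub's published address ranges (https://api.github.com/meta): every
# existing ingress rule is revoked and the hooks/git/pages/importer ranges
# are re-authorised. Needs SG_NAME in the environment plus aws, jq and curl
# on PATH; AWS credentials come from the instance/pod role.
set -uo pipefail

# SG_NAME is the only filter applied below. With an empty value,
# `contains("")` would match EVERY security group in the region and the loop
# would strip their ingress rules, so refuse to run without it.
: "${SG_NAME:?SG_NAME must be set to the name of the security group to manage}"

IMDS="http://169.254.169.254/latest"
# Prefer IMDSv2 (session token); fall back to IMDSv1 when the PUT fails,
# e.g. when the instance hop limit does not reach the pod network.
IMDS_TOKEN=$(curl --silent --fail -X PUT "${IMDS}/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 300" || true)
imds() {
  # The token header is intentionally optional, hence the unquoted expansion.
  curl --silent --fail ${IMDS_TOKEN:+-H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}"} "${IMDS}/$1"
}

# The macs endpoint lists one MAC per line; use the first one listed.
INTERFACE=$(imds "meta-data/network/interfaces/macs/" | head -n 1 | tr -d '/')
VPC_ID=$(imds "meta-data/network/interfaces/macs/${INTERFACE}/vpc-id")
# Exported so the aws cli sees it even when the caller did not set it.
AWS_DEFAULT_REGION=$(imds "dynamic/instance-identity/document" | jq -r .region)
export AWS_DEFAULT_REGION
DESCRIPTION="$(date)"

# Group IDs of every security group whose name contains SG_NAME, one per line.
matching_group_ids() {
  aws ec2 describe-security-groups \
    | jq -r --arg SG_NAME "${SG_NAME}" \
        '.SecurityGroups[] | select(.GroupName | contains($SG_NAME)) | .GroupId'
}

if [[ -z "$(matching_group_ids)" ]]; then
  aws ec2 create-security-group --vpc-id="${VPC_ID}" --group-name "${SG_NAME}" \
    --description "Open to GitHub only" | jq .GroupId
fi

# Fetch GitHub's address list once (not once per category). Abort before
# touching any rule if it cannot be fetched: revoking first and then failing
# to re-authorise would leave the group with no ingress at all.
META=$(curl --silent --fail https://api.github.com/meta)
if [[ -z "${META}" ]]; then
  echo "register.sh: could not fetch https://api.github.com/meta; leaving security groups unchanged" >&2
  exit 1
fi

# Entries of one top-level key of the meta document, de-duplicated: the same
# range can appear more than once and a duplicate CidrIp makes
# authorize-security-group-ingress fail.
meta_ranges() {
  jq -r ".$1[]?" <<<"${META}" | sort -u
}

# authorize_range <group-id> <label> <cidr>
# IpProtocol -1 (all protocols and ports), as in the original rules. A failure
# for one range (e.g. a rule that already exists) is ignored so the remaining
# ranges are still added; the aws output stays visible for troubleshooting.
authorize_range() {
  local group_id="$1" label="$2" cidr="$3"
  aws ec2 authorize-security-group-ingress --group-id "${group_id}" --ip-permissions \
    "[{ \"IpProtocol\": \"-1\", \"IpRanges\": [{\"CidrIp\": \"${cidr}\", \"Description\": \"${label} - ${DESCRIPTION}\"}]}]" \
    || true
}

matching_group_ids | while read -r GroupId; do
  IP_PERMISSIONS=$(aws ec2 describe-security-groups --filters "Name=group-id,Values=${GroupId}" \
    | jq ".SecurityGroups[] | .IpPermissions")
  # Revoke everything first; the group has no ingress until the loops below complete.
  if [[ -n "${IP_PERMISSIONS}" && "${IP_PERMISSIONS}" != "[]" ]]; then
    aws ec2 revoke-security-group-ingress --group-id "${GroupId}" --ip-permissions "${IP_PERMISSIONS}"
  fi
  for category in hooks git pages; do
    meta_ranges "${category}" | while read -r CidrIp; do
      authorize_range "${GroupId}" "${category}" "${CidrIp}"
    done
  done
  # importer entries are bare addresses, hence the /32.
  meta_ranges importer | while read -r IpAddress; do
    authorize_range "${GroupId}" importer "${IpAddress}/32"
  done
done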
# Python dependencies installed into the job image (see the Dockerfile).
# NOTE(review): both are unpinned, so every image build may pull a different
# release; pin as `name==x.y.z` for reproducible builds.
# raven-bash is presumably what reports script failures to SENTRY_DSN; the
# underlying raven client is deprecated upstream in favour of sentry-sdk — confirm.
raven-bash
awscli