Created
April 14, 2015 04:30
-
-
Save arpcefxl/2acd7d873b95dbebcd42 to your computer and use it in GitHub Desktop.
AWS ec2 security group delete scripts. One script is for ec2-classic, the other is for VPC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Authored by Chad Smith on 3/10/2015 | |
| # please feel free to contact me at arpcefxl@gmail.com with comments or questions | |
| # assumes you have already run aws configure or are running in an ec2 role | |
| import boto.ec2, sys | |
| region = sys.argv[1] | |
| secgroup = sys.argv[2] | |
| conn = boto.ec2.connect_to_region(region) | |
| allgroups = conn.get_all_security_groups() | |
| mygroup = conn.get_all_security_groups(groupnames=secgroup) | |
| groupname = mygroup[0].name | |
| groupid = mygroup[0].id | |
| group = mygroup[0] | |
| for rule in group.rules: | |
| for grants in rule.grants: | |
| if grants.cidr_ip: | |
| print "revoking ingress rule with source as cidr_ip" | |
| print groupname, rule.ip_protocol, rule.from_port, rule.to_port, grants.cidr_ip | |
| conn.revoke_security_group(group_name=groupname, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, cidr_ip=grants.cidr_ip) | |
| else: | |
| print "revoking ingress rule with source as security group" | |
| print groupname, rule.ip_protocol, rule.from_port, rule.to_port, grants.name | |
| if grants.name == 'amazon-elb-sg': | |
| print "revoking ingress rule with ELB as security group" | |
| conn.revoke_security_group(group_name=groupname, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, src_security_group_group_id=grants.group_id,src_security_group_owner_id='amazon-elb') | |
| else: | |
| conn.revoke_security_group(group_name=groupname, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, src_security_group_name=grants.name) | |
| # handle cases where the security group is referred to by other security groups | |
| for othergroup in allgroups: | |
| for otherrule in othergroup.rules: | |
| for othergrant in otherrule.grants: | |
| grant_nom = othergrant.name or othergrant.group_id | |
| if grant_nom: | |
| if grant_nom == groupname: | |
| print "revoking ingress rule where source is the security group to be deleted" | |
| print othergroup.name, otherrule.ip_protocol, otherrule.from_port, otherrule.to_port, othergrant.name | |
| conn.revoke_security_group(group_name=othergroup.name, ip_protocol=otherrule.ip_protocol, from_port=otherrule.from_port, to_port=otherrule.to_port, src_security_group_name=groupname) | |
| # delete the security group itself | |
| print "deleting security group" | |
| conn.delete_security_group(name=groupname) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Authored by Chad Smith on 3/10/2015 | |
| # please feel free to contact me at arpcefxl@gmail.com with comments or questions | |
| # assumes you have already run aws configure or are running in an ec2 role | |
| import boto.ec2, sys | |
| region = sys.argv[1] | |
| secgroup = sys.argv[2] | |
| conn = boto.ec2.connect_to_region(region) | |
| allgroups = conn.get_all_security_groups() | |
| mygroup = conn.get_all_security_groups(group_ids=secgroup) | |
| groupname = mygroup[0].name | |
| groupid = mygroup[0].id | |
| group = mygroup[0] | |
| for rule in group.rules: | |
| for grants in rule.grants: | |
| if grants.cidr_ip: | |
| print "revoking ingress rule with source as cidr_ip" | |
| print groupname, groupid, rule.ip_protocol, rule.from_port, rule.to_port, grants.cidr_ip | |
| conn.revoke_security_group(group_id=groupid, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, cidr_ip=grants.cidr_ip) | |
| else: | |
| print "revoking ingress rule with source as security group" | |
| print groupname, groupid, rule.ip_protocol, rule.from_port, rule.to_port, grants.name | |
| conn.revoke_security_group(group_id=groupid, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, src_security_group_name=grants.name) | |
| # handle cases where the security group is referred to by other security groups | |
| for othergroup in allgroups: | |
| for otherrule in othergroup.rules: | |
| for othergrant in otherrule.grants: | |
| grant_nom = othergrant.name or othergrant.group_id | |
| if grant_nom: | |
| if grant_nom == groupid: | |
| print "revoking ingress rule where source is the security group to be deleted" | |
| print othergroup.name, otherrule.ip_protocol, otherrule.from_port, otherrule.to_port, othergrant.group_id | |
| conn.revoke_security_group(group_id=othergroup.id, ip_protocol=otherrule.ip_protocol, from_port=otherrule.from_port, to_port=otherrule.to_port, src_security_group_id=groupid) | |
| # delete the security group itself | |
| print "deleting security group" | |
| conn.delete_security_group(group_id=groupid) |
Thank you for the example, this is quite neat. Maybe worth considering the code below as it requires less code.
The key point is'IpPermissions': [ ingress ]where ingress rule is taken straight from theec2.describe_security_groups()return value.import boto3 ec2 = boto3.client('ec2') kwargs = { 'DryRun': False, 'GroupNames': [ 'test' ] } r = ec2.describe_security_groups(**kwargs) sg = r['SecurityGroups'][0] for ingress in sg['IpPermissions']: kwargs = { 'DryRun': False, 'GroupName': 'test', 'IpPermissions': [ ingress ] } r2 = ec2.revoke_security_group_ingress(**kwargs)
This results in ClientError: An error occurred (InvalidParameterCombination) when calling the RevokeSecurityGroupIngress operation: An IP permission may contain a group name or a group ID, but not both
This is what I came up with for boto3:
import boto3
from botocore.exceptions import ClientError
REGION = 'us-east-1'
ec2 = boto3.client('ec2', region_name=REGION)
# Keep removing until all are gone
while True:
groups = ec2.describe_security_groups()['SecurityGroups']
group_ids = [g['GroupId'] for g in groups]
groups_left = len(group_ids)
if groups_left > 0:
print(f'Groups left to deauthorize: {groups_left}')
else:
print('Complete! All security groups removed.')
break
for group in groups:
print(
f'Removing ingress from Group ID: {group["GroupId"]}, Group Name: {group["GroupName"]}'
)
for ingress in group['IpPermissions']:
new_group_id_pairs = list()
for user_group_id_pair in ingress['UserIdGroupPairs']:
print(user_group_id_pair)
if isinstance(user_group_id_pair, set):
list_ug = list(user_group_id_pair)
# Create a new user group pair list without a GroupName
new_ug = {}
key, value = None, None
for i, ug in enumerate(list_ug):
if i % 2 == 0:
key = ug[i]
else:
value = ug[i]
if key not in ['GroupName']:
new_ug[key] = value
elif isinstance(user_group_id_pair, dict):
new_ug = user_group_id_pair.copy()
if 'GroupName' in new_ug:
del new_ug['GroupName']
new_group_id_pairs.append(new_ug)
ingress['UserIdGroupPairs'] = new_group_id_pairs
kwargs = {
'DryRun': False,
'GroupName': group['GroupName'],
'IpPermissions': [ingress]
}
try:
r2 = ec2.revoke_security_group_ingress(**kwargs)
print(f'Revoked ingress: {ingress}')
except ClientError:
print(f'Error revoking ingress: {ingress}')
try:
ec2.delete_security_group(GroupId=group['GroupId'])
print(f'Success removing security Group ID {group["GroupId"]}, Group Name: {group["GroupName"]}!')
except ClientError:
print(f'Error removing security Group ID {group["GroupId"]}, Group Name: {group["GroupName"]}!')
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you for the example, this is quite neat. Maybe worth considering the code below as it requires less code.
The key point is
'IpPermissions': [ ingress ]where ingress rule is taken straight from theec2.describe_security_groups()return value.