Query Cloudkick's monitor_ips API, then add/remove EC2 security rules to allow HTTP/ping access as needed
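namespace :monitoring do
  require 'json'
  require 'open-uri'
  require 'ipaddr'

  # EC2 security group whose ingress rules are kept equal to Cloudkick's monitor IPs.
  SECURITY_GROUP_NAME = 'monitoring' unless defined?(SECURITY_GROUP_NAME)
  # Cloudkick endpoint returning a JSON array of the source IPs its checks come from.
  CLOUDKICK_MONITOR_IPS_URL = 'https://api.cloudkick.com/1.0/monitor_ips' unless defined?(CLOUDKICK_MONITOR_IPS_URL)

  desc "Query Cloudkick's list of IPs monitoring requests are sent from, then add/remove security group rules as needed"
  task :setup_security => :environment do
    @ec2 = AWS::EC2::Base.new(
      :access_key_id => AWSCredentials.access_key,
      :secret_access_key => AWSCredentials.secret_access_key
    )

    cloudkick_ips = fetch_cloudkick_ips

    # The group is expected to already hold one tcp/80 entry and one icmp entry
    # whose ranges are managed entirely by this task; their protocol/port values
    # are copied onto every rule the task adds or revokes.
    permissions = @ec2.describe_security_groups(:group_name => SECURITY_GROUP_NAME).securityGroupInfo.item.first.ipPermissions.item

    http_permissions = permissions.detect { |p| p.ipProtocol == 'tcp' && p.fromPort == '80' }
    sync_permissions(cloudkick_ips, http_permissions)

    ping_permissions = permissions.detect { |p| p.ipProtocol == 'icmp' }
    sync_permissions(cloudkick_ips, ping_permissions)

    puts "Done at #{Time.now}."
  end

  # Download Cloudkick's monitor IP list over TLS and return it validated.
  #
  # Certificate verification is deliberately left at open-uri's default (peer
  # verification on): this list decides which addresses are granted ingress to
  # the group, so its origin must be authenticated. If the host lacks a CA
  # bundle, pass :ssl_ca_cert => path to open here rather than lowering
  # OpenSSL::SSL::VERIFY_PEER process-wide.
  #
  # @param url [String] endpoint to fetch
  # @return [Array<String>] deduplicated IPv4 addresses
  # @raise [RuntimeError] if the payload is not a JSON array of plain IPv4 addresses
  def fetch_cloudkick_ips(url = CLOUDKICK_MONITOR_IPS_URL)
    body = URI.parse(url).open.read
    validate_cloudkick_ips(JSON.parse(body))
  end

  # Check that a decoded Cloudkick payload is an array of plain IPv4 addresses.
  # Every entry is later interpolated into "ip/32" for an EC2 API call, so a
  # mask, a hostname or a non-string must be rejected rather than forwarded.
  #
  # @param ips [Object] the parsed JSON payload
  # @return [Array<String>] the addresses, duplicates removed, in original order
  # @raise [RuntimeError] on an unexpected payload shape or entry
  def validate_cloudkick_ips(ips)
    raise "Unexpected Cloudkick response: expected a JSON array of IP addresses, got #{ips.class}" unless ips.is_a?(Array)

    ips.map(&:to_s).uniq.each do |ip|
      valid = begin
        # No mask allowed here: the /32 is appended by sync_permissions.
        !ip.include?('/') && IPAddr.new(ip).ipv4?
      rescue ArgumentError
        false
      end
      raise "Cloudkick returned an entry that is not an IPv4 address: #{ip.inspect}" unless valid
    end
  end

  # Given the validated Cloudkick IPs and one existing EC2 permission entry
  # (a protocol/port with its ipRanges), make the entry's CIDR set equal to the
  # Cloudkick list: each Cloudkick IP gets a /32 rule and every other CIDR on
  # the entry is revoked. CIDRs are compared whole, so a broader existing rule
  # (e.g. a /24) is revoked instead of being mistaken for a matching /32.
  #
  # @param cloudkick_ips [Array<String>] plain IPv4 addresses
  # @param existing_permissions [Object] entry responding to ipProtocol, fromPort, toPort, ipRanges
  # @raise [RuntimeError] if existing_permissions is nil, since the protocol and
  #   ports of the new rules are copied from it
  def sync_permissions(cloudkick_ips, existing_permissions)
    if existing_permissions.nil?
      raise "No existing rule found in security group #{SECURITY_GROUP_NAME}; create one seed rule for the protocol/port first"
    end

    proto = existing_permissions.ipProtocol
    from_port = existing_permissions.fromPort
    to_port = existing_permissions.toPort

    # NOTE(review): assumes ipRanges.item is present even for an entry with no ranges — confirm against the EC2 client.
    existing_cidrs = existing_permissions.ipRanges.item.collect { |range| range.cidrIp }
    wanted_cidrs = cloudkick_ips.collect { |ip| "#{ip}/32" }

    (wanted_cidrs - existing_cidrs).each do |cidr|
      @ec2.authorize_security_group_ingress(:group_name => SECURITY_GROUP_NAME, :cidr_ip => cidr,
        :ip_protocol => proto, :from_port => from_port, :to_port => to_port)
      puts "Added access on #{proto} #{from_port} for #{cidr}"
    end

    (existing_cidrs - wanted_cidrs).each do |cidr|
      @ec2.revoke_security_group_ingress(:group_name => SECURITY_GROUP_NAME, :cidr_ip => cidr,
        :ip_protocol => proto, :from_port => from_port, :to_port => to_port)
      puts "Revoked access on #{proto} #{from_port} for #{cidr}"
    end
  end
end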