Last active
March 13, 2018 18:06
-
-
Save burdara/5399a1ea2b03fae60ed3384123957427 to your computer and use it in GitHub Desktop.
Iterate over Route53 DNS to check certificates.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| my_path="$(cd $(dirname $0); pwd)" | |
| expire_check_secs=2592000 | |
| output_dir="$my_path/output" | |
| attention_file="$output_dir/ATTENTION.md" | |
| unknown_file="$output_dir/UNKNOWN.md" | |
| which gtimeout &>/dev/null && timeout_cmd="gtimeout 3" | |
| formatDate() { | |
| date -jf '%b %d %H:%M:%S %Y %Z' "$1" +'%Y-%m-%d %H:%M:%S' | |
| } | |
| create_file() { | |
| cat <<EOF > "$2" | |
| # $1 | |
| |Host|Type|Source|Expires Soon|NotBefore|NotAfter|Subject| | |
| |----|----|------|------------|---------|--------|-------| | |
| EOF | |
| } | |
| create_md_file() { | |
| local r53_zone_id="$1" | |
| local r53_zone_nm="$2" | |
| local output_file="$output_dir/${r53_zone_id}.md" | |
| local r53_records=$( | |
| aws route53 list-resource-record-sets \ | |
| --hosted-zone-id "$r53_zone_id" | \ | |
| jq -r '.ResourceRecordSets[] | select(.Type == "A" or .Type == "CNAME")' | |
| ) | |
| create_file "$r53_zone_nm ($r53_zone_id)" "$output_file" | |
| for r53_host_nm in $(echo "$r53_records" | jq -r '.Name'); do | |
| local out_host="${r53_host_nm%.}" | |
| local out_type=$(echo "$r53_records" | jq -r "select(.Name == \"${r53_host_nm/\\/\\\\}\").Type") | |
| local out_records=$(echo $(echo "$r53_records" | jq -r "select(.Name == \"${r53_host_nm/\\/\\\\}\") | if .ResourceRecords then .ResourceRecords[].Value else \"\" end")) | |
| local out_alias=$(echo "$r53_records" | jq -r "select(.Name == \"${r53_host_nm/\\/\\\\}\") | if .AliasTarget then .AliasTarget.DNSName else \"\" end") | |
| local cert_info=$($timeout_cmd openssl s_client -connect "$out_host:443" -servername "$out_host" 2>/dev/null < /dev/null | openssl x509 -noout -subject -dates 2>/dev/null) | |
| if [[ -z "$cert_info" ]]; then | |
| local output="|$out_host|$out_type|$out_records $out_alias|?|?|?|?|" | |
| echo "$output" >> "$unknown_file" | |
| else | |
| local out_not_before=$(echo "$cert_info" | grep 'notBefore') && local out_not_before=$(formatDate "${out_not_before#*=}") | |
| local out_not_after=$(echo "$cert_info" | grep 'notAfter') && local out_not_after=$(formatDate "${out_not_after#*=}") | |
| local out_subject=$(echo "$cert_info" | grep 'subject') && local out_subject="${out_subject#*=}" | |
| local out_expires_soon=$($timeout_cmd openssl s_client -connect "$out_host:443" -servername "$out_host" 2>/dev/null < /dev/null | openssl x509 -noout -checkend "$expire_check_secs" 2>/dev/null && echo no || echo yes) | |
| local output="|$out_host|$out_type|$out_records $out_alias|$out_expires_soon|$out_not_before|$out_not_after|$out_subject|" | |
| if [[ "$out_expires_soon" == "yes" ]]; then | |
| echo "$output" >> "$attention_file" | |
| fi | |
| fi | |
| echo "$output" >> "$output_file" | |
| done | |
| } | |
| [[ ! -d "$output_dir" ]] && mkdir -p "$output_dir" | |
| r53_host_zones=$( | |
| aws route53 list-hosted-zones | \ | |
| jq -r '.HostedZones[] | select(.Config.PrivateZone == false) | .Id +"~"+ .Name' | \ | |
| awk -F/ '{print $3}' | |
| ) | |
| create_file "Expiring soon!" "$attention_file" | |
| create_file "Unknown! Please review!" "$unknown_file" | |
| for r53_zone_info in $r53_host_zones; do | |
| echo "${r53_zone_info%%~*} started" | |
| create_md_file "${r53_zone_info%%~*}" "${r53_zone_info##*~}" & | |
| pids+="$!~${r53_zone_info%%~*} " | |
| done | |
| for pid in $pids; do | |
| wait ${pid%%~*} | |
| echo "${pid##*~} finished" | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment