A script that puts the front-end environment (S3 + CloudFront) into maintenance state
192.168.0.0/32
192.168.255.255/32
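#!/usr/bin/env bash
# Put the front-end environment (S3 + CloudFront) into maintenance mode.
#
# Steps:
#   1. Dump the current CloudFront distribution config to ./dist.json.
#   2. Upload ./maintenance.html to the S3 bucket.
#   3. Create a WAFv2 IP set from ./ip.txt (one CIDR per line) and a Web ACL
#      whose default action is Block, with a rule allowing only those IPs.
#   4. Patch dist.json (map the origin's 403 to /maintenance.html with a 503
#      response, attach the Web ACL) and push it with update-distribution.
#   5. Invalidate the CloudFront cache so the maintenance page is served at once.
#
# Inputs expected in the current directory: maintenance.html, ip.txt,
# waf-rule.json (a rule array whose IPSetReferenceStatement.ARN is filled in
# here). Tools: aws CLI with cloudfront/wafv2/s3 permissions, jq.
# Outputs written to the current directory: dist.json, ip-set.json,
# web-acl.json, result.json (the saved LockTokens are presumably meant for a
# later delete step — TODO confirm).
#
# Shell options live here rather than in the shebang so they survive
# `bash maintenance.sh`; pipefail makes a failing `aws ... | jq` abort
# instead of silently writing an empty dist.json.
set -euo pipefail

readonly S3_BUCKET=your-domain.com
readonly DISTRIBUTION_ID=E123XXXXXXXXXX
# WAFv2 resources with scope CLOUDFRONT must be created in us-east-1.
readonly WAF_REGION=us-east-1

# Scratch files are removed on every exit path, not only on success.
cleanup() { rm -f -- ./tmp-waf-rule.json ./tmp.json; }
trap cleanup EXIT

# printf instead of echo: `echo "\n"` only expands under dash-style sh.
printf '\n============== TARGET INFORMATION ==============\n'
printf 'environment : develop\n'
printf 'S3 bucket : %s\n' "$S3_BUCKET"
printf 'CloudFront distribution : %s\n' "$DISTRIBUTION_ID"
printf '================================================\n\n'

# Dump the current web distribution config as JSON; it is patched further below.
aws cloudfront get-distribution-config --id "$DISTRIBUTION_ID" | jq . > ./dist.json

# Custom error response that replaces the existing 403 entry.
# Kept as JSON text and handed to jq via --argjson, never spliced into the
# jq program as source.
ERROR_RESPONSE='{
  "ErrorCode": 403,
  "ResponsePagePath": "/maintenance.html",
  "ResponseCode": "503",
  "ErrorCachingMinTTL": 0
}'
readonly ERROR_RESPONSE

# NOTE(review): public-read makes the object readable by anyone who knows the
# key; if the distribution reads the bucket through an origin access
# identity/control this ACL is unnecessary — confirm before keeping it.
aws s3 cp ./maintenance.html "s3://${S3_BUCKET}/dist/maintenance.html" --acl public-read

# Build the IP set from ip.txt, one CIDR per line, blank lines skipped.
# An array keeps every address a separate argument without relying on
# unquoted word-splitting.
IP_LIST=()
while IFS= read -r cidr || [[ -n "$cidr" ]]; do
  if [[ -n "$cidr" ]]; then
    IP_LIST+=("$cidr")
  fi
done < ./ip.txt
if (( ${#IP_LIST[@]} == 0 )); then
  printf 'ip.txt contains no addresses; an empty IP set would allow nobody through the Web ACL\n' >&2
  exit 1
fi
printf 'IP list: [ %s ]\n\n' "${IP_LIST[*]}"

printf 'Creating ip set ...\n'
# NOTE(review): the names below are fixed, so a re-run without deleting the
# previous IP set / Web ACL is expected to fail on the duplicate name — confirm.
IP_SET=$(aws wafv2 create-ip-set \
  --name "maintenance-developers" \
  --scope CLOUDFRONT \
  --region "$WAF_REGION" \
  --ip-address-version IPV4 \
  --addresses "${IP_LIST[@]}")
printf 'Success: created ip set!\n'
jq '.Summary | { Name: .Name, Id: .Id, Scope: "CLOUDFRONT", LockToken: .LockToken }' <<<"$IP_SET" > ./ip-set.json
IPSET_ARN=$(jq -r .Summary.ARN <<<"$IP_SET")
readonly IPSET_ARN

# Fill the IP set ARN into every rule of waf-rule.json. --arg binds it as a
# jq variable, so the value can never be interpreted as jq code.
jq --arg arn "$IPSET_ARN" \
  '.[].Statement.IPSetReferenceStatement.ARN |= $arn' \
  ./waf-rule.json > ./tmp-waf-rule.json

printf 'Creating web acl ...\n'
# The rules file is read from where it was just written; the original read
# bin/tmp-waf-rule.json, which only worked from a different working directory.
WEB_ACL=$(aws wafv2 create-web-acl \
  --name "test" \
  --scope CLOUDFRONT \
  --region "$WAF_REGION" \
  --default-action Block={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MaintenanceWebAclMetrics \
  --rules file://tmp-waf-rule.json)
rm -f -- ./tmp-waf-rule.json
printf 'Success: created web acl!\n'
jq '.Summary | { Name: .Name, Id: .Id, Scope: "CLOUDFRONT", LockToken: .LockToken }' <<<"$WEB_ACL" > ./web-acl.json
WEB_ACL_ARN=$(jq -r .Summary.ARN <<<"$WEB_ACL")
readonly WEB_ACL_ARN

# Turn the get-distribution-config output into update-distribution input:
# the ETag becomes IfMatch (so a concurrent edit is rejected), the 403 custom
# error response is swapped for the maintenance page, and the Web ACL is
# attached. Values enter through --arg/--argjson, not string interpolation.
# Like the original, this assumes CustomErrorResponses.Items already exists
# and holds a 403 entry; nothing is added when it does not.
jq --argjson err "$ERROR_RESPONSE" --arg acl "$WEB_ACL_ARN" '
  . + {"IfMatch": .ETag}
  | del(.ETag)
  | .DistributionConfig.CustomErrorResponses.Items |= map(if .ErrorCode == 403 then $err else . end)
  | .DistributionConfig.WebACLId = $acl
' ./dist.json > ./tmp.json
mv ./tmp.json ./dist.json

# Push the patched web distribution config.
aws cloudfront update-distribution \
  --cli-input-json file://dist.json \
  --id "$DISTRIBUTION_ID" \
  > ./result.json
printf 'Success: updated cloudfront distribution!\n'

# Invalidate the cache. The documented option is --paths; the original
# `--path` relied on option-prefix abbreviation.
aws cloudfront create-invalidation --distribution-id "$DISTRIBUTION_ID" --paths '/*' > /dev/null
printf 'Success: removed cache on CloudFront: %s!\n' "$DISTRIBUTION_ID"
printf 'Finish processes.\n'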
[
{
"Name": "test-ribon",
"Priority": 0,
"Statement": {
"IPSetReferenceStatement": {
"ARN": ""
}
},
"Action": {
"Allow": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "test-ribon"
}
}
]