A script that puts the front-end environment (S3 + CloudFront) into maintenance state
192.168.0.0/32
192.168.255.255/32
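#!/bin/sh
# Put the front-end (S3 + CloudFront) into maintenance mode:
#   1. upload maintenance.html to the S3 bucket
#   2. create a WAFv2 IP set from ./ip.txt and a Web ACL whose default action is
#      Block, with one Allow rule for that IP set (template: ./waf-rule.json)
#   3. attach the Web ACL to the CloudFront distribution and map the WAF 403 to
#      /maintenance.html served with status 503
#   4. invalidate the CloudFront cache
# Required in the current directory: maintenance.html, ip.txt (one IPv4 CIDR per
# line), waf-rule.json (IPSetReferenceStatement.ARN is filled in here).
# Written here and kept for the rollback step: dist.json, ip-set.json,
# web-acl.json, result.json.
# Requires: aws CLI with credentials for the target account, jq.
#
# -e: stop on the first failing command; -u: unset variables are errors;
# -f: no pathname expansion (ip.txt entries are word-split into arguments below).
set -euf

S3_BUCKET=your-domain.com
DISTRIBUTION_ID=E123XXXXXXXXXX
# WAFv2 resources with scope CLOUDFRONT must be created in us-east-1.
WAF_REGION=us-east-1

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

command -v aws >/dev/null || die "aws CLI not found"
command -v jq >/dev/null || die "jq not found"
[ -f ./maintenance.html ] || die "./maintenance.html not found"
[ -f ./ip.txt ] || die "./ip.txt not found"
[ -f ./waf-rule.json ] || die "./waf-rule.json not found"

# Scratch file for the rewritten distribution config; removed on any exit path.
TMP_JSON=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$TMP_JSON"' EXIT

printf '\n============== TARGET INFORMATION ==============\n'
printf 'environment : develop\n'
printf 'S3 bucket : %s\n' "$S3_BUCKET"
printf 'CloudFront distribution : %s\n' "$DISTRIBUTION_ID"
printf '================================================\n\n'

# Dump the current distribution config as JSON; it is rewritten for maintenance
# mode further down. Without pipefail a failed `aws` call leaves an empty file,
# so the size check is what actually catches that failure.
aws cloudfront get-distribution-config --id "$DISTRIBUTION_ID" | jq . > ./dist.json
[ -s ./dist.json ] || die "could not read the config of distribution $DISTRIBUTION_ID"

# Custom error response: the 403 produced by the WAF block is answered with
# /maintenance.html and status 503 (not cached, so rollback takes effect at once).
ERROR_RESPONSE=$(cat << 'EOS'
{
  "ErrorCode" : 403,
  "ResponsePagePath": "/maintenance.html",
  "ResponseCode": "503",
  "ErrorCachingMinTTL": 0
}
EOS
)

# NOTE(review): kept the original public-read ACL; if the bucket is only reached
# through CloudFront (OAI/OAC) the object does not need to be public — confirm.
aws s3 cp ./maintenance.html "s3://${S3_BUCKET}/dist/maintenance.html" --acl public-read

# Build the IP set from ./ip.txt. The file is deliberately word-split so that
# each CIDR becomes its own argument; the loop rejects anything that is not a
# plain IPv4 CIDR (in particular entries starting with '-', which the CLI would
# otherwise parse as options).
# shellcheck disable=SC2046
set -- $(paste -s -d ' ' ./ip.txt)
[ "$#" -gt 0 ] || die "./ip.txt contains no IP addresses"
for cidr in "$@"; do
  case "$cidr" in
    *[!0-9./]*|'') die "invalid IPv4 CIDR in ./ip.txt: $cidr" ;;
  esac
done
IP_LIST=$*
printf 'IP list: [ %s ]\n\n' "$IP_LIST"

echo "Creating ip set ..."
IP_SET=$(aws wafv2 create-ip-set \
  --name "maintenance-developers" \
  --scope CLOUDFRONT \
  --region "$WAF_REGION" \
  --ip-address-version IPV4 \
  --addresses "$@")
echo "Success: created ip set!"
printf '%s\n' "$IP_SET" \
  | jq '.Summary | { Name: .Name, Id: .Id, Scope: "CLOUDFRONT", LockToken: .LockToken }' \
  > ./ip-set.json
IPSET_ARN=$(printf '%s\n' "$IP_SET" | jq -r .Summary.ARN)
if [ -z "$IPSET_ARN" ] || [ "$IPSET_ARN" = null ]; then
  die "create-ip-set returned no ARN"
fi

# Fill the ARN into the rule template via --arg rather than splicing shell text
# into the jq program, so the value can never be interpreted as jq syntax.
jq --arg arn "$IPSET_ARN" \
  '.[].Statement.IPSetReferenceStatement.ARN |= $arn' \
  ./waf-rule.json > ./tmp-waf-rule.json

# Create the Web ACL: default action Block, the single rule allows the IP set.
# The rules file is read from where it was just written (the original pointed
# --rules at bin/ while writing to ./).
echo "Creating web acl ..."
WEB_ACL=$(aws wafv2 create-web-acl \
  --name "test" \
  --scope CLOUDFRONT \
  --region "$WAF_REGION" \
  --default-action Block={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MaintenanceWebAclMetrics \
  --rules file://tmp-waf-rule.json)
rm -f ./tmp-waf-rule.json
echo "Success: created web acl!"
printf '%s\n' "$WEB_ACL" \
  | jq '.Summary | { Name: .Name, Id: .Id, Scope: "CLOUDFRONT", LockToken: .LockToken }' \
  > ./web-acl.json
WEB_ACL_ARN=$(printf '%s\n' "$WEB_ACL" | jq -r .Summary.ARN)
if [ -z "$WEB_ACL_ARN" ] || [ "$WEB_ACL_ARN" = null ]; then
  die "create-web-acl returned no ARN"
fi

# Rewrite the saved config for update-distribution:
#   - ETag becomes IfMatch (optimistic locking expected by update-distribution)
#   - the 403 custom error response is replaced, or appended when the
#     distribution has none yet; Quantity is kept equal to the item count, as
#     the API requires
#   - the new Web ACL is attached
# Values are passed with --arg/--argjson, never spliced into the program text.
jq --argjson err "$ERROR_RESPONSE" --arg acl "$WEB_ACL_ARN" '
    . + {"IfMatch": .ETag}
    | del(.ETag)
    | .DistributionConfig.CustomErrorResponses |= (
        .Items = ((.Items // [])
          | if any(.[]; .ErrorCode == 403)
            then map(if .ErrorCode == 403 then $err else . end)
            else . + [$err]
            end)
        | .Quantity = (.Items | length))
    | .DistributionConfig.WebACLId = $acl
  ' ./dist.json > "$TMP_JSON"
mv -- "$TMP_JSON" ./dist.json

# Apply the new distribution config.
aws cloudfront update-distribution \
  --cli-input-json file://dist.json \
  --id "$DISTRIBUTION_ID" \
  > ./result.json
echo "Success: updated cloudfront distribution!"

# Drop cached objects so the maintenance page is served immediately
# (the documented option is --paths).
aws cloudfront create-invalidation --distribution-id "$DISTRIBUTION_ID" --paths '/*' > /dev/null
echo "Success: removed cache on CloudFront: $DISTRIBUTION_ID!"
echo "Finish processes."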
[
  {
    "Name": "test-ribon",
    "Priority": 0,
    "Statement": {
      "IPSetReferenceStatement": {
        "ARN": ""
      }
    },
    "Action": {
      "Allow": {}
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "test-ribon"
    }
  }
]