Last active
November 3, 2023 00:01
-
-
Save eggbean/bfd81df997e405d9cabe9eb7682a95a9 to your computer and use it in GitHub Desktop.
Firewall Network Security Group update script for Oracle Cloud. Good for remote working or for use as cron job for people with dynamic IP addresses at home.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Oracle firewall update script | |
# Usage: oci-fupdate [ <source-CIDR> ] [ --query ] | |
# | |
# Updates an existing Network Security Group to allow SSH access through the OCI | |
# firewall to reach instances in a public subnet, like bastion hosts. With no | |
# argument your current public IP address is used, or you can add a source address | |
# block in CIDR format. The --query option returns the current source address. | |
# | |
# Add your variables below. To find the values, first find the ocid for your NSG: | |
# | |
# $ oci network nsg list \ | |
# --compartment-id <compartment-ocid> \ | |
# --query 'data[].{id:id,"display-name":"display-name" }' \ | |
# --output table | |
# | |
# ...then get the rule id: | |
# | |
# $ oci network nsg rules list \ | |
# --nsg-id <nsg-ocid> | |
# Variables | |
compartment_id='ocid1.compartment.oc1..aaaaaaaacvben...' | |
nsg_id='ocid1.networksecuritygroup.oc1.uk-london-1.aaaaaaaa3mhk...' | |
rule_id='6DF56F' | |
port=22 | |
# Or, source variables file if it exists so | |
# that they can be left out of git repository | |
if [[ -e $(dirname "$0")/${0##*/}.env ]]; then | |
source "$(dirname "$0")/${0##*/}.env" | |
fi | |
# Query current rule source block | |
if [[ $* =~ --query ]]; then | |
printf "%s%s\n" "Current source block CIDR: " \ | |
"$(oci network nsg rules list \ | |
--nsg-id $nsg_id | jq -r 'first(.data[]) | .source')" | |
exit | |
fi | |
# Update rule definition | |
if [[ -z $1 ]]; then | |
source_cidr="$(curl -s ipv4.icanhazip.com)/32" | |
else | |
source_cidr="$1" | |
fi | |
echo Modifying an existing NSG rule | |
echo ============================== | |
json_update_rule_file=$(mktemp) | |
cat > "${json_update_rule_file}" << EOF | |
[ | |
{ | |
"description": "Allow ssh in", | |
"direction": "INGRESS", | |
"id": "$rule_id", | |
"is-stateless": false, | |
"protocol": "6", | |
"source": "$source_cidr", | |
"source-type": "CIDR_BLOCK", | |
"tcp-options": { | |
"destination-port-range": { | |
"max": $port, | |
"min": $port | |
} | |
} | |
} | |
] | |
EOF | |
oci network nsg rules update --nsg-id $nsg_id \ | |
--security-rules file://"$json_update_rule_file" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment