Add all AWS IP ranges to a MongoDB Atlas Org api key access list
#!/usr/bin/env bash
#
# aws-access-lister.sh
#
# This utility script can be used to maintain the Access List for
# a MongoDB Atlas Programmatic API Key. For example, when running on AWS Lambda
# the IP address of the host is not known beforehand, and thus it's not possible to
# securely configure an API key. This script will dynamically fetch a valid set of
# IP ranges directly from AWS and then either create a new API key or modify an existing key
# with all the IP ranges. Note that these ranges are shared by every AWS customer
# in the selected region, so the access list narrows exposure but does not replace
# protecting the key itself.
#
# This tool requires `mongocli` to be installed and configured with
# an appropriately scoped API key (ORG_OWNER).
#
# Options - set via environment variables only
# REGION - default 'us-east-1', use valid AWS regions
# SERVICES - comma-separated list of services to allow, default 'EC2', possible values:
#AMAZON,AMAZON_APPFLOW,AMAZON_CONNECT,API_GATEWAY,CHIME_VOICECONNECTOR,CLOUD9,CLOUDFRONT,CODEBUILD,DYNAMODB,EC2,EC2_INSTANCE_CONNECT,GLOBALACCELERATOR,KINESIS_VIDEO_STREAMS,ROUTE53_HEALTHCHECKS,ROUTE53_HEALTHCHECKS_PUBLISHING,S3,WORKSPACES_GATEWAYS,
#
# Usage:
# This tool will produce a set of mongocli commands
# you can run as a script to add apikey accesslist entries
# for known AWS ip ranges.
#
# Input: An Atlas Public Key or `--create-key` to generate a new API key
#
#
# DevOps Notes:
#
# Handy bash one-liner to clean up any aws-access-lister generated keys
#
# mongocli iam organizations apikeys list --output json | jq -r '.[] | select(.desc|test("^aws-access-lister")) | .id' | xargs -I {} mongocli iam organizations apikeys delete --force {}
#
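# Fail fast: a failed mongocli/curl/jq call must not leave a half-built,
# plausible-looking script on stdout.
set -euo pipefail

# Print a diagnostic on stderr (stdout is the generated script) and abort.
die() {
  printf 'aws-access-lister: %s\n' "$*" >&2
  exit 1
}

TARGET_APIKEY_PUBLIC_KEY="${1:-}"
if [[ -z "${TARGET_APIKEY_PUBLIC_KEY}" ]]; then
  echo "usage: ./aws-access-lister.sh <TARGET_APIKEY_PUBLIC_KEY>"
  exit 1
fi

# Everything written to stdout from here on is the generated script.
echo "#!/usr/bin/env bash"
echo "#"
echo "# This is a generated bash script. DO NOT EDIT."
echo "# aws-access-lister.sh"
echo "#"
echo "# TODO - <notes on what this is for users here>"
echo "#"
echo "## TARGET_APIKEY_PUBLIC_KEY:${TARGET_APIKEY_PUBLIC_KEY}"

# Positional overrides for region/services. In --create-key mode $2 is the
# key description, so it must not also be read as the region (the original
# did, which made the region filter match nothing).
region_arg="${2:-}"
services_arg="${3:-}"

if [[ "${TARGET_APIKEY_PUBLIC_KEY}" == "--create-key" ]]; then
  echo "# --create-key detected"
  new_key_desc="${2:-aws-access-lister.sh generated by $(whoami) on $(date)}"
  region_arg=""
  new_key=$(mongocli iam organizations apikeys create \
    --role ORG_GROUP_CREATOR \
    --desc "${new_key_desc}" \
    --output=json)
  # The create response is expected to carry the private key. It goes to
  # stderr so the secret is not embedded in the generated script, which is
  # likely to be saved, shared or committed. Embedding it inside `: '...'`
  # also broke the generated script whenever the JSON contained a quote.
  echo "# new key details were written to stderr (not stored in this script)"
  printf '%s\n' "${new_key}" >&2
  TARGET_APIKEY_PUBLIC_KEY=$(jq -r '.publicKey // empty' <<<"${new_key}")
  [[ -n "${TARGET_APIKEY_PUBLIC_KEY}" ]] ||
    die "could not read publicKey from the apikeys create response"
  echo "## TARGET_APIKEY_PUBLIC_KEY:${TARGET_APIKEY_PUBLIC_KEY}"
fi

TARGET_APIKEY_ID=$(mongocli iam organizations apikeys list --output json |
  jq -r --arg tpk "${TARGET_APIKEY_PUBLIC_KEY}" \
    '.[] | select(.publicKey == $tpk) | .id')
# The id is interpolated into generated shell commands: refuse an empty or
# unexpected value instead of emitting commands with a broken --apiKey.
[[ "${TARGET_APIKEY_ID}" =~ ^[A-Za-z0-9]+$ ]] ||
  die "no API key id found for public key '${TARGET_APIKEY_PUBLIC_KEY}'"
echo "## TARGET_APIKEY_ID:${TARGET_APIKEY_ID}"

# Precedence: positional argument, then environment, then default.
# SERVICES is the variable the script has always read; SERVICE is the name
# used in the header documentation, so both are honoured.
region="${region_arg:-${REGION:-us-east-1}}"
services="${services_arg:-${SERVICES:-${SERVICE:-EC2}}}"
echo "# Filtering AWS ip ranges for following region and services"
echo "# region=${region}, services=${services}"

if [[ -f ip-ranges.json ]]; then
  cp -- ip-ranges.json "ip-ranges.json.$(date --iso-8601=seconds)"
  echo "# Backed up existing ip-ranges.json"
  ls -l -- ip-ranges.json.* | sed 's/^/# /'
fi

AWS_IP_RANGES_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
# Certificate verification stays ON (no -k): this file decides which
# networks may use the API key, so it must come from the real AWS endpoint.
# -f turns HTTP errors into a non-zero exit instead of saving an error page.
tmp_ranges=$(mktemp)
trap 'rm -f -- "${tmp_ranges}"' EXIT
curl -fsSL --proto '=https' -o "${tmp_ranges}" "${AWS_IP_RANGES_URL}" ||
  die "download of ${AWS_IP_RANGES_URL} failed"
jq -e '.prefixes | type == "array"' "${tmp_ranges}" >/dev/null ||
  die "downloaded ip-ranges.json has no .prefixes array"
mv -- "${tmp_ranges}" ip-ranges.json
echo "# Downloaded ip-ranges from ${AWS_IP_RANGES_URL}"
echo "# $(ls -l ip-ranges.json)"

# Match service names exactly. The previous substring test (`inside`) also
# selected AMAZON (every AWS range) when only AMAZON_CONNECT was requested,
# and EC2 when only EC2_INSTANCE_CONNECT was requested.
prefixes=$(jq -r --arg reg "${region}" --arg svcs "${services}" '
  [$svcs | splits("[,\\s]+") | select(length > 0)] as $wanted
  | .prefixes[]
  | select(.region == $reg and (.service as $s | any($wanted[]; . == $s)))
  | .ip_prefix
' ip-ranges.json)

# Only well-formed IPv4 CIDRs are written into the generated commands;
# anything else is reported on stderr and skipped rather than interpolated.
# NOTE: the selected ranges are shared by all AWS tenants in the region, so
# the resulting access list is broad by construction.
cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
while IFS= read -r cidr; do
  [[ -n "${cidr}" ]] || continue
  if [[ "${cidr}" =~ ${cidr_re} ]]; then
    printf 'mongocli iam organizations apikeys whitelists create --apiKey %s --cidr %s\n' \
      "${TARGET_APIKEY_ID}" "${cidr}"
  else
    printf 'aws-access-lister: skipping unexpected prefix: %q\n' "${cidr}" >&2
  fi
done <<<"${prefixes}"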