deleteRulesFromDefaultSG Function for aws-process-default-sg-security-rules
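/**
 * Removes every ingress and egress rule from the security groups named
 * "default" in one region.
 *
 * Calls ec2.describeSecurityGroups with the filter group-name = default and
 * then issues one ec2.revokeSecurityGroupIngress / ec2.revokeSecurityGroupEgress
 * call per rule found. `cb` is invoked exactly once: with the first error
 * reported by any EC2 call, or with (null, "SUCCESS") once every revoke has
 * completed (also when there is no default group or no rule to remove).
 * Anything still relying on the default group's rules loses that access
 * after this runs; DryRun stays false, so the calls really modify the groups.
 *
 * @param {String} thisregion region to process
 * @param {Function} cb Node-style callback (err, result)
 */
function deleteRulesFromDefaultSG(thisregion, cb) {
  console.log("in deleteRulesFromDefaultSG processing region: ", thisregion);
  const regional_ec2 = new aws.EC2({ region: thisregion });
  const params = {
    DryRun: false,
    Filters: [{ Name: 'group-name', Values: ['default'] }],
  };

  // The revoke calls run concurrently and any of them may fail, so every
  // completion goes through a latch that hands the result to cb only once.
  let finished = false;
  const finish = (err, result) => {
    if (finished) return;
    finished = true;
    cb(err, result);
  };

  // Builds the IpPermission entry the revoke calls expect from a rule in the
  // describe output. Ports are compared against null, not truthiness: a
  // FromPort/ToPort of 0 is a real value and dropping it would make the
  // revoke not match the rule it is meant to remove.
  const toRevokePermission = (rule) => {
    const perm = { IpProtocol: rule.IpProtocol };
    if (rule.FromPort != null) perm.FromPort = rule.FromPort;
    if (rule.ToPort != null) perm.ToPort = rule.ToPort;
    for (const key of ['IpRanges', 'Ipv6Ranges', 'PrefixListIds', 'UserIdGroupPairs']) {
      if (rule[key] && rule[key].length > 0) perm[key] = rule[key];
    }
    return perm;
  };

  regional_ec2.describeSecurityGroups(params, (err, sgdata) => {
    if (err) {
      console.log("error in regional_ec2.describeSecurityGroups: " + err, err.stack);
      finish(err);
      return;
    }
    console.log("regional_ec2.describeSecurityGroups returned data: " + JSON.stringify(sgdata));

    // Gather every revoke before starting any of them, so the outstanding
    // count is fixed before the first completion can arrive. One revoke per
    // rule keeps a single unmatched rule from failing the whole batch.
    const revokes = [];
    for (const sg of sgdata.SecurityGroups || []) {
      for (const rule of sg.IpPermissions || []) {
        revokes.push({
          api: 'revokeSecurityGroupIngress',
          params: { GroupId: sg.GroupId, IpPermissions: [toRevokePermission(rule)] },
        });
      }
      for (const rule of sg.IpPermissionsEgress || []) {
        revokes.push({
          api: 'revokeSecurityGroupEgress',
          params: { GroupId: sg.GroupId, IpPermissions: [toRevokePermission(rule)] },
        });
      }
    }

    if (revokes.length === 0) {
      console.log("in deleteRulesFromDefaultSG no rules to remove, returning success");
      finish(null, "SUCCESS");
      return;
    }

    let pending = revokes.length;
    for (const { api, params: revokeParams } of revokes) {
      console.log("sending params to ec2." + api + ": " + JSON.stringify(revokeParams));
      regional_ec2[api](revokeParams, (revokeErr, data) => {
        if (revokeErr) {
          console.log("error in ec2." + api + ": " + revokeErr, revokeErr.stack);
          finish(revokeErr);
          return;
        }
        console.log("data from ec2." + api + ": " + JSON.stringify(data));
        pending -= 1;
        if (pending === 0) {
          console.log("in deleteRulesFromDefaultSG sending back SUCCESS");
          finish(null, "SUCCESS");
        }
      });
    }
  });
}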