const aws = require('aws-sdk'); | |
const ec2 = new aws.EC2(); | |
const lambda = new aws.Lambda(); | |
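/**
 * Lambda entry point: strips every rule from each "default" security group in
 * every region, handling one region per invocation.
 *
 * The whole state machine lives in `event.regions`:
 *   - no `event.regions`     -> fetch the region list with ec2.describeRegions,
 *                               store it on the event and process one region
 *   - `event.regions` empty  -> all regions done; report SUCCESS
 *   - otherwise              -> pop one region, clean it, then re-invoke this
 *                               function asynchronously with the shorter list
 * Every hop pops a region, so the chain ends after at most one invocation per
 * region. An error in any region ends the chain right there: the regions still
 * on the list are NOT processed and nothing retries them.
 *
 * The re-invocation targets the hard-coded name "process-security-rules",
 * which must be this function's own deployed name for the recursion to work.
 * The execution role therefore needs ec2:DescribeRegions,
 * ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress,
 * ec2:RevokeSecurityGroupEgress and lambda:InvokeFunction on that function.
 *
 * @param {Object}   event    optional `regions`: array of objects carrying
 *                            `RegionName` (the shape ec2.describeRegions returns)
 * @param {Object}   context  Lambda context (unused)
 * @param {Function} callback node-style callback: (err) or (null, "SUCCESS")
 */
exports.handler = (event, context, callback) => {
  // Clean the next queued region, then hand the remaining list to a fresh
  // asynchronous invocation so each region gets its own Lambda run.
  function processNextRegion() {
    var thisregion = event.regions.pop();
    // A malformed entry would otherwise reach `new aws.EC2({region: undefined})`
    // and silently operate on the SDK's default region.
    if (!thisregion || typeof thisregion.RegionName !== 'string') {
      return callback(new Error("event.regions entries must be objects with a RegionName string"));
    }
    deleteRulesFromDefaultSG(thisregion.RegionName, function (err, data) {
      if (err) {
        console.log("Error from deleteRulesFromDefaultSG: ", err);
        return callback(err);
      }
      console.log("Data from deleteRulesFromDefaultSG: ", data);
      // Recurse through a new invocation; the popped region is gone from the
      // event, so the chain shrinks by one region per hop.
      invokeLambda(event, "process-security-rules", callback);
    });
  }

  if (!(event.regions)) {
    // First hop: discover the regions to sweep.
    ec2.describeRegions({}, function (regionerr, region_data) {
      if (regionerr) {
        console.log("Error from ec2.describeRegions: ", regionerr);
        return callback(regionerr);
      }
      console.log("Data from ec2.describeRegions: " + JSON.stringify(region_data));
      event.regions = region_data.Regions;
      processNextRegion();
    });
  } else if (!Array.isArray(event.regions)) {
    // Reject bad input explicitly instead of throwing a TypeError out of .pop().
    callback(new Error("event.regions must be an array of {RegionName} objects"));
  } else if (event.regions.length === 0) {
    console.log("regions.length === 0 calling back success");
    callback(null, "SUCCESS");
  } else {
    processNextRegion();
  }
};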
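/**
 * Invokes a Lambda function asynchronously with `invoke_params` as its event.
 *
 * InvocationType "Event" means the call completes once Lambda has accepted the
 * request, not when the target has finished; the target's own result never
 * reaches this callback. The handler uses this to chain itself across
 * regions, passing along the event with the remaining `regions` list.
 *
 * @param {Object}   invoke_params event payload for the target function
 *                                 (serialised with JSON.stringify)
 * @param {string}   functionName  name of the Lambda function to invoke
 * @param {Function} callback      node-style callback: the invoke error, or
 *                                 (null, response) once the request is accepted
 */
function invokeLambda(invoke_params, functionName, callback) {
  console.log("invokeLambda received invoke_params: " + JSON.stringify(invoke_params));
  console.log("invokeLambda received functionName: " + functionName);
  var params = {
    FunctionName: functionName,
    InvocationType: "Event",
    Payload: JSON.stringify(invoke_params)
  };
  lambda.invoke(params, function (err, data) {
    if (err) {
      console.log("Error in invokeLambda " + JSON.stringify(err));
      return callback(err);
    }
    // Stringify so the log shows the response fields instead of "[object Object]".
    console.log("in invokeLambda got data: " + JSON.stringify(data));
    callback(null, data);
  });
}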
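/**
 * Removes every ingress and egress rule from each security group named
 * "default" in one region, leaving those groups permitting no traffic at all.
 * Anything still attached to a default group is therefore expected to lose
 * connectivity once this has run.
 *
 * Steps: ec2.describeSecurityGroups filtered on group-name = default (several
 * groups may be returned; all are handled), then one
 * ec2.revokeSecurityGroupIngress / ec2.revokeSecurityGroupEgress call per
 * rule. Only the fields the revoke API keys on are copied from each described
 * rule.
 *
 * Completion: `cb` is called exactly once — with the first error seen, or with
 * (null, "SUCCESS") after every revoke call has returned successfully. Revoke
 * calls already issued when an error occurs still run to completion, so an
 * error means "at least one rule may remain", not "nothing was changed".
 *
 * @param {string}   thisregion AWS region name, e.g. "us-east-1"
 * @param {Function} cb         node-style callback: (err) or (null, "SUCCESS")
 */
function deleteRulesFromDefaultSG(thisregion, cb) {
  console.log("in deleteRulesFromDefaultSG processing region: ", thisregion);
  var regional_ec2 = new aws.EC2({
    region: thisregion
  });
  var params = {
    DryRun: false,
    Filters: [{
      Name: 'group-name',
      Values: ['default']
    }]
  };

  // cb must fire exactly once even when several revoke calls in the same
  // batch fail, or when a batch completes after an earlier failure.
  var finished = false;
  function done(err, data) {
    if (finished) return;
    finished = true;
    cb(err, data);
  }

  // Copies a described IpPermission into the shape revoke expects.
  // FromPort/ToPort are tested against undefined/null, not truthiness: port 0
  // is a legitimate value (e.g. ICMP type 0) and dropping it would make the
  // revoke call describe a rule that does not exist, leaving the real one.
  function toRevokePermission(perm) {
    var out = { IpProtocol: perm.IpProtocol };
    if (perm.FromPort !== undefined && perm.FromPort !== null) out.FromPort = perm.FromPort;
    if (perm.ToPort !== undefined && perm.ToPort !== null) out.ToPort = perm.ToPort;
    ['IpRanges', 'Ipv6Ranges', 'PrefixListIds', 'UserIdGroupPairs'].forEach(function (key) {
      if (Array.isArray(perm[key]) && perm[key].length > 0) out[key] = perm[key];
    });
    return out;
  }

  regional_ec2.describeSecurityGroups(params, function (err, sgdata) {
    if (err) {
      console.log("error in regional_ec2.describeSecurityGroups: " + err, err.stack);
      return done(err);
    }
    console.log("regional_ec2.describeSecurityGroups returned data: " + JSON.stringify(sgdata));
    var groups = sgdata.SecurityGroups || [];
    if (groups.length === 0) {
      console.log("in deleteRulesFromDefaultSG sgdata.SecurityGroups.length =0 returning success");
      return done(null, "SUCCESS");
    }

    // Build the complete list of revoke calls before issuing any, so the
    // completion count is fixed before the first callback can run.
    var calls = [];
    groups.forEach(function (sg) {
      (sg.IpPermissions || []).forEach(function (perm) {
        calls.push({
          method: 'revokeSecurityGroupIngress',
          params: { GroupId: sg.GroupId, IpPermissions: [toRevokePermission(perm)] }
        });
      });
      (sg.IpPermissionsEgress || []).forEach(function (perm) {
        calls.push({
          method: 'revokeSecurityGroupEgress',
          params: { GroupId: sg.GroupId, IpPermissions: [toRevokePermission(perm)] }
        });
      });
    });

    if (calls.length === 0) {
      // Default groups exist but already carry no rules: nothing to revoke.
      console.log("in deleteRulesFromDefaultSG sending back SUCCESS");
      return done(null, "SUCCESS");
    }

    var remaining = calls.length;
    calls.forEach(function (call) {
      console.log("sending params to ec2." + call.method + ": " + JSON.stringify(call.params));
      regional_ec2[call.method](call.params, function (revokeErr, data) {
        if (revokeErr) {
          console.log("error in ec2." + call.method + ": " + revokeErr, revokeErr.stack);
          return done(revokeErr);
        }
        console.log("data from ec2." + call.method + ": " + JSON.stringify(data));
        remaining -= 1;
        // Only report success once every revoke has actually returned.
        if (remaining === 0) {
          console.log("in deleteRulesFromDefaultSG sending back SUCCESS");
          done(null, "SUCCESS");
        }
      });
    });
  });
}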