aws-process-default-sg-security-rules
// AWS SDK v2, callback style. No region is passed to these two clients, so they
// use the SDK's default region; the per-region EC2 clients used for the actual
// revocations are created in deleteRulesFromDefaultSG.
const aws = require('aws-sdk');
const { EC2, Lambda } = aws;
const ec2 = new EC2();
const lambda = new Lambda();
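/**
 * Lambda entry point. Empties the "default" security groups in every region,
 * one region per invocation: the first invocation lists the regions, every
 * invocation pops one region, strips its default groups, then re-invokes this
 * function asynchronously with the shrunken list until none remain.
 *
 * Needs ec2:DescribeRegions in its own region, lambda:InvokeFunction on
 * "process-security-rules" (this function's own name, hard-coded below — the
 * chain stops with an invoke error after the first region if the deployed name
 * differs), and the EC2 permissions used by deleteRulesFromDefaultSG in every
 * region. An error in any region ends the chain; the regions still in the list
 * are not processed.
 *
 * @param {Object} event empty/absent to start, or {regions: [{RegionName}]} carried over from the previous iteration
 * @param {Object} context Lambda context (unused)
 * @param {Function} callback node-style callback; (null, "SUCCESS") once the last region is done
 */
exports.handler = (event, context, callback) => {
  // A null payload ("null" is a valid invoke Payload) must not crash on .regions.
  const evt = event || {};
  if (evt.regions) {
    processNextRegion(evt, callback);
    return;
  }
  //lets get the regions
  ec2.describeRegions({}, function(regionerr, region_data) {
    if (regionerr) {
      console.log("Error from ec2.describeRegions: ", regionerr);
      callback(regionerr);
      return;
    }
    console.log("Data from ec2.describeRegions: " + JSON.stringify(region_data));
    // An empty region list is handled by processNextRegion instead of popping undefined.
    evt.regions = region_data.Regions || [];
    processNextRegion(evt, callback);
  });
};

/**
 * One iteration of the chain: pops a region off event.regions, cleans it, and
 * either re-invokes this function with the remaining regions or reports
 * SUCCESS when the list is empty. The event is caller-supplied, so a malformed
 * `regions` value is reported through the callback rather than thrown.
 * @param {Object} event event whose .regions is the work list (shortened by pop)
 * @param {Function} callback Lambda callback
 */
function processNextRegion(event, callback) {
  if (!Array.isArray(event.regions)) {
    callback(new Error("event.regions must be an array of {RegionName} objects"));
    return;
  }
  if (event.regions.length === 0) {
    //looks like we have processed all regions
    console.log("regions.length === 0 calling back success");
    callback(null, "SUCCESS");
    return;
  }
  //lets process one region per iteration
  const thisregion = event.regions.pop();
  if (!thisregion || typeof thisregion.RegionName !== "string") {
    callback(new Error("event.regions entries must carry a RegionName string"));
    return;
  }
  deleteRulesFromDefaultSG(thisregion.RegionName, function(err, data) {
    if (err) {
      console.log("Error from deleteRulesFromDefaultSG: ", err);
      callback(err);
      return;
    }
    console.log("Data from deleteRulesFromDefaultSG: ", data);
    //the popped region is no longer in event, so the next invocation handles
    //the next one; the chain ends in the length === 0 branch above
    invokeLambda(event, "process-security-rules", callback);
  });
}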
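/**
 * Asynchronously invokes the given Lambda function with invoke_params as its
 * event. InvocationType "Event" means the call returns once the request is
 * accepted, so `data` carries the invoke status rather than the callee's result.
 * @param {Object} invoke_params object passed as the callee's event (here: the remaining regions)
 * @param {String} functionName Name of the Lambda function to invoke
 * @param {Function} callback node-style callback (err, data) with the invoke response
 */
function invokeLambda(invoke_params, functionName, callback) {
  console.log("invokeLambda received invoke_params: " + JSON.stringify(invoke_params));
  console.log("invokeLambda received functionName: " + functionName);
  const params = {
    FunctionName: functionName,
    InvocationType: "Event",
    Payload: JSON.stringify(invoke_params)
  };
  lambda.invoke(params, function(err, data) {
    if (err) {
      console.log("Error in invokeLambda " + JSON.stringify(err));
      callback(err);
      return;
    }
    // Serialize explicitly; string concatenation logged "[object Object]".
    console.log("in invokeLambda got data: " + JSON.stringify(data));
    callback(null, data);
  });
}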
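/**
 * Strips every ingress and egress rule from each security group named
 * "default" in one region, so the default group permits no traffic (the usual
 * hardening baseline for VPC default groups).
 *
 * Calls ec2.describeSecurityGroups with a group-name = default filter, then
 * one ec2.revokeSecurityGroupIngress / ec2.revokeSecurityGroupEgress per rule.
 * Requires ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and
 * ec2:RevokeSecurityGroupEgress in the target region.
 *
 * `cb` is invoked exactly once: with the first error seen (revokes still in
 * flight finish but are not reported), or with (null, "SUCCESS") once every
 * rule has been revoked or there was nothing to revoke.
 *
 * NOTE(review): only the first describeSecurityGroups page is processed, as
 * before — confirm no region has enough VPCs for the result to page (NextToken).
 *
 * @param {String} thisregion region to process
 * @param {Function} cb node-style callback (err, data)
 */
function deleteRulesFromDefaultSG(thisregion, cb) {
  console.log("in deleteRulesFromDefaultSG processing region: ", thisregion);
  const regional_ec2 = new aws.EC2({
    region: thisregion
  });
  const params = {
    DryRun: false,
    Filters: [{
      Name: 'group-name',
      Values: [
        'default'
      ]
    }]
  };
  regional_ec2.describeSecurityGroups(params, function(err, sgdata) {
    if (err) {
      console.log("error in regional_ec2.describeSecurityGroups: " + err, err.stack);
      cb(err);
      return;
    }
    console.log("regional_ec2.describeSecurityGroups returned data: " + JSON.stringify(sgdata));
    const revokes = collectRevokeTasks(sgdata.SecurityGroups || []);
    if (revokes.length === 0) {
      console.log("in deleteRulesFromDefaultSG no rules to revoke in region " + thisregion + " returning success");
      cb(null, "SUCCESS");
      return;
    }
    // Single completion point. The counter-and-flag scheme this replaces could
    // call cb several times (once per failed revoke, or SUCCESS before every
    // revoke had returned when a later group had no rules).
    let pending = revokes.length;
    let settled = false;
    const finish = function(e, data) {
      if (settled) return;
      settled = true;
      cb(e, data);
    };
    for (const task of revokes) {
      const label = "ec2." + task.method;
      console.log("sending params to " + label + ": " + JSON.stringify(task.params));
      regional_ec2[task.method](task.params, function(rerr, data) {
        if (rerr) {
          console.log("error in " + label + ": " + rerr, rerr.stack);
          finish(rerr);
          return;
        }
        console.log("data from " + label + ": " + JSON.stringify(data));
        pending -= 1;
        if (pending === 0) {
          console.log("in deleteRulesFromDefaultSG sending back SUCCESS");
          finish(null, "SUCCESS");
        }
      });
    }
  });
}

/**
 * Builds one revoke call per rule of every group.
 * @param {Object[]} groups SecurityGroups entries from describeSecurityGroups
 * @returns {Array<{method: String, params: Object}>} EC2 client method name plus its params
 */
function collectRevokeTasks(groups) {
  const tasks = [];
  for (const sg of groups) {
    for (const perm of sg.IpPermissions || []) {
      tasks.push({
        method: "revokeSecurityGroupIngress",
        params: { GroupId: sg.GroupId, IpPermissions: [copyIpPermission(perm)] }
      });
    }
    for (const perm of sg.IpPermissionsEgress || []) {
      tasks.push({
        method: "revokeSecurityGroupEgress",
        params: { GroupId: sg.GroupId, IpPermissions: [copyIpPermission(perm)] }
      });
    }
  }
  return tasks;
}

/**
 * Copies the fields of a described IpPermission that the revoke calls accept.
 * Ports are copied whenever present, including 0 (a valid ICMP type), which the
 * previous truthiness test dropped so the revoke could not match the rule.
 * Empty range lists are omitted, as before.
 * @param {Object} perm one IpPermissions / IpPermissionsEgress entry
 * @returns {Object} the rule as a revoke IpPermission
 */
function copyIpPermission(perm) {
  const out = { IpProtocol: perm.IpProtocol };
  if (perm.FromPort !== undefined && perm.FromPort !== null) out.FromPort = perm.FromPort;
  if (perm.ToPort !== undefined && perm.ToPort !== null) out.ToPort = perm.ToPort;
  for (const key of ['IpRanges', 'Ipv6Ranges', 'PrefixListIds', 'UserIdGroupPairs']) {
    if (Array.isArray(perm[key]) && perm[key].length > 0) out[key] = perm[key];
  }
  return out;
}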