AWS EC2 Security Groups: Revoke old and add new current IP to a list of rules based on the description
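#!/usr/bin/env bash
# This script updates an EC2 security group with the current public IP of
# your connection.  The "old" rules are located by their Description field,
# so DESC must be unique to the rules this script manages.
#
# Requirements:
# - aws-cli with configured profile: https://aws.amazon.com/de/cli/
# - jq: https://stedolan.github.io/jq/
# - curl
#
# NOTE: the script relies on bash features (arrays, `read -a`, here-strings),
# so the interpreter is bash rather than /bin/sh.
set -euo pipefail

####################
# CONFIGURATION
####################
# This description will be added to the new rules and used to find and
# remove existing rules.
DESC="{ replace this description }"
# The aws cli profile used.
AWS_PROFILE="{ aws profile to use }"
# The EC2 security group id whose rules are updated.
GROUP_ID="{ use your group id }"
# A list of rules to update. The format is "{tcp|udp}:{port}".
declare -a RULES=( "tcp:443" "tcp:22" "udp:666" )
# The url/service used to look up your current public ip.
GET_IP_URL="https://api.ipify.org"

####################
# SCRIPT
####################

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: the message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Check that a string is a dotted-quad IPv4 address (each octet 0..255).
# The value comes from an external HTTP response and is handed to the aws
# cli as a CIDR, so it is validated before it is used anywhere.
# Arguments: $1 - candidate address
# Returns:   0 when valid, 1 otherwise
#######################################
is_ipv4() {
  local ip=$1 octet octets
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS='.' read -ra octets <<< "$ip"
  for octet in "${octets[@]}"; do
    # 10# forces decimal so leading zeros are not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Split a "{protocol}:{port}" rule into its two parts and validate them.
# Arguments: $1 - rule string, $2 - name of the protocol out-variable,
#            $3 - name of the port out-variable
# Returns:   0 on success; exits via die on a malformed rule
#######################################
parse_rule() {
  local rule=$1
  local -n out_proto=$2
  local -n out_port=$3
  IFS=':' read -r out_proto out_port <<< "$rule"
  # The port is later embedded as a JSON number, so it must be all digits;
  # anything else (including a second ':' field) is rejected here.
  [[ -n "$out_proto" && "$out_port" =~ ^[0-9]+$ ]] \
    || die "malformed rule '$rule' (expected '{tcp|udp}:{port}')"
}

#######################################
# Fetch the current ip, compare it with the ip stored in the group's rules
# and, when it changed, revoke the old rules and authorize the new ones.
# Globals:   DESC, AWS_PROFILE, GROUP_ID, RULES, GET_IP_URL (all read)
# Returns:   0 after updating the group; 1 when the ip is unchanged
#            (kept from the original script) or on any error
#######################################
main() {
  local new_ip last_ip sec_groups rule proto port perms

  (( ${#RULES[@]} > 0 )) || die "RULES is empty; nothing to update"

  printf 'get current ip ...'
  # -f makes HTTP errors fail the command instead of yielding an error page
  new_ip=$(curl -fsS --max-time 10 -- "$GET_IP_URL") \
    || die "could not fetch current ip from $GET_IP_URL"
  printf ' %s\n\n' "$new_ip"
  is_ipv4 "$new_ip" || die "unexpected response from $GET_IP_URL: '$new_ip'"
  # add ip mask
  new_ip+="/32"

  printf "get ec2 sec. group '%s' ip ..." "$GROUP_ID"
  sec_groups=$(aws --profile "$AWS_PROFILE" ec2 describe-security-groups \
    --group-id "$GROUP_ID") \
    || die "describe-security-groups failed for $GROUP_ID"
  # Last matching CidrIp wins, as in the original; IpRanges[]? tolerates
  # permissions that carry no IPv4 ranges at all.
  last_ip=$(printf '%s' "$sec_groups" \
    | jq -r --arg desc "$DESC" \
      '.SecurityGroups[0].IpPermissions[].IpRanges[]? | select(.Description == $desc) | .CidrIp' \
    | tail -n 1)
  printf ' %s\n\n' "$last_ip"

  if [[ -z "$last_ip" ]]; then
    printf 'No matching rules found.\n\n'
  elif [[ "$new_ip" != "$last_ip" ]]; then
    printf "IP changed so change security group from '%s' to '%s'\n\n" \
      "$last_ip" "$new_ip"
    printf 'revoke rule: old ingress rules\n'
    for rule in "${RULES[@]}"; do
      parse_rule "$rule" proto port
      printf 'revoke protocol: %s port: %s\n' "$proto" "$port"
      aws --profile "$AWS_PROFILE" ec2 revoke-security-group-ingress \
        --group-id "$GROUP_ID" --protocol "$proto" --port "$port" \
        --cidr "$last_ip" \
        || die "revoke of $proto:$port for $last_ip failed"
    done
  else
    printf "IP '%s' not changed\n" "$last_ip"
    # Non-zero status on "nothing to do" is preserved from the original
    # script so existing callers keep seeing the same result.
    exit 1
  fi

  printf 'Add rules to security group.\n'
  for rule in "${RULES[@]}"; do
    parse_rule "$rule" proto port
    printf 'authorize rule: protocol: %s port: %s\n' "$proto" "$port"
    # Build the permission as real JSON via jq so that DESC (free text) and
    # the cidr are escaped instead of being spliced into a shorthand string.
    perms=$(jq -nc --arg proto "$proto" --argjson port "$port" \
      --arg cidr "$new_ip" --arg desc "$DESC" \
      '[{IpProtocol: $proto, FromPort: $port, ToPort: $port,
         IpRanges: [{CidrIp: $cidr, Description: $desc}]}]')
    aws --profile "$AWS_PROFILE" ec2 authorize-security-group-ingress \
      --group-id "$GROUP_ID" --ip-permissions "$perms" \
      || die "authorize of $proto:$port for $new_ip failed"
  done
}

main "$@"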