Copy-EC2SecurityGroupIngress.ps1
<#
.SYNOPSIS
Replicates every EC2 Security Group ingress rule that names one IP range onto one or more
other ranges, optionally revoking the rules of the original range afterwards.
.DESCRIPTION
Every security group in the region is scanned for ingress rules whose range list contains
CurrentIpRange. Each such rule (protocol and port range) is granted to every range in
NewIpRanges that does not already hold it, and - when -Revoke is given - the rule for
CurrentIpRange is removed once the copy has been made. The script honours -WhatIf and -Confirm.
.PARAMETER Region
The AWS region whose security groups are read and modified
.PARAMETER CurrentIpRange
IP address or CIDR range whose rules serve as the template; a bare address is treated as /32
.PARAMETER NewIpRanges
IP addresses or CIDR ranges that receive a copy of the rules; a bare address is treated as /32
.PARAMETER Revoke
When present, the rules granted to CurrentIpRange are removed after they have been copied
.EXAMPLE
# Copy-EC2SecurityGroupIngress.ps1 -Region ap-southeast-2 -CurrentIpRange 123.123.123.123 -NewIpRanges @("111.111.111.111/20","111.111.111.111/32") -Verbose
Description
-----------
Copies the rules from 123.123.123.123/32 to both 111.111.111.111/20 and 111.111.111.111/32
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
Param(
    [Parameter(Mandatory, Position = 1)]
    [string]$Region,

    [Parameter(Mandatory)]
    [string]$CurrentIpRange,

    [Parameter()]
    [string[]]$NewIpRanges = @(),

    [switch]$Revoke
)
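function ResolveIpRange
{
    <#
    .SYNOPSIS
    Normalises an IPv4 address or CIDR range to CIDR notation and rejects malformed input.
    .DESCRIPTION
    A bare address becomes <address>/32, which is the form the security group rules are
    compared against, so the -contains lookup matches single-host rules. Anything that is not
    an IPv4 address with an optional /0-/32 prefix throws, so a typo is caught before any
    security group is modified. A range with host bits set (e.g. 10.0.0.1/24) is passed through
    as given; AWS stores the network address, so such a value would not match existing rules.
    .PARAMETER Range
    The IPv4 address or CIDR range to normalise
    .OUTPUTS
    System.String - the range in CIDR notation
    #>
    Param(
        [string]$Range
    )

    # Split at most once: "a.b.c.d" yields a null prefix, "a.b.c.d/n" yields both parts
    $address, $prefix = $Range -split '/', 2

    $parsedAddress = $null
    if (-not [System.Net.IPAddress]::TryParse($address, [ref]$parsedAddress) -or
        $parsedAddress.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork)
    {
        throw (New-Object System.ArgumentException "'$Range' is not a valid IPv4 address or CIDR range")
    }

    if ($null -eq $prefix)
    {
        # A bare address is a single-host rule
        return "$address/32"
    }

    $prefixLength = 0
    if (-not [int]::TryParse($prefix, [ref]$prefixLength) -or $prefixLength -lt 0 -or $prefixLength -gt 32)
    {
        throw (New-Object System.ArgumentException "'$Range' has an invalid prefix length; expected /0 to /32")
    }

    $Range
}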
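$CurrentIpRange = ResolveIpRange $CurrentIpRange
$NewIpRanges = @($NewIpRanges | ForEach-Object { ResolveIpRange $_ })

# Builds an IpPermission that carries only the protocol/port tuple of $Template plus the
# given ranges; both the grant and the revoke calls need exactly this shape.
function NewIpPermissionFrom
{
    Param(
        $Template,
        [string[]]$Ranges
    )

    $copy = New-Object Amazon.EC2.Model.IpPermission
    $copy.IpProtocol = $Template.IpProtocol
    $copy.FromPort = $Template.FromPort
    $copy.ToPort = $Template.ToPort
    $copy.IpRanges.AddRange($Ranges)
    $copy
}

$allSecurityGroups = Get-EC2SecurityGroup -Region $Region

foreach ($group in $allSecurityGroups)
{
    # IpRanges is the list of IPv4 CIDR strings on a rule; IPv6 rules are not considered here.
    # NOTE(review): newer AWS modules also expose Ipv4Ranges (with descriptions) - confirm
    # that IpRanges is still populated by the installed module version.
    $matchingPermissions = @($group.IpPermissions | Where-Object { $_.IpRanges -contains $CurrentIpRange })

    foreach ($permission in $matchingPermissions)
    {
        $portDisplay = if ($permission.FromPort -eq $permission.ToPort)
        {
            [string]$permission.FromPort
        }
        else
        {
            "$($permission.FromPort)-$($permission.ToPort)"
        }

        # Ranges that already hold this rule are skipped; granting a duplicate is an error
        $applicableNewIpRanges = [string[]]@($NewIpRanges | Where-Object { $permission.IpRanges -notcontains $_ })

        # A cmdlet error only terminates its own pipeline, not this script, so without tracking
        # it a failed grant would fall straight through to the revoke and remove the only rule
        # that still admits the original range.
        $grantFailed = $false

        if ($applicableNewIpRanges.Count -ne 0 -and
            $PSCmdlet.ShouldProcess($group.GroupName, "Grant permissions to $($permission.IpProtocol) $portDisplay to $applicableNewIpRanges"))
        {
            $copiedPermission = NewIpPermissionFrom $permission $applicableNewIpRanges
            try
            {
                Grant-EC2SecurityGroupIngress -GroupId $group.GroupId -IpPermission $copiedPermission -ErrorAction Stop
            }
            catch
            {
                $grantFailed = $true
                Write-Error "Could not grant $($permission.IpProtocol) $portDisplay to $applicableNewIpRanges in $($group.GroupName); the rule for $CurrentIpRange is left in place. $_"
            }
        }

        if ($grantFailed)
        {
            continue
        }

        if ($Revoke.IsPresent -and
            $PSCmdlet.ShouldProcess($group.GroupName, "Revoke permissions $($permission.IpProtocol) $portDisplay from $CurrentIpRange"))
        {
            $revokedPermission = NewIpPermissionFrom $permission @([string]$CurrentIpRange)
            Revoke-EC2SecurityGroupIngress -GroupId $group.GroupId -IpPermission $revokedPermission
        }
    }
}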