Copy-EC2SecurityGroupIngress.ps1
<#
.SYNOPSIS
Clones the ingress rules that reference one IP range onto one or more other ranges, across every EC2 security group in a region, and can then revoke the original range's rules.
.DESCRIPTION
Every security group in the region is inspected. For each ingress permission whose IpRanges list contains CurrentIpRange, the same protocol and port range is granted to every entry of NewIpRanges that is not already present on that permission. If -Revoke is supplied, the CurrentIpRange entry is then revoked from that permission.

A range supplied without a prefix length is treated as a single host and gets "/32" appended before it is compared and sent to AWS. Only each permission's IpRanges collection (IPv4 CIDRs) is read or written; IPv6 entries, which live in a separate collection, are never touched.

The script honours -WhatIf and -Confirm. Its confirm impact is Medium, so with the default $ConfirmPreference of High all changes are applied without prompting; run with -WhatIf first to preview them. Be aware that -Revoke combined with an empty NewIpRanges removes every rule for CurrentIpRange in the region without granting any replacement.

The credentials in use must be allowed to describe security groups and to authorize and revoke security group ingress (ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress, ec2:RevokeSecurityGroupIngress).
.PARAMETER Region
AWS Region whose security groups are inspected and modified
.PARAMETER CurrentIpRange
IP address or CIDR range whose existing rules serve as the template; a bare address is treated as /32
.PARAMETER NewIpRanges
IP addresses or CIDR ranges that receive a copy of each matching rule; ranges already present on a rule are skipped
.PARAMETER Revoke
When present, the rules granted to CurrentIpRange are revoked after the copies have been made
.EXAMPLE
# Copy-EC2SecurityGroupIngress.ps1 -Region ap-southeast-2 -CurrentIpRange 123.123.123.123 -NewIpRanges @("111.111.111.111/20","111.111.111.111/32") -Verbose
Description
-----------
Copies the rules from 123.123.123.123/32 to both 111.111.111.111/20 and 111.111.111.111/32, leaving the original rules in place
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
Param(
    [Parameter(Mandatory = $true, Position = 1)]
    [string] $Region,

    [Parameter(Mandatory = $true)]
    [string] $CurrentIpRange,

    # Defaults to an empty list so that -Revoke alone is a valid (rule-removing) invocation.
    [Parameter(Mandatory = $false)]
    [string[]] $NewIpRanges = @(),

    [Parameter()]
    [switch] $Revoke
)
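function ResolveIpRange
{
    <#
    .SYNOPSIS
    Normalises an IP address or CIDR range into the CIDR form used for comparison against, and submission to, EC2.
    .DESCRIPTION
    Surrounding whitespace is removed. A value with no "/" is taken to be a single host and gets "/32" appended;
    a value that already carries a prefix length is returned unchanged. An empty or whitespace-only value is
    rejected, because it would otherwise turn into the meaningless range "/32" and fail later with an obscure AWS error.
    .PARAMETER Range
    IP address or CIDR range as supplied on the command line
    .OUTPUTS
    System.String - the range in CIDR notation
    #>
    Param(
        [string]$Range
    )
    $trimmed = $Range.Trim()
    if ([string]::IsNullOrEmpty($trimmed))
    {
        throw "IP range must not be empty"
    }
    # The -contains match on each permission's IpRanges requires the exact CIDR string,
    # so a bare address is only found if it is expressed as a /32 here.
    if ($trimmed -notmatch '/')
    {
        return "$trimmed/32"
    }
    return $trimmed
}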
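function CopyPermissionHeader
{
    <#
    .SYNOPSIS
    Builds a fresh IpPermission carrying only the protocol and port range of an existing one.
    .DESCRIPTION
    The returned object has an empty IpRanges list so the caller can add exactly the ranges to grant or revoke.
    .PARAMETER Source
    Existing Amazon.EC2.Model.IpPermission whose IpProtocol, FromPort and ToPort are copied
    .OUTPUTS
    Amazon.EC2.Model.IpPermission
    #>
    Param(
        $Source
    )
    $copy = New-Object Amazon.EC2.Model.IpPermission
    $copy.IpProtocol = $Source.IpProtocol
    $copy.FromPort = $Source.FromPort
    $copy.ToPort = $Source.ToPort
    return $copy
}

$CurrentIpRange = ResolveIpRange $CurrentIpRange
# Force an array: a single new range would otherwise collapse to a scalar string.
$NewIpRanges = [string[]]@($NewIpRanges | ForEach-Object { ResolveIpRange $_ })

$allSecurityGroups = Get-EC2SecurityGroup -Region $Region
foreach ($group in $allSecurityGroups)
{
    # Only permissions that already list the template range are of interest.
    $matchingPermissions = @($group.IpPermissions | Where-Object { $_.IpRanges -contains $CurrentIpRange })
    foreach ($permission in $matchingPermissions)
    {
        if ($permission.FromPort -eq $permission.ToPort)
        {
            $portDisplay = [string]$permission.FromPort
        }
        else
        {
            $portDisplay = "$($permission.FromPort)-$($permission.ToPort)"
        }

        # Ranges already present on this rule are skipped; granting a duplicate entry would be rejected.
        $applicableNewIpRanges = [string[]]@($NewIpRanges | Where-Object { $permission.IpRanges -notcontains $_ })

        # The original range is revoked only after the replacement rules are known to be in place.
        # Previously a failed grant still led to the revoke, which could cut off the only source that had access.
        $grantFailed = $false
        if ($applicableNewIpRanges.Count -ne 0)
        {
            if ($PSCmdlet.ShouldProcess($group.GroupName, "Grant permissions to $($permission.IpProtocol) $portDisplay to $applicableNewIpRanges"))
            {
                $copiedPermission = CopyPermissionHeader $permission
                $copiedPermission.IpRanges.AddRange($applicableNewIpRanges)
                try
                {
                    # -ErrorAction Stop turns a cmdlet error into a catchable exception so the failure is recorded.
                    Grant-EC2SecurityGroupIngress -GroupId $group.GroupId -IpPermission $copiedPermission -ErrorAction Stop
                }
                catch
                {
                    $grantFailed = $true
                    Write-Error "Failed to grant $($permission.IpProtocol) $portDisplay to $applicableNewIpRanges on $($group.GroupName) ($($group.GroupId)): $_"
                }
            }
        }

        if ($Revoke.IsPresent)
        {
            if ($grantFailed)
            {
                Write-Warning "Skipping revoke of $($permission.IpProtocol) $portDisplay from $CurrentIpRange on $($group.GroupName) because the grant failed"
            }
            elseif ($PSCmdlet.ShouldProcess($group.GroupName, "Revoke permissions $($permission.IpProtocol) $portDisplay from $CurrentIpRange"))
            {
                $revokedPermission = CopyPermissionHeader $permission
                $revokedPermission.IpRanges.Add([string]$CurrentIpRange)
                Revoke-EC2SecurityGroupIngress -GroupId $group.GroupId -IpPermission $revokedPermission
            }
        }
    }
}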