shell 使用aws cli从AWS中的安全组更新现有IP

x33g5p2x  于 2022-11-25  发布在  Shell
关注(0)|答案(5)|浏览(226)

我有一个shell脚本,它将我的公共IP添加到指定的ec2-security-group。我已经浏览了一些AWS文档,但找不到使用哪个API来更新现有IP地址,而不是简单地添加一个。
我经历了以下几点:

  1. update-security-group-rule-descriptions-ingress
  2. authorize-security-group-ingress
    是否有API可用于简单地更新安全组中的现有IP地址?
    我将使用下面的bash脚本向安全组添加新条目。
#!/bin/bash
curl https://checkip.amazonaws.com > ip.txt
awk '{ print $0 "/32" }' < ip.txt > ipnew.txt
export stuff=$(cat ipnew.txt)
aws ec2 authorize-security-group-ingress --group-name XXXXX --protocol tcp --port 22 --cidr $stuff --profile xxxxx
jvidinwx

jvidinwx1#

此脚本将查找标记为密钥ssh-from-my-ip和不区分大小写的值trueyes的任何安全组。然后,它将撤销来自端口22的旧入口访问(如果有),并授权您的新IP CIDR。它需要aws cli和jq。

#! /bin/bash

# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq

# need my current ip
MY_IP=$(curl --silent https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"

# need security group id(s) and existing CIDR for the SG
pairs=$(aws ec2 describe-security-groups | aws ec2 describe-security-groups | jq -c '.SecurityGroups[]? | select( (.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("true|yes"; "i"))) | if .IpPermissions | length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')

for p in $pairs
do
  SG=$(echo "$p" | jq -r '.sg')
  OLD_CIDR=$(echo "$p" | jq -r '.cidr')

  echo "Updating security group ${SG}"
  if [[ $OLD_CIDR != 'null' ]]
  then
    echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
    # remove the existing ingress permission
    aws ec2 revoke-security-group-ingress \
        --group-id "${SG}" \
        --protocol tcp \
        --port 22 \
        --cidr "${OLD_CIDR}"
  fi

  # authorize my new IP CIDR
  NEW_CIDR="${MY_IP}"/32
  echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
  aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done
kmbjn2e3

kmbjn2e32#

没有“更新”规则的命令。您需要添加和删除规则。
下面是我使用的一个类似脚本:

IP=`curl -s http://whatismyip.akamai.com/`
aws ec2 authorize-security-group-ingress --group-name XXX --protocol tcp --port 22 --cidr $IP/32 --output text

然而,这最终会添加太多的规则,所以我需要删除现有的规则。您可以在添加规则之前自动删除。

8iwquhpp

8iwquhpp3#

您要查找的命令是modify-security-group-ruleshttps://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html
下面是一个使用它的脚本。

# update a security group rule allowing 
# your current IPv4 I.P. to connect on port 22 (SSH)

CURRENT_DATE=$(date +'%Y-%m-%d')

# variables to identify sec group and sec group rule
SEC_GROUP_ID='sg-xxXXxx'
SEC_GROUP_RULE_ID='sgr-xxXXxxXXxxXX'
# description updated
SEC_GROUP_RULE_DESCRIPTION="dynamic ip updated - ${CURRENT_DATE}"

# gets I.P. and adds /32 for ipv4 cidr
CURRENT_IP=$(curl --silent https://checkip.amazonaws.com)
NEW_IPV4_CIDR="${CURRENT_IP}"/32

# updates the I.P. in the rule
aws ec2 modify-security-group-rules --group-id ${SEC_GROUP_ID} --security-group-rules SecurityGroupRuleId=${SEC_GROUP_RULE_ID},SecurityGroupRule="{CidrIpv4=${NEW_IPV4_CIDR}, IpProtocol=tcp,FromPort=22,ToPort=22,Description=${SEC_GROUP_RULE_DESCRIPTION}}"

# shows the rule updated
aws ec2 describe-security-group-rules --filter Name="security-group-rule-id",Values="${SEC_GROUP_RULE_ID}"
ovfsdjhp

ovfsdjhp4#

我已经能够破解我的方式来使这个工作。正如约翰建议,我已经创建了另一个安全组,添加了需要访问的端口,并通过shell脚本更新它。更新的工作原理是删除安全组中提到的所有规则,并再次添加它们与所需的IP
源代码已在Github上发布

zi8p0yeb

zi8p0yeb5#

导出我的IP地址=$(curl https://checkip.amazonaws.com
aws ec2授权-安全-组-入口-组-id sg-xxx -协议tcp-端口22 -cidr $my_ip/32

相关问题