cloudfront-ipset.sh

#!/bin/bash

set +ex

URL="https://ip-ranges.amazonaws.com/ip-ranges.json"

IPV4_SET_NAME="CloudFront.IPv4"
IPV6_SET_NAME="CloudFront.IPv6"



AWS_IPS_FILE="$(mktemp --suffix .cloudfront-ips.json)"

curl -sSLo "${AWS_IPS_FILE}" "${URL}"

TMP_NAME=".$(date +%s)"

ipset create "${IPV4_SET_NAME}.${TMP_NAME}" hash:net family inet
ipset create "${IPV6_SET_NAME}.${TMP_NAME}" hash:net family inet6

for IP in $(jq -r '.prefixes[] | select(.service=="CLOUDFRONT").ip_prefix' "${AWS_IPS_FILE}"); do
    ipset add "${IPV4_SET_NAME}.${TMP_NAME}" "${IP}"
done

for IP in $(jq -r '.ipv6_prefixes[] | select(.service=="CLOUDFRONT").ipv6_prefix' "${AWS_IPS_FILE}"); do
    ipset add "${IPV6_SET_NAME}.${TMP_NAME}" "${IP}"
done

if ipset list "${IPV4_SET_NAME}" &>/dev/null; then
    ipset swap "${IPV4_SET_NAME}" "${IPV4_SET_NAME}.${TMP_NAME}"
    ipset destroy "${IPV4_SET_NAME}.${TMP_NAME}"
else
    ipset rename "${IPV4_SET_NAME}.${TMP_NAME}" "${IPV4_SET_NAME}"
fi

if ipset list "${IPV6_SET_NAME}" &>/dev/null; then
    ipset swap "${IPV6_SET_NAME}" "${IPV6_SET_NAME}.${TMP_NAME}"
    ipset destroy "${IPV6_SET_NAME}.${TMP_NAME}"
else
    ipset rename "${IPV6_SET_NAME}.${TMP_NAME}" "${IPV6_SET_NAME}"
fi

rm -f "${AWS_IPS_FILE}"