| #!/usr/bin/env python | |
| import sys | |
| import boto | |
| import boto.ec2 | |
| import boto.ec2.elb | |
| import boto.rds | |
| import pprint | |
| import argparse | |
def lookup_by_id(sgid):
    """Return the name of the security group whose id is *sgid*.

    Uses the module-level ``ec2`` connection (so the lookup is scoped to the
    region the script was started for).  Raises IndexError when the id does
    not match any group in that region.
    """
    matches = ec2.get_all_security_groups(group_ids=sgid)
    first = matches[0]
    return first.name
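# Credentials are deliberately NOT embedded in this file.  boto resolves them
# from its standard chain (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, ~/.boto,
# ~/.aws/credentials, or an instance/role profile), so no long-lived secret is
# checked in alongside a script that can delete resources.  The identity used
# needs ec2:Describe*, elasticloadbalancing:DescribeLoadBalancers,
# rds:DescribeDBInstances and, only for -d, ec2:DeleteSecurityGroup.

# Names of every region boto knows about, shown in the --region help text.
region_list = [str(region.name) for region in boto.ec2.regions()]

parser = argparse.ArgumentParser(description="Show unused security groups")
parser.add_argument(
    "-r", "--region", type=str, default="us-east-1",
    help="The default region is us-east-1. The list of available regions are as follows: %s"
         % sorted(region_list))
# A bare flag.  The original declared -d without an action, so argparse
# demanded a value ("-d DELETE") even though the usage text says just "-d".
parser.add_argument(
    "-d", "--delete", action="store_true",
    help="delete security groups from AWS")
args = parser.parse_args()

# One connection per service, all scoped to the chosen region.  ``ec2`` stays
# a module-level name because lookup_by_id() above reads it.
ec2 = boto.ec2.connect_to_region(args.region)
elb = boto.ec2.elb.connect_to_region(args.region)
rds = boto.rds.connect_to_region(args.region)


def _all_pages(fetch):
    """Exhaust a paginated boto2 list call and return every item.

    *fetch(marker)* must return a boto ResultSet.  boto2 surfaces the
    continuation token as ``next_marker`` (ELB) or ``marker`` (RDS) and does
    not follow it for us; stopping at the first page would silently
    under-count references and flag live groups as unused, which for a
    deletion tool is the dangerous direction.
    """
    items = []
    marker = None
    while True:
        page = fetch(marker)
        items.extend(page)
        next_marker = (getattr(page, "next_marker", None)
                       or getattr(page, "marker", None))
        # No token, or a token that does not advance: we have everything.
        if not next_marker or next_marker == marker:
            break
        marker = next_marker
    return items


# Every security group in the region.  Names are only unique per VPC, so the
# group *id* is the reliable key; names are kept as a fallback for the one
# API (classic ELB source group) that exposes only a name.
groups = ec2.get_all_security_groups()

# Ids / names of groups something references.  'default' is never a candidate:
# it cannot be deleted and new resources fall back to it.
in_use_ids = set()
in_use_names = set(["default"])


def _mark(group):
    """Record *group* (anything carrying ``.id`` and/or ``.name``) as in use."""
    group_id = getattr(group, "id", None)
    if group_id:
        in_use_ids.add(group_id)
    name = getattr(group, "name", None)
    if name:
        in_use_names.add(name)


# EC2 instances: reservation-level groups (EC2-Classic) *and* instance-level
# groups -- VPC instances carry their groups on the instance, not the
# reservation, so the original reservation-only walk missed them.
reservations = ec2.get_all_instances()
instance_count = 0
for reservation in reservations:
    for group in reservation.groups:
        _mark(group)
    for instance in reservation.instances:
        instance_count += 1
        for group in instance.groups:
            _mark(group)

# Load balancers: VPC ELBs list their group ids; classic ELBs expose only the
# source security group's name.
load_balancers = _all_pages(lambda m: elb.get_all_load_balancers(marker=m))
for load_balancer in load_balancers:
    for group_id in (load_balancer.security_groups or []):
        in_use_ids.add(group_id)
    source = load_balancer.source_security_group
    if source is not None:
        _mark(source)

# RDS: every attached VPC security group, not just the first one.
dbs = _all_pages(lambda m: rds.get_all_dbinstances(marker=m))
for db in dbs:
    for membership in (db.vpc_security_groups or []):
        in_use_ids.add(membership.vpc_group)

# Network interfaces cover anything else in the VPC that holds an ENI.
# NOTE(review): resources without an ENI (EC2-Classic ElastiCache/Redshift,
# groups referenced only from another group's rules) are not seen here; a
# group that is still referenced will fail to delete with DependencyViolation
# rather than be deleted, which is the safe failure.
enis = ec2.get_all_network_interfaces()
for eni in enis:
    for group in eni.groups:
        _mark(group)

# A group is a candidate only if neither its id nor its name is referenced.
# Matching on name too is deliberately conservative: a same-named group in
# another VPC keeps this one alive rather than risking a wrong deletion.
delete_candidates = [
    group for group in groups
    if group.id not in in_use_ids
    and group.name not in in_use_names
    and not group.name.startswith("AWS-OpsWorks-")
]

deleted = 0
failed = 0
if args.delete:
    print("We will now delete security groups identified to not be in use.")
    for group in delete_candidates:
        try:
            # Delete by id: VPC groups cannot be addressed by name (the API
            # rejects it), and a name is ambiguous across VPCs anyway.
            ec2.delete_security_group(group_id=group.id)
            print("  deleted %s (%s)" % (group.name, group.id))
            deleted += 1
        except boto.exception.EC2ResponseError as err:
            # e.g. DependencyViolation: still referenced by another group's
            # rules.  Report it and carry on instead of aborting the run.
            print("  could not delete %s (%s): %s"
                  % (group.name, group.id, err.error_message))
            failed += 1
else:
    print("The list of security groups to be removed is below.")
    print("Run this again with `-d` to remove them")
    for group in sorted(delete_candidates, key=lambda g: g.name):
        print("  %s (%s)" % (group.name, group.id))

print("---------------")
print("Activity Report")
print("---------------")
# Report what was actually examined: the original printed the size of the
# in-use list as "evaluated" and the reservation count as the instance count.
print("Total number of Security Groups evaluated: %d" % len(groups))
print("Total number of EC2 Instances evaluated: %d" % instance_count)
print("Total number of Load Balancers evaluated: %d" % len(load_balancers))
print("Total number of RDS instances evaluated: %d" % len(dbs))
print("Total number of Network Interfaces evaluated: %d" % len(enis))
if args.delete:
    print("Total number of security groups deleted: %d" % deleted)
    if failed:
        print("Total number of security groups that could not be deleted: %d" % failed)
else:
    print("Total number of security groups targeted for removal: %d" % len(delete_candidates))
# For each security group in the total list, if not in the "used" list, flag for deletion
# If running with a "--delete" flag, delete the ones flagged.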
I got the following error (with only one security group, for some reason). The cause is visible in the traceback: the script passes the group *name* to `delete_security_group`, and EC2 refuses to address VPC security groups by name, so the call needs `group_id=` instead:
`$ python aws.py -d DELETE
We will now delete security groups identified to not be in use.
Traceback (most recent call last):
File "aws.py", line 79, in
ec2.delete_security_group(group)
File "/usr/lib/python2.7/dist-packages/boto/ec2/connection.py", line 3037, in delete_security_group
return self.get_status('DeleteSecurityGroup', params, verb='POST')
File "/usr/lib/python2.7/dist-packages/boto/connection.py", line 1227, in get_status
raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
InvalidParameterValueInvalid value 'icmp' for groupName. You may not reference Amazon VPC security groups by name. Please use the corresponding id for this operation.8fbbe047-3b03-4822-97d9-d7261323f72e`
I've written a boto3 / Python 3.5 version of this. It also treats security groups attached to VPC resources as in use (they now count as references), and it catches the exception on delete so that security groups that could not be removed automatically are reported instead of aborting the run.
Thanks a lot!