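#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'
########################################################################################################################
# Inspired by:
# https://gist.github.com/andromedarabbit/7b2ef08f0db29a728c9899163f359c88
#
# Creates (if missing) a security group in the given VPC and replaces its
# ingress rules with the address ranges GitHub publishes at
# https://api.github.com/meta (hooks, git, pages, importer).
#
# Usage:
#   wget -qO- <RAW_URL> | bash -s -- <aws-profile> <aws-vpc-id> <sg-name>
#   (`bash -s --` is required so the three arguments reach $1..$3; `sh <args>`
#   would treat the first argument as a script file to run.)
#
# Requires: aws (CLI), jq, curl. The script uses bash features ([[ ]], $'...',
# arrays) and must not be run under plain sh.
########################################################################################################################

readonly GITHUB_META_URL="https://api.github.com/meta"

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'Usage: %s <aws-profile> <aws-vpc-id> <sg-name>\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Print the IDs of the security groups in VPC_ID whose name is exactly SG_NAME.
# Globals:   AWS_PROFILE, VPC_ID, SG_NAME (read)
# Outputs:   one GroupId per line (nothing if no group matches)
#######################################
find_group_ids() {
  # Exact name + VPC filter. A substring match (jq `contains`) could select
  # unrelated groups and the script would then revoke *their* ingress rules.
  aws --profile "${AWS_PROFILE}" ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=${VPC_ID}" "Name=group-name,Values=${SG_NAME}" \
    --query 'SecurityGroups[].GroupId' --output json \
    | jq -r '.[]'
}

#######################################
# Build the --ip-permissions document for authorize-security-group-ingress
# from GitHub's meta document read on stdin. The JSON is produced by jq
# rather than by string interpolation so a malformed entry cannot break
# the request structure.
# Globals:   DESCRIPTION (read)
# Outputs:   compact JSON array with one IpProtocol "-1" entry
#######################################
build_ip_permissions() {
  jq -c --arg d "${DESCRIPTION}" '
    def tagged(name; list):
      (list // []) | map({cidr: ., desc: (name + " - " + $d)});
    [ tagged("hooks"; .hooks),
      tagged("git"; .git),
      tagged("pages"; .pages),
      # importer entries were bare addresses in the original script; keep the
      # /32 suffix but do not double it if an entry is already a CIDR.
      ((.importer // []) | map({cidr: (if contains("/") then . else . + "/32" end),
                                desc: ("importer - " + $d)})) ]
    | add
    # AWS rejects a request that lists the same range twice, so keep the first
    # occurrence of each CIDR (this is what the old `| /bin/true` papered over).
    | unique_by(.cidr)
    # -1 means every protocol and every port, as in the original script;
    # narrow this if only specific services (e.g. webhooks over 443) are needed.
    | [{ IpProtocol: "-1",
         IpRanges:   map(select(.cidr | contains(":") | not)
                         | {CidrIp: .cidr, Description: .desc}),
         Ipv6Ranges: map(select(.cidr | contains(":"))
                         | {CidrIpv6: .cidr, Description: .desc}) }]
    | map(if .IpRanges == [] then del(.IpRanges) else . end
          | if .Ipv6Ranges == [] then del(.Ipv6Ranges) else . end)'
}

#######################################
# Entry point: resolve/create the group, then replace its ingress rules.
# Arguments: $1 aws profile, $2 vpc id, $3 security-group name
# Globals:   AWS_PROFILE, VPC_ID, SG_NAME, DESCRIPTION (written)
# Returns:   exits non-zero on any failed AWS or curl call (no masking)
#######################################
main() {
  (( $# == 3 )) || usage
  AWS_PROFILE="$1"
  VPC_ID="$2"
  SG_NAME="$3"
  DESCRIPTION="$(date)"
  readonly AWS_PROFILE VPC_ID SG_NAME DESCRIPTION

  local tool
  for tool in aws jq curl; do
    command -v "${tool}" >/dev/null || die "required tool not found: ${tool}"
  done

  local -a group_ids
  mapfile -t group_ids < <(find_group_ids)
  if (( ${#group_ids[@]} == 0 )); then
    local new_id
    new_id="$(aws --profile "${AWS_PROFILE}" ec2 create-security-group \
      --vpc-id "${VPC_ID}" --group-name "${SG_NAME}" \
      --description "Open to GitHub only" \
      --query GroupId --output text)"
    printf '%s\n' "${new_id}"
    group_ids=("${new_id}")
  fi

  # Fetch GitHub's published ranges once (the original fetched them four
  # times) and fail loudly on an HTTP error instead of feeding an error
  # page to jq.
  local ip_permissions
  ip_permissions="$(curl --fail --silent --show-error "${GITHUB_META_URL}" \
    | build_ip_permissions)"

  local group_id current
  for group_id in "${group_ids[@]}"; do
    current="$(aws --profile "${AWS_PROFILE}" ec2 describe-security-groups \
      --group-ids "${group_id}" \
      --query 'SecurityGroups[0].IpPermissions' --output json)"
    # Drop every existing ingress rule before re-adding the current set; there
    # is a short window with no ingress between the two calls.
    if [[ -n "${current}" && "${current}" != "[]" && "${current}" != "null" ]]; then
      aws --profile "${AWS_PROFILE}" ec2 revoke-security-group-ingress \
        --group-id "${group_id}" --ip-permissions "${current}"
    fi
    # One batched call: a failure (e.g. the per-group rule quota) is reported
    # instead of being hidden by a `| /bin/true` per range.
    aws --profile "${AWS_PROFILE}" ec2 authorize-security-group-ingress \
      --group-id "${group_id}" --ip-permissions "${ip_permissions}"
  done
}

main "$@"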