Add all AWS IP ranges to a MongoDB Atlas Org api key access list

aws-access-lister.sh

#!/usr/bin/env bash

#
# aws-access-lister.sh
#
# This utility script can be used to maintain the Access List for
# a MongoDB Atlas Programatic API Key. For example, when running on AWS lambda
# the IP-address of the host is not know beforehand and thus it's not possible to
# securly configure an api key. This script will dynamically fetch a valid set of
# IP ranges directly from AWS and then either create a new apikey or modify an existing key
# with all the IP ranges.
#
# This tool requires `mongocli` to be installed and configured with
# an appropriatly scopre apikey (ORG_OWNER).
#
# Options - set via environment variables only
# REGION  - default 'us-east-1', use valid AWS regions
# SERVICE - list of services to allow default 'EC2', possible values:
#AMAZON,AMAZON_APPFLOW,AMAZON_CONNECT,API_GATEWAY,CHIME_VOICECONNECTOR,CLOUD9,CLOUDFRONT,CODEBUILD,DYNAMODB,EC2,EC2_INSTANCE_CONNECT,GLOBALACCELERATOR,KINESIS_VIDEO_STREAMS,ROUTE53_HEALTHCHECKS,ROUTE53_HEALTHCHECKS_PUBLISHING,S3,WORKSPACES_GATEWAYS,
#
# Usage:
# This tool will produce a set of mongocli commands
# you can run as a script to add apikey accesslist entries
# for known AWS ip ranges.
#
# Input: An Atlas Public Key or `--create-key` to genereate a new apikey
#
#
# DevOps Notes:
#
# Handly bash one-liner to clean up any aws-access-lister generated keys
#
# mongocli iam organizations apikeys list --output json | jq -r '.[] | select(.desc|test("^aws-access-lister")) | .id' | xargs -I {} mongocli iam organizations apikeys delete --force {}
#

TARGET_APIKEY_PUBLIC_KEY="${1}"
if [ -z "$TARGET_APIKEY_PUBLIC_KEY" ]
then
    echo "usage: ./aws-access-lister.sh <TARGET_APIKEY_PUBLIC_KEY>"
    exit 1
fi

echo "#!/usr/bin/env bash"
echo "#"
echo "# This is a generated bash script. DO NOT EDIT."
echo "# aws-access-lister.sh"
echo "#"
echo "# TODO - <notes on what this is for users here>"
echo "#"
echo "## TARGET_APIKEY_PUBLIC_KEY:${TARGET_APIKEY_PUBLIC_KEY}"

if [ "--create-key" == "${TARGET_APIKEY_PUBLIC_KEY}" ]
then
    echo "# --create-key detected"
    new_key_desc="${2:-aws-access-lister.sh generated by $(whoami) on $(date)}"
    new_key=$(mongocli iam organizations apikeys create \
              --role ORG_GROUP_CREATOR \
              --desc "${new_key_desc}" \
              --output=json)
    echo "# new key:"
    echo ": '"
    echo ${new_key}
    echo "'"
    TARGET_APIKEY_PUBLIC_KEY=$(echo ${new_key} | jq -r '.publicKey')
    echo "## TARGET_APIKEY_PUBLIC_KEY:${TARGET_APIKEY_PUBLIC_KEY}"
fi

TARGET_APIKEY_ID=$(mongocli iam organizations apikeys list --output json | \
    jq -r --arg tpk "${TARGET_APIKEY_PUBLIC_KEY}" \
    '.[] | select(.publicKey == $tpk) | .id')

echo "## TARGET_APIKEY_ID:${TARGET_APIKEY_ID}"

if [ -z "$REGION" ]
then
    region=${2:-us-east-1}
else
    region=${2:-${REGION}}
fi

if [ -z "$REGION" ]
then
    services=${3:-EC2}
else
    services=${3:-${SERVICES}}
fi

echo "# Filtering AWS ip ranges for following region and services"
echo "# region=${region}, services=${services}"

if [ -f ip-ranges.json ]
then
    cp ip-ranges.json{,.$(date --iso-8601=seconds)}
    echo "# Backed up existing ip-ranges.json"
    echo ": '"
    echo "$(ls -l ip-ranges.json.*)"
    echo "'"
fi

AWS_IP_RANGES_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
curl -skOL "${AWS_IP_RANGES_URL}" > ip-ranges.json
echo "# Downloaded ip-ranges from ${AWS_IP_RANGES_URL}"
echo "# $(ls -l ip-ranges.json)"
cat ip-ranges.json | \
    jq --arg reg "${region}" \
    --arg svcs "${services}" \
    '.prefixes[] | select((.region == $reg) and (.service | inside($svcs))) | .' | \
    jq --slurp '.' | \
    jq '.[] | .ip_prefix' | \
    xargs -I {} echo "mongocli iam organizations apikeys whitelists create --apiKey ${TARGET_APIKEY_ID} --cidr {}"