Swaps out the CIDR/IP address that is granted SSH access in an AWS security group
import boto
import requests
import json
import os.path
# State file listing every CIDR/IP this script has granted in the past, so a
# later run knows which stale entries to revoke.
known_fname = os.path.expanduser('~/.awssg')

# AWS credentials keyed by environment name; each value is unpacked
# positionally into boto.connect_ec2, presumably as (access key id, secret).
# NOTE(review): these are placeholders hard-coded in source; a real deployment
# should rely on boto's own credential lookup rather than keep secrets here.
creds = dict(
    aws_env=('aws_key', 'aws_secretyness'),
)

# Substring matched (case-insensitively) against security group names to pick
# the groups that receive the SSH grant.
group_name_stem = 'devops'
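def get_and_update_known_cidr_ips(current_cidr_ip, path=None) -> set[str]:
    """Record *current_cidr_ip* in the state file and return every CIDR seen so far.

    Args:
        current_cidr_ip: CIDR string to add, e.g. ``'203.0.113.5/32'``.
        path: state file to read and rewrite; defaults to ``known_fname``.

    Returns:
        The set of CIDRs now stored in the file, including *current_cidr_ip*.
        This is a ``set`` (the original annotation said list), so iteration
        order is not meaningful.
    """
    fname = known_fname if path is None else path
    try:
        with open(fname, 'r') as fd:
            # Skip blank lines so they do not become an empty-string "CIDR"
            # that is later compared against security group grants.
            known_cidr_ips = {line.strip() for line in fd if line.strip()}
    except FileNotFoundError:
        # First run: no state file yet, nothing has been granted before.
        known_cidr_ips = set()
    known_cidr_ips.add(current_cidr_ip)
    # Rewrite the whole file; sorted output keeps the file stable between runs.
    with open(fname, 'w') as fd:
        fd.writelines(f'{cidr_ip}\n' for cidr_ip in sorted(known_cidr_ips))
    return known_cidr_ips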
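def get_cidr_ip(post='/32') -> str:
    """Return this host's public IP as a CIDR string, as reported by api.ipify.org.

    Args:
        post: suffix appended to the address; the default ``'/32'`` yields a
            single-host IPv4 CIDR. It is not adjusted for IPv6 answers.

    Returns:
        ``ip + post``, e.g. ``'203.0.113.5/32'``.

    Raises:
        requests.HTTPError: on a non-2xx response.
        KeyError: if the JSON body has no ``ip`` field.
        ValueError: if the body is not JSON or ``ip`` is not an IP literal.
            The value flows into a security group rule, so an unexpected
            answer from the lookup service is rejected rather than passed on.
    """
    from ipaddress import ip_address

    ipify_url = 'https://api.ipify.org?format=json'
    # A timeout keeps a stalled lookup from hanging the whole run.
    response = requests.get(ipify_url, timeout=10)
    response.raise_for_status()
    ip_json: dict = json.loads(response.content)
    ip = ip_json['ip']
    ip_address(ip)  # raises ValueError for anything that is not an IP address
    return ip + post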
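def revoke_known(known_cidr_ips, dry_run=True):
    """Revoke every inbound grant whose CIDR is in *known_cidr_ips*.

    Walks all security groups of every environment in ``creds``. The match is
    on CIDR alone: a matching grant is revoked whatever its protocol, port or
    group, which is wider than the tcp/22 grant on ``group_name_stem`` groups
    that ``grant_current`` makes.

    Args:
        known_cidr_ips: container of CIDR strings, e.g. ``'203.0.113.5/32'``.
        dry_run: when True (the default) only print what would be revoked.
    """
    from boto.ec2.securitygroup import SecurityGroup, IPPermissions

    for env, keys in creds.items():
        ec2 = boto.connect_ec2(*keys)
        group: SecurityGroup
        for group in ec2.get_all_security_groups():
            # Iterate over snapshots: a successful revoke() may prune the grant
            # from rule.grants (and an emptied rule from group.rules) in place,
            # which would make a loop over the live list skip the next entry.
            rule: IPPermissions
            for rule in list(group.rules):
                for grant in list(rule.grants):
                    if grant.cidr_ip not in known_cidr_ips:
                        continue
                    print(f'revoke: {env}/{group.name}/'
                          f'{rule.ip_protocol}:{rule.from_port}:{rule.to_port}'
                          f'/{grant.cidr_ip}')
                    if dry_run:
                        continue
                    group.revoke(
                        ip_protocol=rule.ip_protocol,
                        from_port=rule.from_port,
                        to_port=rule.to_port,
                        cidr_ip=grant.cidr_ip,
                    )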
def grant_current(current_cidr_ip, dry_run=True):
    """Authorize inbound tcp/22 from *current_cidr_ip* on every matching group.

    A group matches when ``group_name_stem`` occurs anywhere in its
    lower-cased name, so a substring hit such as 'prod-devops-db' qualifies
    as well as an exact 'devops'.

    Args:
        current_cidr_ip: CIDR string to allow, e.g. ``'203.0.113.5/32'``.
        dry_run: when True (the default) only print the grant that would be made.
    """
    from boto.ec2.securitygroup import SecurityGroup

    for env, keys in creds.items():
        ec2 = boto.connect_ec2(*keys)
        group: SecurityGroup
        for group in ec2.get_all_security_groups():
            if group_name_stem not in group.name.lower():
                continue
            print(f'grant: {env}/{group.name}/tcp:22:22/{current_cidr_ip}')
            if dry_run:
                continue
            group.authorize(
                ip_protocol='tcp',
                from_port=22,
                to_port=22,
                cidr_ip=current_cidr_ip,
            )
def main():
    """Entry point: look up the current IP, revoke stale grants, grant the new one."""
    opts = build_argparser().parse_args()
    # The fresh CIDR is recorded before the revoke pass, so the revoke pass
    # also removes any earlier grant for this same address before it is
    # granted again.
    cidr_now = get_cidr_ip()
    seen = get_and_update_known_cidr_ips(cidr_now)
    revoke_known(seen, dry_run=opts.dry_run)
    grant_current(cidr_now, dry_run=opts.dry_run)
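def build_argparser():
    """Build the command-line parser.

    The default is a dry run (``dry_run=True``). The original ``-r/--dry-run``
    option is ``store_false``, i.e. it *disables* the dry run and applies the
    changes, while its help text said the opposite; the flag is kept for
    compatibility, its help corrected, and ``--apply`` added as a clearly
    named alias for the same action.

    Returns:
        argparse.ArgumentParser whose namespace has a ``dry_run`` bool.
    """
    from argparse import ArgumentParser

    parser = ArgumentParser()
    parser.add_argument('-r', '--dry-run', '--apply',
                        dest='dry_run',
                        action='store_false',
                        help='Actually apply revoke/grant actions '
                             '(without this flag the script only prints them)')
    return parser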
# Script entry guard; running as a module import defines the helpers only.
if __name__ == '__main__':
    main()