Bash script to set an AWS security group to use your current IP address, exclusively. Also works over ipv6 gateways (like your phone tether).
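#!/bin/bash
#
# Roaming security group by Michael Labbe
# @frogtoss
#
# Replaces the ingress rules of one security group with a single TCP rule
# that admits only this machine's current public IP on MIN_PORT..MAX_PORT.
#
# NOTE: the revoke step removes EVERY existing ingress rule in GROUP_ID,
# not only rules this script created. Point it at a group dedicated to
# roaming access.
#
# Order of operations is deliberate: the public IP is looked up and
# validated BEFORE anything is revoked, so a failed lookup leaves the
# group untouched instead of empty.
#
# Requires: aws (awscli), curl. Exits non-zero on the first failed step.
set -euo pipefail

# security group id
GROUP_ID="sg-xxx"
# region the sec group is in
REGION="us-west-1"
# awscli profile (leave empty to use the default credentials/profile)
PROFILE="some_profile"
# ip description, plain text (it is quoted for JSON when the rule is built)
DESCRIPTION="$USER temporary ip"
# port range to whitelist, inclusive.
MIN_PORT="22"
MAX_PORT="443"
# set this to "-4" to force ipv4. Forcing ipv4 ip detection is useful
# if you are tethering your phone and have an ipv6 address with a
# downstream ipv4 gateway. The ipv4 gateway is what aws security
# groups operate against.
FORCE_IPV4="-4"
#FORCE_IPV4=""
# Service that echoes the caller's public address. Fetched over TLS so the
# address that ends up whitelisted cannot be substituted by an on-path party.
IP_ECHO_URL="https://v4.ifconfig.co"

# AWS command to run, kept as an array so every argument survives intact.
# --output json makes the "[]" comparison in revoke_all_ingress reliable
# regardless of the user's configured default output format.
AWSCLI=(aws --region "$REGION" --output json)
if [[ -n "$PROFILE" ]]; then
  AWSCLI+=(--profile "$PROFILE")
fi

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Look up the current public IP and validate it before it is used.
# Globals:   FORCE_IPV4, IP_ECHO_URL (read)
# Outputs:   the bare address on stdout
# Returns:   1 if the lookup fails or the response is not an IP address
#######################################
detect_public_ip() {
  local ip
  # -f: HTTP errors are failures; -sS: quiet except real errors; bounded wait.
  # Word-splitting of FORCE_IPV4 is intentional: it is either "" or "-4".
  # shellcheck disable=SC2086
  ip=$(curl -fsS --max-time 15 $FORCE_IPV4 "$IP_ECHO_URL") || return 1
  # strip the trailing newline (and any stray whitespace) from the response
  ip=${ip//[[:space:]]/}
  # The response is network input that gets spliced into JSON sent to AWS:
  # only accept something shaped like an IPv4 or IPv6 address. This is a
  # shape check, not a full address parser.
  if [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf '%s\n' "$ip"
    return 0
  fi
  if [[ "$ip" == *:* && "$ip" =~ ^[0-9A-Fa-f:]+$ ]]; then
    printf '%s\n' "$ip"
    return 0
  fi
  printf 'unexpected response from %s: %s\n' "$IP_ECHO_URL" "$ip" >&2
  return 1
}

#######################################
# Build the IpPermissions JSON for one TCP rule covering a single host.
# Arguments: $1 - IP address (v4 or v6)
#            $2 - low port (inclusive)
#            $3 - high port (inclusive)
#            $4 - rule description (plain text)
# Outputs:   JSON array on stdout
#######################################
build_ip_permissions() {
  local ip=$1 min_port=$2 max_port=$3 desc=$4
  local range_key cidr_key cidr
  if [[ "$ip" == *:* ]]; then
    # ipv6 case: single host is /128
    range_key="Ipv6Ranges"
    cidr_key="CidrIpv6"
    cidr="$ip/128"
  else
    # ipv4 case: single host is /32
    range_key="IpRanges"
    cidr_key="CidrIp"
    cidr="$ip/32"
  fi
  printf '[{"IpProtocol": "tcp", "FromPort": %s, "ToPort": %s, "%s": [{"%s": "%s", "Description": "%s"}]}]\n' \
    "$min_port" "$max_port" "$range_key" "$cidr_key" "$cidr" "$desc"
}

#######################################
# Garbage collect previous temporary ips: revoke every ingress rule
# currently present in the group.
# Globals:   AWSCLI, GROUP_ID (read)
#######################################
revoke_all_ingress() {
  local ip_permissions
  echo "garbage collecting previous ips in $GROUP_ID"
  ip_permissions=$("${AWSCLI[@]}" ec2 describe-security-groups \
    --group-id "$GROUP_ID" \
    --query "SecurityGroups[0].IpPermissions")
  # only execute revoke if non-empty to avoid printing benign error
  case "$ip_permissions" in
    "" | "[]" | "null") return 0 ;;
  esac
  "${AWSCLI[@]}" ec2 revoke-security-group-ingress \
    --cli-input-json \
    "{\"GroupId\": \"$GROUP_ID\", \"IpPermissions\": $ip_permissions}"
}

#######################################
# Add the port range for the current IP to the secgroup.
# Globals:   AWSCLI, GROUP_ID (read)
# Arguments: $1 - IpPermissions JSON from build_ip_permissions
#######################################
authorize_ingress() {
  local permissions=$1
  "${AWSCLI[@]}" ec2 authorize-security-group-ingress \
    --group-id "$GROUP_ID" \
    --ip-permissions "$permissions"
}

#######################################
# Print current security group status.
# Globals:   AWSCLI, GROUP_ID (read)
#######################################
show_group_status() {
  echo "Success. $GROUP_ID status:"
  "${AWSCLI[@]}" ec2 describe-security-groups \
    --group-id "$GROUP_ID" \
    --query "SecurityGroups[0].IpPermissions"
}

main() {
  local cidr permissions
  # Resolve and validate the address first so a failed lookup never leaves
  # the group with its rules revoked and nothing re-authorized.
  cidr=$(detect_public_ip) || die "could not determine public ip; $GROUP_ID left unchanged"
  if [[ "$cidr" == *:* ]]; then
    echo "ipv6 $cidr detected"
  else
    echo "ipv4 $cidr detected"
  fi
  permissions=$(build_ip_permissions "$cidr" "$MIN_PORT" "$MAX_PORT" "$DESCRIPTION")

  revoke_all_ingress
  authorize_ingress "$permissions"
  show_group_status
}

main "$@"
exit 0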