rk295 · June 10, 2022 13:19
diff --git a/sg-tool b/sg-tool
 #!/usr/bin/env bash
 #
 # Simple script to list resources that are using a specified Security Group.
 #
 # Accepts only one command line argument, which is the ID of the SecurityGroup 
 # to check for.
 #
 # Currently supports these resources:
 #
 # * EC2 Instances
 # * EC2 LoadBalancers
 # * RDS DB Instances
 # * Directory Instances
 #
 # Output is one resource per line in the format of:
 #
 # NameOfResourceType=ResourceIdentifier
 #
 # Example:
 #
 #   ./sg-tool sg-0f9ff74829dd331cd
 #   InstanceId=i-074c0dab3891a1283
 #   InstanceId=i-0e2ce6229560ba68b
 #   LoadBalancerName=test-elb
 #   DBInstanceIdentifier=test-rds-instance
 #   DirectoryName=test.ad.example.com
 #
 # Requires AWS CLI installed and working (uses current profile) and jq.
 # 
 set -euo pipefail
 IFS=$'\n\t'

 securityGroupId="${1:-}"

 if [[ -z "$securityGroupId" ]]; then
    echo "Please provide ther security group id as the first argument"
    exit 1
 fi

 if [[ "${securityGroupId#sg-*}" = "$securityGroupId" ]]; then
    echo "That doesn't look like a valid security group id. (Expected format sg-......)"
    exit 1
 fi

 shift
 awsExtraArgs=( "$@" )
 # Push this in, just incase the user selects a profile which has 
 # text or table as the default output
 awsExtraArgs+=("--output" "json")

 #
 # Cheekily lifted from here https://github.com/bpm-rocks/array/blob/master/libarray#L8-L44
 #
 array::contains() {
    local check needle

    needle=$1
    shift 1

    for check in "$@"; do
        if [[ "$needle" == "$check" ]]; then
            return 0
        fi
    done

    return 1
 }

 # Lists all DBInstanceIdentifiers
 #
 # Takes no arguments
 #
 # Returns a list of all Load Balancer names 
 function list_db_instances {
    aws rds describe-db-instances ${awsExtraArgs[@]} | jq -r '.DBInstances[].DBInstanceIdentifier'
 }

 # List all Security Groups in use by a specific DB instance
 #
 # $1 - The DBInstanceIdentifier to check
 #
 # Returns a list of all Security Groups in use by the DB Instance
 function list_db_sg {
    local DBName
    DBName="$1"

    aws rds describe-db-instances --db-instance-identifier "$DBName" ${awsExtraArgs[@]} | jq -r '.DBInstances[].VpcSecurityGroups[] | select( .Status == "active") | .VpcSecurityGroupId'
 }

 # List DB Instances using a specific Security Group
 #
 # $1 - DBInstanceIdentifier to check for
 #
 # Returns a list of all DB Instances with the specified Security Group attached
 function list_db_using_sg {
    local sgId
    sgId="$1"

    while read -r lb; do
        mapfile -t sgList < <(list_db_sg "$lb")
        array::contains "$sgId" "${sgList[@]}" && echo "$lb"
    done < <(list_db_instances)

 }

 # List Directories using the specific Security Group
 #
 # $1 - SecurityGroupID to check for
 #
 # Returns a list of names of Directories using the specified Security Group
 function list_directories {
    local sgId
    sgId="$1"

    aws ds describe-directories ${awsExtraArgs[@]} | jq -r '.DirectoryDescriptions[] | select(.VpcSettings.SecurityGroupId == "'"$sgId"'") | .Name'
 }
 # Lists the instanceIds that are using the specified security group
 #
 # $1 - The SecurityGroupId to check for.
 #
 # Returns a list of InstanceId's that are using the SecurityGroup
 function list_instances {
    local sgId
    sgId="$1"
    aws ec2 describe-network-interfaces --filters Name=group-id,Values="$sgId" ${awsExtraArgs[@]} | jq -r '.NetworkInterfaces[].Attachment | select( .InstanceId != null) | .InstanceId'
 }

 # Lists all Load Balancer names
 #
 # Takes no arguments
 #
 # Returns a list of all Load Balancer names 
 function list_lb {

    aws elb describe-load-balancers ${awsExtraArgs[@]} | jq -r '.LoadBalancerDescriptions[].LoadBalancerName'
 }


 # Lists all Security Groups in use by a specific Load Balancer
 #
 # $1 - The name of the Load Balancer to check
 #
 # Returns a list of all Security Groups attached to the Load Balancer
 function list_lb_sg {
    local lbName
    lbName="${1:-}"

    aws elb describe-load-balancers --load-balancer-names "$lbName" ${awsExtraArgs[@]} | jq -r '.LoadBalancerDescriptions[].SecurityGroups[]'
 }

 # List Load Balancers using a specific Security Group
 #
 # $1 - Security Group Id to check for
 #
 # Returns a list of all Load Balancers with the specified Security Group attached
 function list_lb_using_sg {
    local sgId
    sgId="$1"

    while read -r lb; do
        mapfile -t sgList < <(list_lb_sg "$lb")
        array::contains "$sgId" "${sgList[@]}" && echo "$lb"
    done < <(list_lb)

 }

 function main {
    local dbList iList lbList sgId
    sgId="$1"

    mapfile -t iList < <(list_instances "$sgId")
    mapfile -t lbList < <(list_lb_using_sg "$sgId")
    mapfile -t dbList < <(list_db_using_sg "$sgId")
    mapfile -t dirList < <(list_directories "$sgId")

    [[ "${#iList[@]}" -gt 0 ]] && printf 'InstanceId=%s\n' "${iList[@]}"
    [[ "${#lbList[@]}" -gt 0 ]] && printf 'LoadBalancerName=%s\n' "${lbList[@]}"
    [[ "${#dbList[@]}" -gt 0 ]] && printf 'DBInstanceIdentifier=%s\n' "${dbList[@]}"
    [[ "${#dirList[@]}" -gt 0 ]] && printf 'DirectoryName=%s\n' "${dirList[@]}"

    exit 0
 }

 main "$securityGroupId"
	#!/usr/bin/env bash
	#
	# Simple script to list resources that are using a specified Security Group.
	#
	# Accepts only one command line argument, which is the ID of the SecurityGroup
	# to check for.
	#
	# Currently supports these resources:
	#
	# * EC2 Instances
	# * EC2 LoadBalancers
	# * RDS DB Instances
	# * Directory Instances
	#
	# Output is one resource per line in the format of:
	#
	# NameOfResourceType=ResourceIdentifier
	#
	# Example:
	#
	# ./sg-tool sg-0f9ff74829dd331cd
	# InstanceId=i-074c0dab3891a1283
	# InstanceId=i-0e2ce6229560ba68b
	# LoadBalancerName=test-elb
	# DBInstanceIdentifier=test-rds-instance
	# DirectoryName=test.ad.example.com
	#
	# Requires AWS CLI installed and working (uses current profile) and jq.
	#
	set -euo pipefail
	IFS=$'\n\t'

	securityGroupId="${1:-}"

	if [[ -z "$securityGroupId" ]]; then
	echo "Please provide ther security group id as the first argument"
	exit 1
	fi

	if [[ "${securityGroupId#sg-*}" = "$securityGroupId" ]]; then
	echo "That doesn't look like a valid security group id. (Expected format sg-......)"
	exit 1
	fi

	shift
	awsExtraArgs=( "$@" )
	# Push this in, just incase the user selects a profile which has
	# text or table as the default output
	awsExtraArgs+=("--output" "json")

	#
	# Cheekily lifted from here https://github.com/bpm-rocks/array/blob/master/libarray#L8-L44
	#
	array::contains() {
	local check needle

	needle=$1
	shift 1

	for check in "$@"; do
	if [[ "$needle" == "$check" ]]; then
	return 0
	fi
	done

	return 1
	}

	# Lists all DBInstanceIdentifiers
	#
	# Takes no arguments
	#
	# Returns a list of all Load Balancer names
	function list_db_instances {
	aws rds describe-db-instances ${awsExtraArgs[@]} \| jq -r '.DBInstances[].DBInstanceIdentifier'
	}

	# List all Security Groups in use by a specific DB instance
	#
	# $1 - The DBInstanceIdentifier to check
	#
	# Returns a list of all Security Groups in use by the DB Instance
	function list_db_sg {
	local DBName
	DBName="$1"

	aws rds describe-db-instances --db-instance-identifier "$DBName" ${awsExtraArgs[@]} \| jq -r '.DBInstances[].VpcSecurityGroups[] \| select( .Status == "active") \| .VpcSecurityGroupId'
	}

	# List DB Instances using a specific Security Group
	#
	# $1 - DBInstanceIdentifier to check for
	#
	# Returns a list of all DB Instances with the specified Security Group attached
	function list_db_using_sg {
	local sgId
	sgId="$1"

	while read -r lb; do
	mapfile -t sgList < <(list_db_sg "$lb")
	array::contains "$sgId" "${sgList[@]}" && echo "$lb"
	done < <(list_db_instances)

	}

	# List Directories using the specific Security Group
	#
	# $1 - SecurityGroupID to check for
	#
	# Returns a list of names of Directories using the specified Security Group
	function list_directories {
	local sgId
	sgId="$1"

	aws ds describe-directories ${awsExtraArgs[@]} \| jq -r '.DirectoryDescriptions[] \| select(.VpcSettings.SecurityGroupId == "'"$sgId"'") \| .Name'
	}
	# Lists the instanceIds that are using the specified security group
	#
	# $1 - The SecurityGroupId to check for.
	#
	# Returns a list of InstanceId's that are using the SecurityGroup
	function list_instances {
	local sgId
	sgId="$1"
	aws ec2 describe-network-interfaces --filters Name=group-id,Values="$sgId" ${awsExtraArgs[@]} \| jq -r '.NetworkInterfaces[].Attachment \| select( .InstanceId != null) \| .InstanceId'
	}

	# Lists all Load Balancer names
	#
	# Takes no arguments
	#
	# Returns a list of all Load Balancer names
	function list_lb {

	aws elb describe-load-balancers ${awsExtraArgs[@]} \| jq -r '.LoadBalancerDescriptions[].LoadBalancerName'
	}


	# Lists all Security Groups in use by a specific Load Balancer
	#
	# $1 - The name of the Load Balancer to check
	#
	# Returns a list of all Security Groups attached to the Load Balancer
	function list_lb_sg {
	local lbName
	lbName="${1:-}"

	aws elb describe-load-balancers --load-balancer-names "$lbName" ${awsExtraArgs[@]} \| jq -r '.LoadBalancerDescriptions[].SecurityGroups[]'
	}

	# List Load Balancers using a specific Security Group
	#
	# $1 - Security Group Id to check for
	#
	# Returns a list of all Load Balancers with the specified Security Group attached
	function list_lb_using_sg {
	local sgId
	sgId="$1"

	while read -r lb; do
	mapfile -t sgList < <(list_lb_sg "$lb")
	array::contains "$sgId" "${sgList[@]}" && echo "$lb"
	done < <(list_lb)

	}

	function main {
	local dbList iList lbList sgId
	sgId="$1"

	mapfile -t iList < <(list_instances "$sgId")
	mapfile -t lbList < <(list_lb_using_sg "$sgId")
	mapfile -t dbList < <(list_db_using_sg "$sgId")
	mapfile -t dirList < <(list_directories "$sgId")

	[[ "${#iList[@]}" -gt 0 ]] && printf 'InstanceId=%s\n' "${iList[@]}"
	[[ "${#lbList[@]}" -gt 0 ]] && printf 'LoadBalancerName=%s\n' "${lbList[@]}"
	[[ "${#dbList[@]}" -gt 0 ]] && printf 'DBInstanceIdentifier=%s\n' "${dbList[@]}"
	[[ "${#dirList[@]}" -gt 0 ]] && printf 'DirectoryName=%s\n' "${dirList[@]}"

	exit 0
	}

	main "$securityGroupId"