Create or modify the AWS security group that only allows GitHub servers to access our services
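# syntax=docker/dockerfile:1
# Image for register.sh: the Python packages from requirements.txt (awscli,
# raven-bash) plus jq and groff on top of the official python image.
# NOTE(review): python:3.7 is end-of-life; move to a supported tag and pin a
# digest (python:<tag>@sha256:...) so builds are reproducible.
FROM python:3.7

# Set the timezone to KST. This only affects `date` inside the container (used
# for the rule descriptions written by register.sh); the CronJob schedule is
# evaluated by the Kubernetes controller, not by this image.
RUN ln -snf /usr/share/zoneinfo/Asia/Seoul /etc/localtime \
    && echo "Asia/Seoul" > /etc/timezone

# update + install in one layer so the package index can never be stale, and
# drop the lists in the same layer so they do not persist in the image.
# groff is the only OS package the original installed; presumably for the
# aws CLI's help pager — confirm it is still needed.
RUN set -ex \
    && apt-get update \
    && apt-get install --no-install-recommends -y groff \
    && rm -rf /var/lib/apt/lists/*

# jq 1.5 from the upstream GitHub release. The download is not integrity
# checked: add `--checksum=sha256:<digest from the jq release page>` (Dockerfile
# syntax >= 1.6) once the value has been confirmed. `--chmod` sets the execute
# bit here instead of in a separate `RUN chmod +x` layer.
ADD --chmod=755 https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64 /usr/local/bin/jq

WORKDIR /usr/src/app

# Dependencies are installed before any application source is copied so this
# layer stays cached until requirements.txt changes. The requirements are not
# version-pinned, so two builds can produce different images.
COPY requirements.txt ./
RUN pip install --no-cache-dir --upgrade pip \
    && pip install --no-cache-dir -r requirements.txt

# The image runs as root. Before adding a non-root USER, make sure the
# projected script volume the CronJob mounts is readable and executable by
# that uid (its files are owned by root).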
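# Nightly job that rewrites the GitHub-only security group from the ranges
# GitHub publishes at https://api.github.com/meta (see register.sh).
# batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1 is the
# GA API (available since 1.21).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: github-sg
  labels:
    app: github-sg
spec:
  # Evaluated in the controller's timezone (typically UTC), not in the
  # container's KST setting.
  schedule: "30 18 * * *"
  # register.sh revokes every rule and adds them back; two overlapping runs
  # would race on the same group, so never start one while another is active.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 10
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            # kube2iam/kiam-style role binding. The attached policy grants
            # Create/Authorize/Revoke on every security group (Resource "*");
            # consider a tag condition so the role can only touch this group.
            iam.amazonaws.com/role: arn:aws:iam::111122223333:role/GitHubSecurityGroup
          labels:
            app: github-sg
        spec:
          restartPolicy: Never
          containers:
          - name: github-sg
            # Untagged image resolves to :latest; pin a tag or digest so the
            # job runs the same code every night.
            image: my/raven-bash
            args:
            - /bin/bash
            - -c
            - "/scripts/register.sh"
            env:
            - name: AWS_DEFAULT_REGION
              value: ap-northeast-2
            # register.sh selects the group by SG_NAME. The original manifest
            # never set it, and with an empty name the script's substring
            # match selects every security group in the account.
            # "github-sg" is a constructed default — set it to the group you
            # actually want managed.
            - name: SG_NAME
              value: github-sg
            # A Sentry DSN is a credential: prefer valueFrom.secretKeyRef over
            # a literal value in the manifest.
            - name: SENTRY_DSN
              value: YOUR_SENTRY_DSN
            volumeMounts:
            - name: scripts-d
              mountPath: /scripts
          volumes:
          - name: scripts-d
            projected:
              # Octal 0500 (owner r-x). The original's plain "500" is parsed
              # as decimal, i.e. mode 0764, which is not the intended value.
              defaultMode: 0500
              sources:
              - configMap:
                  name: github-sg-scripts
                  items:
                  - key: register.sh
                    path: register.sh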
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"ec2:CreateSecurityGroup", | |
"ec2:DescribeSecurityGroup*", | |
"ec2:RevokeSecurityGroup*", | |
"ec2:AuthorizeSecurityGroup*" | |
], | |
"Resource": "*" | |
} | |
] | |
} |
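#!/bin/bash -x
# register.sh — make the security group named ${SG_NAME} allow ingress only
# from the address ranges GitHub publishes at https://api.github.com/meta
# (hooks, git, pages, importer). Every existing ingress rule of the group is
# revoked and the current GitHub ranges are added back.
#
# Environment:
#   SG_NAME             name of the security group to create/update (required)
#   AWS_DEFAULT_REGION  overwritten below from the instance identity document
#
# The VPC id and region come from the EC2 instance metadata service (IMDS);
# AWS credentials come from the environment / instance or pod role.
# Rules are added with IpProtocol -1 (all protocols and ports), as in the
# original; narrow this to the ports the protected service actually exposes
# where that is possible.

# An unset SG_NAME must be fatal: the name is used to look the group up, and
# an empty pattern would select every security group in the account and strip
# all of their ingress rules.
: "${SG_NAME:?SG_NAME must be set to the name of the security group to manage}"

IMDS_BASE="http://169.254.169.254/latest"

# Ask for an IMDSv2 session token; where the environment does not allow it
# (e.g. a hop limit of 1 in front of a pod) fall back to token-less requests.
IMDS_TOKEN="$(curl --silent --fail --max-time 5 -X PUT "${IMDS_BASE}/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 60")" || IMDS_TOKEN=""

# imds <path>: GET ${IMDS_BASE}/<path>, sending the session token when we have one.
imds() {
  if [[ -n "${IMDS_TOKEN}" ]]; then
    curl --silent --fail --max-time 5 -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" "${IMDS_BASE}/${1}"
  else
    curl --silent --fail --max-time 5 "${IMDS_BASE}/${1}"
  fi
}

# The macs/ listing is one "<mac>/" line per interface; the first one is used.
INTERFACE=$(imds meta-data/network/interfaces/macs/ | tr -d '/' | head -n 1)
VPC_ID=$(imds "meta-data/network/interfaces/macs/${INTERFACE}/vpc-id")
AWS_DEFAULT_REGION=$(imds dynamic/instance-identity/document | jq -r .region)
export AWS_DEFAULT_REGION
if [[ -z "${VPC_ID}" || -z "${AWS_DEFAULT_REGION}" ]]; then
  echo "could not determine VPC id / region from instance metadata" >&2
  exit 1
fi

# Fetch GitHub's ranges once, and before any rule is touched, so that a failed
# or rate-limited request cannot leave the group with its rules revoked and
# nothing added back.
META="$(curl --silent --fail --max-time 30 https://api.github.com/meta)" || {
  echo "failed to fetch https://api.github.com/meta" >&2
  exit 1
}

# One "CIDR<TAB>category" line per range. Entries without a prefix length get
# /32 (the original appended /32 to every importer entry, so those are assumed
# to be bare addresses). The same CIDR can appear in several categories and a
# second authorize for it fails, so only the first occurrence of each CIDR is
# kept.
RANGES="$(
  {
    jq -r '.hooks[]    | "\(.)\thooks"'    <<<"${META}"
    jq -r '.git[]      | "\(.)\tgit"'      <<<"${META}"
    jq -r '.pages[]    | "\(.)\tpages"'    <<<"${META}"
    jq -r '.importer[] | "\(.)\timporter"' <<<"${META}"
  } | awk -F '\t' 'BEGIN { OFS = "\t" }
      { if (index($1, "/") == 0) $1 = $1 "/32"; if (!seen[$1]++) print }'
)"
if [[ -z "${RANGES}" ]]; then
  echo "GitHub meta contained no address ranges; leaving ${SG_NAME} untouched" >&2
  exit 1
fi

# find_group_ids: ids of the groups in this VPC whose name is exactly SG_NAME.
# (The original matched on a substring of the name across all VPCs, which also
# picked up unrelated groups.)
find_group_ids() {
  aws ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=${VPC_ID}" "Name=group-name,Values=${SG_NAME}" \
    | jq -r '.SecurityGroups[].GroupId'
}

GROUP_IDS="$(find_group_ids)"
if [[ -z "${GROUP_IDS}" ]]; then
  aws ec2 create-security-group --vpc-id="${VPC_ID}" --group-name "${SG_NAME}" --description "Open to GitHub only" | jq .GroupId
  GROUP_IDS="$(find_group_ids)"
fi

DESCRIPTION="$(date)"
while read -r GroupId; do
  [[ -z "${GroupId}" ]] && continue
  # Revoke whatever is currently allowed; afterwards the group holds only the
  # ranges in RANGES.
  IP_PERMISSIONS=$(aws ec2 describe-security-groups --filters "Name=group-id,Values=${GroupId}" | jq '.SecurityGroups[] | .IpPermissions')
  if [[ -n "${IP_PERMISSIONS}" && "${IP_PERMISSIONS}" != "[]" ]]; then
    aws ec2 revoke-security-group-ingress --group-id "${GroupId}" --ip-permissions "${IP_PERMISSIONS}"
  fi
  while IFS=$'\t' read -r CidrIp Category; do
    # A rule that already exists, or a range EC2 rejects, must not abort the
    # run, so failures are deliberately ignored here as in the original
    # script; the CLI's error text still goes to stderr.
    aws ec2 authorize-security-group-ingress --group-id "${GroupId}" \
      --ip-permissions "[{ \"IpProtocol\": \"-1\", \"IpRanges\": [{\"CidrIp\": \"${CidrIp}\", \"Description\": \"${Category} - ${DESCRIPTION}\"}]}]" \
      </dev/null >/dev/null || true
  done <<<"${RANGES}"
done <<<"${GROUP_IDS}"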
# Python packages installed into the image by the Dockerfile.
# TODO(review): pin exact versions (pkg==x.y.z) — an unpinned list does not
# give reproducible builds.
raven-bash
awscli