Consul Lock/Unlock with timeout

consulLock.sh

#!/bin/bash

set -e

export CONSUL_HTTP_ADDR="https://my-consul-address"
VALUE=$(consul kv get <key>)

if [ "$VALUE" != "locked" ]; then
  # Unlocked, check the timeout
  TIMEOUT=$(echo $VALUE | jq 'reduce .[] as $num (0; .+$num)')
  if [ $TIMEOUT -lt $(date  +%Y%m%d%M) ]; then
      echo "Timeout has expired. Locking security group"
      aws ec2 revoke-security-group-ingress --protocol tcp --port 443 --group-id <my-security-group> --cidr 0.0.0.0/0
      consul kv put <key> "locked"
      echo "Locked"
  else
    echo "Timeout still pending. Keeping it unlocked"
    exit 0
  fi
fi

# Assert lock - this will fail with non-0 code if 443 is still found in the ingress permissions list
if aws ec2 describe-security-groups --group-id <my-security-group> \
	| jq -e '.SecurityGroups[0].IpPermissions[] | select(.FromPort==443)'; then
    echo "The security group is still unlocked! Unable to lock somehow. Failing..."
    exit 1
else
	echo "The security group is locked"
fi

consulUnlock.sh

#!/bin/bash

set -e

export CONSUL_HTTP_ADDR="https://my-consul-addr"

# put current timestamp (in minutes granularity)
consul kv put <key> "{\"current\":$(date  +"%Y%m%d%M"), \"timeout\":$LockTimeoutMinutes}"
aws ec2 authorize-security-group-ingress --protocol tcp --port 443 --group-id <my-security-group> --cidr 0.0.0.0/0

echo "Will auto-lock in $LockTimeoutMinutes minutes"