使用jq解析AWS安全组并添加新的入口规则
[英]Parse AWS security group with jq and add new ingress rule
问题描述
The problem I'm trying to solve is to search for AWS SG group and add a new rule (eg: 10.10.0.0/16) to the same ingress rule block(port, protocal,cidr) where when the pattern is “CidrIp”: “10.219.0.0/16” matched. 
我要解决的问题是搜索AWS SG组并将新规则(例如:10.10.0.0/16)添加到模式为“ CidrIp”的同一个入口规则块(端口,协议,cidr)中:匹配“ 10.219.0.0/16”。
Found match: - https://gist.github.com/mfang329/49575d6eb7ddb93e8f926648f9ba06e9 找到匹配项:-https: //gist.github.com/mfang329/49575d6eb7ddb93e8f926648f9ba06e9
{
"PrefixListIds": [],
"FromPort": -1,
"IpRanges": [{
"CidrIp": "10.219.0.0/16"
},
{
"Description": "testing for vpc transit connectivity",
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": -1,
"IpProtocol": "icmp",
"UserIdGroupPairs": [{
"UserId": "abcde80269151",
"Description": "default SG VPC - peering ",
"GroupId": "sg-33511e41"
}],
"Ipv6Ranges": []
}
Change to - https://gist.github.com/mfang329/b5e892cf2fee2da4b7e67106cd15b3b2 更改为-https://gist.github.com/mfang329/b5e892cf2fee2da4b7e67106cd15b3b2
{
"PrefixListIds": [],
"FromPort": -1,
"IpRanges": [{
"CidrIp": "10.219.0.0/16"
},
{
"CidrIp": "10.10.0.0/16"
},
{
"Description": "testing for vpc transit connectivity",
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": -1,
"IpProtocol": "icmp",
"UserIdGroupPairs": [{
"UserId": "abcde80269151",
"Description": "default SG VPC - peering ",
"GroupId": "sg-33511e41"
}],
"Ipv6Ranges": []
}
Modify the SG with the following, but how do I express the jq to query these information and use them as the input for following aws cli? 使用以下命令修改SG,但是如何表达jq来查询这些信息并将其用作跟随aws cli的输入? I know there are commands flags with JQ but I would like to what is the simplest solution to attack this problem? 我知道JQ中有命令标志,但是我想攻击这个问题的最简单的解决方案是什么?
aws ec2 revoke-security-group-ingress \
— group-id sg-33511e41 \
— port -1 \
— protocol icmp \
— cidr 10.10.0.0/16;
Full security group JSON format - https://gist.github.com/mfang329/a1871731fe82e5255ccc571648ad4886 * 完整的安全组JSON格式-https: //gist.github.com/mfang329/a1871731fe82e5255ccc571648ad4886 *
2 个解决方案
解决方案1
1 已采纳 2018-07-13 09:49:53
If your intention is to create a new CidrIp rule added when the value is 10.219.0.0/16 , do the following. 如果您打算创建一个新的CidrIp规则,当该值为10.219.0.0/16 ,请执行以下操作。 Note that this does not preserve the order of the elements in the array and adds the new IP to the tail end 请注意,这不会保留数组中元素的顺序, 而是将新IP添加到末尾
jq 'if .IpRanges[] | select(.CidrIp | contains("10.219.0.0/16") )
then .IpRanges += [ { "cidrIp" : "10.10.0.0/16" } ]
else . end' ingressJSON
To store this output in a variable and to be later used in your aws command, store the output above to a shell variable. 要将输出存储在变量中并在以后的aws命令中使用,请将上面的输出存储到shell变量中。 And pass it to the command with proper quotes as "$awsRule" 并将其传递给带有正确引号的命令"$awsRule"
awsRule=$(jq 'if .IpRanges[] | select(.CidrIp | contains("10.219.0.0/16") )
then .IpRanges += [ { "cidrIp" : "10.10.0.0/16" } ]
else . end' ingressJSON)
解决方案2
1 2018-07-16 05:12:03
The answer I eventually figured out was to construct a simple SG json format that I use to feed it back to the aws ec2 statement. 我最终想出的答案是构造一个简单的SG json格式,然后将其反馈给aws ec2语句。 This approach took me awhile to figure out but it was quite elegant and I think it was what I was going for. 这种方法花了我一段时间才能弄清楚,但是它非常优雅,我认为这就是我想要的。
# search for the matching pattern and write to the output file
aws ec2 describe-security-groups --region ${i} | \
jq -r --arg e_cidr "${existing_cidr}" \
--arg n_cidr "${new_cidr}" \
'.SecurityGroups[] | .GroupId as $gid | .IpPermissions[] | .FromPort as $port | .IpProtocol as $protocol |
.IpRanges[] | select(.CidrIp == $e_cidr) | .Description as $desc |
[{ GroupId:$gid, IpProtocol:$protocol, FromPort:$port, ToPort:$port, IpRanges:[{CidrIp:$n_cidr, Description:$desc}] }] ' -c \
| tee -a ${regional_file}
This will produce a json file similar to this format, 这将产生一个类似于此格式的json文件,
[{
"GroupId": "sg-60d78e12",
"IpProtocol": "tcp",
"FromPort": 443,
"ToPort": 443,
"IpRanges": [
{
"CidrIp": "12.179.53.18/32",
"Description": "Chicago Primary"
}
]
}]
Then what I did was to drop the "GroupId" key value from the json statement, then feed into the aws ec2 command line to add the new ingress rule with the same protocol and port as of the original cidr block. 然后,我要做的是从json语句中删除“ GroupId”键值,然后馈入aws ec2命令行以使用与原始cidr块相同的协议和端口添加新的入口规则。 This work nicely and took a little while to get to this conclusion. 这项工作很好,花了一些时间才得出结论。
while read -r sg_pattern
do
gid=$( echo $sg_pattern | jq '.[]|.GroupId' -r )
# remove the GroupId key to prepare the ip_permissions json
ip_permissions=$( echo $sg_pattern | jq '.[] | [ del(.GroupId) ]' -r )
echo " ---> adding new SG rule for ${ip_permissions}."
aws ec2 authorize-security-group-ingress --group-id $gid --ip-permissions "${ip_permissions}"
done < ${regional_file}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.