package main
// awsVPCe.go - functions for VPC endpoints
// Copyright 2020-2022 F5 Inc.
// Licensed under the BSD 3-clause license; see LICENSE.md for more information.
import (
"fmt"
"strings"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ec2"
)
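// getVPCEndpointIDs finds the VPC endpoint service IDs (vpce-svc-…) that carry the
// tag pipefitter=<config.ID> in each of config.PLRegions.
//
// The result maps region name to the service IDs found there; regions with no
// matching service are omitted. An error is returned when a region has no
// session in sess or when the DescribeVpcEndpointServices call fails.
func getVPCEndpointIDs(sess map[string]*session.Session, config config) (map[string][]string, error) {
	vpcebyregion := make(map[string][]string)
	for _, region := range config.PLRegions {
		s, ok := sess[region]
		if !ok || s == nil {
			// ec2.New on a missing/nil session would panic deep inside the SDK; fail clearly instead.
			return nil, fmt.Errorf("no AWS session available for region %q", region)
		}
		ec2svc := ec2.New(s)
		params := &ec2.DescribeVpcEndpointServicesInput{
			Filters: []*ec2.Filter{
				{
					Name:   aws.String("tag:pipefitter"),
					Values: []*string{aws.String(config.ID)},
				},
			},
		}
		resp, err := ec2svc.DescribeVpcEndpointServices(params)
		if err != nil {
			return nil, err
		}
		// The service ID is embedded in the service name as its fifth
		// dot-separated segment (index 4). Guard the index so a name with fewer
		// segments is skipped instead of panicking the whole run.
		var vpceids []string
		for _, name := range aws.StringValueSlice(resp.ServiceNames) {
			if !strings.Contains(name, "vpce-svc-") {
				continue
			}
			parts := strings.Split(name, ".")
			if len(parts) < 5 {
				fmt.Printf("WARN : %s: unexpected service name %q, skipping\n", region, name)
				continue
			}
			vpceids = append(vpceids, parts[4])
		}
		if len(vpceids) > 0 {
			vpcebyregion[region] = vpceids
		}
	}
	return vpcebyregion, nil
}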
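// vpcePrincipalAccount reduces an allowed-principal string returned by EC2 to
// the form used in config.PLAllowedPeers: an account-root ARN
// (arn:aws:iam::<account>:root) becomes its account ID, anything else (for
// example "*") is returned unchanged. The field index is guarded so a malformed
// principal cannot panic the caller.
func vpcePrincipalAccount(p string) string {
	if strings.Contains(p, ":root") {
		if parts := strings.Split(p, ":"); len(parts) > 4 {
			return parts[4]
		}
	}
	return p
}

// vpceRemovePrincipal converts a principal that is present on the endpoint but
// not in the allow list back into the form ModifyVpcEndpointServicePermissions
// expects: a 12-character value is treated as an account ID and wrapped in a
// root ARN, anything else (e.g. "*") is passed through as-is.
func vpceRemovePrincipal(account string) string {
	if len(account) == 12 {
		return fmt.Sprintf("arn:aws:iam::%s:root", account)
	}
	return account
}

// updateVPCEndpointPermissions reconciles the allowed principals of every VPC
// endpoint service in endpoints (region -> service IDs) with config.PLAllowedPeers.
//
// Accounts in PLAllowedPeers that are missing from the endpoint are granted as
// root ARNs; any principal on the endpoint that is not in PLAllowedPeers —
// including a wildcard "*" unless it is listed there — is revoked. Progress is
// written to stdout. An error is returned when a region has no session in sess
// or when an EC2 call fails; endpoints processed before the failure keep their
// applied changes.
func updateVPCEndpointPermissions(sess map[string]*session.Session, config config, endpoints map[string][]string) error {
	for region, vpceids := range endpoints {
		s, ok := sess[region]
		if !ok || s == nil {
			return fmt.Errorf("no AWS session available for region %q", region)
		}
		// One client per region is enough; it does not depend on the endpoint.
		ec2svc := ec2.New(s)
		for _, vpceid := range vpceids {
			// Read every page of permissions: a principal on a later page that
			// should not be there must still be revoked.
			var principalsOnEndpoint []string
			err := ec2svc.DescribeVpcEndpointServicePermissionsPages(
				&ec2.DescribeVpcEndpointServicePermissionsInput{ServiceId: aws.String(vpceid)},
				func(page *ec2.DescribeVpcEndpointServicePermissionsOutput, _ bool) bool {
					for _, pr := range page.AllowedPrincipals {
						principalsOnEndpoint = append(principalsOnEndpoint, vpcePrincipalAccount(aws.StringValue(pr.Principal)))
					}
					return true
				})
			if err != nil {
				return err
			}

			var principalsToAdd, principalsToRemove []string
			for _, account := range config.PLAllowedPeers {
				if !contains(principalsOnEndpoint, account) {
					// Allowed by config but not yet on the endpoint.
					principalsToAdd = append(principalsToAdd, fmt.Sprintf("arn:aws:iam::%s:root", account))
				}
			}
			for _, account := range principalsOnEndpoint {
				if !contains(config.PLAllowedPeers, account) {
					// On the endpoint but not allowed by config: revoke it.
					principalsToRemove = append(principalsToRemove, vpceRemovePrincipal(account))
				}
			}

			if len(principalsToAdd) == 0 && len(principalsToRemove) == 0 {
				fmt.Printf("INFO : %s/%s: No PL permissions changes\n", region, vpceid)
				continue
			}

			modifyParams := &ec2.ModifyVpcEndpointServicePermissionsInput{
				ServiceId: aws.String(vpceid),
			}
			if len(principalsToAdd) > 0 {
				modifyParams.AddAllowedPrincipals = aws.StringSlice(principalsToAdd)
			}
			if len(principalsToRemove) > 0 {
				modifyParams.RemoveAllowedPrincipals = aws.StringSlice(principalsToRemove)
			}
			modifyResp, err := ec2svc.ModifyVpcEndpointServicePermissions(modifyParams)
			if err != nil {
				return err
			}
			if !aws.BoolValue(modifyResp.ReturnValue) {
				// The call succeeded but EC2 reported the change was not applied;
				// say so rather than leaving the endpoint silently unreconciled.
				fmt.Printf("WARN : %s/%s: permission change not applied (add %s, remove %s)\n", region, vpceid, principalsToAdd, principalsToRemove)
				continue
			}
			fmt.Printf("INFO : Updated %s/%s: ", region, vpceid)
			if len(principalsToAdd) > 0 {
				fmt.Printf("added %s", principalsToAdd)
			}
			if len(principalsToRemove) > 0 {
				fmt.Printf("removed %s", principalsToRemove)
			}
			fmt.Printf("\n")
		}
	}
	return nil
}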