-
Notifications
You must be signed in to change notification settings - Fork 647
Expand file tree
/
Copy pathwafv2-web-acl-pingdom.sh
More file actions
executable file
·412 lines (352 loc) · 10.2 KB
/
wafv2-web-acl-pingdom.sh
File metadata and controls
executable file
·412 lines (352 loc) · 10.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
#!/usr/bin/env bash
# This script will Manage WAFV2 Web ACL to allow current Pingdom probe server IPs
# Allows creating or updating AWS WAFV2 IP Addresses Set and Web ACLs
# Saves a list of current Pingdom probe server IPs in the file iplist
# Creates a WAFV2 IP Address Set with all Pingdom IPs
# Creates a WAFV2 Web ACL with rules to allow Pingdom access
# Requires the AWS CLI and jq, wget
# Set Variables
CONDITIONNAME="Pingdom"
DATE=$(date "+%Y-%m-%d")
CONDITIONNAME=$CONDITIONNAME-$DATE
# Debug Mode
DEBUGMODE=false
# Functions
# Check Command
function check_command {
type -P $1 &>/dev/null || fail "Unable to find $1, please install it and run this script again."
}
# Completed
function completed(){
echo
HorizontalRule
tput setaf 2; echo "Completed!" && tput sgr0
HorizontalRule
echo
}
# Fail
function fail(){
tput setaf 1; echo "Failure: $*" && tput sgr0
exit 1
}
# Horizontal Rule
function HorizontalRule(){
echo "============================================================"
}
# Verify AWS CLI Credentials are setup
# http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
if ! grep -q aws_access_key_id ~/.aws/config; then
if ! grep -q aws_access_key_id ~/.aws/credentials; then
fail "AWS config not found or CLI not installed. Please run \"aws configure\"."
fi
fi
# Check for AWS CLI profile argument passed into the script
# http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-multiple-profiles
if [ $# -eq 0 ]; then
scriptname=`basename "$0"`
echo "Usage: ./$scriptname profile"
echo "Where profile is the AWS CLI profile name"
echo "Using default profile"
echo
profile=default
else
profile=$1
fi
# Ensure AWS profile has necessary permissions
function preflightChecks(){
# Test WAFv2 access with a simple list command
# We'll check the specific scope later after user selects it
echo "Checking AWS CLI and credentials..."
}
# Scope of WAF CloudFront or Regional
function scopeMenu(){
tput smul; echo "Scope of WAF CloudFront or Regional?" && tput sgr0
echo "1. Global CloudFront distribution"
echo "2. Regional Application (ALB, API Gateway, AppSync, Cognito, etc.)"
echo
read -r -p "Menu selection #: " scope
case $scope in
1)
WAFSCOPE="CLOUDFRONT"
;;
2)
WAFSCOPE="REGIONAL"
;;
*)
fail "Invalid selection!"
;;
esac
}
# Get Pingdom IPv4 IPs
function GetProbeIPs(){
wget --quiet -O- https://my.pingdom.com/probes/ipv4 | \
sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 > iplist
TOTALIPS=$(cat iplist | wc -l | tr -d ' ')
if ! [ "$TOTALIPS" -gt "0" ]; then
fail "Error getting Pingdom IPs."
fi
echo
tput setaf 2
HorizontalRule
echo "Total Pingdom IPs: "$TOTALIPS
HorizontalRule
tput sgr0
echo
}
# Builds the addresses array for WAFv2 IP set
function BuildIPAddressArray(){
if [ -f ipaddresses.json ]; then
rm ipaddresses.json
fi
echo '[' > ipaddresses.json
while read iplist
do
echo " \"$iplist/32\"," >> ipaddresses.json
done < iplist
# Remove the last comma (compatible with both macOS and Linux)
if [[ "$OSTYPE" == "darwin"* ]]; then
sed -i '' '$ s/,$//' ipaddresses.json
else
sed -i '$ s/,$//' ipaddresses.json
fi
echo ']' >> ipaddresses.json
if [[ $DEBUGMODE ]]; then
echo "Built IP addresses array"
fi
}
# Create IP Set
function CreateIPSet(){
BuildIPAddressArray
ADDRESSES=$(cat ipaddresses.json | jq -c .)
CREATESET=$(aws wafv2 create-ip-set \
--scope "$WAFSCOPE" \
--name "$CONDITIONNAME" \
--description "Pingdom Probe Server IPs - $WAFSCOPE" \
--ip-address-version IPV4 \
--addresses "$ADDRESSES" \
--profile "$profile" 2>&1)
if [ ! $? -eq 0 ]; then
if [[ $DEBUGMODE ]]; then
echo "CREATE ERROR: $CREATESET"
fi
fail "$CREATESET"
fi
IPSETID=$(echo "$CREATESET" | jq -r '.Summary.Id')
IPSETARN=$(echo "$CREATESET" | jq -r '.Summary.ARN')
if [[ $DEBUGMODE ]]; then
echo "IP Set ID: $IPSETID"
echo "IP Set ARN: $IPSETARN"
fi
echo
HorizontalRule
echo "Created IP Set: $CONDITIONNAME"
echo "IP Set ID: $IPSETID"
HorizontalRule
echo
}
# Get list of all IP Sets
function ListIPSets(){
LISTSETS=$(aws wafv2 list-ip-sets --scope "$WAFSCOPE" --limit 100 --profile "$profile" 2>&1)
if [ ! $? -eq 0 ]; then
fail "$LISTSETS"
fi
IPSETID=$(echo "$LISTSETS" | jq -r '.IPSets[] | select(.Name=="'"$CONDITIONNAME"'") | .Id')
IPSETARN=$(echo "$LISTSETS" | jq -r '.IPSets[] | select(.Name=="'"$CONDITIONNAME"'") | .ARN')
if [[ $DEBUGMODE ]]; then
echo "ListIPSets ID: $IPSETID"
echo "ListIPSets ARN: $IPSETARN"
fi
}
# Get list of IPs in a single IP Set
function GetIPSet(){
GETSET=$(aws wafv2 get-ip-set --scope $WAFSCOPE --id "$IPSETID" --name "$CONDITIONNAME" --profile $profile 2>&1)
if [ ! $? -eq 0 ]; then
fail "$GETSET"
fi
GetIPSet=$(echo "$GETSET" | jq -r '.IPSet.Addresses[]')
LOCKTOKEN=$(echo "$GETSET" | jq -r '.LockToken')
if [[ $DEBUGMODE ]]; then
echo "GetIPSet Addresses: $GetIPSet"
echo "Lock Token: $LOCKTOKEN"
fi
}
# Update IP Set with new addresses
function UpdateIPSet(){
GetIPSet
BuildIPAddressArray
ADDRESSES=$(cat ipaddresses.json | jq -c .)
UPDATESET=$(aws wafv2 update-ip-set \
--scope $WAFSCOPE \
--id "$IPSETID" \
--name "$CONDITIONNAME" \
--addresses "$ADDRESSES" \
--lock-token "$LOCKTOKEN" \
--profile $profile 2>&1)
if [ ! $? -eq 0 ]; then
fail "$UPDATESET"
fi
echo
HorizontalRule
echo "IP Set Updated Successfully"
HorizontalRule
echo
}
# Creates a WAFv2 Web ACL
function CreateWebACL(){
# Create rules JSON
cat > rules.json << EOF
[
{
"Name": "AllowPingdom",
"Priority": 0,
"Statement": {
"IPSetReferenceStatement": {
"ARN": "$IPSETARN"
}
},
"Action": {
"Allow": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AllowPingdom"
}
}
]
EOF
RULES=$(cat rules.json | jq -c .)
CREATEACL=$(aws wafv2 create-web-acl \
--scope $WAFSCOPE \
--name "$CONDITIONNAME-WebACL" \
--default-action Block={} \
--rules "$RULES" \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName="$CONDITIONNAME" \
--profile $profile 2>&1)
if [ ! $? -eq 0 ]; then
fail "$CREATEACL"
fi
ACLID=$(echo "$CREATEACL" | jq -r '.Summary.Id')
ACLARN=$(echo "$CREATEACL" | jq -r '.Summary.ARN')
echo
HorizontalRule
echo "Created Web ACL: $CONDITIONNAME-WebACL"
echo "Web ACL ID: $ACLID"
echo "Web ACL ARN: $ACLARN"
HorizontalRule
echo
}
# Exports a list of IPs in existing IP Set to the file iplist-existing
function ExportExistingIPSet(){
ListIPSets
GetIPSet
if [ -z "$GetIPSet" ]; then
echo "No IPs in Set!"
CountIPSetIPs=0
else
# Delete any existing file iplist-existing
if [ -f iplist-existing ]; then
rm iplist-existing
fi
echo "$GetIPSet" >> iplist-existing
CountIPSetIPs=$(echo "$GetIPSet" | wc -l | tr -d ' ')
if [[ $DEBUGMODE ]]; then
echo "IPs in set $CONDITIONNAME: $CountIPSetIPs"
fi
fi
}
# Main function to manage WAFv2 IP Set
function WAF(){
GetProbeIPs
# Check for existing IP Set with the same name
ListIPSets
if [ -z "$IPSETID" ]; then
# Create new IP set
echo
HorizontalRule
echo "Creating IP Addresses Set: $CONDITIONNAME"
HorizontalRule
echo
CreateIPSet
completed
else
# IP Set already exists
tput setaf 1
echo
HorizontalRule
echo "IP Set: $CONDITIONNAME Already Exists"
echo "IP Set ID: $IPSETID"
HorizontalRule
tput sgr0
echo
read -r -p "Do you want to update the IP set with new IPs? (y/n) " UPDATEIPSET
if [[ $UPDATEIPSET =~ ^([yY][eE][sS]|[yY])$ ]]; then
echo
HorizontalRule
echo "Updating IP Set: $CONDITIONNAME"
echo "IPs to be updated: $TOTALIPS"
HorizontalRule
echo
UpdateIPSet
completed
else
echo "Skipping IP Set update."
fi
fi
# Ask about creating Web ACL
read -r -p "Do you want to create a new WAFv2 Web ACL with the IP Set? (y/n) " CREATEACL
if [[ $CREATEACL =~ ^([yY][eE][sS]|[yY])$ ]]; then
# Make sure we have the ARN
if [ -z "$IPSETARN" ]; then
ListIPSets
fi
CreateWebACL
fi
}
# You can't delete an IPSet if it's still used in any Rules or if it still includes any IP addresses.
# You can't delete a Rule if it's still used in any WebACL objects.
# RULENAME=$(aws wafv2 list-rules --limit 99 --output=json --profile $profile 2>&1 | jq '.Rules | .[] | .Name' | grep "$CONDITIONNAME" | cut -d '"' -f2)
# RULEID=$(aws wafv2 list-rules --limit 99 --output=json --profile $profile 2>&1 | jq '.Rules | .[] | select(.Name=="'"$RULENAME"'") | .RuleId' | cut -d '"' -f2)
# echo
# echo "====================================================="
# echo "Deleting Rule Name $RULENAME, Rule ID $RULEID"
# echo "====================================================="
# DELETERULE=$(aws wafv2 delete-rule --rule-id "$RULEID" --profile $profile 2>&1)
# if [ ! $? -eq 0 ]; then
# fail "$DELETERULE"
# else
# echo "$DELETERULE"
# fi
# echo
# echo "====================================================="
# echo "Deleting Set $CONDITIONNAME, Set ID $IPSETID"
# echo "====================================================="
# DELETESET=$(aws wafv2 delete-ip-set --ip-set-id "$IPSETID" --profile $profile 2>&1)
# if [ ! $? -eq 0 ]; then
# fail "$DELETESET"
# else
# echo "$DELETESET"
# # echo
# # echo "====================================================="
# # echo "Creating Security Group "$GROUPNAME
# # GROUPID=$(aws ec2 create-security-group --group-name "$GROUPNAME" --description "$DESCRIPTION" --vpc-id $VPCID --profile $profile 2>&1)
# # echo $GROUPID
# # aws ec2 create-tags --resources $(aws ec2 describe-security-groups --output=json | jq '.SecurityGroups | .[] | select(.GroupName=="$GROUPNAME") | .GroupId' | cut -d '"' -f2) --tags Key=Name,Value="$GROUPNAME"
# # echo "====================================================="
# fi
# Check required commands
check_command "aws"
check_command "jq"
check_command "wget"
# Ensure Variables are set
if [ "$CONDITIONNAME" = "YOUR-CONDITION-NAME-HERE" ]; then
fail "Must set variables!"
fi
preflightChecks
scopeMenu
WAF
# Cleanup temp files
rm -f ipaddresses.json rules.json 2>/dev/null
# Open console URL if desired
# Regional: https://console.aws.amazon.com/wafv2/homev2/ip-sets
# CloudFront: https://console.aws.amazon.com/wafv2/homev2/ip-sets?region=global