Nov 21 2013
 

I work from home a lot.  For the first three years or so I was with them, my ISP never changed my IP address dynamically.  Now they change it often (more than once a week).  This slows my response time when I am at home, get paged, go to log in via ssh, and find out my IP has changed, since we restrict access to our AWS environment with security group rules.  The times I have needed to do this are relatively few, but it is still a problem if there is an emergency.  Leave it to me to come up with a simple solution.

This script has few requirements.  You can make copies of the script or modify it if you need to update your IP address in more than one security group.  It requires the awscli package, so first make sure python-pip is installed:

# for redhat based systems
yum -y install python-pip
# for debian systems
apt-get install python-pip

Next, install awscli:

pip install awscli

Finally, we configure awscli.  For this part you will need your AWS access key ID and your AWS secret access key.  You will also need to know your default AWS region.

aws configure

Example output is below.  And no, those are not valid keys:

AWS Access Key ID [None]: AAAABBBBCCCCDDDDEEEE
AWS Secret Access Key [None]: aaaabbbb111112222ccccddddd33334444eeeefff
Default region name [None]: us-east-1
Default output format [None]: json

After you have the above done, you can now validate it works.

aws ec2 describe-regions

You should get output like:

$ aws ec2 describe-regions
{
    "Regions": [
        {
            "Endpoint": "ec2.eu-west-1.amazonaws.com", 
            "RegionName": "eu-west-1"
        }, 
        {
            "Endpoint": "ec2.sa-east-1.amazonaws.com", 
            "RegionName": "sa-east-1"
        }, 
        {
            "Endpoint": "ec2.us-east-1.amazonaws.com", 
            "RegionName": "us-east-1"
        }, 
        {
            "Endpoint": "ec2.ap-northeast-1.amazonaws.com", 
            "RegionName": "ap-northeast-1"
        }, 
        {
            "Endpoint": "ec2.us-west-2.amazonaws.com", 
            "RegionName": "us-west-2"
        }, 
        {
            "Endpoint": "ec2.us-west-1.amazonaws.com", 
            "RegionName": "us-west-1"
        }, 
        {
            "Endpoint": "ec2.ap-southeast-1.amazonaws.com", 
            "RegionName": "ap-southeast-1"
        }, 
        {
            "Endpoint": "ec2.ap-southeast-2.amazonaws.com", 
            "RegionName": "ap-southeast-2"
        }
    ]
}

Finally, below is the script I created, which will update your IP address in the security group you specify.  It is currently set up to change the rule for port 22 only.  If you have more than one group or more than one port, you will need to modify the script to support that, or simply copy the script under a new name for each group and port you need.

#!/bin/bash
 
# By Ed Wiget
# This is run via cron whenever my ip address changes in order to update aws security group
 
# 20131120 - original script
 
############################################################################################################################################
 
# example add:  aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr 203.0.113.0/24
# example revoke: aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr 203.0.113.0/24
 
#############################################################################################################################################
 
##### VARIABLES TO SET ##########################
 
# set our home directory which holds our ip file
HOMEDIR=/home/my_username
 
# set the name of the security group as shown in the aws console
SEC_GROUP=mysecuritygroup
 
# the tcp port we allow in from home (22 = ssh)
PORT=22
 
##### END VARIABLES TO SET ######################
 
# here we check for the aws binary and if it doesn't exist we bail, because it is silly to try to run this script without it
 
if command -v aws >/dev/null 2>&1; then
	echo "wooohooooo"
else
	echo "silly rabbit, sysadmin ain't for kids"
	exit 1
fi
 
# grab the current ip once, up front
WAN=$(curl -s http://www.edwiget.name/ip.php)
 
# if the lookup failed or returned something that is not a dotted quad, stop here:
# writing an empty value into the state file would revoke the working rule and
# authorize a garbage cidr, which locks us out of our own systems
if ! [[ "${WAN}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
	echo "could not determine current ip (got '${WAN}'), leaving the security group alone"
	exit 1
fi
 
# first we check for existing file
if [ -f "${HOMEDIR}/.amazonip" ]; then
	# if it exists, we create a backup for comparison
	cp "${HOMEDIR}/.amazonip" "${HOMEDIR}/.amazonip.old"
	# and populate the new file
	echo "${WAN}" > "${HOMEDIR}/.amazonip"
 
	# here we need to check if the files differ
	if diff -q "${HOMEDIR}/.amazonip" "${HOMEDIR}/.amazonip.old" >/dev/null; then
		echo "no update required"
		exit 0
	fi
 
	echo "update required....stand by"
	# here we get the value to revoke
	REVOKE=$(cat "${HOMEDIR}/.amazonip.old")
	# and the new ip to allow
	NEWIP=$(cat "${HOMEDIR}/.amazonip")
	# authorize the new ip first and only revoke the old one once that succeeded,
	# so a failed api call never leaves us with no rule at all
	if aws ec2 authorize-security-group-ingress --group-name "${SEC_GROUP}" --protocol tcp --port "${PORT}" --cidr "${NEWIP}/32"; then
		aws ec2 revoke-security-group-ingress --group-name "${SEC_GROUP}" --protocol tcp --port "${PORT}" --cidr "${REVOKE}/32"
	else
		echo "authorize failed, keeping the old rule for ${REVOKE} in place"
		# put the old ip back in the state file so the next run retries
		cp "${HOMEDIR}/.amazonip.old" "${HOMEDIR}/.amazonip"
		exit 1
	fi
else
 
	# our file didn't exist, so it must be a new system, so let's set it up
	# create the file
	echo "${WAN}" > "${HOMEDIR}/.amazonip"
	# set the variable so we can add the ip to the systems security group
	NEWIP=$(cat "${HOMEDIR}/.amazonip")
	# and set the new ip address for ssh access
	aws ec2 authorize-security-group-ingress --group-name "${SEC_GROUP}" --protocol tcp --port "${PORT}" --cidr "${NEWIP}/32"
fi

Finally, copy the above somewhere and make it executable with chmod +x.  Set up a cron job to run it as often as you need.

One Response to “Automatically Changing Dynamic IP’s in AWS Security Group”

1. […] is somewhat related to updating amazon group resource ip’s for dynamic ip addresses except it is a different concept.  How many times have you been on the road and needed to access […]