I work from home a lot. My ISP used to never change IP addresses dynamically the first 3 years or so I was with them. Now they change it often (more than once a week). This creates a slower response time when I am at home, get a page, go to log in via ssh, and find out my ip has changed since we restrict our AWS environment via group policies. The times I have needed to do this are relatively few, but still its a problem if there is an emergency. Leave it to me to come up with a simple solution….
This script has few requirements. You can make copies of the script or modify it if you need to include more than one security group in which your IP address is changed. It requires the awscli package so first make sure python-pip is installed:
[codesyntax lang=”bash”]
# for redhat based systems yum -y install python-pip # for debian systems apt-get install python-pip
[/codesyntax]
Next we install awscli
[codesyntax lang=”bash”]
pip install awscli
[/codesyntax]
Finally, we configure awscli. For this part, you will need to know your aws secret key and your public key. You will also need to know your default amazon zone.
[codesyntax lang=”bash”]
aws configure
[/codesyntax]
Example output is below…….and no, those are not valid keys
[codesyntax lang=”bash”]
AWS Access Key ID [None]: AAAABBBBCCCCDDDDEEEE AWS Secret Access Key [None]: aaaabbbb111112222ccccddddd33334444eeeefff Default region name [None]: us-east-1 Default output format [None]: json
[/codesyntax]
After you have the above done, you can now validate it works.
[codesyntax lang=”bash”]
aws ec2 describe-regions
[/codesyntax]
You should get output like…..
[codesyntax lang=”bash”]
$ aws ec2 describe-regions
{
"Regions": [
{
"Endpoint": "ec2.eu-west-1.amazonaws.com",
"RegionName": "eu-west-1"
},
{
"Endpoint": "ec2.sa-east-1.amazonaws.com",
"RegionName": "sa-east-1"
},
{
"Endpoint": "ec2.us-east-1.amazonaws.com",
"RegionName": "us-east-1"
},
{
"Endpoint": "ec2.ap-northeast-1.amazonaws.com",
"RegionName": "ap-northeast-1"
},
{
"Endpoint": "ec2.us-west-2.amazonaws.com",
"RegionName": "us-west-2"
},
{
"Endpoint": "ec2.us-west-1.amazonaws.com",
"RegionName": "us-west-1"
},
{
"Endpoint": "ec2.ap-southeast-1.amazonaws.com",
"RegionName": "ap-southeast-1"
},
{
"Endpoint": "ec2.ap-southeast-2.amazonaws.com",
"RegionName": "ap-southeast-2"
}
]
}
[/codesyntax]
Finally, below is the script I created which will update your ip address in the security group you specify. It is currently set up to change it for port 22 only. If you have more than one group or more than one port, you will need to modify the script to support that….or simply copy the script to a new name to support however many groups and ports you need.
[codesyntax lang=”bash”]
#!/bin/bash
# By Ed Wiget
# This is run via cron whenever my ip address changes in order to update aws security group
# 20131120 - original script
############################################################################################################################################
# example add: aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr 203.0.113.0/24
# example revoke: aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr 203.0.113.0/24
#############################################################################################################################################
##### VARIABLES TO SET ##########################
# set our home directory which holds our ip file
HOMEDIR=/home/my_username
# set the name of the security group as show in aws console
SEC_GROUP=mysecuritygroup
##### END VARIABLES TO SET ######################
# here we check for the aws binary and if it dont exist we bail cause sysadmin silly to try to run this script
which aws
if [ $? = 0 ]; then
echo "wooohooooo"
else
echo "silly rabbit, sysadmin ain't for kids"
exit 1
fi
# first we check for existing file
if [ -f ${HOMEDIR}/.amazonip ]; then
# if it exists, we create a backup for comparison
cp ${HOMEDIR}/.amazonip ${HOMEDIR}/.amazonip.old
# then grab the current ip
WAN=`curl -s http://www.edwiget.name/ip.php`
# and populate the new file
echo ${WAN} > ${HOMEDIR}/.amazonip
# here we need to check if the files differ
diff ${HOMEDIR}/.amazonip ${HOMEDIR}/.amazonip.old
if [ $? = 0 ]; then
echo "no update required"
exit 1
else
echo "update required....stand by"
# here we get the value to revoke
REVOKE=`cat ${HOMEDIR}/.amazonip.old`
# then revoke the old ip
aws ec2 revoke-security-group-ingress --group-name ${SEC_GROUP} --protocol tcp --port 22 --cidr ${REVOKE}/32
# next we set the new ip to allow ssh access
NEWIP=`cat ${HOMEDIR}/.amazonip`
# and set the new ip address for ssh access
aws ec2 authorize-security-group-ingress --group-name ${SEC_GROUP} --protocol tcp --port 22 --cidr ${NEWIP}/32
fi
else
# our file didnt exist, so it must be a new system, so lets set it up
# get the ip
WAN=`curl -s http://www.edwiget.name/ip.php`
# create the file
echo ${WAN} > ${HOMEDIR}/.amazonip
# set the variable so we can add the ip to the systems security group
NEWIP=`cat ${HOMEDIR}/.amazonip`
# and set the new ip address for ssh access
aws ec2 authorize-security-group-ingress --group-name ${SEC_GROUP} --protocol tcp --port 22 --cidr ${NEWIP}/32
fi
[/codesyntax]
Finally, copy the above somewhere and make it executable, chmod +x. Set up a cron job to run it as often as you need,
Leave a Reply
You must be logged in to post a comment.