Working with Amazon EC2 Security Groups - AWS SDK for Ruby

Working with Amazon EC2 Security Groups

The following example:

  1. Creates an Amazon EC2 security group.

  2. Adds inbound rules to the security group.

  3. Displays information about available security groups.

  4. Deletes the security group.

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX - License - Identifier: Apache - 2.0 # This code example does the following: # 1. Creates an Amazon Elastic Compute Cloud (Amazon EC2) security group. # 2. Adds inbound rules to the security group. # 3. Displays information about available security groups. # 4. Deletes the security group. require 'aws-sdk-ec2' # Creates an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Prerequisites: # # - A VPC in Amazon Virtual Private Cloud (Amazon VPC). # # @param ec2_client [Aws::EC2::Client] An initialized # Amazon EC2 client. # @param group_name [String] A name for the security group. # @param description [String] A description for the security group. # @param vpc_id [String] The ID of the VPC for the security group. # @return [String] The ID of security group that was created. # @example # puts create_security_group( # Aws::EC2::Client.new(region: 'us-east-1'), # 'my-security-group', # 'This is my security group.', # 'vpc-6713dfEX' # ) def create_security_group( ec2_client, group_name, description, vpc_id ) security_group = ec2_client.create_security_group( group_name: group_name, description: description, vpc_id: vpc_id ) puts "Created security group '#{group_name}' with ID " \ "'#{security_group.group_id}' in VPC with ID '#{vpc_id}'." return security_group.group_id rescue StandardError => e puts "Error creating security group: #{e.message}" return 'Error' end # Adds an inbound rule to an Amazon Elastic Compute Cloud (Amazon EC2) # security group. # # Prerequisites: # # - The security group. # # @param ec2_client [Aws::EC2::Client] An initialized Amazon EC2 client. # @param security_group_id [String] The ID of the security group. # @param ip_protocol [String] The network protocol for the inbound rule. # @param from_port [String] The originating port for the inbound rule. # @param to_port [String] The destination port for the inbound rule. # @param cidr_ip_range [String] The CIDR IP range for the inbound rule. # @return # @example # exit 1 unless security_group_ingress_authorized?( # Aws::EC2::Client.new(region: 'us-east-1'), # 'sg-030a858e078f1b9EX', # 'tcp', # '80', # '80', # '0.0.0.0/0' # ) def security_group_ingress_authorized?( ec2_client, security_group_id, ip_protocol, from_port, to_port, cidr_ip_range ) ec2_client.authorize_security_group_ingress( group_id: security_group_id, ip_permissions: [ { ip_protocol: ip_protocol, from_port: from_port, to_port: to_port, ip_ranges: [ { cidr_ip: cidr_ip_range } ] } ] ) puts "Added inbound rule to security group '#{security_group_id}' for protocol " \ "'#{ip_protocol}' from port '#{from_port}' to port '#{to_port}' " \ "with CIDR IP range '#{cidr_ip_range}'." return true rescue StandardError => e puts "Error adding inbound rule to security group: #{e.message}" return false end # Displays information about a security group's IP permissions set in # Amazon Elastic Compute Cloud (Amazon EC2). # # Prerequisites: # # - A security group with inbound rules, outbound rules, or both. # # @param p [Aws::EC2::Types::IpPermission] The IP permissions set. # @example # ec2_client = Aws::EC2::Client.new(region: 'us-east-1') # response = ec2_client.describe_security_groups # unless sg.ip_permissions.empty? # describe_security_group_permissions( # response.security_groups[0].ip_permissions[0] # ) # end def describe_security_group_permissions(perm) print " Protocol: #{perm.ip_protocol == '-1' ? 'All' : perm.ip_protocol}" unless perm.from_port.nil? if perm.from_port == '-1' || perm.from_port == -1 print ', From: All' else print ", From: #{perm.from_port}" end end unless perm.to_port.nil? if perm.to_port == '-1' || perm.to_port == -1 print ', To: All' else print ", To: #{perm.to_port}" end end if perm.key?(:ipv_6_ranges) && perm.ipv_6_ranges.count.positive? print ", CIDR IPv6: #{perm.ipv_6_ranges[0].cidr_ipv_6}" end if perm.key?(:ip_ranges) && perm.ip_ranges.count.positive? print ", CIDR IPv4: #{perm.ip_ranges[0].cidr_ip}" end print "\n" end # Displays information about available security groups in # Amazon Elastic Compute Cloud (Amazon EC2). # # @param ec2_client [Aws::EC2::Client] An initialized Amazon EC2 client. # @example # describe_security_groups(Aws::EC2::Client.new(region: 'us-east-1')) def describe_security_groups(ec2_client) response = ec2_client.describe_security_groups if response.security_groups.count.positive? response.security_groups.each do |sg| puts '-' * (sg.group_name.length + 13) puts "Name: #{sg.group_name}" puts "Description: #{sg.description}" puts "Group ID: #{sg.group_id}" puts "Owner ID: #{sg.owner_id}" puts "VPC ID: #{sg.vpc_id}" if sg.tags.count.positive? puts 'Tags:' sg.tags.each do |tag| puts " Key: #{tag.key}, Value: #{tag.value}" end end unless sg.ip_permissions.empty? puts 'Inbound rules:' if sg.ip_permissions.count.positive? sg.ip_permissions.each do |p| describe_security_group_permissions(p) end end unless sg.ip_permissions_egress.empty? puts 'Outbound rules:' if sg.ip_permissions.count.positive? sg.ip_permissions_egress.each do |p| describe_security_group_permissions(p) end end end else puts 'No security groups found.' end rescue StandardError => e puts "Error getting information about security groups: #{e.message}" end # Deletes an Amazon Elastic Compute Cloud (Amazon EC2) # security group. # # Prerequisites: # # - The security group. # # @param ec2_client [Aws::EC2::Client] An initialized # Amazon EC2 client. # @param security_group_id [String] The ID of the security group to delete. # @return [Boolean] true if the security group was deleted; otherwise, false. # @example # exit 1 unless security_group_deleted?( # Aws::EC2::Client.new(region: 'us-east-1'), # 'sg-030a858e078f1b9EX' # ) def security_group_deleted?(ec2_client, security_group_id) ec2_client.delete_security_group(group_id: security_group_id) puts "Deleted security group '#{security_group_id}'." return true rescue StandardError => e puts "Error deleting security group: #{e.message}" return false end # Full example call: def run_me group_name = '' description = '' vpc_id = '' ip_protocol_http = '' from_port_http = '' to_port_http = '' cidr_ip_range_http = '' ip_protocol_ssh = '' from_port_ssh = '' to_port_ssh = '' cidr_ip_range_ssh = '' region = '' # Print usage information and then stop. if ARGV[0] == '--help' || ARGV[0] == '-h' puts 'Usage: ruby ec2-ruby-example-security-group.rb ' \ 'GROUP_NAME DESCRIPTION VPC_ID IP_PROTOCOL_1 FROM_PORT_1 TO_PORT_1 ' \ 'CIDR_IP_RANGE_1 IP_PROTOCOL_2 FROM_PORT_2 TO_PORT_2 ' \ 'CIDR_IP_RANGE_2 REGION' puts 'Example: ruby ec2-ruby-example-security-group.rb ' \ 'my-security-group \'This is my security group.\' vpc-6713dfEX ' \ 'tcp 80 80 \'0.0.0.0/0\' tcp 22 22 \'0.0.0.0/0\' us-east-1' exit 1 # If no values are specified at the command prompt, use these default values. elsif ARGV.count.zero? group_name = 'my-security-group' description = 'This is my security group.' vpc_id = 'vpc-6713dfEX' ip_protocol_http = 'tcp' from_port_http = '80' to_port_http = '80' cidr_ip_range_http = '0.0.0.0/0' ip_protocol_ssh = 'tcp' from_port_ssh = '22' to_port_ssh = '22' cidr_ip_range_ssh = '0.0.0.0/0' region = 'us-east-1' # Otherwise, use the values as specified at the command prompt. else group_name = ARGV[0] description = ARGV[1] vpc_id = ARGV[2] ip_protocol_http = ARGV[3] from_port_http = ARGV[4] to_port_http = ARGV[5] cidr_ip_range_http = ARGV[6] ip_protocol_ssh = ARGV[7] from_port_ssh = ARGV[8] to_port_ssh = ARGV[9] cidr_ip_range_ssh = ARGV[10] region = ARGV[11] end security_group_id = '' security_group_exists = false ec2_client = Aws::EC2::Client.new(region: region) puts 'Attempting to create security group...' security_group_id = create_security_group( ec2_client, group_name, description, vpc_id ) if security_group_id == 'Error' puts 'Could not create security group. Skipping this step.' else security_group_exists = true end if security_group_exists puts 'Attempting to add inbound rules to security group...' unless security_group_ingress_authorized?( ec2_client, security_group_id, ip_protocol_http, from_port_http, to_port_http, cidr_ip_range_http ) puts 'Could not add inbound HTTP rule to security group. ' \ 'Skipping this step.' end unless security_group_ingress_authorized?( ec2_client, security_group_id, ip_protocol_ssh, from_port_ssh, to_port_ssh, cidr_ip_range_ssh ) puts 'Could not add inbound SSH rule to security group. ' \ 'Skipping this step.' end end puts "\nInformation about available security groups:" describe_security_groups(ec2_client) if security_group_exists puts "\nAttempting to delete security group..." unless security_group_deleted?(ec2_client, security_group_id) puts 'Could not delete security group. You must delete it yourself.' end end end run_me if $PROGRAM_NAME == __FILE__