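#!/usr/bin/env python
# Authored by Chad Smith on 3/10/2015
# please feel free to contact me at arpcefxl@gmail.com with comments or questions
# assumes you have already run aws configure or are running in an ec2 role
"""Delete an EC2 security group after removing everything that blocks the delete.

Usage: <script> REGION GROUP_NAME

Steps, in order:
  1. revoke every ingress rule on the target group (CIDR and group grants),
  2. revoke every ingress and egress rule in the account's other groups that
     references the target group (such references make the delete fail with
     DependencyViolation),
  3. delete the group.

Every revocation is printed before it is issued. The changes are
irreversible and there is no confirmation prompt. A group name that matches
more than one group in the region (names are only unique per VPC) is
treated as an error rather than silently picking the first match.
"""
from __future__ import print_function

import sys

import boto.ec2


def _usage_error(message):
    """Print *message* and the usage line to stderr, then exit with status 2."""
    print(message, file=sys.stderr)
    print("usage: %s REGION GROUP_NAME" % sys.argv[0], file=sys.stderr)
    sys.exit(2)


def _source_kwargs(grant):
    """Return the revoke_security_group() keyword arguments identifying *grant*'s source.

    A grant is either a CIDR block or a reference to another security group.
    The classic ELB pseudo group is owned by the 'amazon-elb' account, so its
    owner id must be sent explicitly. Other group references are identified
    by group id where one is present: VPC grants often carry only an id
    (``name`` is None), and a bare name is only unique within one VPC. The
    grant's owner id is passed along so cross-account references match.
    """
    if grant.cidr_ip:
        return {"cidr_ip": grant.cidr_ip}
    if grant.name == "amazon-elb-sg":
        return {
            "src_security_group_group_id": grant.group_id,
            "src_security_group_owner_id": "amazon-elb",
        }
    if grant.group_id:
        return {
            "src_security_group_group_id": grant.group_id,
            "src_security_group_owner_id": grant.owner_id,
        }
    # EC2-Classic style grant carrying a name only: keep the name-based call.
    return {"src_security_group_name": grant.name}


def _describe(grant):
    """Return a printable identifier for *grant*'s source (CIDR, name or id)."""
    return grant.cidr_ip or grant.name or grant.group_id


def _revoke_own_ingress(conn, group):
    """Revoke every ingress rule defined on *group* itself.

    Args:
        conn: an ``boto.ec2`` connection.
        group: the ``SecurityGroup`` about to be deleted.
    """
    for rule in group.rules:
        for grant in rule.grants:
            if grant.cidr_ip:
                print("revoking ingress rule with source as cidr_ip")
            elif grant.name == "amazon-elb-sg":
                print("revoking ingress rule with ELB as security group")
            else:
                print("revoking ingress rule with source as security group")
            print(group.name, rule.ip_protocol, rule.from_port, rule.to_port,
                  _describe(grant))
            # Address the group by id, not name: names are ambiguous across VPCs.
            conn.revoke_security_group(
                group_id=group.id,
                ip_protocol=rule.ip_protocol,
                from_port=rule.from_port,
                to_port=rule.to_port,
                **_source_kwargs(grant))


def _references_group(grant, group):
    """Return True if *grant* points at *group* (by id, or by name when no id is present)."""
    if grant.cidr_ip:
        return False
    if grant.group_id:
        return grant.group_id == group.id
    return grant.name == group.name


def _revoke_references(conn, groups, group):
    """Revoke rules in *groups* whose source or destination is *group*.

    Both ingress and egress rules are covered, since either kind blocks the
    delete. *group* itself is skipped: its own rules were already revoked,
    and *groups* is a snapshot taken before that, so revoking a
    self-reference a second time would fail with InvalidPermission.NotFound.

    Args:
        conn: an ``boto.ec2`` connection.
        groups: every ``SecurityGroup`` in the region.
        group: the ``SecurityGroup`` about to be deleted.
    """
    for other in groups:
        if other.id == group.id:
            continue
        for rule in other.rules:
            for grant in rule.grants:
                if not _references_group(grant, group):
                    continue
                print("revoking ingress rule where source is the security group to be deleted")
                print(other.name, rule.ip_protocol, rule.from_port, rule.to_port,
                      _describe(grant))
                conn.revoke_security_group(
                    group_id=other.id,
                    ip_protocol=rule.ip_protocol,
                    from_port=rule.from_port,
                    to_port=rule.to_port,
                    src_security_group_group_id=group.id)
        for rule in other.rules_egress:
            for grant in rule.grants:
                if not _references_group(grant, group):
                    continue
                print("revoking egress rule where destination is the security group to be deleted")
                print(other.name, rule.ip_protocol, rule.from_port, rule.to_port,
                      _describe(grant))
                conn.revoke_security_group_egress(
                    other.id,
                    rule.ip_protocol,
                    from_port=rule.from_port,
                    to_port=rule.to_port,
                    src_group_id=group.id)


def main(argv):
    """Run the teardown; *argv* is ``[REGION, GROUP_NAME]`` (``sys.argv[1:]``).

    Exits with status 2 on a usage error and 1 when the group cannot be
    resolved to exactly one security group.
    """
    if len(argv) != 2:
        _usage_error("expected exactly two arguments")
    region, secgroup = argv

    conn = boto.ec2.connect_to_region(region)
    if conn is None:
        # boto returns None rather than raising for a region it does not know.
        _usage_error("unknown region: %s" % region)

    allgroups = conn.get_all_security_groups()
    mygroup = conn.get_all_security_groups(groupnames=[secgroup])
    if not mygroup:
        print("security group not found: %s" % secgroup, file=sys.stderr)
        sys.exit(1)
    if len(mygroup) > 1:
        # Same name in several VPCs; refuse to guess which one to destroy.
        print("ambiguous group name %s, matches: %s"
              % (secgroup, ", ".join(g.id for g in mygroup)), file=sys.stderr)
        sys.exit(1)
    group = mygroup[0]

    _revoke_own_ingress(conn, group)
    # handle cases where the security group is referred to by other security groups
    _revoke_references(conn, allgroups, group)
    # delete the security group itself
    print("deleting security group")
    conn.delete_security_group(group_id=group.id)


if __name__ == "__main__":
    main(sys.argv[1:])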