Create/Update AWS Network/Group Objects for Public IP Space (R77.30-Below)

Document created by Adam Forester (Employee) on Jun 26, 2017. Last modified by Adam Forester (Employee) on Jul 11, 2017. Version 3.

Overview

The purpose of this code is to generate objects from the AWS public IP ranges published at https://ip-ranges.amazonaws.com/ip-ranges.json

The scripts were written for users of the R77 code who have to maintain AWS objects for use in rules.

 

Description

The code is to be used on systems running R77.30 and below. For the R80 code, see: Create/Update a network group object with AWS public IP addresses

There are 3 scripts contained in the attached ZIP file. They are all Bash scripts:

  • Aws-cp-obj-maker.sh - This is the main script you will execute. It automatically downloads the latest IP list from AWS.
  • Cp-grp-maker.sh - Called by the main script. It puts all the network objects into the dbedit format for a Simple Group.
  • Cp-net-maker.sh - Called by the main script. It puts all subnets into the dbedit format for network objects.

Requires curl, awk, cat, sed and jq (jq is used to parse AWS's JSON format).
The script will generate 3 dbedit files per AWS region:

  • Regionname-net-import.txt - Will create all the network objects for that region
  • Regionname-group-import.txt - Will create a simple group for that region and put all network objects for that region into the group.
  • Regionname-group-import-update.txt - This file is to be used to update groups that have already been built using the Regionname-net-import.txt script previously.

 

Instructions

Download the attached zip file.

Unzip the contents into a folder. 

The script requires curl, awk, cat, sed and jq (jq is used to parse AWS's JSON format):

  • Ubuntu - apt-get install jq
  • Mac - Use Homebrew - 'brew install jq'

Execute the script (make sure you have internet access): ./Aws-cp-obj-maker.sh

  • The script cleans up any files left over from previous imports.
  • The script calls out to AWS to download the latest IP list, parses the JSON for regions and subnets, writes them into a named file per region, and translates each mask length into dotted format. Lastly, it runs those region files through the other scripts to create the dbedit outputs.
  • Default naming convention: NETWORK objects are named aws-regionname-x.x.x.x. GROUP objects are named aws-regionname.

NOTE: The script queries Amazon subnets that include all ranges for EC2, S3 and CLOUDFRONT. If you want only one of those types, you can edit the query.

The output is 3 dbedit files per AWS region:

  • Regionname-net-import.txt - Will create all the network objects for that region
  • Regionname-group-import.txt - Will create a simple group for that region and put all network objects for that region into the group.
  • Regionname-group-import-update.txt - This file is to be used to update groups that have already been built using the Regionname-net-import.txt script previously.
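As an added example (Python, not the attached Bash scripts), this reproduces the three steps above on a constructed fragment of ip-ranges.json: select the EC2/S3/CLOUDFRONT prefixes, convert each mask length to dotted form, and emit the three dbedit files per region. It assumes the dbedit command syntax from sk30383 (create network, modify network_objects ... netmask, addelement) and the naming convention above; the exact lines the real scripts produce may differ.

```python
import ipaddress
import json
# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json (a few entries only).
SAMPLE_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "54.231.0.0/17", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "52.94.76.0/22", "region": "eu-west-1", "service": "EC2"},
]})
SERVICES = {"EC2", "S3", "CLOUDFRONT"}  # services the article's default query keeps; edit to narrow

def prefixes_by_region(raw, services=SERVICES):
    """Unique prefixes per region, restricted to the selected services."""
    out = {}
    for p in json.loads(raw)["prefixes"]:
        if p["service"] in services:
            out.setdefault(p["region"], set()).add(p["ip_prefix"])
    return {r: sorted(v, key=ipaddress.ip_network) for r, v in out.items()}

def net_import(region, prefixes):
    """Regionname-net-import.txt: one network object per prefix, mask in dotted form."""
    lines = []
    for cidr in prefixes:
        net = ipaddress.ip_network(cidr)
        name = f"aws-{region}-{net.network_address}"  # aws-regionname-x.x.x.x
        lines += [f"create network {name}",
                  f"modify network_objects {name} ipaddr {net.network_address}",
                  f"modify network_objects {name} netmask {net.netmask}",
                  f"update network_objects {name}"]
    return lines

def group_import(region, prefixes, update=False):
    """Regionname-group-import.txt, or the -update variant that skips the 'create'."""
    grp = f"aws-{region}"  # aws-regionname
    lines = [] if update else [f"create network_object_group {grp}"]
    for cidr in prefixes:
        member = f"aws-{region}-{ipaddress.ip_network(cidr).network_address}"
        lines.append(f"addelement network_objects {grp} '' network_objects:{member}")
    lines.append(f"update network_objects {grp}")
    return lines

def region_files(raw):
    """The three dbedit files per region, keyed by the file names the article uses."""
    files = {}
    for region, pfx in prefixes_by_region(raw).items():
        files[f"{region}-net-import.txt"] = "\n".join(net_import(region, pfx)) + "\n"
        files[f"{region}-group-import.txt"] = "\n".join(group_import(region, pfx)) + "\n"
        files[f"{region}-group-import-update.txt"] = "\n".join(group_import(region, pfx, True)) + "\n"
    return files
```

Feed the real download to region_files and write each value to its key to reproduce the per-region output files; the AMAZON entry in the sample shows why the service filter matters, since the same prefix appears under several services.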

 

Move both files for each region you wish to create over to your Management server. Follow the instructions in sk30383: Using a dbedit script to create new network objects and network object groups

NOTE: You must always import the NETWORK file before importing the GROUP file. 

 

You can run the NETWORK script multiple times for updates. Each time the script is run, dbedit will skip over objects that already exist. The Regionname-group-import-update.txt file is used to update group objects that have already been created.

 

Code Version

Code version 1.0.0

 

Tested on version

R77 and below DBEDIT
