cafensa.blogg.se

Untangle firewall rules ip range








# Pulls the IP ranges for a specific service (e.g. CloudFront)
def get_ranges_for_service(ranges, service):
# Splits the set of IP ranges if they need to be implemented in multiple rules instead of one
# print("generate_sourcelistinput:" + str(ranges))
# Helper function for the create and update functions for creating multiple sources in one rule if needed
# Helper function for the create and update functions for creating multiple destinations in one rule if needed
destList = ranges.split(",")
"Sources": generate_sourcelist(currentranges)
"Destinations": generate_destlist(DESTLIST),
# print("currentranges"+str(currentranges))
# print("split_ranges: "+str(split_ranges))
split_ranges = range_splitter(ranges, NRULES)
# Helper function for the create and update functions for creating multiple rules if needed
# Updates the existing rule group with the new set of IP ranges
def update_rule_group(name, ranges, updateToken):
'StatelessRules': generate_rules(ranges),
# Helper function to get the update token
descResponse = desc_rule_group(ruleGroupName)
update_rule_group(NAME, cf_ranges, updateToken)


If it exists, get the update token and update the list.
except:
ip_ranges = json.loads(get_ip_groups_json(message))
cf_ranges = get_ranges_for_service(ip_ranges, SERVICE)
# Get the updated IP ranges from the link in the SNS message
# SNS message notification event when the ip ranges document is rotated
logging.getLogger().setLevel(logging.ERROR)
if len(logging.getLogger().handlers) > 0:


NameParam = ssmClient.get_parameter(Name='RuleGroupName')
DESTLIST = ssmClient.get_parameter(Name='DestinationRanges')
client = boto3.client('network-firewall')
SERVICE = os.getenv('SERVICE', "CLOUDFRONT")
import urllib.request, urllib.error, urllib.parse
# FunctionName: !GetAtt LambdaFunction.Arn (Subscribe to arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged)
Description: Comma delimited list of IP ranges of the origins feeding CloudFront.
Description: Name of the lambda function to be created.
# Description: Please feed the ARN of the SNS subscription you've created in us-east-1 region.
If you provide an existing name, it will be OVERWRITTEN.


Description: Rule group name for the firewall rule to be created.









