If you ever need to take over management of an AWS farm, it’s very likely you will need to attach SG to all instances. Be that for monitoring or access. Here is a bash script to add 1 SG to all instances.
You will need to first setup a profile on awscli. Then run the script with the profile name as first argument, and the SG id as the second.
Note: The script will not work on instances with multiple NICs
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
#!/usr/bin/env bash # # script to add 1 SG to all instances. # this scripts takes 2 arguments, first is the aws profile name, second is the SG to add. # e.g. ./add-sg.sh acme sg-1234567 # # you will need awscli for this script to work, and an aws profile # associated with an IAM user with the AmazonEC2FullAccess policy export AWSPROFILE=$1 export ADDSG=$2 doit() { echo "Checking $1..." SG=$(aws --profile=$AWSPROFILE ec2 describe-instances --instance-ids $1 --output json | jq ".[][].Instances[].SecurityGroups[].GroupId" -r | xargs) echo "Existing SGs: $SG" if [[ $SG == *$ADDSG* ]]; then echo "$ADDSG already associated, do nothing" else aws --profile=$AWSPROFILE ec2 modify-instance-attribute --dry-run --instance-id $1 --groups $SG $ADDSG echo "New SGs: $(aws --profile=$AWSPROFILE ec2 describe-instances --instance-ids $1 --output json | jq ".[][].Instances[].SecurityGroups[].GroupId" -r | xargs)" fi } export -f doit aws --profile=$AWSPROFILE ec2 describe-instances --output json \ | jq ".[][].Instances[].InstanceId" -r | parallel -j10 doit |
