A script for syncing Pingdom probe IPv4 addresses to AWS security groups.

Sync Pingdom probe IPs to AWS security groups

A script for synchronizing AWS security group ingress rules with the published list of Pingdom probe IPv4 addresses. This script is inspired by and an alternative to the following projects:

Advantages of this script over either or both of the scripts listed above:

  • It is not affected by the AWS limit of 50 ingress rules per SG, as multiple security groups may (and should!) be provided.
  • It does not unnecessarily modify the security groups upon repeated invocations.
  • It drops obsolete ingress rules.

Usage

By default, the script adds a TCP port 80 ingress rule for each Pingdom probe IP. It modifies only the security groups listed on the command line. For all supported options, run the script with --help:

$ ./sync-pingdom-ec2-security-groups.py --help
usage: sync-pingdom-ec2-security-groups.py [-h] [--profile PROFILE]
                                           [--region REGION]
                                           [--whitelist WHITELIST]
                                           [--protocol {icmp,tcp,udp}]
                                           [--from-port FROM_PORT]
                                           [--to-port TO_PORT]
                                           security-group [security-group ...]

positional arguments:
  security-group        One of the security groups to be updated

optional arguments:
  -h, --help            show this help message and exit
  --profile PROFILE     The AWS config profile to use; defaults to the default
                        profile
  --region REGION       The AWS region where the security groups are located;
                        defaults to the environment's default region
  --whitelist WHITELIST
                        The URL at which the IP whitelist is located; must
                        contain one one IP per line
  --protocol {icmp,tcp,udp}
                        The protocol used by the Pingdom probe
  --from-port FROM_PORT
                        The lowest port on which Pingdom probes
  --to-port TO_PORT     The highest port on which Pingdom probes

Note that your environment must be configured to provide valid AWS credentials. See the Boto documentation or the AWS CLI documentation for instructions on how to set this up.

Example invocation

The following run shows the effect of synchronizing a set of three security groups (with anonymized IDs) after Pingdom abandoned four IPs since the script was last run:

$ ./sync-pingdom-ec2-security-groups.py sg-12345678 sg-23456789 sg-34567890
Dropping from SG sg-12345678: Permission tcp:78.31.69.179/32:80-80
Dropping from SG sg-12345678: Permission tcp:76.72.171.180/32:80-80
Dropping from SG sg-12345678: Permission tcp:158.58.173.160/32:80-80
Dropping from SG sg-12345678: Permission tcp:72.46.140.186/32:80-80
Adding to SG sg-12345678: Permission tcp:54.70.202.58/32:80-80
Adding to SG sg-12345678: Permission tcp:52.197.224.235/32:80-80
Adding to SG sg-12345678: Permission tcp:52.63.164.147/32:80-80
Adding to SG sg-12345678: Permission tcp:23.111.152.74/32:80-80
Dropping from SG sg-23456789: Permission tcp:54.70.202.58/32:80-80
Dropping from SG sg-23456789: Permission tcp:52.197.224.235/32:80-80
Dropping from SG sg-23456789: Permission tcp:52.63.164.147/32:80-80
Dropping from SG sg-23456789: Permission tcp:23.111.152.74/32:80-80
Adding to SG sg-23456789: Permission tcp:52.63.142.2/32:80-80
Adding to SG sg-23456789: Permission tcp:52.209.34.226/32:80-80
Adding to SG sg-23456789: Permission tcp:178.255.154.2/32:80-80
Adding to SG sg-23456789: Permission tcp:54.68.48.199/32:80-80
Dropping from SG sg-34567890: Permission tcp:52.63.142.2/32:80-80
Dropping from SG sg-34567890: Permission tcp:52.209.34.226/32:80-80
Dropping from SG sg-34567890: Permission tcp:178.255.154.2/32:80-80
Dropping from SG sg-34567890: Permission tcp:54.68.48.199/32:80-80
SUCCESS

Running the script once more does not further modify the security groups:

$ ./sync-pingdom-ec2-security-groups.py sg-12345678 sg-23456789 sg-34567890
SUCCESS
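
The three properties listed under the advantages above (spreading rules over several groups under the 50-rule limit, changing nothing on a repeat run, dropping obsolete rules) can be sketched as a small planner. This is an added example, not the script's own code, and its keep-in-place placement strategy is an assumption that may differ from how the script distributes addresses. The names `parse_whitelist`, `plan_sync` and `apply_plan`, the group IDs and the sample addresses are constructed for illustration.

```python
import ipaddress

MAX_RULES_PER_SG = 50  # per-group ingress rule limit cited in the README


def parse_whitelist(text):
    """Parse one-IPv4-address-per-line text into /32 CIDRs; ValueError otherwise."""
    cidrs = set()
    for line in text.splitlines():
        if line.strip():
            # IPv4Address rejects ranges such as 0.0.0.0/0, hostnames and IPv6,
            # so a tampered or malformed list cannot widen the ingress rules.
            cidrs.add(f"{ipaddress.IPv4Address(line.strip())}/32")
    return cidrs


def plan_sync(current, wanted, limit=MAX_RULES_PER_SG):
    """current: {sg_id: set of CIDRs}, wanted: set of CIDRs.
    Returns {sg_id: (to_revoke, to_add)}; both sets are empty when in sync."""
    plan, placed = {}, set()
    for sg in sorted(current):
        keep = (current[sg] & wanted) - placed  # obsolete and duplicate rules go
        plan[sg] = (current[sg] - keep, set())
        placed |= keep
    missing = sorted(wanted - placed, key=ipaddress.IPv4Network)
    for sg in sorted(current):
        kept = len(current[sg]) - len(plan[sg][0])
        free = max(0, limit - kept)
        plan[sg][1].update(missing[:free])
        missing = missing[free:]
    if missing:
        raise RuntimeError(f"{len(missing)} addresses do not fit; add security groups")
    return plan


def apply_plan(current, plan):
    """Return the group contents after the plan is applied (no AWS calls made)."""
    return {sg: (current[sg] - plan[sg][0]) | plan[sg][1] for sg in current}


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, placeholder group IDs.
    groups = {"sg-aaaa": {"192.0.2.1/32", "192.0.2.9/32"}, "sg-bbbb": {"192.0.2.2/32"}}
    wanted = parse_whitelist("192.0.2.1\n192.0.2.2\n192.0.2.3\n192.0.2.4\n")
    first = plan_sync(groups, wanted, limit=2)
    print(first)
    print(plan_sync(apply_plan(groups, first), wanted, limit=2))  # no changes
```

Rejecting anything that is not a single IPv4 address matters because the whitelist is fetched from a URL and each line becomes an ingress rule.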

Contributing

Contributions are welcome! Feel free to file an issue or open a pull request.
