Security groups manager
Clone or download
pbenas Merge pull request #34 from gooddata/rmo
TRIVIAL: Improve error reporting
Latest commit 4025492 Mar 16, 2018


Tooling for management of security groups. Load local configuration, load remote groups and apply differences.


With PIP from Github:

pip install -e 'git://'

Or with PIP from Pypi:

pip install sgmanager

Or from local GIT checkout:

python install

Then you can run it by sgmanager command, ensure that you have python bin in your $PATH, eg: /opt/local/Library/Frameworks/Python.framework/Versions/2.7/bin

Or you can run execution script from checkouted root directory without installation:

python gdc/sgmanager


usage: sgmanager [-h] [-c CONFIG] [--dump] [--unused] [--remove-unused] [-f]
                 [-q] [-d] [--no-remove] [--no-remove-groups]
                 [-I EC2_ACCESS_KEY] [-S EC2_SECRET_KEY] [-R EC2_REGION]
                 [-U EC2_URL] [-t TIMEOUT] [-m MODE] [--insecure]
                 [--cert CERT]

Security groups management tool

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Config file to use
  --dump                Dump remote groups and exit
  --unused              Dump groups not used by any instance
  --remove-unused       Only remove groups that are not used by any instance
  -f, --force           Force action (otherwise run dry-run)
  -q, --quiet           Be quiet, print only WARN/ERROR output
  -d, --debug           Debug mode
  --no-remove           Do not remove any groups or rules, only add
  --no-remove-groups    Do not remove any groups, only add
  -I EC2_ACCESS_KEY, --ec2-access-key EC2_ACCESS_KEY
                        EC2 Access Key to use
  -S EC2_SECRET_KEY, --ec2-secret-key EC2_SECRET_KEY
                        EC2 Secret Key to use
  -R EC2_REGION, --ec2-region EC2_REGION
                        Region to use (default us-east-1)
  -U EC2_URL, --ec2-url EC2_URL
                        EC2 API URL to use (otherwise use default)
  -t TIMEOUT, --timeout TIMEOUT
                        Set socket timeout (default 120s)
  -m MODE, --mode MODE  Mode for validating group name and description
                        (default a)
  --insecure            Do not validate SSL certs
  --cert CERT           Path to CA certificates (eg. /etc/pki/cacert.pem)

First setup EC2_ACCESS_KEY and EC2_SECRET_KEY environment variables. You can also set EC2_URL to connect to custom EC2 endpoint (eg. OpenStack). Alternatively set these options from command line.

Setup is submitted by simple YAML configuration, it can be dumped from current EC2 account by running:

./bin/ --dump > conf/aws-dev.yaml

Then you can edit output yaml file and run following to see the diff:

./bin/ -c conf/aws-dev.yaml

To apply it, force run with parameter -f / --force.

To avoid removal of existing groups that aren't present in config file, use parameter --no-remove

Each configured group passes validation, group name and description shoul not exceed 255 characters.

There are several modes for string validation of both group name and description, set by -m / --mode:

  • a, ascii - only ASCII characters
  • s, strict - matches [a-zA-Z0-9_- ]
  • v, vpc - string can contain only a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

Mode depends on cloud used, for AWS EC2 -a is recommended, for AWS EC2 VPC -v and for OpenStack with ec2_strict_validation=on -s

Configuration options

  description: "SGManager testing security group"
	- port: 22
	  # tcp, udp or icmp
	  protocol: tcp
	  # IP ranges that are allowed to connect, can be list or string
	  cidr: []

	- port: 80
	  protocol: tcp
		# You can define security group from other account
		- {name: test2, owner: xyz2137}
  description: "SGManager testing security group number 2"
	- port_from: 50000
	  port_to: 50500
		- test1


  • support for VPC groups

Development status

This tool is actively maintained by GoodData.