Skip to content
This ansible role gets information from an AWS VPC and generate a graphical representation of security groups
Branch: master
Clone or download
jeanlouisferey Merge pull request #3 from AndyO91/master
No error is displayed when Graphviz is installed
Latest commit 87661ee Dec 20, 2018

README.md

aws-securitygroup-grapher

This ansible role gets information from an aws VPC and generate a graphical representation of security groups through a dot file rendered by Graphviz.

This role is inspired by https://github.com/jeanlouisferey/openstack-securitygroup-grapher which do the same for Openstack Tenants.

Requirements

Ansible, of course, because it's an Ansible role.

Boto library needs to be installed, as that is required by the EC2 Ansible modules.

To render (i.e. to draw and obtain a graphic file), Graphviz needs to be installed.

Role Variables

Variable Content
asggrapherAwsRegion Name of aws region where your VPC is deployed. (mandatory)
asggrapherAwsVPC Name of your VPC. (mandatory)
asggrapherShowDefault Do you want to see default security group, default value: false
asggrapherShowInstances Do you want to see instances with their security groups, default value: false
asggrapherServerLabel Label for instances, used when asggrapherShowInstances = true, default value: Servers
asggrapherRankdir See https://www.graphviz.org/doc/info/attrs.html#d:rankdir, default value: LR
asggrapherDotFileToRender Path and name of generated dot file , default value: "./awsCloudGrapher.dot"
asggrapherFileToRender Path and name of generated image file, default value: "./awsCloudGrapher.png"

Example Playbook

aws-sg-grapher.yml:

---
  - name: AWS Security group grapher
    hosts: localhost
    connection: local
    gather_facts: false
    roles:
      - role: aws-securitygroup-grapher
        asggrapherAwsRegion: "eu-west-1"
        asggrapherAwsVPC: "TEST-VPC"

Run it with:

ansible-playbook aws-sg-grapher.yml

After some time, you'll have a awsCloudGrapher.png file with your sg graph.

Examples of generated images

How to read the graph

Ellipses are security groups.

The red arrows represent egress flows: for example, the UDP stream 53 is authorized as output of SG-VPC-INTERNAL to 10.xxx.yyy.zza.

The blue arrows represent ingress flows: for example, tcp stream 443 is allowed as input of SG-VPC-LB from any (0.0.0.0/0)

The arrow head is always on the security group which contains the rule represented by the arrow.

Full example

It shows a tenant with several security groups corresponding to the different functions of the machines present in the project.

Example

Simpler example

It shows in particular a SG that accepts any input from any source and a SG that allows any output to any destination.

Example

asggrapherShowDefault

With asggrapherShowDefault: true, you'll have on your graph all the SGs, included the default AWS SG:

Example

asggrapherShowInstances

With asggrapherShowInstances: true, you'll have on your graph all the instances (VM) within SGs used by these instances.

Example

asggrapherRankdir

With asggrapherRankdir: LR, left to right, RL, right to left, TB, top to bottom, BT, bottom to top, you can change the way to draw the graph.

LR example

Example

TB example

Example

Author Information

Jean-Louis FEREY

You can’t perform that action at this time.