A story about creating a CLI tool to edit AWS security groups using Golang
My name is Teraoka and I am an infrastructure engineer.
This time I will talk about creating a CLI tool in Golang.
It is called "goacl", and I would like to introduce what it does.
1. What is goacl?
goacl is a CLI tool written in Golang that displays a list of AWS security groups and adds rules to specific groups.
Currently it only supports listing and adding rules, but
we plan to add functionality for deleting unnecessary rules.
2. Reason for creating it
There are two reasons: an internal one and a personal one.
Internal reasons
In short, the reason is that the office's fixed IP address will change in the future.
To improve the quality of our internal network, we
decided to change the line itself, but
then what should we do about allowing access from the new IP address?
Since our main business is MSP, we
are in charge of AWS accounts for many customers.
Every time the IP address changes, the permission settings for all of those accounts have to be reviewed, and
there are limits to adding permission settings by hand.
This is where goacl comes in.
Personal reasons
I've always wanted to be able to write Golang, and I thought this
would be a good way to improve my work efficiency as well as to learn something for myself.
Golang
is also used in HashiCorp products such as Terraform, and in Kubernetes, so
I think there are plenty of benefits for infrastructure engineers in learning it.
3. goacl usage and logic
Since it is a CLI tool, it can be executed from the command line.
Usage
You can check the usage by simply typing goacl.

$ goacl
goacl is a CLI tool for listing AWS security groups and adding / deleting rules.

Usage:
  goacl [command]

Available Commands:
  add         Add SecurityGroup rule
  help        Help about any command
  list        List SecurityGroup info

Flags:
      --config string   config file (default is $HOME/.goacl.yaml)
  -h, --help            help for goacl
  -t, --toggle          Help message for toggle

Use "goacl [command] --help" for more information about a command.
list
You can check the list of security groups.
Use the subcommand "list" as follows.
$ goacl list --region us-west-1 --profile default
+-------------+-----------+----------+----------------+--------------+
|   GROUPID   | GROUPNAME | FROMPORT | CIDRIP/GROUPID |    VPCID     |
+-------------+-----------+----------+----------------+--------------+
| sg-XXXXXXXX | default   | -1       | sg-XXXXXXXX    | vpc-XXXXXXXX |
+-------------+-----------+----------+----------------+--------------+
Since this is a blog, the ID part is masked.
Inside goacl, aws-sdk-go is used to obtain the security group information, and
the results are output as a table.
You can specify the region to list and the profile to use
as command options. If nothing is specified, the defaults are used:
the region is "ap-northeast-1" and the profile is "default".
Cobra is used
to implement the subcommands and options. It is probably quite well known, as it is also used in the Kubernetes source code.
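To show how the list output is built from the SDK response, here is an added example that is not goacl's own code: the SDK types and the Cobra wiring are left out so it runs offline, and the local types below are a constructed mirror of the handful of fields the list command needs (assumption: the real tool works on aws-sdk-go's ec2.SecurityGroup and ec2.IpPermission directly). It flattens each permission into one row per source, exactly the rows of the table above, and aligns them with the standard library's tabwriter.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"text/tabwriter"
)

// Constructed, trimmed-down mirror of the fields read from aws-sdk-go's
// DescribeSecurityGroups response. Assumption: goacl itself uses the SDK's
// ec2.SecurityGroup / ec2.IpPermission types; these exist only so the example
// runs without the SDK.
type ipPermission struct {
	IpProtocol string   // "tcp", "udp", "icmp" or "-1" (all traffic)
	FromPort   *int64   // nil when the protocol carries no port, as for "-1"
	CidrIPs    []string // IpPermissions[].IpRanges[].CidrIp
	GroupIDs   []string // IpPermissions[].UserIdGroupPairs[].GroupId
}

type securityGroup struct {
	GroupID     string
	GroupName   string
	VpcID       string
	Permissions []ipPermission
}

// tableRow is one output line: GROUPID | GROUPNAME | FROMPORT | CIDRIP/GROUPID | VPCID.
type tableRow struct {
	GroupID, GroupName, FromPort, Source, VpcID string
}

// flattenRows turns each security group into one row per source (CIDR block or
// peer security group) per permission, the shape of the list output.
// A permission without a port (an all-traffic rule) is rendered as "-1",
// matching the -1 row in the output above.
func flattenRows(groups []securityGroup) []tableRow {
	var rows []tableRow
	for _, g := range groups {
		for _, p := range g.Permissions {
			port := "-1"
			if p.FromPort != nil {
				port = strconv.FormatInt(*p.FromPort, 10)
			}
			// CIDR sources first, then peer groups, so the output order is stable.
			sources := append(append([]string{}, p.CidrIPs...), p.GroupIDs...)
			for _, src := range sources {
				rows = append(rows, tableRow{g.GroupID, g.GroupName, port, src, g.VpcID})
			}
		}
	}
	return rows
}

// renderTable aligns the rows with text/tabwriter (assumption: the original
// tool uses a third-party table printer for the boxed layout shown above).
func renderTable(rows []tableRow) string {
	var buf bytes.Buffer
	w := tabwriter.NewWriter(&buf, 0, 0, 2, ' ', 0)
	fmt.Fprintln(w, "GROUPID\tGROUPNAME\tFROMPORT\tCIDRIP/GROUPID\tVPCID")
	for _, r := range rows {
		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", r.GroupID, r.GroupName, r.FromPort, r.Source, r.VpcID)
	}
	w.Flush()
	return buf.String()
}

// sampleGroups is constructed data matching the masked output above: the
// default group allows all traffic from itself and tcp/80 from anywhere.
func sampleGroups() []securityGroup {
	port80 := int64(80)
	return []securityGroup{{
		GroupID: "sg-XXXXXXXX", GroupName: "default", VpcID: "vpc-XXXXXXXX",
		Permissions: []ipPermission{
			{IpProtocol: "-1", GroupIDs: []string{"sg-XXXXXXXX"}},
			{IpProtocol: "tcp", FromPort: &port80, CidrIPs: []string{"0.0.0.0/0"}},
		},
	}}
}

func main() {
	fmt.Print(renderTable(flattenRows(sampleGroups())))
}
```

In the real tool the slice passed to flattenRows would be built from DescribeSecurityGroups after dereferencing the SDK's pointer fields; the one-row-per-source expansion is what makes a single permission with several CIDRs show up as several lines.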
add
You can add rules to specific security groups.
When executing the add command, a configuration file written in yaml is required.
rules:
  - groupid: sg-XXXXXXXX
    fromport: 80
    toport: 80
    ipprotocol: tcp
    ipranges:
      - 0.0.0.0/0
  - groupid: sg-XXXXXXXX
    fromport: 443
    toport: 443
    ipprotocol: tcp
    ipranges:
      - 0.0.0.0/0

To open ports 80 and 443, the configuration looks like the above.
ipranges holds the IP address ranges to allow, and
multiple entries can be given in this field.
Let's try it out.
$ goacl add --region us-west-1 --profile default --config config.yaml
$ goacl list --region us-west-1 --profile default
+-------------+-----------+----------+----------------+--------------+
|   GROUPID   | GROUPNAME | FROMPORT | CIDRIP/GROUPID |    VPCID     |
+-------------+-----------+----------+----------------+--------------+
| sg-XXXXXXXX | default   | 80       | 0.0.0.0/0      | vpc-XXXXXXXX |
+             +           +----------+----------------+              +
|             |           | -1       | sg-XXXXXXXX    |              |
+             +           +----------+----------------+              +
|             |           | 443      | 0.0.0.0/0      |              |
+-------------+-----------+----------+----------------+--------------+

You can specify the configuration file with the "--config" option.
The other options are the same as for the list command.
If you run the list command after the add command, you can confirm that the rules have been added.
The logic uses viper.
Define a structure in the Go code that matches the yaml structure,
read the configuration file, and call viper.Unmarshal to
store the values written in the yaml into the structure.

// Struct tag values must be quoted. Note that viper.Unmarshal decodes through
// mapstructure, which matches these lower-case keys to the field names
// case-insensitively, so the yaml tags are not what it reads.
type Config struct {
	Rules []Rules `yaml:"rules"`
}

type Rules struct {
	GroupID    string   `yaml:"groupid"`
	FromPort   int64    `yaml:"fromport"`
	ToPort     int64    `yaml:"toport"`
	IpProtocol string   `yaml:"ipprotocol"`
	IpRanges   []string `yaml:"ipranges"`
}
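Once the config is in the structure, the rules go straight to the API. As an added example (not goacl's code) here is the check I would put between the two when the same file is about to be applied across many customer accounts: validate every rule locally first, and skip CIDRs that the group already has so a re-run of add is idempotent instead of failing with the API's InvalidPermission.Duplicate error. The Config and Rules types mirror the ones above but carry mapstructure tags, which is the key viper.Unmarshal actually decodes with; the existing rules are passed in the same Rules shape, and the sample config is constructed to match the config.yaml above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Config and Rules mirror the YAML layout of the goacl config file. viper.Unmarshal
// decodes through mapstructure, so the tags use that key (assumption: goacl's
// own structs may instead rely on mapstructure's case-insensitive matching).
type Config struct {
	Rules []Rules `mapstructure:"rules"`
}

type Rules struct {
	GroupID    string   `mapstructure:"groupid"`
	FromPort   int64    `mapstructure:"fromport"`
	ToPort     int64    `mapstructure:"toport"`
	IpProtocol string   `mapstructure:"ipprotocol"`
	IpRanges   []string `mapstructure:"ipranges"`
}

// validateRule checks a rule before it is sent to AuthorizeSecurityGroupIngress,
// so a bad config fails once, locally, rather than partway through the accounts.
func validateRule(r Rules) error {
	if !strings.HasPrefix(r.GroupID, "sg-") {
		return fmt.Errorf("rule %+v: groupid must be a security group id", r)
	}
	switch r.IpProtocol {
	case "tcp", "udp":
		if r.FromPort < 0 || r.ToPort > 65535 || r.FromPort > r.ToPort {
			return fmt.Errorf("rule for %s: bad port range %d-%d", r.GroupID, r.FromPort, r.ToPort)
		}
	case "icmp", "-1": // type/code or all traffic: no port range check
	default:
		return fmt.Errorf("rule for %s: unsupported ipprotocol %q", r.GroupID, r.IpProtocol)
	}
	if len(r.IpRanges) == 0 {
		return fmt.Errorf("rule for %s: ipranges is empty", r.GroupID)
	}
	for _, c := range r.IpRanges {
		ip, ipnet, err := net.ParseCIDR(c)
		if err != nil {
			return fmt.Errorf("rule for %s: %v", r.GroupID, err)
		}
		if !ip.Equal(ipnet.IP) { // e.g. 10.0.0.1/24: host bits set, almost always a typo
			return fmt.Errorf("rule for %s: %s has host bits set; write it as %s", r.GroupID, c, ipnet)
		}
	}
	return nil
}

// ruleKey identifies one (group, protocol, port range, cidr) entry.
func ruleKey(r Rules, cidr string) string {
	return fmt.Sprintf("%s|%s|%d|%d|%s", r.GroupID, r.IpProtocol, r.FromPort, r.ToPort, cidr)
}

// pendingRules validates every rule in cfg and drops the CIDRs already present
// on the group (existing, in the real tool built from DescribeSecurityGroups).
// cfg is not modified; the returned rules hold only the CIDRs still to add.
func pendingRules(cfg Config, existing []Rules) ([]Rules, error) {
	have := map[string]bool{}
	for _, e := range existing {
		for _, c := range e.IpRanges {
			have[ruleKey(e, c)] = true
		}
	}
	var out []Rules
	for _, r := range cfg.Rules { // r is a copy, so reassigning its slice is safe
		if err := validateRule(r); err != nil {
			return nil, err
		}
		var fresh []string
		for _, c := range r.IpRanges {
			if !have[ruleKey(r, c)] {
				fresh = append(fresh, c)
			}
		}
		if len(fresh) > 0 {
			r.IpRanges = fresh
			out = append(out, r)
		}
	}
	return out, nil
}

// sampleConfig is constructed to match the config.yaml shown above.
func sampleConfig() Config {
	return Config{Rules: []Rules{
		{GroupID: "sg-XXXXXXXX", FromPort: 80, ToPort: 80, IpProtocol: "tcp", IpRanges: []string{"0.0.0.0/0"}},
		{GroupID: "sg-XXXXXXXX", FromPort: 443, ToPort: 443, IpProtocol: "tcp", IpRanges: []string{"0.0.0.0/0"}},
	}}
}

func main() {
	existing := sampleConfig().Rules[:1] // pretend an earlier run already added tcp/80
	todo, err := pendingRules(sampleConfig(), existing)
	if err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	for _, r := range todo {
		fmt.Printf("authorize %s %s %d-%d from %v\n", r.GroupID, r.IpProtocol, r.FromPort, r.ToPort, r.IpRanges)
	}
}
```

Running it reports only the 443 rule as pending, because the 80 rule is already on the group. The same key function would serve the planned delete command: diff in the other direction and you get the rules that are on the group but no longer in the file.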
I had a hard time because I didn't really understand the idea of structures, but I
managed to get it to work properly (I'll study it a little more).
4. Summary
I think we will use it internally for the time being to find any bugs, but
we hope to release it as OSS in the future.
I can't delete rules yet, so I'll continue implementing that and summarize it in another blog post!