A story about creating a CLI tool to edit AWS security groups using Golang

My name is Teraoka and I am an infrastructure engineer.

This time I will talk about creating a CLI tool in Golang.
It is called "goacl", and I would like to introduce what it does.

1. What is goacl?

goacl is a CLI tool written in Golang.

It displays a list of AWS security groups and
adds rules to specific groups.

Currently it only supports listing and adding rules, but
we plan to add functionality for deleting unnecessary rules.

2. Reason for creating it

There are two reasons: an internal one and a personal one.

Internal reasons

In short, the reason is that the office's fixed IP address is going to change.

In order to improve the quality of our internal network, we
decided to change the line itself, but
that raises the question of how to allow access from the new IP address.

As our main business is MSP, we
are in charge of AWS accounts for many customers.
Every time the IP address changes, the permission settings for all of those accounts need to be reviewed, and
there are limits to how many permission settings can be added by hand.
This is where goacl comes in.

Personal reasons

I've always wanted to be able to write Golang, and I thought it
would be a good way to improve my work efficiency as well as to learn something for myself.

Golang
is also used in HashiCorp products such as Terraform, and in Kubernetes, so
I think there are plenty of benefits for infrastructure engineers to learn it.

3. goacl usage and logic

Since it is a CLI tool, it can be executed from the command line.

Usage

You can check the usage by simply typing goacl.

$ goacl
goacl is a CLI tool for listing AWS security groups and adding / deleting rules.

Usage:
  goacl [command]

Available Commands:
  add         Add SecurityGroup rule
  help        Help about any command
  list        List SecurityGroup info

Flags:
      --config string   config file (default is $HOME/.goacl.yaml)
  -h, --help            help for goacl
  -t, --toggle          Help message for toggle

Use "goacl [command] --help" for more information about a command.

list

You can check the list of security groups
with the "list" subcommand as follows.

$ goacl list --region us-west-1 --profile default
+-------------+-----------+----------+----------------+--------------+
|   GROUPID   | GROUPNAME | FROMPORT | CIDRIP/GROUPID |    VPCID     |
+-------------+-----------+----------+----------------+--------------+
| sg-XXXXXXXX | default   |       -1 | sg-XXXXXXXX    | vpc-XXXXXXXX |
+-------------+-----------+----------+----------------+--------------+

Since this is a blog, the ID part is masked, but
inside goacl, aws-sdk-go is used to obtain the security group information, and
the results are output as a table.


You can specify the region to list and the profile to use
as command options. If nothing is specified, the default values are used:
the region is "ap-northeast-1" and the profile is "default".

Cobra is used
to implement the subcommands and options. It is probably quite well known, as it is also used in the Kubernetes source code.

add

You can add rules to specific security groups.
When executing the add command, a configuration file written in yaml is required.

rules:
  - groupid: sg-XXXXXXXX
    fromport: 80
    toport: 80
    ipprotocol: tcp
    ipranges:
      - 0.0.0.0/0
  - groupid: sg-XXXXXXXX
    fromport: 443
    toport: 443
    ipprotocol: tcp
    ipranges:
      - 0.0.0.0/0

If you want to open ports 80/443, it looks like the above.
ipranges holds the IP address ranges to allow, and
multiple entries can be listed in this field.
Let's try it out.

$ goacl add --region us-west-1 --profile default --config config.yaml
$ goacl list --region us-west-1 --profile default
+-------------+-----------+----------+----------------+--------------+
|   GROUPID   | GROUPNAME | FROMPORT | CIDRIP/GROUPID |    VPCID     |
+-------------+-----------+----------+----------------+--------------+
| sg-XXXXXXXX | default   |       80 | 0.0.0.0/0      | vpc-XXXXXXXX |
+             +           +----------+----------------+              +
|             |           |       -1 | sg-XXXXXXXX    |              |
+             +           +----------+----------------+              +
|             |           |      443 | 0.0.0.0/0      |              |
+-------------+-----------+----------+----------------+--------------+

You can specify the configuration file with the "--config" option.
The other options are the same as for the list command.
If you run the list command after executing the add command, you can confirm that the rules have been added.

The logic uses viper.
Define a struct in the Go code that matches the yaml structure,
read the configuration file, and call viper.Unmarshal to
store the values written in the yaml in the struct.

// Config mirrors the top-level "rules:" key of the yaml file.
type Config struct {
	Rules []Rules `yaml:"rules"`
}

// Rules mirrors one entry under "rules:". Struct tag values must be quoted
// (`yaml:"groupid"`, not `yaml:groupid`) or Go rejects the tag.
// viper.Unmarshal decodes through mapstructure, which matches keys to field
// names case-insensitively, so the lowercase yaml keys map onto these fields.
type Rules struct {
	GroupID    string   `yaml:"groupid"`
	FromPort   int64    `yaml:"fromport"`
	ToPort     int64    `yaml:"toport"`
	IpProtocol string   `yaml:"ipprotocol"`
	IpRanges   []string `yaml:"ipranges"`
}

I had a hard time because I didn't really understand the idea of structs, but I
managed to get it to work properly (I'll study it a little more).
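Because the add command pushes whatever the yaml says straight into many customer accounts, it is worth checking each rule before calling the API. The following is an added example, not goacl's own code: ValidateRule is a hypothetical helper that takes one decoded Rules entry (same field layout as above, tcp/udp rules assumed) and reports malformed port ranges, unparsable CIDRs, CIDRs with host bits set, and a world-open 0.0.0.0/0 range on anything other than the 80/443 web ports used in the post.

```go
package main

import (
	"fmt"
	"net"
)

// Rules mirrors one entry of the goacl yaml config shown in the post.
type Rules struct {
	GroupID    string   `yaml:"groupid"`
	FromPort   int64    `yaml:"fromport"`
	ToPort     int64    `yaml:"toport"`
	IpProtocol string   `yaml:"ipprotocol"`
	IpRanges   []string `yaml:"ipranges"`
}

// ValidateRule (hypothetical helper, not part of goacl) lists the problems in one
// tcp/udp rule so a bad config is rejected before the AWS API is ever called.
func ValidateRule(r Rules) []string {
	var errs []string
	if r.FromPort < 0 || r.ToPort > 65535 || r.FromPort > r.ToPort {
		errs = append(errs, fmt.Sprintf("bad port range %d-%d", r.FromPort, r.ToPort))
	}
	// A single-port rule on 80 or 443 is the only place a world-open range is accepted.
	webOnly := r.FromPort == r.ToPort && (r.FromPort == 80 || r.FromPort == 443)
	for _, c := range r.IpRanges {
		ip, ipnet, err := net.ParseCIDR(c)
		if err != nil {
			errs = append(errs, "invalid CIDR: "+c)
			continue
		}
		if !ip.Equal(ipnet.IP) { // e.g. 10.1.2.3/24: host bits set in the prefix
			errs = append(errs, "CIDR has host bits set: "+c)
		}
		if ones, _ := ipnet.Mask.Size(); ones == 0 && !webOnly {
			errs = append(errs, fmt.Sprintf("%s not allowed on ports %d-%d", c, r.FromPort, r.ToPort))
		}
	}
	return errs
}

func main() {
	// Constructed sample rules: the second one would open SSH to the whole internet.
	for _, r := range []Rules{{"sg-XXXXXXXX", 443, 443, "tcp", []string{"0.0.0.0/0"}},
		{"sg-XXXXXXXX", 22, 22, "tcp", []string{"0.0.0.0/0", "10.1.2.3/24"}}} {
		fmt.Println(r.GroupID, r.FromPort, ValidateRule(r))
	}
}
```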

4. Summary

I think we will use it internally for the time being and shake out any bugs, but
we hope to release it as OSS in the future.
Rules can't be deleted yet, so I'll continue implementing that and summarize it in another blog post!

About the author

Yuki Teraoka

Joined Beyond in 2016 and is currently in his 6th year as an Infrastructure Engineer in
MSP, where he troubleshoots failures while
also designing and building infrastructure on public clouds such as AWS.
Recently, he
has been working with HashiCorp tools such as Terraform and Packer as part of building container infrastructure such as Docker and Kubernetes and automating operations, and he
also plays the role of an evangelist who speaks at external study groups and seminars.

・GitHub
https://github.com/nezumisannn

・Presentation history
https://github.com/nezumisannn/my-profile

・Presentation materials (SpeakerDeck)
https://speakerdeck.com/nezumisannn

・Certification:
AWS Certified Solutions Architect - Associate
Google Cloud Professional Cloud Architect