A story about creating a CLI tool to edit AWS security groups using Golang

My name is Teraoka and I am an infrastructure engineer

This time, I'll talk about creating a CLI tool in Golang.
It's called "goacl" and I'd like to introduce what it is.

1. What is goacl?

goacl is a CLI tool written in Golang

view a list of AWS security groups and
add rules to specific groups.

Currently, it only allows you to display a list and add rules, but
we plan to add functionality that allows you to delete unnecessary rules.

2. Reason for creating it

There are two internal/personal reasons

Internal reasons

In short, the reason is that the office's fixed IP address will change in the future

In order to improve the quality of our internal network,
we decided to change the line itself, but we
were unsure how to allow access from the new IP address.

Our company's core business is MSP, and
thanks to that, we manage the AWS accounts of many customers.
Whenever an IP address changes, the permission settings for all accounts must be reviewed, and
there are limitations to adding permission settings manually.
This is where we use "goacl."

personal reasons

I had always wanted to be able to write Golang, and I thought it would
help me streamline my work and also serve as a good opportunity for personal learning.

is a language that is also used in
HashiCorp products such as Terraform and I think there are plenty of benefits for infrastructure engineers to learn it.

3.goacl usage and logic

It is a CLI tool, so it is run from the command line

Usage

Simply type goacl to check the Usage

$ goacl goacl is a CLI tool for listing AWS security groups and adding / deleting rules. Usage: goacl [command] Available Commands: add Add SecurityGroup rule help Help about any command list List SecurityGroup info Flags: --config string config file (default is $HOME/.goacl.yaml) -h, --help help for goacl -t, --toggle Help message for toggle Use "goacl [command] --help" for more information about a command.

list

You can check the list of security groups
by using the "list" subcommand as follows:

$ goacl list --region us-west-1 --profile default +-------------+----------+----------+----------------+--------------+ | GROUPID | GROUPNAME | FROMPORT | CIDRIP/GROUPID | VPCID | +-------------+------------+----------+----------------+--------------+ | sg-XXXXXXXX | default | +-------------+------------+----------+----------------+--------------+

Since this is a blog, the ID part is masked, but
inside goacl, aws-sdk-go is used to obtain security group information, and
the execution results are formatted into a table and output.

As command options,
you can specify the region to list and the profile to use.
If you do not specify anything, the default values ​​will be referenced,
with the region being "ap-northeast-1" and the profile being "default".

The implementation of subcommands and options uses
Cobra which is also used in the Kubernetes source code, so it is probably quite well-known.

add

You can add rules to a specific security group.
When executing the add command, a configuration file written in YAML is required.

rules: - groupid: sg-XXXXXXXX fromport: 80 toport: 80 ipprotocol: tcp ipranges: - 0.0.0.0/0 - groupid: sg-XXXXXXXX fromport: 443 toport: 443 ipprotocol: tcp ipranges: - 0.0.0.0/0

To open ports 80/443, use the above command.
ipranges specifies the IP addresses to allow, and
multiple entries can be specified.
Let's try it out.

$ goacl add --region us-west-1 --profile default --config config.yaml $ goacl list --region us-west-1 --profile default +-------------+------------+----------+----------------+--------------+ | GROUPID | GROUPNAME | FROMPORT | CIDRIP/GROUPID | VPCID | +-------------+-----------+----------+----------------+--------------+ | sg-XXXXXXXX | default | 80 | 0.0.0.0/0 | vpc-XXXXXXXX | + + +----------+----------------+ + | | | -1 | sg-XXXXXXXX | | + + +----------+----------------+ + | | | 443 | 0.0.0.0/0 |

You can specify a configuration file with the "--config" option.
The remaining options are the same as the list command.
If you run the list command after running the add command, you can confirm that it has been added.

to use
viper to read the configuration file The same structure as the yaml structure is defined in the Go code, and
the configuration file is read and
the values ​​described in the yaml are stored in the structure by using viper.Unmarshal.

type Config struct { Rules []Rules `yaml:rules` } type Rules struct { GroupID string `yaml:groupid` FromPort int64 `yaml:fromport` ToPort int64 `yaml:toport` IpProtocol string `yaml:ipprotocol` IpRanges []string `yaml:ipranges` }

I had a hard time because I didn't understand the concept of structures at all, but I
managed to get it to work properly (I'll study it a bit more).

4. Summary

For now, we will be using it internally to identify any bugs, but we hope
to release it as open source in the future. We
are not yet able to delete rules, so we will continue to implement that and write about it in another blog post!