A story about creating a CLI tool to edit AWS security groups using Golang

My name is Teraoka, and I am an infrastructure engineer.
This time I'll be talking about a CLI tool I created in Golang.
It's called "goacl", and I'd like to introduce what it does.
1. What is goacl?
goacl is a CLI tool written in Golang that lists AWS security groups and
adds rules to a specific group.
Currently only the list view and the rule-addition function are available, but
we plan to add a feature that lets users delete unnecessary rules.
2. Reason for creating it
There are two reasons, one internal and one personal.
Internal reasons
In short, the office's fixed IP address will change in the future.
To improve the quality of our internal network,
we decided to change the network lines themselves, and
the question arose of how to allow access from the new IP addresses.
As our core business is MSP (Managed Service Provider),
we are fortunate to manage a large number of AWS accounts for our clients.
Whenever an IP address changes, we need to review the permission settings for every one of those accounts, and
adding permission settings by hand does not scale.
This is where "goacl" comes in.
Personal reasons
I've always wanted to learn Golang, and I thought it would not
only improve my work efficiency but also be a good learning experience for me.
Since Golang is used in HashiCorp products such as Terraform,
I think there are plenty of advantages for infrastructure engineers to learn it.
3. goacl usage and logic
It is a CLI tool, so it is run from the command line.
Usage
Simply type goacl to see the usage:
$ goacl
goacl is a CLI tool for listing AWS security groups and adding / deleting rules.

Usage:
  goacl [command]

Available Commands:
  add         Add SecurityGroup rule
  help        Help about any command
  list        List SecurityGroup info

Flags:
      --config string   config file (default is $HOME/.goacl.yaml)
  -h, --help            help for goacl
  -t, --toggle          Help message for toggle

Use "goacl [command] --help" for more information about a command.
list
You can view a list of security groups.
Use the "list" subcommand as follows:
$ goacl list --region us-west-1 --profile default
+-------------+-----------+----------+----------------+--------------+
| GROUPID     | GROUPNAME | FROMPORT | CIDRIP/GROUPID | VPCID        |
+-------------+-----------+----------+----------------+--------------+
| sg-XXXXXXXX | default   |          |                |              |
+-------------+-----------+----------+----------------+--------------+
Since this is a blog, the ID part is masked, but
goacl uses aws-sdk-go internally to retrieve the security group information, and
the result is printed as a formatted table.
As command options
you can specify the region to list and the profile to use.
If you don't specify anything, the default values are used:
the region is "ap-northeast-1" and the profile is "default".
Subcommands and options are implemented with Cobra.
It's fairly well known, as it's also used in the Kubernetes source code.
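The list logic described above, as an added example that is not goacl's own code: the aws-sdk-go types (ec2.SecurityGroup, ec2.IpPermission) are replaced by constructed stand-ins so nothing calls AWS, the sample groups and ids are constructed, and FlattenRows, RowsReferencing and RenderTable are hypothetical helper names. It goes slightly beyond the page by also picking out the rows that reference a given CIDR, which is the question the office IP change actually raises.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"text/tabwriter"
)

// Constructed stand-ins for the aws-sdk-go types goacl reads
// (ec2.SecurityGroup and ec2.IpPermission). No DescribeSecurityGroups
// call is made here, so the example runs offline.
type IpPermission struct {
	FromPort   int64 // -1 when the rule covers all traffic (protocol "-1")
	ToPort     int64
	IpProtocol string
	CidrIps    []string // IpRanges[].CidrIp in the SDK
	GroupIds   []string // UserIdGroupPairs[].GroupId in the SDK
}

type SecurityGroup struct {
	GroupId   string
	GroupName string
	VpcId     string
	Ingress   []IpPermission // IpPermissions in the SDK
}

// Row is one line of the list table: one row per (port, source) pair,
// where the source is either a CIDR or a referenced security group id.
type Row struct {
	GroupId   string
	GroupName string
	FromPort  int64
	Source    string
	VpcId     string
}

// FlattenRows expands nested ingress permissions into flat rows. A group
// with no rules still gets one row so it is not silently dropped.
func FlattenRows(groups []SecurityGroup) []Row {
	var rows []Row
	for _, g := range groups {
		if len(g.Ingress) == 0 {
			rows = append(rows, Row{GroupId: g.GroupId, GroupName: g.GroupName, VpcId: g.VpcId})
			continue
		}
		for _, p := range g.Ingress {
			for _, cidr := range p.CidrIps {
				rows = append(rows, Row{GroupId: g.GroupId, GroupName: g.GroupName,
					FromPort: p.FromPort, Source: cidr, VpcId: g.VpcId})
			}
			for _, id := range p.GroupIds {
				rows = append(rows, Row{GroupId: g.GroupId, GroupName: g.GroupName,
					FromPort: p.FromPort, Source: id, VpcId: g.VpcId})
			}
		}
	}
	return rows
}

// RowsReferencing picks out the rows whose source equals cidr: when the
// office IP changes, these are the rules that have to be replaced.
func RowsReferencing(rows []Row, cidr string) []Row {
	var hits []Row
	for _, r := range rows {
		if r.Source == cidr {
			hits = append(hits, r)
		}
	}
	return hits
}

// RenderTable prints the rows under the same headers goacl uses;
// text/tabwriter stands in for the box-drawing table library.
func RenderTable(w io.Writer, rows []Row) {
	tw := tabwriter.NewWriter(w, 0, 0, 2, ' ', 0)
	fmt.Fprintln(tw, "GROUPID\tGROUPNAME\tFROMPORT\tCIDRIP/GROUPID\tVPCID")
	for _, r := range rows {
		port := ""
		if r.Source != "" {
			port = fmt.Sprint(r.FromPort)
		}
		fmt.Fprintf(tw, "%s\t%s\t%s\t%s\t%s\n", r.GroupId, r.GroupName, port, r.Source, r.VpcId)
	}
	tw.Flush()
}

// SampleGroups is constructed input mirroring the page's output: one group
// with 80 and 443 open to the world plus a self-referencing all-traffic
// rule, and one group with no rules at all.
func SampleGroups() []SecurityGroup {
	return []SecurityGroup{
		{GroupId: "sg-EXAMPLE1", GroupName: "default", VpcId: "vpc-EXAMPLE1", Ingress: []IpPermission{
			{FromPort: 80, ToPort: 80, IpProtocol: "tcp", CidrIps: []string{"0.0.0.0/0"}},
			{FromPort: -1, ToPort: -1, IpProtocol: "-1", GroupIds: []string{"sg-EXAMPLE1"}},
			{FromPort: 443, ToPort: 443, IpProtocol: "tcp", CidrIps: []string{"0.0.0.0/0"}},
		}},
		{GroupId: "sg-EXAMPLE2", GroupName: "empty", VpcId: "vpc-EXAMPLE1"},
	}
}

func main() {
	rows := FlattenRows(SampleGroups())
	RenderTable(os.Stdout, rows)
	fmt.Printf("%d rule(s) reference 0.0.0.0/0\n", len(RowsReferencing(rows, "0.0.0.0/0")))
}
```

Flattening one row per source is what makes the table useful for the review the page describes: across many accounts the old office CIDR can be found with a plain text search on the output rather than by reading nested permissions.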
add
You can add rules to a specific security group.
The `add` command requires a configuration file written in YAML format.
rules:
  - groupid: sg-XXXXXXXX
    fromport: 80
    toport: 80
    ipprotocol: tcp
    ipranges:
      - 0.0.0.0/0
  - groupid: sg-XXXXXXXX
    fromport: 443
    toport: 443
    ipprotocol: tcp
    ipranges:
      - 0.0.0.0/0
To open ports 80/443, use the format above.
`ipranges` specifies the allowed source IP ranges;
multiple ranges can be listed in this field.
Let's try it out.
$ goacl add --region us-west-1 --profile default --config config.yaml
$ goacl list --region us-west-1 --profile default
+-------------+-----------+----------+----------------+--------------+
| GROUPID     | GROUPNAME | FROMPORT | CIDRIP/GROUPID | VPCID        |
+-------------+-----------+----------+----------------+--------------+
| sg-XXXXXXXX | default   |       80 | 0.0.0.0/0      | vpc-XXXXXXXX |
+             +           +----------+----------------+              +
|             |           |       -1 | sg-XXXXXXXX    |              |
+             +           +----------+----------------+              +
|             |           |      443 | 0.0.0.0/0      |              |
+-------------+-----------+----------+----------------+--------------+
The "--config" option allows you to specify a configuration file.
The subsequent options are the same as those for the list command.
If you run the list command after the add command, you can confirm that the rules have been added.
Viper is used to read the configuration file.
A struct identical to the YAML structure is defined in the Go code, and
by reading the configuration file and calling viper.Unmarshal,
the values written in the YAML are stored in the struct.
// Struct tag values must be quoted (`yaml:"rules"`, not `yaml:rules`),
// otherwise the tag is malformed and ignored.
type Config struct {
	Rules []Rules `yaml:"rules"`
}

type Rules struct {
	GroupID    string   `yaml:"groupid"`
	FromPort   int64    `yaml:"fromport"`
	ToPort     int64    `yaml:"toport"`
	IpProtocol string   `yaml:"ipprotocol"`
	IpRanges   []string `yaml:"ipranges"`
}
I actually didn't understand the concept of structs at all, so I struggled quite a bit, but I finally
managed to get it working properly (I need to study more).
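Added example, not part of goacl: the Config and Rules structs from above (with quoted struct tags), plus the checks worth running on a decoded config before any rule is sent to the EC2 API. The YAML decoding itself is left to Viper as on the page; the sample config is constructed, and NormalizeSource, ValidateRules and WorldOpen are hypothetical helper names. It goes beyond the page by accepting a bare office IP and turning it into the /32 the API expects, and by flagging rules that admit traffic from anywhere, which is intended for 80/443 here but worth a second look on any other port.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Config and Rules mirror the structs goacl fills with viper.Unmarshal.
type Config struct {
	Rules []Rules `yaml:"rules"`
}

type Rules struct {
	GroupID    string   `yaml:"groupid"`
	FromPort   int64    `yaml:"fromport"`
	ToPort     int64    `yaml:"toport"`
	IpProtocol string   `yaml:"ipprotocol"`
	IpRanges   []string `yaml:"ipranges"`
}

// NormalizeSource accepts a CIDR or a bare IP and returns the CIDR form the
// EC2 API expects: a bare IPv4 becomes /32, a bare IPv6 becomes /128.
func NormalizeSource(s string) (string, error) {
	if _, n, err := net.ParseCIDR(s); err == nil {
		return n.String(), nil // also drops host bits, e.g. 10.1.2.3/24 -> 10.1.2.0/24
	}
	ip := net.ParseIP(s)
	if ip == nil {
		return "", fmt.Errorf("%q is neither a CIDR nor an IP address", s)
	}
	if ip.To4() != nil {
		return ip.String() + "/32", nil
	}
	return ip.String() + "/128", nil
}

// ValidateRules checks a decoded config before any AuthorizeSecurityGroupIngress
// call, so that a typo fails locally instead of half-way through a batch.
func ValidateRules(cfg Config) []error {
	var errs []error
	if len(cfg.Rules) == 0 {
		return []error{errors.New("config contains no rules")}
	}
	for i, r := range cfg.Rules {
		where := fmt.Sprintf("rules[%d]", i)
		if !strings.HasPrefix(r.GroupID, "sg-") {
			errs = append(errs, fmt.Errorf("%s: groupid %q does not look like a security group id", where, r.GroupID))
		}
		switch r.IpProtocol {
		case "tcp", "udp":
			if r.FromPort < 0 || r.ToPort > 65535 || r.FromPort > r.ToPort {
				errs = append(errs, fmt.Errorf("%s: invalid port range %d-%d", where, r.FromPort, r.ToPort))
			}
		case "icmp", "icmpv6", "-1":
			// port fields carry ICMP type/code or are ignored; nothing to check here
		default:
			errs = append(errs, fmt.Errorf("%s: unsupported ipprotocol %q", where, r.IpProtocol))
		}
		if len(r.IpRanges) == 0 {
			errs = append(errs, fmt.Errorf("%s: ipranges is empty", where))
		}
		for _, src := range r.IpRanges {
			if _, err := NormalizeSource(src); err != nil {
				errs = append(errs, fmt.Errorf("%s: %w", where, err))
			}
		}
	}
	return errs
}

// WorldOpen lists the rules that would admit traffic from any address.
func WorldOpen(cfg Config) []Rules {
	var open []Rules
	for _, r := range cfg.Rules {
		for _, src := range r.IpRanges {
			if src == "0.0.0.0/0" || src == "::/0" {
				open = append(open, r)
				break
			}
		}
	}
	return open
}

func main() {
	// Constructed config: the page's two rules plus two entries that should fail.
	cfg := Config{Rules: []Rules{
		{GroupID: "sg-EXAMPLE1", FromPort: 80, ToPort: 80, IpProtocol: "tcp", IpRanges: []string{"0.0.0.0/0"}},
		{GroupID: "sg-EXAMPLE1", FromPort: 443, ToPort: 443, IpProtocol: "tcp", IpRanges: []string{"0.0.0.0/0"}},
		{GroupID: "sg-EXAMPLE1", FromPort: 22, ToPort: 22, IpProtocol: "tcp", IpRanges: []string{"203.0.113.7"}},
		{GroupID: "default", FromPort: 80, ToPort: 70000, IpProtocol: "tcp", IpRanges: []string{"203.0.113"}},
	}}
	for _, err := range ValidateRules(cfg) {
		fmt.Println("config error:", err)
	}
	for _, r := range WorldOpen(cfg) {
		fmt.Printf("world-open: %s %s %d-%d\n", r.GroupID, r.IpProtocol, r.FromPort, r.ToPort)
	}
}
```

Running the validation before the add loop matters because the EC2 API applies each rule as it goes; rejecting a bad entry up front avoids a run that adds some rules and then stops, leaving accounts in a mixed state that the list output would then have to be used to untangle.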
4. Summary
We'll use it internally for now to shake out bugs, but we hope
to release it as open source in the future.
Rule deletion still needs to be implemented, so I'll continue working on that and write another blog post about it!
