# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 # Purpose: # ec2-ruby-example-security-group.rb demonstrates how to # create an Amazon Elastic Compute Cloud (Amazon EC2) security group, # add inbound rules to the security group, display information about # available security groups, and delete the security group. # snippet-start:[ec2.Ruby.exampleSecurityGroup] # This code example does the following: # 1. Creates an Amazon Elastic Compute Cloud (Amazon EC2) security group. # 2. Adds inbound rules to the security group. # 3. Displays information about available security groups. # 4. Deletes the security group. require "aws-sdk-ec2" # Creates an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Prerequisites: # # - A VPC in Amazon Virtual Private Cloud (Amazon VPC). # # @param ec2_client [Aws::EC2::Client] An initialized # Amazon EC2 client. # @param group_name [String] A name for the security group. # @param description [String] A description for the security group. # @param vpc_id [String] The ID of the VPC for the security group. # @return [String] The ID of security group that was created. # @example # puts create_security_group( # Aws::EC2::Client.new(region: 'us-west-2'), # 'my-security-group', # 'This is my security group.', # 'vpc-6713dfEX' # ) def create_security_group( ec2_client, group_name, description, vpc_id ) security_group = ec2_client.create_security_group( group_name: group_name, description: description, vpc_id: vpc_id ) puts "Created security group '#{group_name}' with ID " \ "'#{security_group.group_id}' in VPC with ID '#{vpc_id}'." return security_group.group_id rescue StandardError => e puts "Error creating security group: #{e.message}" return "Error" end # Adds an inbound rule to an Amazon Elastic Compute Cloud (Amazon EC2) # security group. # # Prerequisites: # # - The security group. # # @param ec2_client [Aws::EC2::Client] An initialized Amazon EC2 client. # @param security_group_id [String] The ID of the security group. # @param ip_protocol [String] The network protocol for the inbound rule. # @param from_port [String] The originating port for the inbound rule. # @param to_port [String] The destination port for the inbound rule. # @param cidr_ip_range [String] The CIDR IP range for the inbound rule. # @return # @example # exit 1 unless security_group_ingress_authorized?( # Aws::EC2::Client.new(region: 'us-west-2'), # 'sg-030a858e078f1b9EX', # 'tcp', # '80', # '80', # '0.0.0.0/0' # ) def security_group_ingress_authorized?( ec2_client, security_group_id, ip_protocol, from_port, to_port, cidr_ip_range ) ec2_client.authorize_security_group_ingress( group_id: security_group_id, ip_permissions: [ { ip_protocol: ip_protocol, from_port: from_port, to_port: to_port, ip_ranges: [ { cidr_ip: cidr_ip_range } ] } ] ) puts "Added inbound rule to security group '#{security_group_id}' for protocol " \ "'#{ip_protocol}' from port '#{from_port}' to port '#{to_port}' " \ "with CIDR IP range '#{cidr_ip_range}'." return true rescue StandardError => e puts "Error adding inbound rule to security group: #{e.message}" return false end # Displays information about a security group's IP permissions set in # Amazon Elastic Compute Cloud (Amazon EC2). # # Prerequisites: # # - A security group with inbound rules, outbound rules, or both. # # @param p [Aws::EC2::Types::IpPermission] The IP permissions set. # @example # ec2_client = Aws::EC2::Client.new(region: 'us-west-2') # response = ec2_client.describe_security_groups # unless sg.ip_permissions.empty? # describe_security_group_permissions( # response.security_groups[0].ip_permissions[0] # ) # end def describe_security_group_permissions(perm) print " Protocol: #{perm.ip_protocol == '-1' ? 'All' : perm.ip_protocol}" unless perm.from_port.nil? if perm.from_port == "-1" || perm.from_port == -1 print ", From: All" else print ", From: #{perm.from_port}" end end unless perm.to_port.nil? if perm.to_port == "-1" || perm.to_port == -1 print ", To: All" else print ", To: #{perm.to_port}" end end if perm.key?(:ipv_6_ranges) && perm.ipv_6_ranges.count.positive? print ", CIDR IPv6: #{perm.ipv_6_ranges[0].cidr_ipv_6}" end if perm.key?(:ip_ranges) && perm.ip_ranges.count.positive? print ", CIDR IPv4: #{perm.ip_ranges[0].cidr_ip}" end print "\n" end # Displays information about available security groups in # Amazon Elastic Compute Cloud (Amazon EC2). # # @param ec2_client [Aws::EC2::Client] An initialized Amazon EC2 client. # @example # describe_security_groups(Aws::EC2::Client.new(region: 'us-west-2')) def describe_security_groups(ec2_client) response = ec2_client.describe_security_groups if response.security_groups.count.positive? response.security_groups.each do |sg| puts "-" * (sg.group_name.length + 13) puts "Name: #{sg.group_name}" puts "Description: #{sg.description}" puts "Group ID: #{sg.group_id}" puts "Owner ID: #{sg.owner_id}" puts "VPC ID: #{sg.vpc_id}" if sg.tags.count.positive? puts "Tags:" sg.tags.each do |tag| puts " Key: #{tag.key}, Value: #{tag.value}" end end unless sg.ip_permissions.empty? puts "Inbound rules:" if sg.ip_permissions.count.positive? sg.ip_permissions.each do |p| describe_security_group_permissions(p) end end unless sg.ip_permissions_egress.empty? puts "Outbound rules:" if sg.ip_permissions.count.positive? sg.ip_permissions_egress.each do |p| describe_security_group_permissions(p) end end end else puts "No security groups found." end rescue StandardError => e puts "Error getting information about security groups: #{e.message}" end # Deletes an Amazon Elastic Compute Cloud (Amazon EC2) # security group. # # Prerequisites: # # - The security group. # # @param ec2_client [Aws::EC2::Client] An initialized # Amazon EC2 client. # @param security_group_id [String] The ID of the security group to delete. # @return [Boolean] true if the security group was deleted; otherwise, false. # @example # exit 1 unless security_group_deleted?( # Aws::EC2::Client.new(region: 'us-west-2'), # 'sg-030a858e078f1b9EX' # ) def security_group_deleted?(ec2_client, security_group_id) ec2_client.delete_security_group(group_id: security_group_id) puts "Deleted security group '#{security_group_id}'." return true rescue StandardError => e puts "Error deleting security group: #{e.message}" return false end # Full example call: def run_me group_name = "" description = "" vpc_id = "" ip_protocol_http = "" from_port_http = "" to_port_http = "" cidr_ip_range_http = "" ip_protocol_ssh = "" from_port_ssh = "" to_port_ssh = "" cidr_ip_range_ssh = "" region = "" # Print usage information and then stop. if ARGV[0] == "--help" || ARGV[0] == "-h" puts "Usage: ruby ec2-ruby-example-security-group.rb " \ "GROUP_NAME DESCRIPTION VPC_ID IP_PROTOCOL_1 FROM_PORT_1 TO_PORT_1 " \ "CIDR_IP_RANGE_1 IP_PROTOCOL_2 FROM_PORT_2 TO_PORT_2 " \ "CIDR_IP_RANGE_2 REGION" puts "Example: ruby ec2-ruby-example-security-group.rb " \ "my-security-group 'This is my security group.' vpc-6713dfEX " \ "tcp 80 80 '0.0.0.0/0' tcp 22 22 '0.0.0.0/0' us-west-2" exit 1 # If no values are specified at the command prompt, use these default values. elsif ARGV.count.zero? group_name = "my-security-group" description = "This is my security group." vpc_id = "vpc-6713dfEX" ip_protocol_http = "tcp" from_port_http = "80" to_port_http = "80" cidr_ip_range_http = "0.0.0.0/0" ip_protocol_ssh = "tcp" from_port_ssh = "22" to_port_ssh = "22" cidr_ip_range_ssh = "0.0.0.0/0" # Replace us-west-2 with the AWS Region you're using for Amazon EC2. region = "us-west-2" # Otherwise, use the values as specified at the command prompt. else group_name = ARGV[0] description = ARGV[1] vpc_id = ARGV[2] ip_protocol_http = ARGV[3] from_port_http = ARGV[4] to_port_http = ARGV[5] cidr_ip_range_http = ARGV[6] ip_protocol_ssh = ARGV[7] from_port_ssh = ARGV[8] to_port_ssh = ARGV[9] cidr_ip_range_ssh = ARGV[10] region = ARGV[11] end security_group_id = "" security_group_exists = false ec2_client = Aws::EC2::Client.new(region: region) puts "Attempting to create security group..." security_group_id = create_security_group( ec2_client, group_name, description, vpc_id ) if security_group_id == "Error" puts "Could not create security group. Skipping this step." else security_group_exists = true end if security_group_exists puts "Attempting to add inbound rules to security group..." unless security_group_ingress_authorized?( ec2_client, security_group_id, ip_protocol_http, from_port_http, to_port_http, cidr_ip_range_http ) puts "Could not add inbound HTTP rule to security group. " \ "Skipping this step." end unless security_group_ingress_authorized?( ec2_client, security_group_id, ip_protocol_ssh, from_port_ssh, to_port_ssh, cidr_ip_range_ssh ) puts "Could not add inbound SSH rule to security group. " \ "Skipping this step." end end puts "\nInformation about available security groups:" describe_security_groups(ec2_client) if security_group_exists puts "\nAttempting to delete security group..." unless security_group_deleted?(ec2_client, security_group_id) puts "Could not delete security group. You must delete it yourself." end end end run_me if $PROGRAM_NAME == __FILE__ # snippet-end:[ec2.Ruby.exampleSecurityGroup]