I Created a CLI Tool to Edit AWS Security Groups in Golang



What is goacl


goacl is a CLI tool written in Golang.

You can view a list of AWS security groups and add rules for specific groups.


The usage and the logic of goacl

It’s a CLI tool, so it is executed from the command line.


Usage


You can check usage by simply typing goacl.


$ goacl
goacl is a CLI tool for listing AWS security groups and adding / deleting rules.

Usage:
  goacl [command]

Available Commands:
  add         Add SecurityGroup rule
  help        Help about any command
  list        List SecurityGroup info

Flags:
      --config string   config file (default is $HOME/.goacl.yaml)
  -h, --help            help for goacl
  -t, --toggle          Help message for toggle

Use "goacl [command] --help" for more information about a command.

list

You can view the list of security groups.

Use the “list” subcommand as shown below.


$ goacl list --region us-west-1 --profile default
+-------------+-----------+----------+----------------+--------------+
|   GROUPID   | GROUPNAME | FROMPORT | CIDRIP/GROUPID |    VPCID     |
+-------------+-----------+----------+----------------+--------------+
| sg-XXXXXXXX | default   |       -1 | sg-XXXXXXXX    | vpc-XXXXXXXX |
+-------------+-----------+----------+----------------+--------------+

I have masked the ID part. Inside goacl, the security group information is fetched with aws-sdk-go and the results are formatted into a table.


As command options, you can specify the region to list and the profile to use.

If you don’t specify them, the defaults are used: “ap-northeast-1” for the region and “default” for the profile.


I used cobra for subcommands and options.


add

You can add rules to specific security groups.

A settings file written in YAML is required to execute the add command.


rules:
  -
    groupid: sg-XXXXXXXX
    fromport: 80
    toport: 80
    ipprotocol: tcp
    ipranges:
      - 0.0.0.0/0
  -
    groupid: sg-XXXXXXXX
    fromport: 443
    toport: 443
    ipprotocol: tcp
    ipranges:
      - 0.0.0.0/0

The above is an example of opening ports 80 and 443.

The ipranges section lists the IP ranges (in CIDR notation) to allow, and it can have multiple entries.

Let’s go ahead and execute it!


$ goacl add --region us-west-1 --profile default --config config.yaml
$ goacl list --region us-west-1 --profile default
+-------------+-----------+----------+----------------+--------------+
|   GROUPID   | GROUPNAME | FROMPORT | CIDRIP/GROUPID |    VPCID     |
+-------------+-----------+----------+----------------+--------------+
| sg-XXXXXXXX | default   |       80 | 0.0.0.0/0      | vpc-XXXXXXXX |
+             +           +----------+----------------+              +
|             |           |       -1 | sg-XXXXXXXX    |              |
+             +           +----------+----------------+              +
|             |           |      443 | 0.0.0.0/0      |              |
+-------------+-----------+----------+----------------+--------------+

You can specify the settings file with the “--config” option.

The other options are the same as for the list command.

Running the list command after the add command shows that the rules for the specified IP ranges have been added.


Internally, it uses viper to read the configuration file.

The Go code defines structs mirroring the YAML structure; after loading the configuration file, viper.Unmarshal fills those structs with the values written in the YAML.


// Config mirrors the top-level "rules:" list in the YAML file.
type Config struct {
    Rules []Rules `yaml:"rules" mapstructure:"rules"`
}

// Rules mirrors one entry of the list. viper.Unmarshal decodes through
// mapstructure, which matches keys to field names case-insensitively, so the
// tags are optional; they are written out (quoted, as Go struct tags require)
// to make the mapping explicit.
type Rules struct {
    GroupID    string   `yaml:"groupid" mapstructure:"groupid"`
    FromPort   int64    `yaml:"fromport" mapstructure:"fromport"`
    ToPort     int64    `yaml:"toport" mapstructure:"toport"`
    IpProtocol string   `yaml:"ipprotocol" mapstructure:"ipprotocol"`
    IpRanges   []string `yaml:"ipranges" mapstructure:"ipranges"`
}

It works without problems now!
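As an added example (not part of goacl or the original post), here is the validation pass a defender would want between reading the YAML config above and sending its rules to EC2: it takes the same fields as the post's Rules struct, checks the protocol and port range, rejects entries that are not IPv4 CIDRs, and flags ranges such as 0.0.0.0/0 that open a port to the whole internet. The Rule type and ValidateRule function are my own names, and the struct is redefined here so the code runs with the standard library alone.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule mirrors one entry of goacl's "rules:" list; redefined here so the example runs without viper.
type Rule struct {
	GroupID    string
	FromPort   int64
	ToPort     int64
	IpProtocol string
	IpRanges   []string
}

// ValidateRule checks one rule before it would be handed to EC2: "error:" entries are
// mistakes, "warn:" entries are valid but worth a second look (e.g. 0.0.0.0/0).
func ValidateRule(r Rule) []string {
	var out []string
	if !strings.HasPrefix(r.GroupID, "sg-") {
		out = append(out, "error: groupid must start with sg-")
	}
	switch strings.ToLower(r.IpProtocol) {
	case "-1": // "all traffic": EC2 ignores the ports
	case "icmp", "icmpv6": // ports hold ICMP type/code (-1 = all); not range-checked here
	case "tcp", "udp":
		if r.FromPort < 0 || r.ToPort > 65535 || r.FromPort > r.ToPort {
			out = append(out, fmt.Sprintf("error: bad port range %d-%d", r.FromPort, r.ToPort))
		}
	default:
		out = append(out, "error: unknown ipprotocol "+r.IpProtocol)
	}
	for _, c := range r.IpRanges {
		ip, ipnet, err := net.ParseCIDR(c)
		if err != nil || ip.To4() == nil { // ipranges carries IPv4 CIDRs only
			out = append(out, "error: not an IPv4 CIDR: "+c)
			continue
		}
		if !ip.Equal(ipnet.IP) {
			out = append(out, fmt.Sprintf("warn: %s has host bits set; network is %s", c, ipnet))
		}
		if ones, _ := ipnet.Mask.Size(); ones == 0 {
			out = append(out, fmt.Sprintf("warn: %s opens ports %d-%d to the whole internet", c, r.FromPort, r.ToPort))
		}
	}
	return out
}

func main() { // validates the post's port-80 rule (constructed input) and prints the world-open warning
	for _, m := range ValidateRule(Rule{"sg-XXXXXXXX", 80, 80, "tcp", []string{"0.0.0.0/0"}}) { fmt.Println(m) }
}
```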




This blog post is translated from a blog post written by Yuki Teraoka on our Japanese website Beyond Co..



