For two days I have been trying to find documentation on updating an AWS EC2 security group with the AWS Java SDK. I was able to find documentation on creating and deleting security groups with the AWS Java SDK, but I could not find the equivalent documentation for adding, deleting and updating security group inbound rules with the Java SDK. If anyone could give me a link to the documentation, or any working example code in Java, it would really help me.
I hope you have found a solution to the problem by now, since it was posted a month ago. I am currently doing the same thing, and I found that using AuthorizeSecurityGroupIngressRequest lets you update an existing security group instead of creating a new one every time.
```java
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.ec2.model.AuthorizeSecurityGroupIngressRequest;
import software.amazon.awssdk.services.ec2.model.IpPermission;
import software.amazon.awssdk.services.ec2.model.IpRange;
import software.amazon.awssdk.services.ec2.model.UpdateSecurityGroupRuleDescriptionsIngressRequest;
import software.amazon.awssdk.services.ec2.model.UpdateSecurityGroupRuleDescriptionsIngressResponse;

// ec2 is an already-built Ec2Client (AWS SDK for Java v2)
// 0.0.0.0/0 exposes port 22 to the whole internet; use a specific source CIDR where possible
IpRange ipRange = IpRange.builder()
        .cidrIp("0.0.0.0/0")
        .build();
IpPermission ipPerm = IpPermission.builder()
        .ipProtocol("tcp")
        .toPort(22)
        .fromPort(22)
        .ipRanges(ipRange)
        .build();

// Adds the inbound rule to the existing group
AuthorizeSecurityGroupIngressRequest authRequest =
        AuthorizeSecurityGroupIngressRequest.builder()
                .groupName(YOUR_GROUP_NAME) // can also use .groupId
                .ipPermissions(ipPerm)
                .build();
ec2.authorizeSecurityGroupIngress(authRequest);

// Changes only the description of an already existing rule that matches ipPerm;
// set .description(...) on the IpRange for this call to have any effect
UpdateSecurityGroupRuleDescriptionsIngressRequest updateRequest =
        UpdateSecurityGroupRuleDescriptionsIngressRequest.builder()
                .groupName("default")
                .ipPermissions(ipPerm)
                .build();
UpdateSecurityGroupRuleDescriptionsIngressResponse updateResponse =
        ec2.updateSecurityGroupRuleDescriptionsIngress(updateRequest);
```
It worked for me.
I just solved this for a project I am working on. I found it harder than it needed to be. One would think you could fetch the rule via describe-security-groups, modify it, and then call AuthorizeSecurityGroupIngress. I ended up having to first look up the security group rule ID to delete the rule, and then re-add it. Here is some working code.
```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.ec2.model.AuthorizeSecurityGroupIngressRequest;
import software.amazon.awssdk.services.ec2.model.AuthorizeSecurityGroupIngressResponse;
import software.amazon.awssdk.services.ec2.model.DescribeSecurityGroupRulesRequest;
import software.amazon.awssdk.services.ec2.model.Filter;
import software.amazon.awssdk.services.ec2.model.IpPermission;
import software.amazon.awssdk.services.ec2.model.IpRange;
import software.amazon.awssdk.services.ec2.model.RevokeSecurityGroupIngressRequest;
import software.amazon.awssdk.services.ec2.model.SecurityGroupRule;
import software.amazon.awssdk.services.ec2.model.Tag;
import software.amazon.awssdk.services.ec2.model.TagSpecification;

import java.util.List;

@Slf4j
@Service
public class UpdateKibanaReportsSecurityGroup {
    private static final String REPORTING_GROUP_ID = "sg-0";

    @PreAuthorize(REPORTING) // REPORTING is the poster's own Spring Security expression constant, defined elsewhere
    public void updateEntry(String tagName, String newSourceIp) {
        // try-with-resources closes the client exactly once
        try (Ec2Client ec2Client = Ec2Client.builder()
                .credentialsProvider(ProfileCredentialsProvider.create("so"))
                .httpClient(UrlConnectionHttpClient.builder().build())
                .region(Region.AWS_ISO_GLOBAL)
                .build()) {
            updateSecurityGroupEntryByDescription(ec2Client, tagName, newSourceIp);
        }
    }

    private void updateSecurityGroupEntryByDescription(Ec2Client ec2Client, String tagName, String newSourceIp) {
        // Revoke the existing rule by its rule ID, if a rule with this Name tag exists yet.
        final String securityGroupRuleId = findSecurityGroupById(ec2Client, tagName);
        if (securityGroupRuleId != null) {
            final RevokeSecurityGroupIngressRequest ingressRequest = RevokeSecurityGroupIngressRequest.builder()
                    .groupId(REPORTING_GROUP_ID)
                    .securityGroupRuleIds(securityGroupRuleId)
                    .build();
            ec2Client.revokeSecurityGroupIngress(ingressRequest);
        }
        // Tag the new rule so it can be found (and revoked) by name next time.
        final TagSpecification name = TagSpecification.builder()
                .tags(Tag.builder()
                        .key("Name").value(tagName)
                        .build())
                .resourceType("security-group-rule")
                .build();
        // Allow HTTPS from the single new source address only (/32).
        final IpPermission permission = IpPermission.builder()
                .ipProtocol("tcp")
                .toPort(443)
                .fromPort(443)
                .ipRanges(IpRange.builder()
                        .cidrIp(newSourceIp + "/32")
                        .build())
                .build();
        AuthorizeSecurityGroupIngressResponse response = ec2Client.authorizeSecurityGroupIngress(
                AuthorizeSecurityGroupIngressRequest.builder()
                        .groupId(REPORTING_GROUP_ID)
                        .ipPermissions(permission)
                        .tagSpecifications(name)
                        .build());
        log.info("Inbound rule updated successfully: " + response);
    }

    // Returns the rule ID of the rule in REPORTING_GROUP_ID whose Name tag equals tagName, or null if none.
    private String findSecurityGroupById(Ec2Client ec2, String tagName) {
        // Each filter must be its own Filter object; chaining .name() twice on one builder
        // overwrites the first name and silently drops the group-id filter.
        final List<SecurityGroupRule> rules = ec2.describeSecurityGroupRules(
                DescribeSecurityGroupRulesRequest.builder()
                        .filters(
                                Filter.builder().name("group-id").values(REPORTING_GROUP_ID).build(),
                                Filter.builder().name("tag:Name").values(tagName).build())
                        .build())
                .securityGroupRules();
        return rules.isEmpty() ? null : rules.get(0).securityGroupRuleId();
    }
}
```
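The first answer opens TCP/22 to 0.0.0.0/0 and the second shows revoking a rule by its rule ID; as an added example (not code from either poster), this combines the two to find every world-open SSH rule in a group and narrow it to an allowed source range, adding the replacement before revoking the old rule so there is no window without access. The class name `SshIngressTightener`, `groupId` and `allowedCidr` are assumptions; `ec2` is a caller-built `Ec2Client`.

```java
import java.util.ArrayList;
import java.util.List;
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.ec2.model.*;

public final class SshIngressTightener {
    // Replaces every inbound IPv4 rule that exposes TCP/22 to 0.0.0.0/0 with the same rule
    // limited to allowedCidr (e.g. a bastion or office range). Returns the revoked rule IDs.
    // groupId and allowedCidr are caller-supplied assumptions, not values from the thread.
    public static List<String> restrictWorldOpenSsh(Ec2Client ec2, String groupId, String allowedCidr) {
        List<SecurityGroupRule> rules = ec2.describeSecurityGroupRules(
                DescribeSecurityGroupRulesRequest.builder()
                        .filters(Filter.builder().name("group-id").values(groupId).build())
                        .build())
                .securityGroupRules();
        List<String> revoked = new ArrayList<>();
        for (SecurityGroupRule rule : rules) {
            if (!isWorldOpenSsh(rule)) {
                continue;
            }
            // Add the narrowed rule first (different CIDR, so no duplicate conflict), then revoke
            // the open one by its exact rule ID; the description makes the change visible in the console.
            ec2.authorizeSecurityGroupIngress(AuthorizeSecurityGroupIngressRequest.builder()
                    .groupId(groupId)
                    .ipPermissions(IpPermission.builder()
                            .ipProtocol("tcp").fromPort(22).toPort(22)
                            .ipRanges(IpRange.builder()
                                    .cidrIp(allowedCidr)
                                    .description("SSH, narrowed from 0.0.0.0/0")
                                    .build())
                            .build())
                    .build());
            ec2.revokeSecurityGroupIngress(RevokeSecurityGroupIngressRequest.builder()
                    .groupId(groupId)
                    .securityGroupRuleIds(rule.securityGroupRuleId())
                    .build());
            revoked.add(rule.securityGroupRuleId());
        }
        return revoked;
    }

    // Inbound IPv4 TCP rule whose port range covers 22 and whose source is the whole internet.
    static boolean isWorldOpenSsh(SecurityGroupRule rule) {
        return Boolean.FALSE.equals(rule.isEgress())
                && "tcp".equals(rule.ipProtocol())
                && "0.0.0.0/0".equals(rule.cidrIpv4())
                && rule.fromPort() != null && rule.toPort() != null
                && rule.fromPort() <= 22 && rule.toPort() >= 22;
    }
}
```

If a rule for allowedCidr on port 22 already exists, the authorize call fails with InvalidPermission.Duplicate, which is safe: nothing is revoked for that rule and the exception surfaces to the caller.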