Code to update security lists on multiple OCI tenancies. This assumes that you have already set up the configs in the respective locations (see the config_loc variable below).
import ipaddress
import urllib.request

import oci
import requests
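run_code = True
# One OCI SDK config file per tenancy; each one gets its own security-list update below.
config_loc = ["/home/nevin/.oci/config", "/home/nevin/.oci/config_india"]

# Upper bound (seconds) for every outbound HTTP call so a hung endpoint cannot stall the run.
HTTP_TIMEOUT = 10


def _tcp_rule(source, port, description):
    """Build a stateful TCP ingress rule admitting *source* to a single *port*.

    Args:
        source: CIDR block the rule admits, e.g. "203.0.113.4/32" (constructed example).
        port: destination port; the port range is min == max == port.
        description: free-text label stored on the rule.

    Returns:
        An ``oci.core.models.IngressSecurityRule`` with protocol "6" (TCP).
    """
    return oci.core.models.IngressSecurityRule(
        protocol="6",
        source=source,
        is_stateless=False,
        source_type="CIDR_BLOCK",
        tcp_options=oci.core.models.TcpOptions(
            destination_port_range=oci.core.models.PortRange(max=port, min=port)
        ),
        description=description,
    )


def _fetch_external_ip():
    """Return this host's public IP address (as a string) reported by checkip.amazonaws.com.

    The body is stripped so that trailing whitespace/newline cannot end up inside
    the "<ip>/32" CIDR, and it is parsed with ``ipaddress`` so that an unexpected
    response (error page, redirect body, garbage) is rejected instead of being
    written into a security list as an allowed source.

    Raises:
        ValueError: if the response is not exactly one IP address.
        urllib.error.URLError: on connection or TLS failure.
    """
    with urllib.request.urlopen('https://checkip.amazonaws.com/', timeout=HTTP_TIMEOUT) as resp:
        raw = resp.read().decode('utf8').strip()
    # ipaddress.ip_address raises ValueError on anything that is not a bare address.
    return str(ipaddress.ip_address(raw))


def _fetch_cidrs(url):
    """Return the CIDR blocks published one per line at *url*.

    Blank lines are skipped. Every remaining line must parse as an IPv4 or IPv6
    network; anything else raises rather than being pushed into the security
    list, since these strings become firewall sources.

    Args:
        url: HTTPS endpoint serving a plain-text list of networks.

    Returns:
        list[str] of the networks, in publication order, with surrounding
        whitespace removed.

    Raises:
        requests.HTTPError: on a non-2xx response.
        ValueError: if a non-blank line is not a valid network.
    """
    response = requests.get(url, timeout=HTTP_TIMEOUT)
    response.raise_for_status()
    cidrs = []
    for line in response.text.splitlines():
        cidr = line.strip()
        if not cidr:
            continue
        # strict=False tolerates host bits being set; the value itself is still validated.
        ipaddress.ip_network(cidr, strict=False)
        cidrs.append(cidr)
    return cidrs


if (run_code):
    external_ip = _fetch_external_ip()
    home_cidr = f"{external_ip}/32"
    # The published ranges do not depend on the tenancy, so fetch them once, not per config.
    ipranges = (
        _fetch_cidrs("https://www.cloudflare.com/ips-v4")
        + _fetch_cidrs("https://www.cloudflare.com/ips-v6")
    )
    ports = {'ssh':22, 'http':80, 'https':443}
    cloudflare_ports = [80,443]

    for config_f in config_loc:
        config = oci.config.from_file(config_f, "DEFAULT")
        core_client = oci.core.VirtualNetworkClient(config)

        # Rule order matters for readability in the console, not for evaluation:
        # home/32 on the admin ports, then the India-only extra port, then Cloudflare.
        ingress_security_rules = [
            _tcp_rule(home_cidr, port, description)
            for description, port in ports.items()
        ]
        if config_f == '/home/nevin/.oci/config_india':
            ingress_security_rules.append(
                _tcp_rule(home_cidr, 55, 'india portainer from home')
            )
        for iprange in ipranges:
            for port in cloudflare_ports:
                description = 'cf_http' if port == 80 else 'cf_https'
                ingress_security_rules.append(_tcp_rule(iprange, port, description))
        print (ingress_security_rules)

        # NOTE(review): egress_security_rules=[] is sent on every run — confirm that
        # an empty egress list is the intended state for both security lists.
        if config_f == "/home/nevin/.oci/config":
            update_security_list_response = core_client.update_security_list(
                security_list_id="ocid1.securitylist.oc1.<clipped>",
                update_security_list_details=oci.core.models.UpdateSecurityListDetails(
                    defined_tags={
                        "Oracle-Tags": {
                            "CreatedBy": "default/nevin",
                            "CreatedOn": "2022-09-20T12:56:57.328Z",
                        }
                    },
                    display_name="nevins-security-list",
                    egress_security_rules=[],
                    freeform_tags={},
                    ingress_security_rules=ingress_security_rules,
                ),
            )
        else:
            update_security_list_response = core_client.update_security_list(
                security_list_id="ocid1.securitylist.oc1.<clipped>",
                update_security_list_details=oci.core.models.UpdateSecurityListDetails(
                    defined_tags={
                        "Oracle-Tags": {
                            "CreatedBy": "default/neo",
                            "CreatedOn": "2022-12-11T12:56:57.328Z",
                        }
                    },
                    display_name="NevinsSecurityList",
                    egress_security_rules=[],
                    freeform_tags={},
                    ingress_security_rules=ingress_security_rules,
                ),
            )
else:
    print("not required.")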