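import {
  AuthorizeSecurityGroupIngressCommand,
  DescribeSecurityGroupsCommand,
  EC2Client,
  RevokeSecurityGroupIngressCommand,
} from '@aws-sdk/client-ec2';

// One client per Lambda container, reused across invocations. No explicit
// configuration is passed, so region and credentials come from the runtime
// environment (the execution role).
const ec2Client = new EC2Client();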
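/**
 * Scheduled handler that keeps the database security group's tcp/5432 ingress
 * in sync with the EC2 IP ranges AWS publishes for us-east-2.
 *
 * Flow: download ip-ranges.json, keep the EC2 prefixes for the region, read the
 * CIDRs currently allowed on the group (only tcp/5432 rules carrying the
 * `Lambda` description are treated as managed by this function), then revoke
 * CIDRs that disappeared and authorize CIDRs that appeared.
 *
 * Reads `process.env.DB_SECURITY_GROUP` for the group id. IPv4 only:
 * `Ipv6Ranges` on the group are neither read nor written.
 *
 * @returns {Promise<void>} Resolves once both sync calls have been attempted.
 * @throws {Error} If DB_SECURITY_GROUP is unset, the ip-ranges download is not
 *   an HTTP success, or the download yields no matching prefixes (an empty
 *   list would otherwise revoke every managed rule). Revoke/authorize failures
 *   are logged and do not reject.
 */
export const runEveryMinute = async () => {
  const IP_RANGES_URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json';
  const REGION = 'us-east-2';
  const SERVICE = 'EC2';
  const PORT = 5432;
  const PROTOCOL = 'tcp';
  const RULE_DESCRIPTION = 'Lambda';

  const groupId = process.env.DB_SECURITY_GROUP;
  if (!groupId) {
    throw new Error('DB_SECURITY_GROUP environment variable is not set');
  }

  // NOTE(review): these prefixes cover every EC2 customer in the region, not
  // only this account's Lambdas. A VPC-attached Lambda that references its own
  // security group would be a far narrower source; confirm this scope is
  // accepted.
  const response = await fetch(IP_RANGES_URL);
  if (!response.ok) {
    throw new Error(`ip-ranges download failed: HTTP ${response.status}`);
  }
  const { prefixes = [] } = await response.json();
  const newIpSet = new Set(
    prefixes
      .filter((prefix) => prefix.region === REGION && prefix.service === SERVICE)
      .map((prefix) => prefix.ip_prefix),
  );
  // An empty list would mean "revoke every managed rule"; a schema change or a
  // truncated download must not silently cut the Lambdas off from the DB.
  if (newIpSet.size === 0) {
    throw new Error(`ip-ranges.json lists no ${SERVICE} prefixes for ${REGION}`);
  }

  const described = await ec2Client.send(
    new DescribeSecurityGroupsCommand({ GroupIds: [groupId] }),
  );
  const existingIpSet = new Set(
    (described.SecurityGroups ?? []).flatMap((group) =>
      (group.IpPermissions ?? [])
        // Only tcp/5432 rules are ours; a `Lambda`-described rule on another
        // port would otherwise be "revoked" on 5432 (not found) every minute
        // and never converge.
        .filter(
          (permission) =>
            permission.IpProtocol === PROTOCOL &&
            permission.FromPort === PORT &&
            permission.ToPort === PORT,
        )
        .flatMap((permission) =>
          (permission.IpRanges ?? [])
            .filter((range) => range.Description === RULE_DESCRIPTION)
            .map((range) => range.CidrIp),
        ),
    ),
  );

  // Set membership keeps both diffs O(n); the sets also drop duplicate CIDRs,
  // which the EC2 API rejects within a single call.
  const addedIps = [...newIpSet].filter((ip) => !existingIpSet.has(ip));
  const removedIps = [...existingIpSet].filter((ip) => !newIpSet.has(ip));

  // One IpPermissions entry per CIDR so each rule keeps its own description.
  const toPermission = (ip) => ({
    FromPort: PORT,
    IpProtocol: PROTOCOL,
    IpRanges: [{ CidrIp: ip, Description: RULE_DESCRIPTION }],
    ToPort: PORT,
  });

  if (removedIps.length > 0) {
    try {
      await ec2Client.send(
        new RevokeSecurityGroupIngressCommand({
          GroupId: groupId,
          IpPermissions: removedIps.map(toPermission),
        }),
      );
    } catch (err) {
      // Best effort: a failed revoke leaves stale ingress open until the next
      // run, and the only signal is this log line — alarm on it.
      console.error('Failed to revoke stale ingress', { groupId, removedIps }, err);
    }
  }

  if (addedIps.length > 0) {
    try {
      await ec2Client.send(
        new AuthorizeSecurityGroupIngressCommand({
          GroupId: groupId,
          IpPermissions: addedIps.map(toPermission),
        }),
      );
    } catch (err) {
      // Best effort: new ranges are retried on the next run.
      console.error('Failed to authorize new ingress', { groupId, addedIps }, err);
    }
  }
};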