Updating our Python script

Our helloworld-cf-template.py script is fairly basic. At this point, we are only taking advantage of Python as far as using the troposphere library to easily generate JSON output in a more pleasant way than if we had to write it by hand. Of course, you might already realize that we are barely scratching the surface of what we can do when we have the ability to write scripts to create and manage infrastructures. The following section is a simple example that will let us write a couple more lines of Python and illustrate the concept of updating a CloudFormation stack, while taking advantage of more services and external resources.

The security groups we created in our previous example open up two ports to the world: 22 (SSH) and 3000 (the web application port). We could try to harden one aspect of our security by only allowing our own IP to use SSH. This means changing the Classless Inter-Domain Routing (CIDR) IP information in our Python script on the security group that handles the port 22 traffic. There are a number of free services online that will let us know what our public IP is. We are going to use one of these, available at https://api.ipify.org. We can see it in action with a simple curl command:

$ curl https://api.ipify.org
54.164.95.231

We are going to take advantage of that service in our script. One of the reasons for using this particular service is that it has been packaged into a Python library. You can read more on this at https://github.com/rdegges/python-ipify. You can first install that library as follows:

$ pip install ipify

If you come across a pip-related error such as the one shown in the following code block, the fix is to downgrade pip, install ipify, and then upgrade pip again to the latest version:

Cannot uninstall 'requests'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.

The preceding error can be fixed with the following commands:

$ pip install --upgrade --force-reinstall pip==9.0.3
$ pip install ipify
$ pip install --upgrade pip

Our script requires a CIDR, not a bare address. To convert our IP address to CIDR notation, we will also install another library, called ipaddress. The main advantage of combining these two libraries is that we don't have to worry about handling IPv4 versus IPv6 ourselves:

$ pip install ipaddress

Once those libraries are installed, reopen helloworld-cf-template.py in your editor. At the top of the script, we import the two libraries; then, after the ApplicationPort variable definition, we define a new variable called PublicCidrIp that combines them to derive our CIDR as follows:

...
from ipaddress import ip_network
from ipify import get_ip
from troposphere import (
    Base64,
    ec2,
    GetAtt,
    Join,
    Output,
    Parameter,
    Ref,
    Template,
)

ApplicationPort = "3000"
PublicCidrIp = str(ip_network(get_ip()))
...

Lastly, we can change the CidrIp declaration for the SSH group rule as follows:

SecurityGroupIngress=[
    ec2.SecurityGroupRule(
        IpProtocol="tcp",
        FromPort="22",
        ToPort="22",
        CidrIp=PublicCidrIp,
    ),
    ...
]

We can now save these changes. The file created should look like the file at https://github.com/yogeshraheja/Effective-DevOps-with-AWS/blob/master/Chapter03/EffectiveDevOpsTemplates/helloworld-cf-template.py.
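The following is an added example, not code from the book or from the troposphere or ipify projects. It shows the same IP-to-CIDR conversion the script relies on, validates what the lookup service returns before it reaches the template, and performs programmatically the check the diff above lets us do by eye: that port 22 is no longer open to 0.0.0.0/0 while port 3000 still is. It uses only the standard library so it runs offline; SAMPLE_PUBLIC_IP is a constructed value standing in for what ipify's get_ip() would return, and the function names are my own.

```python
"""Added example: derive a host CIDR from a public IP and audit the
resulting ingress rules. Standard library only, so it runs offline."""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

# Constructed sample value standing in for what ipify.get_ip() would return.
SAMPLE_PUBLIC_IP = "54.164.95.231"

# CIDRs that admit the whole internet (IPv4 and IPv6).
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def public_cidr(ip: str) -> str:
    """Return the single-host CIDR for an IPv4 or IPv6 address.

    ip_network() given a bare address uses the maximal prefix (/32 or /128),
    which is exactly what the PublicCidrIp line in the script relies on.
    """
    return str(ip_network(ip.strip()))


def resolve_public_cidr(lookup: Callable[[], str]) -> str:
    """Call an IP lookup (such as ipify.get_ip) and convert the result to CIDR.

    The response is parsed with ip_address() first, so an error page or an
    empty body from the service raises ValueError instead of being written
    into the template as a bogus CidrIp value.
    """
    raw = lookup()
    ip = ip_address(raw.strip())  # raises ValueError on anything but an IP
    return public_cidr(str(ip))


def ingress_rule(port: str, cidr: str) -> Dict[str, str]:
    """The JSON shape troposphere emits for one ec2.SecurityGroupRule."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}


def world_open_ports(rules: List[Dict[str, str]]) -> List[str]:
    """Return the FromPort of every rule whose CidrIp admits the whole internet.

    After the update, "22" must not appear in the result; "3000" still will,
    because the web application port is intentionally left open.
    """
    return [r["FromPort"] for r in rules if r.get("CidrIp") in WORLD_CIDRS]


if __name__ == "__main__":
    # Hypothetical lookup: returns the constructed address instead of
    # calling the ipify service.
    cidr = resolve_public_cidr(lambda: SAMPLE_PUBLIC_IP)
    rules = [ingress_rule("22", cidr), ingress_rule("3000", "0.0.0.0/0")]
    print("SSH CidrIp:", cidr)
    print("Ports open to the world:", world_open_ports(rules))
```

Note that the address is resolved when the template is generated, not when the stack is created, so regenerating the template from a different network will produce a different CidrIp and another diff like the one above.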

We can now generate the new template and diff it against the previous one to visually verify the change:

$ python helloworld-cf-template.py > helloworld-cf-v2.template
$ diff helloworld-cf-v2.template helloworld-cf.template
46c46
< "CidrIp": "54.164.95.231/32",
---
> "CidrIp": "0.0.0.0/0",
91a92
>
$

As we can see, the CIDR IP on the SSH rule now restricts connections to our own IP, while the application port remains open as before. We can now apply that change.