
Updating our Python script

Our helloworld-cf-template.py script is fairly basic. At this point, we are only taking advantage of Python to use the troposphere library to generate JSON output more easily and pleasantly than if we had to write the JSON by hand. Of course, you might already realize that we are barely scratching the surface of what we can do once we are able to write scripts that create and manage infrastructure. Here is a simple example that lets us write a couple more lines of Python and illustrates the concept of updating a CloudFormation stack, while taking advantage of more services and external resources.

The security group we created in our previous example opened up two ports to the world: 22 (SSH) and 3000 (the web application port). We can harden our security a bit by only allowing our own IP to use SSH. This means changing the Classless Inter-Domain Routing IP (CidrIp) information in our Python script for the security group rule that handles port 22 traffic. There are a number of free services online that will tell us what our public IP is. We are going to use one of them, available at https://api.ipify.org.

We can see it in action with a simple curl command:

$ curl https://api.ipify.org
208.90.213.202%  

We are going to take advantage of that service in our script. One of the reasons for using this particular service is that it has been packaged into a Python library. You can read more on this at https://github.com/rdegges/python-ipify.

You can first install that library as follows:

$ pip install ipify  

Our script requires a CidrIp; in order to convert our IP address to CIDR notation, we will also install another library called ipaddress (on Python 3 it is part of the standard library, and the pip package is the backport for Python 2). The main advantage of combining those two libraries is that we won't have to worry about handling IPv4 versus IPv6 ourselves:

$ pip install ipaddress  

Once those libraries are installed, reopen helloworld-cf-template.py in your editor. At the top of our script, we are going to import the libraries; then, after the ApplicationPort variable definition, we will define a new variable called PublicCidrIp and, combining the two libraries mentioned previously, extract our CIDR as follows:

from ipaddress import ip_network
from ipify import get_ip
from troposphere import (…)

ApplicationPort = "3000"
# get_ip() returns our public address as a string; ip_network() turns it into a
# single-host network (a /32 for IPv4, a /128 for IPv6)
PublicCidrIp = str(ip_network(get_ip()))

Lastly, we can change the CidrIp declaration for the SSH group rule:

    SecurityGroupIngress=[ 
        ec2.SecurityGroupRule( 
            IpProtocol="tcp", 
            FromPort="22", 
            ToPort="22", 
            CidrIp=PublicCidrIp, 
        ), 

We can save the changes. The file created should look like the file at http://bit.ly/2uvdnP4.
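To make the whole change visible end to end, here is an added, self-contained example (not the book's helloworld-cf-template.py and not code from the troposphere or ipify projects). It reproduces the same logic with only the standard library: the ipify call is a small urllib helper (a stand-in for ipify.get_ip()), ip_network turns the bare address into a single-host CIDR for either address family, the ingress rules are built as the plain dicts that troposphere would serialize, and a defensive check flags an SSH rule that is still open to 0.0.0.0/0 or ::/0. The sample addresses and the fallback IP used when the service is unreachable are constructed for the example.

```python
"""Derive a single-host CIDR for the SSH rule and build the security-group
ingress rules as plain dicts, the same JSON shape troposphere emits.
Example code written for this page; not part of the book's script."""
import json
import urllib.request
from ipaddress import ip_address, ip_network

ApplicationPort = "3000"


def fetch_public_ip(url="https://api.ipify.org", timeout=5):
    """Ask ipify for our public IP (stand-in for ipify.get_ip())."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode().strip()


def host_cidr(ip_text):
    """Bare address -> single-host network: 1.2.3.4 -> 1.2.3.4/32,
    2001:db8::1 -> 2001:db8::1/128. ip_network picks the family for us.
    Raises ValueError if the service returned something that is not an
    address (for example an HTML error page), so we never write junk
    into the template."""
    addr = ip_address(ip_text.strip())
    return str(ip_network(addr))


def build_ingress_rules(public_cidr, app_port=ApplicationPort):
    """SSH only from our CIDR; the application port stays open to the world."""
    return [
        {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
         "CidrIp": public_cidr},
        {"IpProtocol": "tcp", "FromPort": app_port, "ToPort": app_port,
         "CidrIp": "0.0.0.0/0"},
    ]


def ssh_open_to_world(rules):
    """True if any rule covering port 22 allows every source address
    (0.0.0.0/0 or ::/0, i.e. a prefix length of 0)."""
    for rule in rules:
        covers_ssh = int(rule["FromPort"]) <= 22 <= int(rule["ToPort"])
        if covers_ssh and ip_network(rule["CidrIp"]).prefixlen == 0:
            return True
    return False


def render_template(rules):
    """Minimal CloudFormation fragment in the layout troposphere produces."""
    template = {
        "Resources": {
            "SecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Allow SSH and TCP/{} access".format(ApplicationPort),
                    "SecurityGroupIngress": rules,
                },
            }
        }
    }
    return json.dumps(template, indent=4, sort_keys=True)


def changed_cidrs(old_rules, new_rules):
    """List (FromPort, ToPort, old CidrIp, new CidrIp) for every rule whose
    source range changed; this is what the diff in the text shows for port 22."""
    old = {(r["FromPort"], r["ToPort"]): r["CidrIp"] for r in old_rules}
    return [
        (r["FromPort"], r["ToPort"], old.get((r["FromPort"], r["ToPort"])), r["CidrIp"])
        for r in new_rules
        if old.get((r["FromPort"], r["ToPort"])) != r["CidrIp"]
    ]


if __name__ == "__main__":
    try:
        ip = fetch_public_ip()
    except Exception as exc:  # offline: fall back to a constructed sample address
        print("ipify unreachable ({}), using a sample IP".format(exc))
        ip = "203.0.113.7"
    new_rules = build_ingress_rules(host_cidr(ip))
    old_rules = build_ingress_rules("0.0.0.0/0")  # what v1 of the template had
    print(render_template(new_rules))
    print("changed:", changed_cidrs(old_rules, new_rules))
    print("SSH still world-open:", ssh_open_to_world(new_rules))
```

Running it prints the security-group fragment with a /32 (or /128) on the SSH rule and reports the single CidrIp change on port 22, which is exactly the one-line difference the diff command shows in the next step; the ssh_open_to_world check is a cheap guard worth keeping in any template generator so a regression to 0.0.0.0/0 on port 22 fails the build rather than reaching the stack.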

We can now generate a new CloudFormation template and run the diff command against the previous version to verify the change visually:

$ python helloworld-cf-template.py > helloworld-cf-v2.template
$ diff helloworld-cf-v2.template helloworld-cf.template
44c44
<                         "CidrIp": "50.254.136.236/32",
---
>                         "CidrIp": "0.0.0.0/0",
$

As we can see, our CidrIp now correctly restricts SSH connections to our own IP. We can now apply that change.
