This Lambda function to retrieve Cloudflare's IP address list and update an AWS Security Group and S3 Policies.
It was originally written by John McCracken (johnmccuk@gmail.com), updated by Ryan Gibbons (rtgibbons) and Endrigo Antonini (antonini).
Use the content of the file cf-security-group-update.py
in your lambda ou upload it.
It is also required that you upload or create the package
file as is available on this repository.
The Lambda uses the Python 2.7 runtime and requires the following enviroment variables:
SECURITY_GROUP_IDS_LIST
- a list of security group IDs to updateSECURITY_GROUP_ID
- If list is undefined, a group ID for the specified security groupPORTS_LIST
- comma-separated list of ports e.g.80,443
.S3_CLOUDFLARE_SID
- Sid that stores all the CloudFlare configurataion. That Sid is stored on the Stament policy.S3_BUCKET_IDS_LIST
- a list of S3 buckets IDs to updateS3_BUCKET_ID
- if list is undefined, a ID for the specified S3 bucket.UPDATE_IPV6
- if set to 0, will not update IPv6 ranges in security groups nor S3 bucket policies.
You need to allow the Lambda to execute those actions (example on the file allow-lambda-ingress-role
:
- ec2:AuthorizeSecurityGroupIngress
- ec2:RevokeSecurityGroupIngress
- ec2:DescribeSecurityGroup
- s3:GetBucketPolicyStatus
- s3:PutBucketPolicy
- s3:GetBucketPolicy
You need to define at least SECURITY_GROUP_ID
or SECURITY_GROUP_IDS_LIST
.
The parameter PORTS_LIST
is also used to update an AWS Security Group.
You need to define the parameter S3_CLOUDFLARE_SID
and at least one of the
following parameters S3_BUCKET_IDS_LIST
or S3_BUCKET_ID
.
- John McCracken (@johnmccuk)
- Ryan Gibbons (@rtgibbons)
- Ben Steinberg (@bensteinberg)
- Endrigo Antonini (@antonini)