const {
EC2Client,
DescribeSecurityGroupRulesCommand,
RevokeSecurityGroupIngressCommand,
} = require('@aws-sdk/client-ec2');
const {
GlobalAcceleratorClient,
RemoveEndpointsCommand,
DescribeEndpointGroupCommand,
} = require('@aws-sdk/client-global-accelerator');
// The Global Accelerator control-plane API is served from us-west-2 regardless
// of where the accelerator's endpoints live, hence the fixed region here; the
// EC2 client follows the deployment's `Region` environment variable instead.
const GLOBAL_ACCELERATOR_API_REGION = 'us-west-2';
const globalaccelerator = new GlobalAcceleratorClient({ region: GLOBAL_ACCELERATOR_API_REGION });
const ec2 = new EC2Client({ region: process.env.Region });
/**
 * Log an AWS SDK response as pretty-printed JSON under a short label.
 *
 * @param {string} name - what the call was; only used in the log line
 * @param {object} response - the resolved SDK response to serialise
 */
const dumpResponse = (name, response) => {
  const label = `Response from ${name}: `;
  const body = JSON.stringify(response, null, 2);
  console.log(label, body);
};
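/** Auto Scaling event type this function acts on; every other type is ignored. */
const TERMINATE_EVENT = 'autoscaling:EC2_INSTANCE_TERMINATE';

/**
 * Pick the rule ids to revoke once the accelerator has no endpoints left:
 * inbound rules whose port range starts at 80 or 443.
 *
 * Only ingress rules are returned. RevokeSecurityGroupIngress handles inbound
 * rules, so an egress rule id in the list is rejected by the API and would
 * leave the accelerator rules in place.
 *
 * NOTE(review): this still matches every inbound rule starting at 80/443, not
 * only those whose source is the Global Accelerator prefix list — narrow on
 * `PrefixListId` if the group also carries other HTTP/HTTPS ingress.
 *
 * @param {Array<object>|undefined} rules - `SecurityGroupRules` from DescribeSecurityGroupRules
 * @returns {string[]} the matching `SecurityGroupRuleId`s (possibly empty)
 */
function selectAcceleratorIngressRuleIds(rules) {
  return (rules || [])
    .filter((rule) => rule.IsEgress !== true)
    .filter((rule) => rule.FromPort === 80 || rule.FromPort === 443)
    .map((rule) => rule.SecurityGroupRuleId);
}

/**
 * SNS-triggered Lambda handler for Auto Scaling `EC2_INSTANCE_TERMINATE`
 * notifications.
 *
 * Flow:
 *   1. Parse the SNS message and ignore every other event type.
 *   2. Remove the terminated instance from the Global Accelerator endpoint
 *      group named by `process.env.EndpointGroup`.
 *   3. If the endpoint group is now empty, revoke the HTTP/HTTPS ingress rules
 *      of the security group named by `process.env.SecurityGroupId`, so the
 *      group stops admitting accelerator traffic nothing is listening for.
 *
 * @param {object} event - SNS event; `event.Records[0].Sns.Message` must be a
 *   JSON-encoded Auto Scaling notification with `Event` and `EC2InstanceId`
 * @returns {Promise<null>} always resolves to `null`; the work is the AWS calls
 * @throws {Error} when the event has no SNS record, the message is not valid
 *   JSON or lacks an instance id, or an AWS call is rejected
 */
exports.handler = async function (event) {
  console.log('Invoked with event: ', JSON.stringify(event));

  const record = event && event.Records && event.Records[0];
  if (!record || !record.Sns || typeof record.Sns.Message !== 'string') {
    throw new Error('Expected an SNS event with at least one record carrying a Message');
  }
  // The message body is trusted as published by Auto Scaling; the topic's
  // access policy, not this code, is what keeps other publishers out.
  const message = JSON.parse(record.Sns.Message);
  const eventType = message.Event;
  const ec2InstanceId = message.EC2InstanceId;
  const endpointGroupArn = process.env.EndpointGroup;
  const securityGroupId = process.env.SecurityGroupId;
  console.log('Interpreted event type: ', eventType);
  console.log('Interpreted event message: ', JSON.stringify(message, null, 2));

  if (eventType !== TERMINATE_EVENT) {
    console.log('Unhandled event type: ', eventType);
    return null;
  }
  if (!ec2InstanceId) {
    throw new Error(`${TERMINATE_EVENT} notification carries no EC2InstanceId`);
  }

  // 1. Detach the terminated instance from the accelerator.
  const removeResponse = await globalaccelerator.send(
    new RemoveEndpointsCommand({
      EndpointGroupArn: endpointGroupArn,
      EndpointIdentifiers: [
        { ClientIPPreservationEnabled: true, EndpointId: ec2InstanceId },
      ],
    }),
  );
  dumpResponse('removing endpoint', removeResponse);

  // 2. Stop unless that was the last endpoint in the group.
  const describeGroupResponse = await globalaccelerator.send(
    new DescribeEndpointGroupCommand({ EndpointGroupArn: endpointGroupArn }),
  );
  dumpResponse('describing endpoint group', describeGroupResponse);
  const group = describeGroupResponse.EndpointGroup;
  if (!group) {
    throw new Error(`DescribeEndpointGroup returned no EndpointGroup for ${endpointGroupArn}`);
  }
  if ((group.EndpointDescriptions || []).length > 0) {
    return null;
  }

  // 3. Find the inbound HTTP/HTTPS rules on the instances' security group.
  // NOTE(review): NextToken is not followed; confirm the group's rule count
  // fits in a single DescribeSecurityGroupRules page.
  const describeRulesResponse = await ec2.send(
    new DescribeSecurityGroupRulesCommand({
      Filters: [{ Name: 'group-id', Values: [securityGroupId] }],
    }),
  );
  dumpResponse('describing security group rules', describeRulesResponse);
  const ruleIds = selectAcceleratorIngressRuleIds(describeRulesResponse.SecurityGroupRules);
  if (ruleIds.length === 0) {
    return null;
  }

  // 4. Revoke them; the group should not keep a standing allow for traffic
  //    that no endpoint will receive.
  console.log(
    'Determined that the endpoint group no longer has any endpoints and that there are security group rules allowing GlobalAccelerator access via HTTP and HTTPS, so deleting those security group rules now.',
  );
  const revokeResponse = await ec2.send(
    new RevokeSecurityGroupIngressCommand({
      GroupId: securityGroupId,
      SecurityGroupRuleIds: ruleIds,
    }),
  );
  dumpResponse('revoking security group ingress rules', revokeResponse);
  return null;
};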