{"id":17019268,"url":"https://github.com/schnoddelbotz/cdn-securitygroup-sync","last_synced_at":"2025-07-30T21:33:19.366Z","repository":{"id":57590857,"uuid":"107897627","full_name":"schnoddelbotz/cdn-securitygroup-sync","owner":"schnoddelbotz","description":"Automates sync of AWS security groups with your CDN provider's CIDRs","archived":false,"fork":false,"pushed_at":"2017-11-14T12:43:01.000Z","size":10,"stargazers_count":7,"open_issues_count":1,"forks_count":5,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-19T15:52:22.255Z","etag":null,"topics":["akamai","aws","aws-lambda","aws-security","cdn","cloudflare"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/schnoddelbotz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"securitygroup.go","support":null}},"created_at":"2017-10-22T19:50:03.000Z","updated_at":"2019-03-12T14:00:17.000Z","dependencies_parsed_at":"2022-09-26T16:40:36.889Z","dependency_job_id":null,"html_url":"https://github.com/schnoddelbotz/cdn-securitygroup-sync","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/schnoddelbotz/cdn-securitygroup-sync","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/schnoddelbotz%2Fcdn-securitygroup-sync","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/schnoddelbotz%2Fcdn-securitygroup-sync/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/schnoddelbotz%2Fcdn-securitygroup-sync/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/schnoddelbotz%2Fcdn-securitygr
oup-sync/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/schnoddelbotz","download_url":"https://codeload.github.com/schnoddelbotz/cdn-securitygroup-sync/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/schnoddelbotz%2Fcdn-securitygroup-sync/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267944973,"owners_count":24170214,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-30T02:00:09.044Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["akamai","aws","aws-lambda","aws-security","cdn","cloudflare"],"created_at":"2024-10-14T06:48:40.881Z","updated_at":"2025-07-30T21:33:19.340Z","avatar_url":"https://github.com/schnoddelbotz.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cdn-securitygroup-sync\n\nAutomates sync of AWS security groups with your CDN provider's CIDRs - currently\n[Akamai Siteshield](https://community.akamai.com/community/cloud-security/blog/2016/11/15/list-of-ipscidrs-and-ports-on-the-akamai-network-that-may-contact-customers-origin-when-siteshield-is-enabled) \nand [Cloudflare](https://www.cloudflare.com/ips/) are supported.\nDoes basically the same job as [SSSG-Ninja](https://github.com/jc1518/SSSG-Ninja)\n(for Akamai) but...\n\n- comes as a single, ready-to-use, stand-alone binary\n- comes with a 
CloudFormation stack for simple deployment as a scheduled AWS Lambda function\n- has no hard-coded configuration data (like [this](https://github.com/jc1518/SSSG-Ninja/issues/2)\n  or [that](https://github.com/jc1518/SSSG-Ninja/blob/6ba368a618a3bc667c59f3356d38c71f6c93efc6/securitygroup/__init__.py#L13))\n\n# build / install\n\n`go get -v github.com/schnoddelbotz/cdn-securitygroup-sync` to build\nor grab a binary from the [releases page](../../releases).\n\n# CLI usage\n\n```\nUsage of cdn-securitygroup-sync:\n  -acknowledge\n      Acknowledge updated CIDRs on Akamai\n  -add-missing\n      Add missing CIDRs to AWS security group\n  -cloudflare\n      Use Cloudflare instead of Akamai\n  -delete-obsolete\n      Delete obsolete CIDRs from AWS security group\n  -list-ss-ids\n      List Akamai siteshield IDs and quit\n  -sgid string\n      AWS security group ID\n  -ssid int\n      Akamai siteshield ID\n```\n\nThe security group (`-sgid`) can also be specified via the environment variable `AWS_SECGROUP_ID`.\nThe SiteShield ID (`-ssid`) can alternatively be provided via `AKAMAI_SSID`. Additionally,\nfor Akamai, these API environment variables must be defined:\n\n- `AKAMAI_EDGEGRID_HOST`\n- `AKAMAI_EDGEGRID_CLIENT_TOKEN`\n- `AKAMAI_EDGEGRID_CLIENT_SECRET`\n- `AKAMAI_EDGEGRID_ACCESS_TOKEN`\n\nBy default, `cdn-securitygroup-sync` runs in dry-run mode and will only list missing and obsolete CIDRs.\nThe arguments `-add-missing`, `-delete-obsolete` or `-acknowledge` have to be given\nexplicitly to enable the corresponding actions.\n\ncdn-securitygroup-sync will create inbound rules on the given security group\nwith a port range of 80-443, originating from the CDN CIDRs. Any rules not using\nexactly that port range will remain untouched. 
You may rely on this behaviour for new\nELB/security group deployments: Create them with an inbound rule of\n0.0.0.0/32, port range 80-443 (this placeholder matches only the source address 0.0.0.0, so it admits no real traffic); upon the first cdn-securitygroup-sync invocation\nthat rule will be removed and replaced by the correct CDN CIDRs.\n\n# lambda deployment\n\nThe lambda approach assumes that you store runtime configuration and credentials in parameter\nstore. To do so, [create a KMS key](http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html)\nand refer to that key during stack deployment, as outlined below. You will also\nhave to provide an S3 bucket to store the lambda code.\n\n## put required entries into EC2 parameter store\n\nThe stack will create an IAM role that is granted KMS key access. Parameter store\nentries will use a prefix (which defaults to `css`); the prefix is used to restrict\naccess to the entries and allows deploying multiple, independent instances of the lambda.\n\nUsing the AWS CLI or the AWS console, put these \"secure string\" parameters into parameter store\n(assuming the default prefix `css` in this example):\n\n- `css_AWS_SECGROUP_ID`: The AWS EC2 security group to keep in sync (`sg-....`)\n- `css_CSS_ARGS`: A comma-separated list of arguments for cdn-securitygroup-sync.\n  These are the same arguments accepted by the command-line version of cdn-securitygroup-sync,\n  i.e. 
to fully automate sync for Akamai, use `-add-missing,-delete-obsolete,-acknowledge`.\n  To sync with Cloudflare (which doesn't require acknowledgement), use\n  `-add-missing,-delete-obsolete,-cloudflare`.\n\nIf using Akamai, you will have to provide corresponding API credentials:\n\n- `css_AKAMAI_SSID`: The SiteShield ID; can be obtained by using `-list-ss-ids` argument\n- `css_AKAMAI_EDGEGRID_HOST`: Something like `xxxxxxx.luna.akamaiapis.net`\n- `css_AKAMAI_EDGEGRID_CLIENT_TOKEN`\n- `css_AKAMAI_EDGEGRID_CLIENT_SECRET`\n- `css_AKAMAI_EDGEGRID_ACCESS_TOKEN`\n\nThere's no need to store any AWS credentials: The stack will create a policy\nthat grants the lambda required permissions to update the security group.\n\n## deploy the lambda handler\n\nThere are two options for lambda deployment: Grab a pre-built lambda handler .zip\nfrom the [releases](../../releases) page and upload it to your S3 bucket OR\nbuild cdn-securitygroup-sync from source.\n\n### variant 1 - deploy a pre-built release\n\n- download the latest cdn-securitygroup-sync-lambda-....zip from [releases](../../releases) page\n- upload the .zip to a S3 bucket (do not unzip!)\n- deploy the lambda function using [cloudFormation stack](lambda/cf-stack.yaml),\n  either via AWS console or by cloning this repository and running make:\n\n```bash\nmake deploy-prebuilt AWS_REGION=eu-west-1 AWS_ACCOUNT_ID=123456... SSM_KEY_ID=abc-def \\\n        S3_BUCKET=my-little-bucket S3_KEY=path/to/cdn-securitygroup-sync-lambda-....zip\n```\n\n### variant 2 - deploy from source\n\nBuild dependencies: AWS-CLI, Docker, Go 1.8+, Make.\n\n```bash\nmake deploy-source AWS_REGION=eu-west-1 AWS_ACCOUNT_ID=123456... 
SSM_KEY_ID=abc-def \\\n        S3_BUCKET=my-little-bucket\n```\n\nTo just build and upload the lambda .zip to your S3 bucket named `my-little-bucket` for later (variant 1) usage:\n\n```bash\n# S3 key / destination path defaults to 'code/cdn-securitygroup-sync-$(VERSION).zip'\nmake S3_BUCKET=my-little-bucket\n```\n\n# license\n\nMIT.\n\nUse cdn-securitygroup-sync at your own risk!\n\nThis project includes these 3rd party libraries to do its job:\n\n- [AkamaiOPEN-edgegrid-golang](https://github.com/akamai/AkamaiOPEN-edgegrid-golang)\n- [AWS golang SDK](https://github.com/aws/aws-sdk-go)\n- [aws-lambda-go-shim](https://github.com/eawsy/aws-lambda-go-shim)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fschnoddelbotz%2Fcdn-securitygroup-sync","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fschnoddelbotz%2Fcdn-securitygroup-sync","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fschnoddelbotz%2Fcdn-securitygroup-sync/lists"}
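The README above describes the reconcile step in prose: compare the CDN's published CIDRs with the inbound rules on the security group, report what is missing and what is obsolete, and only ever touch rules on the 80-443 port range. The following is an added example written for this page, not code from the cdn-securitygroup-sync repository: it models that step as a pure Go function over in-memory data so the behaviour (including the 0.0.0.0/32 placeholder rule being flagged for removal and an unrelated SSH rule being left alone) can be checked offline. The `Rule` and `Plan` types, the `PlanSync` function and the sample CIDRs (RFC 5737 documentation ranges, not a real provider list) are all assumptions of this example; a real run would read the rules from the EC2 API and the CIDRs from Akamai or Cloudflare instead.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Port range the README says the tool manages; rules on any other
// range are left untouched.
const (
	syncFromPort = 80
	syncToPort   = 443
)

// Rule is a simplified view of one inbound security-group entry
// (one IpRange of one IpPermission, in EC2 terms). Hypothetical type.
type Rule struct {
	CIDR     string
	FromPort int64
	ToPort   int64
}

// Plan is what a dry run would report: CIDRs to add, CIDRs to remove,
// and the rules outside the managed port range that were skipped.
type Plan struct {
	Missing   []string
	Obsolete  []string
	Untouched []Rule
}

// canonical parses a CIDR and returns its network form, so that an
// input with host bits set ("203.0.113.7/24") compares equal to the
// form EC2 stores ("203.0.113.0/24") instead of causing a spurious
// add-and-remove on every sync.
func canonical(cidr string) (string, error) {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", fmt.Errorf("bad CIDR %q: %w", cidr, err)
	}
	return n.String(), nil
}

// PlanSync diffs the current security-group rules against the CDN's
// CIDR list. Only rules on exactly 80-443 participate; everything else
// is reported as untouched. Results are sorted for stable output.
func PlanSync(current []Rule, cdn []string) (Plan, error) {
	var p Plan
	want := map[string]bool{}
	for _, c := range cdn {
		k, err := canonical(c)
		if err != nil {
			return p, err
		}
		want[k] = true
	}
	have := map[string]bool{}
	for _, r := range current {
		if r.FromPort != syncFromPort || r.ToPort != syncToPort {
			p.Untouched = append(p.Untouched, r)
			continue
		}
		k, err := canonical(r.CIDR)
		if err != nil {
			return p, err
		}
		have[k] = true
		if !want[k] {
			p.Obsolete = append(p.Obsolete, k)
		}
	}
	for k := range want {
		if !have[k] {
			p.Missing = append(p.Missing, k)
		}
	}
	sort.Strings(p.Missing)
	sort.Strings(p.Obsolete)
	return p, nil
}

// Constructed inputs: a freshly deployed group carrying the README's
// 0.0.0.0/32 placeholder, one range the CDN no longer publishes, one
// valid range, and an admin SSH rule on a different port range.
var SampleCurrent = []Rule{
	{CIDR: "0.0.0.0/32", FromPort: 80, ToPort: 443},      // placeholder, to be removed
	{CIDR: "198.51.100.0/24", FromPort: 80, ToPort: 443}, // no longer published by the CDN
	{CIDR: "203.0.113.0/24", FromPort: 80, ToPort: 443},  // still valid
	{CIDR: "192.0.2.10/32", FromPort: 22, ToPort: 22},    // SSH, must survive the sync
}

// Constructed CDN list (documentation ranges, not a real provider's).
var SampleCDN = []string{
	"203.0.113.0/24",
	"192.0.2.0/25",
}

func main() {
	p, err := PlanSync(SampleCurrent, SampleCDN)
	if err != nil {
		panic(err)
	}
	fmt.Println("missing  (added with -add-missing):       ", p.Missing)
	fmt.Println("obsolete (removed with -delete-obsolete): ", p.Obsolete)
	fmt.Println("untouched rules outside 80-443:           ", len(p.Untouched))
}
```

Run with `go run .`; the default listing corresponds to the tool's dry-run mode, and only the `Missing` and `Obsolete` slices would be turned into AuthorizeSecurityGroupIngress / RevokeSecurityGroupIngress calls when the corresponding flags are given. Canonicalising both sides before comparing is the detail that keeps a scheduled sync idempotent.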