AWS code-library documentation change
Summary
Enhanced AWS CLI example script for Elastic Load Balancing with improved error handling, input validation, security warnings, and reliability improvements. Added ARN format validation, security group/VPC ID validation, stderr error messaging, dependency violation retries, and security group configuration warnings.
Security assessment
The changes add security-focused input validation (ARN/SG/VPC formats) and explicit warnings about overly permissive security group rules (0.0.0.0/0), which helps prevent misconfigurations. However, there's no evidence this addresses a specific disclosed vulnerability. The security documentation additions are proactive best practices.
Diff
diff --git a/code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md b/code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md index dcc24127e..46e237f6e 100644 --- a//code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md +++ b//code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md @@ -59,0 +60,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + set -euo pipefail + @@ -69 +71 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "ERROR: $1" + echo "ERROR: $1" >&2 @@ -75 +77 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to check command success + # Function to check AWS CLI command success @@ -77,2 +79,27 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$1" | grep -i "error" > /dev/null; then - handle_error "$1" + local output="$1" + if [[ -z "$output" ]] || [[ "$output" == "None" ]]; then + handle_error "AWS CLI command returned empty or invalid output" + fi + } + + # Function to validate ARN format + validate_arn() { + local arn="$1" + if [[ ! "$arn" =~ ^arn:aws:[a-z0-9-]+:[a-z0-9-]*:[0-9]{12}:.+$ ]]; then + handle_error "Invalid ARN format: $arn" + fi + } + + # Function to validate security group ID + validate_security_group_id() { + local sg_id="$1" + if [[ ! "$sg_id" =~ ^sg-[a-f0-9]{8,17}$ ]]; then + handle_error "Invalid security group ID format: $sg_id" + fi + } + + # Function to validate VPC ID + validate_vpc_id() { + local vpc_id="$1" + if [[ ! "$vpc_id" =~ ^vpc-[a-f0-9]{8,17}$ ]]; then + handle_error "Invalid VPC ID format: $vpc_id" @@ -86 +113 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$LISTENER_ARN" ]; then + if [ -n "${LISTENER_ARN:-}" ]; then @@ -88 +115 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws elbv2 delete-listener --listener-arn "$LISTENER_ARN" + aws elbv2 delete-listener --listener-arn "$LISTENER_ARN" 2>/dev/null || true @@ -91 +118 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$LOAD_BALANCER_ARN" ]; then + if [ -n "${LOAD_BALANCER_ARN:-}" ]; then @@ -93 +120 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws elbv2 delete-load-balancer --load-balancer-arn "$LOAD_BALANCER_ARN" + aws elbv2 delete-load-balancer --load-balancer-arn "$LOAD_BALANCER_ARN" 2>/dev/null || true @@ -97 +124 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws elbv2 wait load-balancers-deleted --load-balancer-arns "$LOAD_BALANCER_ARN" + aws elbv2 wait load-balancers-deleted --load-balancer-arns "$LOAD_BALANCER_ARN" 2>/dev/null || true @@ -100 +127 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$TARGET_GROUP_ARN" ]; then + if [ -n "${TARGET_GROUP_ARN:-}" ]; then @@ -102 +129 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws elbv2 delete-target-group --target-group-arn "$TARGET_GROUP_ARN" + aws elbv2 delete-target-group --target-group-arn "$TARGET_GROUP_ARN" 2>/dev/null || true @@ -105,3 +132 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Add a delay before attempting to delete the security group - # to ensure all ELB resources are fully deleted - if [ -n "$SECURITY_GROUP_ID" ]; then + if [ -n "${SECURITY_GROUP_ID:-}" ]; then @@ -112,8 +137,8 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SG_DELETE_OUTPUT=$(aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>&1) - - # If there's still a dependency issue, retry a few times - RETRY_COUNT=0 - MAX_RETRIES=5 - while echo "$SG_DELETE_OUTPUT" | grep -i "DependencyViolation" > /dev/null && [ $RETRY_COUNT -lt $MAX_RETRIES ]; do - RETRY_COUNT=$((RETRY_COUNT+1)) - echo "Security group still has dependencies. Retrying in 30 seconds... (Attempt $RETRY_COUNT of $MAX_RETRIES)" + local sg_delete_output + sg_delete_output=$(aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>&1 || true) + + local retry_count=0 + local max_retries=5 + while echo "$sg_delete_output" | grep -i "DependencyViolation" > /dev/null && [ $retry_count -lt $max_retries ]; do + retry_count=$((retry_count+1)) + echo "Security group still has dependencies. Retrying in 30 seconds... (Attempt $retry_count of $max_retries)" @@ -121 +146 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SG_DELETE_OUTPUT=$(aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>&1) + sg_delete_output=$(aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>&1 || true) @@ -124,2 +149,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$SG_DELETE_OUTPUT" | grep -i "error" > /dev/null; then - echo "WARNING: Could not delete security group: $SECURITY_GROUP_ID" + if echo "$sg_delete_output" | grep -i "error" > /dev/null; then + echo "WARNING: Could not delete security group: $SECURITY_GROUP_ID" >&2 @@ -136,0 +162,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Verify AWS CLI is available + if ! command -v aws &> /dev/null; then + handle_error "AWS CLI is not installed or not in PATH" + fi + @@ -139,2 +169 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws elbv2 help > /dev/null 2>&1 - if [ $? -ne 0 ]; then + if ! aws elbv2 help > /dev/null 2>&1; then @@ -146 +175 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - VPC_INFO=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query "Vpcs[0].VpcId" --output text) + VPC_INFO=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query "Vpcs[0].VpcId" --output text 2>/dev/null || echo "") @@ -148 +177,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - VPC_ID=$VPC_INFO + VPC_ID="$VPC_INFO" + validate_vpc_id "$VPC_ID" @@ -153 +183 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SUBNET_INFO=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" --query "Subnets[0:2].SubnetId" --output text) + SUBNET_INFO=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" --query "Subnets[0:2].SubnetId" --output text 2>/dev/null || echo "") @@ -170 +200 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --query "GroupId" --output text) + --query "GroupId" --output text 2>/dev/null || echo "") @@ -172 +202,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SECURITY_GROUP_ID=$SG_INFO + SECURITY_GROUP_ID="$SG_INFO" + validate_security_group_id "$SECURITY_GROUP_ID" @@ -181,2 +212,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --cidr "0.0.0.0/0" > /dev/null - # Note: In production, you should restrict the CIDR range to specific IP addresses + --cidr "0.0.0.0/0" > /dev/null 2>&1 || handle_error "Failed to authorize security group ingress" + + echo "WARNING: Security group allows HTTP from 0.0.0.0/0. In production, restrict to specific IP addresses." >&2 @@ -190 +222 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --query "LoadBalancers[0].LoadBalancerArn" --output text) + --query "LoadBalancers[0].LoadBalancerArn" --output text 2>/dev/null || echo "") @@ -192 +224,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - LOAD_BALANCER_ARN=$LB_INFO + LOAD_BALANCER_ARN="$LB_INFO" + validate_arn "$LOAD_BALANCER_ARN" @@ -197 +230,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws elbv2 wait load-balancer-available --load-balancer-arns "$LOAD_BALANCER_ARN" + if ! aws elbv2 wait load-balancer-available --load-balancer-arns "$LOAD_BALANCER_ARN" 2>/dev/null; then + handle_error "Load balancer did not reach active state within timeout period" + fi @@ -207 +242 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --query "TargetGroups[0].TargetGroupArn" --output text) + --query "TargetGroups[0].TargetGroupArn" --output text 2>/dev/null || echo "") @@ -209 +244,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - TARGET_GROUP_ARN=$TG_INFO + TARGET_GROUP_ARN="$TG_INFO" + validate_arn "$TARGET_GROUP_ARN" @@ -216,2 +252 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --query "Reservations[*].Instances[*].InstanceId" --output text) - check_command "$INSTANCES" + --query "Reservations[*].Instances[*].InstanceId" --output text 2>/dev/null || echo "") @@ -228 +263 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - TARGET_ARGS="" + target_args=() @@ -230,2 +265,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$i" -lt 2 ]; then # Register up to 2 instances - TARGET_ARGS="$TARGET_ARGS Id=${INSTANCE_IDS[$i]} " + if [ "$i" -lt 2 ]; then + target_args+=("Id=${INSTANCE_IDS[$i]}") @@ -235,2 +270,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$TARGET_ARGS" ]; then - aws elbv2 register-targets \ + if [ ${#target_args[@]} -gt 0 ]; then + if aws elbv2 register-targets \ @@ -238,2 +273,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --targets $TARGET_ARGS - echo "Registered instances: $TARGET_ARGS" + --targets "${target_args[@]}" 2>/dev/null; then + echo "Registered instances: ${target_args[*]}" + else + handle_error "Failed to register targets" + fi @@ -250 +288 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --query "Listeners[0].ListenerArn" --output text) + --query "Listeners[0].ListenerArn" --output text 2>/dev/null || echo "") @@ -252 +290,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - LISTENER_ARN=$LISTENER_INFO + LISTENER_ARN="$LISTENER_INFO" + validate_arn "$LISTENER_ARN" @@ -257 +296 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws elbv2 describe-target-health --target-group-arn "$TARGET_GROUP_ARN" + aws elbv2 describe-target-health --target-group-arn "$TARGET_GROUP_ARN" 2>/dev/null || true @@ -262 +301 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --query "LoadBalancers[0].DNSName" --output text) + --query "LoadBalancers[0].DNSName" --output text 2>/dev/null || echo "") @@ -278 +317 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Ask user if they want to clean up resources + # Prompt for cleanup confirmation @@ -282,2 +321 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Do you want to clean up all created resources? (y/n): " - read -r CLEANUP_CHOICE + read -p "Do you want to clean up all created resources? (y/n): " -r CLEANUP_CHOICE @@ -285 +323 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then + if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then