Quick POC here, I may update later… But probably not. The idea here is that I might want a WAF rule to auto-permit public IPs from my own account, and I might want this to dynamically update. This Python code can be leveraged in a Lambda function that can be called two different ways:
- Cron Job in CloudWatch Events to trigger a lambda every 5-10-15 minutes or whatever works
- More ideally, a CloudWatch Event that looks for any Interface Association adds/removal API calls and triggers the Lambda
If I get around to refining this a little more I may detail the latter here and maybe make a cloudformation stack. For now, here is the core issue solved. Get all Pub IPs in account, and update a WAF rule with that output.
import boto3 import json # Define IP-Set Info wafIpName='Local-Account_IPSet' wafIpSetId='09b16840-689d-4c57-b977-92d119d7bd6d' wafIpSetScope='REGIONAL' # Define credential session client = boto3.client('wafv2') # Get all pub ips from all regions in account, return <list> def pullPubIps(): session = boto3.session.Session() client = boto3.client('ec2') regions = [region['RegionName'] for region in client.describe_regions()['Regions']] foundIps =  appendCidr = '/32' for region in regions: ec2 = session.resource('ec2', region_name=region) for vpc in ec2.vpcs.all(): for eni in vpc.network_interfaces.all(): if eni.association_attribute: foundIps.append(eni.association_attribute['PublicIp']) formatIps = [ip + appendCidr for ip in foundIps] return formatIps # Get Lock Token for defined IP Set def getLockToken(): lockToken = client.get_ip_set(Id=wafIpSetId,Scope=wafIpSetScope,Name=wafIpName)['LockToken'] return lockToken # Push Updated IpSet def pushIpSet(): response = client.update_ip_set( Name=wafIpName, Scope=wafIpSetScope, Id=wafIpSetId, Addresses=pullPubIps(), LockToken=getLockToken() ) return response pushIpSet()