Cloning Security List Rules among different SLs in OCI


Over the last year, I've been working for a customer that uses one of the Oracle OCI regions as its primary DC and another as a standby environment. As the two are nearly identical regarding routes and network access rules, I constantly needed to get the standby region in sync with the primary regarding the security list rules of all of their 80+ Security Lists.

So, whenever they added, changed or removed a rule on the primary, I had to find a way to reflect that change on the corresponding security list on the standby. This would not have been an easy task had I not created some sort of automation to do it for me.

That is how the oci_network_seclist_clone_rules.sh script was born.

P.S: This is one more article in the OCI automation shell script series. To check all of them, please access my GitHub repo page.

How does it work?

Basically, the shell script accepts up to 4 arguments:

  • 1st - Source Security List Name or OCID.
  • 2nd - Source VCN Name or OCID.
  • 3rd - Target Security List Name or OCID.
  • 4th - Target VCN Name or OCID.

So the script replicates all the Security List rules of the Source SL to the Target SL. Please note that it completely replaces the existing rules on the target SL.

The code accepts 4 parameters; however, only the first one is mandatory. Why?

  • For the 1st parameter you can specify either the Display Name or the OCID. If you specify the Security List Name, you must also provide the VCN Name or OCID in the 2nd argument, which makes that argument mandatory.
  • The same applies to the 3rd parameter (with the VCN in the 4th argument).
  • You may also omit the 3rd and 4th parameters and derive the target names through the name transformation variables explained next.

So, you can export the following variables before calling the utility; they change the execution procedure as follows:

  • OCI_CLONE_SOURCE_REGION
  • OCI_CLONE_TARGET_REGION
  • OCI_CLONE_SEDREP_SEC_NAME
  • OCI_CLONE_SEDREP_VCN_NAME
  • OCI_CLONE_SEDREP_RULES

OCI_CLONE_SOURCE_REGION and OCI_CLONE_TARGET_REGION

You may export these variables to specify the region in which your source or target security lists are placed. If you omit them, the region used will be the default one specified in .oci/config.

Example:
If the target SL is actually placed in the us-phoenix-1 region:

$ export OCI_CLONE_TARGET_REGION="us-phoenix-1"

OCI_CLONE_SEDREP_SEC_NAME

You may also optionally omit the target SL name or OCID in the 3rd parameter and instead use a sed replace expression to transform the source SL name into the target name. If this variable is empty (not exported) and the 3rd parameter is also not provided, the code will look for a SL with the same name as the source.

Example:
If the source SL name is "ash_oci_sl", the target SL name used will be "phx_oci_sl" when the 3rd parameter is not passed.

$ export OCI_CLONE_SEDREP_SEC_NAME="s/ash/phx/g"

OCI_CLONE_SEDREP_VCN_NAME

You may optionally omit the target VCN name and instead use a sed replace expression to transform the source VCN name into the target name. If this variable is empty (not exported) and the 4th parameter is also not provided, the code will look for a VCN with the same name as the source.

Example:
If the source VCN name is "ash_oci_vcn", the target VCN name will be "phx_oci_vcn" when the 4th parameter is not passed.

$ export OCI_CLONE_SEDREP_VCN_NAME="s/ash/phx/g"

OCI_CLONE_SEDREP_RULES

You may optionally rewrite some rules while they are copied from the source SL to the target SL, again with a sed expression.

Example:
You want to swap the IP prefixes 10.1. <-> 10.2. in your rules (the intermediate 10.XXX. placeholder keeps the second substitution from undoing the first):

$ export OCI_CLONE_SEDREP_RULES="s/\"10\.1\./\"10.XXX./g; s/\"10\.2\./\"10.1./g; s/\"10\.XXX\./\"10.2./g;"
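To make the three transformations above concrete, here is an added stand-alone example; it is not code from oci_network_seclist_clone_rules.sh and makes no OCI CLI call. It assumes that an OCID can be told apart from a display name by its "ocid1." prefix (the real script's detection logic is not shown on this page) and feeds a constructed rule list in the JSON shape the OCI CLI returns. Run it with `--demo` to see the name derivation, the rule rewrite and a dry-run diff of what the target would receive before anything is overwritten:

```shell
#!/usr/bin/env bash
# Added example (not the oci_network_seclist_clone_rules.sh code itself): an
# offline illustration of the argument rule and the sed transformations the
# OCI_CLONE_SEDREP_* variables describe. No OCI CLI call is made.

# Returns 0 when the argument looks like an OCID rather than a display name.
# Assumption: only the "ocid1." prefix is checked.
is_ocid() {
  case "$1" in
    ocid1.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Mirrors the argument rule from the post: a display name is only usable
# when the VCN (name or OCID) that scopes it is also given.
check_sl_arg() {
  sl="$1"; vcn="$2"
  if ! is_ocid "$sl" && [ -z "$vcn" ]; then
    echo "security list '$sl' is a name, so its VCN must be given too" >&2
    return 1
  fi
  return 0
}

# Derives the target name from the source name with a sed expression
# (OCI_CLONE_SEDREP_SEC_NAME / OCI_CLONE_SEDREP_VCN_NAME). An empty
# expression means "same name as the source".
derive_name() {
  src="$1"; expr="$2"
  if [ -z "$expr" ]; then
    printf '%s\n' "$src"
  else
    printf '%s\n' "$src" | sed "$expr"
  fi
}

# Applies an OCI_CLONE_SEDREP_RULES expression to a rule list read from stdin.
transform_rules() {
  expr="$1"
  if [ -z "$expr" ]; then cat; else sed "$expr"; fi
}

# Constructed sample rules (not real customer data): two CIDRs that the
# 10.1. <-> 10.2. swap from the post should exchange.
SAMPLE_RULES='[
  {"protocol": "6", "source": "10.1.0.0/16", "isStateless": false},
  {"protocol": "6", "source": "10.2.5.0/24", "isStateless": false}
]'

# The swap from the post: the 10.XXX. placeholder keeps the second
# substitution from undoing the first.
SWAP_EXPR='s/"10\.1\./"10.XXX./g; s/"10\.2\./"10.1./g; s/"10\.XXX\./"10.2./g'

# Prints the transformed sample rules, i.e. what the target SL would receive.
swapped_sample() {
  printf '%s\n' "$SAMPLE_RULES" | transform_rules "$SWAP_EXPR"
}

# Counts transformed rules whose source starts with the given prefix, so the
# effect of the swap can be checked before the real script replaces the target.
count_prefix() {
  swapped_sample | grep -c "\"source\": \"$1"
}

if [ "${1:-}" = "--demo" ]; then
  check_sl_arg "ash_oci_sl" "ash_oci_vcn" && echo "argument check passed"
  echo "target SL : $(derive_name ash_oci_sl 's/ash/phx/g')"
  echo "target VCN: $(derive_name ash_oci_vcn 's/ash/phx/g')"
  echo "transformed rules:"
  swapped_sample
  # Dry-run review: diff the current rules against the rewritten ones so the
  # change is visible before the target SL is overwritten.
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_RULES" > "$tmp"
  swapped_sample | diff "$tmp" - || true
  rm -f "$tmp"
fi
```

The dry-run diff at the end is the step worth keeping around the real script: since the clone completely replaces the target's rules, reviewing the rewritten rule set against the current target before running the clone catches a sed expression that matched more than intended.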

Demo

Download link: https://github.com/dbarj/oci-scripts/blob/master/oci_network_seclist_clone_rules.sh

Hope you enjoyed.
