Export OCI Security Lists rules to csv format

Every time I do create a new subnet, as a best practice I create 5 security lists for each (as for now OCI does not allow me to include/remove SLs dynamically in already created subnets) so I can guarantee I can reach the maximum possible rules if it's necessary.

When you have dozens of security lists, each of them with hundreds of access rules, the OCI web interface can be really slow sometimes due to it's dynamic javascript nature. Also it don't give you filter capabilities to show, for example, all the security lists that are handling a given IP, Port or Protocol.

One of the solutions that I've found when I need to display the rules based on a custom criteria is to reformat and keep an updated copy of all my seclists data into an excel spreed. So I can use the excel columns to apply the filters I want:

OCI interface still doesn't provide either an export button. So I created a script to make it. The code to generate the csv uses basically oci-cli and jq (lightweight and flexible command-line JSON processor). It's available at https://github.com/dbarj/oci-scripts/blob/master/oci_csv_network_seclist.sh

Before running, you must export only two shell variables specifying the Container OCID and VNC OCID which you want to generate the report:

$ ./oci_csv_network_seclist.sh
OCID of compartment not specified. Please export v_compartment_ocid variable with correct value.
"Prod","ocid1.compartment.oc1..aaaaaaaaqgqejobesvbinralewsj9fajs09j0jsjkjasfjaskjk0j09asfan"
"Test","ocid1.compartment.oc1..aaaaaaaaaewv46xqv3n5wymaslas1nlknsna1n0nsaknr109snafkn10s0an"
$ export v_compartment_ocid="ocid1.compartment.oc1..aaaaaaaaqgqejobesvbinralewsj9fajs09j0jsjkjasfjaskjk0j09asfan"
$ ./oci_csv_network_seclist.sh
OCID of VCN not specified. Please export v_vcn_ocid variable with correct value.
"myvcn","ocid1.vcn.oc1.iad.aaaaaaaa6wlpmctr43ltu5dhgzfc3h225qymftsausf9usafu0asuf09uas9"
$ export v_vcn_ocid="ocid1.vcn.oc1.iad.aaaaaaaa6wlpmctr43ltu5dhgzfc3h225qymftsausf9usafu0asuf09uas9"
$ ./oci_csv_network_seclist.sh
display-name,lifecycle-state,is-stateless,type,protocol,contype,IP,tcp-dest-port-min,tcp-dest-port-max,tcp-source-port-min,tcp-source-port-max,udp-dest-port-min,udp-dest-port-max,udp-source-port-min,udp-source-port-max
"ml1_ad2_tr2_bkp_prd","AVAILABLE",false,"ingress","all","source","192.168.81.0/24",,,,,,,,
"ml1_ad2_tr1_prd","AVAILABLE",false,"ingress","6","source","192.168.116.70/32",22,22,,,,,,
"ml1_ad2_tr1_prd","AVAILABLE",false,"ingress","6","source","192.168.116.71/32",22,22,,,,,,
"ml1_ad2_tr1_prd","AVAILABLE",false,"ingress","6","source","192.168.116.71/32",3389,3389,,,,,,
"ml1_ad2_tr1_prd","AVAILABLE",false,"ingress","6","source","192.168.116.71/32",80,80,,,,,,
"ml1_ad2_tr1_prd","AVAILABLE",false,"ingress","1","source","192.168.116.70/32",,,,,,,,
"ml1_ad2_tr1_prd","AVAILABLE",false,"ingress","1","source","192.168.116.71/32",,,,,,,,
(...)
Have you enjoyed? Please leave a comment or give a 👍!

6 comments

Skip to comment form

    • Sergio on September 20, 2018 at 11:01
    • Reply

    Hi,
    do you have the code of csv-network-security-list.sh script ? 😉

    Thank you in advance.

    1. Hi Sergio, link was broken, sorry. I've already corrected that.

      Regards,
      RJ

    • Sergio on September 21, 2018 at 04:44
    • Reply

    Thank you very much RJ.
    Have a nice day.

    • Anthony on May 17, 2019 at 17:55
    • Reply

    This was exactly what I was looking for, thanks for sharing it.

    • Earl on March 2, 2021 at 14:26
    • Reply

    This looked really good, until I realized it's not for the newer Network Security Groups rules implementation that we use. Do you have anything similar for NSG rules, by any chance?

    This is still awesome for what it is...just not QUITE what I was looking for.

    • Deepak on February 29, 2024 at 11:23
    • Reply

    I am getting error
    the provided key is not a private key, or the provided passphrase is incorrect.
    OCID of compartment not specified correctly. Please export v_compartment_ocid variable with correct value.

Leave a Reply

Your email address will not be published.