The latest articles on DEV Community by Abdallah Deeb (@abdallah). https://dev.to/abdallah https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F87924%2F80da0339-7f6f-4352-90d3-33a5d3c95fa3.jpeg https://dev.to/abdallah en Abdallah Deeb Fri, 07 May 2021 08:42:14 +0000 https://dev.to/abdallah/quick-whm-cpanel-all-email-passwords-reset-1cma https://dev.to/abdallah/quick-whm-cpanel-all-email-passwords-reset-1cma <p>You generally don’t want to use this script. This is a last resort, when all mailbox passwords for the entire account need to be changed. For this script to work, you need root access to your WHM/cPanel server. This could ruin everything, be warned!</p> <p><strong>Here be dragons!</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">newpass</span><span class="o">=</span><span class="s1">'SomeStr0ngPasswordGoesHere!'</span> <span class="nv">accountname</span><span class="o">=</span><span class="s1">'example'</span> <span class="nv">domainname</span><span class="o">=</span><span class="s1">'example.com'</span> uapi <span class="nt">--user</span><span class="o">=</span><span class="nv">$accountname</span> Email list_pops <span class="se">\</span> | <span class="nb">grep </span>email <span class="se">\</span> | <span class="nb">awk</span> <span class="s1">'{print$2}'</span> | <span class="nb">awk</span> <span class="nt">-F</span><span class="se">\@</span> <span class="s1">'{print$1}'</span> | <span class="se">\</span> <span class="k">while </span><span class="nb">read </span>m<span class="p">;</span> <span class="k">do </span><span class="nb">echo </span>changing password <span class="k">for</span> <span class="nv">$m</span> uapi <span class="nt">--user</span><span class="o">=</span>@accountname Email passwd_pop <span class="nv">domain</span><span class="o">=</span><span class="nv">$domainname</span> <span class="nv">email</span><span class="o">=</span><span class="nv">$m</span> <span class="nv">password</span><span class="o">=</span><span class="nv">$newpass</span> <span class="k">done </span><span class="nb">echo </span><span class="k">done</span> </code></pre> </div> <p>Here are the links to the official API docs:</p> <ul> <li><a href="https://documentation.cpanel.net/display/DD/UAPI+Functions+-+Email%3A%3Apasswd%5C_pop">https://documentation.cpanel.net/display/DD/UAPI+Functions+-+Email%3A%3Apasswd\_pop</a></li> <li><a href="https://documentation.cpanel.net/display/DD/UAPI+Functions+-+Email%3A%3Alist%5C_pops">https://documentation.cpanel.net/display/DD/UAPI+Functions+-+Email%3A%3Alist\_pops</a></li> </ul> <p><strong>Is there a better way to do this?</strong> probably</p> <p><strong>Can I randomize the password?</strong> sure, but how will you send the new passwords to your users?</p> <p>Hope it helps!</p> bash cpanel password script Abdallah Deeb Wed, 07 Apr 2021 08:50:38 +0000 https://dev.to/abdallah/quick-elasticsearch-index-cleanup-4kjo https://dev.to/abdallah/quick-elasticsearch-index-cleanup-4kjo <p>There are many solutions using <code>curator</code> and other libraries. I’ll try to add links here later (if I remember)</p> <p>However, most of the time, all that’s needed is a quick <code>curl</code> call<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl -X DELETE "https://${ES-Endpoint}/${INDEX_NAME}" </code></pre> </div> <p>Get the ES endpoint from the domain overview</p> <p>List the index names using<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl "https://${ES-Endpoint}/_cat/indices" </code></pre> </div> <p>So for a quick cleanup session for everything that matches a grep<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl "https://${ES-Endpoint}/_cat/indices" | grep 'something' | awk '{print$3}' \ while read INDEX_NAME; do echo "Deleting ${INDEX_NAME}" curl -X DELETE "https://${ES-Endpoint}/${INDEX_NAME}" done </code></pre> </div> blogging bash curl elasticsearch Abdallah Deeb Tue, 11 Aug 2020 11:22:35 +0000 https://dev.to/abdallah/my-ansible-aws-ec2-dynamic-inventory-1fe3 https://dev.to/abdallah/my-ansible-aws-ec2-dynamic-inventory-1fe3 <p>Start with the the Ansible configuration. This can be set in <code>/etc/ansible/ansible.cfg</code> or <code>~/.ansible.cfg</code> (in the home directory) or <code>ansible.cfg</code> (in the current directory)</p> <p>My suggestion is use one of the first 2 (ie. <code>/etc/</code> or <code>~/.ansible.cfg</code> if you’re going to be managing instances from your machine. Update the configuration as needed.<br> </p> <div class="highlight"><pre class="highlight ini"><code><span class="nn">[defaults]</span> <span class="py">inventory</span> <span class="p">=</span> <span class="s">./ansible_plugins</span> <span class="py">enable_plugins</span> <span class="p">=</span> <span class="s">aws_ec2</span> <span class="py">host_key_checking</span> <span class="p">=</span> <span class="s">False</span> <span class="py">pipelining</span> <span class="p">=</span> <span class="s">True</span> <span class="py">log_path</span> <span class="p">=</span> <span class="s">/var/log/ansible</span> </code></pre></div> <p>You may need other plugins, this one is for aws_ec2. In the /etc/ansible/ansible_plugins directory, create the *_aws_ec2.yml configuration file for your inventory<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="c1"># /etc/ansible/ansible_plugins/testing_aws_ec2.yml</span> <span class="nn">---</span> <span class="na">plugin</span><span class="pi">:</span> <span class="s">aws_ec2</span> <span class="na">aws_profile</span><span class="pi">:</span> <span class="s">testing</span> <span class="na">regions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="s">us-east-2</span> <span class="na">filters</span><span class="pi">:</span> <span class="s">tag:Team: testing</span> <span class="s">instance-state-name</span> <span class="pi">:</span> <span class="s">running</span> <span class="na">hostnames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">instance-id</span> <span class="pi">-</span> <span class="s">dns-name</span> <span class="na">keyed_groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">team</span> <span class="na">key</span><span class="pi">:</span> <span class="s">tags['Team']</span> </code></pre></div> <p>You'll notice, I’m filtering using a <code>tag:Team == testing</code> and showing only <code>running</code> instances.</p> <p>I’m also using the <code>instance-id</code> and <code>dns-name</code> attributes as hostname</p> <p>And I’m using the <code>tag['Team']</code> as a grouping.</p> <p>So now, I can do the following from any directory (since my configuration is global in <code>/etc/ansible</code>)<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ ansible-inventory --list --yaml all: children: aws_ec2: hosts: i-xxxxxxxxxxxxxxx: ami_launch_index: 0 architecture: x86_64 block_device_mappings: - device_name: /dev/sda1 ebs: attach_time: 2020-08-10 15:20:58+00:00 delete_on_termination: true status: attached volume_id: vol-xxxxxxxxxxxxxx ... team_testing: hosts: i-xyxyxyxyxyyxyxyy: {} i-xyxyxy2321yxyxyy: {} i-xyxyxyxyxy89yxyy: {} i-xyxy1210xyyxyxyy: {} i-xyxy999999yxyxyy: {} i-xyxyxy44xyyxyxyy: {} i-xyx2323yxyyxyxyy: {} i-xyxyxyxyxy9977yy: {} ungrouped: {} </code></pre></div> <p>I can also use the <code>team_testing</code> or the individual <code>instance_id</code> in my Ansible <code>hosts</code> calls.</p> aws devops Abdallah Deeb Tue, 23 Jun 2020 05:53:04 +0000 https://dev.to/abdallah/get-daily-cost-alerts-for-aws-5bm https://dev.to/abdallah/get-daily-cost-alerts-for-aws-5bm <p>So I wanted to have a better alarm system for when AWS hits us with unexpected costs. It’s better to know there’s something wrong rather quickly and not suffer hundreds of dollars costs for something you don’t really need or want.</p> <p>The AWS provided alarm checks for hikes on a monthly basis. Here’s the <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html">doc they published</a>. So that’s an alarm that sounds when your estimated bill is going to be higher than the budgeted amount, or what you had in mind in the first place. Not very useful honestly in our case. It will just be too late.</p> <p>The only alternative I found was creating a daily check, that will compare yesterday’s costs against a max_amount set by default. Let’s say you want to have your daily bill not exceed 5$US.</p> <p>For ease of use and maintainability, I’m using a lambda function triggered by a cron (EventBridge rule) for the daily checks. And I’m sending the Alarm using an SNS topic, this way I can subscribe to it by email, or send it to our Mattermost channel, etc.</p> <p>Here’s the code:<br> </p> <div class="highlight"><pre class="highlight python"><code><span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">json</span> <span class="kn">import</span> <span class="nn">boto3</span> <span class="kn">from</span> <span class="nn">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">yesterday</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">strftime</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">timedelta</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="s">'%Y-%m-%d'</span><span class="p">)</span> <span class="n">twodaysago</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">strftime</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">timedelta</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="s">'%Y-%m-%d'</span><span class="p">)</span> <span class="n">cost_metric</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'cost_metric'</span><span class="p">)</span> <span class="n">max_amount</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'max_amount'</span><span class="p">)</span> <span class="n">ce</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">client</span><span class="p">(</span><span class="s">'ce'</span><span class="p">)</span> <span class="n">sns</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">client</span><span class="p">(</span><span class="s">'sns'</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">ce</span><span class="p">.</span><span class="n">get_cost_and_usage</span><span class="p">(</span> <span class="n">TimePeriod</span><span class="o">=</span><span class="p">{</span><span class="s">'Start'</span><span class="p">:</span> <span class="n">twodaysago</span><span class="p">,</span> <span class="s">'End'</span><span class="p">:</span> <span class="n">yesterday</span><span class="p">},</span> <span class="n">Granularity</span><span class="o">=</span><span class="s">'DAILY'</span><span class="p">,</span> <span class="n">Metrics</span><span class="o">=</span><span class="p">[</span><span class="n">cost_metric</span><span class="p">]</span> <span class="p">)</span> <span class="n">total_amount</span> <span class="o">=</span> <span class="n">result</span><span class="p">[</span><span class="s">'ResultsByTime'</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'Total'</span><span class="p">).</span><span class="n">get</span><span class="p">(</span><span class="n">cost_metric</span><span class="p">).</span><span class="n">get</span><span class="p">(</span><span class="s">'Amount'</span><span class="p">)</span> <span class="k">if</span> <span class="n">total_amount</span> <span class="o">&gt;</span> <span class="n">max_amount</span><span class="p">:</span> <span class="n">sns_topic</span> <span class="o">=</span> <span class="n">sns</span><span class="p">.</span><span class="n">create_topic</span><span class="p">(</span><span class="n">Name</span><span class="o">=</span><span class="s">'BillingAlert'</span><span class="p">)</span> <span class="n">sns</span><span class="p">.</span><span class="n">publish</span><span class="p">(</span> <span class="n">TopicArn</span><span class="o">=</span><span class="n">sns_topic</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'TopicArn'</span><span class="p">),</span> <span class="n">Message</span><span class="o">=</span><span class="s">'Total cost "{} USD" exceeded max_amount rate: {}'</span> <span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">total_amount</span><span class="p">,</span> <span class="nb">max</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="s">'statusCode'</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="s">'body'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="n">dumps</span><span class="p">(</span><span class="s">'cost check: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">total_amount</span><span class="p">))</span> <span class="p">}</span> </code></pre></div> <p>Note that you will need to add a couple of environment variables to Lambda: <code>cost_metric</code> and <code>max_amount</code>.</p> <p>And add the following permissions to the role used by the lambda function: <code>ce:GetCostAndUsage</code>, <code>sns:Publish</code> and <code>sns:CreateTopic</code>. Something like this:<br> </p> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VisualEditor0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ce:GetCostAndUsage"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VisualEditor1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"logs:CreateLogStream"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sns:Publish"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sns:CreateTopic"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs:PutLogEvents"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:logs:us-east-1:*:log-group:/aws/lambda/checkDailyCosts:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:sns:*:*:*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VisualEditor2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:logs:us-east-1:*:*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p>After that’s setup, go to your SNS topic (created by Lambda if it doesn’t exist) and subscribe to it. There you go, daily checks and an alarm if the bill is higher than expected.</p> aws cost lambda python Abdallah Deeb Thu, 18 Jun 2020 15:42:00 +0000 https://dev.to/abdallah/get-daily-cost-alerts-on-aws-51mb https://dev.to/abdallah/get-daily-cost-alerts-on-aws-51mb <p>So I wanted to have a better alarm system for when AWS hits us with unexpected costs. It’s better to know there’s something wrong rather quickly and not suffer hundreds of dollars costs for something you don’t really need or want.</p> <p>The AWS provided alarm checks for hikes on a monthly basis. Here’s the <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html">doc they published</a>. So that’s an alarm that sounds when your estimated bill is going to be higher than the budgeted amount, or what you had in mind in the first place. Not very useful honestly in our case. It will just be too late.</p> <p>The only alternative I found was creating a daily check, that will compare yesterday’s costs against a max_amount set by default. Let’s say you want to have your daily bill not exceed 5$US.</p> <p>For ease of use and maintainability, I’m using a lambda function triggered by a cron (EventBridge rule) for the daily checks. And I’m sending the Alarm using an SNS topic, this way I can subscribe to it by email, or send it to our Mattermost channel, etc.</p> <p>Here’s the code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">json</span> <span class="kn">import</span> <span class="nn">boto3</span> <span class="kn">from</span> <span class="nn">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">yesterday</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">strftime</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">timedelta</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="s">'%Y-%m-%d'</span><span class="p">)</span> <span class="n">twodaysago</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">strftime</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">timedelta</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="s">'%Y-%m-%d'</span><span class="p">)</span> <span class="n">cost_metric</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'cost_metric'</span><span class="p">)</span> <span class="n">max_amount</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'max_amount'</span><span class="p">)</span> <span class="n">ce</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">client</span><span class="p">(</span><span class="s">'ce'</span><span class="p">)</span> <span class="n">sns</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">client</span><span class="p">(</span><span class="s">'sns'</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">ce</span><span class="p">.</span><span class="n">get_cost_and_usage</span><span class="p">(</span> <span class="n">TimePeriod</span><span class="o">=</span><span class="p">{</span><span class="s">'Start'</span><span class="p">:</span> <span class="n">twodaysago</span><span class="p">,</span> <span class="s">'End'</span><span class="p">:</span> <span class="n">yesterday</span><span class="p">},</span> <span class="n">Granularity</span><span class="o">=</span><span class="s">'DAILY'</span><span class="p">,</span> <span class="n">Metrics</span><span class="o">=</span><span class="p">[</span><span class="n">cost_metric</span><span class="p">]</span> <span class="p">)</span> <span class="n">total_amount</span> <span class="o">=</span> <span class="n">result</span><span class="p">[</span><span class="s">'ResultsByTime'</span><span class="p">][</span><span class="mi">0</span><span class="p">].</span><span class="n">get</span><span class="p">(</span><span class="s">'Total'</span><span class="p">).</span><span class="n">get</span><span class="p">(</span><span class="n">cost_metric</span><span class="p">).</span><span class="n">get</span><span class="p">(</span><span class="s">'Amount'</span><span class="p">)</span> <span class="k">if</span> <span class="n">total_amount</span> <span class="o">&gt;</span> <span class="n">max_amount</span><span class="p">:</span> <span class="n">sns_topic</span> <span class="o">=</span> <span class="n">sns</span><span class="p">.</span><span class="n">create_topic</span><span class="p">(</span><span class="n">Name</span><span class="o">=</span><span class="s">'BillingAlert'</span><span class="p">)</span> <span class="n">sns</span><span class="p">.</span><span class="n">publish</span><span class="p">(</span> <span class="n">TopicArn</span><span class="o">=</span><span class="n">sns_topic</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'TopicArn'</span><span class="p">),</span> <span class="n">Message</span><span class="o">=</span><span class="s">'Total cost "{} USD" exceeded max_amount rate: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">total_amount</span><span class="p">,</span> <span class="nb">max</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="s">'statusCode'</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="s">'body'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="n">dumps</span><span class="p">(</span><span class="s">'cost check: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">total_amount</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>Note that you will need to add a couple of environment variables to Lambda: <code>cost_metric</code> and <code>max_amount</code><br><br> And the following permissions to the role used by the lambda function: <code>ce:GetCostAndUsage</code>, <code>sns:Publish</code> and <code>sns:CreateTopic</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ce:GetCostAndUsage", "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "sns:Publish", "sns:CreateTopic", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:us-east-1:*:log-group:/aws/lambda/checkDailyCosts:*", "arn:aws:sns:*:*:*" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "arn:aws:logs:us-east-1:*:*" } ] } </code></pre> </div> <p>After that’s set up, go to your SNS topic (created by Lambda if it doesn’t exist) and subscribe to it. There you go, daily checks and an alarm if the bill is higher than expected.</p> tools work aws costsavings Abdallah Deeb Tue, 12 May 2020 09:42:00 +0000 https://dev.to/abdallah/sync-s3-objects-across-aws-account-54i9 https://dev.to/abdallah/sync-s3-objects-across-aws-account-54i9 <p>How do I copy S3 objects/files/etc from another AWS account?<br> How do I migrate an S3 bucket to another AWS account? [playbook below + extra preliminary step, create the bucket]</p> <p>Well, you can do it manually following the notes in the AWS KB article I linked at the end of the article. <br> Honestly though, I am always confused by those KB articles. They are concise ans usually well written. I guess it's my dislexya ;)<br> So I have to read them a few times before I’m able to apply the steps correctly. That's not a bad thing really ... better than blindly copy/paste commands (which I NEVER DO, right).</p> <p>Recently, I’ve been going the other way around: whenever there are steps to follow, I try to translate them into an Ansible playbook. This way I make sure I got it right, AND I get to reuse the playbook, which makes things a lot faster the second time around. Oh and as an added bonus, I can share the playbook and have someone else take care of the task!</p> <p>Enough introductions, here’s what you came here for: an ansible playbook for syncing files between S3 buckets in different accounts:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="c1"># copy-bucket.yml</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">source_bucket</span><span class="pi">:</span> <span class="s">my-source-bucket</span> <span class="na">dest_bucket</span><span class="pi">:</span> <span class="s">my-dest-bucket</span> <span class="na">dest_user_arn</span><span class="pi">:</span> <span class="s">arn:aws:iam::ACCOUNTID:user/USERNAME</span> <span class="na">dest_user_name</span><span class="pi">:</span> <span class="s">USERNAME</span> <span class="na">source_profile</span><span class="pi">:</span> <span class="s">src_profile</span> <span class="na">dest_profile</span><span class="pi">:</span> <span class="s">dest_profile</span> <span class="na">tasks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Attach bucket policy to source bucket</span> <span class="na">s3_bucket</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">source_bucket</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">policy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('template','bucket-policy.json.j2')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">profile</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">source_profile</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Attach an IAM policy to a user in dest account</span> <span class="na">iam_policy</span><span class="pi">:</span> <span class="na">iam_type</span><span class="pi">:</span> <span class="s">user</span> <span class="na">iam_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">dest_user_name</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">policy_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3_move_access"</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">policy_json</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup(</span><span class="nv"> </span><span class="s">'template',</span><span class="nv"> </span><span class="s">'user-policy.json.j2')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">profile</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">dest_profile</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">register</span><span class="pi">:</span> <span class="s">user_policy</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sync the files</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">aws s3 sync s3://{{ source_bucket }}/ s3://{{ dest_bucket }}/ --profile {{ dest_profile }}</span> </code></pre></div> <p>You will also need the following json templates</p> <p><strong>bucket-policy.json.j2</strong><br> </p> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::{{ source_bucket }}"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::{{ source_bucket }}/*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObjectAcl"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::{{ dest_bucket }}"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::{{ dest_bucket }}/*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p><strong>user-policy.json.j2</strong><br> </p> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DelegateS3Access"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{ dest_user_arn }}"</span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="s2">"s3:GetObject"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::{{ source_bucket }}/*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::{{ source_bucket }}"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p>run: <code>ansible-playbook -v copy-bucket.yml</code></p> <p>make sure the profile names are setup on your machine correctly, and the IAM user is there.</p> <p>Ref: <a href="https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/">AWS KB: copy-s3-objects-account</a></p> s3 ansible aws devops Abdallah Deeb Fri, 14 Jun 2019 18:09:07 +0000 https://dev.to/abdallah/chatops-with-mattermost-and-aws-lambda-2ha0 https://dev.to/abdallah/chatops-with-mattermost-and-aws-lambda-2ha0 <p>I’ve been working towards making things simpler when managing distributed resources at work. And since we spend most of our day in the chat room (was Slack, now Mattermost) I thought it’s best to get started with ChatOps</p> <p>It’s just a fancy word for doing stuff right from the chat window. And there’s so much one can do, especially with simple Slash Commands.</p> <p>Here’s a lambda function I setup yesterday for invalidating CloudFront distributions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="nn">boto3</span> <span class="kn">import</span> <span class="nn">json</span> <span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">re</span> <span class="n">EXPECTED_TOKEN</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'mmToken'</span><span class="p">]</span> <span class="n">ALLOWED_USERS</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'[, ]'</span><span class="p">,</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'allowedUsers'</span><span class="p">])</span> <span class="n">DISTRIBUTIONS</span> <span class="o">=</span> <span class="p">{</span> <span class="s">'site-name'</span><span class="p">:</span> <span class="s">'DISTRIBUTIONID'</span><span class="p">,</span> <span class="s">'another.site'</span><span class="p">:</span> <span class="s">'DISTRIBUTIONID05'</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">parse_command_text</span><span class="p">(</span><span class="n">command_text</span><span class="p">):</span> <span class="n">pattern</span> <span class="o">=</span> <span class="sa">r</span><span class="s">"({})\s+(.*)"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="s">'|'</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="n">DISTRIBUTIONS</span><span class="p">.</span><span class="n">keys</span><span class="p">()))</span> <span class="n">m</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">match</span><span class="p">(</span><span class="n">pattern</span><span class="p">,</span> <span class="n">command_text</span><span class="p">)</span> <span class="k">if</span> <span class="n">m</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="s">'site'</span><span class="p">:</span> <span class="n">m</span><span class="p">.</span><span class="n">group</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="s">'path'</span><span class="p">:</span> <span class="n">path</span><span class="p">}</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># Parse the request </span> <span class="k">try</span><span class="p">:</span> <span class="n">request_data</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="s">"queryStringParameters"</span><span class="p">]</span> <span class="k">except</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="s">"statusCode"</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="s">"headers"</span><span class="p">:</span> <span class="p">{</span><span class="s">"Content-Type"</span><span class="p">:</span> <span class="s">"application/json"</span><span class="p">},</span> <span class="s">"body"</span><span class="p">:</span> <span class="s">'{ "message": "Use GET for setting up mattermost slash command" }'</span> <span class="p">}</span> <span class="c1"># Check the token matches. </span> <span class="k">if</span> <span class="n">request_data</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">"token"</span><span class="p">,</span> <span class="s">""</span><span class="p">)</span> <span class="o">!=</span> <span class="n">EXPECTED_TOKEN</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'Wrong Token!'</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="s">"statusCode"</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="s">"headers"</span><span class="p">:</span> <span class="p">{</span><span class="s">"Content-Type"</span><span class="p">:</span> <span class="s">"application/json"</span><span class="p">},</span> <span class="s">"body"</span><span class="p">:</span> <span class="s">'{ "message": "Mattermost token does not match" }'</span> <span class="p">}</span> <span class="c1"># Check the user is allowed to run the command </span> <span class="k">if</span> <span class="n">request_data</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">"user_name"</span><span class="p">,</span> <span class="s">""</span><span class="p">)</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">ALLOWED_USERS</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'Wrong User! {} not in {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">request_data</span><span class="p">[</span><span class="s">'user_name'</span><span class="p">],</span> <span class="n">ALLOWED_USERS</span><span class="p">))</span> <span class="k">return</span> <span class="p">{</span> <span class="s">"statusCode"</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="s">"headers"</span><span class="p">:</span> <span class="p">{</span><span class="s">"Content-Type"</span><span class="p">:</span> <span class="s">"application/json"</span><span class="p">},</span> <span class="s">"body"</span><span class="p">:</span> <span class="s">'{ "message": "User not allowed to perform action" }'</span> <span class="p">}</span> <span class="c1"># parse the command </span> <span class="n">command_text</span> <span class="o">=</span> <span class="n">request_data</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">"text"</span><span class="p">,</span> <span class="s">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">command_text</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'Nothing to do, bailing out'</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="s">"statusCode"</span><span class="p">:</span> <span class="mi">404</span><span class="p">,</span> <span class="s">"headers"</span><span class="p">:</span> <span class="p">{</span><span class="s">"Content-Type"</span><span class="p">:</span> <span class="s">"application/json"</span><span class="p">},</span> <span class="s">"body"</span><span class="p">:</span> <span class="s">'{ "message": "No command text sent" }'</span> <span class="p">}</span> <span class="n">parts</span> <span class="o">=</span> <span class="n">parse_command_text</span><span class="p">(</span><span class="n">command_text</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">parts</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'Bad formatting - command: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">command_text</span><span class="p">))</span> <span class="k">return</span> <span class="p">{</span> <span class="s">"statusCode"</span><span class="p">:</span> <span class="mi">402</span><span class="p">,</span> <span class="s">"headers"</span><span class="p">:</span> <span class="p">{</span><span class="s">"Content-Type"</span><span class="p">:</span> <span class="s">"application/json"</span><span class="p">},</span> <span class="s">"body"</span><span class="p">:</span> <span class="s">'{ "message": "Wrong pattern" }'</span> <span class="p">}</span> <span class="c1"># Do the actual work </span> <span class="n">cf_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">client</span><span class="p">(</span><span class="s">'cloudfront'</span><span class="p">)</span> <span class="c1"># Invalidate </span> <span class="n">boto_response</span> <span class="o">=</span> <span class="n">cf_client</span><span class="p">.</span><span class="n">create_invalidation</span><span class="p">(</span> <span class="n">DistributionId</span><span class="o">=</span><span class="n">DISTRIBUTIONS</span><span class="p">[</span><span class="n">parts</span><span class="p">[</span><span class="s">'site'</span><span class="p">]],</span> <span class="n">InvalidationBatch</span><span class="o">=</span><span class="p">{</span> <span class="s">'Paths'</span><span class="p">:</span> <span class="p">{</span> <span class="s">'Quantity'</span><span class="p">:</span> <span class="nb">len</span><span class="p">(</span><span class="n">parts</span><span class="p">[</span><span class="s">'path'</span><span class="p">]),</span> <span class="s">'Items'</span><span class="p">:</span> <span class="n">parts</span><span class="p">[</span><span class="s">'path'</span><span class="p">]</span> <span class="p">},</span> <span class="s">'CallerReference'</span><span class="p">:</span> <span class="nb">str</span><span class="p">(</span><span class="n">time</span><span class="p">()).</span><span class="n">replace</span><span class="p">(</span><span class="s">"."</span><span class="p">,</span> <span class="s">""</span><span class="p">)</span> <span class="p">}</span> <span class="p">)[</span><span class="s">'Invalidation'</span><span class="p">]</span> <span class="c1"># Build the response message text. </span> <span class="n">text</span> <span class="o">=</span> <span class="s">"""##### Executing invalidation | Key | Info | | --- | ---- | | Site | {} | | Path | {} | | ID | {} | | Status | {} |"""</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span> <span class="n">parts</span><span class="p">[</span><span class="s">'site'</span><span class="p">],</span> <span class="n">parts</span><span class="p">[</span><span class="s">'path'</span><span class="p">],</span> <span class="n">boto_response</span><span class="p">[</span><span class="s">'Id'</span><span class="p">],</span> <span class="n">boto_response</span><span class="p">[</span><span class="s">'Status'</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Build the response object. </span> <span class="n">response</span> <span class="o">=</span> <span class="p">{</span> <span class="s">"response_type"</span><span class="p">:</span> <span class="s">"in_channel"</span><span class="p">,</span> <span class="s">"text"</span><span class="p">:</span> <span class="n">text</span><span class="p">,</span> <span class="p">}</span> <span class="c1"># Return the response as JSON </span> <span class="k">return</span> <span class="p">{</span> <span class="s">"body"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="n">dumps</span><span class="p">(</span><span class="n">response</span><span class="p">),</span> <span class="s">"headers"</span><span class="p">:</span> <span class="p">{</span><span class="s">"Content-Type"</span><span class="p">:</span> <span class="s">"application/json"</span><span class="p">},</span> <span class="s">"statusCode"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Note that you need to hook that up with an API Gateway in AWS. Once that’s done, you will have a URL endpoint ready for deployment.</p> <p>Next, I created the slash command in mattermost with the following:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KIW8MPus--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deeb.me/wp-content/uploads/image-1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KIW8MPus--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deeb.me/wp-content/uploads/image-1.png" alt=""></a>slash command configuration</p> <p>That’s pretty much it. Rinse and repeat for a different command, different usage.</p> <p>On my list next is to have more interaction with the user in mattermost per <a href="https://docs.mattermost.com/developer/interactive-messages.html">https://docs.mattermost.com/developer/interactive-messages.html</a><br><br> Weekend Project, Yay!</p> blogging tools work aws Abdallah Deeb Thu, 02 May 2019 18:00:33 +0000 https://dev.to/abdallah/mfa-from-command-line-1ci9 https://dev.to/abdallah/mfa-from-command-line-1ci9 <p>MFA, 2FA, 2 step validation, etc. are everywhere these days. And it’s a good thing.</p> <p>Problem with using the phone to get the authentication code is that you need to have it handy at all times (when you want to login at least) and that you have to read the code then type it in (too many steps)</p> <p>One possible alternative is to use the command line <code>oathtool</code></p> <p>Here’s my snippet, I added the following line in my <code>.bashrc</code><br> </p> <div class="highlight"><pre class="highlight plaintext"><code>function mfa () { oathtool --base32 --totp "$(cat ~/.mfa/$1.mfa)" | xclip -sel clip ;} </code></pre></div> <p>Some preparation work:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>sudo apt install oathtool xclip&lt;br&gt;mkdir ~/.mfa&lt;br&gt; </code></pre></div> <p>If you want to use the same account with both a phone based MFA generator and the shell, set them up at the same time. Simply use the generated string for setting up the account in the <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2">Google Authenticator</a> (as an example) and the add it to the <code>~/.mfa/account_name.mfa</code></p> <p>The use of <code>xclip</code> automatically copies the 6 digit authentication code to the clipboard. You can go ahead and paste it.</p> <p>The above setup works in Ubuntu. Didn’t try it on other systems.</p> cli mfa bash Abdallah Deeb Thu, 21 Mar 2019 13:32:35 +0000 https://dev.to/abdallah/vaultpress-ssh-access-to-site-behind-aws-load-balancer-3d0p https://dev.to/abdallah/vaultpress-ssh-access-to-site-behind-aws-load-balancer-3d0p <p>I recently worked on migrating a large WordPress site from a dedicated server to AWS following the reference architecture as outlined in <a href="https://github.com/aws-samples/aws-refarch-wordpress">https://github.com/aws-samples/aws-refarch-wordpress</a></p> <p>One of the upsides of this architecture is that the site is entirely behind the load balancer and the instances running the web server are never accessible from the internet (not even via ssh or http). So any updates to the site need to be deployed using Systems Manager. I will post about that later … However due to this restriction, VaultPress is only able to access the site (for backups) over https, which causes extra load on the web instances.</p> <p>To fix that, we need to allow VaultPress SSH access directly to the web instances (at least to 1 of them). And the only way in via SSH is through a bastion instance.</p> <p>On this bastion instance, I installed Nginx with the following configuration in /etc/nginx/nginx.conf<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>stream { server { listen 1234; proxy_pass 10.0.1.12:22; } } </code></pre></div> <p>where <code>10.0.1.12</code> is the internal IP of one web instances behind the load balancer.</p> <p>At this stage (after reloading Nginx), I added the <code>vaultpress</code> user to the web instances and set their SSH public key in the <code>.ssh/authorized_keys</code> for that user.</p> <p>To test manually, I added my own public key and connected to:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>ssh -l vaultpress -p 1234 bastion.mydomain.com </code></pre></div> <p>After that works, I tested from VaultPress dashboard. No surprises: testing the connection works (SSH/SFTP), all green! Great, both the SSH and the SFTP setups should work properly. </p> <p>One issue I faced here was that after a few hours/the next day, VaultPress somehow forgot the setup and I had to re-add the connection information. Why? No idea! Just make sure to check on it the next day to make sure it's still there! </p> <p>Since the IPs may change in case there’s an auto scaling event, I added a cron job that runs every 5 minutes on the bastion and updates the nginx configuration to point to one of the web instances internal IPs. A simplistic version looks like this:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>#!/bin/bash IP="$(list-ips.sh | awk '{ print $1 }')" sed -i -E "s/proxy_pass (.+):22/proxy_pass ${IP}:22/" /etc/nginx/nginx.conf nginx -t &amp;&amp; service nginx reload </code></pre></div> <p>You can also use CloudWatch Events to add a rule, that runs when AutoScaling happens. Pointing that to a Lambda function that calls Systems Manager to change the IP in Nginx. Here’s a reference for that <a href="https://docs.aws.amazon.com/autoscaling/ec2/userguide/cloud-watch-events.html#create-lambda-function">https://docs.aws.amazon.com/autoscaling/ec2/userguide/cloud-watch-events.html#create-lambda-function</a></p> <p>Oh, and don’t forget to lock down the bastion instance. In my case, I set the Security group in the EC2 console to allow only the following:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Type: Custom TCP Rule Protocol: TCP Port Range: 1234 Source: 192.0.64.0/18 Description: VaultPress SSH Access </code></pre></div> <p>Hope it helps!<br> If you have any thoughts on improving the setup, I'm open for discussions.</p> Abdallah Deeb Fri, 01 Feb 2019 16:17:54 +0000 https://dev.to/abdallah/list-ips-from-cloudtrail-events-p4l https://dev.to/abdallah/list-ips-from-cloudtrail-events-p4l <p>A quick command to list the IPs from AWS CloudTrail events.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>#!/bin/bash ACCESS\_KEY\_ID=AKIASMOETHINGHERE MAX\_ITEMS=100 aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=${ACCESS\_KEY\_ID} --max-items ${MAX\_ITEMS} \ | jq -r '.Events[].CloudTrailEvent' \ | jq '.sourceIPAddress' \ | sort | uniq </code></pre></div> <p>This of course can be extended to include more information, for example:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>#!/bin/bash ACCESS\_KEY\_ID=AKIASMOETHINGHERE MAX\_ITEMS=100 aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=${ACCESS\_KEY\_ID} --max-items ${MAX\_ITEMS} \ | jq -r '.Events[].CloudTrailEvent' \ | jq '{ User: .userIdentity.userName, IP: .sourceIPAddress, Event: .eventName }' </code></pre></div> cloudtrail cli aws bash Abdallah Deeb Wed, 16 Jan 2019 16:57:46 +0000 https://dev.to/abdallah/change-profiles-automatically-in-tilix-when-connecting-to-ssh-hosts-58a8 https://dev.to/abdallah/change-profiles-automatically-in-tilix-when-connecting-to-ssh-hosts-58a8 <p>I use <a href="https://gnunn1.github.io/tilix-web/">Tilix</a> as my main terminal app on Ubuntu. I like it mainly because it’s easy to use and shows multiple sessions in tiles and tabs, so it’s easy to switch between multiple servers without too much fuss</p> <p>Tilix is also pretty customizable. I just needed to have the “profile” automatically switch according to the server/machine I switch to. This can be done according to the documentation per <a href="https://gnunn1.github.io/tilix-web/manual/profileswitch/">https://gnunn1.github.io/tilix-web/manual/profileswitch/</a> but I wanted something configured locally, not sent to the remote system.</p> <p>So I just added a function that wraps my ssh command. Here’s how it looks in my .bashrc<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>ssh() { SSHAPP=`which ssh`; ARGS=$@; echo "switching to $ARGS"; printf "\033]7;file://%s/\007" "$ARGS"; $SSHAPP $ARGS; } </code></pre></div> <p>This sets up the hostname of machine you’re logging into as the title. That’s your trigger. What remains is to create a profile and assign that profile to automatically switch when the trigger (hostname:directory, user can also be added) is set.</p> <p>Go to Profiles &gt; Edit Profile &gt; Advanced (tab) and under Match add the hostname.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PNYXeD3B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deeb.me/wp-content/uploads/image-1024x787.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PNYXeD3B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deeb.me/wp-content/uploads/image-1024x787.png" alt=""></a><br></p> <p>That’s about it. I’m going to add a new profile with a RED background now for my production machines! too much?</p> blogging bash convenience terminal Abdallah Deeb Tue, 15 Jan 2019 20:33:56 +0000 https://dev.to/abdallah/packetwritewait-connection-to-xxx-port-22-broken-pipe-19fd https://dev.to/abdallah/packetwritewait-connection-to-xxx-port-22-broken-pipe-19fd <p>SSH connections started dropping left and right a few days ago. I thought at first it was a problem with my connection, our DSL connection in Beirut, Lebanon is getting a lot better this last year. But it still had its quirks now and then and I blamed the wires and bad weather.</p> <p>But it happened again the second day and the third, and it was becoming really annoying with jobs killed in the middle of execution when I forget to start a screen.</p> <p>Long story short, it seems that some settings were removed or reset after an upgrade in Ubuntu on my home machine. This is what I added in /etc/ssh/ssh_config (not sshd_config!)</p> <div class="highlight"><pre class="highlight plaintext"><code>Host \* ServerAliveInterval 30 ServerAliveCountMax 5 </code></pre></div> <p>And that’s it!</p> <p>If you don’t want to edit the system-wide configuration, you can always edit ~/.ssh/config with the same for similar effect.</p> work fixoftheday ssh ubuntu