The latest articles on DEV Community by Charles Uneze (@charlesuneze). https://dev.to/charlesuneze https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1035585%2F0c0566b9-8608-4eec-b770-d6c2ac1df5d0.jpeg https://dev.to/charlesuneze en Charles Uneze Mon, 08 Sep 2025 09:07:27 +0000 https://dev.to/charlesuneze/cost-efficient-etl-for-small-datasets-using-aws-lambda-s3-wrangler-and-glue-4o79 https://dev.to/charlesuneze/cost-efficient-etl-for-small-datasets-using-aws-lambda-s3-wrangler-and-glue-4o79 <p>While studying the <a href="https://aws.amazon.com/certification/certified-data-engineer-associate/" rel="noopener noreferrer">AWS Data Associate certification</a> guide and designing a data pipeline, you will be exposed to data transformation concepts like transforming a file’s format or transforming the actual data.</p> <p>As a refresher, the file format is often transformed to improve query speed. And <a href="https://docs.aws.amazon.com/athena/latest/ug/columnar-storage.html" rel="noopener noreferrer">columnar-supported file formats</a> are preferred. Popular examples are Parquet and ORC (Optimized Row Columnar).</p> <p>Transforming the actual data is about performing actions on the rows &amp; columns; things like removing duplicate rows, for example.</p> <p>The tricky thing about transforming a file format on the cloud is that it can get expensive. And sometimes you don't often need that expensive transformer when you aren’t frequently working with a huge dataset.</p> <p>The AWS Glue ETL job uses Spark for transformation, and the minimum data processor allocates <code>4 vCPUs, 16 GB memory, 94GB disk</code>. While studying, this can get expensive.</p> <p>An alternative is to convert the file using a library. In my case, where I code in Python, the <a href="https://pypi.org/project/pyarrow/" rel="noopener noreferrer">PyArrow</a> library is a good choice. I also had to convert a CSV file, so I added the <a href="https://pypi.org/project/pandas/" rel="noopener noreferrer">Pandas</a> library too.</p> <p>The solution works locally; it converts CSV to Parquet. However, the package installation size is too large to add to Lambda during a trigger. I also didn't want to package and deploy a container image to ECR and tell Lambda to pull it.</p> <p>The best alternative I ended up figuring out was to use the <a href="https://pypi.org/project/awswrangler/" rel="noopener noreferrer">AWS Wrangler package</a>. It comes preinstalled with Pandas and Pyarrow and can be attached to Lambda’s layer.</p> <h2> How to install AWS Wrangler on Lambda </h2> <ol> <li>To install it as a Lambda layer, visit the <a href="https://serverlessrepo.aws.amazon.com/applications/us-east-1/336392948345/aws-sdk-pandas-layer-py3-11" rel="noopener noreferrer">AWS serverless repository.</a> </li> <li>Deploy it for free</li> <li>Once it's completed, it should become available in your Lambda layer.</li> <li>Now you can write your transformation logic in Python and run it as a Lambda function. You also need to reference the newly added Lambda layer. </li> </ol> <h2> Defining the other ETL logics </h2> <ol> <li>Create a Glue catalog, database, crawler, trigger, and workflow.</li> <li>Create an isolated workgroup for your Athena query service based on Presto </li> <li>Add your CSV dataset to S3</li> <li>As previously described, your Lambda function reads the dataset on S3: <ul> <li>Removes duplicate rows</li> <li>Converts the CSV into Parquet</li> <li>Saves the new file to an S3 path</li> <li>Then it triggers your Glue workflow</li> </ul> </li> <li>The Glue workflow immediately does the following using Glue: <ul> <li>Crawls the Parquet file</li> <li>Creates a table</li> </ul> </li> <li>Then you can use Athena to query the data in S3</li> </ol> <h2> Demo </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1rsgckvuxzxe0w26mk0q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1rsgckvuxzxe0w26mk0q.png" alt="Architecture" width="800" height="417"></a></p> <blockquote> <p>Architecture</p> </blockquote> <p>I have defined this logic using Terraform so that you can play with it. Clone the following repository, update the backend configuration, bucket name, and region, then apply your configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/network-charles/aws-etl-wrangler.git <span class="nb">cd </span>aws-etl-wrangler terraform init <span class="nt">-backend-config</span><span class="o">=</span>backend.conf terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Final takeaway </h2> <p>If you are studying the AWS Data Associate using small datasets, once you understand how an ETL job works, you can transition to using AWS Wrangler in your pipeline instead.</p> lambda wrangler glue s3 Charles Uneze Fri, 14 Mar 2025 15:49:39 +0000 https://dev.to/charlesuneze/using-gitops-to-manage-a-kwok-deployment-35c1 https://dev.to/charlesuneze/using-gitops-to-manage-a-kwok-deployment-35c1 <h2> Table of Contents </h2> <ul> <li>Overview</li> <li>Requirements</li> <li>File Tree</li> <li>Create a Cluster</li> <li>Install Flux Controllers</li> <li>Create a Secret for Authenticating to the GitHub Repository</li> <li>Connect Flux to the Repository</li> <li>Target the KWOK Manifests using Flux</li> <li>Apply Custom Resources (CRs) of Stages</li> <li>Target the Deployment and Node YAML Manifests using Flux</li> <li>Install Prometheus and Grafana</li> <li>Enable Metrics on Kube-Scheduler</li> <li>Grab the Grafana Username and Password</li> <li>Scale the Deployment to 30 and Modify Node Affinity</li> <li>View Scheduler Metrics on Grafana Dashboard</li> <li>Conclusion</li> </ul> <h2> Overview </h2> <p>So, I have been studying the GitOps associate exam outline, I decided to document my learning by implementing it on an open-source project I worked on during my past internship experience at <a href="https://github.com/DaoCloud" rel="noopener noreferrer">DaoCloud</a>.</p> <p>DaoCloud has an open-source project called <a href="https://github.com/kubernetes-sigs/kwok" rel="noopener noreferrer">Kubernetes without Kubelet (KWOK)</a> which helps developers who are building products on Kubernetes, test their Kubernetes control plane. They do this by creating a huge amount of pods or nodes to stress test the control plane. Since running such tests in a real environment is expensive, KWOK makes this cost-effective.</p> <p>I haven’t found any resource on the internet showing users how to deploy this using Flux, a GitOps tool, and monitoring the Kubernetes scheduler using Prometheus, this article should help.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvjwen92nlxfvkerjco1x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvjwen92nlxfvkerjco1x.png" alt="High-level architecture of a KWOK deployment using GitOps" width="800" height="523"></a></p> <blockquote> <p>High-level architecture of a KWOK deployment using GitOps</p> </blockquote> <p>It's also worth mentioning that I found a KWOK documentation bug and opened a <a href="https://github.com/kubernetes-sigs/kwok/pull/1327" rel="noopener noreferrer">PR</a> that got merged while I was preparing for this article.</p> <h2> Requirements </h2> <ul> <li><a href="https://docs.docker.com/engine/install/" rel="noopener noreferrer">Docker</a></li> <li><a href="https://kind.sigs.k8s.io/" rel="noopener noreferrer">Kubernetes in Docker (KIND)</a></li> <li><a href="https://helm.sh/docs/intro/install/" rel="noopener noreferrer">Helm</a></li> <li><a href="https://kubectl.docs.kubernetes.io/installation/kubectl/" rel="noopener noreferrer">kubectl</a></li> <li><a href="https://fluxcd.io/flux/installation/" rel="noopener noreferrer">FluxCD</a></li> </ul> <h2> File Tree </h2> <p><a href="https://github.com/network-charles/kwok-gitops" rel="noopener noreferrer">GitHub repository</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── cluster.yaml ├── gitops │ ├── flux │ │ ├── git.yaml │ │ ├── kwok.yaml │ │ └── others.yaml │ │ └── prometheus-grafana.yaml │ └── kustomization │ ├── kwok │ │ ├── base │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── overlays │ │ └── kustomization.yaml │ └── others │ ├── base │ │ ├── deployment.yaml │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ └── node.yaml │ └── overlays │ └── modify-number-of-pods │ ├── deployment.yaml │ └── kustomization.yaml └── secrets.yaml </code></pre> </div> <p>We will be working with a few files, so this tree will guide us through it.</p> <p>Breaking it into sections:</p> <ul> <li> <strong><code>gitops/flux/</code></strong> → Flux configurations</li> <li> <strong><code>gitops/kustomization/kwok/</code></strong> → KWOK setup using Kustomize</li> <li> <strong><code>gitops/kustomization/others/</code></strong> → Additional Kubernetes resources</li> <li> <strong><code>secrets.yaml</code></strong> → Holds authentication credentials</li> </ul> <h2> Create a Cluster </h2> <p>The first step is to create a real Kubernetes cluster. KWOK will be deployed into the cluster. Here I will be using a <a href="https://kind.sigs.k8s.io/" rel="noopener noreferrer">Kubernetes in Docker (KIND)</a> cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster <span class="nt">--config</span> cluster.yaml </code></pre> </div> <p><code>cluster.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">Cluster</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kind.x-k8s.io/v1alpha4</span> <span class="na">nodes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">control-plane</span> <span class="na">extraPortMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">30000</span> <span class="c1"># The k8s service port for grafana</span> <span class="na">hostPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="c1"># The host port you want to expose the k8s service</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">30909</span> <span class="c1"># The k8s service port for prometheus</span> <span class="na">hostPort</span><span class="pi">:</span> <span class="m">9090</span> <span class="c1"># The host port you want to expose the k8s service</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p>The <code>cluster.yaml</code> file configures port mappings that allow the host to access the <a href="https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/config-other-methods/helm-operator-migration/" rel="noopener noreferrer">Grafana and Prometheus</a> services once they are deployed into the Kind cluster for observability.</p> <h2> Install Flux Controllers </h2> <p>Flux is a GitOps tool that takes the infrastructure code defined in a Git repository and automatically deploys it into a Kubernetes cluster. It also watches for changes in the repository and synchronizes those changes in the cluster.</p> <p>All these interactions are handled by the <a href="https://fluxcd.io/flux/components/" rel="noopener noreferrer">controllers</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>flux <span class="nb">install </span>kubectl get pod <span class="nt">-n</span> flux-system NAME READY STATUS RESTARTS AGE helm-controller-5bb6849c4f-rbrrj 1/1 Running 1 5m kustomize-controller-68597c4488-9vtnl 1/1 Running 1 5m notification-controller-7d6f99878b-plvzl 1/1 Running 1 5m source-controller-666dc49455-z4gs7 1/1 Running 1 5m </code></pre> </div> <h2> Create a Secret for Authenticating to the GitHub Repository </h2> <p>Flux needs to authenticate to your repository because this repository may be private.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"testing"</span> | <span class="nb">base64 echo</span> <span class="nt">-n</span> <span class="s2">"testing1234"</span> | <span class="nb">base64</span> </code></pre> </div> <p>Your username and password need to be converted to base64. The result will be specified as the value.</p> <p><code>secrets.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">github-auth</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">data</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">dGVzdGluZw==</span> <span class="na">password</span><span class="pi">:</span> <span class="s">dGVzdGluZzEyMzQ=</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> secrets.yaml </code></pre> </div> <h2> Connect Flux to the Repository </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── gitops ├── flux │ │ ├── git.yaml │ │ ├── kwok.yaml │ │ └── others.yaml kubectl apply <span class="nt">-f</span> gitops/flux/git.yaml </code></pre> </div> <p><code>flux/git.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">source.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1m</span> <span class="c1"># Syncs to the repo every 1 minutes</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://github.com/network-charles/kwok-gitops.git</span> <span class="na">ref</span><span class="pi">:</span> <span class="na">branch</span><span class="pi">:</span> <span class="s">main</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">github-auth</span> </code></pre> </div> <blockquote> <p>For real-world production workloads, a longer interval (e.g., 5-10 minutes) is recommended to reduce API rate limits and unnecessary sync attempts.</p> </blockquote> <h2> Target the KWOK Manifests using Flux </h2> <p>When working with Flux, you can use a tool called <a href="https://kustomize.io/" rel="noopener noreferrer">Kustomize</a> to place your main configs in a <code>base</code> directory, and then modify any of these configs using a copy placed in an <code>overlays</code> directory. It’s preferable this way than messing with your main config.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── gitops │ ├── flux │ │ │ └── kwok.yaml │ └── kustomization │ ├── kwok │ │ ├── base │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── overlays │ │ └── kustomization.yaml kubectl apply <span class="nt">-f</span> gitops/flux/kwok.yaml </code></pre> </div> <p><code>flux/kwok.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kwok</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1m</span> <span class="c1"># Syncs to the repo every 1 minutes</span> <span class="na">targetNamespace</span><span class="pi">:</span> <span class="s">kwok</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/gitops/kustomization/kwok/overlays"</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">1m</span> <span class="c1"># time it takes for the manifest to finish applying before timing out</span> </code></pre> </div> <p>Flux targets the directory/path containing the file I will use to deploy KWOK into my cluster.</p> <p>The manifest below is the targeted file. I am attempting to modify the image version used to deploy KWOK into my cluster. Since I am already referencing the <strong>base</strong> directory via the <code>resources</code> field, Flux will create everything there first, afterward, it’d modify any image version changes I specify in the <code>patches</code> and <code>images</code> fields.</p> <p><code>kustomization/overlays/kustomization.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../base</span> <span class="na">patches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">target</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">patch</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">apiVersion: kustomize.config.k8s.io/v1beta1</span> <span class="s">kind: Kustomization</span> <span class="s">metadata:</span> <span class="s">name: kwok</span> <span class="s">namespace: kwok</span> <span class="s">resources:</span> <span class="s">- https://github.com/kubernetes-sigs/kwok/kustomize/kwok?ref=v0.5.1</span> <span class="na">images</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">registry.k8s.io/kwok/kwok</span> <span class="na">newTag</span><span class="pi">:</span> <span class="s2">"</span><span class="s">v0.5.1"</span> </code></pre> </div> <h2> Apply Custom Resources (CRs) of Stages </h2> <p>This makes it possible to simulate the state of a pod or node in the cluster with very little resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">KWOK_REPO</span><span class="o">=</span>kubernetes-sigs/kwok <span class="nv">KWOK_LATEST_RELEASE</span><span class="o">=</span><span class="si">$(</span>curl <span class="s2">"https://api.github.com/repos/</span><span class="k">${</span><span class="nv">KWOK_REPO</span><span class="k">}</span><span class="s2">/releases/latest"</span> | jq <span class="nt">-r</span> <span class="s1">'.tag_name'</span><span class="si">)</span> kubectl apply <span class="nt">-f</span> <span class="s2">"https://github.com/</span><span class="k">${</span><span class="nv">KWOK_REPO</span><span class="k">}</span><span class="s2">/releases/download/</span><span class="k">${</span><span class="nv">KWOK_LATEST_RELEASE</span><span class="k">}</span><span class="s2">/stage-fast.yaml"</span> </code></pre> </div> <h2> Target the Deployment and Node YAML Manifests using Flux </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">├── gitops</span> <span class="s">│ ├── flux</span> <span class="s">│ │ │ └── others.yaml</span> <span class="s">│ └── kustomization</span> <span class="s">│ └── others</span> <span class="s">│ ├── base</span> <span class="s">│ │ ├── deployment.yaml</span> <span class="s">│ │ ├── kustomization.yaml</span> <span class="s">│ │ ├── namespace.yaml</span> <span class="s">│ │ └── node.yaml</span> <span class="s">│ └── overlays</span> <span class="s">│ └── modify-number-of-pods</span> <span class="s">│ ├── deployment.yaml</span> <span class="s">│ └── kustomization.yaml</span> <span class="s">kubectl apply -f gitops/flux/others.yaml</span> </code></pre> </div> <p>Now all manifests in this <code>others</code> directory will be managed by Flux.</p> <p><code>gitops/flux/others.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">others</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1m</span> <span class="c1"># Syncs to the repo every 1 minutes</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/gitops/kustomization/other/overlays/modify-number-of-pods"</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">1m</span> </code></pre> </div> <blockquote> <p>Notice how the <code>overlays</code> directory is still been referenced and used to make changes to the main deployment.</p> </blockquote> <h2> Install Prometheus and Grafana </h2> <p>This deploys Prometheus and Grafana using Helm, but it's managed by Flux. I like this because I don’t need to manage Helm manually using the command line.</p> <p><code>prometheus-grafana.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">source.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HelmRepository</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus-community</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://prometheus-community.github.io/helm-charts</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">helm.toolkit.fluxcd.io/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HelmRelease</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus-grafana</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">targetNamespace</span><span class="pi">:</span> <span class="s">monitoring</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">chart</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">kube-prometheus-stack</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HelmRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus-community</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">install</span><span class="pi">:</span> <span class="na">createNamespace</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">values</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="m">30909</span> <span class="na">type</span><span class="pi">:</span> <span class="s">NodePort</span> <span class="na">grafana</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">NodePort</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="m">30000</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> gitops/flux/prometheus-grafana.yaml </code></pre> </div> <h2> Enable Metrics on Kube-Scheduler </h2> <p>For security purposes, Kube-Scheduler is not accessible by default. So, metrics aren’t scraped, but if you are running tests and need to collect metrics from it, you need to bind the address and make it accessible to other pods like the Prometheus pod, etc.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> kind-control-plane bash apt update apt <span class="nb">install </span>vim <span class="nt">-y</span> vi /etc/kubernetes/manifests/kube-scheduler.yaml spec: containers: - <span class="nb">command</span>: - kube-scheduler - <span class="nt">--bind-address</span><span class="o">=</span>0.0.0.0 <span class="c"># Allow listening on all interfaces</span> </code></pre> </div> <p>Now the Prometheus service monitor scraping metrics from the scheduler will be in an <code>up</code> state.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3a9tj1tj7rjfhstezx7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3a9tj1tj7rjfhstezx7.png" alt="kube-scheduler service monitor" width="800" height="123"></a></p> <blockquote> <p>kube-scheduler service monitor</p> </blockquote> <h2> Grab the Grafana Username and Password </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secrets prometheus-grafana <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.admin-password}'</span> | <span class="nb">base64</span> <span class="nt">--decode</span> <span class="p">;</span> <span class="nb">echo </span>kubectl get secrets prometheus-grafana <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.admin-user}'</span> | <span class="nb">base64</span> <span class="nt">--decode</span> <span class="p">;</span> <span class="nb">echo</span> </code></pre> </div> <h2> Scale the Deployment to 30 and Modify Node Affinity </h2> <p>Initially, I had one pod running in the deployment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get deployments apps nginx-deployment NAME READY UP-TO-DATE AVAILABLE AGE nginx-deployment 1/1 1 1 5s </code></pre> </div> <p>Now, I’ll scale the deployment to 30. To do this, I will modify a copy of the <code>deployment</code> stored in the <code>overlays</code> directory.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── gitops │ └── kustomization │ └── others │ ├── base │ └── overlays │ └── modify-number-of-pods │ ├── deployment.yaml │ └── kustomization.yaml </code></pre> </div> <p>I updated the <code>replicas</code> field and the <code>values</code> in the deployment file.</p> <p><code>overlays/modify-number-of-pods/deployment.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">replicas</span><span class="pi">:</span> <span class="m">30</span> <span class="c1"># update this</span> <span class="nn">...</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kwokkk</span> <span class="c1"># update this</span> <span class="nn">...</span> </code></pre> </div> <p>The above manifest updates the deployment to 30 pods, it also uses the wrong label value, so the pods are unschedulable.</p> <blockquote> <p>I intentionally made them unschedulable so we can see some scheduler metrics in action.</p> </blockquote> <p>Now, push your config to GitHub and wait for 60s, so Flux pulls and updates your cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git commit <span class="nt">-am</span> <span class="s2">"update deployment"</span> git push <span class="nb">sleep </span>60 kubectl get deployments apps nginx-deployment NAME READY UP-TO-DATE AVAILABLE AGE nginx-deployment 0/30 30 0 16m </code></pre> </div> <h2> View Scheduler Metrics on Grafana Dashboard </h2> <p>Log into Grafana by visiting <code>localhost:3000</code>. The username and password you received maybe this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>username <span class="o">=</span> admin password <span class="o">=</span> prom-operator </code></pre> </div> <p>Go to <code>Menu &gt; Dashboard &gt; Kubernetes/Scheduler&gt; Edit &gt; Add &gt; Visualization &gt; Queries &gt; Metrics</code></p> <p>Add a metric to view all pending and unschedulable pods.</p> <ul> <li><code>scheduler_pending_pods{queue="unschedulable"}</code></li> </ul> <p>You should see a graph similar to this, telling you 30 pods are currently pending.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkfuw009yftgdv5woorm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkfuw009yftgdv5woorm.png" alt="Prometheus metrics graph on Grafana dashboard" width="800" height="159"></a></p> <blockquote> <p>Prometheus metrics graph on Grafana dashboard</p> </blockquote> <h2> Conclusion </h2> <p>Now, we have learned how engineers and developers use GitOps to manage their KWOK deployment, collect metrics from the control-plane, and view them on Grafana. This method works on several other use cases. In a public cloud's managed Kubernetes clusters, the cluster’s control plane node is often restricted, however, the cloud provider exposes the Prometheus metrics to you. If you manage your control plane node, then this article should help you learn to expose yours for testing.</p> <ul> <li>To find more control-plane use cases for KWOK, see this <a href="https://github.com/kubernetes-sigs/kwok/issues/1063" rel="noopener noreferrer">GitHub issue</a>.</li> <li>If you’d like an opportunity to intern in the Cloud Native Computing Foundation space, see the <a href="https://github.com/cncf/mentoring/tree/main/programs" rel="noopener noreferrer">Linux Foundation Mentorship Program and Google Summer of Code</a>.</li> </ul> gitops fluxcd kubernetes prometheus Charles Uneze Fri, 01 Nov 2024 08:01:50 +0000 https://dev.to/charlesuneze/wikimedia-foundation-gsod-2024-project-report-174e https://dev.to/charlesuneze/wikimedia-foundation-gsod-2024-project-report-174e <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fii7be5aucbqy8zn7cazd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fii7be5aucbqy8zn7cazd.png" alt="GSOD x Wikimedia" width="800" height="253"></a></p> <h2> Table of Contents </h2> <ul> <li>Project Overview</li> <li>Key Challenges</li> <li>Project Outcome</li> <li>Key Learning</li> <li>Best Practices Identified</li> <li>Recommendations for Future Projects</li> <li>Conclusion</li> <li>More Resources</li> </ul> <h2> Project Overview </h2> <p>This is a report for a project I worked on with the <a href="https://www.mediawiki.org/wiki/Wikimedia_Technical_Documentation_Team" rel="noopener noreferrer">Wikimedia Technical Documentation</a> team during the <a href="https://developers.google.com/season-of-docs" rel="noopener noreferrer">Google Season of Docs</a> 2024 program.</p> <p>The "Complete Migration of MediaWiki Documentation" project aimed to migrate an 82-page document from an old official wiki called <a href="https://meta.wikimedia.org/wiki/Main_Page" rel="noopener noreferrer">Meta</a> to a new one called <a href="https://www.mediawiki.org/wiki/MediaWiki" rel="noopener noreferrer">MediaWiki</a>.</p> <p>This wasn’t just about transferring text. A MediaWiki server had to be installed locally to test each feature described before documenting it again, and the new text had to be easier to read, navigate, and use. For maximum server uptime, I deployed the MediaWiki server on Amazon Web Services (AWS).</p> <p>I also had to ensure existing content on Meta that is Wikimedia-specific is easier to navigate and understand.</p> <h2> Key Challenges </h2> <p>During the migration, we identified five main challenges:</p> <ol> <li> <strong>Scattered Information:</strong> Some content about MediaWiki is located on Meta, making it hard for users to find everything in one place.</li> <li> <strong>New Look and Feel:</strong> Since MediaWiki is a new software, it came with a new user interface in some places.</li> <li> <strong>Rewriting for Clarity:</strong> We couldn’t just copy-paste text from Meta due to licensing issues.</li> <li> <strong>Inconsistent Organization:</strong> Similar Wikimedia Foundation-specific pages on Meta weren’t well organized into a category.</li> <li> <strong>Poor Navigation:</strong> Meta’s content navigation page which should provide easy access to most visited pages wasn’t properly structured.</li> </ol> <h2> Project Outcome </h2> <p>The project led to several major improvements:</p> <ol> <li> <strong>Centralized Information:</strong> All key MediaWiki documentation is now on MediaWiki. This will save users from switching between platforms and help them find the latest information faster.</li> <li> <strong>Updated Visuals:</strong> New images have been added to match the new interface, so users see the exact screens they’ll be working with, reducing confusion.</li> <li> <strong>User-Friendly Writing:</strong> All migrated contents are now more readable and engaging, making the documentation more approachable for all users.</li> <li> <strong>Better Organization:</strong> With improved categorization, users can now quickly find similar pages they need on Meta.</li> <li> <strong>Enhanced Navigation:</strong> Meta's revamped <a href="https://meta.wikimedia.org/wiki/Help:Contents" rel="noopener noreferrer">content</a> navigation page now leads users to the most frequently visited pages, so they can get to popular guides without wasting time. I used a wiki <a href="https://pageviews.wmcloud.org/pageviews/?project=meta.wikimedia.org&amp;platform=all-access&amp;agent=user&amp;redirects=0&amp;range=latest-20&amp;pages=Help:Round" rel="noopener noreferrer">Pageviews Analysis</a> tool to rank the most visited pages.</li> </ol> <p>The progress of this outcome was first documented on a Google Sheet maintained by a Google Season of Docs (GSOD) volunteer named <a href="https://www.mediawiki.org/wiki/User:Chinweotitookereke" rel="noopener noreferrer">Okereke Chinweotito</a>. A copy was then replicated on a <a href="https://phabricator.wikimedia.org/T358605" rel="noopener noreferrer">Wikimedia Phabricator</a> issue as a bi-weekly status update.</p> <h2> Key Learning </h2> <p>My knowledge improved in these areas:</p> <ol> <li>When editing a wiki, users make use of a markup language called <strong>wikitext</strong>. This project helped me improve my knowledge of this language.</li> <li>I learned how to navigate a wiki and perform operations like installing extensions, renaming a page, merging a page, adding permissions to a user, etc.</li> <li>I also had to brush up on my HTML skills all over again.</li> </ol> <h2> Best Practices Identified </h2> <p>While working on this project, these were the best practices I identified that were missing:</p> <ol> <li> <strong>Start with Contextual Introductions:</strong> Each page should begin with a brief introductory paragraph that explains what the feature does. This provides users with context before diving into instructions on how to use the feature. </li> <li> <strong>Remove redundant lines:</strong> Between the end of a section or subsection and the start of another, always leave one empty line rather than two.</li> <li> <strong>Add Visual Aids Where Relevant</strong>: When describing some operations that involve navigating the menu, it may be best to add a screenshot too.</li> <li> <strong>Migrate technical pages to the manual namespace:</strong> Pages containing extensive code or mathematical equations are best suited in the Manual namespace. This helps users find more technical content quickly.</li> <li> <strong>Test locally before documenting:</strong> As much as you can, it’s best to test the feature on a local MediaWiki server first before documenting it.</li> </ol> <h2> Recommendations for Future Projects </h2> <p>I am going to start by outlining the key factors that contributed to the success of this project:</p> <ol> <li>This project was well documented before it began, with all issues properly specified, so contributors could work on it. Unlike a few other projects I saw that weren’t selected by Google.</li> <li>Interested Technical Writers were instructed to outline their statement of interest on Wikimedia Phabricator rather than having to join the <a href="https://wikimedia.zulipchat.com" rel="noopener noreferrer">Zulip group chat</a>.</li> <li>The community members were very active and supportive, particularly experienced wiki administrators like <a href="https://www.mediawiki.org/wiki/User:Pppery" rel="noopener noreferrer">Pppery</a>.</li> </ol> <p>For future projects, maintaining detailed documentation of the issues to be addressed when submitting a proposal to Google and promoting an engaged community with a smooth onboarding process will be key strategies to replicate this success.</p> <h2> Conclusion </h2> <p>By migrating MediaWiki content from Meta to the MediaWiki platform and organizing Wikimedia-specific help pages on Meta, I created a more accessible and user-friendly resource for the Wikimedia community. This project strengthened my technical documentation skills and highlighted the value of community collaboration in open source. I look forward to continuing to support Wikimedia’s mission by contributing further to its documentation.</p> <h2> More Resources </h2> <ul> <li><a href="https://www.mediawiki.org/wiki/Documentation/Contribute" rel="noopener noreferrer">How to Contribute to MediaWiki</a></li> <li><a href="https://youtube.com/playlist?list=PLf4MYZEHV9yIFq0nRO9Egi6pnwSItkgKP&amp;si=3mM_-vaA53w791QJ" rel="noopener noreferrer">An open-source story documentary I was featured in</a></li> </ul> gsod wikimedia opensource Charles Uneze Tue, 27 Aug 2024 11:23:54 +0000 https://dev.to/charlesuneze/my-experience-working-on-the-kwok-project-as-an-lfx-mentee-8n2 https://dev.to/charlesuneze/my-experience-working-on-the-kwok-project-as-an-lfx-mentee-8n2 <h2> Table of Contents </h2> <ul> <li>What’s the KWOK Project About?</li> <li> How I Got Accepted <ul> <li>Step 1: Use the Project</li> <li>Step 2: Analyze the Expected Outcome</li> </ul> </li> <li>New Concepts I Learned</li> <li>What I Struggled With</li> <li>My Contributions</li> <li>Conclusion</li> </ul> <p>In June 2024, I got the amazing notification that I’d been selected as an LFX mentee in <a href="https://github.com/cncf/mentoring/tree/main/programs/lfx-mentorship/2024/02-Jun-Aug" rel="noopener noreferrer">Term 2, 2024</a>. This was my second attempt to participate in the <a href="https://lfx.linuxfoundation.org/tools/mentorship/" rel="noopener noreferrer">LFX mentorship program</a>. I found out about the program from <a href="https://open.spotify.com/episode/6sr7Ic8cavV8XBoTTfp9gX?si=yl4gvJnDTSOetWgn55043A" rel="noopener noreferrer">Divine Odazie</a> in one of his Twitter spaces.</p> <p>I was selected to work on the <a href="https://mentorship.lfx.linuxfoundation.org/project/ef8e7637-2eb6-4672-8f6c-c9f9f0677da0" rel="noopener noreferrer">Kubernetes without Kubelet (KWOK)</a> project with mentorship support from the <a href="http://daocloud.io/" rel="noopener noreferrer">DaoCloud</a> software engineering team, <a href="https://github.com/wzshiming" rel="noopener noreferrer">Shiming Zhang</a> and Zhenghao Zhu.</p> <h2> What’s the KWOK Project About? </h2> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F240916xkk6q1srouosud.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F240916xkk6q1srouosud.png" alt="CNCF - KWOK" width="800" height="465"></a></p> <blockquote> <p>Source: <a href="https://youtu.be/WtgwOmPeBKg?si=IG-x3zOw8YIZl1hC" rel="noopener noreferrer">CNCF</a></p> </blockquote> <p>KWOK is a Kubernetes sub-project, people often refer to these sub-projects as <a href="https://github.com/kubernetes-sigs" rel="noopener noreferrer">Kubernetes Special Interest Group (SIG)</a> projects.</p> <p>It allows developers to simulate large clusters with hundreds of nodes and pods that consume little resources. It uses real Kubernetes components but operates without a Kubelet.</p> <h2> How I Got Accepted </h2> <p>I never knew about the project in the past. However, I was studying the Certified Kubernetes Administrator (CKA) topics, so I understood how Kubernetes works from the perspective of an administrator. I just needed an extra push to understand the KWOK project.</p> <h3> Step 1: Use the Project </h3> <p>I spun up a virtual machine on AWS and installed the requirements needed to test the project in action. I tried various scenarios, as you would when you are learning a certification like the CKA. You can find the scenarios I tried in this <a href="https://github.com/network-charles/kwok-labs" rel="noopener noreferrer">repository</a>. </p> <p>Along the way, I noticed issues both in the project documentation and in the code outputs when interacting with the tool via the CLI. For each issue, I opened a PR, and when I got confused, I shared my questions on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCNXNB0ZTN" rel="noopener noreferrer">Slack channel</a>.</p> <h3> Step 2: Analyze the Expected Outcome </h3> <p>Each project specifies its expected outcome. While building my confidence, I made sure to know that I could achieve the outcome. So I reviewed each project outlined in the <a href="https://github.com/kubernetes-sigs/kwok/issues/1063" rel="noopener noreferrer">referenced GitHub issue</a>. I read each pull request and blog post to learn how the project uses KWOK. When I was confident that I understood it to a great extent, I sent in my mentee application.</p> <h2> New Concepts I Learned </h2> <ul> <li> <strong>New cloud native projects:</strong> While working on the project, I had the opportunity to learn about other projects too. For example, <a href="https://kubevirt.io/" rel="noopener noreferrer">Kubevirt</a>, Kyverno, <a href="https://clusterpedia.io/" rel="noopener noreferrer">Clusterpedia</a>, etc.</li> <li> <strong>How to generate an image from a bash script:</strong> A tool called <a href="https://asciinema.org/" rel="noopener noreferrer">Asciiema</a> allows developers to test their bash script in action while also recording the execution from their terminal. This is helpful because it validates that your script works. There were times when I assumed my documentation was accurate, however, when I tried the instructions using the tool, it failed. Thankfully, I got it fixed.</li> <li> <strong>How other cloud-native projects utilize custom control planes:</strong> While studying the <a href="https://training.linuxfoundation.org/certification/certified-kubernetes-administrator-cka/" rel="noopener noreferrer">CKA</a> topics, I only knew about the Kubernetes control plane. This mentorship exposed me to other cloud-native tools that use additional custom control planes for their specific needs.</li> <li> <strong>How projects uniquely utilize etcd:</strong> I initially knew that configuration data was stored in etcd. However, I never knew that a project could utilize it to store other important information. For example, <a href="https://kyverno.io/" rel="noopener noreferrer">Kyverno</a> uses it to store policy reports.</li> </ul> <h2> What I Struggled With </h2> <ul> <li> <strong>Git</strong>: I struggle with not knowing when to use a <code>git rebase</code> vs <code>git merge</code>. KWOK rolled out a new feature that needed to be integrated into my branch. I wanted to show only my commit history in my pull request, but I was confused about which command to use. I ended up using a <code>git rebase</code> because it produces a cleaner commit history. It integrates the new changes into my branch without including the commit history from the original branch in my pull request.</li> <li> <strong>Time difference:</strong> My mentor is based in China, so he is 7 hours ahead of me. When resolving a GitHub suggestion, I often need to start addressing issues from 4 or 5 a.m. in my time zone.</li> </ul> <h2> My Contributions </h2> <ul> <li><a href="https://github.com/kubernetes-sigs/kwok/pull/1140" rel="noopener noreferrer">Scheduler Testing with KWOK (Technical Outcome)</a></li> <li><a href="https://github.com/kubernetes-sigs/kwok/pull/1177" rel="noopener noreferrer">Scalability Testing with KWOK (Technical Outcome)</a></li> <li><a href="https://github.com/kubernetes-sigs/kwok/pull/1190" rel="noopener noreferrer">Performance Testing with KWOK (Technical Outcome)</a></li> </ul> <h2> Conclusion </h2> <p>The mentorship program was an amazing learning experience. I don't think the LFX mentorship is an easy program to get into. Most of the time, you need at least a CKA, <a href="https://training.linuxfoundation.org/certification/certified-kubernetes-application-developer-ckad/" rel="noopener noreferrer">CKAD</a>, or <a href="https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/" rel="noopener noreferrer">CKS</a> level of understanding to stand a chance. My tasks involved a lot of references to CKA topics.</p> <p>This experience broadened my understanding of Kubernetes, and I’m excited to apply the skills and knowledge I have gained to new cloud-native projects and also to continue contributing to open-source software.</p> <p>I’m also thankful to my mentors for giving me a chance to showcase and improve my skills. I encourage others who’d like to break into the cloud-native industry to leverage the LFX mentorship program to get hands-on experience, you won’t regret it.</p> cloudnative kubernetes lfx kwok Charles Uneze Tue, 21 May 2024 05:02:52 +0000 https://dev.to/charlesuneze/utilizing-coverage-ai-agents-for-better-unit-tests-436c https://dev.to/charlesuneze/utilizing-coverage-ai-agents-for-better-unit-tests-436c <p>Artificial Intelligence agents have improved developers’ workflow in the last few years and the release of this paper from Meta about their <a href="https://arxiv.org/pdf/2402.09171" rel="noopener noreferrer">TestGen-LLM</a> has been a game changer for unit testing code.<br> <a href="https://www.codium.ai" rel="noopener noreferrer">CodiumAI</a>, an AI startup is at the forefront of the commercial application of the TestGen-LLM with their new <a href="https://github.com/Codium-ai/cover-agent" rel="noopener noreferrer">open-source</a> tool. What I love about this TestGen-LLM implementation is that it keeps iterating the code until coverage increases. See below.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqmlh53aqizoyfqytpjc3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqmlh53aqizoyfqytpjc3.png" alt="TestGen-LLM"></a><br> <strong>Source:</strong> <a href="https://arxiv.org/pdf/2402.09171" rel="noopener noreferrer">Automated Unit Test Improvement using Large Language Models at Meta</a></p> <h2> CodiumAI’s Cover-Agent </h2> <p>Pre-coverage AI agents, Python developers would use the <a href="https://coverage.readthedocs.io/en/7.5.1/" rel="noopener noreferrer">Coverage</a> python plugin or the <a href="https://pytest-cov.readthedocs.io/en/latest/readme.html" rel="noopener noreferrer">Pytest-cov</a> plugin, while Go developers use <code>go test -coverprofile=...</code> (See <a href="https://go.dev/doc/build-cover" rel="noopener noreferrer">Go coverage profile</a>), then they’ll have to manually write tests to improve coverage in the lines missed in their code.<br> Today, tools like Cover-Agent do this automatically.</p> <h2> Demo </h2> <p>Below is a simple script that deploys AWS services using Python’s <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/index.html" rel="noopener noreferrer">Boto3</a> library.</p> <p><strong>Installation</strong><br> Follow this <a href="https://github.com/Codium-ai/cover-agent#installation-and-usage" rel="noopener noreferrer">guide</a> on the CodiumAI Cover-Agent GitHub repository to install the necessary packages.<br> The following packages are also required:</p> <ul> <li>Boto3</li> <li>Moto</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> pip <span class="nb">install </span>boto3 moto </code></pre> </div> <p><strong>Code to test</strong><br> A simple production script that creates an EC2 instance, a Dynamodb table, and puts an item into the table.</p> <p><strong>File: aws.py</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> <span class="n">ec2</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">ec2</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_ec2_instance</span><span class="p">():</span> <span class="c1"># Define parameters for the instance </span> <span class="n">instance_params</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">ImageId</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">12345</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">InstanceType</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">t2.micro</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">KeyName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">key</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">MinCount</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">'</span><span class="s">MaxCount</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span> <span class="p">}</span> <span class="c1"># Create the EC2 instance </span> <span class="n">instances</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">create_instances</span><span class="p">(</span><span class="o">**</span><span class="n">instance_params</span><span class="p">)</span> <span class="c1"># Wait for the instance to be in running state </span> <span class="n">instance</span> <span class="o">=</span> <span class="n">instances</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">while</span> <span class="n">instance</span><span class="p">.</span><span class="n">state</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="sh">'</span><span class="s">running</span><span class="sh">'</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="c1"># Wait for 5 seconds before checking again </span> <span class="n">instance</span><span class="p">.</span><span class="nf">reload</span><span class="p">()</span> <span class="c1"># Reload the instance object to get the latest state </span> <span class="c1"># Return the instance state </span> <span class="k">return</span> <span class="n">instance</span> <span class="k">def</span> <span class="nf">create_dynamodb_table_and_put_item</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> Create a DynamoDB table and put an item in it. </span><span class="sh">"""</span> <span class="c1"># Create a DynamoDB table </span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nf">create_table</span><span class="p">(</span> <span class="n">TableName</span><span class="o">=</span><span class="sh">'</span><span class="s">AMI_Table</span><span class="sh">'</span><span class="p">,</span> <span class="n">KeySchema</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span><span class="sh">'</span><span class="s">AttributeName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">KeyType</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">HASH</span><span class="sh">'</span><span class="p">}</span> <span class="p">],</span> <span class="n">AttributeDefinitions</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span><span class="sh">'</span><span class="s">AttributeName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">AttributeType</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">N</span><span class="sh">'</span><span class="p">}</span> <span class="p">],</span> <span class="n">ProvisionedThroughput</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">ReadCapacityUnits</span><span class="sh">'</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="sh">'</span><span class="s">WriteCapacityUnits</span><span class="sh">'</span><span class="p">:</span> <span class="mi">5</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># Wait for the table to be created (this is important!) </span> <span class="n">table</span><span class="p">.</span><span class="nf">wait_until_exists</span><span class="p">()</span> <span class="c1"># Get the table resource </span> <span class="n">get_table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="sh">'</span><span class="s">AMI_Table</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Put item in the table </span> <span class="n">get_table</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span> <span class="n">Item</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">'</span><span class="s">PK</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Partition_Key</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">REGION_AMI_ID</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ami-123</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">AMI_State</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Create_AMI</span><span class="sh">"</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <p>Below is another script that tests against the production code. This script has only one test, which tests the <code>create_ec2_instance()</code> function to see if the instance ends up in the <code>running</code> state.</p> <p><strong>File: test_aws.py</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">moto</span> <span class="kn">import</span> <span class="n">mock_aws</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">aws</span> <span class="kn">import</span> <span class="n">create_ec2_instance</span><span class="p">,</span> <span class="n">create_dynamodb_table_and_put_item</span> <span class="nd">@mock_aws</span> <span class="k">def</span> <span class="nf">test_create_ec2_instance</span><span class="p">():</span> <span class="c1"># Create the instance </span> <span class="n">instance</span> <span class="o">=</span> <span class="nf">create_ec2_instance</span><span class="p">()</span> <span class="c1"># Assert that the instance is in a running state </span> <span class="k">assert</span> <span class="n">instance</span><span class="p">.</span><span class="n">state</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">running</span><span class="sh">'</span> </code></pre> </div> <p><strong>Check current coverage percentage</strong><br> Below is how much coverage my current script has (see pytest-cov configuration <a href="https://pytest-cov.readthedocs.io/en/latest/config.html#reference" rel="noopener noreferrer">references</a> to understand what each argument means):</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>pytest <span class="nt">--cov</span><span class="o">=</span>aws <span class="nt">--cov-report</span><span class="o">=</span>xml <span class="nt">--cov-report</span><span class="o">=</span>term Name Stmts Miss Cover <span class="nt">----------------------------</span> aws.py 17 4 76% <span class="nt">----------------------------</span> TOTAL 17 4 76% Coverage XML written to file coverage.xml </code></pre> </div> <p>A 76% coverage.<br> While this is nice, it isn't great.</p> <p><strong>Check the missed line in the coverage.xml file</strong></p> <p>These lines belong to the imported function that was not executed during the initial test.</p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code> <span class="nt">&lt;line</span> <span class="na">number=</span><span class="s">"35"</span> <span class="na">hits=</span><span class="s">"0"</span><span class="nt">/&gt;</span> <span class="nt">&lt;line</span> <span class="na">number=</span><span class="s">"50"</span> <span class="na">hits=</span><span class="s">"0"</span><span class="nt">/&gt;</span> <span class="nt">&lt;line</span> <span class="na">number=</span><span class="s">"53"</span> <span class="na">hits=</span><span class="s">"0"</span><span class="nt">/&gt;</span> <span class="nt">&lt;line</span> <span class="na">number=</span><span class="s">"56"</span> <span class="na">hits=</span><span class="s">"0"</span><span class="nt">/&gt;</span> </code></pre> </div> <p>For a better visual, I love the <code>coverage html</code> command. Then I navigate to the <code>htmlcov</code> folder and open the <code>aws_py.html</code> file. See below:</p> <p><strong>File: htmlcov/aws_py.html</strong></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fekzuaow260w8ruciqcw2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fekzuaow260w8ruciqcw2.png" alt="htmlcov/aws_py.html"></a></p> <p>Now, you can go ahead and write tests for each line to increase the coverage, however, if this is a large codebase, it’s exhausting too.</p> <p><strong>Run Cover-Agent</strong><br> I am adjusting the coverage from 76% to 77%, so the AI can increase it to 100% by itself. See below:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>cover-agent <span class="se">\</span> <span class="nt">--source-file-path</span> <span class="s2">"aws.py"</span> <span class="se">\</span> <span class="nt">--test-file-path</span> <span class="s2">"test_aws.py"</span> <span class="se">\</span> <span class="nt">--code-coverage-report-path</span> <span class="s2">"./coverage.xml"</span> <span class="se">\</span> <span class="nt">--test-command</span> <span class="s2">"pytest --cov=. --cov-report=xml --cov-report=term"</span> <span class="se">\</span> <span class="nt">--test-command-dir</span> <span class="s2">"./"</span> <span class="se">\</span> <span class="nt">--coverage-type</span> <span class="s2">"cobertura"</span> <span class="se">\</span> <span class="nt">--desired-coverage</span> 77 <span class="se">\</span> <span class="nt">--max-iterations</span> 5 cover_agent.main - INFO - Current Coverage: 76.47% cover_agent.main - INFO - Desired Coverage: 77% cover_agent.UnitTestGenerator - INFO - Token count <span class="k">for </span>LLM model gpt-4o: 1930 Streaming results from LLM model... Test passed and coverage increased. Current coverage: 100.0% </code></pre> </div> <p><em>Some texts from the output are removed to improve readability.</em></p> <p>A part of the output says:<br> <code>Test passed and coverage increased. Current coverage: 100.0%</code><br> So, I was impressed. But I need to be certain that it's not hallucinating.</p> <p><strong>View the new test that increased the coverage</strong></p> <p>Any new test(s) that increase the coverage are automatically added to the test file.</p> <p><strong>File: test_aws.py</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="nd">@mock_aws</span> <span class="k">def</span> <span class="nf">test_create_dynamodb_table_wait_until_exists</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> Test that the DynamoDB table waits until it exists before proceeding. This test ensures that the wait_until_exists method is called and the table is ready for operations. </span><span class="sh">"""</span> <span class="c1"># Create the DynamoDB table and put an item in it </span> <span class="nf">create_dynamodb_table_and_put_item</span><span class="p">()</span> <span class="c1"># Get the table resource </span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">'</span><span class="s">eu-west-2</span><span class="sh">'</span><span class="p">)</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="sh">'</span><span class="s">AMI_Table</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Assert that the table exists and is active </span> <span class="n">table</span><span class="p">.</span><span class="nf">wait_until_exists</span><span class="p">()</span> <span class="k">assert</span> <span class="n">table</span><span class="p">.</span><span class="n">table_status</span> <span class="o">==</span> <span class="sh">'</span><span class="s">ACTIVE</span><span class="sh">'</span> </code></pre> </div> <p><strong>Check if the test passed</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>pytest collected 2 items test_aws.py .. <span class="o">[</span>100%] <span class="o">==============</span> 2 passed <span class="k">in </span>6.78s <span class="o">===============</span> </code></pre> </div> <p><em>Some texts from the output are removed to improve readability.</em><br> And yes, it does.</p> <p><strong>See the coverage report again</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>pytest <span class="nt">--cov</span><span class="o">=</span>aws <span class="nt">--cov-report</span><span class="o">=</span>xml <span class="nt">--cov-report</span><span class="o">=</span>term Name Stmts Miss Cover <span class="nt">----------------------------</span> aws.py 17 0 100% <span class="nt">----------------------------</span> TOTAL 17 0 100% Coverage XML written to file coverage.xml </code></pre> </div> <p><em>Some texts from the output are removed to improve readability.</em></p> <p><strong>View the list of all test results</strong></p> <p>To see the full result view the <code>test_results.html</code> file in your browser.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqmoebvo5m3ghr2d4y1u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqmoebvo5m3ghr2d4y1u.png" alt="Test results"></a></p> <blockquote> <p>The image appears in low quality due to how dev.to rendered it. View the high quality image <a href="https://www.dropbox.com/scl/fi/xi0jujuf9qn8wskx11la9/Test-results.png?rlkey=4i1s839cruot23opa2gz4wq64&amp;st=fuaryspl&amp;raw=1" rel="noopener noreferrer">here</a>.</p> </blockquote> <p>Some of the tests in the table failed because coverage did not increase, but it doesn’t mean this isn’t a suitable test case.</p> <p><strong>Why did only one function improve coverage?</strong></p> <p>Now, I expected four new tests for each line missed while checking the coverage initially. But this single new test, <code>test_create_dynamodb_table_wait_until_exists()</code>, does indeed contribute to coverage beyond just the lines it explicitly touches. Here's how:</p> <ol> <li> <strong>Line 35:</strong> <code>table = dynamodb.create_table(</code> Although this was not directly executed in the test, the test indirectly verifies that the table exists and is active after creation. This implies that the creation process is happening correctly before the wait_until_exists()call. So, indirectly, the test ensures coverage for the table creation line as well.</li> <li> <strong>Line 50:</strong> <code>table.wait_until_exists()</code> This line is directly covered by the test, as it's part of the test logic.</li> <li> <strong>Line 53:</strong> <code>get_table = dynamodb.Table('AMI_Table')</code> Although the test doesn't include this line, it's indirectly tested because if this line failed, the subsequent <code>put_item()</code> call on get_table would fail, causing the test to fail.</li> <li> <strong>Line 56:</strong> <code>get_table.put_item(</code> Like line 53, this line is indirectly covered because the test verifies that the table is active and ready for operations, including putting items into it.</li> </ol> <h2> Why should you generate coverage reports? </h2> <p>Generating coverage reports is essential for several reasons:</p> <ol> <li> <strong>Code Quality Assessment:</strong> Coverage reports help in assessing the quality of your codebase by indicating which parts of your code are being exercised by tests and which are not. Higher code coverage generally indicates a more thorough test suite.</li> <li> <strong>Identifying Untested Code:</strong> It helps identify areas of your code that are not covered by tests, which may indicate potential bugs or unhandled edge cases. Just like the demo above.</li> <li> <strong>Code Reviews:</strong> Coverage reports can be useful during code reviews to ensure that new code changes are adequately tested and do not decrease overall coverage.</li> </ol> <p>Overall, generating coverage reports is a valuable practice for maintaining and improving the quality of your codebase.</p> <h2> More Reading </h2> <ul> <li><a href="https://read.engineerscodex.com/p/metas-new-llm-based-test-generator" rel="noopener noreferrer">Meta's new LLM-based test generator is a sneak peek to the future of development</a></li> <li><a href="https://github.com/Codium-ai/cover-agent" rel="noopener noreferrer">CodiumAI Cover-Agent</a></li> <li><a href="https://arxiv.org/pdf/2402.09171" rel="noopener noreferrer">Automated Unit Test Improvement using Large Language Models at Meta</a></li> </ul> testgenllm unittest codiumai python Charles Uneze Tue, 16 Jan 2024 21:49:16 +0000 https://dev.to/charlesuneze/docker-arp-analysis-guide-2fe5 https://dev.to/charlesuneze/docker-arp-analysis-guide-2fe5 <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li> Requirements <ul> <li>Install Homebrew &amp; Multipass</li> <li>Download an Ubuntu Server from Multipass</li> <li>Go to the Shell of the Ubuntu Server</li> <li>Install Docker</li> <li>Mount a Local Folder to an Ubuntu Directory</li> <li>Verify Ubuntu Server Installation</li> <li>Install Wireshark</li> </ul> </li> <li> Architecture Deployment Guide <ul> <li>Enter into the Shell of the Ubuntu Server Again</li> <li>Create a New Network</li> <li>Verify Network</li> <li>Pull Alpine Image</li> <li>Listen for ARP Packets in each Bridge</li> <li>Create 2 Containers in the Default Bridge, Also Connect Them to the Custom Bridge</li> <li>Send Pings to the Internet From the First Interface</li> <li>Send Pings to the Internet From the Second Interface</li> <li>View Mac Addresses of Each Bridge Interface</li> <li>View Mac Addresses of Each Container Interface</li> <li>End ARP Packet Capture 1</li> <li>End ARP Packet Capture 2</li> <li>Move the Files to the Local Directory</li> </ul> </li> <li> View Packet Captures <ul> <li>Docker0 Bridge Interface</li> <li>Docker1 Bridge Interface</li> </ul> </li> <li> Clean-Up <ul> <li>Stop and Remove the Container</li> <li>Delete Custom Bridge</li> <li>Verify Network List</li> <li>Stop Ubuntu Server</li> </ul> </li> <li>Conclusion</li> <li>Resources</li> </ul> <blockquote> <p>Read this as <a href="http://docker-network.readthedocs.io/" rel="noopener noreferrer">technical documentation</a> instead.</p> </blockquote> <h2> Introduction </h2> <p>I've been immersing myself in CI/CD pipeline studies lately, and now that I've gotten a good grasp of it, I can finally dedicate my full attention to understanding container technologies. To start, I decided to focus on networking, which is the stack I'm most familiar with.<br> In this simple how-to guide, I'll walk you through observing the Address Resolution Protocol (ARP) in action within a Docker environment.<br> An Address Resolution Protocol(ARP) allows a container to learn the MAC address of another device (in this lab, it’s the bridge and other containers) dynamically.<br> Without an ARP, a ping between containers, external networks, or even a web request between containers and other devices fails.</p> <h2> Requirements </h2> <p>I recently made the switch to a Mac and found using <a href="https://multipass.run/" rel="noopener noreferrer">Multipass</a> from Canonical simpler than spinning up a VM with tools like Virtualbox. However, when it comes to container networking labs, non-Linux systems are not recommended. While I downloaded Docker Desktop for Mac, I had trouble seeing all the Docker network interfaces.<br> For Windows users, I will advise you to use WSL2 instead, it’s easier to deploy and manage compared to having to use a virtual machine like Virtualbox.<br> Keep in mind that the Ubuntu installation requirement is only for Mac and Linux users. This guide will use three terminal tabs throughout.</p> <h3> Install Homebrew and Multipass </h3> <p>Download <a href="https://brew.sh/" rel="noopener noreferrer">Homebrew</a></p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Mac/Linux</span> /bin/bash <span class="nt">-c</span> <span class="s2">"</span><span class="si">$(</span>curl <span class="nt">-fsSL</span> https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh<span class="si">)</span><span class="s2">"</span> </code></pre> </div> <p>Download Multipass</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Mac/Linux</span> brew <span class="nb">install </span>multipass </code></pre> </div> <h3> Download an Ubuntu Server from Multipass </h3> <p>This Ubuntu server will be customized to run the same specifications as an AWS EC2-T2 Micro instance type.</p> <ul> <li>1 CPU</li> <li>1 GB of RAM</li> <li>8 GB of disk</li> <li>version 22.04</li> </ul> <p>Simple and fast, right?</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Mac/Linux</span> multipass launch jammy <span class="nt">--name</span><span class="o">=</span>ubuntu <span class="nt">--cpus</span><span class="o">=</span>1 <span class="nt">--disk</span><span class="o">=</span>8G <span class="nt">--memory</span><span class="o">=</span>1G </code></pre> </div> <p><code>jammy</code> is the <a href="https://multipass.run/docs/create-an-instance#heading--create-an-instance-with-a-specific-image" rel="noopener noreferrer">image name</a> for Ubuntu server version 22.04.</p> <h3> Go to the Shell of the Ubuntu Server </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Mac/Linux</span> multipass shell ubuntu </code></pre> </div> <h3> Install Docker </h3> <p>Download <a href="https://docs.docker.com/engine/install/ubuntu/" rel="noopener noreferrer">docker</a> on the Ubuntu server.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Ubuntu</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin <span class="c"># Close this Ubuntu shell.</span> <span class="c"># Sometimes you might need to use the exit command severally</span> <span class="c"># to successfully exit the shell.</span> <span class="nb">exit</span> </code></pre> </div> <h3> Mount a Local Folder to an Ubuntu Directory </h3> <p>Mount the <code>Documents/</code> folder in your Mac, or other machine to the <code>mnt/</code> directory in the Ubuntu server running inside Multipass.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Mac/Linux</span> multipass mount /Users/apple/Documents /mnt/ </code></pre> </div> <h3> Verify Ubuntu Server Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> apple@Charles-MBP ~ % multipass info ubuntu Name: ubuntu State: Running Snapshots: 0 IPv4: 192.168.64.4 172.17.0.1 Release: Ubuntu 22.04.3 LTS Image <span class="nb">hash</span>: 9dxa2awl28c8 <span class="o">(</span>Ubuntu 22.04 LTS<span class="o">)</span> CPU<span class="o">(</span>s<span class="o">)</span>: 1 Load: 0.00 0.00 0.00 Disk usage: 2.3GiB out of 7.7GiB Memory usage: 201.4MiB out of 951.6MiB Mounts: /Users/apple/Documents <span class="o">=&gt;</span> /mnt UID map: 501:default GID map: 20:default </code></pre> </div> <h3> Install Wireshark </h3> <p>Choose your preferred machine and <a href="https://www.wireshark.org/download.html" rel="noopener noreferrer">download</a>.</p> <h2> Architecture Deployment Guide </h2> <p>I have a simple architecture that deploys two docker containers in two different subnets. In docker, you can attach one container to several subnets. This is achieved by a new interface being created and assigned to that subnet.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Funu933ml2k86emcydhj7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Funu933ml2k86emcydhj7.png" alt="architecture"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fibv48bc3mf5838htqser.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fibv48bc3mf5838htqser.png" alt="table"></a></p> <h3> Enter Into the Shell of the Ubuntu Server Again </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Mac/Linux</span> multipass shell ubuntu </code></pre> </div> <h3> Create a New Network </h3> <p>I noticed that in docker, you only specify a subnet and mask. This makes sense because if you are deploying this on AWS, a VPC will be defined already, all you need to do is create a new subnet mask for your containerized environment.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Ubuntu</span> docker network create <span class="se">\</span> <span class="nt">-o</span> com.docker.network.bridge.name<span class="o">=</span>docker1 <span class="se">\</span> <span class="nt">--subnet</span><span class="o">=</span>172.18.0.0/24 <span class="se">\</span> <span class="nt">--gateway</span><span class="o">=</span>172.18.0.253 <span class="se">\</span> custom_bridge </code></pre> </div> <h3> Verify Network </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Ubuntu</span> <span class="c"># This is a simulated command and output</span> ubuntu@ubuntu:~<span class="nv">$ </span>docker network <span class="nb">ls </span>NETWORK ID NAME DRIVER SCOPE 6e5ffkvms8c3 bridge bridge <span class="nb">local</span> <span class="k">**</span>d3b0029faed7 custom_bridge bridge <span class="nb">local</span><span class="k">**</span> e9f55dsdf605 host host <span class="nb">local </span>e9708nj5179a none null <span class="nb">local</span> </code></pre> </div> <h3> Pull Alpine Image </h3> <p>I love using Alpine Linux because it’s lightweight.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Ubuntu</span> docker pull alpine </code></pre> </div> <h3> Open a New Terminal </h3> <p>Execute this command to open a new tab. <code>"⌘ + T"</code></p> <p>Then enter the Ubuntu shell</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-2 Mac</span> multipass shell ubuntu </code></pre> </div> <h3> Listen for ARP Packets in Each Bridge </h3> <p>Now that the Ubuntu shell has been initialized, execute the below command to capture all packets.</p> <h4> docker0 </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-2 Ubuntu</span> <span class="nb">sudo </span>tcpdump <span class="nt">-i</span> docker0 <span class="nt">-w</span> capture_docker_0.pcap </code></pre> </div> <p>Open a third terminal tab <code>"⌘ + T"</code></p> <h4> docker1 </h4> <p>Execute another command to listen for all packets in the <code>docker1</code> bridge interface.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-3 Ubuntu</span> <span class="nb">sudo </span>tcpdump <span class="nt">-i</span> docker1 <span class="nt">-w</span> capture_docker_1.pcap </code></pre> </div> <h3> Create 2 Containers in the Default Bridge, Also Connect Them to the Custom Bridge </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-2 Ubuntu</span> <span class="c"># Create containers in the default bridge</span> docker run <span class="nt">-itd</span> <span class="se">\</span> <span class="nt">--name</span><span class="o">=</span>alpine1 <span class="se">\</span> <span class="nt">--ip</span><span class="o">=</span>172.17.0.2 <span class="se">\</span> alpine docker run <span class="nt">-itd</span> <span class="se">\</span> <span class="nt">--name</span><span class="o">=</span>alpine2 <span class="se">\</span> <span class="nt">--ip</span><span class="o">=</span>172.17.0.4 <span class="se">\</span> alpine <span class="c"># Connect new interfaces in the containers to another network.</span> docker network connect <span class="se">\</span> <span class="nt">--ip</span><span class="o">=</span>172.18.0.3 <span class="se">\</span> custom_bridge alpine1 docker network connect <span class="se">\</span> <span class="nt">--ip</span><span class="o">=</span>172.18.0.5 <span class="se">\</span> custom_bridge alpine2 </code></pre> </div> <h3> Send Pings to the Internet From the First Interface </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Ping google.com four times in each container from 'bridge'</span> docker <span class="nb">exec</span> <span class="nt">-it</span> alpine1 ping <span class="nt">-I</span> 172.17.0.2 <span class="nt">-c</span> 2 google.com docker <span class="nb">exec</span> <span class="nt">-it</span> alpine2 ping <span class="nt">-I</span> 172.17.0.4 <span class="nt">-c</span> 2 google.com </code></pre> </div> <h3> Send Pings to the Internet From the Second Interface </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Ping google.com four times in each container from 'bridge'</span> docker <span class="nb">exec</span> <span class="nt">-it</span> alpine1 ping <span class="nt">-I</span> 172.18.0.3 <span class="nt">-c</span> 2 google.com docker <span class="nb">exec</span> <span class="nt">-it</span> alpine2 ping <span class="nt">-I</span> 172.18.0.5 <span class="nt">-c</span> 2 google.com </code></pre> </div> <h3> View MAC Addresses of Each Bridge Interface </h3> <blockquote> <p>The Organizationally Unique Identifier (OUI) of all Docker network adapters is <strong>02:42</strong>. So expect all docker container MAC addresses to begin with that.</p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Ubuntu</span> ip <span class="nt">--brief</span> <span class="nb">link</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'docker0|docker1'</span> | <span class="nb">awk</span> <span class="s1">'{print $1, $3}'</span> </code></pre> </div> <p>Output</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker0 02:42:28:a8:cb:f5 docker1 02:42:7c:61:6d:f0 </code></pre> </div> <h3> View Mac Addresses of Each Container Interface </h3> <h4> bridge </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-1 Ubuntu</span> docker network inspect bridge <span class="nt">--format</span> <span class="s1">'{{range .Containers}}{{.Name}}: {{.MacAddress}}{{"\n"}}{{end}}'</span> </code></pre> </div> <p>Output-1</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> alpine1: 02:42:ac:11:00:02 alpine2: 02:42:ac:11:00:03 </code></pre> </div> <h4> custom_bridge </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Terminal-2 Ubuntu</span> docker network inspect custom_bridge <span class="nt">--format</span> <span class="s1">'{{range .Containers}}{{.Name}}: {{.MacAddress}}{{"\n"}}{{end}}'</span> </code></pre> </div> <p>Output-2</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>alpine1: 02:42:ac:12:00:03<br> alpine2: 02:42:ac:12:00:05</p> </code></pre> </div> <h3> <br> <br> <br> End ARP Packet Capture 1<br> </h3> <br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p><span class="c"># Terminal-2 Ubuntu</span><br> <span class="s2">"control + c"</span></p> </code></pre> </div> <h3> <br> <br> <br> End ARP Packet Capture 2<br> </h3> <br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p><span class="c"># Terminal-3 Ubuntu</span><br> <span class="s2">"control + c"</span></p> </code></pre> </div> <h3> <br> <br> <br> Move the Files to the Local Directory<br> </h3> <p>The captured packet files will be moved to the local directory so they can be viewed and analyzed using Wireshark.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p><span class="c"># Terminal-1, 2, or 3 Ubuntu</span><br> <span class="nb">mv </span>capture_docker_0.pcap /mnt<br> <span class="nb">mv </span>capture_docker_1.pcap /mnt</p> </code></pre> </div> <h3> <br> <br> <br> View Packet Captures<br> </h3> <h4> Docker0 Bridge Interface </h4> <p>Now I located and opened the packet capture.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrg7ypzkl8lnsldzojpg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrg7ypzkl8lnsldzojpg.png" alt="docker0"></a></p> <p>We noticed something interesting: The default MAC addresses of <code>alpine1: 02:42:ac:11:00:02</code>, and <code>alpine2: 02:42:ac:11:00:03</code>, were requesting the MAC address for the bridge's interface, <code>docker0: 02:42:28:a8:cb:f5</code>, to send an Ethernet frame to <code>google.com</code>. The bridge's interface was used as the next hop.</p> <p>We also see that the DNS name server lookup for <code>google.com</code> could be possible only after an ARP reply from <code>docker0: 02:42:28:a8:cb:f5</code>. </p> <h4> Docker1 Bridge Interface </h4> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiixiinskrgfsjv17klix.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiixiinskrgfsjv17klix.png" alt="docker1"></a></p> <p>The same also applies here. the custom MAC addresses of <code>alpine1: 02:42:ac:12:00:03</code>, and <br> <code>alpine2: 02:42:ac:12:00:05</code> were requesting the mac-address for the bridge’s interface <code>docker1: 02:42:7c:61:6d:f0</code> so it can send an ethernet frame destined to <code>google.com</code>. The bridge’s interface is used as the next hop. </p> <blockquote> <p>Go to, View Mac Addresses of Each Bridge Interface and View Mac Addresses of Each Container Interface to confirm the mac-addresses of each device when analyzing the packet capture.</p> </blockquote> <h2> Clean-Up </h2> <h3> Stop and Remove the Container </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>docker stop alpine1 alpine2<br> docker <span class="nb">rm </span>alpine1 alpine2</p> </code></pre> </div> <h3> <br> <br> <br> Delete Custom Bridge<br> </h3> <br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>docker network <span class="nb">rm </span>custom_bridge</p> </code></pre> </div> <h3> <br> <br> <br> Verify Network List<br> </h3> <br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>root@ubuntu:/home/ubuntu# docker network <span class="nb">ls<br> </span>NETWORK ID NAME DRIVER SCOPE<br> 2eabde4e866c bridge bridge <span class="nb">local<br> </span>e9f54b21c605 host host <span class="nb">local<br> </span>e9708605179a none null <span class="nb">local</span></p> </code></pre> </div> <h3> <br> <br> <br> Stop Ubuntu Server<br> </h3> <br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>multipass stop ubuntu</p> </code></pre> </div> <h2> <br> <br> <br> Conclusion<br> </h2> <p>Now, I understand that everyone can't stop talking about Kubernetes, but a lot of senior engineers have advised that it'd be best to learn docker before picking kubernetes up. Though I've played with Kubernetes severally, I struggled. However, each new day I keep spending with docker makes understanding kubernetes a piece of cake. This guide serves as a strong foundation for analyzing ARP packets in containers.</p> <h2> Resources </h2> <p>I enjoyed these two articles from Hank Preston, a principal engineer at Cisco. The last one is from me.</p> <ul> <li><a href="https://blogs.cisco.com/learning/exploring-default-docker-networking-part-1#:~:text=With%20those%20basics%20covered%2C%20let%27s,that%20uses%20the%20bridge%20driver." rel="noopener noreferrer">Exploring Default Docker Networking Part 1</a></li> <li><a href="https://blogs.cisco.com/learning/exploring-default-docker-networking-part-2" rel="noopener noreferrer">Exploring Default Docker Networking Part 2</a></li> <li> <a href="https://charlesuneze.substack.com/p/a-routers-intimacy-with-mac-addresses" rel="noopener noreferrer">A Routers Intimacy With MAC Addresses</a> (I wrote this a few years ago. It discusses ARP and ICMP in a Cisco environment.)</li> </ul> docker networking ubuntu multipass Charles Uneze Sun, 03 Dec 2023 13:09:12 +0000 https://dev.to/charlesuneze/codiumai-pr-agent-dominates-the-dev-world-with-versatility-and-open-source-power-2gl https://dev.to/charlesuneze/codiumai-pr-agent-dominates-the-dev-world-with-versatility-and-open-source-power-2gl <p>In the fast-paced world of software development, where every line of code matters, effective collaboration is non-negotiable. Yet, the often-overlooked practice of thorough pull request documentation can hinder the clarity and efficiency crucial to a project’s success. </p> <p><a href="https://www.codium.ai/products/git-plugin/">CodiumAI PR-agent (Git Plugin)</a> is an automatic action tool that responds to <strong>pull request (PR)</strong> events in or to your repository; PR created, PR merged, Issues Created, and Labels created.</p> <p>In this article, we explore how this solution empowers developers, streamlines workflows, and elevates the collaborative coding experience, in comparison to the GitHub Co-pilots PR solution.</p> <h1> Key Features </h1> <p>To describe some of these features, I’ll use a recently <a href="https://github.com/Codium-ai/pr-agent/pull/490">merged pull request</a> I made to the <a href="https://codium.ai/">CodiumAI</a> PR agent project. A live scenario like that makes it easy to understand.</p> <h3> <strong>Auto Description (<code>/describe</code>) Prompt</strong>: </h3> <p>I made a PR to the CodiumAI PR agent project on GitHub. The maintainer wanted to properly format the PR message I made, so he queried the agent via the <code>/describe</code> prompt.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fizc2hoozcrr4i292z73s.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fizc2hoozcrr4i292z73s.png" alt="Image description" width="800" height="157"></a></p> <blockquote> <p>Prompt made by an Open Source Maintainer</p> </blockquote> <p>This prompt generated a description of the PR. It contains the following: <em>title, type, description, main files walkthrough, and labels.</em> It also edited my initial comment.<br> <em><strong>1) Title</strong></em><br> The <strong>Title</strong> of the PR is renamed when the prompt <code>/describe</code> is called. Below we can see the before and after effects of this.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkqvqei29lg4m2ptnsxg6.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkqvqei29lg4m2ptnsxg6.jpeg" alt="Image description" width="800" height="172"></a><br> <strong><em>2) Type</em></strong><br> This is the label name. The <em>“Refactoring”</em> label name was used because, in the commit I made, I was restructuring the code to improve its readability<br> <strong><em>3) Description</em></strong><br> This is a summary of the PR.<br> <strong><em>4) Main Files Walkthrough</em></strong><br> This provides a closer explanation of what was changed in the file I committed in this PR.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7v1nddh4ih1orpxdenjc.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7v1nddh4ih1orpxdenjc.jpeg" alt="Image description" width="800" height="525"></a></p> <blockquote> <p>Contributors' comments were edited due to the prompt</p> </blockquote> <p><strong><em>5) Labels</em></strong><br> This labels the PR properly.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp0s8zzu3zomhzyol5pbl.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp0s8zzu3zomhzyol5pbl.jpeg" alt="Image description" width="800" height="145"></a></p> <h3> <strong>Question Answering (<code>/ask ...</code>) Prompt</strong>: </h3> <p>This allows a maintainer to question the commit more to be sure if it's worth a merge.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F91ck94wk6lbjifl5do99.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F91ck94wk6lbjifl5do99.png" alt="Image description" width="800" height="522"></a><br> In this PR I opened, the maintainer asked more questions, and when he was satisfied, he merged the PR. This is a real-world implementation and it's amazing how the agent provided great feedback.</p> <h3> <strong>Update Changelog (<code>/update_changelog</code>) Prompt</strong>: </h3> <p>This prompt updates the change log file in the repository. A change log file, often named <strong>CHANGELOG.md</strong> in a repository, tracks and describes version-specific updates, like new features or bug fixes, aiding users and contributors.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fja6sedj5d55ij40swizz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fja6sedj5d55ij40swizz.png" alt="Image description" width="800" height="538"></a></p> <h3> <strong>Auto Review (<code>/review</code>) Prompt</strong>: </h3> <p>This is similar to the /describe prompt but with an extra description.</p> <ul> <li>It reviews if relevant tests are added to the code. If it is a simple .md file used for documentation or a .txt file used for outlining dependencies to be installed, no tests are required.</li> <li>It also scales how deep it needs to review a commit depending on whether it is documentation or actual code.</li> <li>It reviews the code for security issues and recommends a fix if a flaw is found. <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyhdg9xzd08ltullu0b5o.jpeg" alt="Image description" width="800" height="182"> <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh8qaya0qsinai0k0paob.jpeg" alt="Image description" width="800" height="571"> </li> </ul> <h3> <strong>Code Suggestions (<code>/improve</code>)</strong>: </h3> <p>This prompt suggests the best of what other developers have figured. It comes as a suggestion, and then you have choices:</p> <ul> <li>Commit the suggestions you are given.</li> <li>Address the suggestion by resolving it. <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffodl5crga3t54w52tn5q.jpeg" alt="Image description" width="800" height="168"> <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv7s0yjydi0bvi7xtyyh5.jpeg" alt="Image description" width="800" height="605"> Here the PR agent suggested I use a later version of the Python Request library.</li> </ul> <blockquote> <p>In a real-world use case, it's important to ensure that a new version committed is compatible with the existing codebase and that it doesn't introduce any breaking changes or conflicts with other dependencies.</p> </blockquote> <h3> <strong>Generate Custom Labels (<code>/generate_labels</code>) Prompt</strong>: </h3> <p>The outcome of this prompt is similar to a part of the result in the <code>/describe</code> prompt; therefore, add labels.<br> In the below example, an <code>enhancement</code> label was added because I committed a suggestion made by the agent via the <code>/improve</code> prompt.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu1hu8yt1v3a5jzxtoze9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu1hu8yt1v3a5jzxtoze9.png" alt="Image description" width="800" height="260"></a></p> <h3> <strong>Add Documentation (<code>/add_docs</code>) Prompt</strong>: </h3> <p>This prompt suggests the necessary documentation for the commit.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fha7df3qb0zld4ss0i13o.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fha7df3qb0zld4ss0i13o.png" alt="Image description" width="800" height="188"></a><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fue946f303ccw2ak4r804.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fue946f303ccw2ak4r804.png" alt="Image description" width="686" height="362"></a><br> I ended up using this suggestion.</p> <h3> <strong>Find Similar Issue (<code>/similar_issue</code>) Prompt</strong>: </h3> <p>This prompt suggests similar open issues in the repository.<br> In the below example, a user opened an <a href="https://github.com/Codium-ai/pr-agent/issues/207">issue</a> about inconsistencies in the Bitbucket documentation section of the CodiumAI PR agent. To find similar issues in the repository, one of the maintainers issued a <code>/similar_issue</code> prompt. One similar documentation issue here is the <em>“1. [GITLAB] Installation Guide for GitLab please?”</em><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu8kgoxd38o00toh50x3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu8kgoxd38o00toh50x3.png" alt="Image description" width="800" height="632"></a></p> <h1> Comparative Analysis: CodiumAI vs. GitHub Copilot </h1> <p>In the dynamic landscape of collaborative coding, CodiumAI PR-Agent, and GitHub Copilot PR emerge as notable contenders, each with its unique strengths and characteristics.</p> <p><strong>CodiumAI PR-Agent:</strong></p> <ul> <li>Excels with a comprehensive set of commands, providing developers with enhanced control over pull requests.</li> <li>Showcases platform flexibility, operating seamlessly across various environments beyond GitHub.</li> <li>Boasts an open-source model, fostering transparency and community engagement.</li> <li>It offers versatility by being available not only in Git but also in IDEs like VScode and IntelliJ IDEA.</li> <li>The commands are free for developers.</li> </ul> <p><strong>GitHub Copilot:</strong></p> <ul> <li>Stands out for its strong focus on code generation within the GitHub environment.</li> <li>Currently features a more limited set of commands; summarizing pull requests, but plans to expand in the future.</li> <li>It is primarily confined to the GitHub ecosystem.</li> <li>Operates with a closed-source model, potentially limiting visibility into the development process.</li> <li>The commands are only free for 30 days; afterward, they are available in a paid plan.</li> </ul> <p><strong>Comparative Conclusion:</strong><br> For developers seeking a robust, all-encompassing solution with a diverse command toolkit, platform flexibility, and transparency, CodiumAI PR-Agent proves to be a superior choice. Its open-source nature and compatibility with various environments provide a more versatile and collaborative coding experience. While GitHub Copilot excels in certain aspects, developers may find CodiumAI PR-Agent better suited for projects requiring broader functionality, flexibility, and community engagement. Ultimately, the choice between the two depends on specific project requirements and preferences in the collaborative coding journey.</p> <h1> Community Impact </h1> <h2> How Open Source Projects Use It </h2> <p><a href="https://codium.ai/">CodiumAI</a> PR-Agent’s influence extends deeply within open-source projects. An exemplary illustration is <a href="https://kubescape.io/">Kubescape</a>, a Cloud Native Computing Foundation (CNCF) sandbox project. Since its adoption in <a href="https://github.com/kubescape/kubescape/commit/f36d8c31b021755784205d5873fe62c0ce277d4f">August</a>, Kubescape has been utilizing the PR-Agent service. They also recently had a public <a href="https://www.codium.ai/bug-bounty-collaboration/Kubescape">bug bounty</a> collaboration with CodiumAI. This program added an extra layer of community-driven scrutiny, encouraging contributors to utilize simple commands like <code>/describe</code> for effective <a href="https://github.com/kubescape/kubescape/pull/1534">pull request</a> messages.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjjfygc5abfl3mb0woe20.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjjfygc5abfl3mb0woe20.png" alt="Image description" width="800" height="542"></a><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fftu9kjheciwn59xs4cvf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fftu9kjheciwn59xs4cvf.png" alt="Image description" width="800" height="251"></a><br> Here the contributor wanted to better describe the PR, so he used the <code>/describe</code> prompt.</p> <h1> Challenges and Solutions: CodiumAI PR-Agent </h1> <ol> <li> <strong>Learning Curve:</strong> <ul> <li> <strong>Challenge:</strong> Initial complexity in understanding diverse commands.</li> <li> <strong>Solution:</strong> Provide user-friendly documentation, tutorials, and community support.</li> </ul> </li> <li> <strong>Compatibility Issues:</strong> <ul> <li> <strong>Challenge:</strong> Integrating with diverse repositories may pose compatibility challenges.</li> <li> <strong>Solution:</strong> Regularly update for compatibility, and encourage prompt issue reporting.</li> </ul> </li> <li> <strong>Command Understanding:</strong> <ul> <li> <strong>Challenge:</strong> Users may find nuances in commands challenging. Like understanding when and where to apply certain commands based on the specific context of a pull request.</li> <li> <strong>Solution:</strong> Enhance command explanations, offer contextual help, and provide examples.</li> </ul> </li> <li> <strong>Community Engagement:</strong> <ul> <li> <strong>Challenge:</strong> Ensuring sustained community involvement.</li> <li> <strong>Solution:</strong> Implement bug bounties, feature requests, and collaborative projects. Communicate updates and involve the community in decisions.</li> </ul> </li> <li> <strong>Security Concerns:</strong> <ul> <li> <strong>Challenge:</strong> Addressing security concerns in an open-source environment.</li> <li> <strong>Solution:</strong> Conduct regular security audits, encourage responsible disclosure, and maintain transparent communication channels.</li> </ul> </li> <li> <strong>Limited Platform Awareness:</strong> <ul> <li> <strong>Challenge:</strong> Users may not be fully aware of platform availability.</li> <li> <strong>Solution:</strong> Improve visibility through clear documentation, platform-specific guides, and marketing efforts.</li> </ul> </li> <li> <strong>Command Evolution:</strong> <ul> <li> <strong>Challenge:</strong> Evolving commands without overwhelming users.</li> <li> <strong>Solution:</strong> Prioritize user feedback, conduct usability testing, and communicate updates.</li> </ul> </li> </ol> <h1> Future Roadmap </h1> <ul> <li> <strong>Repository Control Configuration:</strong> The new feature builds upon GitHub Actions’ existing configurability, allowing users to refine and tailor the behavior of CodiumAI PR-Agent within their private repositories. This enhancement provides organizations with a more granular approach to managing collaborative coding processes while maintaining the flexibility to choose the level of automation that suits their workflow.</li> </ul> <h2> Conclusion: Why CodiumAI PR-Agent Dominates the Dev World with Versatility and Open-Source Power </h2> <p>In summary, <a href="https://codium.ai/">CodiumAI</a> PR-Agent is a versatile and open-source tool that empowers developers and enhances collaboration in software development. With features like auto description, question answering, update changelog, and code suggestions, it provides comprehensive support for pull requests. Compared to GitHub Copilot, CodiumAI PR-Agent offers platform flexibility and transparency. Despite challenges, it continues to evolve with a future roadmap focused on repository control configuration and advanced testing integration. Overall, CodiumAI PR-Agent is a dominant force in the development world.</p> codiumai opensource githubcopilot pullrequest Charles Uneze Sat, 21 Oct 2023 08:03:31 +0000 https://dev.to/charlesuneze/automating-aws-image-management-using-serverless-python-and-nosql-30mc https://dev.to/charlesuneze/automating-aws-image-management-using-serverless-python-and-nosql-30mc <p>AWS provides managed SSM documents for specific actions which you can add to your maintenance window tasks. However, there are cases where you need a custom action, such as this one. </p> <p>This blog post will discuss a Python script that leverages AWS serverless and NoSQL database services to automate the creation and deletion of an AMI whose instance had just been patched using SSM. We'll explore how the script manages state sharing between functions and stores state information in a DynamoDB table, all while ensuring that your AMIs are maintained seamlessly.</p> <h2> Understanding State Sharing Generally </h2> <p>State sharing in Python allows multiple functions to access and modify shared data, enabling them to communicate and coordinate using a common state. Here's a concise Python example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Shared global variable </span><span class="n">shared_counter</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># Function to increment </span><span class="k">def</span> <span class="nf">increment_counter</span><span class="p">():</span> <span class="k">global</span> <span class="n">shared_counter</span> <span class="n">shared_counter</span> <span class="o">+=</span> <span class="mi">1</span> <span class="c1"># Function to get the value </span><span class="k">def</span> <span class="nf">get_counter_value</span><span class="p">():</span> <span class="k">return</span> <span class="n">shared_counter</span> <span class="c1"># Example usage </span><span class="nf">increment_counter</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="nf">get_counter_value</span><span class="p">())</span> <span class="c1"># Output: 1 </span><span class="nf">increment_counter</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="nf">get_counter_value</span><span class="p">())</span> <span class="c1"># Output: 2 </span></code></pre> </div> <p>In this code, <code>shared_counter</code> is a global variable, shared between functions for data sharing and coordination.</p> <h2> Understanding State Sharing in my Script </h2> <p>State sharing in the main script is achieved through a global variable called <code>image_id</code>. This variable is accessible and modifiable by multiple functions, allowing them to share and update the same state information, such as the currently active AMI. This facilitates the automation of AMI creation and deletion while maintaining a consistent state across functions.</p> <h2> The Script </h2> <p>The script starts by initializing AWS clients with Boto3. It creates clients for EC2 (<code>ec2</code>) and DynamoDB (<code>dynamo</code>) to handle AWS services. A DynamoDB table named <code>AMI_Table</code> is defined with a partition key structure for item identification.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="c1"># Initialize the AWS clients </span><span class="n">ec2</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ec2</span><span class="sh">'</span><span class="p">)</span> <span class="n">dynamo</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> <span class="n">table_name</span> <span class="o">=</span> <span class="sh">'</span><span class="s">AMI_Table</span><span class="sh">'</span> <span class="n">key</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">PK</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Partition_Key</span><span class="sh">'</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The table format<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiwiz3yrb0171q0gxgtzl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiwiz3yrb0171q0gxgtzl.png" alt="AMI_Table" width="249" height="97"></a></p> <h3> Storing State in DynamoDB </h3> <p>State management is crucial in any automation process, and DynamoDB serves as an excellent choice for this task. In this script, state information, specifically the <code>image_id</code>, is stored in the DynamoDB table. </p> <p>The script retrieves the <code>image_id</code> from the DynamoDB table, which acts as the identifier for the currently active AMI. This is the key to maintaining state information across multiple function invocations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Get ami_id value from dynamodb AMI_Table </span><span class="n">get_ami_id</span> <span class="o">=</span> <span class="n">dynamo</span><span class="p">.</span><span class="nf">get_item</span><span class="p">(</span><span class="n">TableName</span><span class="o">=</span><span class="n">table_name</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Pass the value to a new variable </span><span class="n">image_id</span> <span class="o">=</span> <span class="n">get_ami_id</span><span class="p">[</span><span class="sh">'</span><span class="s">Item</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">AMI_ID</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <h3> AMI Creation </h3> <p>The script defines a function <code>create_ami(InstanceId)</code> for creating a new AMI. It takes an EC2 <code>InstanceId</code> as input, and here's how it works:</p> <ul> <li>It creates a new AMI based on the provided <code>InstanceId</code> using the <code>ec2.create_image</code> function.</li> <li>The <code>current_time</code> is used to generate a unique name for the new AMI.</li> <li>The script updates the <code>image_id</code> global variable with the newly created AMI's ID.</li> <li>It stores the <code>image_id</code> value in the DynamoDB table to maintain the state. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">create_ami</span><span class="p">(</span><span class="n">InstanceId</span><span class="p">):</span> <span class="c1"># Declare image_id as a global variable </span> <span class="k">global</span> <span class="n">image_id</span> <span class="c1"># Get the current time to use as the AMI name </span> <span class="n">current_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m- %d-%H-%M-%S</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">InstanceId</span><span class="p">:</span> <span class="n">create_image</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">create_image</span><span class="p">(</span> <span class="n">InstanceId</span><span class="o">=</span><span class="n">InstanceId</span><span class="p">,</span> <span class="c1"># Use the current time as the image name </span> <span class="n">Name</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">current_time</span><span class="si">}</span><span class="s">_AMI</span><span class="sh">'</span> <span class="p">)</span> <span class="c1"># Update the global image_id variable </span> <span class="n">image_id</span> <span class="o">=</span> <span class="n">create_image</span><span class="p">[</span><span class="sh">'</span><span class="s">ImageId</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Store the image_id value as a state in a dynamodb ami_table </span> <span class="n">update_ami_id</span> <span class="o">=</span> <span class="n">dynamo</span><span class="p">.</span><span class="nf">update_item</span><span class="p">(</span> <span class="n">TableName</span><span class="o">=</span><span class="n">table_name</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">,</span> <span class="c1"># (:) in :image_id is used to define a placeholder for </span> <span class="c1"># attribute name or a value that will be set. </span> <span class="n">UpdateExpression</span><span class="o">=</span><span class="sh">"</span><span class="s">SET AMI_ID = :image_id</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Use :image_id as a placeholder, its actual value is desired_state. </span> <span class="n">ExpressionAttributeValues</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">:image_id</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">image_id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># Return the value so when the function is passed to a variable, a value exists. </span> <span class="k">return</span> <span class="n">image_id</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">InstanceId not found.</span><span class="sh">"</span> </code></pre> </div> <h3> AMI Deletion </h3> <p>Another function, <code>delete_ami(image_id)</code>, is responsible for deleting the existing AMI. It follows these steps:</p> <ul> <li>Deregister the current AMI using <code>ec2.deregister_image</code>.</li> <li>Retrieve the snapshot associated with the AMI and delete it. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">delete_ami</span><span class="p">(</span><span class="n">image_id</span><span class="p">):</span> <span class="c1"># Deregister the AMI </span> <span class="n">deregister_ami</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">deregister_image</span><span class="p">(</span><span class="n">ImageId</span><span class="o">=</span><span class="n">image_id</span><span class="p">)</span> <span class="c1"># Get the snapshot ID associated with the AMI </span> <span class="n">ami_info</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">describe_images</span><span class="p">(</span><span class="n">ImageIds</span><span class="o">=</span><span class="p">[</span><span class="n">image_id</span><span class="p">])</span> <span class="n">snapshot_id</span> <span class="o">=</span> <span class="n">ami_info</span><span class="p">[</span><span class="sh">'</span><span class="s">Images</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">BlockDeviceMappings</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">Ebs</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">SnapshotId</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Delete the associated snapshot </span> <span class="n">delete_snapshot</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">delete_snapshot</span><span class="p">(</span><span class="n">SnapshotId</span><span class="o">=</span><span class="n">snapshot_id</span><span class="p">)</span> </code></pre> </div> <h3> Updating State </h3> <p>The <code>update_state(desired_state)</code> function is used to update the state in the DynamoDB table. This function is essential for transitioning between creating and deleting AMIs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">update_state</span><span class="p">(</span><span class="n">desired_state</span><span class="p">):</span> <span class="n">get_ami_state</span> <span class="o">=</span> <span class="n">dynamo</span><span class="p">.</span><span class="nf">get_item</span><span class="p">(</span><span class="n">TableName</span><span class="o">=</span><span class="n">table_name</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Update the value of AMI_state </span> <span class="n">dynamo</span><span class="p">.</span><span class="nf">update_item</span><span class="p">(</span> <span class="n">TableName</span><span class="o">=</span><span class="n">table_name</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">,</span> <span class="c1"># (:) in :new_state is used to define a placeholder for </span> <span class="c1"># attribute name or a value that will be set. </span> <span class="n">UpdateExpression</span><span class="o">=</span><span class="sh">'</span><span class="s">SET AMI_State = :new_state</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># Use :new_state as a placeholder, its actual value is desired_state. </span> <span class="n">ExpressionAttributeValues</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">:new_state</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">desired_state</span><span class="p">}}</span> <span class="p">)</span> </code></pre> </div> <h3> Lambda Function </h3> <p>Finally, the script provides a Lambda function called <code>lambda_handler(event, context)</code> that orchestrates the entire process. It reads the current state from DynamoDB, which will be 'Create_AMI' then it executes the code block for it. At the end of it, it updates the current NoSQL state to 'Delete_AMI' so during further execution, only the code block having this state value runs.</p> <p>The script handles cases where the <code>InstanceId</code> is missing and ensures that the state is updated correctly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Read the dynamodb table </span> <span class="n">db_read</span> <span class="o">=</span> <span class="n">dynamo</span><span class="p">.</span><span class="nf">get_item</span><span class="p">(</span><span class="n">TableName</span><span class="o">=</span><span class="n">table_name</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Get the AMI State from the dynamodb table </span> <span class="n">ami_state</span> <span class="o">=</span> <span class="n">db_read</span><span class="p">[</span><span class="sh">'</span><span class="s">Item</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">AMI_State</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">ami_state</span> <span class="o">==</span> <span class="sh">'</span><span class="s">Create_AMI</span><span class="sh">'</span><span class="p">:</span> <span class="c1"># Extract the InstanceId from the event dictionary </span> <span class="n">InstanceId</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">InstanceId</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Check if InstanceId value exists </span> <span class="k">if</span> <span class="n">InstanceId</span><span class="p">:</span> <span class="c1"># Call the create_ami function and pass the InstanceId as a string. </span> <span class="nf">create_ami</span><span class="p">(</span><span class="n">InstanceId</span><span class="p">)</span> <span class="c1"># Update the value of AMI_state </span> <span class="nf">update_state</span><span class="p">(</span><span class="sh">'</span><span class="s">Delete_AMI</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Created new AMI: </span><span class="si">{</span><span class="n">image_id</span><span class="si">}</span><span class="sh">'</span> <span class="c1"># When InstanceId value does not exist </span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">InstanceId not found in event data.</span><span class="sh">'</span> <span class="k">elif</span> <span class="n">ami_state</span> <span class="o">==</span> <span class="sh">'</span><span class="s">Delete_AMI</span><span class="sh">'</span><span class="p">:</span> <span class="c1"># Check if image_id value exists </span> <span class="k">if</span> <span class="n">image_id</span><span class="p">:</span> <span class="c1"># Store the image_id before deletion </span> <span class="n">existing_ami_id</span> <span class="o">=</span> <span class="n">image_id</span> <span class="c1"># Delete the existing AMI </span> <span class="nf">delete_ami</span><span class="p">(</span><span class="n">existing_ami_id</span><span class="p">)</span> <span class="c1"># Extract the InstanceId from the event dictionary </span> <span class="n">InstanceId</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">InstanceId</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Call the create_ami function </span> <span class="n">new_ami_id</span> <span class="o">=</span> <span class="nf">create_ami</span><span class="p">(</span><span class="n">InstanceId</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Deleted existing AMI: </span><span class="si">{</span><span class="n">existing_ami_id</span><span class="si">}</span><span class="s"> and created a new AMI: </span><span class="si">{</span><span class="n">new_ami_id</span><span class="si">}</span><span class="sh">'</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">image_id is not set, cannot delete AMI</span><span class="sh">'</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Invalid state</span><span class="sh">'</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> </code></pre> </div> <h2> Conclusion </h2> <p>By using Python, AWS services like EC2, Lambda, DynamoDB, and careful state management, this script automates the creation and deletion of AMIs seamlessly. This can be integrated into a larger infrastructure to ensure that your EC2 instances are always based on the latest and most reliable images. If you want to add several images, you can simply modify the NoSQL AMI_ID attribute in the AMI_Table item to use a list type for its values, and then tweak the rest of the code.</p> <p>Using NoSQL databases like DynamoDB is a powerful choice for storing state information in such automation scripts. This script is a clear example of how state sharing between functions and external systems can be effectively managed to automate complex workflows.<br> Check out Lab 4 in this <a href="https://github.com/network-charles/AWS-Sys-Ops/tree/main">repo</a> to find the full codes implementation.</p> nosql python serverless aws Charles Uneze Mon, 09 Oct 2023 14:15:16 +0000 https://dev.to/charlesuneze/how-to-allow-custom-routing-traffic-in-aws-global-accelerator-with-terraform-4nhg https://dev.to/charlesuneze/how-to-allow-custom-routing-traffic-in-aws-global-accelerator-with-terraform-4nhg <p>By intelligently routing traffic, AWS Global Accelerator improves the availability and performance of applications. However, there is currently no Terraform AWS resource available to allow custom traffic routing to specific destinations in the subnet endpoint. I'll demonstrate a Terraform workaround in this post to enable this in AWS Custom Routing Global Accelerator.</p> <h2> Workaround Using Terraform </h2> <p>To allow custom routing traffic in AWS Global Accelerator, I'll leverage Terraform along with a null resource. Here's how you can do it:<br> <strong>1. Create a null resource in your Terraform code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"allow_custom_routing_traffic"</span> <span class="p">{</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">endpoint_group_arn</span> <span class="p">=</span> <span class="nx">aws_globalaccelerator_custom_routing_endpoint_group</span><span class="p">.</span><span class="nx">endpoint_group</span><span class="p">.</span><span class="nx">id</span> <span class="nx">endpoint_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">Endpoint_Subnet</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws globalaccelerator allow-custom-routing-traffic --endpoint-group-arn </span><span class="k">${</span><span class="nx">self</span><span class="p">.</span><span class="nx">triggers</span><span class="p">.</span><span class="nx">endpoint_group_arn</span><span class="k">}</span><span class="s2"> --endpoint-id </span><span class="k">${</span><span class="nx">self</span><span class="p">.</span><span class="nx">triggers</span><span class="p">.</span><span class="nx">endpoint_id</span><span class="k">}</span><span class="s2"> --allow-all-traffic-to-endpoint --region us-west-2"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>2. Apply your configuration:</strong><br> <code>terraform apply -auto-approve</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>null_resource.allow_custom_routing_traffic: Creating... null_resource.allow_custom_routing_traffic: Provisioning with 'local-exec'... null_resource.allow_custom_routing_traffic (local-exec): Executing: ["cmd" "/C" "aws globalaccelerator --region us-west-2 allow-custom-routing-traffic --endpoint-group-arn arn:aws:globalaccelerator::1234:accelerator/1234/listener/f1234/endpoint-group/1234 --endpoint-id subnet-1234 --allow-all-traffic-to-endpoint"] null_resource.allow_custom_routing_traffic: Creation complete after 8s [id=1234] </code></pre> </div> <p>The null resource is used to apply the aws-cli config.<br> For the triggers, it's assumed you already have those resources defined in your code. Also, this trigger block ensures that the null_resource will be triggered and execute the provisioner whenever either the endpoint_group_arn or the endpoint_id changes.</p> <h2> Conclusion </h2> <p>While Terraform AWS Provider does not currently provide a direct Terraform AWS resource for allowing custom routing traffic, you can work around this limitation by using a Terraform null resource, as demonstrated in this blog post. This approach allows you to gain more control over how your traffic is routed in AWS Global Accelerator, enhancing the performance and availability of your applications. <br> s/o to <a href="https://www.linkedin.com/in/andresmontalban">Andres Montalban</a> for assisting me in this.</p> aws terraform globalaccelerator Charles Uneze Sat, 11 Mar 2023 14:06:45 +0000 https://dev.to/charlesuneze/configuring-a-transit-gateway-between-3-vpcs-using-terraform-4off https://dev.to/charlesuneze/configuring-a-transit-gateway-between-3-vpcs-using-terraform-4off <p>In this post, we will be configuring 3 intra-VPC communication using Terraform.<br> We will also be gathering packet data using flow-logs and Cloudwatch.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1b7cnf9tjnazst5ckw3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1b7cnf9tjnazst5ckw3.png" alt="Image description" width="800" height="498"></a></p> <h1> Algorithm of the Infrastructure </h1> <ol> <li>Create a first, second, and third VPC</li> <li>Create first VPCs Internet Gateway</li> <li>Create a first and second subnet in the first VPC</li> <li>Specify the default NACL in the first VPC</li> <li>Specify the default security group in the first VPC, and modify. <ul> <li>Add an ingress rule for SSH and ICMP</li> <li>Add an egress rule for all protocols</li> </ul> </li> <li>Launch an instance in the first subnet, for the first VPC</li> <li>Create a Transit gateway</li> <li>Specify the default route table for the first VPC <ul> <li>Add a route destined to all IP addresses, and a target to the Internet Gateway.</li> <li>Add a route destined to the second VPC, and a target to the Transit Gateway.</li> <li>Add a route destined to the third VPC, and a target to the Transit Gateway.</li> </ul> </li> <li>Create a transit gateway attachment to the two subnets associated to the first VPC.</li> <li>Create a first and second subnet in the second VPC</li> <li>Specify the default route table for the second VPC <ul> <li>Add a route destined to the first VPC, and a target to the Transit Gateway.</li> <li>Add a route destined to the third VPC, and a target to the Transit Gateway.</li> </ul> </li> <li>Specify the default NACL in the second VPC</li> <li>Specify the default security group in the second VPC, and modify. <ul> <li>Add an ingress rule for SSH and ICMP</li> <li>Add an egress rule for all protocols</li> </ul> </li> <li>Launch an instance in the first subnet, for the second VPC </li> <li>Create a transit gateway attachment to the two subnets associated to the second VPC.</li> <li>Create a first and second subnet in the third VPC</li> <li>Specify the default route table for the third VPC <ul> <li>Add a route destined to the first VPC, and a target to the Transit Gateway.</li> <li>Add a route destined to the second VPC, and a target to the Transit Gateway.</li> </ul> </li> <li>Specify the default NACL in the third VPC</li> <li>Specify the default security group in the third VPC, and modify. <ul> <li>Add an ingress rule for SSH and ICMP</li> <li>Add an egress rule for all protocols</li> </ul> </li> <li>Launch an instance in the first subnet, for the third VPC</li> <li>Create a transit gateway attachment to the two subnets associated to the third VPC.</li> <li>Create a Transit gateway route table for the second and third VPC <ul> <li>Add a route destined to all IP addresses, which uses the first VPCs transit gateway attachment as an ingress.</li> <li>Associate the first and second transit gateway attachment to the route table so they are both used individually as egresses.</li> </ul> </li> <li>Create a Transit gateway route table for the first VPC <ul> <li>Add two routes destined to the second and third VPC, which uses the second and third VPCs transit gateway attachment as an ingress.</li> <li>Associate the first transit gateway attachment to the route table, so its used as an egress.</li> </ul> </li> <li>Create an IAM Role for flow logs</li> <li>Create an IAM Role policy for flow logs</li> <li>Create a Cloudwatch log group</li> <li>Create a flow log for the first VPC</li> </ol> <p>okay, this is a long algorithm, but this is basically how the infrastructure will be built.<br> Also, one thing I learnt about writing code for this infrastructure is the naming convention. I struggled with what to name my subnets. I decided that it was best it reflects the VPC name and its AZ, for example, <code>public_subnet_1_for_VPC_A_AZ_2A</code></p> <h2> Create a first, second, and third VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"VPC_A"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.168.0.0/16"</span> <span class="nx">instance_tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"VPC_B"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">instance_tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_B"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"VPC_C"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.1.0.0/16"</span> <span class="nx">instance_tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_C"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create first VPCs Internet Gateway </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"VPC_A_IGW"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"VPC_A_IGW"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a first and second subnet in the first VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnet_1_for_VPC_A_AZ_2A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.168.1.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"public_subnet_1_for_VPC_A_AZ_2A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnet_2_for_VPC_A_AZ_2B"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.168.2.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2b"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"public_subnet_2_for_VPC_A_AZ_2B"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default NACL in the first VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_network_acl"</span> <span class="s2">"Default_VPC_A_NACL"</span> <span class="p">{</span> <span class="nx">default_network_acl_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">default_network_acl_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"Default_VPC_A_NACL"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default security group in the first VPC, and modify. </h2> <ul> <li>Add an ingress rule for SSH and ICMP</li> <li>Add an egress rule for all protocols </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"SG_bastion"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Launch an instance in the first subnet, for the first VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"Bastion"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0b029b1931b347543"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_1_for_VPC_A_AZ_2A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"</span><span class="k">${</span><span class="nx">aws_default_security_group</span><span class="p">.</span><span class="nx">SG_bastion</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"Bastion"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a Transit gateway </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway"</span> <span class="s2">"TGW_Lab"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"the labs transit gateway"</span> <span class="nx">default_route_table_association</span> <span class="p">=</span> <span class="s2">"disable"</span> <span class="nx">default_route_table_propagation</span> <span class="p">=</span> <span class="s2">"disable"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"TGW_Lab"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default route table for the first VPC </h2> <ul> <li>Add a route destined to all IP addresses, and a target to the Internet Gateway.</li> <li>Add a route destined to the second VPC, and a target to the Transit Gateway.</li> <li>Add a route destined to the third VPC, and a target to the Transit Gateway. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_route_table"</span> <span class="s2">"VPC_A_RT"</span> <span class="p">{</span> <span class="nx">default_route_table_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">default_route_table_id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">VPC_A_IGW</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.1.0.0/16"</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_A_RT"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a transit gateway attachment to the two subnets associated to the first VPC. </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_vpc_attachment"</span> <span class="s2">"TGA_VPC_A"</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_1_for_VPC_A_AZ_2A</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_2_for_VPC_A_AZ_2B</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"TGA_VPC_A"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a first and second subnet in the second VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnet_1_for_VPC_B_AZ_2A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_B</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.2.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"public_subnet_1_for_VPC_B_AZ_2A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnet_2_for_VPC_B_AZ_2B"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_B</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.3.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2b"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"public_subnet_2_for_VPC_B_AZ_2B"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default route table for the second VPC </h2> <ul> <li>Add a route destined to the first VPC, and a target to the Transit Gateway.</li> <li>Add a route destined to the third VPC, and a target to the Transit Gateway. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_route_table"</span> <span class="s2">"VPC_B_RT"</span> <span class="p">{</span> <span class="nx">default_route_table_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_B</span><span class="p">.</span><span class="nx">default_route_table_id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.168.0.0/16"</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.1.0.0/16"</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_B_RT"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default NACL in the second VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_network_acl"</span> <span class="s2">"Default_VPC_B_NACL"</span> <span class="p">{</span> <span class="nx">default_network_acl_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_B</span><span class="p">.</span><span class="nx">default_network_acl_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"Default_VPC_B_NACL"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default security group in the second VPC, and modify. </h2> <ul> <li>Add an ingress rule for SSH and ICMP</li> <li>Add an egress rule for all protocols </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"DB_1"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_B</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Launch an instance in the first subnet for the second VPC. </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"DB_1"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0b029b1931b347543"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_1_for_VPC_B_AZ_2A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"</span><span class="k">${</span><span class="nx">aws_default_security_group</span><span class="p">.</span><span class="nx">DB_1</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"DB_1"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a transit gateway attachment to the two subnets associated to the second VPC. </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_vpc_attachment"</span> <span class="s2">"TGA_VPC_B"</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_1_for_VPC_B_AZ_2A</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_2_for_VPC_B_AZ_2B</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_B</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"TGA_VPC_A"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a first and second subnet in the third VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnet_1_for_VPC_C_AZ_2A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_C</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.1.2.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"public_subnet_1_for_VPC_C_AZ_2A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnet_2_for_VPC_C_AZ_2B"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_C</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.1.3.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2b"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"public_subnet_2_for_VPC_C_AZ_2B"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default route table for the third VPC </h2> <ul> <li>Add a route destined to the first VPC, and a target to the Transit Gateway.</li> <li>Add a route destined to the second VPC, and a target to the Transit Gateway. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_route_table"</span> <span class="s2">"VPC_C_RT"</span> <span class="p">{</span> <span class="nx">default_route_table_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_C</span><span class="p">.</span><span class="nx">default_route_table_id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.168.0.0/16"</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_C_RT"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default NACL in the third VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_network_acl"</span> <span class="s2">"Default_VPC_C_NACL"</span> <span class="p">{</span> <span class="nx">default_network_acl_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_C</span><span class="p">.</span><span class="nx">default_network_acl_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"Default_VPC_C_NACL"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default security group in the third VPC, and modify. </h2> <ul> <li>Add an ingress rule for SSH and ICMP</li> <li>Add an egress rule for all protocols </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"DB_2"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_C</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Launch an instance in the first subnet, for the third VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"DB_2"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0b029b1931b347543"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_1_for_VPC_C_AZ_2A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"</span><span class="k">${</span><span class="nx">aws_default_security_group</span><span class="p">.</span><span class="nx">DB_2</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"DB_2"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a transit gateway attachment to the two subnets associated to the third VPC. </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_vpc_attachment"</span> <span class="s2">"TGA_VPC_C"</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_1_for_VPC_C_AZ_2A</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnet_2_for_VPC_C_AZ_2B</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_C</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"TGA_VPC_C"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a Transit gateway route table for the second and third VPC </h2> <ul> <li>Add a route destined to all IP addresses, which uses the first VPCs transit gateway attachment as an ingress.</li> <li>Associate the first and second transit gateway attachment to the route table so they are both used individually as egresses. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_route_table"</span> <span class="s2">"TGW_RTB_VPC_B_C"</span> <span class="p">{</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"TGW_RTB_VPC_B_C"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_route"</span> <span class="s2">"TGW_RTB_VPC_B_C_Route_1"</span> <span class="p">{</span> <span class="nx">destination_cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">transit_gateway_attachment_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_vpc_attachment</span><span class="p">.</span><span class="nx">TGA_VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">transit_gateway_route_table_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_route_table</span><span class="p">.</span><span class="nx">TGW_RTB_VPC_B_C</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_route_table_association"</span> <span class="s2">"TGW_RTB_VPC_B_C_Association_1"</span> <span class="p">{</span> <span class="nx">transit_gateway_attachment_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_vpc_attachment</span><span class="p">.</span><span class="nx">TGA_VPC_B</span><span class="p">.</span><span class="nx">id</span> <span class="nx">transit_gateway_route_table_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_route_table</span><span class="p">.</span><span class="nx">TGW_RTB_VPC_B_C</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_route_table_association"</span> <span class="s2">"TGW_RTB_VPC_B_C_Association_2"</span> <span class="p">{</span> <span class="nx">transit_gateway_attachment_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_vpc_attachment</span><span class="p">.</span><span class="nx">TGA_VPC_C</span><span class="p">.</span><span class="nx">id</span> <span class="nx">transit_gateway_route_table_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_route_table</span><span class="p">.</span><span class="nx">TGW_RTB_VPC_B_C</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Create a Transit gateway route table for the first VPC </h2> <ul> <li>Add two routes destined to the second and third VPC, which uses the second and third VPCs transit gateway attachment as an ingress.</li> <li>Associate the first transit gateway attachment to the route table, so its used as an egress. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_route_table"</span> <span class="s2">"TGW_RTB_VPC_A"</span> <span class="p">{</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">TGW_Lab</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"TGW_RTB_VPC_A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_route"</span> <span class="s2">"TGW_RTB_VPC_A_Route_1"</span> <span class="p">{</span> <span class="nx">destination_cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">transit_gateway_attachment_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_vpc_attachment</span><span class="p">.</span><span class="nx">TGA_VPC_B</span><span class="p">.</span><span class="nx">id</span> <span class="nx">transit_gateway_route_table_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_route_table</span><span class="p">.</span><span class="nx">TGW_RTB_VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_route"</span> <span class="s2">"TGW_RTB_VPC_A_Route_2"</span> <span class="p">{</span> <span class="nx">destination_cidr_block</span> <span class="p">=</span> <span class="s2">"10.1.0.0/16"</span> <span class="nx">transit_gateway_attachment_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_vpc_attachment</span><span class="p">.</span><span class="nx">TGA_VPC_C</span><span class="p">.</span><span class="nx">id</span> <span class="nx">transit_gateway_route_table_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_route_table</span><span class="p">.</span><span class="nx">TGW_RTB_VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway_route_table_association"</span> <span class="s2">"TGW_RTB_VPC_A_Association_1"</span> <span class="p">{</span> <span class="nx">transit_gateway_attachment_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_vpc_attachment</span><span class="p">.</span><span class="nx">TGA_VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">transit_gateway_route_table_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway_route_table</span><span class="p">.</span><span class="nx">TGW_RTB_VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Create an IAM Role for flow logs </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"role_lab_flow_logs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"role_lab_flow_logs"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "vpc-flow-logs.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } </span><span class="no">EOF </span><span class="p">}</span> </code></pre> </div> <h2> Create an IAM Role policy for flow logs </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"IAM_Role_Policy_for_Flow_Log"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"IAM_Role_Policy_for_Flow_Log"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">role_lab_flow_logs</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> { "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams" ], "Effect": "Allow", "Resource": "*" } ] } </span><span class="no">EOF </span><span class="p">}</span> </code></pre> </div> <h2> Create a Cloudwatch log group </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_cloudwatch_log_group"</span> <span class="s2">"Transit_Gateway_Log_Group"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Transit_Gateway_Log_Group"</span> <span class="p">}</span> </code></pre> </div> <h2> Create a flow log for the first VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_flow_log"</span> <span class="s2">"flow_log_tgw_lab"</span> <span class="p">{</span> <span class="nx">iam_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">role_lab_flow_logs</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">log_destination</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_log_group</span><span class="p">.</span><span class="nx">Transit_Gateway_Log_Group</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">traffic_type</span> <span class="p">=</span> <span class="s2">"ALL"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"flow_log_tgw_lab"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This is usually the log format when reading a flow log data:<br> <code>log_format = "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}"</code></p> <p>When you deploy the code and grab the public IP of the bastion host, then SSH into it, then do a <code>ping to 8.8.8.8</code> <br> When simply go to the Cloudwatch service via the GUI, specifically to "Log Groups," there you will find your flow log data streams for several elastic network interfaces (ENIs). <br> Do a <code>terraform state show aws_instance.Bastion</code> to get the ENI of your instance. Then go back to cloudwatch and select the ENI. Open the data, and simply search for <code>8.8.8.8</code> in the log stream, you will notice that an ICMP session was made.</p> cloud terraform aws networkenginner Charles Uneze Fri, 10 Mar 2023 13:07:36 +0000 https://dev.to/charlesuneze/securing-your-vpc-using-public-private-subnets-2lcb https://dev.to/charlesuneze/securing-your-vpc-using-public-private-subnets-2lcb <p>In this lab, two instances are created, one is launched in a first subnet which is public, while the other is launched the second subnet which is private.</p> <p>The private instance must access the internet using a Network Address Translation (NAT) gateway deployed into the first subnet.</p> <p>No default security group, NACL, or route table is used in this demonstration. This means any non-default being used must be explicitly associated with its resource. For example, a non-default route table must be explicitly associated with a subnet, etc.</p> <p>Also, in this lab, we will explore the stateful nature of a Security Group, at Algorithm no 12.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F552rbjfzopva9gtcxqa0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F552rbjfzopva9gtcxqa0.png" alt=" " width="800" height="371"></a></p> <h2> Algorithm of the Infrastructure </h2> <ol> <li>Create a VPC</li> <li>Create an Internet Gateway</li> <li>Create a first subnet</li> <li>Create a first NACL for the first subnet</li> <li>Specify the first route table <ul> <li>Add a route destined to all IP addresses, and a target to the Internet Gateway.</li> </ul> </li> <li>Create a security group in the VPC for the first subnet <ul> <li>Add an ingress rule for SSH</li> <li>Add an egress rule for SSH</li> </ul> </li> <li>Create an instance for the first subnet</li> <li>Create an elastic IP</li> <li>Create a NAT Gateway in the first subnet and attach the elastic IP to it</li> <li>Create a second subnet</li> <li>Create a second NACL for the second subnet</li> <li>Create a second security group <ul> <li>Add an ingress rule for SSH</li> <li>Add an egress rule for all ICMP</li> </ul> </li> <li>Create a second route table <ul> <li>Add a route destined for the NAT Gateway</li> </ul> </li> <li>Create a second instance</li> </ol> <h2> Create a VPC </h2> <p>CIDR = 10.0.0.0/16<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"VPC_A"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">instance_tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_A"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create an Internet Gateway </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"VPC_A_IGW"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_A_IGW"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a first subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"VPC_A_Public_Subnet_A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.20.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_A_Public_Subnet_A"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a first NACL for the first subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_network_acl"</span> <span class="s2">"VPC_A_Public_NACL_A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Public_Subnet_A</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"VPC_A_Public_NACL_A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_network_acl_association"</span> <span class="s2">"VPC_A_Public_NACL_A_Association"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">VPC_A_Public_NACL_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Public_Subnet_A</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the first route table </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"VPC_A_Public_RT_A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">VPC_A_IGW</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_A_Public_RT_A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"VPC_A_Public_RT_A_Association_A"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Public_Subnet_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">VPC_A_Public_RT_A</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Create a security group in the VPC for the first subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"SG_bastion"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">" SG for bastion host. SSH access only"</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create an instance for the first subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"Bastion"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0b029b1931b347543"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Public_Subnet_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"</span><span class="k">${</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">SG_bastion</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Create an elastic IP </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"EIP_for_NAT_GW"</span> <span class="p">{</span> <span class="nx">vpc</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h2> Create a NAT Gateway in the second subnet and attach the elastic IP to it </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"NAT_GW"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Public_Subnet_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">connectivity_type</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">EIP_for_NAT_GW</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Name"</span> <span class="p">=</span> <span class="s2">"NAT_GW"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a second subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"VPC_A_Private_Subnet_A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.10.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="s2">"false"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_A_Private_Subnet_A"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a second NACL for the second subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_network_acl"</span> <span class="s2">"VPC_A_Private_NACL_A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Private_Subnet_A</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"VPC_A_Private_NACL_A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_network_acl_association"</span> <span class="s2">"VPC_A_Private_NACL_A_Association"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">VPC_A_Private_NACL_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Private_Subnet_A</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h1> Create a second security group </h1> <p>Here we will explore the stateful nature of a security group<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"SG_Private"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"SG_Private"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for private subnet instances."</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Incoming &amp; Outgoing SSH"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Outgoing &amp; Incoming ICMP"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"SG_Private"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We can notice that the <code>ingress</code> rule is for an SSH protocol, while the <code>egress</code> rule is for the ICMP protocol.</p> <p>On AWS, when a packet ingresses or is directed towards an instance, it can leave the instance even if the egress rule doesn't match. That is why I described it as “incoming &amp; outgoing SSH”<br> The Bastion instance can SSH into the private instance. Since the Bastion security group has an egress SSH rule set. Also, since the Private security grphp has an ingress SSH rule set.</p> <p>Also, the private instance can ping any address on the Internet.<br> ICMP uses an "echo request" and an "echo reply.”<br> Since the first outgoing “request” traffic was approved, its incoming “reply” traffic will be approved too. That is why I described it as an “outgoing &amp; incoming ICMP”</p> <h2> Create a second route table </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"VPC_A_Private_RT_A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">NAT_GW</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"VPC_A_Private_RT_A"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"VPC_A_Private_RT_A_Association"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Private_Subnet_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">VPC_A_Private_RT_A</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Create a second instance </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"VPC_A_Private_Subnet_A_Instance_A"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0b029b1931b347543"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Private_Subnet_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"</span><span class="k">${</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">SG_Private</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"VPC_A_Private_Subnet_A_Instance_A"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>After deploying the configurations, configure <a href="https://www.howtogeek.com/devops/what-is-ssh-agent-forwarding-and-how-do-you-use-it/" rel="noopener noreferrer">SSH Agent forwarding</a> on Putty, then SSH into your first instance, and then into the second instance. Lastly do a ping to any public URL from the second instance and make sure its successful.</p> <h2> Follow my AWS Advanced Networking Journey on Github </h2> <p>AWS Advanced Networking<br> <a href="https://github.com/Its-All-About-the-Journey/AWS-Advanced-Networking" rel="noopener noreferrer">https://github.com/Its-All-About-the-Journey/AWS-Advanced-Networking</a></p> discuss Charles Uneze Mon, 06 Mar 2023 18:56:22 +0000 https://dev.to/charlesuneze/create-an-instance-with-an-elastic-ip-attached-using-terraform-40ga https://dev.to/charlesuneze/create-an-instance-with-an-elastic-ip-attached-using-terraform-40ga <p>On my journey to explore the Kubernetes networking ecosystem, I decided to take my first step by completing the AWS Networking course outline using Terraform. I am attempting to gain an understanding of how things work at this layer.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw7t0eprt5xy9xuws1j6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw7t0eprt5xy9xuws1j6.png" alt="Image description"></a></p> <h1> Laying the Ground Work for My Code </h1> <p>The first thing I did was to install Terraform using this <a href="https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli" rel="noopener noreferrer">tutorial</a>.</p> <h2> Defining the Backend for Storing Infrastructure Information </h2> <p>The next thing I did was to create a "Terraform.tf" file so I can set up the backend where all the information about this infrastructure will be stored. The information is mapped to the real infrastructure on AWS. I use a local backend, meaning the information is stored on my computer. This information is in JSON format.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"local"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">}</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 4.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The above code in this file specifies that I am using a local backend, and also that I am using an “AWS provider.” The provider is a plugin for interacting with the AWS APIs so the infrastructure can be built.</p> <h2> Specifying the Cloud Provider </h2> <p>Next I created a "main.tf" file where I will specify the cloud provider and also the architecture as code.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Configure the AWS Provider</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="nx">access_key</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">secret_key</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">}</span> </code></pre> </div> <h1> Algorithm of the Architecture </h1> <ol> <li>Create a VPC</li> <li>Specify the default NACL</li> <li>Specify the default security group</li> <li>Create an Internet Gateway</li> <li>Specify the default route table, and add a new route to the Internet Gateway.</li> <li>Create a subnet</li> <li>Create an instance</li> <li>Create an elastic IP address</li> </ol> <h2> Create a VPC </h2> <p>VPC = 10.0.0.0/16</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Create VPC</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"VPC_A"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">instance_tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"VPC_A"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>When a VPC is created, AWS uses an overlay network to offer multi-tenancy for implementation. I wrote some words about this on my <a href="https://charlesuneze.substack.com/p/exploring-the-broadcom-tomahawk-5" rel="noopener noreferrer">substack</a>.</p> <h2> Specify the default NACL </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Specify the default NACL, regardless if the VPC creates it on default</span> <span class="k">resource</span> <span class="s2">"aws_default_network_acl"</span> <span class="s2">"Default_VPC_A_NACL"</span> <span class="p">{</span> <span class="nx">default_network_acl_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">default_network_acl_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"Default_VPC_A_NACL"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default security group </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Specify the default SG, regardless if the VPC creates it on default</span> <span class="k">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"Default_VPC_A_SG"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"Default_VPC_A_SG"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create an Internet Gateway </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Create the Internet Gateway</span> <span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"VPC_A_IGW"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"VPC_A_IGW"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Specify the default route table, and add a new route to the Internet Gateway </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Create the default route table</span> <span class="k">resource</span> <span class="s2">"aws_default_route_table"</span> <span class="s2">"VPC_A_Default_RT"</span> <span class="p">{</span> <span class="nx">default_route_table_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">default_route_table_id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">VPC_A_IGW</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"VPC_A_Default_RT"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create a subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Create Subnet</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"VPC_A_Subnet_A"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">VPC_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"VPC_A_Subnet_A"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create an Instance </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Create AWS instance</span> <span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"VPC_A_Subnet_A_AWS_Linux"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0b029b1931b347543"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"us-west-2a"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">VPC_A_Subnet_A</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"VPC_A_Subnet_A_AWS_Linux"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Create an elastic IP address </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Create an Elastic IP</span> <span class="k">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"VPC_A_EIP"</span> <span class="p">{</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">VPC_A_Subnet_A_AWS_Linux</span><span class="p">.</span><span class="nx">id</span> <span class="nx">vpc</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"VPC_A_EIP"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Associate the Elastic IP to the instance</span> <span class="k">resource</span> <span class="s2">"aws_eip_association"</span> <span class="s2">"VPC_A_EIP-Association"</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">VPC_A_Subnet_A_AWS_Linux</span><span class="p">.</span><span class="nx">id</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">VPC_A_EIP</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>After applying the configuration, check for the public IP address of the script via the command below<br> <code>terraform state show aws_eip.VPC_A_EIP</code><br> Then do a ping to the public IP address, make sure it is successful.</p> <p>Do make a comment if you experience any issue in the code or article.</p> <h2> Follow my AWS Advanced Networking Journey on Github </h2> <p>AWS Advanced Networking<br> <a href="https://github.com/Its-All-About-the-Journey/AWS-Advanced-Networking" rel="noopener noreferrer">https://github.com/Its-All-About-the-Journey/AWS-Advanced-Networking</a></p> cloud terraform aws networkengineer