DEV Community: hayao-k The latest articles on DEV Community by hayao-k (@hayao_k). https://dev.to/hayao_k https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F99749%2Fd187b41c-0650-46e2-95c6-d267db8f0880.png DEV Community: hayao-k https://dev.to/hayao_k en Effortlessly Export AWS Health Organizational View to CSV with This CLI Tool hayao-k Thu, 16 May 2024 15:49:59 +0000 https://dev.to/aws-builders/effortlessly-export-aws-health-organizational-view-to-csv-with-this-cli-tool-29ae https://dev.to/aws-builders/effortlessly-export-aws-health-organizational-view-to-csv-with-this-cli-tool-29ae <p>πŸ’‘ The tools discussed in this article leverage the AWS Health API, which requires a Business or higher-level AWS Support plan.</p> <h2> Introduction </h2> <p>For all AWS Organizations administrators, how do you handle the events notified by AWS Health? I imagine you receive numerous notifications daily when utilizing AWS services.</p> <p>These events need to be properly managed as they can have a significant impact on the availability and reliability of your systems. Recently, there have been significant events scheduled, such as the Amazon RDS certificate update in August and the end of support for the AWS Lambda Python 3.8 runtime in October.</p> <p>If you're managing multiple accounts within your organization, manually checking events and gathering relevant information can take time and effort.</p> <p>I have developed a CLI tool called AWS Health Exporter to address this challenge.</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--A9-wwsHG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/hayao-k" rel="noopener noreferrer"> hayao-k </a> / <a href="https://github.com/hayao-k/aws-health-exporter" rel="noopener noreferrer"> aws-health-exporter </a> </h2> <h3> AWS Health Exporter is a command-line tool designed to describe AWS Health events for your organization. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">AWS Health Exporter</h1> </div> <p>Health Exporter is a command-line tool designed to describe AWS Health events for your organization. It allows you to filter events by service name and status, and export the details to a CSV file. Optionally, you can echo the CSV content to standard output.</p> <div class="markdown-heading"> <h2 class="heading-element">Features</h2> </div> <ul> <li>Event Filtering: Filter events by service name, event status, and other criteria to get precisely the data you need.</li> <li>Entity Filtering: Filter affected entities by status code (IMPAIRED, UNIMPAIRED, UNKNOWN, PENDING, or RESOLVED).</li> <li>AWS Organizations Support: Works seamlessly with AWS Organizations, allowing you to get a health overview of all accounts.</li> <li>CSV Export: Automatically formats and exports the data into a CSV file, making it simple to store, share, and analyze.</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Prerequisites</h2> </div> <ul> <li>AWS credentials with appropriate permissions to access AWS Health and AWS Organizations services</li> <li>You must have a Business, Enterprise On-Ramp, or Enterprise Support plan from AWS Support to use the…</li> </ul> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/hayao-k/aws-health-exporter" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Key Features </h2> <p>AWS Health Exporter is a command-line tool for retrieving event information from the organizational view of AWS Health. It allows you to filter events by service name, status, and more and export details of the relevant accounts and resource IDs to a CSV file.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8cvgb1hnvcsyk3v9z561.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8cvgb1hnvcsyk3v9z561.png" alt="Image description" width="800" height="163"></a></p> <ul> <li><p><strong>AWS Organizations Support:</strong> Retrieves information from the organizational view of AWS Health. It cannot be used with standalone accounts, but there is an option to output data for a single account only.</p></li> <li><p><strong>CSV Export:</strong> Data is formatted and exported in CSV format, making it easy to save, share, and analyze.</p></li> <li><p><strong>Event Filtering:</strong> Filters events by conditions such as service name and status, making it easier to find the events you're looking for.</p></li> <li><p><strong>Resource Filtering:</strong> Only retrieves resources matching specific status codes (IMPAIRED, UNIMPAIRED, UNKNOWN, PENDING, or RESOLVED).</p></li> </ul> <h2> About AWS Health Organizational View </h2> <p>Enabling the organizational view allows you to aggregate AWS Health events for all accounts within the organization. Data is retained for 90 days, and users/roles of the organization's management or delegated administrator accounts can access the information.</p> <p>You can set it up and refer to it from "Your organization health" in the AWS Health dashboard.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwpdph8pnfoncbdzgw8st.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwpdph8pnfoncbdzgw8st.png" alt="Image description" width="800" height="209"></a></p> <p>In the organizational view, you can check information for each event, such as:</p> <ul> <li><p>Affected accounts</p></li> <li><p>Number of affected resources and breakdown of their statuses</p></li> <li><p>Resources affected within each account</p></li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxoq7shsh20r5wjci50nv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxoq7shsh20r5wjci50nv.png" alt="Image description" width="800" height="266"></a></p> <p>This tool can export all this information to a CSV file!</p> <h2> Prerequisites for using the tool </h2> <ul> <li><p>The organizational view of AWS Health is enabled.</p></li> <li> <p>AWS authentication credentials to access AWS Health and AWS Organizations</p> <ul> <li>Authentication credentials for the management or delegated administrator accounts are required to use the organizational view.</li> </ul> </li> <li> <p>A business plan or higher-level AWS support contract</p> <ul> <li>Required to use the AWS Health API</li> </ul> </li> </ul> <h2> How to Use </h2> <p>Download the latest binary suitable for your environment from the GitHub repository's releases page.</p> <p><a href="https://github.com/hayao-k/aws-health-exporter/releases" rel="noopener noreferrer">https://github.com/hayao-k/aws-health-exporter/releases</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wget https://github.com/hayao-k/aws-health-exporter/releases/download/v0.8.1/aws-health-exporter_0.8.1_linux_amd64.tar.gz <span class="nb">tar </span>xvf aws-health-exporter_0.8.1_linux_amd64.tar.gz </code></pre> </div> <p>To use AWS Health Exporter, run the binary with the desired flags. Below are the available flags:</p> <ul> <li><p><code>--event-filter</code>, <code>--filter</code>, <code>-f</code>: Filter events by service name, event status, and other criteria.</p></li> <li><p><code>--status-code</code>, <code>-c</code>: Filter entity by status code. Possible values are IMPAIRED, UNIMPAIRED, UNKNOWN, PENDING and RESOLVED</p></li> <li><p><code>--echo</code>, <code>-e</code>: Echo CSV content to standard output.</p></li> <li><p><code>--profile</code>, <code>-p</code>: Specify the AWS credential profile to use.</p></li> <li><p><code>--account-id</code>, <code>-i</code>: Specify a single account ID to process (optional).</p></li> <li><p><code>--output-file</code>, <code>--file-name</code>, <code>o</code>: Specify the output CSV file name.</p></li> </ul> <h3> Details of the event filtering option </h3> <p>The <code>--event-filter</code> option allows you to specify complex filtering criteria. Below is a table of the available fields that can be included in the filter criteria:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Description</th> <th>Possible Values</th> </tr> </thead> <tbody> <tr> <td><code>service</code></td> <td>Filter events by AWS service name.</td> <td>e.g., <code>LAMBDA</code>, <code>RDS</code>, <code>EKS</code> </td> </tr> <tr> <td><code>status</code></td> <td>Filter events by status.</td> <td> <code>open</code>, <code>closed</code>, <code>upcoming</code> </td> </tr> <tr> <td><code>category</code></td> <td>Filter events by category.</td> <td> <code>issue</code>, <code>accountNotification</code>, <code>scheduledChange</code>, <code>investigation</code> </td> </tr> <tr> <td><code>region</code></td> <td>Filter events by region.</td> <td>AWS region codes, e.g., <code>us-east-1</code> </td> </tr> <tr> <td><code>startTime</code></td> <td>Filter events by start time.</td> <td>ISO 8601 date format</td> </tr> <tr> <td><code>endTime</code></td> <td>Filter events by end time.</td> <td>ISO 8601 date format</td> </tr> <tr> <td><code>lastUpdatedTime</code></td> <td>Filter events by last updated time.</td> <td>ISO 8601 date format</td> </tr> </tbody> </table></div> <p>For <code>startTime</code>, <code>endTime,</code> and <code>lastUpdatedTime</code>, you can specify a time range using <code>from</code> and <code>to</code> in ISO 8601 date format. Here is the structure for determining the time range:</p> <ul> <li><code>{from:YYYY-MM-DDTHH:MM:SSZ,to:YYYY-MM-DDTHH:MM:SSZ}</code></li> </ul> <h3> Example Commands </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Describe RDS events with open status and export to CSV</span> ./health-exporter <span class="nt">--event-filter</span> <span class="nv">service</span><span class="o">=</span>RDS,status<span class="o">=</span>open <span class="c"># Describe upcoming LAMBDA events and echo the output to STDOUT</span> ./health-exporter <span class="nt">--event-filter</span> <span class="nv">service</span><span class="o">=</span>LAMBDA,status<span class="o">=</span>upcoming <span class="nt">--echo</span> <span class="c"># Describe only events in the Tokyo region and specify their last updated time.</span> ./health-exporter <span class="nt">----event-filter</span> <span class="s2">"lastUpdatedTime={from=2024-03-01T00:00:00Z,to=2024-05-02T23:59:59Z},region=ap-northeast-1"</span> <span class="c"># Get entities with pending status only and specify a custom file name</span> ./health-exporter <span class="nt">--status-code</span> PENDING <span class="nt">--output-file</span> my_event_details.csv <span class="c"># Get events using the specified profile</span> ./health-exporter <span class="nt">--profile</span> my-profile <span class="c"># Process only a single account</span> ./health-exporter <span class="nt">--account-id</span> 123456789012 </code></pre> </div> <h3> Execution Example </h3> <p>When you execute the command, an interactive prompt will be displayed. In the following example, the <code>--event-filter</code> flag extracts only the upcoming status events related to AWS Lambda.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>health-exporter <span class="nt">--event-filter</span> <span class="nv">service</span><span class="o">=</span>LAMBDA,status<span class="o">=</span>upcoming <span class="nt">--status-code</span> PENDING Use the arrow keys to navigate: ↓ ↑ β†’ ← ? Select an event: β–Έ LAMBDA - AWS_LAMBDA_PLANNED_LIFECYCLE_EVENT <span class="o">(</span>us-east-1, 2024-10-14 07:00:00<span class="o">)</span> LAMBDA - AWS_LAMBDA_PLANNED_LIFECYCLE_EVENT <span class="o">(</span>ap-northeast-1, 2024-10-14 07:00:00<span class="o">)</span> LAMBDA - AWS_LAMBDA_PLANNED_LIFECYCLE_EVENT <span class="o">(</span>ap-northeast-1, 2024-06-12 07:00:00<span class="o">)</span> LAMBDA - AWS_LAMBDA_PLANNED_LIFECYCLE_EVENT <span class="o">(</span>ap-southeast-2, 2024-10-14 07:00:00<span class="o">)</span> ↓ LAMBDA - AWS_LAMBDA_PLANNED_LIFECYCLE_EVENT <span class="o">(</span>us-east-1, 2024-06-12 07:00:00<span class="o">)</span> </code></pre> </div> <p>From the prompt, select the event you want to output. After selection, the tool will gather related account and entity information and output it to a CSV file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>βœ” LAMBDA - AWS_LAMBDA_PLANNED_LIFECYCLE_EVENT <span class="o">(</span>us-east-1, 2024-10-14 07:00:00<span class="o">)</span> Event details have been written to AWS_LAMBDA_PLANNED_LIFECYCLE_EVENT_2024-10-14_07-00-00_us-east-1_PENDING.csv. </code></pre> </div> <p>The output CSV will contain information such as Account ID, Account Name, Region, Identifier, Status, and Last Updated. In this example, since <code>--status-code PENDING</code> was specified during command execution, only resources with PENDING status are output.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code>Account ID, Account Name, Region, Identifier, Status, Last Updated 000000000000,account-0000,us-east-1,arn:aws:lambda:us-east-1:000000000000:function:Old_Runtime_Lambda_Function-1PBKPZPFSJ058,PENDING,2024-04-21 20:11:29 111111111111,account-1111,us-east-1,arn:aws:lambda:us-east-1:111111111111:function:Old_Runtime_Lambda_Function-uuTi2u7DbooD,PENDING,2024-04-21 20:11:29 111111111111,account-1111,us-east-1,arn:aws:lambda:us-east-1:111111111111:function:Old_Runtime_Lambda_Function-omdieC8Umobo,PENDING,2024-04-21 20:11:29 222222222222,account-2222,us-east-1,arn:aws:lambda:us-east-1:222222222222:function:Old_Runtime_Lambda_Function-ULZ27BYSQ0MN,PENDING,2024-04-21 20:11:29 222222222222,account-2222,us-east-1,arn:aws:lambda:us-east-1:222222222222:function:Old_Runtime_Lambda_Function-10YNGBMU46VP9,PENDING,2024-04-21 20:11:29 222222222222,account-2222,us-east-1,arn:aws:lambda:us-east-1:222222222222:function:Old_Runtime_Lambda_Function-CEgHAu41udFy,PENDING,2024-04-21 20:11:29 333333333333,account-3333,us-east-1,arn:aws:lambda:us-east-1:333333333333:function:Old_Runtime_Lambda_Function-zNKRpLWP0pXB,PENDING,2024-04-21 20:11:29 333333333333,account-3333,us-east-1,arn:aws:lambda:us-east-1:333333333333:function:Old_Runtime_Lambda_Function-24ES8MRQJ9R6,PENDING,2024-04-21 20:11:29 444444444444,account-4444,us-east-1,arn:aws:lambda:us-east-1:444444444444:function:Old_Runtime_Lambda_Function-134QIS8IYF84K,PENDING,2024-04-21 20:11:29 444444444444,account-4444,us-east-1,arn:aws:lambda:us-east-1:444444444444:function:Old_Runtime_Lambda_Function-B97VeyrZNXIy,PENDING,2024-04-21 20:11:29 </code></pre> </div> <h2> <strong>Mechanism</strong> </h2> <p>Primarily uses 3 AWS Health APIs.</p> <ul> <li><p><a href="https://docs.aws.amazon.com/health/latest/APIReference/API_DescribeEventsForOrganization.html" rel="noopener noreferrer"><strong>DescribeEventsForOrganization API</strong></a></p></li> <li><p><a href="https://docs.aws.amazon.com/health/latest/APIReference/API_DescribeAffectedAccountsForOrganization.html" rel="noopener noreferrer"><strong>DescribeAffectedAccountsForOrganization API</strong></a></p></li> <li><p><a href="https://docs.aws.amazon.com/health/latest/APIReference/API_DescribeAffectedEntitiesForOrganization.html" rel="noopener noreferrer"><strong>DescribeAffectedEntitiesForOrganization API</strong></a></p></li> </ul> <h3> <strong>DescribeEventsForOrganization API</strong> </h3> <p>Calls the DescribeEventsForOrganization API to retrieve relevant events based on the filter conditions specified on the command line. This API returns only an overview of the events, so information about affected accounts or resources is not included.</p> <h3> <strong>DescribeAffectedAccountsForOrganization API</strong> </h3> <p>This API retrieves a list of accounts within the organization affected by the selected event.</p> <h3> <strong>DescribeAffectedEntitiesForOrganization API</strong> </h3> <p>This API returns a list of entities affected by one or more events in one or more accounts within the organization.</p> <p>When the user selects an event through the interactive prompt, information obtained from these APIs is formatted and output as a CSV file.</p> <p>I hope this helps you.</p> aws awshealth go cli AI Chatbot powered by Amazon Bedrock πŸš€πŸ€– hayao-k Fri, 29 Sep 2023 16:48:30 +0000 https://dev.to/aws-builders/ai-chatbot-powered-by-amazon-bedrock-5c9f https://dev.to/aws-builders/ai-chatbot-powered-by-amazon-bedrock-5c9f <h2> Introduction </h2> <p>I have created a sample chatbot application that uses <a href="https://github.com/Chainlit/chainlit" rel="noopener noreferrer">Chainlit</a> and <a href="https://github.com/langchain-ai/langchain" rel="noopener noreferrer">LangChain</a> to showcase Amazon Bedrock.</p> <p>You can interact with the AI assistant while switching between multiple models.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F45nlkupdpd4vp02m149a.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F45nlkupdpd4vp02m149a.png" alt="Image description"></a></p> <p>This sample application has been tested in the following environments:</p> <ul> <li>AWS Region: us-east-1</li> <li>AWS Copilot CLI: v1.30.1</li> <li>Python: v3.11.5</li> <li>boto3: v1.28.57</li> <li>LangChain: v0.0.305</li> <li>Chainlit: v0.7.0</li> </ul> <p><strong>Note:</strong> To support the GA Version of the Bedrock API, make sure to use versions of LangChain and boto3 that are newer than those mentioned above.</p> <h2> Source Code </h2> <p>Check out my GitHub repository!</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/hayao-k" rel="noopener noreferrer"> hayao-k </a> / <a href="https://github.com/hayao-k/Bedrock-AIChatbot-Sample" rel="noopener noreferrer"> Bedrock-AIChatbot-Sample </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">AI Chatbot powered by Amazon Bedrock πŸš€πŸ€–</h1> </div> <div class="markdown-heading"> <h2 class="heading-element">Overview</h2> </div> <p>Sample chatbot application to experience Amazon Bedrock, using Chainlit and LangChain.</p> <p><a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/hayao-k/Bedrock-AIChatbot-Sample/main/images/overview.png"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fhayao-k%2FBedrock-AIChatbot-Sample%2Fmain%2Fimages%2Foverview.png" alt=""></a></p> <p>You can interact with the AI assistant while switching between multiple models.</p> <p><a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/hayao-k/Bedrock-AIChatbot-Sample/main/images/multiple-models.png"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fhayao-k%2FBedrock-AIChatbot-Sample%2Fmain%2Fimages%2Fmultiple-models.png" alt=""></a></p> <p>Please ensure you enable access to each model in Amazon Bedrock beforehand.</p> <div class="markdown-heading"> <h2 class="heading-element">Features</h2> </div> <ul> <li> <strong>Customizable Chat Settings</strong>: Through Chainlit, it offers a user-friendly interface to select models and adjust settings before initializing the chat.</li> <li> <strong>Model Selection</strong>: Amazon Bedrock model list is automatically retrieved and can be selected.</li> <li> <strong>Document Chat</strong>: Please refer to the <a href="https://docs.aws.amazon.com/bedrock/latest/userguide/conversation-inference.html#conversation-inference-supported-models-features" rel="nofollow noopener noreferrer">official documentation</a> for the support status of each model.</li> <li> <strong>Image Processing (Anthropic Models Only)</strong>: Supports image input for Claude 3 models.</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Prerequisites</h2> </div> <p>Before deploying this application, ensure you have the following:</p> <ul> <li>AWS Copilot CLI installed</li> <li>Enable access to each model in Amazon Bedrock</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Getting Started</h2> </div> <p>Deploy to AWS App Runner using AWS Copilot CLI. To deploy this application:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>git clone https://github.com/hayao-k/Bedrock-AIChatbot-Sample cd Bedrock-AIChatbot-Sample</code></pre>…</div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/hayao-k/Bedrock-AIChatbot-Sample" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Start using Bedrock </h2> <p>Before you can start using Amazon Bedrock, you must request access to each model. To add access to a model, go to the Model Access section in the Bedrock console and click Edit.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu1dxu8lakvshdszsenn7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu1dxu8lakvshdszsenn7.png" alt="Image description"></a></p> <p>Select the models you want to use and save the settings.</p> <p><strong>Note:</strong> Third-party models such as Jurassic-2 and Claude require access through the AWS Marketplace. This means you will also be charged a Marketplace fee for using the model.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft2rp8xz11udmhdsz29pg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft2rp8xz11udmhdsz29pg.png" alt="Image description"></a></p> <p>It will take some time for each model to become available; models with an Access status of Access granted are ready for use.</p> <p><strong>Note:</strong> Some models, such as Titan Text G1 - Express, are in Preview and may not be immediately available.</p> <h2> How to Deploy </h2> <p>The GitHub repository for the sample application contains a manifest file for deploying the container to AWS App Runner using the AWS Copilot CLI.</p> <p>Follow these steps to deploy:</p> <ol> <li>Install the AWS Copilot CLI if necessary</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>curl <span class="nt">-Lo</span> /usr/local/bin/copilot https://github.com/aws/copilot-cli/releases/latest/download/copilot-linux <span class="o">&amp;&amp;</span> <span class="nb">sudo chmod</span> +x /usr/local/bin/copilot </code></pre> </div> <ol> <li>Deploy to App Runner!</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">export </span><span class="nv">AWS_REGION</span><span class="o">=</span>us-east-1 copilot app init bedrockchat-app copilot deploy <span class="nt">--name</span> bedrockchat <span class="nt">--env</span> dev </code></pre> </div> <p>If the deployment is successful, access the URL displayed in the message. If the following screen appears, the deployment has succeeded!</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjkb60l81bi2axpse2lmq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjkb60l81bi2axpse2lmq.png" alt="Image description"></a></p> <p>To delete an environment, execute the following command:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>copilot app delete</p> </code></pre> </div> <h2> <br> <br> <br> How to use the app<br> </h2> <p>The model, temperature, and maximum token size can be changed from the Settings panel.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuq9xzx8ljbwc99vci22u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuq9xzx8ljbwc99vci22u.png" alt="Image description"></a></p> <p>The sample code allows you to choose between Claude v2, Jurassic-2 Ultra, and Amazon Titan Text G1 - Express. This enables you to compare performance while switching between models.</p> <p><strong>Note:</strong> As of 9/29/2023, Amazon Titan Text G1 - Express is in Preview status. It will be rolled out gradually, so it may not be available for some accounts.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr3typxm9c6gdib5ac0hm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr3typxm9c6gdib5ac0hm.png" alt="Image description"></a></p> <p>You can enjoy a free-flowing conversation with the AI assistant! The conversation history during the session is retained, allowing it to reply to you while considering the context.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fka9lck0zqto1lpgb72iu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fka9lck0zqto1lpgb72iu.png" alt="Image description"></a></p> <p>I hope this will be of help to someone else.</p> genai bedrock langchain aws Running Amazon S3 Mountpoint Inside a Container hayao-k Wed, 22 Mar 2023 12:37:04 +0000 https://dev.to/aws-builders/running-amazon-s3-mountpoint-inside-a-container-4aob https://dev.to/aws-builders/running-amazon-s3-mountpoint-inside-a-container-4aob <h2> Introduction </h2> <p>Here is a simple example of running Mountpoint for Amazon S3 from inside a container</p> <ul> <li><p>Created with information as of 3/21/2023 (version: 0.2.0-b8363a4)</p></li> <li><p>Mountpoint for Amazon S3 is currently in alpha release and should not be used in production workloads</p></li> </ul> <p>Container image is also available in <a href="https://gallery.ecr.aws/x8j1s2l2/container-mountpoint-s3" rel="noopener noreferrer">ECR Public gallery</a>.</p> <h2> Dockerfile </h2> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code> <span class="k">FROM</span><span class="w"> </span><span class="s">rust:1.68.0</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">Build</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\ </span> clang<span class="se">\ </span> cmake <span class="se">\ </span> curl <span class="se">\ </span> fuse <span class="se">\ </span> git <span class="se">\ </span> libfuse-dev <span class="se">\ </span> pkg-config <span class="se">\ </span> <span class="o">&amp;&amp;</span> apt-get clean <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> git clone <span class="nt">--recurse-submodules</span> https://github.com/awslabs/mountpoint-s3.git <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">cd </span>mountpoint-s3 <span class="se">\ </span> <span class="o">&amp;&amp;</span> cargo build <span class="nt">--release</span> <span class="k">FROM</span><span class="s"> debian:bullseye-slim</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\ </span> ca-certificates <span class="se">\ </span> libfuse-dev <span class="se">\ </span> <span class="nb">sudo</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> apt-get clean <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="k">COPY</span><span class="s"> --from=build /mountpoint-s3/target/release/mount-s3 /usr/local/bin/mount-s3</span> <span class="k">RUN </span><span class="nb">chmod </span>777 /usr/local/bin/mount-s3 <span class="k">RUN </span>useradd <span class="nt">-ms</span> /bin/bash mount-s3-user <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s1">'%sudo ALL=(ALL) NOPASSWD:ALL'</span> <span class="o">&gt;&gt;</span> /etc/sudoers <span class="se">\ </span> <span class="o">&amp;&amp;</span> adduser mount-s3-user <span class="nb">sudo</span> <span class="k">USER</span><span class="s"> mount-s3-user</span> </code></pre> </div> <h2> Getting started </h2> <p>Image Build</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker image build <span class="nt">-t</span> mount-s3:latest <span class="nb">.</span> </code></pre> </div> <p>Run</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker container run <span class="nt">--privileged</span> <span class="nt">--rm</span> <span class="nt">-it</span> mount-s3:latest bash </code></pre> </div> <p>Enjoy</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> mount-s3-user@ce43831fda04:~<span class="nv">$ </span><span class="nb">sudo </span>mount-s3 &lt;bucket_name&gt; /mnt <span class="nt">--allow-other</span> <span class="nt">--region</span> ap-northeast-1 mount-s3-user@ce43831fda04:~<span class="nv">$ </span><span class="nb">ls</span> <span class="nt">-l</span> /mnt/test.json <span class="nt">-rw-r--r--</span> 1 root root 306424 Feb 21 02:42 /mnt/test.json </code></pre> </div> <h2> EC2 on Docker Consideration </h2> <p>If using EC2 IAM roles for AWS credentials, increasing the IMDSv2 hop limit from 1 to 2 in the instance metadata options is <a href="https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations" rel="noopener noreferrer">recommended</a>.</p> <blockquote> <p>In a container environment, if the hop limit is 1, the IMDSv2 response does not return because going to the container is considered an additional network hop. To avoid the process of falling back to IMDSv1 and the resultant delay, in a container environment we recommend that you set the hop limit to 2</p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws ec2 modify-instance-metadata-options <span class="se">\</span> <span class="nt">--instance-id</span> i-xxxxxxxxxxxxxxxxx <span class="se">\</span> <span class="nt">--http-put-response-hop-limit</span> 2 <span class="se">\</span> <span class="nt">--http-endpoint</span> enabled </code></pre> </div> <p>I hope this will be of help to someone else.</p> <h2> GitHub Repo </h2> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/hayao-k" rel="noopener noreferrer"> hayao-k </a> / <a href="https://github.com/hayao-k/container-mountpoint-s3" rel="noopener noreferrer"> container-mountpoint-s3 </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">container-mountpoint-s3</h1> </div> <p>This is a simple container image to verify the operation of <a href="https://github.com/awslabs/mountpoint-s3" rel="noopener noreferrer">Mountpoint for Amazon S3</a> in a container environment.</p> <p>Container image is also available in <a href="https://gallery.ecr.aws/x8j1s2l2/container-mountpoint-s3" rel="nofollow noopener noreferrer">ECR Public gallery</a>.</p> <div class="markdown-heading"> <h2 class="heading-element">Getting started</h2> </div> <p>Image Build</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>docker image build -t mount-s3:latest <span class="pl-c1">.</span></pre> </div> <p>Run</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>docker container run --privileged --rm -it mount-s3:latest bash </code></pre></div> <p>Enjoy</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>mount-s3-user@ce43831fda04:~$ sudo mount-s3 &lt;bucket_name&gt; /mnt --allow-other --region ap-northeast-1 mount-s3-user@ce43831fda04:~$ ls -l /mnt/test.json -rw-r--r-- 1 root root 306424 Feb 21 02:42 /mnt/test.json </code></pre></div> <div class="markdown-heading"> <h2 class="heading-element">EC2 on Docker Consideration</h2> </div> <p>If using EC2 IAM roles for AWS credentials, increasing the IMDSv2 hop limit from 1 to 2 in the instance metadata options is <a href="https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations" rel="nofollow noopener noreferrer">recommended</a>.</p> <blockquote> <p>In a container environment, if the hop limit is 1, the IMDSv2 response does not return because going to the container is considered an additional network hop. To avoid the process of falling back to IMDSv1 and the resultant delay, in a container environment we recommend that you set the…</p> </blockquote> </div> <br> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/hayao-k/container-mountpoint-s3" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <br> aws docker containers s3 Creating AWS resources for GitHub audit log streaming with CloudFormation hayao-k Fri, 17 Mar 2023 13:11:24 +0000 https://dev.to/aws-builders/creating-aws-resources-for-github-audit-log-streaming-with-cloudformation-3jo0 https://dev.to/aws-builders/creating-aws-resources-for-github-audit-log-streaming-with-cloudformation-3jo0 <h2> Introduction </h2> <p>GitHub Enterprise Cloud audit logs support log streaming to various cloud providers.</p> <p><a href="https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise" rel="noopener noreferrer">https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise</a></p> <p>Streaming audit logs to Amazon S3 can be done via OpenID Connect. This requires the creation of an OIDC Provider and IAM role on the AWS side and an S3 bucket for log storage.</p> <p>Please refer to the above document for detailed instructions.</p> <p>It is not something that is created many times, but I have created a CloudFormation template and hope it will be helpful for those who want to create a new one quickly and easily.</p> <h2> Resources to be created </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Logical ID</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>AuditLogBucket</td> <td>AWS::S3::Bucket</td> <td>S3 bucket for audit log</td> </tr> <tr> <td>AuditLogbucketPolicy</td> <td>AWS::S3::BucketPolicy</td> <td>S3 bucket policy for audit log</td> </tr> <tr> <td>AccessLogBucket</td> <td>AWS::S3::Bucket</td> <td>S3 bucket for server access log</td> </tr> <tr> <td>AccessLogBucketPolicy</td> <td>AWS::S3::BucketPolicy</td> <td>S3 bucket policy for server access log</td> </tr> <tr> <td>AuditLogEncryptionKey</td> <td>AWS::KMS::Key</td> <td>Customer Managed Key for audit log encryption</td> </tr> <tr> <td>AuditLogEncryptionKeyAlias</td> <td>AWS::KMS::Alias</td> <td>Customer Managed Key alias</td> </tr> <tr> <td>AuditLogStremingPolicy</td> <td>AWS::IAM::ManagedPolicy</td> <td>IAM policy for audit log streaming</td> </tr> <tr> <td>AuditLogStreamingRole</td> <td>AWS::IAM::Role</td> <td>IAM Role for audit log streaming</td> </tr> <tr> <td>GithubAuditLogOIDCProvider</td> <td>AWS::IAM::OIDCProvider</td> <td>GitHub OIDC provider</td> </tr> </tbody> </table></div> <h2> CloudFormation template </h2> <p>Github repository is here</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--A9-wwsHG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/hayao-k" rel="noopener noreferrer"> hayao-k </a> / <a href="https://github.com/hayao-k/CFn-github-audit-log-streaming" rel="noopener noreferrer"> CFn-github-audit-log-streaming </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">CFn-github-audit-log-streaming</h1> </div> <p>This CloudFormation template creates the AWS resources required for GitHub Enterprise Cloud audit log streaming.</p> </div> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/hayao-k/CFn-github-audit-log-streaming" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <br> <br><br> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Create AWS resources required for GitHub Enterprise Cloud audit log streaming</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">RetainDays</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Number of days to keep audit log.</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">365</span> <span class="na">EnterpriseName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Your GitHub Enterprise Name.</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">EXAPMLECORP</span> <span class="na">AccessLogPrefix</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Server access log-prefix of audit log bucket.</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">logs/</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">AWS::CloudFormation::Interface</span><span class="pi">:</span> <span class="na">ParameterGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">GitHub Configuration</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">EnterpriseName</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">Audit Log Configuration</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">RetainDays</span> <span class="pi">-</span> <span class="s">AccessLogPrefix</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># Customer Managed Key for audit log encryption</span> <span class="na">AuditLogEncryptionKey</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::KMS::Key</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Customer Managed Key for audit log encryption</span> <span class="na">Enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">EnableKeyRotation</span><span class="pi">:</span> <span class="s">True</span> <span class="na">KeyPolicy</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">key-default-1</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">Allow administration of the key</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">arn:aws:iam::${AWS::AccountId}:root</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kms:Create*</span> <span class="pi">-</span> <span class="s">kms:Describe*</span> <span class="pi">-</span> <span class="s">kms:Enable*</span> <span class="pi">-</span> <span class="s">kms:List*</span> <span class="pi">-</span> <span class="s">kms:Put*</span> <span class="pi">-</span> <span class="s">kms:Update*</span> <span class="pi">-</span> <span class="s">kms:Revoke*</span> <span class="pi">-</span> <span class="s">kms:Disable*</span> <span class="pi">-</span> <span class="s">kms:Get*</span> <span class="pi">-</span> <span class="s">kms:Delete*</span> <span class="pi">-</span> <span class="s">kms:ScheduleKeyDeletion</span> <span class="pi">-</span> <span class="s">kms:CancelKeyDeletion</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">Allow local use of the key</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">arn:aws:iam::${AWS::AccountId}:root</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kms:Encrypt</span> <span class="pi">-</span> <span class="s">kms:Decrypt</span> <span class="pi">-</span> <span class="s">kms:ReEncrypt*</span> <span class="pi">-</span> <span class="s">kms:GenerateDataKey*</span> <span class="pi">-</span> <span class="s">kms:DescribeKey</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="c1"># Customer Managed Key ALias</span> <span class="na">AuditLogEncryptionKeyAlias</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::KMS::Alias</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AliasName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">alias/${AWS::StackName}-key</span> <span class="na">TargetKeyId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AuditLogEncryptionKey</span> <span class="c1"># S3 bucket for audit log</span> <span class="na">AuditLogBucket</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">DeletionPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">UpdateReplacePolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketEncryption</span><span class="pi">:</span> <span class="na">ServerSideEncryptionConfiguration</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ServerSideEncryptionByDefault</span><span class="pi">:</span> <span class="na">SSEAlgorithm</span><span class="pi">:</span> <span class="s">aws:kms</span> <span class="na">KMSMasterKeyID</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">AuditLogEncryptionKey.Arn</span> <span class="na">BucketKeyEnabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">LifecycleConfiguration</span><span class="pi">:</span> <span class="na">Rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">ExpirationInDays</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RetainDays</span> <span class="na">PublicAccessBlockConfiguration</span><span class="pi">:</span> <span class="na">BlockPublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">BlockPublicPolicy</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">IgnorePublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">RestrictPublicBuckets</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">LoggingConfiguration</span><span class="pi">:</span> <span class="na">DestinationBucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AccessLogBucket</span> <span class="na">LogFilePrefix</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AccessLogPrefix</span> <span class="na">VersioningConfiguration</span><span class="pi">:</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">OwnershipControls</span><span class="pi">:</span> <span class="na">Rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ObjectOwnership</span><span class="pi">:</span> <span class="s">BucketOwnerEnforced</span> <span class="c1"># S3 bucket policy for audit log</span> <span class="na">AudtiLogBucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AuditLogBucket</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Deny</span> <span class="na">Principal</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">s3:*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">${AuditLogBucket.Arn}/*</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="s">AuditLogBucket.Arn</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">Bool</span><span class="pi">:</span> <span class="na">aws:SecureTransport</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># S3 bucket for server access log</span> <span class="na">AccessLogBucket</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">DeletionPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">UpdateReplacePolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketEncryption</span><span class="pi">:</span> <span class="na">ServerSideEncryptionConfiguration</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ServerSideEncryptionByDefault</span><span class="pi">:</span> <span class="na">SSEAlgorithm</span><span class="pi">:</span> <span class="s">AES256</span> <span class="na">LifecycleConfiguration</span><span class="pi">:</span> <span class="na">Rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">ExpirationInDays</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RetainDays</span> <span class="na">PublicAccessBlockConfiguration</span><span class="pi">:</span> <span class="na">BlockPublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">BlockPublicPolicy</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">IgnorePublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">RestrictPublicBuckets</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">VersioningConfiguration</span><span class="pi">:</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">OwnershipControls</span><span class="pi">:</span> <span class="na">Rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ObjectOwnership</span><span class="pi">:</span> <span class="s">BucketOwnerEnforced</span> <span class="c1"># S3 bucket policy for server access log</span> <span class="na">AccessLogBucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AccessLogBucket</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Deny</span> <span class="na">Principal</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">s3:*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">${AccessLogBucket.Arn}/*</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="s">AccessLogBucket.Arn</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">Bool</span><span class="pi">:</span> <span class="na">aws:SecureTransport</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">logging.s3.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">s3:PutObject</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">${AccessLogBucket.Arn}/${AccessLogPrefix}*</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">ArnLike</span><span class="pi">:</span> <span class="na">aws:SourceArn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">AuditLogBucket.Arn</span> <span class="na">StringEquals</span><span class="pi">:</span> <span class="na">aws:SourceAccount</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::AccountId</span> <span class="c1"># IAM policy for audit log streaming role</span> <span class="na">AuditLogStremingPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::ManagedPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Policy for GitHub Audit Log Streaming</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">s3:PutObject</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">${AuditLogBucket.Arn}/*</span> <span class="c1"># IAM Role for audit log streaming role</span> <span class="na">AuditLogStreamingRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">AuditLogStremingPolicy</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRoleWithWebIdentity</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Federated</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GithubAuditLogOIDCProvider</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">StringEquals</span><span class="pi">:</span> <span class="na">oidc-configuration.audit-log.githubusercontent.com:sub</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">https://github.com/${EnterpriseName}</span> <span class="na">oidc-configuration.audit-log.githubusercontent.com:aud</span><span class="pi">:</span> <span class="s">sts.amazonaws.com</span> <span class="na">GithubAuditLogOIDCProvider</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::OIDCProvider</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Url</span><span class="pi">:</span> <span class="s">https://oidc-configuration.audit-log.githubusercontent.com</span> <span class="na">ClientIdList</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts.amazonaws.com</span> <span class="na">ThumbprintList</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">7e6db7b7584d8cf2003e0931e6cfc41a3a62d3df</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">IAMRole</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">IAM role for audit log streaming role</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">AuditLogStreamingRole.Arn</span> <span class="na">AuditLogBucket</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">S3 bucket for audit log</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AuditLogBucket</span> </code></pre> </div> <h2> Deploy </h2> <p>3 parameters are required.</p> <ul> <li><p>GitHub Enterprise Name (<code>EnterpriseName</code>)</p></li> <li><p>Number of days to keep audit log (<code>RetainDays</code>)</p></li> <li><p>Server access log-prefix of audit log bucket (<code>AccessLogPrefix</code>)</p></li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu00pamlwiiixkrdcumrp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu00pamlwiiixkrdcumrp.png" alt="Image description" width="800" height="566"></a></p> <p>After deploying the stack, set the output S3 bucket name and IAM Role ARN to GitHub Enterprise Cloud.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgb3svk1fppbi2h7ld81t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgb3svk1fppbi2h7ld81t.png" alt="Image description" width="800" height="253"></a></p> <p>If the endpoint connection check is successful, save the configuration.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnclnytxz2blk86eqpe4t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnclnytxz2blk86eqpe4t.png" alt="Image description" width="526" height="607"></a></p> <p>You can see the audit log in the AuditLogBucket!</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fikms98l5e7chyg46eewi.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fikms98l5e7chyg46eewi.png" alt="Image description" width="800" height="308"></a></p> <p>I hope this will be of help to someone else.</p> aws cloudformation github audit Automate AWS Enterprise Support Activation for Member Accounts hayao-k Mon, 13 Mar 2023 07:16:45 +0000 https://dev.to/aws-builders/automate-aws-enterprise-support-activation-for-member-accounts-cfg https://dev.to/aws-builders/automate-aws-enterprise-support-activation-for-member-accounts-cfg <h2> Why do we need automation? </h2> <p>Member accounts added to AWS Organizations after subscribing to Enterprise Support are not enrolled in Enterprise Support.</p> <p>To register a new member account with Enterprise Support, you must open a support case in the management account.</p> <h2> Example </h2> <p>This example is a simple workflow that executes case creation, close confirmation, and notification with AWS Step Functions.</p> <h3> Input </h3> <p>You can use Amazon EventBrige to trigger the CreateAccount event in AWS Organizations or the CreateManagedAccount event in AWS Control Tower to launch the state machine.</p> <p>Therefore, the input for the state machine is a single account as follows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"AccountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;Account ID&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> State machine definition </h3> <p>The process flow is as follows. Creating cases and checking status uses AWS SDK service integrations.</p> <ul> <li><p>In the CeateCase state, create a support case with the account ID received from the state machine startup input as the activation target</p></li> <li> <p>Execute the DescribeCases state based on the Case ID returned as the result of the CreateCase state task.</p> <ul> <li>DescribeCases API requires passing a list of case IDs, so use the built-in function <a href="https://docs.aws.amazon.com/ja_jp/step-functions/latest/dg/amazon-states-language-intrinsic-functions.html#asl-intrsc-func-arrays" rel="noopener noreferrer">States.Array</a>.</li> <li>Since the task result is also a list, specify <code>$.Cases[0]</code> in OutputPath.</li> </ul> </li> <li> <p>In the Choice state, check the status of support cases from the DescirbeCases output</p> <ul> <li>If <code>resolved</code>, proceed to SNS Pulibsh state.</li> <li>Otherwise, wait for a specified time in the Wait state and execute DescribeCases again.</li> </ul> </li> <li><p>In the SNS Publish state, publish a message to the specified SNS Topic<br><br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Comment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"A description of your state machine"</span><span class="p">,</span><span class="w"> </span><span class="nl">"StartAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CreateCase"</span><span class="p">,</span><span class="w"> </span><span class="nl">"States"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CreateCase"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enterprise Activation Request for Linked account"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ServiceCode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"customer-account"</span><span class="p">,</span><span class="w"> </span><span class="nl">"SeverityCode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"low"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CategoryCode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"other-account-issues"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CommunicationBody.$"</span><span class="p">:</span><span class="w"> </span><span class="s2">"States.Format('Please enable Enterprise support for following account ID:</span><span class="se">\n</span><span class="s2">{}</span><span class="se">\n</span><span class="s2">', $.AccountId)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Language"</span><span class="p">:</span><span class="w"> </span><span class="s2">"en"</span><span class="p">,</span><span class="w"> </span><span class="nl">"IssueType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"customer-service"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:states:::aws-sdk:support:createCase"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Next"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DescribeCases"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"DescribeCases"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CaseIdList.$"</span><span class="p">:</span><span class="w"> </span><span class="s2">"States.Array($.CaseId)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"IncludeResolvedCases"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:states:::aws-sdk:support:describeCases"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Next"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Choice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"OutputPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$.Cases[0]"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Choice"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Choice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Choices"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Variable"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$.Status"</span><span class="p">,</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="s2">"resolved"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Next"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SNS Publish"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Default"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Wait"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"SNS Publish"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:states:::sns:publish"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Message.$"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TopicArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:sns:us-east-1:123456789012:your-sns-topic"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"End"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Wait"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Wait"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Seconds"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"Next"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DescribeCases"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>On Workflow Studio, it is displayed as follows.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0qoto89am19ax0d7cpa.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0qoto89am19ax0d7cpa.png" alt="Image description" width="800" height="521"></a></p> <h3> Execution example </h3> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvm90qcmad16af2koyi4d.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvm90qcmad16af2koyi4d.png" alt="Image description" width="800" height="340"></a></p> <p>I hope this will be of help to someone else.</p> aws stepfunctions awsorganizations awssupport How to restore EC2 instance with multiple ENIs attached from AWS Backup hayao-k Thu, 12 Jan 2023 03:27:19 +0000 https://dev.to/aws-builders/how-to-restore-ec2-instance-with-multiple-enis-attached-from-aws-backup-d3 https://dev.to/aws-builders/how-to-restore-ec2-instance-with-multiple-enis-attached-from-aws-backup-d3 <h2> Goal of this post </h2> <ul> <li><p>Backup EC2 instances with multiple ENIs attached with AWS Backup</p></li> <li><p>Restore EC2 instances with multiple ENIs attached, when restored from a recovery point</p></li> </ul> <h2> How? </h2> <ul> <li><p>Run the StartRestoreJob API, e.g., from the AWS CLI or SDK</p></li> <li><p>Restore jobs launched from the console cannot customize the network i\nterface</p></li> </ul> <h2> EC2 instance backup with multiple ENIs attached </h2> <p>EC2 instances with multiple ENIs attached can also be backed up with AWS Backup. Backup data is stored as AMI, but AMI does not contain network interface information.</p> <p>However, the metadata of the recovery point includes the network interface information. Recovery point metadata can be checked with the <a href="https://docs.aws.amazon.com/ja_jp/aws-backup/latest/devguide/API_GetRecoveryPointRestoreMetadata.html" rel="noopener noreferrer">GetRecoveryPointRestoreMetadata API</a>.</p> <p>The following is an example of execution with the AWS CLI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws backup get-recovery-point-restore-metadata <span class="nt">--backup-vault-name</span> Default <span class="nt">--recovery-point-arn</span> arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx <span class="o">{</span> <span class="s2">"BackupVaultArn"</span>: <span class="s2">"arn:aws:backup:us-west-2:123456789012:backup-vault:Default"</span>, <span class="s2">"RecoveryPointArn"</span>: <span class="s2">"arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx"</span>, <span class="s2">"RestoreMetadata"</span>: <span class="o">{</span> <span class="s2">"CapacityReservationSpecification"</span>: <span class="s2">"{</span><span class="se">\"</span><span class="s2">CapacityReservationPreference</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">open</span><span class="se">\"</span><span class="s2">}"</span>, <span class="s2">"CpuOptions"</span>: <span class="s2">"{</span><span class="se">\"</span><span class="s2">CoreCount</span><span class="se">\"</span><span class="s2">:2,</span><span class="se">\"</span><span class="s2">ThreadsPerCore</span><span class="se">\"</span><span class="s2">:1}"</span>, <span class="s2">"CreditSpecification"</span>: <span class="s2">"{</span><span class="se">\"</span><span class="s2">CpuCredits</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">unlimited</span><span class="se">\"</span><span class="s2">}"</span>, <span class="s2">"DisableApiTermination"</span>: <span class="s2">"false"</span>, <span class="s2">"EbsOptimized"</span>: <span class="s2">"true"</span>, <span class="s2">"HibernationOptions"</span>: <span class="s2">"{</span><span class="se">\"</span><span class="s2">Configured</span><span class="se">\"</span><span class="s2">:false}"</span>, <span class="s2">"InstanceInitiatedShutdownBehavior"</span>: <span class="s2">"stop"</span>, <span class="s2">"InstanceType"</span>: <span class="s2">"t4g.micro"</span>, <span class="s2">"Monitoring"</span>: <span class="s2">"{</span><span class="se">\"</span><span class="s2">State</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">disabled</span><span class="se">\"</span><span class="s2">}"</span>, <span class="s2">"NetworkInterfaces"</span>: <span class="s2">"[{</span><span class="se">\"</span><span class="s2">AssociatePublicIpAddress</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">DeleteOnTermination</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">Description</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">DeviceIndex</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Groups</span><span class="se">\"</span><span class="s2">:[</span><span class="se">\"</span><span class="s2">sg-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">],</span><span class="se">\"</span><span class="s2">Ipv6AddressCount</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Ipv6Addresses</span><span class="se">\"</span><span class="s2">:[],</span><span class="se">\"</span><span class="s2">NetworkInterfaceId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">eni-aaaaaaaaaaaaaaaaa</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">PrivateIpAddress</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">172.31.62.169</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">PrivateIpAddresses</span><span class="se">\"</span><span class="s2">:[{</span><span class="se">\"</span><span class="s2">Primary</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">PrivateIpAddress</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">172.31.62.169</span><span class="se">\"</span><span class="s2">}],</span><span class="se">\"</span><span class="s2">SecondaryPrivateIpAddressCount</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">SubnetId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">subnet-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">InterfaceType</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">interface</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">Ipv4Prefixes</span><span class="se">\"</span><span class="s2">:[],</span><span class="se">\"</span><span class="s2">Ipv6Prefixes</span><span class="se">\"</span><span class="s2">:[]},{</span><span class="se">\"</span><span class="s2">AssociatePublicIpAddress</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">DeleteOnTermination</span><span class="se">\"</span><span class="s2">:false,</span><span class="se">\"</span><span class="s2">Description</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">DeviceIndex</span><span class="se">\"</span><span class="s2">:1,</span><span class="se">\"</span><span class="s2">Groups</span><span class="se">\"</span><span class="s2">:[</span><span class="se">\"</span><span class="s2">sg-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">],</span><span class="se">\"</span><span class="s2">Ipv6AddressCount</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Ipv6Addresses</span><span class="se">\"</span><span class="s2">:[],</span><span class="se">\"</span><span class="s2">NetworkInterfaceId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">eni-bbbbbbbbbbbbbbbbb</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">PrivateIpAddress</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">172.31.54.130</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">PrivateIpAddresses</span><span class="se">\"</span><span class="s2">:[{</span><span class="se">\"</span><span class="s2">Primary</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">PrivateIpAddress</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">172.31.54.130</span><span class="se">\"</span><span class="s2">}],</span><span class="se">\"</span><span class="s2">SecondaryPrivateIpAddressCount</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">SubnetId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">subnet-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">InterfaceType</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">interface</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">Ipv4Prefixes</span><span class="se">\"</span><span class="s2">:[],</span><span class="se">\"</span><span class="s2">Ipv6Prefixes</span><span class="se">\"</span><span class="s2">:[]}]"</span>, <span class="s2">"Placement"</span>: <span class="s2">"{</span><span class="se">\"</span><span class="s2">AvailabilityZone</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">us-west-2d</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">GroupName</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">Tenancy</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">default</span><span class="se">\"</span><span class="s2">}"</span>, <span class="s2">"RequireIMDSv2"</span>: <span class="s2">"false"</span>, <span class="s2">"SecurityGroupIds"</span>: <span class="s2">"[</span><span class="se">\"</span><span class="s2">sg-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">]"</span>, <span class="s2">"SubnetId"</span>: <span class="s2">"subnet-xxxxxxxxxxxxxxxxx"</span>, <span class="s2">"VpcId"</span>: <span class="s2">"vpc-xxxxxxxxxxxxxxxxx"</span>, <span class="s2">"aws:backup:request-id"</span>: <span class="s2">"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In the above, you can see that <code>eni-aaaaaaaaaaaaaaaaa</code> and <code>eni-bbbbbbbbbbbbbbbbb</code> information is included.</p> <h2> How to restore from a recovery point </h2> <p>When launching a restore job in the AWS Backup console, it is not possible to restore an EC2 instance with multiple ENIs attached. This is because the console limits the customizable parameters to the following.</p> <p><a href="https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-ec2.html" rel="noopener noreferrer">https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-ec2.html</a></p> <blockquote> <p>The AWS Backup console allows you to restore Amazon EC2 recovery points with the following parameters and settings you can customize:</p> <ul> <li>Instance type</li> <li>Amazon VPC</li> <li>Subnet</li> <li>Security groups</li> <li>IAM role</li> <li>Shutdown behavior</li> <li>Stop–hibernate behavior</li> <li>Termination protection</li> <li>T2/T3 unlimited</li> <li>Placement group name</li> <li>EBS-optimized instance</li> <li>Tenancy</li> <li>RAM disk ID</li> <li>Kernel ID</li> <li>User data</li> <li>Deletion on termination</li> </ul> </blockquote> <p>To restore an EC2 instance with other customized parameters, including the network interface, you must execute the StartRestoreJob API with metadata, e.g., from the AWS CLI or SDK.</p> <blockquote> <p><a href="https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-ec2.html#restoring-ec2-cli" rel="noopener noreferrer"><strong>Use the AWS Backup API, CLI, or SDK to restore Amazon EC2 recovery points</strong></a><br> Use StartRestoreJob. This option allows you to restore all 38 parameters, including the 22 parameters that are not customizable on the console.</p> </blockquote> <p>The following is an example of execution with the AWS CLI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws backup start-restore-job <span class="se">\</span> <span class="nt">--recovery-point-arn</span> <span class="s2">"arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx"</span> <span class="se">\</span> <span class="nt">--iam-role-arn</span> <span class="s2">"arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole"</span> <span class="se">\</span> <span class="nt">--metadata</span> file://metadata.json <span class="o">{</span> <span class="s2">"RestoreJobId"</span>: <span class="s2">"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"</span> <span class="o">}</span> </code></pre> </div> <p>You can specify parameters in metadata.json as follows.</p> <h4> Example of specifying a private IP address </h4> <p>Please note that if a backup source instance exists, the private IP address must be changed to avoid duplicate addresses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"VpcId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vpc-xxxxxxxxxxxxxxxxx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Monitoring"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">State</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">disabled</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CapacityReservationSpecification"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">CapacityReservationPreference</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">open</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"InstanceInitiatedShutdownBehavior"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stop"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DisableApiTermination"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CreditSpecification"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">CpuCredits</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">unlimited</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"HibernationOptions"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">Configured</span><span class="se">\"</span><span class="s2">:false}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"EbsOptimized"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Placement"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">AvailabilityZone</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">us-west-2d</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">GroupName</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">Tenancy</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">default</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aws:backup:request-id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"InstanceType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"t4g.micro"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NetworkInterfaces"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[{</span><span class="se">\"</span><span class="s2">DeleteOnTermination</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">Description</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">DeviceIndex</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Groups</span><span class="se">\"</span><span class="s2">:[</span><span class="se">\"</span><span class="s2">sg-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">],</span><span class="se">\"</span><span class="s2">Ipv6AddressCount</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Ipv6Addresses</span><span class="se">\"</span><span class="s2">:[],</span><span class="se">\"</span><span class="s2">PrivateIpAddresses</span><span class="se">\"</span><span class="s2">:[{</span><span class="se">\"</span><span class="s2">Primary</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">PrivateIpAddress</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">172.31.62.169</span><span class="se">\"</span><span class="s2">}],</span><span class="se">\"</span><span class="s2">SubnetId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">subnet-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">InterfaceType</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">interface</span><span class="se">\"</span><span class="s2">},{</span><span class="se">\"</span><span class="s2">DeleteOnTermination</span><span class="se">\"</span><span class="s2">:false,</span><span class="se">\"</span><span class="s2">Description</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">DeviceIndex</span><span class="se">\"</span><span class="s2">:1,</span><span class="se">\"</span><span class="s2">Groups</span><span class="se">\"</span><span class="s2">:[</span><span class="se">\"</span><span class="s2">sg-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">],</span><span class="se">\"</span><span class="s2">Ipv6AddressCount</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Ipv6Addresses</span><span class="se">\"</span><span class="s2">:[],</span><span class="se">\"</span><span class="s2">PrivateIpAddresses</span><span class="se">\"</span><span class="s2">:[{</span><span class="se">\"</span><span class="s2">Primary</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">PrivateIpAddress</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">172.31.54.130</span><span class="se">\"</span><span class="s2">}],</span><span class="se">\"</span><span class="s2">SubnetId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">subnet-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">InterfaceType</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">interface</span><span class="se">\"</span><span class="s2">}]"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Example of specifying ENI-ID </h4> <p>Please note that the ENI must be detached from the instance and in Available status if the backup source ENI is to be used.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"VpcId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vpc-xxxxxxxxxxxxxxxxx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Monitoring"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">State</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">disabled</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CapacityReservationSpecification"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">CapacityReservationPreference</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">open</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"InstanceInitiatedShutdownBehavior"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stop"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DisableApiTermination"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CreditSpecification"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">CpuCredits</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">unlimited</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"HibernationOptions"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">Configured</span><span class="se">\"</span><span class="s2">:false}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"EbsOptimized"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Placement"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">AvailabilityZone</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">us-west-2d</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">GroupName</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">Tenancy</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">default</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aws:backup:request-id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"InstanceType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"t4g.micro"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NetworkInterfaces"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[{</span><span class="se">\"</span><span class="s2">DeleteOnTermination</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">Description</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">DeviceIndex</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Groups</span><span class="se">\"</span><span class="s2">:[</span><span class="se">\"</span><span class="s2">sg-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">],</span><span class="se">\"</span><span class="s2">Ipv6AddressCount</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Ipv6Addresses</span><span class="se">\"</span><span class="s2">:[],</span><span class="se">\"</span><span class="s2">PrivateIpAddresses</span><span class="se">\"</span><span class="s2">:[{</span><span class="se">\"</span><span class="s2">Primary</span><span class="se">\"</span><span class="s2">:true,</span><span class="se">\"</span><span class="s2">PrivateIpAddress</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">172.31.62.169</span><span class="se">\"</span><span class="s2">}],</span><span class="se">\"</span><span class="s2">SubnetId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">subnet-xxxxxxxxxxxxxxxxx</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">InterfaceType</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">interface</span><span class="se">\"</span><span class="s2">},{</span><span class="se">\"</span><span class="s2">DeleteOnTermination</span><span class="se">\"</span><span class="s2">:false,</span><span class="se">\"</span><span class="s2">Description</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">DeviceIndex</span><span class="se">\"</span><span class="s2">:1,</span><span class="se">\"</span><span class="s2">Ipv6AddressCount</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">Ipv6Addresses</span><span class="se">\"</span><span class="s2">:[],</span><span class="se">\"</span><span class="s2">NetworkInterfaceId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">eni-bbbbbbbbbbbbbbbbb</span><span class="se">\"</span><span class="s2">}]"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Reference </h2> <p><a href="https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-ec2-restore-cli/?nc1=h_ls" rel="noopener noreferrer">https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-ec2-restore-cli/</a></p> <p>I hope this will be of help to someone else.</p> aws ec2 backup How to use AWS Parameters and Secrets Lambda Extension hayao-k Wed, 19 Oct 2022 08:59:10 +0000 https://dev.to/aws-builders/how-to-use-aws-parameters-and-secrets-lambda-extension-16eg https://dev.to/aws-builders/how-to-use-aws-parameters-and-secrets-lambda-extension-16eg <h2> What is AWS Parameters and Secrets Lambda Extension? </h2> <p><a href="https://aws.amazon.com/jp/about-aws/whats-new/2022/10/aws-parameters-secrets-lambda-extension/" rel="noopener noreferrer">https://aws.amazon.com/jp/about-aws/whats-new/2022/10/aws-parameters-secrets-lambda-extension/</a></p> <p>This extension can be used to retrieve parameters from the AWS Systems Manager Parameter Store and secrets from the AWS Secrets Manager.</p> <h2> What makes you happy? </h2> <p>Until now, parameters and secrets were obtained in the Lambda function process using the AWS SDK or other means. </p> <p>With this extension, these values can be cached and reused during the lifecycle of a Lambda function. This reduces the latency and cost of retrieving parameters and secrets.</p> <h2> Basic usage </h2> <p>Please refer to each documents for details.</p> <p><a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html" rel="noopener noreferrer">https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html</a></p> <p><a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html" rel="noopener noreferrer">https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html</a></p> <h3> Set Layer of the extension to Lambda function </h3> <p>Lambda Extension is made available by configuring Lambda Layers. In Managed Console, AWS Parameters and Secrets Lambda Extension could be selected in the AWS layer.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmt009pnent4pck77undf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmt009pnent4pck77undf.png" alt="Image description" width="800" height="726"></a></p> <p>When configuring from the CLI or other means, specify the ARN of the published Layer. A list of ARNs for each region is provided in the documentation.</p> <h3> Write HTTP GET code in the function </h3> <p>Using this Extension eliminates processing in the AWS SDK, but the code to retrieve the value with an HTTP GET request is still required. See the second half of this post for the sample code.</p> <h3> Change IAM policy for execution role </h3> <p>The extension uses the credentials of the IAM role used to execute the Lambda function itself. Therefore, an appropriate IAM policy must be set up to retrieve parameters and secrets. For example, for the Parameter Store, ssm:GetParameter and kms:Decrypt (when using SecureString) are required.</p> <h3> (Optional) Set environment variables for functions </h3> <p>TTL for the cache, log level, etc., can be controlled by setting environment variables for the Lambda function.</p> <h2> Sample Code </h2> <p>This is an example of referencing Amazon Linux 2 AMI public parameters.</p> <p>Notes are as follows.</p> <ul> <li> <code>/</code> in the parameter name must be encoded</li> <li> The extension's local HTTP server port starts at default 2773 <ul> <li> It can be changed via the environment variable PARAMETERS_SECRETS_EXTENSION_HTTP_PORT</li> </ul> </li> <li>Header 'X-Aws-Parameters-Secrets-Token' with AWS_SESSION_TOKEN environment variable must be added <ul> <li>If not specified, it will be 401 unauthorized. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">https</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http</span><span class="dl">'</span><span class="p">);</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="nx">callback</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">hostname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">localhost</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">2773</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/systemsmanager/parameters/get/?name=%2Faws%2Fservice%2Fami-amazon-linux-latest%2Famzn-ami-hvm-x86_64-gp2</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-Aws-Parameters-Secrets-Token</span><span class="dl">'</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_SESSION_TOKEN</span> <span class="p">},</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">req</span> <span class="o">=</span> <span class="nx">https</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="nx">options</span><span class="p">,</span> <span class="nx">res</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">d</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Response from cache: </span><span class="dl">"</span><span class="o">+</span><span class="nx">d</span><span class="p">);</span> <span class="k">return</span> <span class="nx">d</span><span class="p">;</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">req</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">});</span> <span class="nx">req</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <p>The log of the execution result looks like this You got the parameter values!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL is not present. Log level set to info. [AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO Systems Manager Parameter Store and Secrets Manager Lambda Extension 1.0.94 [AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO Serving on port 2773 EXTENSION Name: AWSParametersAndSecretsLambdaExtension State: Ready Events: [INVOKE,SHUTDOWN] START RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx Version: $LATEST [AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO ready to serve traffic 2022-10-19T06:51:09.247Z bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx INFO Response from cache: {"Parameter":{"ARN":"arn:aws:ssm:ap-northeast-1::parameter/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2","DataType":"text","LastModifiedDate":"2022-10-04T17:56:51.889Z","Name":"/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2","Selector":null,"SourceResult":null,"Type":"String","Value":"ami-0fb16641312307fa9","Version":49},"ResultMetadata":{}} END RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx REPORT RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx Duration: 796.05 ms Billed Duration: 797 ms Memory Size: 128 MB Max Memory Used: 76 MB Init Duration: 324.74 ms </code></pre> </div> <p>I hope this will be of help to someone else.</p> aws lambda secretsmanager systemsmanager Backup AWS Support case history to your Wiki hayao-k Tue, 27 Sep 2022 03:07:59 +0000 https://dev.to/aws-builders/backup-aws-support-case-history-to-your-wiki-5ea9 https://dev.to/aws-builders/backup-aws-support-case-history-to-your-wiki-5ea9 <h2> Why do you need a backup? </h2> <p>AWS Support case histories are retained for up to 12 months.</p> <p><a href="https://aws.amazon.com/premiumsupport/faqs/" rel="noopener noreferrer">https://aws.amazon.com/premiumsupport/faqs/</a></p> <blockquote> <p><strong>Q: How long is case history retained?</strong><br><br> Case history information is available for 12 months after creation.</p> </blockquote> <p>Therefore, if you want to store the answers as knowledge in the long term, you need a backup.</p> <p>This post summarises how to convert support case answers into markdown format and post them to your Wiki via the API.</p> <h2> Architecture </h2> <ul> <li>Detecting support case closures with EventBridge event rules</li> <li>Use AWS Support API in AWS Lambda to get case details</li> <li>Formatted into Markdown format and posted to your Wiki</li> </ul> <p><strong>Note:</strong> Using AWS Support API requires a subscription to one of the following support plans: Business, Enterprise On-Ramp, or Enterprise.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy6bi24qub72346qtkes7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy6bi24qub72346qtkes7.png" alt="Image description" width="800" height="276"></a></p> <p>This post is about GROWI, the OSS wiki, but it can be applied to any software or service that can post via API.</p> <p><a href="https://growi.org/en/" rel="noopener noreferrer">https://growi.org/en/</a></p> <h2> Points for Implementation </h2> <h3> EventBridge event rule </h3> <p>Set to detect events where event-name is <code>ResolveCase</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"aws.support"</span><span class="p">],</span><span class="w"> </span><span class="nl">"detail-type"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Support Case Update"</span><span class="p">],</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"event-name"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"ResolveCase"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>See documentation for examples of events.</p> <p><a href="https://docs.aws.amazon.com/awssupport/latest/user/event-bridge-support.html#example-event-logs-for-support-cases" rel="noopener noreferrer">https://docs.aws.amazon.com/awssupport/latest/user/event-bridge-support.html#example-event-logs-for-support-cases</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1aa4458d-556f-732e-ddc1-4a5b2fbd14a5"</span><span class="p">,</span><span class="w"> </span><span class="nl">"detail-type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Support Case Update"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws.support"</span><span class="p">,</span><span class="w"> </span><span class="nl">"account"</span><span class="p">:</span><span class="w"> </span><span class="s2">"111122223333"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2022-02-21T15:51:31Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"case-id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"case-111122223333-muen-2022-7118885805350839"</span><span class="p">,</span><span class="w"> </span><span class="nl">"display-id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1234563851"</span><span class="p">,</span><span class="w"> </span><span class="nl">"communication-id"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"event-name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ResolveCase"</span><span class="p">,</span><span class="w"> </span><span class="nl">"origin"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Getting support case information </h3> <p>The event passed from EventBrige contains a Case ID, so use <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/support.html#Support.Client.describe_cases" rel="noopener noreferrer">DescribeCases API</a> to get the details. Communications is obtained separately, so <code>includeCommunications</code> should be False.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">describe_case</span><span class="p">(</span><span class="n">case_id</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="n">support</span><span class="p">.</span><span class="nf">describe_cases</span><span class="p">(</span> <span class="n">caseIdList</span><span class="o">=</span><span class="p">[</span> <span class="n">case_id</span> <span class="p">],</span> <span class="n">includeResolvedCases</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">includeCommunications</span><span class="o">=</span><span class="bp">False</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">cases</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">case_info</span> <span class="o">=</span> <span class="nf">describe_case</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">detail</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">case-id</span><span class="sh">'</span><span class="p">])</span> </code></pre> </div> <h3> Cases excluded from backup </h3> <p>Increased service quotas and Enterprise support activation would not require backup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">case_info</span> <span class="o">=</span> <span class="nf">describe_case</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">detail</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">case-id</span><span class="sh">'</span><span class="p">])</span> <span class="k">if</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">serviceCode</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">service-limit-increase</span><span class="sh">"</span> <span class="ow">or</span> \ <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">subject</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Enterprise Activation Request for Linked account.</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Result</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Service limit increase or Enterprise support activation will not be posted.</span><span class="sh">'</span> <span class="p">}</span> </code></pre> </div> <h3> Get communication history with support </h3> <p>Use <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/support.html#Support.Client.describe_communications" rel="noopener noreferrer">DescribeCommunications API</a>. The data is retrieved from the most recent communication, so the order is reordered and concatenated.</p> <p>Certain symbols of three or more consecutive characters are displayed as headers or horizontal lines in Markdown notation. They are replaced to avoid involuntary conversions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">describe_communications</span><span class="p">(</span><span class="n">case_id</span><span class="p">):</span> <span class="n">body</span> <span class="o">=</span> <span class="sh">""</span> <span class="n">paginator</span> <span class="o">=</span> <span class="n">support</span><span class="p">.</span><span class="nf">get_paginator</span><span class="p">(</span><span class="sh">'</span><span class="s">describe_communications</span><span class="sh">'</span><span class="p">)</span> <span class="n">page_iterator</span> <span class="o">=</span> <span class="n">paginator</span><span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="n">caseId</span><span class="o">=</span><span class="n">case_id</span><span class="p">)</span> <span class="k">for</span> <span class="n">page</span> <span class="ow">in</span> <span class="n">page_iterator</span><span class="p">:</span> <span class="k">for</span> <span class="n">communication</span> <span class="ow">in</span> <span class="n">page</span><span class="p">[</span><span class="sh">'</span><span class="s">communications</span><span class="sh">'</span><span class="p">]:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span> <span class="sa">r</span><span class="sh">'</span><span class="s">-{3,}|={3,}|\*{3,}|_{3,}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">communication</span><span class="p">[</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n\n</span><span class="s">---</span><span class="se">\n\n</span><span class="sh">'</span> <span class="o">+</span> <span class="n">body</span> <span class="n">communications</span> <span class="o">=</span> <span class="sh">'</span><span class="s">## Communications</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> <span class="n">body</span> <span class="k">return</span> <span class="n">communications</span> </code></pre> </div> <h3> Post to GROWI </h3> <p>The API reference is below.</p> <p><a href="https://docs.growi.org/en/api/rest-v3.html" rel="noopener noreferrer">https://docs.growi.org/en/api/rest-v3.html</a></p> <p>New pages are created using <code>createPage</code> (POST <code>/pages</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"body"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"grant"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"grantUserGroupId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5ae5fccfc5577b0004dbd8ab"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pageTags"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5e2d6aede35da4004ef7e0b7"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"daily"</span><span class="p">,</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"createFromPageTree"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li>Only <code>body</code> (the body of the article) and <code>path</code> (the path to the post) are required.</li> <li>The <code>grant</code> specifies the extent to which the page is public (1: public, 2: only people who know the link, etc.).</li> <li>In practice, you should also include the <code>access_token</code> (api_key). </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">create_payload</span><span class="p">(</span><span class="n">account_id</span><span class="p">,</span> <span class="n">case_info</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">API_KEY</span><span class="sh">'</span><span class="p">]</span> <span class="n">title</span> <span class="o">=</span> <span class="sh">'</span><span class="s"># </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">subject</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="n">information</span> <span class="o">=</span> <span class="sh">'</span><span class="s">## Case Information</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Account ID: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">account_id</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Case ID: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">displayId</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span>\ <span class="sh">'</span><span class="s">* Create Date </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">timeCreated</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Severity: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">severityCode</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Service: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">serviceCode</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Category: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">categoryCode</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="n">communications</span> <span class="o">=</span> <span class="nf">describe_communications</span><span class="p">(</span><span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">caseId</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">:</span> <span class="n">token</span><span class="p">,</span> <span class="sh">'</span><span class="s">path</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">/PathYouWantToPost/</span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">subject</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">title</span> <span class="o">+</span> <span class="n">information</span> <span class="o">+</span> <span class="n">communications</span><span class="p">,</span> <span class="sh">'</span><span class="s">grant</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">case_info</span> <span class="o">=</span> <span class="nf">describe_case</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">detail</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">case-id</span><span class="sh">'</span><span class="p">])</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">create_payload</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">account</span><span class="sh">'</span><span class="p">],</span> <span class="n">case_info</span><span class="p">)</span> <span class="n">url</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">API_URL</span><span class="sh">'</span><span class="p">]</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span><span class="p">,</span> <span class="p">}</span> <span class="n">req</span> <span class="o">=</span> <span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">payload</span><span class="p">).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">headers</span><span class="p">)</span> </code></pre> </div> <h2> Lambda function example </h2> <p>The function execution role must be granted AWS Support referencing rights.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">getLogger</span><span class="p">,</span> <span class="n">INFO</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">urllib.request</span> <span class="kn">import</span> <span class="n">Request</span><span class="p">,</span> <span class="n">urlopen</span> <span class="kn">from</span> <span class="n">urllib.error</span> <span class="kn">import</span> <span class="n">URLError</span><span class="p">,</span> <span class="n">HTTPError</span> <span class="kn">import</span> <span class="n">re</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="n">logger</span> <span class="o">=</span> <span class="nf">getLogger</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">INFO</span><span class="p">)</span> <span class="n">support</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">support</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">describe_communications</span><span class="p">(</span><span class="n">case_id</span><span class="p">):</span> <span class="n">body</span> <span class="o">=</span> <span class="sh">''</span> <span class="k">try</span><span class="p">:</span> <span class="n">paginator</span> <span class="o">=</span> <span class="n">support</span><span class="p">.</span><span class="nf">get_paginator</span><span class="p">(</span><span class="sh">'</span><span class="s">describe_communications</span><span class="sh">'</span><span class="p">)</span> <span class="n">page_iterator</span> <span class="o">=</span> <span class="n">paginator</span><span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="n">caseId</span><span class="o">=</span><span class="n">case_id</span><span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="n">err</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">])</span> <span class="k">raise</span> <span class="k">for</span> <span class="n">page</span> <span class="ow">in</span> <span class="n">page_iterator</span><span class="p">:</span> <span class="k">for</span> <span class="n">communication</span> <span class="ow">in</span> <span class="n">page</span><span class="p">[</span><span class="sh">'</span><span class="s">communications</span><span class="sh">'</span><span class="p">]:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span> <span class="sa">r</span><span class="sh">'</span><span class="s">-{3,}|={3,}|\*{3,}|_{3,}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">communication</span><span class="p">[</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n\n</span><span class="s">---</span><span class="se">\n\n</span><span class="sh">'</span> <span class="o">+</span> <span class="n">body</span> <span class="n">communications</span> <span class="o">=</span> <span class="sh">'</span><span class="s">## Communications</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> <span class="n">body</span> <span class="k">return</span> <span class="n">communications</span> <span class="k">def</span> <span class="nf">create_payload</span><span class="p">(</span><span class="n">account_id</span><span class="p">,</span> <span class="n">case_info</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">API_KEY</span><span class="sh">'</span><span class="p">]</span> <span class="n">title</span> <span class="o">=</span> <span class="sh">'</span><span class="s"># </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">subject</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="n">information</span> <span class="o">=</span> <span class="sh">'</span><span class="s">## Case Information</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Account ID: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">account_id</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Case ID: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">displayId</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span>\ <span class="sh">'</span><span class="s">* Create Date </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">timeCreated</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Severity: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">severityCode</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Service: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">serviceCode</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="o">+</span> \ <span class="sh">'</span><span class="s">* Category: </span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">categoryCode</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span> <span class="n">communications</span> <span class="o">=</span> <span class="nf">describe_communications</span><span class="p">(</span><span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">caseId</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">:</span> <span class="n">token</span><span class="p">,</span> <span class="sh">'</span><span class="s">path</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">/PathYouWantToPost/</span><span class="sh">'</span> <span class="o">+</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">subject</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">title</span> <span class="o">+</span> <span class="n">information</span> <span class="o">+</span> <span class="n">communications</span><span class="p">,</span> <span class="sh">'</span><span class="s">grant</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">describe_case</span><span class="p">(</span><span class="n">case_id</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">support</span><span class="p">.</span><span class="nf">describe_cases</span><span class="p">(</span> <span class="n">caseIdList</span><span class="o">=</span><span class="p">[</span> <span class="n">case_id</span> <span class="p">],</span> <span class="n">includeResolvedCases</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">includeCommunications</span><span class="o">=</span><span class="bp">False</span> <span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="n">err</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">])</span> <span class="k">raise</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">cases</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">case_info</span> <span class="o">=</span> <span class="nf">describe_case</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">detail</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">case-id</span><span class="sh">'</span><span class="p">])</span> <span class="k">if</span> <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">serviceCode</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">service-limit-increase</span><span class="sh">"</span> <span class="ow">or</span> \ <span class="n">case_info</span><span class="p">[</span><span class="sh">'</span><span class="s">subject</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Enterprise Activation Request for Linked account.</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Result</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Service limit increase or Enterprise support activation will not be posted.</span><span class="sh">'</span> <span class="p">}</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">create_payload</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">account</span><span class="sh">'</span><span class="p">],</span> <span class="n">case_info</span><span class="p">)</span> <span class="n">url</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">API_URL</span><span class="sh">'</span><span class="p">]</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span><span class="p">,</span> <span class="p">}</span> <span class="n">req</span> <span class="o">=</span> <span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">payload</span><span class="p">).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">headers</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">except</span> <span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Result</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'''</span><span class="s">Request failed: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">code</span><span class="si">}</span><span class="s">, </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="s">)</span><span class="sh">'''</span> <span class="p">}</span> <span class="k">except</span> <span class="n">URLError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Result</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'''</span><span class="s">Request failed: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="s">)</span><span class="sh">'''</span> <span class="p">}</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Result</span><span class="sh">'</span> <span class="p">:</span> <span class="sh">'</span><span class="s">Knowledge posted.</span><span class="sh">'</span> <span class="p">}</span> </code></pre> </div> <p>The results of the POST are as follows. Sorry, I can't share the case's contents, so it's mostly blacked out.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F52jp53dxmy0f5qdihiso.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F52jp53dxmy0f5qdihiso.png" alt="Image description" width="800" height="738"></a></p> <p>I hope this will be of help to someone else.</p> aws python lambda eventbridge Migrating CloudFront OAI to OAC using CloudFormation hayao-k Wed, 21 Sep 2022 12:20:13 +0000 https://dev.to/aws-builders/migrating-cloudfront-oai-to-oac-using-cloudformation-3m6f https://dev.to/aws-builders/migrating-cloudfront-oai-to-oac-using-cloudformation-3m6f <h2> Goals of this post </h2> <p>Describes the CloudFormation template modifications required to migrate CloudFront's Origin access identity (OAI) to Origin Access Control (OAC).</p> <p>OAC is a new access control method for setting S3 buckets as origins in CloudFront.</p> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__cover"> <a href="https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/" class="c-link s:max-w-50 align-middle" rel="noopener noreferrer"> <img alt="" src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd2908q01vomqb2.cloudfront.net%2F5b384ce32d8cdef02bc3a139d4cac0a22bb029e8%2F2022%2F08%2F25%2FAmazon-CloudFront-introduces-Origin-Access-Control-OAC.jpg" height="auto" class="m-0"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/" rel="noopener noreferrer" class="c-link"> Amazon CloudFront introduces Origin Access Control (OAC) | Networking &amp; Content Delivery </a> </h2> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fa0.awsstatic.com%2Fmain%2Fimages%2Fsite%2Ffav%2Ffavicon.ico"> aws.amazon.com </div> </div> </div> <p>Previously we had used Origin Access Identity (OAI) to restrict access to origin S3 buckets to CloudFront only.</p> <p>OAI is currently treated as Legacy. Migration from OAI to OAC is recommended to support security best practices and new regions.</p> <h2> Sample Template </h2> <p>See my GitHub repository!</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/hayao-k" rel="noopener noreferrer"> hayao-k </a> / <a href="https://github.com/hayao-k/CFn-sample-cloudfront-oac" rel="noopener noreferrer"> CFn-sample-cloudfront-oac </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">CFn-sample-cloudfront-oac</h1> </div> <p>CloudFormation template for building a static site delivery environment with CloudFront and S3. OAC is used for origin access control.</p> <div class="markdown-heading"> <h2 class="heading-element">static-site-deploy-default.yaml</h2> </div> <p>Template for using the default CloudFront domain name.</p> <div class="markdown-heading"> <h2 class="heading-element">static-site-deploy-cname.yaml</h2> </div> <p>Template for delivery on a custom domain using a TLS certificate issued by AWS Certificate Manager (ACM). You will need to specify the CNAME and ACM identifier when deploying.</p> </div> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/hayao-k/CFn-sample-cloudfront-oac" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <br> <h2> Examples of modifications </h2> <p>Migrating existing CloudFormation templates from OAI to OAC requires, as a minimum, the following modifications.</p> <ul> <li>Creating an OAC</li> <li>Modifying the bucket policy</li> <li>Modifying Distribution Origin</li> </ul> <h3> Creating an OAC </h3> <p>Create an <code>AWS::CloudFront::OriginAccessControl</code>. Description of the OriginAccessControlConfig is an optional field.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">Resources</span><span class="pi">:</span> <span class="na">CloudFrontOriginAccessControl</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::OriginAccessControl</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">OriginAccessControlConfig</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Default Origin Access Control</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::StackName</span> <span class="na">OriginAccessControlOriginType</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">SigningBehavior</span><span class="pi">:</span> <span class="s">always</span> <span class="na">SigningProtocol</span><span class="pi">:</span> <span class="s">sigv4</span> </code></pre> </div> <p><a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-originaccesscontrol.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-originaccesscontrol.html</a></p> <p>Delete <code>AWS::CloudFront::CloudFrontOriginAccessIdentity</code> as it will no longer be required after migration.</p> <h3> Modifying the bucket policy </h3> <p>In the following example, the policy for OAI has been removed, but it is a recommended migration procedure to include both OAI and OAC policies. This will prevent CloudFront from losing access to S3 buckets during migration to OAC. Please take action as necessary.</p> <p><strong>Before</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># S3 bucket policy to allow access from CloudFront OAI</span> <span class="na">AssetsBucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AssetsBucket</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">s3:GetObject</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${AssetsBucket.Arn}/*</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}</span> </code></pre> </div> <p><strong>After</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># S3 bucket policy to allow access from CloudFront OAC</span> <span class="na">AssetsBucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AssetsBucket</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">s3:GetObject</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${AssetsBucket.Arn}/*</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">cloudfront.amazonaws.com</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">StringEquals</span><span class="pi">:</span> <span class="na">AWS:SourceArn</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">arn:aws:cloudfront::${AWS::AccountId}:distribution/${AssetsDistribution}</span> </code></pre> </div> <p><a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html</a></p> <h3> Modifying Distribution Origin </h3> <p>OAI sets S3OriginConfig for Distribution Origin, but OAC requires OriginAccessControlId to be specified.</p> <p><strong>Before</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">AssetsDistribution</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::Distribution</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DistributionConfig</span><span class="pi">:</span> <span class="na">Origins</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">S3Origin</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">AssetsBucket.DomainName</span> <span class="na">S3OriginConfig</span><span class="pi">:</span> <span class="na">OriginAccessIdentity</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}</span> </code></pre> </div> <p><strong>Afeter</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">AssetsDistribution</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::Distribution</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DistributionConfig</span><span class="pi">:</span> <span class="na">Origins</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">S3Origin</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">AssetsBucket.DomainName</span> <span class="na">S3OriginConfig</span><span class="pi">:</span> <span class="na">OriginAccessIdentity</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">OriginAccessControlId</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">CloudFrontOriginAccessControl.Id</span> </code></pre> </div> <p><a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html</a></p> <p><strong>Note:</strong> As of September 2022, an empty OriginAccessIdentity must be specified in S3OriginConfig.</p> <p>Deleting S3OriginConfig will result in the following error when updating the stack.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Resource handler returned message: "Invalid request provided: Exactly one of CustomOriginConfig and S3OriginConfig must be specified" </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0fx7bsjn597p5t5bswb8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0fx7bsjn597p5t5bswb8.png" alt="Image description"></a></p> <h2> Examples of actual migration </h2> <p>Now let's update the existing CloudFormation stack using the <a href="https://github.com/hayao-k/CFn-sample-cloudfront-oac/blob/main/CloudFront-S3-OAC.yaml" rel="noopener noreferrer">modified template</a>. Update the stack to ensure that the change set is as expected.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc24xq7ql1f36eku9g0rp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc24xq7ql1f36eku9g0rp.png" alt="Image description"></a></p> <p>As described before, removing the bucket policy for OAI and migrating to OAC will result in Access Denied during distribution updates.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzeeutnmjoe8brhzcsr48.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzeeutnmjoe8brhzcsr48.png" alt="Image description"></a></p> <p>After updating the distribution, the S3 bucket access settings can be seen to have been updated to OAC.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fna4tu2ut3fndln4b3i5u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fna4tu2ut3fndln4b3i5u.png" alt="Image description"></a></p> <p>The S3 bucket policy is also updated as expected.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4mjy2tgtj07k4zznmbwn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4mjy2tgtj07k4zznmbwn.png" alt="Image description"></a></p> <p>Access from the browser seems to be okay.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpz4zqtovr0ckzgj4ch1z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpz4zqtovr0ckzgj4ch1z.png" alt="Image description"></a></p> <p>I hope this will be of help to someone else.</p> aws cloudfront cloudformation Get daily billing amounts by account with Cost Explorer API hayao-k Sun, 26 Jun 2022 15:42:00 +0000 https://dev.to/aws-builders/get-daily-billing-amounts-by-account-with-cost-explorer-api-35ic https://dev.to/aws-builders/get-daily-billing-amounts-by-account-with-cost-explorer-api-35ic <h2> Goal of this article </h2> <p>Use Cost Explorer API to get the daily billing amount for each account and output the following data in CSV.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Account Id</th> <th>Account Name</th> <th>2022/4/1</th> <th>2022/4/2</th> <th>2022/4/3</th> <th>...</th> <th>2022/4/30</th> </tr> </thead> <tbody> <tr> <td>000000000000</td> <td>account-0000</td> <td>42.792716528</td> <td>40.124716527</td> <td>43.123416527</td> <td>...</td> <td>50.922465287</td> </tr> <tr> <td>111111111111</td> <td>account-1111</td> <td>32.263379809</td> <td>30.235379809</td> <td>31.263353594</td> <td>...</td> <td>22.133798094</td> </tr> <tr> <td>222222222222</td> <td>account-2222</td> <td>751.71034839</td> <td>720.51234839</td> <td>772.62033294</td> <td>...</td> <td>651.71042035</td> </tr> <tr> <td>333333333333</td> <td>account-3333</td> <td>4.6428</td> <td>5.1234</td> <td>7.8765</td> <td>...</td> <td>6.2234</td> </tr> <tr> <td>444444444444</td> <td>account-4444</td> <td>407.74542211</td> <td>420.12345211</td> <td>395.12499518</td> <td>...</td> <td>417.99454118</td> </tr> <tr> <td>555555555555</td> <td>account-5555</td> <td>386.78950595</td> <td>400.12500509</td> <td>352.89924506</td> <td>...</td> <td>370.75102656</td> </tr> <tr> <td>...</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> </tr> </tbody> </table></div> <p>An equivalent CSV can be downloaded from the AWS Cost Explorer console. This post describes how to retrieve the data daily automatically.</p> <h2> Example API Request </h2> <p>This is a minimal example of using AWS Lambda to retrieve the daily billing amount for the current month.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">today</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">date</span><span class="p">.</span><span class="nf">today</span><span class="p">()</span> <span class="n">start</span> <span class="o">=</span> <span class="n">today</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="n">day</span><span class="o">=</span><span class="mi">1</span><span class="p">).</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m-%d</span><span class="sh">'</span><span class="p">)</span> <span class="n">end</span> <span class="o">=</span> <span class="n">today</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m-%d</span><span class="sh">'</span><span class="p">)</span> <span class="n">ce</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ce</span><span class="sh">'</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">ce</span><span class="p">.</span><span class="nf">get_cost_and_usage</span><span class="p">(</span> <span class="n">TimePeriod</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">Start</span><span class="sh">'</span><span class="p">:</span> <span class="n">start</span><span class="p">,</span> <span class="sh">'</span><span class="s">End</span><span class="sh">'</span> <span class="p">:</span> <span class="n">end</span><span class="p">,</span> <span class="p">},</span> <span class="n">Granularity</span><span class="o">=</span><span class="sh">'</span><span class="s">DAILY</span><span class="sh">'</span><span class="p">,</span> <span class="n">Metrics</span><span class="o">=</span><span class="p">[</span> <span class="sh">'</span><span class="s">NetUnblendedCost</span><span class="sh">'</span> <span class="p">],</span> <span class="n">GroupBy</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">DIMENSION</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Key</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">LINKED_ACCOUNT</span><span class="sh">'</span> <span class="p">}</span> <span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">ResultsByTime</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <p>One point to note is that there is a time lag before the cost for a given day is determined. For example, if the cost for April 25 is obtained on April 26, it may be less than the actual billing amount.</p> <p>The timing of when the AWS data will be updated is not disclosed, but it appears that on April 27, the costs for April 25 will be almost finalized.</p> <h2> Processing with Pandas </h2> <p>Since the API response is a nested JSON, we will consider an example of processing it into a CSV using Pandas.</p> <p>When using Pandas with AWS Lambda, Lambda Layers must be used.</p> <ul> <li>Since each element contains billing data daily, it is processed with a for statement one day at a time.</li> <li>After flattening the data using pandas.json_normalize, it is concatenated with the billing amount using pandas.concat.</li> <li>After further renaming the column to the billing date, the results are merged using the Account Id as the key. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">merged_cost</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">(</span> <span class="n">index</span><span class="o">=</span><span class="p">[],</span> <span class="n">columns</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">Account Id</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">for</span> <span class="n">index</span><span class="p">,</span> <span class="n">item</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">response</span><span class="p">):</span> <span class="n">normalized_json</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nf">json_normalize</span><span class="p">(</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">Groups</span><span class="sh">'</span><span class="p">])</span> <span class="n">split_keys</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">(</span> <span class="n">normalized_json</span><span class="p">[</span><span class="sh">'</span><span class="s">Keys</span><span class="sh">'</span><span class="p">].</span><span class="nf">tolist</span><span class="p">(),</span> <span class="n">columns</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">Account Id</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">cost</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nf">concat</span><span class="p">(</span> <span class="p">[</span><span class="n">split_keys</span><span class="p">,</span> <span class="n">normalized_json</span><span class="p">[</span><span class="sh">'</span><span class="s">Metrics.NetUnblendedCost.Amount</span><span class="sh">'</span><span class="p">]],</span> <span class="n">axis</span><span class="o">=</span><span class="mi">1</span> <span class="p">)</span> <span class="n">renamed_cost</span> <span class="o">=</span> <span class="n">cost</span><span class="p">.</span><span class="nf">rename</span><span class="p">(</span> <span class="n">columns</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">Metrics.NetUnblendedCost.Amount</span><span class="sh">'</span><span class="p">:</span> <span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">TimePeriod</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Start</span><span class="sh">'</span><span class="p">]}</span> <span class="p">)</span> <span class="n">merged_cost</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nf">merge</span><span class="p">(</span><span class="n">merged_cost</span><span class="p">,</span> <span class="n">renamed_cost</span><span class="p">,</span> <span class="n">on</span><span class="o">=</span><span class="sh">'</span><span class="s">Account Id</span><span class="sh">'</span><span class="p">,</span> <span class="n">how</span><span class="o">=</span><span class="sh">'</span><span class="s">right</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">merged_cost</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Account Id ... 2022-04-25 0 000000000000 ... 15.4985752779 1 111111111111 ... 0.2176 2 222222222222 ... 6.5567854795 3 333333333333 ... 6.6300957379 4 444444444444 ... 8.2720868504 .. ... ... ... 19 777777777777 ... 10.0121863554 18 888888888888 ... 6.5976412116 20 999999999999 ... 6.493243618 [20 rows x 26 columns] </code></pre> </div> <h2> Example of Lambda function </h2> <p>After processing with for statement, the list of account names obtained from AWS Organizations API is merged and output in CSV.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">getLogger</span><span class="p">,</span> <span class="n">INFO</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">pandas</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="n">logger</span> <span class="o">=</span> <span class="nf">getLogger</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">INFO</span><span class="p">)</span> <span class="k">def</span> <span class="nf">upload_s3</span><span class="p">(</span><span class="n">output</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">bucket</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">s3_resource</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">s3</span><span class="sh">'</span><span class="p">)</span> <span class="n">s3_bucket</span> <span class="o">=</span> <span class="n">s3_resource</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="n">bucket</span><span class="p">)</span> <span class="n">s3_bucket</span><span class="p">.</span><span class="nf">upload_file</span><span class="p">(</span><span class="n">output</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">ExtraArgs</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">ACL</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">bucket-owner-full-control</span><span class="sh">'</span><span class="p">})</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="n">err</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">])</span> <span class="k">raise</span> <span class="k">def</span> <span class="nf">get_ou_ids</span><span class="p">(</span><span class="n">org</span><span class="p">,</span> <span class="n">parent_id</span><span class="p">):</span> <span class="n">ou_ids</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">try</span><span class="p">:</span> <span class="n">paginator</span> <span class="o">=</span> <span class="n">org</span><span class="p">.</span><span class="nf">get_paginator</span><span class="p">(</span><span class="sh">'</span><span class="s">list_children</span><span class="sh">'</span><span class="p">)</span> <span class="n">iterator</span> <span class="o">=</span> <span class="n">paginator</span><span class="p">.</span><span class="nf">paginate</span><span class="p">(</span> <span class="n">ParentId</span><span class="o">=</span><span class="n">parent_id</span><span class="p">,</span> <span class="n">ChildType</span><span class="o">=</span><span class="sh">'</span><span class="s">ORGANIZATIONAL_UNIT</span><span class="sh">'</span> <span class="p">)</span> <span class="k">for</span> <span class="n">page</span> <span class="ow">in</span> <span class="n">iterator</span><span class="p">:</span> <span class="k">for</span> <span class="n">ou</span> <span class="ow">in</span> <span class="n">page</span><span class="p">[</span><span class="sh">'</span><span class="s">Children</span><span class="sh">'</span><span class="p">]:</span> <span class="n">ou_ids</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">ou</span><span class="p">[</span><span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">])</span> <span class="n">ou_ids</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="nf">get_ou_ids</span><span class="p">(</span><span class="n">org</span><span class="p">,</span> <span class="n">ou</span><span class="p">[</span><span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">]))</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="n">err</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">])</span> <span class="k">raise</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="n">ou_ids</span> <span class="k">def</span> <span class="nf">list_accounts</span><span class="p">():</span> <span class="n">org</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">organizations</span><span class="sh">'</span><span class="p">)</span> <span class="n">root_id</span> <span class="o">=</span> <span class="sh">'</span><span class="s">r-xxxx</span><span class="sh">'</span> <span class="n">ou_id_list</span> <span class="o">=</span> <span class="p">[</span><span class="n">root_id</span><span class="p">]</span> <span class="n">ou_id_list</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="nf">get_ou_ids</span><span class="p">(</span><span class="n">org</span><span class="p">,</span> <span class="n">root_id</span><span class="p">))</span> <span class="n">accounts</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">try</span><span class="p">:</span> <span class="k">for</span> <span class="n">ou_id</span> <span class="ow">in</span> <span class="n">ou_id_list</span><span class="p">:</span> <span class="n">paginator</span> <span class="o">=</span> <span class="n">org</span><span class="p">.</span><span class="nf">get_paginator</span><span class="p">(</span><span class="sh">'</span><span class="s">list_accounts_for_parent</span><span class="sh">'</span><span class="p">)</span> <span class="n">page_iterator</span> <span class="o">=</span> <span class="n">paginator</span><span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="n">ParentId</span><span class="o">=</span><span class="n">ou_id</span><span class="p">)</span> <span class="k">for</span> <span class="n">page</span> <span class="ow">in</span> <span class="n">page_iterator</span><span class="p">:</span> <span class="k">for</span> <span class="n">account</span> <span class="ow">in</span> <span class="n">page</span><span class="p">[</span><span class="sh">'</span><span class="s">Accounts</span><span class="sh">'</span><span class="p">]:</span> <span class="n">item</span> <span class="o">=</span> <span class="p">[</span> <span class="n">account</span><span class="p">[</span><span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">],</span> <span class="n">account</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">],</span> <span class="p">]</span> <span class="n">accounts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">item</span><span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="n">err</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">])</span> <span class="k">raise</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="n">accounts</span> <span class="k">def</span> <span class="nf">get_cost_json</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">):</span> <span class="n">ce</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ce</span><span class="sh">'</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">ce</span><span class="p">.</span><span class="nf">get_cost_and_usage</span><span class="p">(</span> <span class="n">TimePeriod</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">Start</span><span class="sh">'</span><span class="p">:</span> <span class="n">start</span><span class="p">,</span> <span class="sh">'</span><span class="s">End</span><span class="sh">'</span> <span class="p">:</span> <span class="n">end</span><span class="p">,</span> <span class="p">},</span> <span class="n">Granularity</span><span class="o">=</span><span class="sh">'</span><span class="s">DAILY</span><span class="sh">'</span><span class="p">,</span> <span class="n">Metrics</span><span class="o">=</span><span class="p">[</span> <span class="sh">'</span><span class="s">NetUnblendedCost</span><span class="sh">'</span> <span class="p">],</span> <span class="n">GroupBy</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">DIMENSION</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Key</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">LINKED_ACCOUNT</span><span class="sh">'</span> <span class="p">}</span> <span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">ResultsByTime</span><span class="sh">'</span><span class="p">]</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">today</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">date</span><span class="p">.</span><span class="nf">today</span><span class="p">()</span> <span class="n">start</span> <span class="o">=</span> <span class="n">today</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="n">day</span><span class="o">=</span><span class="mi">1</span><span class="p">).</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m-%d</span><span class="sh">'</span><span class="p">)</span> <span class="n">end</span> <span class="o">=</span> <span class="n">today</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m-%d</span><span class="sh">'</span><span class="p">)</span> <span class="n">key</span> <span class="o">=</span> <span class="sh">'</span><span class="s">daily-cost-</span><span class="sh">'</span> <span class="o">+</span> <span class="n">today</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m</span><span class="sh">'</span><span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="s">.csv</span><span class="sh">'</span> <span class="n">output_file</span> <span class="o">=</span> <span class="sh">'</span><span class="s">/tmp/output.csv</span><span class="sh">'</span> <span class="n">bucket</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">BUCKET</span><span class="sh">'</span><span class="p">]</span> <span class="n">account_list</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">(</span><span class="nf">list_accounts</span><span class="p">(),</span> <span class="n">columns</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">Account Id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Account Name</span><span class="sh">'</span><span class="p">])</span> <span class="n">daily_cost_list</span> <span class="o">=</span> <span class="nf">get_cost_json</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">)</span> <span class="n">merged_cost</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">(</span> <span class="n">index</span><span class="o">=</span><span class="p">[],</span> <span class="n">columns</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">Account Id</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">for</span> <span class="n">index</span><span class="p">,</span> <span class="n">item</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">daily_cost_list</span><span class="p">):</span> <span class="n">normalized_json</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nf">json_normalize</span><span class="p">(</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">Groups</span><span class="sh">'</span><span class="p">])</span> <span class="n">split_keys</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">(</span> <span class="n">normalized_json</span><span class="p">[</span><span class="sh">'</span><span class="s">Keys</span><span class="sh">'</span><span class="p">].</span><span class="nf">tolist</span><span class="p">(),</span> <span class="n">columns</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">Account Id</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">cost</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nf">concat</span><span class="p">(</span> <span class="p">[</span><span class="n">split_keys</span><span class="p">,</span> <span class="n">normalized_json</span><span class="p">[</span><span class="sh">'</span><span class="s">Metrics.NetUnblendedCost.Amount</span><span class="sh">'</span><span class="p">]],</span> <span class="n">axis</span><span class="o">=</span><span class="mi">1</span> <span class="p">)</span> <span class="n">renamed_cost</span> <span class="o">=</span> <span class="n">cost</span><span class="p">.</span><span class="nf">rename</span><span class="p">(</span> <span class="n">columns</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">Metrics.NetUnblendedCost.Amount</span><span class="sh">'</span><span class="p">:</span> <span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">TimePeriod</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Start</span><span class="sh">'</span><span class="p">]}</span> <span class="p">)</span> <span class="n">merged_cost</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nf">merge</span><span class="p">(</span><span class="n">merged_cost</span><span class="p">,</span> <span class="n">renamed_cost</span><span class="p">,</span> <span class="n">on</span><span class="o">=</span><span class="sh">'</span><span class="s">Account Id</span><span class="sh">'</span><span class="p">,</span> <span class="n">how</span><span class="o">=</span><span class="sh">'</span><span class="s">outer</span><span class="sh">'</span><span class="p">)</span> <span class="n">daily_cost</span> <span class="o">=</span> <span class="n">pandas</span><span class="p">.</span><span class="nf">merge</span><span class="p">(</span><span class="n">account_list</span><span class="p">,</span> <span class="n">merged_cost</span><span class="p">,</span> <span class="n">on</span><span class="o">=</span><span class="sh">'</span><span class="s">Account Id</span><span class="sh">'</span><span class="p">,</span> <span class="n">how</span><span class="o">=</span><span class="sh">'</span><span class="s">right</span><span class="sh">'</span><span class="p">)</span> <span class="n">daily_cost</span><span class="p">.</span><span class="nf">to_csv</span><span class="p">(</span><span class="n">output_file</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="nf">upload_s3</span><span class="p">(</span><span class="n">output_file</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">bucket</span><span class="p">)</span> </code></pre> </div> <p>Now all that is left is setting an arbitrary startup schedule in EventBridge and a Lambda function as the target.</p> aws python costexplorer billing Configure actions-runner-controller with proxy in private EKS cluster hayao-k Sun, 12 Jun 2022 17:31:07 +0000 https://dev.to/aws-builders/configure-actions-runner-controller-with-proxy-in-private-eks-cluster-36ff https://dev.to/aws-builders/configure-actions-runner-controller-with-proxy-in-private-eks-cluster-36ff <h2> Goals of this post </h2> <ul> <li>Run actions-runner-controller on Private EKS cluster</li> <li>Communication with GitHub API is through on-premises proxy server</li> </ul> <p>This post is validated with the following configuration.</p> <ul> <li>Amazon EKS: Kubernetes 1.22</li> <li>actions-runner-controller: v0.23.0</li> <li>cert-manager v1.8.0</li> <li>eksctl: 0.93.0</li> <li>kubectl: v1.21.2</li> <li>AWS CLI: 2.5.7</li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk072j91r6csx0kfrwn2x.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk072j91r6csx0kfrwn2x.png" alt="Image description" width="800" height="507"></a> </p> <h2> What is actions-runner-controller? </h2> <p>Controller for operating GitHub Actions self-hosted runners on Kubernetes cluster.</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--A9-wwsHG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/actions" rel="noopener noreferrer"> actions </a> / <a href="https://github.com/actions/actions-runner-controller" rel="noopener noreferrer"> actions-runner-controller </a> </h2> <h3> Kubernetes controller for GitHub Actions self-hosted runners </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Actions Runner Controller (ARC)</h1> </div> <p><a href="https://bestpractices.coreinfrastructure.org/projects/6061" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/91aef1cbaa47d81418ae9eff66980263c4ebc8160ec89ec1549737f429bef62c/68747470733a2f2f626573747072616374696365732e636f7265696e6672617374727563747572652e6f72672f70726f6a656374732f363036312f6261646765" alt="CII Best Practices"></a> <a href="https://github.com/jonico/awesome-runners" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/d7e33be9189ff01400ffec9fd85aeb7a4a871eab0f17e262005de81b0fd3dcf6/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c69737465642532306f6e2d617765736f6d652d2d72756e6e6572732d626c75652e737667" alt="awesome-runners"></a> <a href="https://artifacthub.io/packages/search?repo=actions-runner-controller" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/d594cc8e271193357e6f87f158089e681fca0e177a2739f27bf89a8377684e93/68747470733a2f2f696d672e736869656c64732e696f2f656e64706f696e743f75726c3d68747470733a2f2f61727469666163746875622e696f2f62616467652f7265706f7369746f72792f616374696f6e732d72756e6e65722d636f6e74726f6c6c6572" alt="Artifact Hub"></a></p> <div class="markdown-heading"> <h2 class="heading-element">About</h2> </div> <p>Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions.</p> <p>With ARC, you can create runner scale sets that automatically scale based on the number of workflows running in your repository, organization, or enterprise. Because controlled runners can be ephemeral and based on containers, new runner instances can scale up or down rapidly and cleanly. For more information about autoscaling, see <a href="https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners" rel="noopener noreferrer">"Autoscaling with self-hosted runners."</a></p> <p>You can set up ARC on Kubernetes using Helm, then create and run a workflow that uses runner scale sets. For more information about runner scale sets, see <a href="https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set" rel="noopener noreferrer">"Deploying runner scale sets with Actions Runner Controller."</a></p> <div class="markdown-heading"> <h2 class="heading-element">People</h2> </div> <p>Actions Runner Controller (ARC) is an open-source project currently developed and maintained in collaboration with the GitHub Actions team, external maintainers @mumoshu and @toast-gear, various <a href="https://github.com/actions/actions-runner-controller/graphs/contributors" rel="noopener noreferrer">contributors</a>, and the <a href="https://github.com/actions/actions-runner-controller/discussions" rel="noopener noreferrer">awesome community</a>.</p> <p>If you think the…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/actions/actions-runner-controller" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>The following describes the flow of building actions-runner-controller on private EKS cluster.</p> <h2> Create private EKS Cluster </h2> <p>Set up kubectl, eksctl, and AWS CLI in your working environment in advance. See below for detailed instructions.</p> <p><strong>kubectl:</strong> <a href="https://kubernetes.io/docs/tasks/tools/" rel="noopener noreferrer">https://kubernetes.io/docs/tasks/tools/</a></p> <p><strong>eksctl:</strong> <a href="https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html" rel="noopener noreferrer">https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html</a></p> <p><strong>AWS CLI:</strong> <a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" rel="noopener noreferrer">https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html</a></p> <p>Please refer to the following document to create a private cluster with eksctl.</p> <p><a href="https://eksctl.io/usage/eks-private-cluster/" rel="noopener noreferrer">https://eksctl.io/usage/eks-private-cluster/</a></p> <p>In this case, created an EKS cluster using the following config file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">eksctl.io/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">actions-runner</span> <span class="na">region</span><span class="pi">:</span> <span class="s">ap-northeast-1</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.22"</span> <span class="na">privateCluster</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">skipEndpointCreation</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">vpc</span><span class="pi">:</span> <span class="na">subnets</span><span class="pi">:</span> <span class="na">private</span><span class="pi">:</span> <span class="na">ap-northeast-1a</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s">subnet-xxxxxxxxxxxxxxxxx</span> <span class="na">ap-northeast-1c</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s">subnet-yyyyyyyyyyyyyyyyy</span> <span class="na">ap-northeast-1d</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s">subnet-zzzzzzzzzzzzzzzzz</span> </code></pre> </div> <p>For a private EKS cluster, the following VPC endpoints are required.</p> <ul> <li>ECR (<code>ecr.api</code>, <code>ecr.dkr</code>)</li> <li>S3 (Gateway)</li> <li>EC2 </li> <li>STS </li> <li>CloudWatch Logs</li> </ul> <p>If you enable a private cluster with eksctl (<code>privateCluster.enabled</code>), these endpoints will be created automatically. </p> <p>In this case, I had a requirement to use a VPC already connected via Direct Connect, so skip endpoint creation with <code>privateCluster.skipEndpointCreation</code> to use the existing VPC and endpoints.</p> <p><strong>NOTE:</strong> if you specify an existing VPC, eksctl will edit the route table.</p> <p>However, if the subnet is associated with the main route table, eksctl will not edit the route table and will fail to create the cluster. Therefore, it is necessary to create and associate a route table explicitly.</p> <p>eksctl communicates with the AWS API via a proxy server. However, communication to private EKS cluster endpoints does not use a proxy server, so the following environment variable should be set.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">https_proxy</span><span class="o">=</span>http://xxx.xxx.xxx.xxx:yyyy <span class="nb">export </span><span class="nv">no_proxy</span><span class="o">=</span>.eks.amazonaws.com </code></pre> </div> <p>The following command creates a cluster. Creating a private cluster takes longer than creating a regular cluster. This configuration took about 22 minutes, but if you are creating VPC or VPC endpoints, it will take even longer, so adjust the timeout value.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>eksctl create cluster <span class="nt">--timeout</span> 30m <span class="nt">-f</span> private-cluster.yaml </code></pre> </div> <h2> Register Managed Node Groups </h2> <p>Add UserData to the launch template used by the managed node group and configure the Docker daemon to use a proxy.</p> <p>This template is based on the following blog.</p> <p><a href="https://yomon.hatenablog.com/entry/2020/10/eks_docker_inside_proxy#%E3%83%9E%E3%83%8D%E3%83%BC%E3%82%B8%E3%83%89%E5%9E%8B%E3%83%8E%E3%83%BC%E3%83%89%E3%82%B0%E3%83%AB%E3%83%BC%E3%83%97%E3%81%ABProxy%E8%A8%AD%E5%AE%9A" rel="noopener noreferrer">https://yomon.hatenablog.com/entry/2020/10/eks_docker_inside_proxy#%E3%83%9E%E3%83%8D%E3%83%BC%E3%82%B8%E3%83%89%E5%9E%8B%E3%83%8E%E3%83%BC%E3%83%89%E3%82%B0%E3%83%AB%E3%83%BC%E3%83%97%E3%81%ABProxy%E8%A8%AD%E5%AE%9A</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">ClusterIp</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">ProxyIP</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">ProxyPort</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">SshKeyPairName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">EKSManagedNodeInPrivateNetworkLaunchTemplate</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::LaunchTemplate</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">LaunchTemplateName</span><span class="pi">:</span> <span class="s">eks-managednodes-in-private-network</span> <span class="na">LaunchTemplateData</span><span class="pi">:</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="s">t3.small</span> <span class="na">KeyName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SshKeyPairName</span> <span class="na">TagSpecifications</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ResourceType</span><span class="pi">:</span> <span class="s">instance</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">actions-runner-nodegroup</span> <span class="pi">-</span> <span class="na">ResourceType</span><span class="pi">:</span> <span class="s">volume</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">actions-runner-nodegroup</span> <span class="na">UserData</span><span class="pi">:</span> <span class="kt">!Base64</span> <span class="s2">"</span><span class="s">Fn::Sub"</span><span class="err">:</span> <span class="pi">|</span> <span class="s">Content-Type: multipart/mixed; boundary="==BOUNDARY=="</span> <span class="s">MIME-Version: 1.0</span> <span class="s">--==BOUNDARY==</span> <span class="s">Content-Type: text/cloud-boothook; charset="us-ascii"</span> <span class="s">#Set the proxy hostname and port</span> <span class="s">PROXY=${ProxyIP}:${ProxyPort}</span> <span class="s">MAC=$(curl -s http://169.254.169.254/latest/meta-data/mac/)</span> <span class="s">VPC_CIDR=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/vpc-ipv4-cidr-blocks | xargs | tr ' ' ',')</span> <span class="s">#Create the docker systemd directory</span> <span class="s">mkdir -p /etc/systemd/system/docker.service.d</span> <span class="s">#Configure docker with the proxy</span> <span class="s">cloud-init-per instance docker_proxy_config tee &lt;&lt;EOF /etc/systemd/system/docker.service.d/http-proxy.conf &gt;/dev/null</span> <span class="s">[Service]</span> <span class="s">Environment="HTTP_PROXY=http://$PROXY"</span> <span class="s">Environment="HTTPS_PROXY=http://$PROXY"</span> <span class="s">Environment="NO_PROXY=${ClusterIp},$VPC_CIDR,localhost,127.0.0.1,169.254.169.254,.internal,s3.amazonaws.com,.s3.ap-northeast-1.amazonaws.com,api.ecr.ap-northeast-1.amazonaws.com,dkr.ecr.ap-northeast-1.amazonaws.com,ec2.ap-northeast-1.amazonaws.com,ap-northeast-1.eks.amazonaws.com"</span> <span class="s">EOF</span> <span class="s">#Reload the daemon and restart docker to reflect proxy configuration at launch of instance</span> <span class="s">cloud-init-per instance reload_daemon systemctl daemon-reload </span> <span class="s">cloud-init-per instance enable_docker systemctl enable --now --no-block docker</span> <span class="s">--==BOUNDARY==</span> </code></pre> </div> <p>After creating the launch template, create a Managed Node Group with the following config file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">eksctl.io/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">actions-runner</span> <span class="na">region</span><span class="pi">:</span> <span class="s">ap-northeast-1</span> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">t3s-proxy</span> <span class="na">desiredCapacity</span><span class="pi">:</span> <span class="m">1</span> <span class="na">privateNetworking</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">launchTemplate</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s">lt-xxxxxxxxxxxxxxxxx</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> </code></pre> </div> <p>Run <code>create nodegroup</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>eksctl create nodegroup <span class="nt">-f</span> nodegroup.yaml </code></pre> </div> <h2> Installing actions-runner-controller </h2> <p>actions-runner-controller uses cert-manager to manage certificates for Admission Webhooks, so it must be installed in advance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml </code></pre> </div> <p>To use actions-runner-controller in a proxy environment, it is necessary to configure the proxy server information in the following three locations.</p> <ol> <li>manager container of controller-manager</li> <li>runner container of RunnerDeployment</li> <li>sidecar (dind) container of RunnerDeployment</li> </ol> <p>I deployed actions-runner-controller with kubectl this time.</p> <p><code>1</code> sets the https_proxy environment variable to the Deployment definition of controller-manager.<br> <code>2</code> and <code>3</code> set the https_proxy environment variable to the definition of RunnerDeployment.</p> <p>Edit the manifest file of actions-runner-controller as follows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="p">33836 spec: 33837 containers: 33838 - args: 33839 - --metrics-addr=127.0.0.1:8080 33840 - --enable-leader-election 33841 command: 33842 - /manager 31843 env: 31844 - name: GITHUB_TOKEN 31845 valueFrom: 31846 secretKeyRef: 31847 key: github_token 31848 name: controller-manager 31849 optional: true 31850 - name: GITHUB_APP_ID 31851 valueFrom: 31852 secretKeyRef: 31853 key: github_app_id 31854 name: controller-manager 31855 optional: true 31856 - name: GITHUB_APP_INSTALLATION_ID 31857 valueFrom: 31858 secretKeyRef: 31859 key: github_app_installation_id 31860 name: controller-manager 31861 optional: true 31862 - name: GITHUB_APP_PRIVATE_KEY 31863 value: /etc/actions-runner-controller/github_app_private_key </span><span class="gi">+ 31864 - name: http_proxy + 31865 value: "http://xxx.xxx.xxx.xxx:xxxx" + 31866 - name: https_proxy + 31867 value: "http://xxx.xxx.xxx.xxx:xxxx" + 31868 - name: no_proxy + 31869 value: "172.20.0.1,*.eks.amazonaws.com" </span><span class="p">31870 image: summerwind/actions-runner-controller:v0.22.3 31871 name: manager </span></code></pre> </div> <p>Run <code>kubectl create</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> actions-runners-controller.yaml </code></pre> </div> <p><strong>NOTE:</strong> Due to a known issue with Kubernetes, we must use <code>create</code> (or <code>replace</code> when updating) instead of <code>apply</code>.</p> <p><a href="https://github.com/actions-runner-controller/actions-runner-controller/issues/1317" rel="noopener noreferrer">https://github.com/actions-runner-controller/actions-runner-controller/issues/1317</a></p> <p>GitHub API can be authenticated using the GitHub App or Personal Access Token (PAT).</p> <p>In this case, we use PAT authentication. Set the appropriate scope for the token depending on the type of runner and create a secret.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic controller-manager <span class="se">\</span> <span class="nt">-n</span> actions-runner-system <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">github_token</span><span class="o">=</span><span class="k">${</span><span class="nv">GITHUB_TOKEN</span><span class="k">}</span> </code></pre> </div> <p><strong>NOTE:</strong> PAT must be pre-authorized before accessing an Organization with SAML SSO configured.</p> <p><a href="https://docs.github.com/ja/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on" rel="noopener noreferrer">https://docs.github.com/ja/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on</a></p> <p>RunnerDeployment is defined below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">actions.summerwind.dev/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RunnerDeployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">runner-deploy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">enterprise</span><span class="pi">:</span> <span class="s">&lt;enterprise-name&gt;</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">runner-container</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">RUNNER_FEATURE_FLAG_EPHEMERAL</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http_proxy</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://xxx.xxx.xxx.xxx:yyyy"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https_proxy</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://xxx.xxx.xxx.xxx:yyyy"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">no_proxy</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.20.0.1,10.1.2.0/24,*.eks.amazonaws.com"</span> <span class="na">dockerEnv</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http_proxy</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://xxx.xxx.xxx.xxx:yyyy"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https_proxy</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://xxx.xxx.xxx.xxx:yyyy"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">no_proxy</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.20.0.1,10.1.2.0/24,*.eks.amazonaws.com"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">actions.summerwind.dev/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HorizontalRunnerAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">runner-deployment-autoscaler</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">scaleDownDelaySecondsAfterScaleOut</span><span class="pi">:</span> <span class="m">300</span> <span class="na">scaleTargetRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">runner-deploy</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">PercentageRunnersBusy</span> <span class="na">scaleUpThreshold</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0.75'</span> <span class="na">scaleDownThreshold</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0.25'</span> <span class="na">scaleUpFactor</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2'</span> <span class="na">scaleDownFactor</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0.5'</span> </code></pre> </div> <p>When a container is used in a GitHub Actions job, the docker container for dind, launched as a RunnerDeployment sidecar, is used. Specify dockerEnv so that this dind container can perform image pulls.</p> <p>After deployment, confirm that the pod is successfully started and is visible from GitHub.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> RunnerDeployment.yaml <span class="nv">$ </span>kubectl get pod NAME READY STATUS RESTARTS AGE pod/runner-deploy-xxxxx-xxxxx 2/2 Running 0 53s </code></pre> </div> <p>If controller-manager does not start properly, check the settings in <code>1</code> or GitHub; if Runner does not start properly, check the settings in <code>2</code> or <code>3</code>.</p> aws kubernetes amazoneks githubaction Differences between Amazon ECR and Inspector image scanning capabilities hayao-k Thu, 27 Jan 2022 14:42:16 +0000 https://dev.to/aws-builders/differences-between-amazon-ecr-and-inspector-image-scanning-capabilities-3hej https://dev.to/aws-builders/differences-between-amazon-ecr-and-inspector-image-scanning-capabilities-3hej <h2> Introduction </h2> <p>At AWS re:Invent 2021, the vulnerability management service Amazon Inspector was redesigned and released as the all-new Amazon Inspector (v2). The new Inspector not only scans EC2 but also scans container images stored in Amazon ECR.</p> <p><strong>Improved, Automated Vulnerability Management for Cloud Workloads with a New Amazon Inspector</strong><br> <a href="https://aws.amazon.com/jp/blogs/aws/improved-automated-vulnerability-management-for-cloud-workloads-with-a-new-amazon-inspector/" rel="noopener noreferrer">https://aws.amazon.com/jp/blogs/aws/improved-automated-vulnerability-management-for-cloud-workloads-with-a-new-amazon-inspector/</a></p> <h2> Differences </h2> <p>With the introduction of image scanning by Inspector, the ECR scanning function is now called Basic scanning, while the Inspector scanning function is called Enhanced scanning. The main differences between Basic scanning and Enhanced scanning are as follows.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Basic scanning</th> <th>Enhanced scanning</th> </tr> </thead> <tbody> <tr> <td>Vulnerability Detection Target</td> <td>OS packages only</td> <td>OS and programming language packages</td> </tr> <tr> <td>Vulnerability Detection Timing</td> <td>When the image is pushed</td> <td>When vulnerabilities occur</td> </tr> <tr> <td>Pricing</td> <td>Free</td> <td>Not free</td> </tr> <tr> <td>Amazon EventBrdige Integration</td> <td>Yes (Scan result summary only)</td> <td>yes</td> </tr> <tr> <td>AWS Security Hub Integration</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>AWS Organizations Integration</td> <td>No</td> <td>Yes</td> </tr> </tbody> </table></div> <h3> Vulnerability Detection Target </h3> <p>Basic scanning provides a scan using the CVE database of the open-source Clair project. Only OS packages are targeted for vulnerability detection.</p> <p>Enhanced scanning is capable of detecting vulnerabilities in programming language packages in addition to OS packages. Supported programming languages are as follows.</p> <ul> <li>C#</li> <li>Golang</li> <li>Java</li> <li>JavaScript</li> <li>PHP</li> <li>Python</li> <li>Ruby</li> <li>Rust</li> </ul> <blockquote> <p><a href="https://docs.aws.amazon.com/inspector/latest/user/supported.html" rel="noopener noreferrer">Supported operating systems and programming languages</a></p> </blockquote> <h3> Vulnerability Detection Timing </h3> <p>Basic scanning can be triggered when an image is pushed (Scan on push) or manually. Manual scans are limited to once every 24 hours for each image.</p> <p>For Enhanced scanning, continuous scans can be used for repositories. Continuous scanning automatically scans whenever an image is pushed and whenever the Amazon Inspector vulnerability database is updated. This means that vulnerabilities can be detected at about the same time as vulnerability information is updated.</p> <p>For Enhanced scanning, you can define whether you want to enable continuous scanning or only scan on push in the repository name scan filter. Manual scan execution is not possible with Enhanced scanning.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--pK-cyqUh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643262223990/O0VnIJyA-.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--pK-cyqUh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643262223990/O0VnIJyA-.png" alt="image.png" width="800" height="629"></a></p> <h3> Pricing </h3> <p>Basic scanning is free of charge, but Enhanced scanning is a paid feature, with the following monthly fees for the Tokyo region as of 12/2021</p> <ul> <li>Per first container image scanned during a push to ECR: $0.11</li> <li>Number of Continuous scans for a container image: $0.01 per scan</li> </ul> <blockquote> <p>Pricing page: <a href="https://aws.amazon.com/inspector/pricing/" rel="noopener noreferrer">https://aws.amazon.com/inspector/pricing/</a></p> </blockquote> <h3> Integration with Amazon EventBridge </h3> <p>When Basic scanning is complete, an event is sent to EventBridge, and you can get a summary of the scan results.</p> <blockquote> <p><a href="https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html" rel="noopener noreferrer">Amazon ECR events and EventBridge</a></p> </blockquote> <p>Enhanced scanning is enabled, the following events are sent to EventBridge.</p> <ul> <li>Event for a repository scan frequency change</li> <li>Event for an initial image scan (equivalent to a Basic scanning)</li> <li>Event for an image scan finding update (created, updated, closed) </li> </ul> <p>Enhanced scanning differs from Basic scanning in that an event is issued each time a vulnerability is found. For more details, please refer to the following document.</p> <blockquote> <p><a href="https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html#image-scanning-enhanced-events" rel="noopener noreferrer">Enhanced scanning</a></p> </blockquote> <h3> Integration with AWS Security Hub </h3> <p>In environments where AWS Security Hub is enabled, integration with Amazon Inspector is also automatically enabled. Vulnerabilities discovered by Enhanced scanning are automatically sent to AWS Security Hub and can be included in existing security operations workflows.</p> <blockquote> <p><a href="https://docs.aws.amazon.com/inspector/latest/user/securityhub-integration.html" rel="noopener noreferrer">Integration with AWS Security Hub</a></p> </blockquote> <h3> AWS Organizations support </h3> <p>New Amazon Inspector also supports integration with AWS Organizations. Delegated administrator accounts can enable EC2 scans and ECR scans (Enhanced scanning) for all member accounts in an organization to manage vulnerabilities. It also supports the automatic activation of new accounts added to the organization.</p> <blockquote> <p><a href="https://docs.aws.amazon.com/inspector/latest/user/adding-member-accounts.html" rel="noopener noreferrer">Enabling scans for member accounts</a></p> </blockquote> <h2> Points to note when using Enhanced scanning </h2> <h3> Manually scanning cannot be performed </h3> <p>Manually scanning cannot be performed in an environment with Enhanced scanning enabled.</p> <h3> Per-repository scan settings deprecated </h3> <p>Setting up a repository-level image scan has been deprecated. The use of scan filters is recommended even when using Basic scanning. The scan filter settings will take precedence if the repository-level and the registry scan filters are set. Continuous Scan setting for Enhanced Scanning can only be specified in the scan filter.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--OGSKCYpy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643265515196/iWL-wqc7I.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--OGSKCYpy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643265515196/iWL-wqc7I.png" alt="image.png" width="800" height="282"></a></p> <h3> Continuous scanning is available up to 30 days after the image is pushed </h3> <p>When a continuous scan is configured, the image will be scanned for 30 days after being pushed to the repository. If the image has not been updated in the last 30 days, the continuous scan for that image will be paused.</p> <h3> Basic scanning cannot be used together </h3> <p>The scan settings are for the entire registry. It is not possible to switch the scan type for each repository. Also, if you enable Enhanced scanning, you will not see the results of previous Basic scanning in the console.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--O0dlHMhm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273279763/KvagriZ9mn.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--O0dlHMhm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273279763/KvagriZ9mn.png" alt="image.png" width="800" height="266"></a></p> <p>The results are not lost, and you can refer to them again by changing the scan type back to Basic scanning.</p> <h2> Try Enhanced scanning </h2> <h3> Settings </h3> <p>From the Private registry in the Amazon ECR console, click Edit for Scanning.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--dPIrgF0j--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273468452/beZAMBm1B.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--dPIrgF0j--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273468452/beZAMBm1B.png" alt="image.png" width="800" height="612"></a></p> <p>Select Enhanced scanning as the scan type. Note that this is a setting for the registry, so it cannot be used in conjunction with the basic scan. For both continuous scan and scan on push, you can use scan filters to narrow down the repositories to be scanned. In this example, we set the filter to target repository names starting with test/, but you can also target all repositories.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Wv2hcR-d--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273602676/22PqR5uMg.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Wv2hcR-d--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273602676/22PqR5uMg.png" alt="image.png" width="800" height="862"></a></p> <p>Click Confirm when you see a message about additional charges for Enhanced scanning.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BPRb9hr9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273670850/ofdoYBqa2J.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BPRb9hr9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273670850/ofdoYBqa2J.png" alt="image.png" width="800" height="330"></a></p> <p>Make sure that the scan settings have changed from Basic to Enhanced version.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--iWp7fiS5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273773662/KLyugvvfI.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iWp7fiS5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273773662/KLyugvvfI.png" alt="image.png" width="800" height="258"></a></p> <p>If you check the Account management page of the new Inspector console, you will see that ECR container scanning is Enabled.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--AgB2wSvm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273825663/4ZeOn_B0y.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--AgB2wSvm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643273825663/4ZeOn_B0y.png" alt="image.png" width="800" height="238"></a></p> <p>You can also check the coverage of repositories that have Enhanced scanning enabled in the Inspector dashboard. Four repositories in this environment had "scan on push" enabled in Basic scanning, so it has been carried over. Since the per-repository image scan setting has been deprecated, it is preferable to disable and use scan filters to manage the coverage.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--YTVaeHpc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643274977315/8rROpeINY-.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--YTVaeHpc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643274977315/8rROpeINY-.png" alt="image.png" width="800" height="233"></a></p> <h3> Operation check </h3> <p>Let's push the image. Since Enhanced scanning can detect language-specific vulnerabilities, I used a container image of a Java application. Enter the repository name to match the scan filter you have just set.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ZUQ48YaW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275111607/AbsqNENH-.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ZUQ48YaW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275111607/AbsqNENH-.png" alt="image.png" width="800" height="628"></a></p> <p>You will see that the scan frequency for the created repository is set to Continuous.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sPLLRG6G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275157623/uzj19Jgzb.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sPLLRG6G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275157623/uzj19Jgzb.png" alt="image.png" width="800" height="181"></a></p> <p>I pushed an image containing an old Java application for testing to detect the vulnerability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws ecr get-login-password | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com Login Succeeded <span class="nv">$ </span>docker tag <span class="nb">test</span>/java-sample-app:v1.1.0 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app:v1.1.0 <span class="nv">$ </span>docker push 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app:v1.1.0 The push refers to repository <span class="o">[</span>123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app] c5baabd61e59: Pushed 88e64033fc7f: Pushed 0466be121ce3: Pushed b87942114db6: Pushed v1.1.0: digest: sha256:69a58fe6b25d21015da0f170ffa6934f2ec2827562238ecbde902ldkgi2d082b size: 1165 </code></pre> </div> <p>If you check the Inspector console, you will see that it detects quite many vulnerabilities.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CrPKxFlm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275275589/ljSJCQuEe.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CrPKxFlm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275275589/ljSJCQuEe.png" alt="image.png" width="800" height="402"></a></p> <p>Let's look at one of the critical vulnerabilities from All Findings. We are detecting a vulnerability in Jackson, a library for processing JSON in Java. Basic scanning does not detect vulnerabilities in programming language packages such as this.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yjdU9JXY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275443774/dt8ILsUha.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yjdU9JXY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275443774/dt8ILsUha.png" alt="image.png" width="800" height="384"></a></p> <p>The results were also linked to Security Hub.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yDyslDrq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275482845/YVtKPHGQx.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yDyslDrq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.hashnode.com/res/hashnode/image/upload/v1643275482845/YVtKPHGQx.png" alt="image.png" width="800" height="269"></a></p> <h3> Enhanced scanning be performed on an existing image? </h3> <p>When I enabled Enhanced Scanning, I noticed that the initial scan is also performed on some images stored in the existing repository. As far as I can tell, the initial scan will be performed on the stored images if the following conditions are met.</p> <ul> <li>The repository is the target of a continuous scan</li> <li>The image has been pushed within 30 days</li> </ul> <h2> Official Documents </h2> <ul> <li><a href="https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html" rel="noopener noreferrer">Image scanning</a></li> <li><a href="https://docs.aws.amazon.com/inspector/latest/user/enable-disable-scanning-ecr.html" rel="noopener noreferrer">Scanning Amazon ECR container images with Amazon Inspector</a></li> </ul> aws docker security ecr