The latest articles on DEV Community by Lucas Maltempi Monfardine (@monfardinel). https://dev.to/monfardinel https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F393811%2Fa694b272-2b72-48fd-a7b7-6f12d0516705.png https://dev.to/monfardinel en Lucas Maltempi Monfardine Tue, 23 Apr 2024 10:55:29 +0000 https://dev.to/monfardinel/configuring-eslint-for-aws-cdk-on-vscode-1lgf https://dev.to/monfardinel/configuring-eslint-for-aws-cdk-on-vscode-1lgf <p>If you, like me, landed on AWS-CDK from the flying world of Terraform and has a good taste for well-indented files, one of the first things you will notice is that for working with TypeScript, keeping your files looking clean and beauty is not as simple as installing a single VSCode plugin.<br> Wanna change that? Follow along.</p> <h2> Assumptions </h2> <p>The guide below assumes that you have already:</p> <ul> <li>VSCode installed</li> <li>Node installed</li> <li>NPM installed</li> <li>A CDK TypeScript project bootstraped</li> </ul> <h2> Project dependencies </h2> <p>Install ESLint packages<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-D</span> eslint-config-love </code></pre> </div> <p>Then, run the init config for ESLint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx eslint <span class="nt">--init</span> </code></pre> </div> <p>It will ask you a couple of questions (pay attention to the browser/node one, as this allows you to pick both), ask you to install some dependencies, which you can confirm and finally genereate a <code>esling.config.mjs</code> file.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3t6ro5jwutl31fllp24l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3t6ro5jwutl31fllp24l.png" alt="ESLint Init Config" width="800" height="489"></a></p> <p>The <code>esling.config.mjs</code> file can be adjusted later.</p> <h2> VSCode Extension </h2> <p>In VSCode Extensions marketplace, install the ESLint extension:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6nftiwxtfu40jss2agh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6nftiwxtfu40jss2agh.png" alt="ESLint extension" width="800" height="225"></a></p> <h2> Customizing ESLint config </h2> <p>It takes some effort to put all the available settings of ESLint in place and get a decent result. You can check <br> <a href="https://github.com/mightyiam/eslint-config-love" rel="noopener noreferrer">eslint-config-love</a> for detailed instructions on how to create settings that match your needs.</p> <p>Or you can make use of the example below that has already some formatting standards setup and apply your changes as you identify them. Just save the content of this file into your <code>esling.config.mjs</code> and see what happens.</p> <p>For this to work, install some aditiona NPM packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-D</span> @stylistic/eslint-plugin @typescript-eslint/eslint-plugin @typescript-eslint/parser eslint-plugin-import eslint-import-resolver-typescript </code></pre> </div> <p><strong>Important note:</strong> as my CDK code usually stays on "infrastrusture" folder, extra parameter <code>tsconfigRootDir</code> is necessary to tell linter where to find <code>tsconfig.json</code> file. Else, linter won't be able to find the imports.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">import</span><span class="w"> </span><span class="err">stylisticPlugin</span><span class="w"> </span><span class="err">from</span><span class="w"> </span><span class="err">'@stylistic/eslint-plugin';</span><span class="w"> </span><span class="err">import</span><span class="w"> </span><span class="err">typescriptPlugin</span><span class="w"> </span><span class="err">from</span><span class="w"> </span><span class="err">'@typescript-eslint/eslint-plugin';</span><span class="w"> </span><span class="err">import</span><span class="w"> </span><span class="err">typescriptParser</span><span class="w"> </span><span class="err">from</span><span class="w"> </span><span class="err">'@typescript-eslint/parser';</span><span class="w"> </span><span class="err">import</span><span class="w"> </span><span class="err">importPlugin</span><span class="w"> </span><span class="err">from</span><span class="w"> </span><span class="err">'eslint-plugin-import';</span><span class="w"> </span><span class="err">import</span><span class="w"> </span><span class="err">globals</span><span class="w"> </span><span class="err">from</span><span class="w"> </span><span class="err">'globals';</span><span class="w"> </span><span class="err">export</span><span class="w"> </span><span class="err">default</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">ignores:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">'*.js'</span><span class="p">,</span><span class="w"> </span><span class="err">'!.projenrc.js'</span><span class="p">,</span><span class="w"> </span><span class="err">'*.d.ts'</span><span class="p">,</span><span class="w"> </span><span class="err">'node_modules/'</span><span class="p">,</span><span class="w"> </span><span class="err">'*.generated.ts'</span><span class="p">,</span><span class="w"> </span><span class="err">'coverage'</span><span class="p">,</span><span class="w"> </span><span class="err">'!.projenrc.ts'</span><span class="p">,</span><span class="w"> </span><span class="err">'!projenrc/**/*.ts'</span><span class="p">,</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">files:</span><span class="w"> </span><span class="p">[</span><span class="err">'**/*.</span><span class="p">{</span><span class="err">js</span><span class="p">,</span><span class="err">ts</span><span class="p">}</span><span class="err">'</span><span class="p">],</span><span class="w"> </span><span class="err">languageOptions:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">parser:</span><span class="w"> </span><span class="err">typescriptParser</span><span class="p">,</span><span class="w"> </span><span class="err">parserOptions:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">ecmaVersion:</span><span class="w"> </span><span class="mi">2020</span><span class="p">,</span><span class="w"> </span><span class="err">sourceType:</span><span class="w"> </span><span class="err">'module'</span><span class="p">,</span><span class="w"> </span><span class="err">project:</span><span class="w"> </span><span class="err">'./tsconfig.json'</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">globals:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...globals.jest</span><span class="p">,</span><span class="w"> </span><span class="err">...globals.node</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">plugins:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">'@typescript-eslint':</span><span class="w"> </span><span class="err">typescriptPlugin</span><span class="p">,</span><span class="w"> </span><span class="err">import:</span><span class="w"> </span><span class="err">importPlugin</span><span class="p">,</span><span class="w"> </span><span class="err">'@stylistic':</span><span class="w"> </span><span class="err">stylisticPlugin</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">settings:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">'import/parsers':</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">'@typescript-eslint/parser':</span><span class="w"> </span><span class="p">[</span><span class="err">'.ts'</span><span class="p">,</span><span class="w"> </span><span class="err">'.tsx'</span><span class="p">],</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">'import/resolver':</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">node:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="err">typescript:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">project:</span><span class="w"> </span><span class="err">'./tsconfig.json'</span><span class="p">,</span><span class="w"> </span><span class="err">alwaysTryTypes:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">rules:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">indent:</span><span class="w"> </span><span class="err">'off'</span><span class="p">,</span><span class="w"> </span><span class="err">'@/indent':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="p">],</span><span class="w"> </span><span class="err">quotes:</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'single'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">avoidEscape:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="err">'comma-dangle':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'always-multiline'</span><span class="p">],</span><span class="w"> </span><span class="err">'comma-spacing':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">before:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="err">after:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="err">'no-multi-spaces':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">ignoreEOLComments:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="err">'array-bracket-spacing':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'never'</span><span class="p">],</span><span class="w"> </span><span class="err">'array-bracket-newline':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'consistent'</span><span class="p">],</span><span class="w"> </span><span class="err">'object-curly-spacing':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'always'</span><span class="p">],</span><span class="w"> </span><span class="err">'object-curly-newline':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">multiline:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="err">consistent:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="err">'object-property-newline':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">allowAllPropertiesOnSameLine:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="err">'keyword-spacing':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'brace-style':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="mi">1</span><span class="err">tbs'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">allowSingleLine:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="err">'space-before-blocks':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">curly:</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'multi-line'</span><span class="p">,</span><span class="w"> </span><span class="err">'consistent'</span><span class="p">],</span><span class="w"> </span><span class="err">'@stylistic/member-delimiter-style':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">semi:</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'always'</span><span class="p">],</span><span class="w"> </span><span class="err">'max-len':</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">code:</span><span class="w"> </span><span class="mi">150</span><span class="p">,</span><span class="w"> </span><span class="err">ignoreUrls:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="err">ignoreStrings:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="err">ignoreTemplateLiterals:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="err">ignoreComments:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="err">ignoreRegExpLiterals:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="err">'quote-props':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'consistent-as-needed'</span><span class="p">],</span><span class="w"> </span><span class="err">'@typescript-eslint/no-require-imports':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'import/no-extraneous-dependencies':</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">devDependencies:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="err">optionalDependencies:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="err">peerDependencies:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="err">'import/no-unresolved':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'import/order':</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">'warn'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">groups:</span><span class="w"> </span><span class="p">[</span><span class="err">'builtin'</span><span class="p">,</span><span class="w"> </span><span class="err">'external'</span><span class="p">],</span><span class="w"> </span><span class="err">alphabetize:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">order:</span><span class="w"> </span><span class="err">'asc'</span><span class="p">,</span><span class="w"> </span><span class="err">caseInsensitive:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="err">'no-duplicate-imports':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'no-shadow':</span><span class="w"> </span><span class="err">'off'</span><span class="p">,</span><span class="w"> </span><span class="err">'@typescript-eslint/no-shadow':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'key-spacing':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'no-multiple-empty-lines':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'@typescript-eslint/no-floating-promises':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'no-return-await':</span><span class="w"> </span><span class="err">'off'</span><span class="p">,</span><span class="w"> </span><span class="err">'@typescript-eslint/return-await':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'no-trailing-spaces':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'dot-notation':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'no-bitwise':</span><span class="w"> </span><span class="p">[</span><span class="err">'error'</span><span class="p">],</span><span class="w"> </span><span class="err">'@typescript-eslint/member-ordering':</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">'error'</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">default:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">'public-static-field'</span><span class="p">,</span><span class="w"> </span><span class="err">'public-static-method'</span><span class="p">,</span><span class="w"> </span><span class="err">'protected-static-field'</span><span class="p">,</span><span class="w"> </span><span class="err">'protected-static-method'</span><span class="p">,</span><span class="w"> </span><span class="err">'private-static-field'</span><span class="p">,</span><span class="w"> </span><span class="err">'private-static-method'</span><span class="p">,</span><span class="w"> </span><span class="err">'field'</span><span class="p">,</span><span class="w"> </span><span class="err">'constructor'</span><span class="p">,</span><span class="w"> </span><span class="err">'method'</span><span class="p">,</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">files:</span><span class="w"> </span><span class="p">[</span><span class="err">'.projenrc.js'</span><span class="p">],</span><span class="w"> </span><span class="err">rules:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">'@typescript-eslint/no-require-imports':</span><span class="w"> </span><span class="err">'off'</span><span class="p">,</span><span class="w"> </span><span class="err">'import/no-extraneous-dependencies':</span><span class="w"> </span><span class="err">'off'</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">]</span><span class="err">;</span><span class="w"> </span></code></pre> </div> <h2> Running the linter </h2> <p>Include a script to run eslint in your<code>package.json</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"eslint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx eslint --ignore-pattern .ts,.tsx --fix --no-error-on-unmatched-pattern lib bin test"</span><span class="w"> </span></code></pre> </div> <p>After that, you can run <code>npm run eslint</code> for a list of files that don't match the pattern you defined. Happy coding.</p> typescript awscdk vscode eslint Lucas Maltempi Monfardine Tue, 16 Jan 2024 22:30:19 +0000 https://dev.to/monfardinel/encrypting-your-secrets-with-mozilla-sops-using-two-aws-kms-keys-1e3k https://dev.to/monfardinel/encrypting-your-secrets-with-mozilla-sops-using-two-aws-kms-keys-1e3k <p>This article can also be found on my <a href="https://github.com/monfardineL/dual-key-sops-encryption" rel="noopener noreferrer">GitHub</a>, along with Terraform code.</p> <h2> TL;DR </h2> <p>Just set two distinct KMS Keys ARN, comma separated, into the variable <code>SOPS_KMS_ARN</code> prior to using SOPS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">SOPS_KMS_ARN</span><span class="o">=</span><span class="s2">"arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e,arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d"</span> </code></pre> </div> <h2> Introduction </h2> <p>Sometimes pushing files to Git would be much easier than storing them in complex encryption management systems, but everyone knows it's not safe to push API Keys, passwords and private keys as plain text (neither base64) to Git, right?<br> To help on that mission, a very useful tool we can count on is Mozilla SOPS (read more below). And when you are working with multiple cloud accounts (like landing zone on AWS), or in different regions, you can include a extra layer of security by encrypting secrets with two distinct KMS keys. This way, if you ever lose access to one of your KMS keys, you will still be able to retrieve your secrets.</p> <h2> Mozilla SOPS </h2> <p><a href="https://github.com/getsops/sops" rel="noopener noreferrer">Mozilla SOPS</a> (Secrets OPerationS) is an open-source command-line tool for managing and storing secrets. It uses secure encryption methods to encrypt secrets at rest and decrypt them at runtime. SOPS supports a variety of key management systems, including AWS KMS, GCP KMS, Azure Key Vault, and PGP. It's particularly useful in a DevOps context where sensitive data like API keys, passwords, or certificates need to be securely managed and seamlessly integrated into application workflows.</p> <h2> Setting things up </h2> <p>This example uses Terraform to configure AWS KMS Keys with a policy that permits them to be accessible by other AWS accounts. The same can be done with CloudFormation, directly on AWS Console or even AWS CLI.</p> <p>Starting by the "root" account, the one that will store our "emergency" key, we gonna need:</p> <ul> <li>A KMS Key dedicated to SOPS </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"sops"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SOPS encryption KMS Key"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">10</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"sops"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/sops-key"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">sops</span><span class="p">.</span><span class="nx">key_id</span> <span class="p">}</span> </code></pre> </div> <ul> <li>And a policy that allows this key to be used by other accounts </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_kms_key_policy"</span> <span class="s2">"sops_kms_policy"</span> <span class="p">{</span> <span class="nx">key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">sops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Id</span> <span class="p">=</span> <span class="s2">"sops-kms-foreign-accounts"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"kms:*"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">principals</span> <span class="p">}</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"Enable other accounts IAM Users to use this key"</span> <span class="p">},</span> <span class="p">]</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>With the use of locals, we can concatenate multiple accounts, so if you have a Platform team managing accounts for your company, new accounts can be easily included there.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">principals</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">([</span><span class="s2">"arn:aws:iam::${var.accountID}:root"</span><span class="p">],</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">id</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_principals_acc_ids</span> <span class="err">:</span> <span class="s2">"arn:aws:iam::${id}:root"</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <p>Now we need a KMS Key in our main account, that don't need to be shared for this use case, and the standard code will work<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"sops"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SOPS encryption KMS Key"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">10</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"sops"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/sops-key"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">sops</span><span class="p">.</span><span class="nx">key_id</span> <span class="p">}</span> </code></pre> </div> <h2> Usage </h2> <p>Now that we have both keys created, getting their ARNs is the next step. In this approach, our KMS keys ARN have the same alias, being the <code>account ID</code> the only value that will change between them. So, assuming our Account A has the ID <code>123456789012</code> and our account B has the ID <code>012345678901</code>, our matching Keys would be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Account A: arn:aws:kms:eu-west-1:123456789012:alias/sops-key Account B: arn:aws:kms:eu-west-1:012345678901:alias/sops-key </code></pre> </div> <p>Next step is export both ARNs, comma-separated, as value of <code>SOPS_KMS_ARN</code> variable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">SOPS_KMS_ARN</span><span class="o">=</span>arn:aws:kms:eu-west-1:123456789012:alias/sops-key,arn:aws:kms:eu-west-1:012345678901:alias/sops-key </code></pre> </div> <p>Last, just run SOPS, specifying the file you want to create or edit. SOPS supports YAML and JSON, and will always encrypt the values, but not the keys in your file.<br> The following command creates a new file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sops example.yaml.enc </code></pre> </div> <p>And then we can store our values.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">some</span> <span class="pi">-</span> <span class="s">array</span> <span class="pi">-</span> <span class="s">elements</span> </code></pre> </div> <p>After closing the editor, our file will look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ENC[AES256_GCM,data:v8jQ=,iv:HBE=,aad:21c=,tag:gA==]</span> <span class="pi">-</span> <span class="s">ENC[AES256_GCM,data:X10=,iv:o8=,aad:CQ=,tag:Hw==]</span> <span class="pi">-</span> <span class="s">ENC[AES256_GCM,data:KN=,iv:160=,aad:fI4=,tag:tNw==]</span> <span class="na">sops</span><span class="pi">:</span> <span class="na">kms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">created_at</span><span class="pi">:</span> <span class="m">1441570389.775376</span> <span class="na">enc</span><span class="pi">:</span> <span class="s">CiC....Pm1Hm</span> <span class="na">arn</span><span class="pi">:</span> <span class="s">arn:aws:kms:eu-west-1:123456789012:alias/sops-key</span> <span class="pi">-</span> <span class="na">created_at</span><span class="pi">:</span> <span class="m">1441570391.925734</span> <span class="na">enc</span><span class="pi">:</span> <span class="s">Ci...awNx</span> <span class="na">arn</span><span class="pi">:</span> <span class="s">arn:aws:kms:eu-west-1:012345678901:alias/sops-key</span> </code></pre> </div> <p>And it will be ready to be pushed to your Git repository, with no risk to the integrity of the data. </p> <p>Hint: for fast decryption, you can use <code>-d</code> parameter and get the file contents printed into the console, or redirected to another file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sops <span class="nt">-d</span> example.yaml.enc <span class="o">&gt;</span> example.yaml </code></pre> </div> <h2> Protecting Terraform variables </h2> <p>Assuming we could have sensitive values in our Terraform variables, we can make use of SOPS to protect these variables, making them readable locally or in a pipeline only for users with access to our KMS Keys. To do that the first step is to convert our variables file from HCL to JSON, which is a file format supported by both Terraform and SOPS.<br><br> Once the values are stored as JSON, the procedure is the same as above.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sops variables/production.tfvars.json.enc </code></pre> </div> <p>With the decripted values, Terraform will accept them as input, just like the HCL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sops <span class="nt">-d</span> variables/production.tfvars.json.enc <span class="o">&gt;</span> variables/production.tfvars.json terraform plan <span class="nt">-var-file</span><span class="o">=</span>variables/production.tfvars.json <span class="nt">-out</span> tfplan </code></pre> </div> <h2> Tips </h2> <h3> Use VSCode as editor </h3> <p>SOPS supports many text editors to manipulate your secrets. If you are a lover of VSCode, the following command will bring it up as editor for the SOPS file you want to edit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">EDITOR</span><span class="o">=</span><span class="s2">"code --wait"</span> sops variables/production.tfvars.json.enc </code></pre> </div> <h3> Dynamic accounts </h3> <p>In my use cases, my Account A always tends to be static, but the ID for Account B usually changes. The code below can help getting the right account ID, along with the static one, in such case. The only requirements are AWS CLI, previous AWS authentication and the jq tool.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">SOPS_KMS_ARN</span><span class="o">=</span><span class="s2">"arn:aws:kms:eu-west-1:</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--output</span> json | jq <span class="s1">'.Account'</span> <span class="nt">-r</span><span class="si">)</span><span class="s2">:alias/sops-key,arn:aws:kms:eu-west-1:123456789012:alias/sops-key"</span> </code></pre> </div> <h3> hcl2json </h3> <p>If you have a big HCL file that you want to convert to JSON, <a href="https://github.com/tmccombs/hcl2json" rel="noopener noreferrer">hcl2json</a> may be the perfect tool to help you on that task.</p> sops terraform aws kms Lucas Maltempi Monfardine Thu, 11 Jan 2024 21:09:38 +0000 https://dev.to/monfardinel/redundant-site-to-site-ipsecvpn-between-aws-and-pfsense-539l https://dev.to/monfardinel/redundant-site-to-site-ipsecvpn-between-aws-and-pfsense-539l <p>Disclaimer: this article was published originally on Medium, in December 2021 and may not be 100% up to date.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63pucub9yv472gtvbfia.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63pucub9yv472gtvbfia.png" width="650" height="450"></a></p> <p>While setting up a IPSec tunnel between an AWS VPC and a pfSense gateway is simple at first look, there’s a little trick to make it work with both tunnels provided by AWS active at same time, working with VTI tunnels.</p> <p>Here’s a simple guide, if you ever need to connect your local network to a AWS VPC.</p> <h1> Part 1: Amazon side </h1> <p>First, let’s set things up on Amazon side. Go to VPC menu, then to Customer Gateways and Create Customer Gateway</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2iz4idnm8698esv719lh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2iz4idnm8698esv719lh.png" width="165" height="63"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F66jwsheabtpqnh13mqpk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F66jwsheabtpqnh13mqpk.png" width="192" height="175"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmb6gmj3491m8z37jxd36.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmb6gmj3491m8z37jxd36.png" width="257" height="72"></a></p> <p>On the new Customer Gateway screen, set a name for your gateway, choose Static Routing and insert your static public IP address (the one that will be used as gateway on your IPSec tunnel). Then, create the Customer Gateway.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz67xm5rwjmke2r44n1tm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz67xm5rwjmke2r44n1tm.png" width="800" height="313"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2u243vc6bc8ro9mpd098.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2u243vc6bc8ro9mpd098.png" width="800" height="191"></a></p> <p>You can check the State to make sure it’s available.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivrekqhpqk6aegm5lcns.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivrekqhpqk6aegm5lcns.png" width="800" height="64"></a></p> <p>Now, got to Virtual Private Gateways menu and create a new Virtual Private Gateway.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fskeudaxg36p5186w4po2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fskeudaxg36p5186w4po2.png" width="191" height="179"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejn76enl8nd94d689vw5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejn76enl8nd94d689vw5.png" width="" height=""></a></p> <p>Name tag field is optional, and for ASN, pick Amazon Default ASN.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5uymmpgyhzedmbgvyjyv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5uymmpgyhzedmbgvyjyv.png" width="800" height="164"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc53mt7r8ua8dglzbqai4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc53mt7r8ua8dglzbqai4.png" width="800" height="187"></a></p> <p>The Virtual Private Gateway will be created on a detached state.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff58afluu595zo81td1ty.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff58afluu595zo81td1ty.png" width="800" height="115"></a></p> <p>Then, select the Virtual Private Gateway you just created, go to the Actions menu and select Attach to VPC.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmh2jvxixrm7p6qjszh4b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmh2jvxixrm7p6qjszh4b.png" width="498" height="165"></a></p> <p>On the next screen, select the VPC you want to connect with your local network and click on Yes, Attach.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61nvkrkoso9y767944tc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61nvkrkoso9y767944tc.png" width="800" height="164"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvxrnn3ng9n00215762qn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvxrnn3ng9n00215762qn.png" width="783" height="168"></a></p> <p>After a while, it will change the state from attaching to attached.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvuv8o18a10mh35k11qs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvuv8o18a10mh35k11qs.png" width="501" height="169"></a></p> <p>Then, move to Site-to-Site VPN Connections and Create VPN Connection.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fznnbev1irhavoct5kiib.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fznnbev1irhavoct5kiib.png" width="192" height="177"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcd8sog5av9usvg0mc4ip.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcd8sog5av9usvg0mc4ip.png" width="527" height="128"></a></p> <p>For the new VPN Connection, choose a name and pick the previously created Virtual Private Gateway and Customer Gateway. On Static IP Prefixes insert each network on your local side that will need to be accessed by AWS resources.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn90atwnmu35pdd5cq9nh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn90atwnmu35pdd5cq9nh.png" width="794" height="850"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7lxag2no2h1lsk1png04.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7lxag2no2h1lsk1png04.png" width="800" height="434"></a></p> <p>Leave all the other options as default and then create the VPN Connection.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F75m36fsrir09p4cvyp3b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F75m36fsrir09p4cvyp3b.png" width="800" height="187"></a></p> <p>On the next screen it will appear as pending, and after a while, will change to available.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6lic8gyv8drfvwvjmh08.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6lic8gyv8drfvwvjmh08.png" width="671" height="82"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpx6ag5t980uz2undepkj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpx6ag5t980uz2undepkj.png" width="675" height="128"></a></p> <p>Select the connection, go to Tunne Details, save the network CIDRs in there, that will be used later.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbb2ch7vel3agfoyl6v45.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbb2ch7vel3agfoyl6v45.png" width="800" height="274"></a></p> <p>Go to Static Routes tab and check if your local network is there.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzz5xtvtxqsvoiqlodg85.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzz5xtvtxqsvoiqlodg85.png" width="542" height="228"></a></p> <p>At the top of the screen, click into Download Configuration button, choose pfSense and save the provided TXT that will be used on the next steps.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh7f8iu0pgcntm7158h4x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh7f8iu0pgcntm7158h4x.png" width="379" height="151"></a></p> <p>Still into AWS Console, go to Route Tables and find the Route Table in use by your VPC.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flsm6d14lh00zwszdcbbn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flsm6d14lh00zwszdcbbn.png" width="180" height="171"></a></p> <p>After selecting the proper Route Table, go to Route Propagation tab and click Edit route propagation. Check the Propagate box and save.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqgz3dr75hcpmm80arcj4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqgz3dr75hcpmm80arcj4.png" width="800" height="357"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fma9li1awt0xglax0l9t0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fma9li1awt0xglax0l9t0.png" width="582" height="164"></a></p> <p>Validate if the Propagate field changed to Yes on the previous screen.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frltpvgc2vtttoijcolqn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frltpvgc2vtttoijcolqn.png" width="471" height="144"></a></p> <p>Steps on Amazon are completed.</p> <h1> Part 2: pfSense side </h1> <ul> <li> Go to VPN &gt; IPSec &gt; Add P1 as you would normally do.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcata6pl4jvw7ewpah28u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcata6pl4jvw7ewpah28u.png" width="294" height="167"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fun9ihy4lm7mjgovwn345.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fun9ihy4lm7mjgovwn345.png" width="300" height="107"></a></p> <ul> <li> Use the instructions provided on the downloaded file to fill the P1 tunnel settings.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglu5iv0uqm3mwj8ym6ah.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglu5iv0uqm3mwj8ym6ah.png" width="766" height="422"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F69ygl8bhjrfcw658k18s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F69ygl8bhjrfcw658k18s.png" width="684" height="366"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1hpzmlpf8pnt82wqzy80.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1hpzmlpf8pnt82wqzy80.png" width="800" height="173"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpy8r6yjaggh4eauiw7ce.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpy8r6yjaggh4eauiw7ce.png" width="791" height="603"></a></p> <p>Save the settings matching what was provided and then Apply Changes on pfSense. P1 tunnels won’t be triggered until a P2 tunnel is set up.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxrj2folsrr9fez687nuv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxrj2folsrr9fez687nuv.png" width="800" height="104"></a></p> <p>To the next step, add a P2 tunnel:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft437j3futcodmczowgm1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft437j3futcodmczowgm1.png" width="186" height="83"></a></p> <p>Now, the trick:</p> <p>Instead of picking Tunnel IPv4, set mode as Routed (VTI). Now we gonna use the Tunnel IPs provided on the AWS console.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgyblkau1aekv4u29df4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgyblkau1aekv4u29df4.png" width="167" height="98"></a></p> <p>Since each block is a /30, IPs are distributed as follows:</p> <p>First IP: 169.254.43.192 — Network</p> <p>Second IP: 169.254.43.193 — Is used on AWS side</p> <p>Third IP: 169.254.43.194 — The one that should be used on pfSense</p> <p>Fourth IP: 169.254.43.195 — Broadcast</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe0rw0xezqxodkim80dpb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe0rw0xezqxodkim80dpb.png" width="800" height="248"></a></p> <p>Other settings are default as provided by AWS on the TXT file</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F713hw9s5jydcjmysxeo5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F713hw9s5jydcjmysxeo5.png" width="800" height="615"></a></p> <p>To keep the tunnel UP, set ping to the AWS side IP</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flj5dwxmp1inw9ickgoxx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flj5dwxmp1inw9ickgoxx.png" width="701" height="167"></a></p> <p>Repeat the same process for the second tunnel.</p> <p>Now, go to Interfaces &gt; Assignments</p> <p>There you’ll have two new virtual network ports that you must add as interface</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmss8th2d5h5mf8nx6e1d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmss8th2d5h5mf8nx6e1d.png" width="702" height="143"></a></p> <p>They will be created as new OPT interfaces, and must be renamed and enabled. It’s also a good idea to rename them to something related to the tunnel they belong to.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2l3y3zu24kjp16jzum6u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2l3y3zu24kjp16jzum6u.png" width="557" height="92"></a><br> <a href="https://miro.medium.com/v2/resize:fit:640/format:webp/1*I8SxP2H6FCdsHcfSoYotrQ.png" rel="noopener noreferrer">https://miro.medium.com/v2/resize:fit:640/format:webp/1*I8SxP2H6FCdsHcfSoYotrQ.png</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl96hmqeo3qw6mn16k4uf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl96hmqeo3qw6mn16k4uf.png" width="206" height="103"></a></p> <p>After a while both tunnels will be up. You can validate that on AWS console.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn7qin5c73z2w0lfa1962.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn7qin5c73z2w0lfa1962.png" width="583" height="138"></a></p> <p>For the last step, it’s important to set the routes on pfSense, so it will know how to reach private IPs on the other side of the tunnel. For that, go to System &gt; Routing</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgqurxji91j5ft5ic8mh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgqurxji91j5ft5ic8mh.png" width="162" height="306"></a></p> <p>Another important trick: to set routing, if your VPC has a CIRD /16 for example, one of the gateways will have the destination network matching the VPC IP and CIRD, and the second one will have two networks /17.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr2csr1kscib1gg2g47a3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr2csr1kscib1gg2g47a3.png" width="800" height="336"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0swyz9grlxhxym3pe280.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0swyz9grlxhxym3pe280.png" width="800" height="160"></a></p> <p>This way, the traffic will flow only through tunnel A. However, if it fails, it will be automatically routed through tunnel B.</p> <p>Don’t forget to create a firewall rule on IPSec if you don’t have it already</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fagctcmgyg030lazxlkjw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fagctcmgyg030lazxlkjw.png" width="781" height="174"></a></p> <p>And also don’t forget to set a security group to allow incoming connections to your AWS instances from your local network IPs.</p> networking vpn ipsec pfsense Lucas Maltempi Monfardine Wed, 10 Jan 2024 21:57:10 +0000 https://dev.to/monfardinel/okd4-integration-with-active-directory-f54 https://dev.to/monfardinel/okd4-integration-with-active-directory-f54 <p>Disclaimer: this article was published originally on Medium, in March 2021 and may not be 100% up to date.</p> <h2> Quick guide on integrating a OKD4 cluster to login with Active Directory </h2> <p>Before going to OKD, it’s better gather the following information:</p> <ul> <li> A dedicated AD service account (for binding purposes) with complete DN;</li> <li> Domain name or AD IP;</li> <li> Complete DN of a “control group” with users allowed to log in;</li> <li> Complete DN of groups you want to sync.</li> </ul> <p>Now to OKD: start by creating a secret for your LDAP Service Account password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>oc create secret generic ldap-secret --from-literal=bindPassword=&lt;LDAP SA password&gt; -n openshift-config </code></pre> </div> <p>Next, let’s update the cluster authentication methods. This YAML will change existing OAuth cluster settings existing on openshift-config namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: config.openshift.io/v1 kind: OAuth metadata: name: cluster namespace: openshift-config spec: identityProviders: - name: ldapidp mappingMethod: claim type: LDAP ldap: attributes: id: - sAMAccountName email: - mail name: - displayName preferredUsername: - cn bindDN: "CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com" bindPassword: name: ldap-secret insecure: true url: "ldap://&lt;ip-or-ad-domain&gt;:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(memberof=CN=okd-users,OU=groups,DC=domain,DC=com)" </code></pre> </div> <p>Fields to change:</p> <ul> <li> bindDN: replace with your LDAP Service Account complete DN</li> <li> URL: replace with your server and the OU where your users are located on LDAP server.</li> <li> The last part of the URL sets that only members of the group “okd-users” will be able to log-in. You can remove that if you want.</li> </ul> <p>Then apply the file you generated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>oc apply -f path/to/ldap-auth.yaml </code></pre> </div> <p>After applying, wait for the redeploy of authentication pods and you should be able to log in using your LDAP account.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnrqivl45eboyweolmm60.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnrqivl45eboyweolmm60.png" alt="OKD login screen will show ldapidp provider." width="763" height="288"></a></p> <h1> Group Sync </h1> <p>For the group sync, there’s two needed files: ldap-group-sync.yaml and whitelist.txt<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kind: LDAPSyncConfig apiVersion: v1 url: ldap://&lt;ip-or-ad-domain&gt;:389 insecure: true bindDN: CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com bindPassword: '&lt;AD Service Account Password&gt;' groupUIDNameMapping: "CN=okd-admins,OU=Groups,DC=domain,DC=com": okd-admins "CN=okd-project1-users,OU=Groups,DC=domain,DC=com": okd-project1-users augmentedActiveDirectory: groupsQuery: derefAliases: never pageSize: 0 groupUIDAttribute: dn groupNameAttributes: \[ cn \] usersQuery: baseDN: "OU=Users,DC=domain,DC=com" scope: sub derefAliases: never filter: (objectclass=person) pageSize: 0 userNameAttributes: \[ cn \] groupMembershipAttributes: \[ "memberOf:1.2.840.113556.1.4.1941:" \] </code></pre> </div> <p>Fields to change:</p> <ul> <li> URL: replace with your AD server IP or domain</li> <li> bindDN: replace with previously created service account</li> <li> bindPassword: the service account password</li> <li> groupUIDNameMapping: insert as many groups as you need</li> <li> baseDN: replace with baseDN of your AD users</li> </ul> <p>On the whitelist.txt file, insert the previously mentioned groups, one per line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CN=okd-admins,OU=Groups,DC=domain,DC=com CN=okd-project1-users,OU=Groups,DC=domain,DC=com </code></pre> </div> <p>After finishing the files edit, do a dry run to validade:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>oc adm groups sync --whitelist=whitelist.txt --sync-config=ldap-group-sync.yam </code></pre> </div> <p>If everything goes well, add the “confirm” flag to process the changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>oc adm groups sync --whitelist=whitelist.txt --sync-config=ldap-group-sync.yaml --confirm </code></pre> </div> <p>Check if your groups appeared on the console and then add the needed RoleBindings to them, accordingly:</p> <p>Binding cluster-admin role to okd-admins group.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzj9wam1munzvxtpw1xaq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzj9wam1munzvxtpw1xaq.png" alt="This step is done." width="800" height="286"></a></p> <h1> Group Sync automation </h1> <p>You could sync your groups manually whenever you need, or maybe schedule a cron in any host to do that. But there’s a cooler way. Let’s schedule a cronJob inside OKD cluster to constantly check for changes on your groups.</p> <p>Start by creating a project “ldap-sync” and a Cluster Role that will give the propper permissions for the job to complete the task:</p> <p>Create a file rbac-ldap-group-sync.yaml:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ldap-group-sync rules: \- apiGroups: - user.openshift.io resources: - groups verbs: - create - update - patch - delete - get - list </code></pre> </div> <p>Then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>oc apply rbac-ldap-group-sync.yaml </code></pre> </div> <p>Next, create the cronjob-ldap-group-sync.yaml:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: batch/v1beta1 kind: CronJob metadata: name: ldap-group-sync namespace: ldap-sync spec: schedule: '[@hourly](http://twitter.com/hourly)' suspend: false jobTemplate: spec: template: spec: template: metadata: creationTimestamp: null spec: restartPolicy: Never serviceAccountName: ldap-sync schedulerName: default-scheduler terminationGracePeriodSeconds: 30 securityContext: {} containers: - name: oc-cli image: registry.redhat.io/openshift4/ose-cli command: - /bin/oc - adm - groups - sync - '--whitelist=/ldap-sync/whitelist.txt' - '--sync-config=/ldap-sync/ldap\_group\_sync.yaml' - '--confirm' volumeMounts: - name: config readOnly: true mountPath: /ldap-sync/ serviceAccount: ldap-sync volumes: - name: config secret: secretName: ldap-sync defaultMode: 420 dnsPolicy: ClusterFirst </code></pre> </div> <p>And then create the task:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>oc apply -f cronjob-ldap-group-sync.yaml </code></pre> </div> <p>On OKD console you can see the history of events generated by the job.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5r10j4l2c761ubo8obnw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5r10j4l2c761ubo8obnw.png" width="800" height="361"></a></p> <p>Tips:</p> <ul> <li> You can change the schedule from ‘@hourly’ to any valid Linux cron expression.</li> <li> If you receive any errors on runnin the cron job, check if the serviceAccount line is present on the Cron Job in the OKD UI.</li> </ul> okd kubernetes ldap openshift Lucas Maltempi Monfardine Thu, 28 Dec 2023 13:31:15 +0000 https://dev.to/monfardinel/bamboo-the-worst-cicd-tool-i-ever-had-the-pleasure-to-work-with-dj6 https://dev.to/monfardinel/bamboo-the-worst-cicd-tool-i-ever-had-the-pleasure-to-work-with-dj6 <p>Being I a very experienced professional in automation area, with many years of knowledge in a vast majority of marketing leader CI/CD Tools, like Gitlab-CI (ok, Gitlab-CI, mostly), I've recently got challenged to build some pipelines using this fantastic Atlassian tool: Bamboo.<br> Why? Because that's what the company uses and pays for, and it's the one I'm allowed to use.<br> Below I'll present a few things that I've discovered regarding this <del>schizophrenic</del> wonderful tool.</p> <h2> GUI Editor </h2> <p>If you are a experienced DevOps, there's probably a feature you like a lot and miss in all those simple, lightweight, cool CLI tools. That's it: a Graphical User Interface. Well, fear no more. Atlassian has put a lot of effort into building a very fast, practical and beautiful way to graphically edit your pipelines directly on Bamboo web interface. This way you can configure your pipeline just by click-click-click, drag, and always be unsure if the outcome will be as expected.<br> The only good thing on that is: you can export your pipeline to YAML (or Java) after it's done.</p> <h2> Encrypted Secrets </h2> <p>If you are creating your pipeline directly in the UI, you can just paste sensitive data in the Variables menu rows, and if Bamboo thinks the data is sensitive, based in the name of the variable (it MUST contain "password", "passphrase", "secret" or "sshkey" in the name) it will automatically convert the value to a encrypted secret for you.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydra7b7eamt9j5bok4w1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydra7b7eamt9j5bok4w1.png" alt="Plan variables" width="800" height="149"></a><br> Now, if you are coding your pipeline (YAML, Java), what would be better than using the same variables menu and just inject the values in the runtime? Exactly: Put encoded values in your YAML. <br> Bamboo has a very unique system for <a href="https://confluence.atlassian.com/bamboo0902/bamboo-specs-encryption-1236932425.html" rel="noopener noreferrer">secrets encryption</a>, where you insert your original value and it will be converted to some hashed value that looks like a standard text concatenated to some base64. Don't fool yourself, the value is encrypted with a key unique to your server, and won't work in any other instance of Bamboo.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvjs98463m8umjiubsc2i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvjs98463m8umjiubsc2i.png" alt="Secret encryption" width="800" height="296"></a><br> Ok, now I can get this value and use anywhere I want on my YAML, right?<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fylrbqj7qzy89nfdyweqi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fylrbqj7qzy89nfdyweqi.png" alt="Right, Bamboo?" width="800" height="800"></a><br> Yeah, kinda. But you MUST follow the same rules applied to the UI. That means, if you define your variable like this, it will never be decrypted/usable.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftys7h7hgqepqnpnbtthz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftys7h7hgqepqnpnbtthz.png" alt="Won't work" width="713" height="69"></a><br> Now, if you just include <strong>secret</strong> in the name of the variable, you can see the magic happen in your pipeline.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F27rqou0sd28wtt9dl3dp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F27rqou0sd28wtt9dl3dp.png" alt="Will work" width="790" height="64"></a><br> Fantastic, isn't it?</p> <h2> Cache </h2> <p>Not much to write about this topic. If yo are building a CI pipeline, you want it to be as fast as it can. How can you save a lot of time from downloading dependencies everytime you run a build? Cache.<br> So, what about cache in Bamboo? It DOES-NOT-EXIST. Simply like that, nothing else to say.</p> <h2> Permission granularity </h2> <p>This may be a good feature, depending on the way you look. But listen:</p> <ul> <li>You have a project inside Bamboo. You gotta include users (or groups) and grant them permissions there.</li> <li>Then you have repositories, which are linked to your Git. And you gotta set permission to who can see the repositories you included in your project. And you have to also specify which users and groups can see each of the repositories you have included, despite having previously set permissions at project level.</li> <li>Now you get your project, and your repository, and you want to configure a plan. Guess what? Exactly. You have to set the same permissions again. Why? Well, somebody thought it was a good idea.</li> </ul> <h2> WIP </h2> bamboo cicd pipeline