DEV Community: Stephen Bawks The latest articles on DEV Community by Stephen Bawks (@stephenbawks). https://dev.to/stephenbawks https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F788288%2F5ed0317f-4397-4fc3-835a-c3c28eaeafed.png DEV Community: Stephen Bawks https://dev.to/stephenbawks en Transit Gateway Flow Logs Stephen Bawks Thu, 12 Oct 2023 18:26:24 +0000 https://dev.to/stephenbawks/transit-gateway-flow-logs-15ic https://dev.to/stephenbawks/transit-gateway-flow-logs-15ic <p>This one was not very well documented and I really struggled a little bit figuring this one out. Adding this to the collective internet intelligence in the hope that it will help someone out one day.... or just my future self (hello future self!). </p> <p>Adding Flow Logs to the AWS Transit Gateway was honestly easy enough to do. I pointed them to S3 and they started showing up. Easy done, nope. Querying the logs was a different story. Took me more than a day to get this all working the way I expected. </p> <p>Here is what I landed on<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">resource</span> <span class="s2">"aws_ec2_transit_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Super Awesome Transit Gateway"</span> <span class="nx">amazon_side_asn</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">amazon_side_asn</span> <span class="nx">dns_support</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">dns_support</span> <span class="nx">vpn_ecmp_support</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpn_ecmp_support</span> <span class="nx">default_route_table_association</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_route_table_association</span> <span class="nx">default_route_table_propagation</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_route_table_propagation</span> <span class="nx">auto_accept_shared_attachments</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">auto_accept_shared_attachments</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"flow_logs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"tgw-flow-logs-super-awesome-tgw"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_flow_log"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">log_destination</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">flow_logs</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">log_destination_type</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">traffic_type</span> <span class="p">=</span> <span class="s2">"ALL"</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">max_aggregation_interval</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">destination_options</span> <span class="p">{</span> <span class="nx">file_format</span> <span class="p">=</span> <span class="s2">"parquet"</span> <span class="nx">hive_compatible_partitions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">per_hour_partition</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You can see that I landed on <code>Parquet</code> being the output format and I ended up also turning on Hive Compatible partitions because it makes queries in Athena quite a bit more efficient. </p> <p>Getting to the important parts, which was correctly setting up Athena and the queries for it. Below is a continuation of the same Terraform module adding in the important bits for Athena.</p> <p>Created a bucket and then an Athena workgroup to save the queries and results.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"athena_output"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"athena-</span><span class="k">${</span><span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_athena_workgroup"</span> <span class="s2">"tgw_workgroup"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"TransitGatewayFlowLogs"</span> <span class="nx">configuration</span> <span class="p">{</span> <span class="nx">enforce_workgroup_configuration</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">publish_cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">result_configuration</span> <span class="p">{</span> <span class="nx">output_location</span> <span class="p">=</span> <span class="s2">"s3://</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">athena_output</span><span class="p">.</span><span class="nx">bucket</span><span class="k">}</span><span class="s2">/output/"</span> <span class="nx">encryption_configuration</span> <span class="p">{</span> <span class="nx">encryption_option</span> <span class="p">=</span> <span class="s2">"SSE_S3"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now we get to the juicy parts. Once again, below is also the same module but adding in the Athena queries. I have gone and created three different queries. </p> <ol> <li>Creating the Flow Logs table in Athena.</li> <li>Update the Metadata in the Athena Table for the correct Hive Table partitions for the Parquet format.</li> <li>Query the Flow Logs for a specific VPC ID to see what its talking to. This one you may want to tailor a bit to fit your needs so your mileage may vary. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_athena_named_query"</span> <span class="s2">"create_flow_table"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Create Flow Logs Table"</span> <span class="nx">workgroup</span> <span class="p">=</span> <span class="nx">aws_athena_workgroup</span><span class="p">.</span><span class="nx">tgw_workgroup</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Create the flow logs table in Athena"</span> <span class="nx">database</span> <span class="p">=</span> <span class="nx">aws_athena_database</span><span class="p">.</span><span class="nx">flow_logs</span><span class="p">.</span><span class="nx">name</span> <span class="nx">query</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOT</span><span class="sh"> CREATE EXTERNAL TABLE IF NOT EXISTS tgwflowlogs ( version int, resource_type string, account_id string, tgw_id string, tgw_attachment_id string, tgw_src_vpc_account_id string, tgw_dst_vpc_account_id string, tgw_src_vpc_id string, tgw_dst_vpc_id string, tgw_src_subnet_id string, tgw_dst_subnet_id string, tgw_src_eni string, tgw_dst_eni string, tgw_src_az_id string, tgw_dst_az_id string, tgw_pair_attachment_id string, srcaddr string, dstaddr string, srcpor int, dstport int, protocol bigint, packet bigint, bytes bigint, start bigint, `end` bigint, log_status string, type string, packets_lost_no_route bigint, packets_lost_blackhole bigint, packets_lost_mtu_exceeded bigint, packets_lost_ttl_expired bigint, tcp_flags int, region string, flow_direction string, pkt_src_aws_service string, pkt_dst_aws_service string ) PARTITIONED BY ( `aws-account-id` string, `aws-service` string, `aws-region` string, `year` string, `month` string, `day` string, `hour` string ) ROW FORMAT SERDE 'org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe' STORED AS INPUTFORMAT 'org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat' OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat' LOCATION 's3://${aws_s3_bucket.flow_logs.id}/AWSLogs/' TBLPROPERTIES ( 'EXTERNAL'='true', 'skip.header.line.count'='1' ) </span><span class="no"> EOT </span><span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_athena_named_query"</span> <span class="s2">"update_metadata"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Update Metadata in Catalog"</span> <span class="nx">workgroup</span> <span class="p">=</span> <span class="nx">aws_athena_workgroup</span><span class="p">.</span><span class="nx">tgw_workgroup</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Update the metadata in the catalog after you add Hive compatible partitions"</span> <span class="nx">database</span> <span class="p">=</span> <span class="nx">aws_athena_database</span><span class="p">.</span><span class="nx">flow_logs</span><span class="p">.</span><span class="nx">name</span> <span class="nx">query</span> <span class="p">=</span> <span class="s2">"MSCK REPAIR TABLE tgwflowlogs"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_athena_named_query"</span> <span class="s2">"vpc_query"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"VPC ID Query"</span> <span class="nx">workgroup</span> <span class="p">=</span> <span class="nx">aws_athena_workgroup</span><span class="p">.</span><span class="nx">tgw_workgroup</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Select the VPC ID, source IP address, destination IP address, and total bytes transferred for each flow log record."</span> <span class="nx">database</span> <span class="p">=</span> <span class="nx">aws_athena_database</span><span class="p">.</span><span class="nx">flow_logs</span><span class="p">.</span><span class="nx">name</span> <span class="nx">query</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOT</span><span class="sh"> SELECT tgw_src_vpc_id AS "VPC ID", srcaddr AS "Source Address", dstaddr AS "Destination Address", dstport as "Destination Port", SUM(bytes) AS "Total Bytes" FROM "${aws_athena_database.flow_logs.name}".tgwflowlogs WHERE tgw_src_vpc_id = 'replace-vpc-id-here' GROUP BY tgw_src_vpc_id, srcaddr, dstaddr, dstport LIMIT 100 </span><span class="no"> EOT </span><span class="p">}</span> </code></pre> </div> <p>Once you deploy this it will set up your TGW and attach the flow logs. Those logs will be outputted to the S3 bucket in Parquet format.</p> <p>You should be able to go into Athena and in the Query Editor, you will see the <code>Workgroup</code> dropdown menu where you can change that to be the workgroup that was created via the Terraform above. It is named <code>TransitGatewayFlowLogs</code> (assuming you did not change it).</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--X-1fhSLL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qbr6qehgt9o4sudugzah.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--X-1fhSLL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qbr6qehgt9o4sudugzah.png" alt="Athena Workgroup" width="800" height="97"></a></p> <p>Once you select that workgroup, you will then be able to go to the <code>Saved Queries</code> tab and see the three queries that were also created from the Terraform.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--b-9P_drQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/k1shj14ptv0mlube8n0z.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--b-9P_drQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/k1shj14ptv0mlube8n0z.png" alt="Athena Saved Queries" width="800" height="228"></a></p> <p>You should then select The <code>Create Flow Logs Table</code> and run that query. That will create the Athena table for you.</p> <p>Once you do that, go back to the Saved Queries and select the <code>Update Metadata in Catalog</code> and run that. That will make sure the table is set up correctly for the Parquet Hive partitions.</p> <p>After you do that, you can then load up the last saved query <code>VPC ID Query</code>. One important note about that last query. In there, I have placed a placeholder <code>replace-vpc-id-here</code> bit where you will want to put in a real VPC ID. </p> <p>Once you do that, you should be able to query the Transit Gateway Flow logs. </p> transitgateway aws flow logs VPC Layouts .... Easy Way Stephen Bawks Thu, 20 Apr 2023 11:53:35 +0000 https://dev.to/stephenbawks/vpc-layouts-easy-way-3kh6 https://dev.to/stephenbawks/vpc-layouts-easy-way-3kh6 <p>Choosing the "correct" AWS VPC layout can sometimes be pretty tricky. You cannot make many changes of any real value once you pick the size of your VPC and where you decide to break apart your subnets. On top of that, VPC layouts and subnetting can be difficult. </p> <p>I created something similar to this but with logic all built into a Terraform module. However, trying to put any complex logic in Terraform can be a test of will power and often feels like a square-peg-round-hole situation. Recently I was trying to update it with some additional logic to make it a little more flexible. There were a few curse words used, then finally I took a step back to ask myself if there could be a better way to do this. </p> <p>I present my solution and presenting it to you with the hope that it could help other people with their VPC design and layouts. I would love to get some feedback as well.</p> <h2> API Getting Started </h2> <p><code>POST: https://api.rusticators.dev/v1/vpc</code></p> <h3> Body </h3> <p>There are only three required parameters you need to pass in with your request body. There is a fourth optional value that defaults to false if you do not specify it but we will get to that below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"vpc_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr_block"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.144.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subnet_mask"</span><span class="p">:</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Important Notes </h4> <ul> <li>VPC Types available so far are <code>a</code> and <code>b</code>.</li> <li>The VPC subnet size can be anything between a <code>/16</code> all the way through a <code>/24</code>.</li> </ul> <h3> API Response </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"public"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"10.144.0.0/26"</span><span class="p">,</span><span class="w"> </span><span class="s2">"10.144.0.64/26"</span><span class="p">,</span><span class="w"> </span><span class="s2">"10.144.0.128/26"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"private"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"10.144.1.0/24"</span><span class="p">,</span><span class="w"> </span><span class="s2">"10.144.2.0/24"</span><span class="p">,</span><span class="w"> </span><span class="s2">"10.144.3.0/24"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The way this works is that you can use any 10.x range to create a VPC and it will calculate the appropriate subnet layout depending on what VPC Type you select.</p> <p>There are a few different layouts that I have found to work well. The catch with subnet math is that most of the time it does not play well with being able to use the full amount of IP space. Add in the fact that each subnet in AWS has an overhead of 5 IPs that are unusable as they are reserved for AWS networking reasons. There is a little trade-off or balance between trying to achieve the most amount of unusable space while also providing a VPC layout that offers up some protection for "blast radius" and general high availability best practices.</p> <p>Typically I generally recommend a VPC with three availability zones. This would be a VPC Type <code>A</code>. However there are a few locations where three is not always possible. I have also included a VPC layout that is built around 2 availability zones. This would be VPC Type <code>B</code></p> <h2> How Can I Use This? </h2> <p>So you may be asking, how does this relate back to Terraform? Here is where I propose how this can then be pulled back in Terraform and consumed as a resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"http"</span> <span class="s2">"vpc_layout"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://api.rusticators.dev/v1/vpc"</span> <span class="nx">method</span> <span class="p">=</span> <span class="s2">"POST"</span> <span class="nx">request_body</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="s2">"vpc_type"</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_type</span><span class="p">,</span> <span class="s2">"cidr_block"</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="s2">"subnet_mask"</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subnet_mask</span><span class="p">,</span> <span class="s2">"ephemeral"</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ephemeral_subnet</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cidr_block</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">subnet_mask</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">jsondecode</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">vpc_layout</span><span class="p">.</span><span class="nx">response_body</span><span class="p">).</span><span class="nx">public</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private_subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">jsondecode</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">vpc_layout</span><span class="p">.</span><span class="nx">response_body</span><span class="p">).</span><span class="nx">private</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private_subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">jsondecode</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">vpc_layout</span><span class="p">.</span><span class="nx">response_body</span><span class="p">).</span><span class="nx">private</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"ephemeral_subnet"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ephemeral_subnet</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">jsondecode</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">vpc_layout</span><span class="p">.</span><span class="nx">response_body</span><span class="p">).</span><span class="nx">ephemeral</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span> <span class="nx">Value</span> <span class="p">}</span> </code></pre> </div> <p>The beauty of potentially doing it this way is that it just a simple for loop and no matter how many subnets you have it will create them all with the single resource.</p> <h3> Ephemeral Subnets </h3> <p>There is the extra boolean option for creating an ephemeral subnet. The subnet itself does not dissapear or go away. Named it that way because its intention is mainly for workloads or instances that may be for temporary operations or things you just need to spin up and spin down for testing. A classic example may be a jumpbox. </p> <p>Secondary to this is that most of the time CIDR math does not always play nicely with the complete address space you have for your VPC. More often than not it leaves "extra" space that is tough to use in any meaningful format. </p> <p>This is where the ephemeral subnets come from. The extra space that is left over but can still be utilized for something otherwise its going to be wasted. </p> <p>With all the VPC layouts so far, there is only one ephemeral subnet that will be created. It is in only one availability zone so its highly recommended that you use it for temporary stuff since its not truly going to be "highly available". </p> <p>They can be provisioned just by adding in the <code>ephemeral</code> attribute to the body of your request. It is optional of course and does not have to be specified and its <code>false</code> by default.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"vpc_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr_block"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.144.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subnet_mask"</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="nl">"ephemeral"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Final Thoughts </h2> <p>I have tried quite a few different VPC layouts over the years and I have landed on these since its gives me the highest amount of IP's utilized inside the VPC with minimal amount of waste. With every subnet you create in AWS land there is always going to be 5 IP's that are used for networking purposes. The more subnets you create the more you lose just to overhead.</p> <p>Going to be working on the formal documentation on this and hope to have that finished here soon so I will come back and update this when its out there. </p> <p>The quest with this is a pretty simple one and I hope it can help someone out here in the future. I am curious if someone has thoughts so do not hesistate to message me and I am open to feedback.</p> terraform aws serverless Pulumi - Python - Docker Stephen Bawks Sun, 01 Jan 2023 14:59:57 +0000 https://dev.to/stephenbawks/pulumi-python-docker-36c7 https://dev.to/stephenbawks/pulumi-python-docker-36c7 <p>I do love Pulumi and Python. Working on a few things lately and fought with the Docker build options, getting it working the way I wanted. </p> <p>The Docker module for Pulumi does not have the greatest documentation and I felt the need to write this up real quick hopefully someone can find it useful.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">pulumi</span> <span class="kn">import</span> <span class="n">pulumi_aws</span> <span class="k">as</span> <span class="n">aws</span> <span class="kn">import</span> <span class="n">pulumi_aws_native</span> <span class="k">as</span> <span class="n">aws_native</span> <span class="kn">import</span> <span class="n">pulumi_docker</span> <span class="k">as</span> <span class="n">docker</span> <span class="c1"># ---------------------------------------------------------------- # Pull Stack Variables from Config File # ---------------------------------------------------------------- </span> <span class="n">CONFIG</span> <span class="o">=</span> <span class="n">pulumi</span><span class="p">.</span><span class="nc">Config</span><span class="p">()</span> <span class="n">account_id</span> <span class="o">=</span> <span class="p">(</span><span class="n">aws</span><span class="p">.</span><span class="nf">get_caller_identity</span><span class="p">()).</span><span class="n">account_id</span> <span class="n">region</span> <span class="o">=</span> <span class="p">(</span><span class="n">aws</span><span class="p">.</span><span class="nf">get_region</span><span class="p">()).</span><span class="n">name</span> <span class="n">untagged_days</span> <span class="o">=</span> <span class="mi">14</span> <span class="n">life_cycle_policy</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">rules</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">rulePriority</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Expire images older than 30 days</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">selection</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">tagStatus</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">untagged</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">countType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">sinceImagePushed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">countUnit</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">days</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">countNumber</span><span class="sh">"</span><span class="p">:</span> <span class="n">untagged_days</span> <span class="p">},</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">expire</span><span class="sh">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="c1"># https://www.pulumi.com/registry/packages/aws-native/api-docs/ecr/repository/ </span><span class="n">ecr_repository</span> <span class="o">=</span> <span class="n">aws_native</span><span class="p">.</span><span class="n">ecr</span><span class="p">.</span><span class="nc">Repository</span><span class="p">(</span> <span class="sh">"</span><span class="s">ecr-repository</span><span class="sh">"</span><span class="p">,</span> <span class="n">image_scanning_configuration</span><span class="o">=</span><span class="n">aws_native</span><span class="p">.</span><span class="n">ecr</span><span class="p">.</span><span class="nc">RepositoryImageScanningConfigurationArgs</span><span class="p">(</span> <span class="n">scan_on_push</span><span class="o">=</span><span class="bp">True</span> <span class="p">),</span> <span class="n">lifecycle_policy</span><span class="o">=</span><span class="n">aws_native</span><span class="p">.</span><span class="n">ecr</span><span class="p">.</span><span class="nc">RepositoryLifecyclePolicyArgs</span><span class="p">(</span> <span class="n">lifecycle_policy_text</span><span class="o">=</span><span class="n">life_cycle_policy</span> <span class="p">)</span> <span class="p">)</span> <span class="c1"># https://www.pulumi.com/registry/packages/aws/api-docs/ecr/getauthorizationtoken/ </span><span class="n">ecr_token</span> <span class="o">=</span> <span class="n">aws</span><span class="p">.</span><span class="n">ecr</span><span class="p">.</span><span class="nf">get_authorization_token</span><span class="p">()</span> <span class="c1"># https://www.pulumi.com/registry/packages/docker/api-docs/image/ </span><span class="n">container</span> <span class="o">=</span> <span class="n">docker</span><span class="p">.</span><span class="nc">Image</span><span class="p">(</span> <span class="sh">"</span><span class="s">build-container</span><span class="sh">"</span><span class="p">,</span> <span class="n">image_name</span><span class="o">=</span><span class="n">ecr_repository</span><span class="p">.</span><span class="n">repository_uri</span><span class="p">,</span> <span class="n">build</span><span class="o">=</span><span class="n">docker</span><span class="p">.</span><span class="nc">DockerBuild</span><span class="p">(</span> <span class="n">context</span><span class="o">=</span><span class="sh">"</span><span class="s">./src/api</span><span class="sh">"</span> <span class="p">),</span> <span class="n">registry</span> <span class="o">=</span> <span class="n">docker</span><span class="p">.</span><span class="nc">ImageRegistry</span><span class="p">(</span> <span class="n">server</span> <span class="o">=</span> <span class="n">ecr_repository</span><span class="p">.</span><span class="n">repository_uri</span><span class="p">.</span><span class="nf">apply</span><span class="p">(</span><span class="k">lambda</span> <span class="n">uri</span><span class="p">:</span> <span class="n">uri</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">]),</span> <span class="n">username</span> <span class="o">=</span> <span class="n">ecr_token</span><span class="p">.</span><span class="n">user_name</span><span class="p">,</span> <span class="n">password</span> <span class="o">=</span> <span class="n">ecr_token</span><span class="p">.</span><span class="n">password</span><span class="p">,</span> <span class="p">),</span> <span class="n">opts</span><span class="o">=</span><span class="n">pulumi</span><span class="p">.</span><span class="nc">ResourceOptions</span><span class="p">(</span><span class="n">parent</span><span class="o">=</span><span class="n">ecr_repository</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> javascript startup Loops... where we are going we don't need loops Stephen Bawks Fri, 29 Jul 2022 00:46:42 +0000 https://dev.to/stephenbawks/loops-where-we-are-going-we-dont-need-loops-10od https://dev.to/stephenbawks/loops-where-we-are-going-we-dont-need-loops-10od <p>Here is hopefully the first of many... on several different coding and IAC topics. </p> <p>There is nothing against loops, however one of the main challenges with them is sometimes it can be especially difficult to iterate through when you may have several conditional <code>if</code> statements or different bits of logic happening in the loop.</p> <p>Wanted to touch on <code>map()</code> in Python. As its one of my new favorite things to reduce some of the amount of code when it concerns needing a <code>for</code> loop.</p> <p>The <code>map()</code> is defined as the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>map(function, iterable[, iterable1, iterable2,..., iterableN]) </code></pre> </div> <p>With the <code>map()</code> function, you can see that there is two things going on here. There is a function and then an object that you are passing in. The object you are passing in can also be a <code>list</code>, <code>tuple</code>, etc.</p> <p>In my example, I am taking in a list of scopes that is coming from a variables file that is being passed in to be consumed for an infrastructure as code module. I need to format the scopes in a certain fashion that will then be applied to an API Gateway.</p> <p>In the example below I have a pretty simple amount of code that I have used to format, parse and structure a set of scopes that I needed to be applied to my API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">API_SCOPES</span> <span class="o">=</span> <span class="s">"read:stuff, write:stuff, delete:stuff"</span> </code></pre> </div> <p>Just to add in some extra protections where someone may have added some white space, aka spaces, into the string. I added an extra statement to remove any additional spacing and then I am spliting on commas.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="p">[</span><span class="s">'read:stuff'</span><span class="p">,</span> <span class="s">'write:stuff'</span><span class="p">,</span> <span class="s">'delete:stuff'</span><span class="p">]</span> </code></pre> </div> <p>The result is a <code>list</code> that has all of the scopes from the original comma separated string.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">API_SCOPES</span> <span class="o">=</span> <span class="s">"read:stuff, write:stuff, delete:stuff"</span> <span class="n">DOMAIN_NAME</span> <span class="o">=</span> <span class="s">"api.example.com"</span> <span class="k">def</span> <span class="nf">api_authorization_scopes</span><span class="p">(</span><span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="s">""" Takes a string of scopes and returns a list of properly formatted scopes. Args: name (str): The scope string Returns: Optional[str]: Formatted scope string """</span> <span class="k">return</span> <span class="sa">f</span><span class="s">"https://</span><span class="si">{</span><span class="n">DOMAIN_NAME</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="s">"</span> <span class="n">parsed_scopes</span> <span class="o">=</span> <span class="n">API_SCOPES</span><span class="p">.</span><span class="n">replace</span><span class="p">(</span><span class="s">' '</span><span class="p">,</span> <span class="s">''</span><span class="p">).</span><span class="n">split</span><span class="p">(</span><span class="s">","</span><span class="p">)</span> <span class="n">allowed_oauth_scopes</span> <span class="o">=</span> <span class="nb">map</span><span class="p">(</span><span class="n">api_authorization_scopes</span><span class="p">,</span> <span class="n">parsed_scopes</span><span class="p">)</span> </code></pre> </div> <p>This results in a <code>map</code> object that I can output as a list and it looks like the following.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="p">[</span><span class="s">'https://api.example.com/read:stuff'</span><span class="p">,</span> <span class="s">'https://api.example.com/write:stuff'</span><span class="p">,</span> <span class="s">'https://api.example.com/delete:stuff'</span><span class="p">]</span> </code></pre> </div>