Develop Reference

Describe EBS details volume with AWSCLI

I need to list all owner's aws ami and any details about it.
The following line returns the image_id, CreationDate, Name and organized by CreationDate:
aws ec2 describe-images --owners --query 'Images[*].[ImageId, CreationDate, Name]' | sort_by(#, &[1])' --output text
But, i need any information about BlockDevicesMapping like an Ebs volume [snapshot id, Volume size e etc...]
I did the following line aws ec2 describe-images --owners --query 'Images[*].[ImageId, CreationDate, Name, BlockDeviceMappings:[Ebs:{SnapshotID}]] --output text. But, the search on terminal stopped.
I tried a lot of ways.
Thank's for help-me.

The output from describe-images is as follows.
{
"Images": [
{
"VirtualizationType": "hvm",
"Description": "Provided by Red Hat, Inc.",
"PlatformDetails": "Red Hat Enterprise Linux",
"EnaSupport": true,
"Hypervisor": "xen",
"State": "available",
"SriovNetSupport": "simple",
"ImageId": "ami-1234567890EXAMPLE",
"UsageOperation": "RunInstances:0010",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"SnapshotId": "snap-111222333444aaabb",
"DeleteOnTermination": true,
"VolumeType": "gp2",
"VolumeSize": 10,
"Encrypted": false
}
}
],
"Architecture": "x86_64",
"ImageLocation": "123456789012/RHEL-8.0.0_HVM-20190618-x86_64-1-Hourly2-GP2",
"RootDeviceType": "ebs",
"OwnerId": "123456789012",
"RootDeviceName": "/dev/sda1",
"CreationDate": "2019-05-10T13:17:12.000Z",
"Public": true,
"ImageType": "machine",
"Name": "RHEL-8.0.0_HVM-20190618-x86_64-1-Hourly2-GP2"
}
]
}
As you see, BlockDeviceMappings is an array, so you should flatten it first before you attempt to access its objects.
I would suggest specifying --owners 12347989. If you attempt to get all amis of all owners, terminal will hang. I ran the below command with my accountId and got the desired output, but if I don't specify owner, my terminal just hangs.
Try this:
aws ec2 describe-images --owners amazon --query 'Images[*].[ImageId, CreationDate, Name, BlockDeviceMappings[0].DeviceName, BlockDeviceMapping[0].VolumeSize, BlockDeviceMappings[0].SnapshotId]' --output text

Get zone id for an exisiting zone or create a new zone with zone name

I am using cdktf to generate terraform code, and want to get the zone_id for an existing zone so I can create new records in it.
"aws_route53_zone": {
"typescript-aws_get_zone_id_C1732EA4": {
"name": "mydomain.com",
"//": {
"metadata": {
"path": "custom_stack/typescript-aws/get_zone_id",
"uniqueId": "typescript-aws_get_zone_id_C1732EA4"
}
}
}
},
...
"aws_route53_record": {
"typescript-aws_aws_cloudfront_mydomaincom_aws_cloudfront_mydomaincom_record_5E08FD7F": {
"name": "mydomain.com",
"type": "A",
"zone_id": "${aws_route53_zone.typescript-aws_get_zone_id_C1732EA4.zone_id}",
"alias": [
{
"evaluate_target_health": false,
"name": "${aws_cloudfront_distribution.typescript-aws_aws_cloudfront_mydomaincom_4EF84BC8.domain_name}",
"zone_id": "${aws_cloudfront_distribution.typescript-aws_aws_cloudfront_mydomaincom_4EF84BC8.hosted_zone_id}"
}
],
"//": {
"metadata": {
"path": "custom_stack/typescript-aws/aws_cloudfront_mydomain.com/aws_cloudfront_mydomain.com_record",
"uniqueId": "typescript-aws_aws_cloudfront_mydomaincom_aws_cloudfront_mydomaincom_record_5E08FD7F"
}
}
},
However, this always creates a new zone (whose name matches an exisiting zone, but both have separate zone ids.
I referred to this question ( Fetch zone_id of hosted domain on route53 using terraform ) but seems like the flag suggested in the approved answer is no longer available? At least not as per the docs ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone )

In Terraform resources create resources and data sources load the data. You should be able to use data_route53_zone, which should be aws.route53. DataAwsRoute53Zone.

How do I replace a Policy Record with a simple A record that points to a CloudFront Distribution without traffic interruption?

My first question would be, what's the best way to do this? It looks to me like the only way to do it without interrupting traffic would be through the AWS CLI, but if there's an easier way I'm all ears! If the CLI is the way to do it, I'm running into issues with the following command:
aws route53 change-resource-record-sets --hosted-zone-id XXXXXXXXXXXX --change-batch file://update-record.json
The update-record.json contains the following:
{
"Comment": "Swaps the Policy Record for a simple routing policy",
"Changes": [
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "www.example.com",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "XXXXXXXXXXXX",
"DNSName": "xxxxxxxxxxxxx.cloudfront.net",
"EvaluateTargetHealth": false
}
}
}
]
}
The error I'm getting is:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: [Tried to create an alias that targets xxxxxxxxxxxxx.cloudfront.net., type A in zone XXXXXXXXXXXX, but the alias target name does not lie within the target zone, Tried to create an alias that targets xxxxxxxxxxxxx.cloudfront.net., type A in zone XXXXXXXXXXXX, but that target was not found]
The Hosted Zone ID for the record in the account is accurate, as is the distribution DNS name. The record name, www.example.com, also exists in the account. The distribution has an alternate domain name (CNAME) of www.example.com.
I've also tried doing the change as a delete and create, rather than an upsert:
{
"Comment": "Swaps the Policy Record for a simple routing policy",
"Changes": [
{
"Action": "DELETE",
"ResourceRecordSet": {
"Name": "www.example.com.",
"Type": "A",
"TrafficPolicyInstanceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
},
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "www.example.com.",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "XXXXXXXXXXXX",
"DNSName": "xxxxxxxxxxxxx.cloudfront.net",
"EvaluateTargetHealth": false
}
}
}
]
}
Doing this in two steps yields the same error message.

Each domain and subdomain in Route 53 is considered a "Hosted Zone", and as such has a "Hosted Zone ID". However, while the change-resource-record-sets documentation is extensive, it's not very clear about Alias records that point to a CloudFront distribution. I had to dig deeper, and look into the documentation around AliasTarget specifically. There, the documentation states:
Specify Z2FDTNDATAQYW2. This is always the hosted zone ID when you create an alias record that routes traffic to a CloudFront distribution.
This means that even though I was trying to create an Alias record in the hosted zone with an id of XXXXXXXXXXXX, the ID to use for any Alias record pointing to any CloudFront distribution is Z2FDTNDATAQYW2. Changing the update-record.json to the following works:
{
"Comment": "Swaps the Policy Record for a simple routing policy",
"Changes": [
{
"Action": "DELETE",
"ResourceRecordSet": {
"Name": "www.example.com.",
"Type": "A",
"TrafficPolicyInstanceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
},
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "www.example.com.",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "Z2FDTNDATAQYW2",
"DNSName": "xxxxxxxxxxxxx.cloudfront.net",
"EvaluateTargetHealth": false
}
}
}
]
}
Doing this as a change-resource-record-set prevents interruption in traffic, as:
Change batches are considered transactional changes. Route 53 validates the changes in the request and then either makes all or none of the changes in the change batch request. This ensures that DNS routing isn't adversely affected by partial changes to the resource record sets in a hosted zone.

ECS CLI - You cannot specify an IAM role for services that require a service linked role

I'm trying to deploy a container to ECS (Fargate) via aws cli. I'm able to create the task definition successfully, the problem comes when I want to add a new service to my Fargate cluster.
This is the command a execute:
aws ecs create-service --cli-input-json file://aws_manual_cfn/ecs-service.json
This is the error that I'm getting:
An error occurred (InvalidParameterException) when calling the CreateService operation: You cannot specify an IAM role for services that require a service linked role.`
ecs-service.json
{
"cluster": "my-fargate-cluster",
"role": "AWSServiceRoleForECS",
"serviceName": "dropinfun-spots",
"desiredCount": 1,
"launchType": "FARGATE",
"networkConfiguration": {
"awsvpcConfiguration": {
"assignPublicIp": "ENABLED",
"securityGroups": ["sg-06d506f7e444f2faa"],
"subnets": ["subnet-c8ffcbf7", "subnet-1c7b6078", "subnet-d47f7efb", "subnet-e704cfad", "subnet-deeb43d1", "subnet-b59097e8"]
}
},
"taskDefinition": "dropinfun-spots-task",
"loadBalancers": [
{
"targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:************:targetgroup/dropinfun-spots-target-group/c21992d4a411010f",
"containerName": "dropinfun-spots-service",
"containerPort": 80
}
]
}
task-definition.json
{
"family": "dropinfun-spots-task",
"executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
"memory": "0.5GB",
"cpu": "256",
"networkMode": "awsvpc",
"requiresCompatibilities": [
"FARGATE"
],
"containerDefinitions": [
{
"name": "dropinfun-spots-service",
"image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
"memory": 512,
"portMappings": [
{
"containerPort": 80
}
],
"essential": true
}
]
}
Any idea on how to manage this linked-role error?

Since you are trying to create Fargate launch type tasks, you set the network mode to awsvpc mode in task definition (Fargate only support awsvpc mode).
In your ecs-service.json, I can see that it has "role": "AWSServiceRoleForECS". It seems that you are trying to assign a service role for this service. AWS does not allow you to specify an IAM role for services that require a service linked role.
If you assigned the service IAM role because you want to use a load balancer, you can remove it. Because task definition that use awsvpc network mode use service-linked role, which is created for you automatically[1].
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html#create-service-linked-role

Instead of specifying "role": "AWSServiceRoleForECS"
you can specify taskRoleArn in addition to executionRoleArn if you want to assign a specific role to your service (container). It will be useful if you want your container to access other AWS services on your behalf.
task-definition.json
{
"family": "dropinfun-spots-task",
"executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
"taskRoleArn" : "here_you_can_define_arn_of_a_specific_iam_role"
"memory": "0.5GB",
"cpu": "256",
"networkMode": "awsvpc",
"requiresCompatibilities": [
"FARGATE"
],
"containerDefinitions": [
{
"name": "dropinfun-spots-service",
"image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
"memory": 512,
"portMappings": [
{
"containerPort": 80
}
],
"essential": true
}
]
}
off-note: It is very bad practice to post aws account_id :"{

CloudFormation without snapshot

Cloudformation created a template for us which specifies both the AMI instance to start from, and also the snapshot ID of that AMI instance.
We create our base AMI instance with Packer, which reports the AMI instance it creates, but does not report the snapshot associated - we find that in the Amazon UI.
Can the Cloudformation template be modified so it does not specify the snapshot ID? Can you give an example of the stanza?

Sure you can! For example, something like this would work:
"Resources": {
"someEC2": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "...valid_ami_id...",
"InstanceType": "m3.medium",
"KeyName": "...",
"Monitoring": "false",
"NetworkInterfaces": [
{
...
}
],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda",
"Ebs": {
"VolumeSize": 10
}
}
]
}
}
}