In waf-regional you can actually insert an IP into an existing set, but how can I do the same thing in WAFv2?
When I try to do that it replaces the whole IP set; I just want to add one IP to an existing IP set.
After some research, I was able to do this with the existing API. Assign values to all variables at the start of the script.
# Get IP set
aws wafv2 get-ip-set --name="$NAME" --scope REGIONAL --id="$ID" --region "$REGION" > /root/IP_SET_OUTPUT
# Get token from the JSON
LOCK_TOKEN=$(jq -r '.LockToken' /root/IP_SET_OUTPUT)
# Get IP list from the JSON
arr=( $(jq -r '.IPSet.Addresses[]' /root/IP_SET_OUTPUT) )
# Add our ip to the list
arr+=( "${IP}/${BLOCK}" )
echo "${arr[@]}"
# Update IP set (the call replaces the whole list, so pass every address plus the lock token from the get)
aws wafv2 update-ip-set --name="$NAME" --scope=REGIONAL --id="$ID" --addresses "${arr[@]}" --lock-token="$LOCK_TOKEN" --region="$REGION"
You can't. The API was changed such that you cannot do delta changes anymore.
You would need to do get-ip-set, make changes to the returned JSON model, and then call update-ip-set.
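The read-modify-write that both answers describe, as an added example (not code from the answers above): it takes the JSON that `aws wafv2 get-ip-set` returns, appends one address in canonical CIDR form, and builds the `aws wafv2 update-ip-set` call with the full list and the lock token that was read together with it. The retry loop handles the case the lock token exists for: if someone else updated the set between the get and the update, the update is refused and the set is re-read. The `run` callable, the `CliCallFailed` exception and the sample response are this example's own names; the sample is constructed and not a real IP set.

```python
import ipaddress
import json
import subprocess


class CliCallFailed(Exception):
    """An aws CLI call exited non-zero (for update-ip-set: usually a stale lock token)."""


def normalize_cidr(address):
    # WAFv2 stores CIDR strings; a bare host address becomes /32 (or /128) so
    # "203.0.113.5" and "203.0.113.5/32" are recognised as the same entry.
    # strict=True rejects prefixes with host bits set, e.g. "10.0.0.5/24".
    return str(ipaddress.ip_network(address, strict=True))


def merge_address(get_ip_set_response, address):
    """Return (full_address_list, lock_token, changed) for update-ip-set.

    The whole list is needed because update-ip-set replaces the set; the lock
    token must be the one that was read together with that list.
    """
    cidr = normalize_cidr(address)
    current = [normalize_cidr(a) for a in get_ip_set_response["IPSet"]["Addresses"]]
    token = get_ip_set_response["LockToken"]
    if cidr in current:
        return current, token, False
    return current + [cidr], token, True


def get_ip_set_argv(name, scope, ip_set_id, region):
    return ["aws", "wafv2", "get-ip-set", "--name", name, "--scope", scope,
            "--id", ip_set_id, "--region", region]


def update_ip_set_argv(name, scope, ip_set_id, region, addresses, lock_token):
    return ["aws", "wafv2", "update-ip-set", "--name", name, "--scope", scope,
            "--id", ip_set_id, "--region", region, "--lock-token", lock_token,
            "--addresses", *addresses]


def run_aws_cli(argv):
    """Execute one aws CLI call and return its parsed JSON output."""
    try:
        proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as exc:
        raise CliCallFailed(exc.stderr) from exc
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def add_address(run, name, scope, ip_set_id, region, address, attempts=3):
    """Read-modify-write with optimistic-lock retry.

    `run` executes an argv list and returns parsed JSON (run_aws_cli, or a
    fake in tests). If the set changed between get and update, the token no
    longer matches, the update is rejected, and the set is re-read.
    """
    for _ in range(attempts):
        current = run(get_ip_set_argv(name, scope, ip_set_id, region))
        addresses, token, changed = merge_address(current, address)
        if not changed:
            return addresses, False          # already present: nothing to write
        try:
            run(update_ip_set_argv(name, scope, ip_set_id, region, addresses, token))
            return addresses, True
        except CliCallFailed:
            continue                          # stale token: loop re-reads the set
    raise RuntimeError("IP set kept changing; giving up after %d attempts" % attempts)


if __name__ == "__main__":
    import sys
    # usage: python add_ip.py NAME ID REGION ADDRESS   (scope REGIONAL assumed)
    name, ip_set_id, region, address = sys.argv[1:5]
    print(add_address(run_aws_cli, name, "REGIONAL", ip_set_id, region, address))
```

Normalising to CIDR before comparing is what keeps the operation idempotent: running it twice for the same host does not append a duplicate `/32` entry, and a malformed prefix is rejected locally before any call is made.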
I'm trying to get all the security groups that are open to "All traffic" from any IP address (0.0.0.0/0). For us, it means they haven't been correctly configured.
I found how to find those that contain a rule that allows SSH traffic (port 22) and a rule that allows traffic from all IP addresses (0.0.0.0/0)
I've tried it but I still don't have what I'm looking for: I want those which allow all protocols, all ports (all traffic) from 0.0.0.0.
Thanks for any suggestions.
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' Name=vpc-id,Values=XXXXX Name=ip-permission.from-port,Values='*' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
You're on the right track. If you use a -1 as the value for ip-permission.protocol it will return Security Groups open to all traffic.
I created this Security Group (delete immediately) as a test:
When I run the aws command with the above filter and the filter for CIDR = 0.0.0.0/0 as such:
aws ec2 --region eu-west-1 describe-security-groups --filter Name=ip-permission.protocol,Values=-1 Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
It returned this output:
------------------------------------------------
| DescribeSecurityGroups |
+-----------------------+----------------------+
| ID | Name |
+-----------------------+----------------------+
| sg-0142cbca58aac3836 | delete immediately |
+-----------------------+----------------------+
UPDATE
To generate a list of security groups that allow all outbound traffic, use the following:
aws ec2 describe-security-groups --filter Name=egress.ip-permission.protocol,Values=-1 Name=egress.ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
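An added example, not from the answer above, that does the same check on the JSON side with a per-rule test. The point of doing it client-side is precision: the EC2 filters are applied per group, not per rule, so a group that has protocol -1 in one rule (say, from an internal range) and 0.0.0.0/0 in another rule (say, SSH only) satisfies both filters and shows up in the table, although no single rule opens all traffic to the world. The function below only flags groups where one rule has protocol -1 and a world CIDR (0.0.0.0/0 or ::/0), for either direction; `matches_independent_filters` is my model of the two-filter behaviour, included to show the difference. The sample groups are constructed and not real.

```python
import json
import subprocess

WORLD = ("0.0.0.0/0", "::/0")


def rule_allows_all_traffic_from_world(perm):
    """True if this single IpPermission admits every protocol and port from anywhere."""
    if perm.get("IpProtocol") != "-1":
        return False
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def world_open_groups(describe_output, direction="ingress"):
    """Return (GroupId, GroupName) for groups with at least one world-open all-traffic rule."""
    key = {"ingress": "IpPermissions", "egress": "IpPermissionsEgress"}[direction]
    hits = []
    for sg in describe_output.get("SecurityGroups", []):
        if any(rule_allows_all_traffic_from_world(p) for p in sg.get(key, [])):
            hits.append((sg["GroupId"], sg["GroupName"]))
    return hits


def matches_independent_filters(sg):
    """Model of the two server-side filters on inbound rules: each filter is
    satisfied by *any* rule, so protocol -1 and 0.0.0.0/0 may come from
    different rules."""
    perms = sg.get("IpPermissions", [])
    has_all_proto = any(p.get("IpProtocol") == "-1" for p in perms)
    has_world = any(r.get("CidrIp") == "0.0.0.0/0" for p in perms for r in p.get("IpRanges", []))
    return has_all_proto and has_world


# Constructed sample in the shape `aws ec2 describe-security-groups --output json` returns.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "delete immediately",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "ssh-plus-internal",
     # SSH from the world plus all traffic from an internal range: not world-open
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccccccccccccccccc", "GroupName": "web-only",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]}


def load_from_cli(region):
    """Fetch the real data; same shape as SAMPLE."""
    out = subprocess.run(["aws", "ec2", "describe-security-groups", "--region", region,
                          "--output", "json"], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    for direction in ("ingress", "egress"):
        for gid, name in world_open_groups(SAMPLE, direction):
            print(f"{direction}\t{gid}\t{name}")
```

With the sample above, the per-rule check flags only `delete immediately` inbound, while the independent-filter model also returns `ssh-plus-internal`; the egress check lists both groups that allow all outbound traffic to 0.0.0.0/0.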
I have the command to list all the RDS endpoints I have running in my aws account but I want to find RDS endpoint for RDS running in the same VPC as the ec2 instance I want to use it from.
I have multiple VPCs up with multiple RDSs, so when I issue the command it gives me all the running RDSs. How can I filter this to just show me the one in the same VPC?
I run the command -
aws rds --region us-east-2 describe-db-instances --query "DBInstances[*].Endpoint.Address"
And I get -
"acme-networkstack.vbjrxfom0phf.us-east-2.rds.amazonaws.com",
"acme-aws-beta-network.vbjrxfom0phf.us-east-2.rds.amazonaws.com",
"acme-demo.vbjrxfom0phf.us-east-2.rds.amazonaws.com",
"acme-dev.vbjrxfom0phf.us-east-2.rds.amazonaws.com"
I only want the one endpoint that is in the same VPC as the instance I am running the CLI command from.
Thanks!
Ernie
Here's a little script that should do the trick, just replace the ec2 describe-instances with your rds cli command:
#!/bin/bash
mac=`curl -s http://169.254.169.254/latest/meta-data/mac`
vpcID=`curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/$mac/vpc-id`
aws ec2 describe-instances --region eu-west-1 --filter "Name=vpc-id,Values=$vpcID"
You're first curling the instance metadata to find its VpcId, and then filtering the output of your CLI command to limit it to a certain VPC.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output.html
describe-db-instances has a limited set of filters which doesn't include the VPC. The solution I suggest uses a combination of the meta-data information from the host and jq to select only the endpoints that match the VPC.
First, you can get the VPC ID as suggested by WarrenG.
#!/bin/bash
mac=`curl -s http://169.254.169.254/latest/meta-data/mac`
VPC_ID=`curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/$mac/vpc-id`
Then use the AWS CLI in combination with jq to derive your desired output.
aws rds describe-db-instances | jq -r --arg VPC_ID "$VPC_ID" '.DBInstances[] | select(.DBSubnetGroup.VpcId==$VPC_ID) | .Endpoint.Address'
I haven't run this from a script but it works from the command line. If it doesn't work in a script let me know.
References
https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html
Passing bash variable to jq select
When swapping the production slot with a staging slot for an Azure App Service through the portal, you get a little warning in case the configs differ between the slots.
I would like to get the same warning when I swap from command line (for example with az in bash), is that possible, and if so how to do it?
There does not seem to be any way to get a confirmation before the swap is completed using Azure CLI.
If you want a confirmation dialog you need to script it separately, e.g. like this
read -r -p "Are you sure? [y/N] " response
if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]
then
az webapp deployment slot swap -g MyResourceGroup -n MyUniqueApp --slot staging --target-slot production
fi
References
See this page for more info about swapping slots using the CLI,
and this page for details on conditionally executing statements in bash.
Managed to do that using the Azure CLI and jq (install it first). That's the same call the Azure portal does when doing the preview. So, I've added the Azure CLI task and then:
echo Phase One changes
az rest -m post -u https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/<your_rg>/providers/Microsoft.Web/sites/<your_webapp_name>/slots/<slot_name>/slotsdiffs?api-version=2016-08-01 --body {\"targetSlot\":\"production\"} | jq -r "[.value[].properties | select(.diffRule == \"SlotSettingsMissing\") | .description ] | join(\";\")"
echo Phase Two changes
az rest -m post -u https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/<your_rg>/providers/Microsoft.Web/sites/<your_webapp_name>/slots/<slot_name>/slotsdiffs?api-version=2016-08-01 --body {\"targetSlot\":\"production\"} | jq -r "[.value[].properties | select(.diffRule != \"SlotSettingsMissing\") | .description ] | join(\";\")"
Note that the {subscriptionId} will be substituted, so no need to do it manually. Other parameters in <> should be provided anyhow.
In the end I made an extension to the az cli that compares and diffs the configs. It was after all not very difficult to do, and at the same time I could extend its functionality a little bit and make it possible to also diff configs between different web apps, for example useful when the same service is deployed in more than one region.
(this extension is at the moment not publicly available anywhere, but could maybe be if there was interest)
I have deployed an Amazon EC2 cluster of 3 Ubuntu machines (2 of them make up the cluster and the last one is just a client that submits jobs and manages their storage). I connect to all of them via password-less SSH.
What happens is that every time I restart these machines they get new public hostnames from Amazon, which I want to replace in my SSH configuration file located in ~/.ssh/config
So far, I figured out a way to get their names and hostnames using Amazon CLI with the following command at my local machine (CentOS 7):
aws ec2 describe-instances --query "Reservations[*].Instances[*].[PublicDnsName,Tags]" --output=text | grep -vwE "None"
This prints something like
ec2-XX-XX-XXX-XXX.us-east-2.compute.amazonaws.com
Name datanode1
ec2-YY-YY-YYY-YYY.us-east-2.compute.amazonaws.com
Name namenode
ec2-ZZ-ZZ-ZZZ-ZZZ.us-east-2.compute.amazonaws.com
Name client
i.e. the hostname, a new line, the corresponding name, and so on. The IP fields above like XX-XX-XXX-XXX are basically 4 hyphen-separated numbers of 2 or 3 digits. The grep command I have simply removes the last useless line. Now I want to find a way to replace these hostnames in the SSH configuration file, or maybe regenerate it, which looks like
Host namenode
HostName ec2-YY-YY-YYY-YYY.us-east-2.compute.amazonaws.com
User ubuntu
IdentityFile ~/.ssh/mykey.pem
Host datanode1
HostName ec2-XX-XX-XXX-XX.us-east-2.compute.amazonaws.com
User ubuntu
IdentityFile ~/.ssh/mykey.pem
Host client
HostName ec2-ZZ-ZZ-ZZZ-ZZZ.us-east-2.compute.amazonaws.com
User ubuntu
IdentityFile ~/.ssh/mykey.pem
Please note that I don't know how the Amazon CLI command sorts the output. But of course, I can change the order of the machines in my SSH file or maybe it is a good idea to delete it and recreate it.
Below is what I finally figured out, and it works. This is a Bash script you can just save as a .sh file like script.sh and execute. If it can't run, simply do chmod +x script.sh. I have added comments to clarify what I am doing.
#!/bin/bash
#Ask Amazon CLI for your hostnames, remove the last line, replace the "Name\t" with "", combine every 2 consecutive lines and save to a txt file
aws ec2 describe-instances --query "Reservations[*].Instances[*].[PublicDnsName,Tags]" --output=text | grep -vwE "None" | sed 's/Name\t//g' | sed 'N;s/\n/ /' > 'ec2instances.txt';
#Change the following variables based on your cluster
publicKey="mykey.pem";
username="ubuntu";
#Remove any preexisting SSH configuration file (-f so a missing file is not an error)
rm -f config
touch config
#-r keeps backslashes in the input literal
while read -r line
do
#Read the line, keep the 1st word and save it as the public DNS
publicDns=$(echo "$line" | cut -d " " -f1);
#Read the line, keep the 2nd word and save it as the hostname you will be using locally to connect to your Amazon EC2
instanceHostname=$(echo "$line" | cut -d " " -f2);
#OK, we are now ready to store to SSH known hosts
sshEntry="Host $instanceHostname\n";
sshEntry="$sshEntry HostName $publicDns\n";
sshEntry="$sshEntry User $username\n";
sshEntry="$sshEntry IdentityFile ~/.ssh/$publicKey\n";
#Attach to the EOF, '-e' enables interpretation of backslash escapes
echo -e "$sshEntry" >> config
#Below is the txt file you will be traversing in the loop
done < ec2instances.txt
#Done: replace the old SSH config with the generated one
rm -f ~/.ssh/config
mv config ~/.ssh/config
rm ec2instances.txt
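The same regeneration in Python, as an added example that is not the script above: it parses the raw text output of the `describe-instances` command shown in the question (one line with the public DNS name, then one `Key<TAB>Value` line per tag, and `None` for instances without a public name), keeps only instances that have both a `Name` tag and a DNS name, sorts them by name so the file is the same regardless of the order the CLI returns, renders the `Host` blocks, and writes the file atomically with owner-only permissions (ssh refuses a config file that others can write). The function names, `SAMPLE_LISTING` and the hostnames in it are this example's own; the sample is constructed.

```python
import os
import subprocess
import tempfile

# Constructed sample of the CLI's text output (tags are tab-separated, one per line).
SAMPLE_LISTING = (
    "ec2-203-0-113-10.us-east-2.compute.amazonaws.com\n"
    "Name\tdatanode1\n"
    "ec2-203-0-113-11.us-east-2.compute.amazonaws.com\n"
    "Name\tnamenode\n"
    "Environment\tdev\n"
    "None\n"                      # a stopped instance: no public DNS name
    "Name\tstopped-box\n"
    "ec2-203-0-113-12.us-east-2.compute.amazonaws.com\n"
    "Name\tclient\n"
)


def parse_instance_listing(text):
    """Return [(name, public_dns), ...] sorted by name.

    A line without a tab starts a new instance record (the DNS name, or
    "None"); a line with a tab is a "Key<TAB>Value" tag of the current record.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if "\t" not in line:
            dns = line.strip()
            current = {"dns": None if dns == "None" else dns, "name": None}
            records.append(current)
        elif current is not None:
            key, value = line.split("\t", 1)
            if key.strip() == "Name":
                current["name"] = value.strip()
    usable = [(r["name"], r["dns"]) for r in records if r["name"] and r["dns"]]
    return sorted(usable)


def render_ssh_config(hosts, user, identity_file):
    """Render one Host block per (name, dns) pair in the layout used above."""
    blocks = []
    for name, dns in hosts:
        blocks.append(
            f"Host {name}\n"
            f"    HostName {dns}\n"
            f"    User {user}\n"
            f"    IdentityFile {identity_file}\n"
        )
    return "\n".join(blocks)


def write_ssh_config(path, content):
    """Write to a temp file in the same directory, chmod 0600, then rename over
    the target so a crash never leaves a half-written config behind."""
    path = os.path.expanduser(path)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config.")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def load_listing_from_cli():
    """Run the command from the question and return its raw text output."""
    return subprocess.run(
        ["aws", "ec2", "describe-instances",
         "--query", "Reservations[*].Instances[*].[PublicDnsName,Tags]", "--output=text"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    hosts = parse_instance_listing(load_listing_from_cli())
    write_ssh_config("~/.ssh/config", render_ssh_config(hosts, "ubuntu", "~/.ssh/mykey.pem"))
```

Because the parser keys on the tab between tag key and value, an instance with extra tags or with a tag value containing spaces is handled, which the two-lines-at-a-time `sed 'N;...'` pairing in the shell version is not.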
I have not been able to create a new CNAME for a specific managed zone.
I can see there are examples for A and TXT entries like:
$ gcloud dns record-sets transaction add -z MANAGED_ZONE \
--name my.domain. --ttl 1234 --type A "1.2.3.4"
$ gcloud dns record-sets transaction add -z MANAGED_ZONE \
--name my.domain. --ttl 2345 --type TXT "Hello world" "Bye \
world"
But I keep getting a "too few arguments" error.
Currently I'm issuing:
$ gcloud dns record-sets -z=MYZONE transaction add \
--name="NAME" --type=CNAME --ttl 3600 --rrdatas="DEST"
I guess the issue is related to the rrdatas field but I have been unable to find any documentation.
The command does not have an rrdatas flag. You can just put the value you want for rrdatas at the end of the command as a positional argument. Also, note that the -z zone flag should be provided after all the commands. So:
$ gcloud dns record-sets -z=MYZONE transaction add --type=CNAME \
--name="www.example.com." --ttl 3600 --rrdatas="target.example.com."
should be changed to this:
$ gcloud dns record-sets transaction add -z=MYZONE --type=CNAME \
--name="www.example.com." --ttl 3600 "target.example.com."
According to the record types documented in the API, note that the rrdatas value should point to a valid record or must end with a period (.) in the case of fully-qualified DNS names.