Right now the following code segment lists the 'Name' tag of any instance that doesn't have a 'Grant' tag.
for region in `aws ec2 describe-regions --output text | cut -f3`
do
  aws ec2 describe-instances \
    --region $region \
    --output text \
    --query 'Reservations[].Instances[?!not_null(Tags[?Key == `Grant`].Value)] | [].Tags[?Key==`Name`].Value'
done
I've tried a few ways to get the Public IP address but I keep getting errors for bad syntax.
Is it possible to pull in the Public IP here?
Yes, it is possible to pull the PublicIp address along with the Tags value.
Replace the query syntax as below:
--query 'Reservations[].Instances[?!not_null(Tags[?Key == `Grant`].Value)] | [].[PublicIpAddress, Tags[?Key==`Name`].Value]'
I'm trying to list all my AutoScalingGroups with "DesiredCapacity" = 3.
I can run this, but it gives me all ASGs back and that's too many.
aws autoscaling describe-auto-scaling-groups --query "AutoScalingGroups[*].{NAME:AutoScalingGroupName,DesiredCapacity:DesiredCapacity} | sort_by([], &DesiredCapacity)" --profile MyProfile --output table
I tried:
aws autoscaling describe-auto-scaling-groups --query "AutoScalingGroups[?DesiredCapacity == '3'].{NAME:AutoScalingGroupName,DesiredCapacity:DesiredCapacity} | sort_by([], &DesiredCapacity)" --profile MyProfile --output table
I don't get any error message, but it does not return anything as it should.
I actually improved my search and found a solution.
aws autoscaling describe-auto-scaling-groups --query 'AutoScalingGroups[?DesiredCapacity>=`3`].[AutoScalingGroupName,DesiredCapacity,MinSize,MaxSize]' --output table --profile MyProfile
is exactly what I want.
I'm trying to get all the security groups that are open to "All traffic" from any IP address (0.0.0.0/0). For us, it means they haven't been correctly configured.
I found how to find those that contain a rule that allows SSH traffic (port 22) and a rule that allows traffic from all IP addresses (0.0.0.0/0).
I've tried it but I still don't have what I'm looking for: I want those that allow all protocols, all ports (all traffic) from 0.0.0.0/0.
Thanks for any suggestions.
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' Name=vpc-id,Values=XXXXX Name=ip-permission.from-port,Values=* --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
You're on the right track. If you use -1 as the value for ip-permission.protocol, it will return security groups open to all traffic.
I created this Security Group (delete immediately) as a test:
When I run the aws command with the above filter and the filter for CIDR = 0.0.0.0/0 as such:
aws ec2 --region eu-west-1 describe-security-groups --filter Name=ip-permission.protocol,Values=-1 Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
It returned this output:
------------------------------------------------
|            DescribeSecurityGroups            |
+-----------------------+----------------------+
|          ID           |        Name          |
+-----------------------+----------------------+
|  sg-0142cbca58aac3836 |  delete immediately  |
+-----------------------+----------------------+
UPDATE
To generate a list of security groups that allow all outbound traffic, use the following:
aws ec2 describe-security-groups --filter Name=egress.ip-permission.protocol,Values=-1 Name=egress.ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
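An added example, not from the answer above, that applies the same "all traffic from anywhere" check in code over the CLI's JSON output instead of through --filter: it only reports a group when IpProtocol -1 and the 0.0.0.0/0 range appear in the same rule (so an all-protocol rule for an internal range plus a separate 0.0.0.0/0 rule on one port is not reported), it also flags the IPv6 equivalent ::/0, which the answer does not cover, and it can audit egress as well. The group ids, names and rules in SAMPLE are constructed for the example.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
# (group ids, names and rules are made up for this example, not from a real account).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-00000000000000aa1", "GroupName": "wide-open",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-00000000000000aa2", "GroupName": "ssh-only",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
    # Has an all-protocol rule AND a 0.0.0.0/0 rule, but not in the same rule: must not match ingress.
    {"GroupId": "sg-00000000000000aa3", "GroupName": "split-rules",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
                       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-00000000000000aa4", "GroupName": "ipv6-open",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
]}

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def rule_is_all_traffic_from_anywhere(perm):
    """True when a single IpPermission allows every protocol and port from the whole internet.
    EC2 encodes "All traffic" as IpProtocol "-1" (the rule then has no FromPort/ToPort)."""
    if perm.get("IpProtocol") != "-1":
        return False
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def open_groups(describe_output, direction="IpPermissions"):
    """Return [(GroupId, GroupName)] for groups with an all-traffic-from-anywhere rule.
    direction: "IpPermissions" (ingress) or "IpPermissionsEgress" (egress)."""
    return [(g["GroupId"], g["GroupName"])
            for g in describe_output["SecurityGroups"]
            if any(rule_is_all_traffic_from_anywhere(p) for p in g.get(direction, []))]

if __name__ == "__main__":
    # Real use: aws ec2 describe-security-groups --output json | python3 open_sgs.py [egress]
    direction = "IpPermissionsEgress" if "egress" in sys.argv[1:] else "IpPermissions"
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for group_id, name in open_groups(data, direction):
        print(f"{group_id}\t{name}")
```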
I run this command and it works:
aws elb describe-load-balancers --query 'LoadBalancerDescriptions[?VPCId==`vpc-#########`]|[].LoadBalancerName' --region us-east-2
If I try and use an environment variable it does not work:
aws elb describe-load-balancers --query 'LoadBalancerDescriptions[?VPCId==`$VPC_ID`]|[].LoadBalancerName' --region us-east-2
I know that VPC_ID is valid; echo $VPC_ID returns the correct value.
What am I not seeing?
Thanks!!!!!
I also tried this command with the same results:
This works fine:
aws elb describe-load-balancers --output text --query 'LoadBalancerDescriptions[?Instances[?InstanceId==`i-0############`]].[LoadBalancerName]' --region us-east-2
This returns nothing:
aws elb describe-load-balancers --output text --query 'LoadBalancerDescriptions[?Instances[?InstanceId=="$InstanceID"]].[LoadBalancerName]' --region us-east-2
I know that the environment variable $InstanceID is populated and correct; I perform an echo $InstanceID and get the correct ID output.
Got it!!
The environment variable needs to be in brackets: { }
This works:
aws elb describe-load-balancers --output text --query "LoadBalancerDescriptions[?Instances[?InstanceId=='${InstanceID}']].LoadBalancerName" --region us-east-2
I am able to reproduce this using the following:
export MY_VPC_ID=vpc-1234
echo 'LoadBalancerDescriptions[?VPCId==`$MY_VPC_ID`]|[].LoadBalancerName'
OUTPUT:
LoadBalancerDescriptions[?VPCId==`$MY_VPC_ID`]|[].LoadBalancerName
I believe this has to do with how bash interprets quotes, as shown in this other post:
Evaluating variables in a string
Can you try using this?
echo "LoadBalancerDescriptions[?VPCId==\"$MY_VPC_ID\"]|[].LoadBalancerName"
OUTPUT:
LoadBalancerDescriptions[?VPCId=="vpc-1234"]|[].LoadBalancerName
I have the command to list all the RDS endpoints I have running in my AWS account, but I want to find the RDS endpoint for the RDS running in the same VPC as the EC2 instance I want to use it from.
I have multiple VPCs up with multiple RDSs, so when I issue the command it gives me all the running RDSs. How can I filter this to just show me the one in the same VPC?
I run the command:
aws rds --region us-east-2 describe-db-instances --query "DBInstances[*].Endpoint.Address"
And I get:
"acme-networkstack.vbjrxfom0phf.us-east-2.rds.amazonaws.com",
"acme-aws-beta-network.vbjrxfom0phf.us-east-2.rds.amazonaws.com",
"acme-demo.vbjrxfom0phf.us-east-2.rds.amazonaws.com",
"acme-dev.vbjrxfom0phf.us-east-2.rds.amazonaws.com"
I only want the one endpoint that is in the same VPC as the instance I am running the CLI command from.
Thanks!
Ernie
Here's a little script that should do the trick; just replace the ec2 describe-instances with your rds cli command:
#!/bin/bash
# MAC of the primary interface, needed to look up this instance's VPC in the metadata service
mac=`curl -s http://169.254.169.254/latest/meta-data/mac`
vpcID=`curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/$mac/vpc-id`
# Restrict the CLI call to resources in the same VPC
aws ec2 describe-instances --region eu-west-1 --filter "Name=vpc-id,Values=$vpcID"
You're first curling the instance metadata to find its VpcId, and then filtering the output of your CLI command to limit it to a certain VPC.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output.html
describe-db-instances has a limited set of filters which doesn't include the VPC. The solution I suggest uses a combination of the meta-data information from the host and jq to select only the endpoints that match the VPC.
First, you can get the VPC ID as suggested by WarrenG.
#!/bin/bash
mac=`curl -s http://169.254.169.254/latest/meta-data/mac`
VPC_ID=`curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/$mac/vpc-id`
Then use the AWS CLI in combination with jq to derive your desired output (note the $ so the shell passes the variable's value to jq, not the literal text VPC_ID):
aws rds describe-db-instances | jq -r --arg VPC_ID "$VPC_ID" '.DBInstances[] | select(.DBSubnetGroup.VpcId == $VPC_ID) | .Endpoint.Address'
I haven't run this from a script but it works from the command line. If it doesn't work in a script let me know.
References
https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html
Passing bash variable to jq select
I'm wondering how I can retrieve scale set VMs' private IP addresses with Terraform-provider-azurerm. I think there are no resources nor data resources that directly return VM IPs.
One option I tried was generating a shell script via a template resource.
# get_vmss_privateip.tpl
#!/bin/bash
cap=`az vmss show \
  --resource-group ${resource_group} \
  --subscription ${subscription} \
  --name ${name} \
  --query 'sku.capacity'`
for i in `seq 1 $cap`
do
  az resource show \
    --resource-group ${resource_group} \
    --resource-type Microsoft.Compute/virtualMachineScaleSets \
    --api-version 2017-03-30 \
    --name ${name}/virtualMachines/$i/networkInterfaces \
    --query 'value[0].properties.ipConfigurations[0].properties' \
    | jq -c '{privateIPAddress}'
done
Then run Terraform to generate the sh.
data "template_file" "private_ip_scripts" {
  template = "${file("templates/get_vmss_privateip.tpl")}"
  vars {
    resource_group = "${data.azurerm_resource_group.current.name}"
    subscription   = "${data.azurerm_subscription.current.subscription_id}"
    name           = "${azurerm_virtual_machine_scale_set.test.name}"
  }
}
resource "local_file" "test_private_ip_scripts" {
  filename = "scripts/get_vmss_instance_private_ip.sh"
  content  = "${data.template_file.private_ip_scripts.rendered}"
}
But this approach is too far from the goal, and I want to use the private IPs inside Terraform, not outside it.
Does anyone have a better idea?
EDIT 2018/11/2
I've done it via the external data resource.
data "external" "vmss_test_private_ip" {
  program = ["bash", "${local_file.test_private_ip_scripts.filename}"]
}
output hoge {
  value = "${data.external.vmss_test_private_ip.result}"
}
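An added example, not from the question, for the external data resource route: Terraform's external data source expects the program to print exactly one JSON object whose values are all strings, while the generated script above prints one {"privateIPAddress": ...} object per instance. This converter (a hypothetical to_external.py) collapses those lines into a flat map of ip_N keys; the sample lines are constructed.

```python
import json
import sys

# Constructed sample: the one-object-per-line stream the generated script prints via
# `az resource show ... | jq -c '{privateIPAddress}'`, one line per scale set instance.
SAMPLE_LINES = [
    '{"privateIPAddress":"10.0.1.4"}',
    '{"privateIPAddress":"10.0.1.5"}',
    '',                                   # a blank line in the stream
    '{"privateIPAddress":null}',          # an instance that reported no private IP
    '{"privateIPAddress":"10.0.1.6"}',
]

def to_external_result(lines):
    """Collapse per-instance JSON lines into the single flat JSON object that
    Terraform's external data source requires: one top-level object whose values
    are all strings (nested lists or objects make the data source fail)."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ip = json.loads(line).get("privateIPAddress")
        if ip:
            result[f"ip_{len(result)}"] = ip   # ip_0, ip_1, ... contiguous keys
    result["count"] = str(len(result))         # a string, like every other value
    return result

def main():
    # Hypothetical wiring in the data block; the `cat` reads and discards the
    # query JSON Terraform writes to the program's stdin:
    #   program = ["sh", "-c",
    #              "cat >/dev/null; bash scripts/get_vmss_instance_private_ip.sh | python3 to_external.py"]
    json.dump(to_external_result(sys.stdin.readlines()), sys.stdout)

if __name__ == "__main__":
    main()
```

The values are then usable inside Terraform as data.external.vmss_test_private_ip.result["ip_0"] and so on.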
This type of resource can be imported into TF Scale Set. So this is one option, only hassle is there are a lot of attributes and importing introduces other issues. I've found one or two things that aren't exposed as data resources in the AzureRM provider. Might be worth adding a request to the GitHub repo?
Regards,