Auto creation of AWS IoT thing and attaching it to a thing group - python-3.x

I have created a thing, certificates and a policy and attached them successfully using Python.
And I have found an idea: instead of creating a policy for every new thing that is created, we can create a thing group, create a policy for that group, add the thing to it, and then share that group policy with every new thing we create.
I didn't have any idea how to implement my idea, and I kept searching for a reference on how to do that, but still I didn't find any useful links or guides. If you know anything, post it.

Hi everyone, after a long search I found the solution.
import boto3


def add_thing_to_thing_group():
    client = boto3.client('iot')
    thing_group_name = 'your thing group name'
    thing_group_arn = 'your thing group arn'
    thing_name = 'your thing name'
    thing_arn = 'your thing arn'
    # Adds an existing thing to an existing thing group; either the
    # name or the ARN identifies each side, both are accepted.
    client.add_thing_to_thing_group(
        thingGroupName=thing_group_name,
        thingGroupArn=thing_group_arn,
        thingName=thing_name,
        thingArn=thing_arn
    )
You need the boto3 package. The thing group ARN and thing ARN are available in the AWS IoT console.
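The whole flow the question asks for, as an added example that is not code from the original post: create the thing group once, attach a single policy to the group rather than to each certificate, then provision each new thing by creating it, binding its certificate and adding it to the group. Because one group policy is shared by every device in the group, the example scopes it with the standard iot:Connection.Thing.ThingName and iot:Connection.Thing.IsAttached policy variables so a device can only act as itself. The region, account id, group, policy and thing names and the devices/<thing>/ topic layout are assumptions.

```python
"""Provision a new device into a thing group that carries one shared policy.

Added example; not code from the original post. The region, account id,
group, policy and thing names, and the topic layout are assumptions.
"""
import json


def build_group_policy(region, account_id):
    """IoT policy document meant to be attached to a thing group.

    One group policy is shared by every certificate in the group, so it is
    scoped with the standard iot:Connection.Thing.* policy variables: a
    device may only connect with a client id equal to the thing name its
    certificate is attached to, and only use topics under its own prefix.
    """
    arn = f"arn:aws:iot:{region}:{account_id}"
    name = "${iot:Connection.Thing.ThingName}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": f"{arn}:client/{name}",
                # Refuse certificates that are not attached to a thing at all.
                "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}},
            },
            {
                "Effect": "Allow",
                "Action": ["iot:Publish", "iot:Receive"],
                "Resource": f"{arn}:topic/devices/{name}/*",
            },
            {
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": f"{arn}:topicfilter/devices/{name}/*",
            },
        ],
    }


def ensure_group_with_policy(client, group_name, policy_name, region, account_id):
    """Create the group and its policy if missing, attach the policy; return the group ARN."""
    try:
        group = client.create_thing_group(thingGroupName=group_name)
    except client.exceptions.ResourceAlreadyExistsException:
        group = client.describe_thing_group(thingGroupName=group_name)
    group_arn = group["thingGroupArn"]
    try:
        client.create_policy(
            policyName=policy_name,
            policyDocument=json.dumps(build_group_policy(region, account_id)),
        )
    except client.exceptions.ResourceAlreadyExistsException:
        pass  # keep the existing policy; publish changes with create_policy_version
    # attach_policy's target may be a certificate ARN or, as here, a thing group ARN.
    client.attach_policy(policyName=policy_name, target=group_arn)
    return group_arn


def provision_thing(client, thing_name, group_name, certificate_arn):
    """Create the thing, bind its certificate, and add it to the group.

    No per-thing policy is created: group membership is what grants access,
    and attach_thing_principal is what makes IsAttached evaluate to true.
    """
    thing = client.create_thing(thingName=thing_name)
    client.attach_thing_principal(thingName=thing_name, principal=certificate_arn)
    client.add_thing_to_thing_group(thingGroupName=group_name, thingName=thing_name)
    return thing["thingArn"]


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    region = "eu-west-1"
    iot = boto3.client("iot", region_name=region)
    account_id = boto3.client("sts", region_name=region).get_caller_identity()["Account"]
    group_arn = ensure_group_with_policy(iot, "sensors", "sensors-group-policy", region, account_id)
    # A fresh certificate for the device; the keyPair in this response must be
    # delivered to the device over a trusted channel and never logged.
    cert = iot.create_keys_and_certificate(setAsActive=True)
    thing_arn = provision_thing(iot, "sensor-01", "sensors", cert["certificateArn"])
    print(group_arn, thing_arn)
```

The point of the Condition on iot:Connect is that a certificate that has been created but not yet attached to any thing cannot connect at all, and the ThingName variable means a stolen certificate for sensor-01 cannot publish under devices/sensor-02/. Both functions take the client as a parameter so they can be exercised against a stub without AWS credentials.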

Related

Azure - Create Function App hostkey with Terraform azapi/bicep/powershell

I'm working on automating the rotation of my Azure Function App's host key, which is used to maintain a more secure connection between my API Management and my function apps. The issue is that I cannot figure out how to accomplish this because of the lack of clear documentation. I found a document for how to create a key for a specific function within the function app, but not for the host level. I've tried using the web UI resource manager to figure out what the proper values are, but host seems to have no values available by GET request to help me see what the formatting needs to be. In fact, I can't find any reference to my function app's host keys anywhere in the resource manager UI. (Of course I can in the portal.)
I don't care if it's PowerShell, Bicep, ARM, Terraform azapi, whatever; I'd just like to find a way to accomplish the creation of a new host key so that I can control its rotation with Terraform. Does anyone know how to accomplish this?
Right now my attempt looks like
resource "azapi_resource" "function_host_key" {
  type      = "Microsoft.Web/sites/host/functionkeys#2018-11-01"
  name      = "${azurerm_windows_function_app.api_function.name}-host-key"
  parent_id = "${azurerm_windows_function_app.api_function.id}/host"
  body = jsonencode({
    properties = {
      name  = "test-key-terraform"
      value = "asdfasdfasdfasdfasdfasdfasdf"
    }
  })
}
I also tried
resource "azapi_resource" "function_host_key" {
  type      = "Microsoft.Web/sites#2018-11-01"
  name      = "${azurerm_windows_function_app.api_function.name}-host-key"
  parent_id = "${azurerm_windows_function_app.api_function.id}/functionsAppKeys"
  location  = var.region
}
since it said the body was invalid, but this also throws an error due to there being no body. I'm wondering if this just isn't possible.
I also just tried
resource "azapi_resource" "function_host_key" {
  type      = "Microsoft.Web/host/functionkeys#2018-11-01"
  name      = "${azurerm_windows_function_app.api_function.name}-host-key"
  parent_id = "${azurerm_windows_function_app.api_function.id}/host"
  location  = var.region
}
and the result said that it was expecting
parent_id of `parent_id is invalid`: expect ID of `Microsoft.Web/host`
so I'm not sure what that parent_id should be.
I found an example through a bash/powershell script using the azure rest API, but I get a 403 error when I attempt to do it, I can only assume because my function app is secured, but I'm not sure a good way to determine that.
There must be a way to create a key programmatically...
UPDATE
I believe that this has been purposely made impossible to do with Terraform now, and I need to, as gross and backwards as it may be, use a CLI command in my pipeline. I understand you can do this, but it is (of course my opinion) that if I am using Terraform, I have Terraform manage something, not random CLI commands outside of Terraform doing things that TF should be able to manage.
I created a key using az functionapp keys set and that worked, and the output explicitly stated that the type of resource which was created was Microsoft.Web/sites/host/functionKeys, so I went to the Azure Resource Explorer to see what versions were available for this type, since it clearly exists.. and found that nope, azure does not have it listed.
What confuses me is that I see this being done w/ ARM templates and I believe that my code matches theirs, just I'm using AZAPI.. and I get a not found error. Giving up for now
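The call that `az functionapp keys set` wraps, as an added example that is not code from the thread: the ARM "Create Or Update Host Secret" operation, a PUT to `.../providers/Microsoft.Web/sites/{name}/host/default/functionKeys/{keyName}` with a `{"properties": {"name", "value"}}` body, authorized with an Azure AD bearer token for the management endpoint (a role that can write the function app, such as Contributor on it, is needed; a 403 here is an ARM RBAC denial, not the function app's own authentication). The api-version string, the resource names and the key name are assumptions; the key value is generated locally rather than typed into the template, which is the point of rotating it.

```python
"""Rotate a Function App host-level function key through the ARM REST API.

Added example, not code from the thread. It targets the "Create Or Update
Host Secret" operation on Microsoft.Web/sites/{name}/host/default/functionKeys/
{keyName}; the api-version and all names below are assumptions.
"""
import json
import secrets
import urllib.request

API_VERSION = "2022-03-01"  # assumed; use the version your tenant lists for this operation


def new_host_key_value(nbytes=48):
    """Random URL-safe key value from the OS CSPRNG (48 bytes -> 64 chars)."""
    return secrets.token_urlsafe(nbytes)


def host_key_request(subscription_id, resource_group, site_name, key_name, value, token):
    """Build the PUT that creates or replaces one named host-level function key."""
    url = (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Web/sites/{site_name}/host/default/functionKeys/{key_name}"
        f"?api-version={API_VERSION}"
    )
    body = json.dumps({"properties": {"name": key_name, "value": value}}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="PUT",
        headers={
            # AAD token issued for scope https://management.azure.com/.default
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def rotate_host_key(subscription_id, resource_group, site_name, key_name, token,
                    opener=urllib.request.urlopen):
    """Generate a fresh value, write it under key_name, and return the value.

    The caller (a pipeline step, or a Terraform external/local-exec wrapper)
    hands the returned value to its consumer, here API Management, and only
    then deletes the previous key name so there is no window without a key.
    """
    value = new_host_key_value()
    req = host_key_request(subscription_id, resource_group, site_name, key_name, value, token)
    with opener(req) as resp:
        if resp.status not in (200, 201):
            raise RuntimeError(f"ARM returned HTTP {resp.status}")
    return value


if __name__ == "__main__":
    import os
    # ARM_TOKEN would come from `az account get-access-token` or a managed identity.
    print(rotate_host_key(
        os.environ["ARM_SUBSCRIPTION_ID"], os.environ["ARM_RESOURCE_GROUP"],
        os.environ["FUNCTION_APP_NAME"], "apim-host-key", os.environ["ARM_TOKEN"],
    ))
```

Rotating by writing a new key name and retiring the old one afterwards, rather than overwriting the single name in place, is what lets API Management be switched over without a gap. The opener parameter exists so the request construction can be checked without hitting ARM.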

Terraform - Azure - Extract API from one resource group and import into another resource group

I have 5 different APIs in my Dev environment. This environment was built manually.
However, for the subsequent environments like Test, Pre-Prod, etc., Terraform is being used.
Since I need to create each of the APIs in the subsequent environments, I am extracting each of these APIs as a JSON file, making minor tweaks to the API URLs and importing it into the new environments.
The following is the process that I am doing right now.
Went to Resource groups in Azure
Then under API Management service > APIs, clicked on the necessary API
Now, clicked on the three dots next to the API that I need and clicked on Export
Selected OpenAPI v3 (JSON) format
Now, I'm using the extracted JSON file and the Terraform code below to add it to the APIM
resource "azurerm_api_management_api" "example" {
  name                = "example-api"
  resource_group_name = azurerm_resource_group.example.name
  api_management_name = azurerm_api_management.example.name
  revision            = "1"
  display_name        = "Example API"
  path                = "api/path"
  protocols           = ["https"]
  service_url         = "https://actualURL-of-the-API"
  import {
    content_format = "openapi+json"
    content_value  = file("extracted-filename.json")
  }
}
The issue here is:
Even though the API gets added to the APIM, this doesn't create all the data - like Webservice URL, Backend HTTP(s) endpoint
How do I go about doing this?
Are you locked into exporting the Json file and importing it on the other environments through Terraform?
The reason I ask is because I attempted something similar but decided to go another route.
Initially I created the API manually in a Dev environment. I then re-created the same API from the ground up using only Terraform. No Json export & import.
I then used that Terraform script to create my other environments.
That allowed me to bypass the import problem altogether since nothing is imported.
I have found that there are downsides to taking this approach; It is much less intuitive to author the API through the Terraform script than through the Azure GUI. This is therefore more time consuming. Especially since my initial API was discarded for the one generated with the Terraform script.
Additionally, I have had problems with Terraform diffs reporting example changes when there are none (I suspect the same problem is to be had when using the import method).
If you are wondering why I decided to go another route? The reason was twofold; Firstly, similar to you, I had trouble with getting the export/import to generate the API that I wanted. Secondly, I prefer not to rely on auto generated files.

Apache Pulsar Unauthorized to validateTopicPolicyOperation for operation [WRITE] on topic

We've been trying to add JWT auth on our 2.8.1 Apache Pulsar cluster and it seems to be working properly, except for permissions. So basically, the state we are in right now is that:
Without a token, the client gets a 401
With a token, it can access but has trouble producing or consuming, so we added this:
./bin/pulsar-admin --admin-url https://pulsar-xxx-broker.pulsar-xx.svc.cluster.local:8443 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params file:///pulsar/tokens/broker/token namespaces grant-permission "xxx-dev-FR/lol" --role pulsar-token- --actions produce,consume
And it was better; permissions seem to be pretty straightforward on namespaces and only consume and produce are allowed, judging from the code. But then we hit this error:
org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: Unauthorized to validateTopicPolicyOperation for operation [WRITE] on topic [persistent://xxx-dev-FR/ns-common-0.8.0/workflow-tag-new: com.xxx.xxx.commons.engine.workflow.xxxEngine] on policy [PARTITION]
So apparently we need some more permissions, so we looked into adding an admin role when creating the tenant and this is what we've done but unfortunately, it's not better.
Pulsar permissions schema
Do I miss something here?
Thanks a lot.
Kin
#Kin, from your example it seems you are granting permission on one namespace, xxx-dev-FR/lol, but then trying to use a topic in a different namespace, xxx-dev-FR/ns-common-0.8.0.
Yes it's true, but this was just an example sorry. I did launch the query grant permission command on the right namespace afterwards.
I feel like the grant-permission command is missing some permissions as only those two are available:
consume
produce
But apparently it doesn't work for changing a topic or namespace policy. Is there a way to make this work without being full admin?
edit : just in case it's not clear in my first post, while creating the tenants in pulsar-manager, we used the equivalent of this command:
./bin/pulsar-admin tenants create test --admin-roles <my_app_role>
You can validate that the params below are configured in broker.conf for all brokers; these are used when a broker connects to other brokers.
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
(for the configs below, the subject of the token and superUser should match)
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters={token}
superUserRoles={super-user}
Configure one of the below, based on the key (symmetric or asymmetric) you used to generate the token; this will be used to decode the token.
tokenSecretKey=
tokenPublicKey=
I managed to fix the issue, which was not working because the token subject was not the same as the role entered in the tenant admin permissions. For instance, in the CLI it meant:
pulsarctl token create -a HS256 --secret-key-file SECRETKEY --subject xxx-admin 2> pulsar-token-xxx-admin
kubectl exec -it pulsar-xxxx-broker-0 -- bash
./bin/pulsar-admin --tls-allow-insecure --admin-url https://pulsar-xxx-broker.pulsar-xxxx.svc.cluster.local:8443 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params file:///pulsar/tokens/broker/token tenants create <my_tenant> --admin-roles xxx-admin
We also had to add the following in the broker's configuration:
"topicLevelPoliciesEnabled": "true"
"systemTopicEnabled": "true"
Bye and thanks for your help.
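The check behind the fix above, as an added example that is not code from the thread: Pulsar's AuthenticationProviderToken takes the role from the JWT's `sub` claim, so a grant for role `xxx-admin` only works if the token presented was minted with `--subject xxx-admin`. The block mints and verifies HS256 tokens with the standard library only (the same shape `pulsarctl token create -a HS256` produces from the tokenSecretKey) and then reports which level of access the token's role actually holds against the tenant admin roles and namespace grants you configured. The secret, roles and grants are constructed for the example.

```python
"""Verify a Pulsar HS256 JWT and check its subject against configured roles.

Added example, not code from the thread. Standard library only; the
secret, role names and grants are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret, subject, ttl_seconds=None):
    """HS256 JWT whose `sub` is the role Pulsar will authorize."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject}
    if ttl_seconds is not None:
        claims["exp"] = int(time.time()) + ttl_seconds
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def token_role(token, secret):
    """Verify signature and expiry, then return the role (`sub`) the broker would see."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] < time.time():
        raise ValueError("expired")
    if "sub" not in claims:
        raise ValueError("token has no subject, so no role")
    return claims["sub"]


def access_level(token, secret, tenant_admin_roles, namespace_grants, super_users=()):
    """Explain what the token's role can do.

    tenant_admin_roles: roles passed to `tenants create --admin-roles`.
    namespace_grants: {role: {"produce", "consume"}} from `namespaces grant-permission`.
    Topic/namespace policy changes (the WRITE on policy [PARTITION] error) need
    tenant admin or super-user; produce/consume grants are not enough.
    """
    role = token_role(token, secret)
    if role in super_users:
        return "super-user"
    if role in tenant_admin_roles:
        return "tenant-admin"
    actions = namespace_grants.get(role)
    if actions:
        return "namespace:" + ",".join(sorted(actions))
    return f"no grant for role {role!r}"


if __name__ == "__main__":
    secret = b"constructed-secret-for-the-example"
    admin = mint_token(secret, "xxx-admin")
    client = mint_token(secret, "pulsar-token-", ttl_seconds=3600)
    print(access_level(admin, secret, {"xxx-admin"}, {}))
    print(access_level(client, secret, {"xxx-admin"}, {"pulsar-token-": {"produce", "consume"}}))
```

Running the check against the token actually mounted on the broker (the file given to `--auth-params`) before granting roles catches the mismatch the thread ran into: a grant for `xxx-admin` does nothing for a token whose subject is `pulsar-token-`.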

Terraform - Use Gitlab provider to save secrets

According to the documentation, there is already a Gitlab provider in Terraform. However, I can't find a way to create/update secrets in a project. Is that possible? Is there a related upcoming feature?
This would really help us in our work, as many output variables of terraform are required to configure other CI deployments we have.
We are using AWS, and some output variables like IAM credentials or subnet IDs cannot be assumed or deduced easily and at the moment we are struggling to find a way to forward them to our other tools.
Being able to do something like:
provider "gitlab" {
  token = "${var.gitlab_token}"
  url   = "${var.gitlab_url}"
}

# Add a project secret
resource "gitlab_project_secret" "my_project_secret" {
  project_name = "my_project"
  secret_key   = "${env}_AWS_SECRET_ACCESS_KEY"
  secret_value = "${module.my_iam_user_module.secret_access_key}"
}
Would save us a lot of pain.
It can't be done just yet although there is an open issue for it with a comment saying that someone was planning to start working on it a few months ago.
The Gitlab provider uses the upstream xanzy/go-gitlab project which does have support for project variables so it shouldn't be too much work to add it. If you are at all comfortable writing Go and/or have contributed to a Terraform provider before then it might be worth picking it up yourself considering the lack of updates on that issue.

Match a Deployment ID in Windows Azure

I have several different services running the same code base as windows azure worker roles.
I'm trying to test and see if the currently executing code is running in a specific instance. If I call to this in the management API:
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(
    new Uri("https://management.core.windows.net/" + subscriptionId + "/services/hostedservices/<<servicename>>/deploymentslots/production?embed-detail=true"));
I get a response like this:
<Deployment xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <Name>c8bd3b12f1bc4e0db9d8c1d59e97e48b</Name>
  <DeploymentSlot>Production</DeploymentSlot>
  <PrivateID>d1ea61e367e84aedb68de97eded3e896</PrivateID>
  <Status>Running</Status>
  <Label>SXRlbVVwZGF0ZXIgLSAzLzEzLzIwMTMgMTA6NDQ6MTUgQU0=</Label>
  <Url>http://itemupdater3.cloudapp.net/</Url>
  <RoleInstanceList>
    <RoleInstance>
      <RoleName>UpdateItems</RoleName>
      <InstanceName>UpdateItems_IN_0</InstanceName>
      <InstanceStatus>Ready</InstanceStatus>
    </RoleInstance>
  </RoleInstanceList>
  <UpgradeDomainCount>1</UpgradeDomainCount>
  <RoleList>
    <Role>
      <RoleName>UpdateItems</RoleName>
      <OsVersion>WA-GUEST-OS-1.22_201302-02</OsVersion>
    </Role>
  </RoleList>
</Deployment>
I'm trying to test and see if the currently executing code has the same ID as this response.
If I compare:
xml["Deployment"]["Name"].InnerText;
To
RoleEnvironment.CurrentRoleInstance.Role.Instances[0].Id;
It never matches. How do I match something from the C# to the ID returned from the API?
Thanks!
You're trying to compare the name of the deployment (typically a single guid-like string, unique every time you redeploy) to the name of the instance (follows a pattern of RoleName_IN_xxx). They will never match.
I'm not 100% sure what you're trying to do, but the call to Service Management API will never give you information on your current instance - because it does not know where you run from; you can even call the API from non-Azure resources. It will simply give you data about the whole subscription.
RoleEnvironment.CurrentRoleInstance.Id will provide you with the ID of the current instance.
Kevin, use RoleEnvironment.DeploymentId instead of RoleEnvironment.CurrentRoleInstance. This will allow you to compare what is currently running with what you get from the Service Management API.
