Uly.me

cloud engineer

aws

AWS ELB SSL Listener

Here’s how to update SSL certificates to AWS ELB.

Import SSL certificate

aws acm import-certificate \
--certificate fileb://example.crt \
--private-key fileb://example.key \
--certificate-chain fileb://example-bundle.crt \
--tags Key=Name,Value=mydomain.com_20220107 \
--profile default

Add SSL to a listener.

aws elbv2 add-listener-certificates \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default

Modify listener. Set SSL certificate as default.

aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default

Remove SSL from a listener.

aws elbv2 remove-listener-certificates \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default

Metadata URL

Here’s the metadata URLs for both AWS and GCP.

curl http://169.254.169.254/computeMetadata/v1/ -H "Metadata-Flavor: Google"
curl http://169.254.169.254/latest/meta-data/

AWS Terraform Security Group

How to create AWS security groups using Terraform.

resource "aws_security_group" "my-security-group" {
  name        = "my-security-group"
  description = "allow ports"
  vpc_id      = aws_vpc.my-vpc.id
 
  ingress {
    description = "ping"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "http"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "https"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "ALL"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "my-security-group"
  }
}

AWS ACM List Certificates

How to list SSL certificates in AWS Certificate Manager.

aws acm list-certificates

Result

{
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "DomainName": "mydomain.com"
        }
    ]
}

Describe details about the certificate.

aws acm describe-certificate \
--certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
--region us-east-1 \
--profile my-profile

AWS Search for RDS

Here’s a simple way to search for a RDS instance in AWS via CLI.

aws rds describe-db-instances \
--db-instance-identifier rds-instance-name \
--region us-east-1 \
--profile my-account

You may have to cycle through accounts and regions to find it.

AWS CloudFormation Security Group

AWS CloudFormation to create security groups. Includes self-refencing ingress and egress rules.

AWSTemplateFormatVersion: '2010-09-09'
Description: my-security-groups
######################################
Parameters:
  EC2Vpc:
    ConstraintDescription: Must be a valid VpcId
    Description: Select the VPC to use
    Type: AWS::EC2::VPC::Id
##############################################################################
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: VPC
      Parameters:
      - EC2Vpc
##############################################################################
Resources:
  EC2InstanceSecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: 
        Ref: EC2Vpc
      GroupDescription: my-security-group-1
      GroupName: my-security-group-1
      SecurityGroupIngress:
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: tcp,  FromPort: '80',      ToPort: '80',    Description: 'HTTP'}  
      SecurityGroupEgress:
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: udp,  FromPort: '123',     ToPort: '123',   Description: 'NTP'}  
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: tcp,  FromPort: '53',      ToPort: '53',    Description: 'DNS'}
      Tags:
        - {Key: Name,         Value: 'my-security-group-1'}
  EC2InstanceSecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: 
        Ref: EC2Vpc
      GroupDescription: my-security-group-2
      GroupName: my-security-group-2
      SecurityGroupIngress:
        - {CidrIp: 0.0.0.0/0,                        IpProtocol: tcp,  FromPort: '443',     ToPort: '443',   Description: 'HTTP'}  
        - {CidrIp: 0.0.0.0/0,                        IpProtocol: icmp, FromPort: '-1',      ToPort: '-1',    Description: 'ICMP ping'}
      SecurityGroupEgress:
        - {CidrIp: 10.0.0.0/8,                       IpProtocol: udp,  FromPort: '123',     ToPort: '123',   Description: 'NTP'}  
        - {CidrIp: 10.0.0.0/8,                       IpProtocol: tcp,  FromPort: '53',      ToPort: '53',    Description: 'DNS'}
        - {CidrIp: 0.0.0.0/0,                        IpProtocol: icmp, FromPort: '-1',      ToPort: '-1',    Description: 'ICMP ping'}
      Tags:
        - {Key: Name,         Value: 'my-security-group-2'}
  MyIngressSelfAll:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref EC2InstanceSecurityGroup2
      SourceSecurityGroupId: !GetAtt EC2InstanceSecurityGroup2.GroupId
      IpProtocol: -1
      FromPort: 0
      ToPort: 65535
  MyEgressSelfAll:
    Type: AWS::EC2::SecurityGroupEgress
    Properties: 
      GroupId: !Ref EC2InstanceSecurityGroup2
      DestinationSecurityGroupId: !GetAtt EC2InstanceSecurityGroup2.GroupId
      IpProtocol: -1 
      FromPort: 0
      ToPort: 65535
##############################################################################
Outputs:
  SecurityGroupId:
    Description: The Security Group that was created
    Value: {Ref: EC2InstanceSecurityGroup1}
    Value: {Ref: EC2InstanceSecurityGroup2}
  StackName:
    Description: Name of this stack for Fn::ImportValue use by children of top level stack
    Value: {Ref: 'AWS::StackName'}

AWS Copy Security Group

You can copy rules from a security group to a new security group created within the same Region.

Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

  1. In the navigation pane, choose Security Groups.
  2. Select the security group you’d like to copy.
  3. For Actions, choose Copy to new.
  4. The Create Security Group dialog opens, and is populated with the rules from your existing security group.
  5. Specify a Security group name and Description for your new security group.
  6. For VPC, choose the ID of the VPC.
  7. Choose Create.

AWS Move Instance to Another Zone

Here’s how to move an AWS instance to another zone.

Stop the instance first.

aws ec2 stop-instances --instance-ids i-1234567890abcdef0

Create an AMI image.

aws ec2 create-image \
--instance-id i-1234567890abcdef0 \
--name "my-ami" \
--description "my-ami"

Create EC2 instance using Terraform. The contents of main.tf.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}
provider "aws" {
  profile = "default"
  region  = "us-east-1"
}
resource "aws_instance" "ulysses" {
  ami                           = "ami-1234567890abcdef0"
  key_name                      = "servers"
  iam_instance_profile          = "machine-role"
  instance_type                 = "t3.micro"
  subnet_id                     = "subnet-1234567890abcdef0"
  security_groups               = ["sg-1234567890abcdef0", "sg-1234567890abcdef1"]
  tags = {
    Name = "moving-instance"
    tag1 = "test1"
    tag2 = "test2"
  }
}

Launch it.

terraform init
terraform plan
terraform apply