
Uly.me

cloud engineer


aws

AWS ELB SSL Listener

January 31, 2022

Here’s how to rotate the SSL/TLS certificate on an AWS Application Load Balancer (ELBv2) HTTPS listener: import the new certificate into ACM, attach it to the listener, make it the default, then detach the old one.

Import the SSL certificate into ACM. The private key is uploaded too, so read the files with fileb:// and keep the key file off shared storage.

aws acm import-certificate \
--certificate fileb://example.crt \
--private-key fileb://example.key \
--certificate-chain fileb://example-bundle.crt \
--tags Key=Name,Value=mydomain.com_20220107 \
--profile default

Add the certificate to the HTTPS listener. This only appends it to the listener’s certificate list (used for SNI); the default certificate is unchanged.

aws elbv2 add-listener-certificates \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default

Modify the listener to make the new certificate the default. --certificates on modify-listener takes exactly one certificate and replaces only the default; any other certificates attached to the listener stay in place.

aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default

Remove the old certificate from the listener. A listener’s default certificate cannot be removed, so this step only works after the new certificate has been made the default.

aws elbv2 remove-listener-certificates \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default
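
The four commands above as one script, added here as an example rather than code from the original post. It assumes the new certificate, key and chain are PEM files on disk, that openssl and the AWS CLI are installed, and that you pass the listener ARN, a Name tag value and (optionally) the ARN of the certificate being retired; the function and variable names are the example’s own. Before it touches the load balancer it checks that the key matches the certificate and that the certificate is not about to expire, and it refuses to detach the old certificate until the listener reports the new one as its default.

```shell
#!/bin/sh
# Added example: rotate the certificate on an ALB HTTPS listener.
# Assumed inputs (not from the original post): paths to the new cert, key and
# chain, the listener ARN and, optionally, the ARN of the certificate being retired.
set -eu

# Pre-flight 1: the certificate and private key must belong together. Compare the
# SHA-256 of the DER-encoded public key taken from each file.
cert_matches_key() {   # cert_matches_key CERT.pem KEY.pem
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Pre-flight 2: refuse to deploy a certificate that expires within N days.
cert_valid_for_days() {   # cert_valid_for_days CERT.pem DAYS
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Import into ACM and print the new certificate ARN.
acm_import() {   # acm_import CERT KEY CHAIN NAME_TAG
  aws acm import-certificate \
    --certificate "fileb://$1" --private-key "fileb://$2" --certificate-chain "fileb://$3" \
    --tags "Key=Name,Value=$4" \
    --query CertificateArn --output text
}

# Print the ARN the listener currently serves by default.
listener_default_cert() {   # listener_default_cert LISTENER_ARN
  aws elbv2 describe-listener-certificates --listener-arn "$1" \
    --query 'Certificates[?IsDefault==`true`].CertificateArn' --output text
}

# Full rotation: import, attach, make default, verify, then detach the old one.
rotate_listener_cert() {   # rotate_listener_cert LISTENER_ARN CERT KEY CHAIN NAME_TAG [OLD_CERT_ARN]
  listener=$1; cert=$2; key=$3; chain=$4; tag=$5; old_arn=${6:-}

  cert_matches_key "$cert" "$key" || { echo "certificate/key mismatch" >&2; return 1; }
  cert_valid_for_days "$cert" 30 || { echo "certificate expires within 30 days" >&2; return 1; }

  new_arn=$(acm_import "$cert" "$key" "$chain" "$tag")
  aws elbv2 add-listener-certificates --listener-arn "$listener" \
    --certificates "CertificateArn=$new_arn" >/dev/null
  aws elbv2 modify-listener --listener-arn "$listener" \
    --certificates "CertificateArn=$new_arn" >/dev/null

  # Verify before touching the old certificate: the default cannot be removed,
  # and a failed modify-listener must not leave the listener on the retired cert.
  [ "$(listener_default_cert "$listener")" = "$new_arn" ] || { echo "default not updated" >&2; return 1; }

  if [ -n "$old_arn" ]; then
    aws elbv2 remove-listener-certificates --listener-arn "$listener" \
      --certificates "CertificateArn=$old_arn" >/dev/null
  fi
  echo "$new_arn"
}

# Usage: sh rotate.sh LISTENER_ARN new.crt new.key bundle.crt mydomain.com_20220107 [OLD_CERT_ARN]
if [ $# -ge 5 ]; then
  rotate_listener_cert "$@"
fi
```

If you only need to renew a certificate that is already in ACM, aws acm import-certificate --certificate-arn <existing ARN> re-imports under the same ARN, and every listener that references it picks up the new certificate without any elbv2 changes.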

Filed Under: Linux Tagged With: add, aws, certificate, default, elb, listener, remove, ssl

Metadata URL

January 15, 2022

Here are the instance metadata URLs for GCP and AWS. Both sit on the link-local address 169.254.169.254 and answer only from inside the instance. GCP refuses requests without the Metadata-Flavor: Google header; the bare AWS GET shown below is IMDSv1 and only works while the instance still allows it. Because this endpoint hands out temporary credentials, it is the first thing an SSRF bug in your application gets pointed at.

curl http://169.254.169.254/computeMetadata/v1/ -H "Metadata-Flavor: Google"
curl http://169.254.169.254/latest/meta-data/
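
The token-based (IMDSv2) form of the AWS request, plus the CLI calls to find and fix instances that still accept IMDSv1, added here as an example; this is not code from the original post. IMDS_BASE, GCE_BASE and the function names are the example’s own, and the audit and remediation functions assume an AWS CLI profile with ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions.

```shell
#!/bin/sh
# Added example: read instance metadata the IMDSv2 way (session token first),
# then find and fix instances that still answer IMDSv1.
# Assumed names (not from the original post): IMDS_BASE, GCE_BASE, the functions below.
set -eu

IMDS_BASE=${IMDS_BASE:-http://169.254.169.254}
GCE_BASE=${GCE_BASE:-http://metadata.google.internal/computeMetadata/v1}

# IMDSv2: a PUT carrying a TTL header returns a session token; every GET must
# present it. The PUT, plus the default response hop limit of 1, is what makes
# a plain GET forged through an SSRF bug come back empty-handed.
imds_token() {   # imds_token [TTL_SECONDS]
  curl -sf --connect-timeout 2 --max-time 5 -X PUT \
    -H "X-aws-ec2-metadata-token-ttl-seconds: ${1:-300}" \
    "$IMDS_BASE/latest/api/token"
}

imds_get() {   # imds_get meta-data/iam/security-credentials/
  token=$(imds_token 300) || return 1
  curl -sf --connect-timeout 2 --max-time 5 \
    -H "X-aws-ec2-metadata-token: $token" "$IMDS_BASE/latest/$1"
}

gce_get() {   # gce_get instance/service-accounts/default/token
  curl -sf --connect-timeout 2 --max-time 5 -H "Metadata-Flavor: Google" "$GCE_BASE/$1"
}

# Audit: instance IDs in a region that still accept IMDSv1 (HttpTokens=optional).
imds_v1_instances() {   # imds_v1_instances REGION [PROFILE]
  aws ec2 describe-instances --region "$1" ${2:+--profile "$2"} \
    --query 'Reservations[].Instances[?MetadataOptions.HttpTokens==`optional`].InstanceId[]' \
    --output text
}

# Remediate: require the session token on one instance. Takes effect immediately,
# so check first that nothing on the box still speaks IMDSv1 (old SDKs, agents).
imds_require_v2() {   # imds_require_v2 INSTANCE_ID REGION [PROFILE]
  aws ec2 modify-instance-metadata-options --instance-id "$1" --region "$2" ${3:+--profile "$3"} \
    --http-tokens required --http-endpoint enabled >/dev/null
}

# Usage on an instance: sh imds.sh show
if [ "${1:-}" = "show" ]; then
  imds_get meta-data/instance-id; echo
fi
```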

Filed Under: Cloud Tagged With: aws, gcp, metadata, url

AWS Terraform Security Group

January 4, 2022

How to create an AWS security group with Terraform: ping, HTTP and HTTPS in from anywhere, everything out.

resource "aws_security_group" "my-security-group" {
  name        = "my-security-group"
  description = "allow ports"
  vpc_id      = aws_vpc.my-vpc.id

  # For protocol "icmp", from_port is the ICMP type and to_port the ICMP code;
  # type 8 / code 0 is echo request, i.e. ping. Do not use protocol "-1" with
  # ports 0/0 for this rule: that allows every protocol and port from anywhere.
  ingress {
    description = "ping"
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "http"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "https"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # All outbound traffic: protocol "-1" means every protocol and requires ports 0/0.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "my-security-group"
  }
}

Filed Under: Cloud Tagged With: aws, create, security group, terraform

AWS ACM List Certificates

January 4, 2022

How to list SSL certificates in AWS Certificate Manager.

aws acm list-certificates

Result

{
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "DomainName": "mydomain.com"
        }
    ]
}

Describe a certificate. The output includes its status, NotAfter (expiry), subject alternative names, key algorithm and InUseBy, the list of resources (load balancers, CloudFront distributions) that reference it.

aws acm describe-certificate \
--certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
--region us-east-1 \
--profile my-profile
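
An inventory built from those two commands, added here as an example and not part of the original post: one line per certificate in a region, and a filter that flags certificates expiring before a given date, certificates nothing uses, and certificates that are not in ISSUED state. The region, profile and cutoff date are assumed inputs and the function names are the example’s own.

```shell
#!/bin/sh
# Added example: inventory every ACM certificate in a region and flag the ones
# that expire before a given date or are not attached to anything. Not from the
# original post; region, profile and cutoff date are assumed inputs.
set -eu

# One line per certificate: ARN, domain, status, NotAfter (ISO-8601), number of
# resources in InUseBy. Pending or failed certificates print None for NotAfter.
acm_inventory() {   # acm_inventory REGION [PROFILE]
  region=$1; profile=${2:-default}
  for arn in $(aws acm list-certificates --region "$region" --profile "$profile" \
               --query 'CertificateSummaryList[].CertificateArn' --output text); do
    aws acm describe-certificate --certificate-arn "$arn" --region "$region" --profile "$profile" \
      --query 'Certificate.[CertificateArn,DomainName,Status,NotAfter,length(InUseBy)]' --output text
  done
}

# Findings only. CUTOFF is an ISO date such as 2022-03-01; ISO-8601 timestamps
# sort lexically, so a string comparison is enough and no GNU date is needed.
acm_findings() {   # acm_findings REGION PROFILE CUTOFF
  acm_inventory "$1" "$2" | awk -v cutoff="$3" '
    $4 < cutoff     { print "EXPIRING",   $2, $4, $1 }
    $5 == 0         { print "UNUSED",     $2, $1 }
    $3 != "ISSUED"  { print "NOT-ISSUED", $2, $3, $1 }'
}

# Usage: sh acm-audit.sh us-east-1 my-profile 2022-03-01
if [ $# -eq 3 ]; then
  acm_findings "$@"
fi
```

ACM-issued certificates renew themselves; imported ones (like the one in the ELB post above) do not, so the EXPIRING lines are the ones that need a re-import.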

Filed Under: Cloud Tagged With: acm, aws, certificate, cli, ssl

AWS Search for RDS

January 3, 2022

Here’s a simple way to look up an RDS instance by identifier from the CLI.

aws rds describe-db-instances \
--db-instance-identifier rds-instance-name \
--region us-east-1 \
--profile my-account

describe-db-instances is scoped to one account and one region, so if you don’t know where the instance lives you have to cycle through profiles and regions to find it.

Filed Under: Cloud Tagged With: aws, cli, describe-instances, profile, rds, region, search

AWS CloudFormation Security Group

December 29, 2021

AWS CloudFormation template that creates two security groups, including self-referencing ingress and egress rules so that members of my-security-group-2 can talk to each other on any port.

AWSTemplateFormatVersion: '2010-09-09'
Description: my-security-groups
######################################
Parameters:
  EC2Vpc:
    ConstraintDescription: Must be a valid VpcId
    Description: Select the VPC to use
    Type: AWS::EC2::VPC::Id
##############################################################################
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: VPC
      Parameters:
      - EC2Vpc
##############################################################################
Resources:
  # Listing SecurityGroupEgress replaces the implicit allow-all egress rule, so
  # these groups only get the outbound rules written here.
  EC2InstanceSecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: EC2Vpc
      GroupDescription: my-security-group-1
      GroupName: my-security-group-1
      SecurityGroupIngress:
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: tcp,  FromPort: '80',      ToPort: '80',    Description: 'HTTP'}
      SecurityGroupEgress:
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: udp,  FromPort: '123',     ToPort: '123',   Description: 'NTP'}
        # Resolvers use UDP 53 first and fall back to TCP 53, so both are needed.
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: udp,  FromPort: '53',      ToPort: '53',    Description: 'DNS'}
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: tcp,  FromPort: '53',      ToPort: '53',    Description: 'DNS'}
      Tags:
        - {Key: Name,         Value: 'my-security-group-1'}
  EC2InstanceSecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: EC2Vpc
      GroupDescription: my-security-group-2
      GroupName: my-security-group-2
      # For icmp, FromPort is the ICMP type and ToPort the code; 8/-1 is echo
      # request with any code, i.e. ping only, rather than every ICMP type.
      SecurityGroupIngress:
        - {CidrIp: 0.0.0.0/0,                         IpProtocol: tcp,  FromPort: '443',     ToPort: '443',   Description: 'HTTPS'}
        - {CidrIp: 0.0.0.0/0,                         IpProtocol: icmp, FromPort: '8',       ToPort: '-1',    Description: 'ICMP ping'}
      SecurityGroupEgress:
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: udp,  FromPort: '123',     ToPort: '123',   Description: 'NTP'}
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: udp,  FromPort: '53',      ToPort: '53',    Description: 'DNS'}
        - {CidrIp: 10.0.0.0/8,                        IpProtocol: tcp,  FromPort: '53',      ToPort: '53',    Description: 'DNS'}
        - {CidrIp: 0.0.0.0/0,                         IpProtocol: icmp, FromPort: '-1',      ToPort: '-1',    Description: 'ICMP ping'}
      Tags:
        - {Key: Name,         Value: 'my-security-group-2'}
  # Self-referencing rules must be separate resources: a SourceSecurityGroupId
  # pointing at the group inside its own Properties is a circular dependency.
  # With IpProtocol -1 the port range is ignored (all ports, all protocols).
  MyIngressSelfAll:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref EC2InstanceSecurityGroup2
      SourceSecurityGroupId: !GetAtt EC2InstanceSecurityGroup2.GroupId
      IpProtocol: -1
      FromPort: 0
      ToPort: 65535
  MyEgressSelfAll:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref EC2InstanceSecurityGroup2
      DestinationSecurityGroupId: !GetAtt EC2InstanceSecurityGroup2.GroupId
      IpProtocol: -1
      FromPort: 0
      ToPort: 65535
##############################################################################
Outputs:
  # One output per group; a YAML mapping cannot carry two Value keys.
  SecurityGroup1Id:
    Description: ID of my-security-group-1
    Value: {Ref: EC2InstanceSecurityGroup1}
  SecurityGroup2Id:
    Description: ID of my-security-group-2
    Value: {Ref: EC2InstanceSecurityGroup2}
  StackName:
    Description: Name of this stack for Fn::ImportValue use by children of top level stack
    Value: {Ref: 'AWS::StackName'}

Filed Under: Cloud Tagged With: aws, cloudformation, create, security groups

AWS Copy Security Group

December 28, 2021

You can copy rules from a security group to a new security group created within the same Region.

Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

  1. In the navigation pane, choose Security Groups.
  2. Select the security group you’d like to copy.
  3. For Actions, choose Copy to new.
  4. The Create Security Group dialog opens, and is populated with the rules from your existing security group.
  5. Specify a Security group name and Description for your new security group.
  6. For VPC, choose the ID of the VPC.
  7. Choose Create.
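
The same copy done with the CLI, added here as an example and not part of the original post. Unlike the console’s Copy to new, it also works into another region or account (run it with the credentials that can see the source and create in the target). It assumes the source group ID and region, the target VPC ID and region and the new group’s name as inputs; the function name is the example’s own.

```shell
#!/bin/sh
# Added example: copy a security group's rules with the CLI, which also works
# across regions and accounts where the console's "Copy to new" does not.
# Not from the original post; the source/target IDs and the name are assumed inputs.
set -eu

# Copy rules from SRC_SG (in SRC_REGION) into a new group NAME in DST_VPC (DST_REGION).
# The JSON that describe-security-groups returns for IpPermissions is accepted
# unchanged by authorize-security-group-ingress/egress, so no jq is required.
copy_security_group() {   # copy_security_group SRC_SG SRC_REGION DST_VPC DST_REGION NAME
  src=$1; src_region=$2; dst_vpc=$3; dst_region=$4; name=$5

  desc=$(aws ec2 describe-security-groups --group-ids "$src" --region "$src_region" \
           --query 'SecurityGroups[0].Description' --output text)
  ingress=$(aws ec2 describe-security-groups --group-ids "$src" --region "$src_region" \
           --query 'SecurityGroups[0].IpPermissions' --output json)
  egress=$(aws ec2 describe-security-groups --group-ids "$src" --region "$src_region" \
           --query 'SecurityGroups[0].IpPermissionsEgress' --output json)

  new=$(aws ec2 create-security-group --group-name "$name" --description "$desc" \
          --vpc-id "$dst_vpc" --region "$dst_region" --query GroupId --output text)

  # A new group is created with an allow-all egress rule; drop it so the copy is
  # exact and a locked-down source does not become an open target.
  aws ec2 revoke-security-group-egress --group-id "$new" --region "$dst_region" \
    --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' >/dev/null

  [ "$ingress" = "[]" ] || aws ec2 authorize-security-group-ingress --group-id "$new" \
      --region "$dst_region" --ip-permissions "$ingress" >/dev/null
  [ "$egress" = "[]" ] || aws ec2 authorize-security-group-egress --group-id "$new" \
      --region "$dst_region" --ip-permissions "$egress" >/dev/null
  echo "$new"
}

# Usage: sh copy-sg.sh sg-0123456789abcdef0 us-east-1 vpc-0123456789abcdef0 eu-west-1 web-copy
if [ $# -eq 5 ]; then
  copy_security_group "$@"
fi
```

Rules whose source is another security group (UserIdGroupPairs) only resolve inside the source VPC; when copying to a different VPC, those entries fail to authorize and have to be rewritten against the target VPC’s groups.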

Filed Under: Cloud Tagged With: aws, clone, copy, firewall, security groups, vpc

AWS Move Instance to Another Zone

December 23, 2021

Here’s how to move an AWS instance to another availability zone. An instance is tied to the subnet (and therefore the zone) it was launched in, so the move is really: image the instance, then launch the image into a subnet in the target zone.

Stop the instance first.

aws ec2 stop-instances --instance-ids i-1234567890abcdef0

Create an AMI from the stopped instance. Stopping it first gives a consistent filesystem image; wait for the AMI to reach the available state before launching from it.

aws ec2 create-image \
--instance-id i-1234567890abcdef0 \
--name "my-ami" \
--description "my-ami"

Create the new EC2 instance from that AMI using Terraform; subnet_id is what selects the target zone. The contents of main.tf:

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}
provider "aws" {
  profile = "default"
  region  = "us-east-1"
}
resource "aws_instance" "ulysses" {
  ami                    = "ami-1234567890abcdef0"   # the AMI created above
  key_name               = "servers"
  iam_instance_profile   = "machine-role"
  instance_type          = "t3.micro"
  # The subnet decides the availability zone the new instance lands in.
  subnet_id              = "subnet-1234567890abcdef0"
  # In a VPC, security group IDs go in vpc_security_group_ids; security_groups
  # takes group names and is only for EC2-Classic / the default VPC.
  vpc_security_group_ids = ["sg-1234567890abcdef0", "sg-1234567890abcdef1"]
  tags = {
    Name = "moving-instance"
    tag1 = "test1"
    tag2 = "test2"
  }
}

Launch it. The new instance gets a new private IP, so re-point any Elastic IP or DNS record at it, and terminate the old instance only after the new one is verified.

terraform init
terraform plan
terraform apply
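
The whole move done with the CLI alone, added here as an example and not code from the original post. It reads the instance type, security groups and instance profile from the source instance so the copy does not drift, waits for the stop and for the AMI to become available, and launches into the target subnet with IMDSv2 required. The instance ID, target subnet and name are assumed inputs and the function names are the example’s own.

```shell
#!/bin/sh
# Added example: move an instance to another zone with the CLI, carrying the
# source instance's type, security groups and instance profile over to the new
# subnet. Not from the original post; instance, subnet and name are assumed inputs.
set -eu

# Print "instance-type sg-ids(comma separated) instance-profile-arn" for an instance.
instance_facts() {   # instance_facts INSTANCE_ID
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].[InstanceType, join(`,`, SecurityGroups[].GroupId), IamInstanceProfile.Arn]' \
    --output text
}

# Stop, image, wait until the AMI is usable, then launch it in the target subnet
# (the subnet decides the availability zone). Prints the new instance ID.
move_instance() {   # move_instance INSTANCE_ID TARGET_SUBNET_ID NAME
  src=$1; subnet=$2; name=$3
  facts=$(instance_facts "$src")
  itype=$(echo "$facts" | cut -f1); sgs=$(echo "$facts" | cut -f2); profile=$(echo "$facts" | cut -f3)
  profile_opt=""
  [ "$profile" = None ] || profile_opt="--iam-instance-profile Arn=$profile"

  aws ec2 stop-instances --instance-ids "$src" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$src"
  ami=$(aws ec2 create-image --instance-id "$src" --name "$name-$(date +%Y%m%d%H%M%S)" \
          --query ImageId --output text)
  aws ec2 wait image-available --image-ids "$ami"

  # HttpTokens=required turns off IMDSv1 on the new instance; drop it if something
  # on the image still needs the old metadata service.
  aws ec2 run-instances --image-id "$ami" --instance-type "$itype" --subnet-id "$subnet" \
    --security-group-ids $(echo "$sgs" | tr ',' ' ') $profile_opt \
    --metadata-options HttpTokens=required \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$name}]" \
    --query 'Instances[0].InstanceId' --output text
}

# Usage: sh move.sh i-1234567890abcdef0 subnet-1234567890abcdef0 moving-instance
if [ $# -eq 3 ]; then
  move_instance "$@"
fi
```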

Filed Under: Cloud Tagged With: aws, ec2, instance, move, zone


Copyright © 2023