Uly.me

cloud engineer

AWS CloudFormation Security Group

December 29, 2021

AWS CloudFormation template to create two security groups. It includes self-referencing ingress and egress rules; those have to be separate AWS::EC2::SecurityGroupIngress / AWS::EC2::SecurityGroupEgress resources, because a group cannot reference its own ID inline while it is still being created.

AWSTemplateFormatVersion: '2010-09-09'
Description: my-security-groups
######################################
Parameters:
  EC2Vpc:
    ConstraintDescription: Must be a valid VpcId
    Description: Select the VPC to use
    Type: AWS::EC2::VPC::Id
##############################################################################
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: VPC
      Parameters:
      - EC2Vpc
##############################################################################
Resources:
  # Internal-only group: HTTP in from the private range, NTP and DNS out.
  # Declaring SecurityGroupEgress replaces the default allow-all egress rule,
  # so anything not listed here is blocked outbound.
  EC2InstanceSecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: EC2Vpc
      GroupDescription: my-security-group-1
      GroupName: my-security-group-1   # a fixed name collides if the stack is deployed twice in one VPC
      SecurityGroupIngress:
        - {CidrIp: 10.0.0.0/8, IpProtocol: tcp,  FromPort: '80',  ToPort: '80',  Description: 'HTTP'}
      SecurityGroupEgress:
        - {CidrIp: 10.0.0.0/8, IpProtocol: udp,  FromPort: '123', ToPort: '123', Description: 'NTP'}
        # Resolvers query over UDP first and fall back to TCP only for large answers,
        # so both are needed for name resolution to work.
        - {CidrIp: 10.0.0.0/8, IpProtocol: udp,  FromPort: '53',  ToPort: '53',  Description: 'DNS'}
        - {CidrIp: 10.0.0.0/8, IpProtocol: tcp,  FromPort: '53',  ToPort: '53',  Description: 'DNS (TCP fallback)'}
      Tags:
        - {Key: Name, Value: 'my-security-group-1'}
  # Internet-facing group: HTTPS and ICMP from anywhere, plus the self-referencing
  # rules below so members of the group can talk to each other on any port.
  EC2InstanceSecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: EC2Vpc
      GroupDescription: my-security-group-2
      GroupName: my-security-group-2
      SecurityGroupIngress:
        - {CidrIp: 0.0.0.0/0, IpProtocol: tcp,  FromPort: '443', ToPort: '443', Description: 'HTTPS'}
        # -1/-1 on icmp means every ICMP type, not only echo request/reply
        - {CidrIp: 0.0.0.0/0, IpProtocol: icmp, FromPort: '-1',  ToPort: '-1',  Description: 'ICMP ping'}
      SecurityGroupEgress:
        - {CidrIp: 10.0.0.0/8, IpProtocol: udp,  FromPort: '123', ToPort: '123', Description: 'NTP'}
        - {CidrIp: 10.0.0.0/8, IpProtocol: udp,  FromPort: '53',  ToPort: '53',  Description: 'DNS'}
        - {CidrIp: 10.0.0.0/8, IpProtocol: tcp,  FromPort: '53',  ToPort: '53',  Description: 'DNS (TCP fallback)'}
        - {CidrIp: 0.0.0.0/0,  IpProtocol: icmp, FromPort: '-1',  ToPort: '-1',  Description: 'ICMP ping'}
      Tags:
        - {Key: Name, Value: 'my-security-group-2'}
  # Self-referencing rules: allow all traffic between instances that carry
  # my-security-group-2. They are standalone resources so that the group ID
  # they reference already exists when the rule is created.
  MyIngressSelfAll:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref EC2InstanceSecurityGroup2
      SourceSecurityGroupId: !GetAtt EC2InstanceSecurityGroup2.GroupId
      IpProtocol: -1      # all protocols; the port range is ignored for -1
      FromPort: 0
      ToPort: 65535
      Description: 'All traffic from members of this group'
  MyEgressSelfAll:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref EC2InstanceSecurityGroup2
      DestinationSecurityGroupId: !GetAtt EC2InstanceSecurityGroup2.GroupId
      IpProtocol: -1
      FromPort: 0
      ToPort: 65535
      Description: 'All traffic to members of this group'
##############################################################################
Outputs:
  # One output per group; a single output cannot carry two Value keys.
  SecurityGroup1Id:
    Description: The first Security Group that was created
    Value: {Ref: EC2InstanceSecurityGroup1}
  SecurityGroup2Id:
    Description: The second Security Group that was created
    Value: {Ref: EC2InstanceSecurityGroup2}
  StackName:
    Description: Name of this stack for Fn::ImportValue use by children of top level stack
    Value: {Ref: 'AWS::StackName'}

Filed Under: Cloud Tagged With: aws, cloudformation, create, security groups

Create AWS VPC using Terraform

December 21, 2021

Creating a VPC in AWS using Terraform. The script will do the following:

  • Create a VPC
  • Create a Subnet
  • Create an Internet Gateway
  • Create a route in the default route table using the Internet Gateway

Contents of main.tf

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Credentials come from the named profile in ~/.aws/credentials; nothing is hard-coded here.
provider "aws" {
  profile = "tfc"
  region  = "us-west-1"
}

resource "aws_vpc" "my-vpc" {
  cidr_block       = "10.0.4.0/24"
  instance_tenancy = "default"
  tags = {
    Name = "my-vpc"
  }
}

# The subnet takes the whole VPC range, so there is no room left for a second
# (private) subnet in this VPC later.
resource "aws_subnet" "my-subnet" {
  vpc_id            = aws_vpc.my-vpc.id
  cidr_block        = "10.0.4.0/24"
  availability_zone = "us-west-1a"
  tags = {
    Name = "my-subnet-us-west-1a"
  }
}

resource "aws_internet_gateway" "my-igw" {
  vpc_id = aws_vpc.my-vpc.id
  tags = {
    Name = "my-internet-gateway"
  }
}

# A 0.0.0.0/0 route to the internet gateway in the default route table makes
# every subnet that uses it public: any instance with a public IP is reachable
# from the internet, filtered only by its security group and the network ACL.
resource "aws_default_route_table" "my-rt" {
  default_route_table_id = aws_vpc.my-vpc.default_route_table_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.my-igw.id
  }
  tags = {
    Name = "my-route-table"
  }
}

Filed Under: Cloud Tagged With: aws, create, internet gateway, route table, subnet, terraform, vpc

GCP Spot Instance

November 25, 2021

You can save anywhere from 60-91% against the on-demand price by using a Spot VM. The downside is that Compute Engine can preempt the instance at any time, so it only suits workloads that tolerate interruption. With --instance-termination-action=STOP the VM is stopped rather than deleted when that happens, so its boot disk survives; DELETE is the other option.

Create a spot instance (these flags were in the beta track when this was written; the GA `gcloud compute instances create` accepts them as well).

gcloud beta compute instances create spot-example \
--provisioning-model=SPOT \
--instance-termination-action=STOP \
--image-project=ubuntu-os-cloud \
--image-family=ubuntu-2004-lts \
--machine-type=e2-micro \
--project=your-project-id \
--zone=us-central1-a

Delete instance.

gcloud compute instances delete spot-example \
--project=your-project-id \
--zone=us-central1-a

Filed Under: Cloud Tagged With: create, delete, gcp, instance, preempted, spot

Terraform AWS Security Group

November 15, 2021

How to create a security group in AWS via Terraform. This one opens TCP 8088 to the whole internet and allows all outbound traffic; narrow cidr_blocks to the callers you actually expect before using it outside a lab.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_security_group" "my_sg" {
  vpc_id      = "vpc-xxxxxxxxxxxxxxxxx"
  name        = "My Security Group"
  description = "My Security Group"

  # Reachable from any IPv4 address on 8088.
  ingress {
    from_port   = 8088
    to_port     = 8088
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # protocol "-1" with ports 0/0 is Terraform's spelling of "all traffic";
  # without an egress block Terraform removes AWS's default allow-all egress.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "My Security Group"
  }
}

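Both this post and the CloudFormation post above end up with rules that expose more than their labels suggest (ICMP from anywhere in the CloudFormation group, TCP 8088 from anywhere plus unrestricted egress here). The following is an added example, not code from either post: a small audit that normalizes the inline rules of an AWS::EC2::SecurityGroup resource (a parsed CloudFormation template, as yaml.safe_load or json.load would give it) and of an aws_security_group resource (as `terraform show -json <plan>` renders it under planned_values) and applies one policy: nothing reachable from the whole internet except TCP 80/443, and no world-open all-protocol egress. The two sample resources are constructed from the templates on this page; the policy itself is an assumption, adjust PUBLIC_OK to what your environment allows.

```python
"""Flag overly permissive security-group rules in CloudFormation and Terraform.

Added example, not code from the original posts. The policy (PUBLIC_OK) is an
assumption; the two sample resources are constructed from the posts above.
"""
from dataclasses import dataclass
from typing import List, Optional

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}   # the only world-reachable ingress this policy accepts


@dataclass(frozen=True)
class Rule:
    direction: str        # "ingress" or "egress"
    protocol: str         # "tcp", "udp", "icmp", "icmpv6" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: Optional[str]   # None when the peer is another security group

    @property
    def all_ports(self) -> bool:
        # Protocol -1 matches every port whatever the port fields say;
        # 0-65535 is the explicit form the self-referencing rules above use.
        return self.protocol == "-1" or (self.from_port == 0 and self.to_port == 65535)

    def describe(self) -> str:
        if self.protocol == "-1":
            return "all protocols and ports"
        if self.protocol in ("icmp", "icmpv6"):
            return f"{self.protocol} (all types)" if self.from_port == -1 else f"{self.protocol} type {self.from_port}"
        if self.all_ports:
            return f"{self.protocol}/all ports"
        if self.from_port == self.to_port:
            return f"{self.protocol}/{self.from_port}"
        return f"{self.protocol}/{self.from_port}-{self.to_port}"


def rules_from_cloudformation(resource: dict) -> List[Rule]:
    """Flatten the inline SecurityGroupIngress / SecurityGroupEgress lists of one SG."""
    props = resource["Properties"]
    rules = []
    for direction, key in (("ingress", "SecurityGroupIngress"), ("egress", "SecurityGroupEgress")):
        for r in props.get(key, []):
            rules.append(Rule(direction, str(r["IpProtocol"]),
                              int(r.get("FromPort", -1)), int(r.get("ToPort", -1)),
                              r.get("CidrIp") or r.get("CidrIpv6")))   # None for SG-to-SG rules
    return rules


def rules_from_terraform(resource: dict) -> List[Rule]:
    """Flatten the ingress/egress blocks of one aws_security_group; one Rule per CIDR."""
    rules = []
    for direction in ("ingress", "egress"):
        for r in resource["values"].get(direction, []):
            cidrs = (r.get("cidr_blocks") or []) + (r.get("ipv6_cidr_blocks") or []) or [None]
            for cidr in cidrs:
                rules.append(Rule(direction, str(r["protocol"]), int(r["from_port"]), int(r["to_port"]), cidr))
    return rules


def audit(name: str, rules: List[Rule]) -> List[str]:
    """Return one finding per rule the policy rejects; an empty list means clean."""
    findings = []
    for r in rules:
        if r.cidr not in WORLD:
            continue                          # private range or SG peer: accepted as-is
        if r.direction == "ingress":
            if not (r.from_port == r.to_port and (r.protocol, r.from_port) in PUBLIC_OK):
                findings.append(f"{name}: ingress from {r.cidr} on {r.describe()}")
        elif r.all_ports:
            findings.append(f"{name}: egress to {r.cidr} on {r.describe()}")
    return findings


# Constructed sample: my-security-group-2 from the CloudFormation post above.
CFN_SG2 = {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupName": "my-security-group-2",
    "SecurityGroupIngress": [
        {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443"},
        {"CidrIp": "0.0.0.0/0", "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1"}],
    "SecurityGroupEgress": [
        {"CidrIp": "10.0.0.0/8", "IpProtocol": "udp", "FromPort": "123", "ToPort": "123"},
        {"CidrIp": "10.0.0.0/8", "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53"},
        {"CidrIp": "0.0.0.0/0", "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1"}]}}

# Constructed sample: my_sg from the Terraform post, reduced to the fields the audit reads.
TF_MY_SG = {"type": "aws_security_group", "name": "my_sg", "values": {
    "ingress": [{"from_port": 8088, "to_port": 8088, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"], "security_groups": []}],
    "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                "cidr_blocks": ["0.0.0.0/0"], "security_groups": []}]}}

if __name__ == "__main__":
    for finding in (audit("my-security-group-2", rules_from_cloudformation(CFN_SG2))
                    + audit("my_sg", rules_from_terraform(TF_MY_SG))):
        print(finding)
```

Run it and the CloudFormation group reports only its world-open ICMP rule (the 443 rule passes), while the Terraform group reports both the 8088 ingress and the all-traffic egress. Self-referencing and SG-to-SG rules carry no CIDR and are skipped, so the MyIngressSelfAll / MyEgressSelfAll pattern is not flagged. To audit a real plan, feed each resource from planned_values.root_module.resources whose type is aws_security_group to rules_from_terraform.
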
Filed Under: Cloud Tagged With: aws, create, security group, terraform

Terraform AWS S3

November 15, 2021

How to create an S3 bucket via Terraform, with a public access block so the bucket cannot be exposed through an ACL or a bucket policy later.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "bucket" {
  bucket = "my-ulysses-bucket"
  # Valid for the provider version current when this was written; AWS provider
  # v4 and later deprecate this argument in favour of an aws_s3_bucket_acl resource.
  acl    = "private"

  tags = {
    Name        = "My Ulysses bucket"
    Environment = "Dev"
  }
}

# Account-independent guard rail: with all four flags set, neither a public ACL
# nor a public bucket policy can make objects in this bucket readable anonymously.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Filed Under: Linux Tagged With: aws, bucket, create, s3, terraform

Create Local Yum Repo

November 7, 2021

Here’s how to create a local yum repo.

Install Apache.

sudo yum install httpd
sudo systemctl start httpd
sudo systemctl enable httpd
sudo systemctl status httpd

Install the repo packages.

sudo yum install createrepo yum-utils

Create repo directories.

sudo mkdir /var/www/html/{baseos,extras,appstream,epel}

Sync the repos. reposync writes each repo into a subdirectory of the download path named after its repo id (baseos, extras, appstream, epel), which is what the baseurls in local.repo below point at. The option takes its value as a separate argument, not with an equals sign.

sudo yum reposync -p /var/www/html --repoid=baseos --download-metadata
sudo yum reposync -p /var/www/html --repoid=extras --download-metadata
sudo yum reposync -p /var/www/html --repoid=appstream --download-metadata
sudo yum reposync -p /var/www/html --repoid=epel --download-metadata

Generate the repo metadata. --download-metadata already copies the upstream repodata into each directory, so this step only rebuilds it in place; it has to run per repo directory, not once at the web root, because that is where the clients look.

for r in baseos extras appstream epel; do sudo createrepo /var/www/html/$r; done

Set up the local repo on each client.

sudo nano /etc/yum.repos.d/local.repo

Contents of local.repo. The section name directories match the reposync repo ids above.

[local-base]
name=Yum Local Base
baseurl=http://10.10.0.20:80/baseos
enabled=1
gpgcheck=0
[local-extras]
name=Yum Local Extras
baseurl=http://10.10.0.20:80/extras
enabled=1
gpgcheck=0
[local-appstream]
name=Yum Local Appstream
baseurl=http://10.10.0.20:80/appstream
enabled=1
gpgcheck=0
[local-epel]
name=Yum Local Epel
baseurl=http://10.10.0.20:80/epel
enabled=1
gpgcheck=0

gpgcheck=0 turns off package signature verification, and with a plain-http baseurl anyone on the path to 10.10.0.20 can feed a client a modified package. reposync copies the RPMs unchanged, so the upstream signatures are still in them: set gpgcheck=1 and point gpgkey at the same distribution key the upstream repo uses (for the OS repos it is already under /etc/pki/rpm-gpg/ on the client) and the mirror verifies exactly as the original does.

Confirm new repo is in the repolist.

sudo yum repolist

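A client-side check for the weakness described above, added here as an example and not part of the original post: it parses a .repo file (the format is INI, so configparser reads it) and reports every enabled repo that disables gpgcheck, that is fetched over plain http without a signature check, or that enables gpgcheck without naming a key. The sample .repo text is constructed from the local.repo above; the EPEL key path in it is an assumed example.

```python
"""Audit a yum/dnf .repo file for repos that skip package signature checks.

Added example, not code from the original post. The sample below is
constructed from the local.repo above; the gpgkey path is an assumption.
"""
import configparser
from typing import List
from urllib.parse import urlsplit

SAMPLE_REPO = """\
[local-base]
name=Yum Local Base
baseurl=http://10.10.0.20:80/baseos
enabled=1
gpgcheck=0

[local-epel]
name=Yum Local Epel
baseurl=http://10.10.0.20:80/epel
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

[local-disabled]
name=Not in use
baseurl=http://10.10.0.20:80/extras
enabled=0
gpgcheck=0
"""


def audit_repo_config(text: str) -> List[str]:
    """Return one finding per weakness found in each enabled repo section."""
    cp = configparser.ConfigParser(interpolation=None)   # gpgkey URLs may contain '%'
    cp.read_string(text)
    findings = []
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue                                     # a disabled repo installs nothing
        # An unset gpgcheck inherits the [main] setting of yum.conf/dnf.conf, which defaults to 0.
        gpgcheck = sec.get("gpgcheck", "0").strip()
        urls = sec.get("baseurl", "").split()            # baseurl may list several URLs
        scheme = urlsplit(urls[0]).scheme if urls else ""
        if gpgcheck != "1":
            findings.append(f"{repo}: gpgcheck is off, packages install without signature verification")
            if scheme == "http":
                findings.append(f"{repo}: plain-http baseurl with no signature check, packages can be altered in transit")
        elif not sec.get("gpgkey", "").strip():
            findings.append(f"{repo}: gpgcheck=1 but no gpgkey, verification depends on keys already in the rpm database")
    return findings


if __name__ == "__main__":
    for line in audit_repo_config(SAMPLE_REPO):
        print(line)
```

Point it at /etc/yum.repos.d/local.repo on a client (read the file and pass its text) and the two local-base findings are what the config above produces; the EPEL section, with gpgcheck=1 and a key, is clean, and the disabled section is ignored.
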
Filed Under: Linux Tagged With: apache, create, repo, yum

Useradd With Specific uid and gid

November 5, 2021

Here’s how to create a Linux user with a specific user id and group id. Create the group first with the wanted gid, then the user with the matching uid and that group as its primary group. -r marks both as system accounts (no password aging fields in /etc/shadow); -m still creates the home directory, which -r alone would skip.

sudo groupadd -r -g 1234567 nexus
sudo useradd -r -u 1234567 -g 1234567 -m -d /home/nexus -s /bin/bash -c "my new account" nexus

Filed Under: Linux Tagged With: create, guid, home, linux, uid, user, useradd

Bash Aliases

July 17, 2021

Create an alias. An alias defined at the prompt lasts only for the current shell; put the same line in ~/.bashrc to keep it.

alias gcloud='docker run --rm -ti --volumes-from gcloud-config google/cloud-sdk:latest gcloud'

Remove an alias.

unalias gcloud

Filed Under: Linux Tagged With: add, alias, create, delete, remove

Copyright © 2023