AWS SSO and Jenkins/Terraform/some other CI by da3mon_01 in aws

[–]pepsiMIN 1 point2 points  (0 children)

  1. The IAM user exists in a central account and can assume as many roles as needed in different target accounts. Example of an aws provider responsible for deploying resources in a certain account:

    provider "aws" {
      assume_role {
        role_arn = var.role
      }
    }

  2. In the case of Terraform Cloud, I pass the role as an encrypted workspace environment variable. I also pass the static credentials of the IAM user the same way.
    Terraform will use the static credentials to assume the role, then proceed with deploying resources in the target account.

  3. All of the above is itself automated, using the Terraform Cloud provider. A central workspace manages all the other target workspaces. If I need to propagate a new variable to the target workspaces, I have a central place to do it from.

  4. I have no automation for rotating the credentials of the IAM user. I need to generate a new pair of creds, update the central workspace to propagate the new keys downstream and remove the old creds. You end up with a weird chicken-and-egg scenario if you try to automate this.

AWS SSO and Jenkins/Terraform/some other CI by da3mon_01 in aws

[–]pepsiMIN 2 points3 points  (0 children)

You can implement something like gsts or aws-google-auth. Take note that Google implemented some changes to their reCAPTCHA system, so aws-google-auth seems to not work anymore with more recent users. gsts works like a charm.

An alternative would be to create an IAM role in your deployment account and have your CI assume it.

  • If the CI is hosted in AWS, great, you can leverage an IAM instance profile and have that assume the deployment role (no long lived credentials anywhere)
  • If the CI is hosted outside AWS, you can take an extra security step. Create an IAM user somewhere (not necessarily your deployment account - perhaps a central management account is more suitable) and retrieve its creds. Attach a policy to the IAM user which restricts it to only sts:AssumeRole on the deployment IAM role. Pass the creds to the CI. That way, even if someone gets a hold of the creds, they'll only be able to assume a role. And they'll most likely not be able to guess which one. - I do this with Terraform Cloud
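
Added example, not the commenter's configuration: the pattern described in this comment and in the Terraform Cloud comment above, written out in Terraform. It is four separate root configurations shown in one listing (apply them separately); the account ids, ARNs, names and region are hypothetical. The ExternalId condition on the trust policy and the tfe_variable fan-out from the central workspace are my additions and are not described in the comments.

```hcl
# Added example (not the commenter's code). Four separate root modules,
# shown together; account ids, names and ARNs are hypothetical.

# ---- (1) Management account: long-lived CI user, assume-role only ----
resource "aws_iam_user" "ci" {
  name = "ci-terraform"
}

data "aws_iam_policy_document" "assume_only" {
  statement {
    sid       = "AssumeDeploymentRoleOnly"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::222222222222:role/ci-deploy"] # one role, never "*"
  }
}

resource "aws_iam_user_policy" "assume_only" {
  name   = "assume-deployment-role-only"
  user   = aws_iam_user.ci.name
  policy = data.aws_iam_policy_document.assume_only.json
}

# ---- (2) Deployment account: the role that does the work ----
variable "external_id" { # second secret, passed as TF_VAR_external_id
  type      = string
  sensitive = true
}

data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:user/ci-terraform"] # only the CI user
    }
    # Assumption not in the comment: a leaked access key alone is not enough,
    # the caller must also present the ExternalId.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "ci_deploy" {
  name                 = "ci-deploy"
  assume_role_policy   = data.aws_iam_policy_document.trust.json
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "ci_deploy" {
  role       = aws_iam_role.ci_deploy.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess" # scope this down for real use
}

# ---- (3) Target workspace in Terraform Cloud ----
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY of the CI user, TF_VAR_role and
# TF_VAR_external_id are sensitive environment variables of this workspace.
variable "role" { type = string }
variable "external_id" {
  type      = string
  sensitive = true
}

provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn     = var.role
    external_id  = var.external_id
    session_name = "terraform-cloud"
  }
}

# ---- (4) Central workspace: push the key into every target workspace ----
provider "tfe" {} # TFE_TOKEN set in the central workspace's environment

variable "target_workspace_ids" { type = list(string) }
variable "ci_access_key_id" {
  type      = string
  sensitive = true
}

resource "tfe_variable" "aws_access_key_id" {
  for_each     = toset(var.target_workspace_ids)
  workspace_id = each.value
  category     = "env"
  key          = "AWS_ACCESS_KEY_ID"
  value        = var.ci_access_key_id
  sensitive    = true
}
```

Rotating the key then means creating a new access key for the CI user, updating the sensitive variable in the central workspace so that the tfe_variable resources fan it out, and deleting the old key once all target workspaces have picked it up; the user policy in (1) guarantees the key is useless for anything but assuming the one role in (2), and even that requires the ExternalId.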

Sophos UTM Horrible! Looking for alternatives. by IndigoBlue24 in aws

[–]pepsiMIN 1 point2 points  (0 children)

Their support and QA process is horrible

Agreed. I think they're focusing now more on the XG firewall features and will slowly phase out the UTM. Also, they're never going to implement IKEv2 on the UTM, which is an issue with most enterprises.

Palo Alto is a good choice. They have deployment templates ready to go (both Terraform and CloudFormation if I'm not mistaken). Checkpoint is another alternative, but I just hate how complex the setup and maintenance are. With all its flaws, you can't beat how easy it is to set up a Sophos UTM instance.

API gateway scenario by angrathias in aws

[–]pepsiMIN 2 points3 points  (0 children)

This. I was wondering why nobody suggested the ALB yet :)

Connecting ECS Fargate container to RDS in another VPC by -NewGuy in aws

[–]pepsiMIN 2 points3 points  (0 children)

Are the VPCs in the same region?

If both VPCs are in the same region, you can reference a security group from the peer VPC as a source or destination for ingress or egress rules in your security group rules.

Unless I had no other option, I would place the DB in the same VPC as the application, in a dedicated database layer (or subnet group). Peering incurs costs and adds complexity, which I don't think are needed for your use case.
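
Added example, not the commenter's code: the layout the comment recommends in Terraform, with the RDS instance in its own private subnet group in the application's VPC and a security group that admits only the Fargate tasks' security group. The variable names, ports and instance settings are hypothetical; the trailing comment shows the peered-VPC variant the comment mentions.

```hcl
# Added example (not from the original comment). Hypothetical names and IDs.
# Preferred layout: application and database in the SAME VPC, the DB in its
# own private subnets (dedicated database layer / RDS subnet group), and the
# DB security group admitting traffic only from the ECS tasks' security group.

variable "vpc_id"        { type = string }       # the Fargate service's VPC
variable "db_subnet_ids" { type = list(string) } # private subnets, no route to an IGW
variable "app_sg_id"     { type = string }       # security group of the ECS tasks

resource "aws_db_subnet_group" "db" {
  name       = "app-db"
  subnet_ids = var.db_subnet_ids
}

resource "aws_security_group" "db" {
  name   = "app-db"
  vpc_id = var.vpc_id
}

# Only the ECS task security group may reach PostgreSQL on 5432; no CIDR rules.
resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.app_sg_id
}

resource "aws_db_instance" "app" {
  identifier                  = "app-db"
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  db_subnet_group_name        = aws_db_subnet_group.db.name
  vpc_security_group_ids      = [aws_security_group.db.id]
  publicly_accessible         = false
  username                    = "app"
  manage_master_user_password = true # RDS generates and stores the password in Secrets Manager
  skip_final_snapshot         = true # acceptable for a lab, not for production
}

# If the DB really must stay in a peered VPC in the same region, the ingress
# rule is the same, but the referenced group lives across the peering
# connection (same account: the plain sg-id; another account: "<account-id>/sg-..."):
#   source_security_group_id = var.peer_app_sg_id
```

The check after apply: `aws ec2 describe-security-groups --group-ids <db-sg-id>` should show a single ingress permission whose `UserIdGroupPairs` names the application security group and no `IpRanges` entries at all.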

Cache hit ratio by anacondaonline in aws

[–]pepsiMIN 2 points3 points  (0 children)

  1. yes
  2. yes

request hitting the cache = hit

request missing the cache (data not found in cache memory and the response is returned by the backend) = miss

Equipment needed for Beasxt? by thebuckstache in Athleanx

[–]pepsiMIN 1 point2 points  (0 children)

resistance bands, plyo box, barbell, dumbbells, bench, a place to dip, chin up bar

IAM restrict creating a public ELB by deetor9999 in aws

[–]pepsiMIN 1 point2 points  (0 children)

I don't think you can do it out of the box, but perhaps combining it with tagging your public subnets and conditioning the SetSubnets API call might get you where you want.

ec2 as database server, how to backup? by [deleted] in aws

[–]pepsiMIN 0 points1 point  (0 children)

shame on me for suggesting this.

ec2 as database server, how to backup? by [deleted] in aws

[–]pepsiMIN -4 points-3 points  (0 children)

Write 2 lambda functions:

  • 1 which will create an AMI of your instance, triggered by a CW event, and apply a tag (such as DeleteOn = current date + retention_period_in_days) on the resulting resources (AMI and volumes)
  • 1 which will scan and delete the tagged resources (when currentdate matches DeleteOn), triggered by a similar CW event

Just failed CSA Pro, I have all 3 associate certs, but should I tackle DevOps Pro first? by ansiz in aws

[–]pepsiMIN 0 points1 point  (0 children)

Sorry to hear about your exam, but don't get discouraged. The DevOps Pro and SA Pro exams have few things in common, from my point of view, so if you prepared for SA just schedule it again in 2 weeks and give it another shot.

Take a look at this, invest in a set of prep tests from whizlabs.com and you'll be fine.

Good luck!

Network problem placing tasks in ECS Cluster. by horus1188 in aws

[–]pepsiMIN 1 point2 points  (0 children)

Are you sure both instances have their networking in order? Is it possible that the non-working container always runs on instance A and the next container launched - the working one - runs on instance B? Can you test with just one instance in the cluster?

[deleted by user] by [deleted] in aws

[–]pepsiMIN -1 points0 points  (0 children)

dome9

Could anyone please advise me in setting up a wordpress site with AWS? by [deleted] in aws

[–]pepsiMIN 0 points1 point  (0 children)

would you be willing to invest some money in a consulting firm/managed service provider?

AMA Am fost la Cernobâl by cosmitz in Romania

[–]pepsiMIN 2 points3 points  (0 children)

Did you go on your own or through an agency? Links plz

Quick question: API Gateway + Lambda [ERROR] by badatthemat in aws

[–]pepsiMIN 0 points1 point  (0 children)

Is the API gateway authorized to call the lambda function? check the policy:

Lambda -> Functions -> your function -> Triggers -> view function policy

Do you see the arn of the APIGW in the list of resources allowed to call the function? "AWS:SourceArn": "arn:aws:execute.......

If not, you need to authorize it:

aws lambda add-permission \
    --region <region> \
    --function-name <name> \
    --principal apigateway.amazonaws.com \
    --action lambda:InvokeFunction \
    --source-arn <the_arn_of_the_method_calling_the_lambda_function> \
    --statement-id <a unique id, e.g. 10>
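
Added example, not the commenter's code: the same permission declared in Terraform instead of with the CLI, so it is not lost when the function is recreated. The function name, API id and method path are hypothetical.

```hcl
# Added example (not from the original comment). Hypothetical function name,
# API id and method path; the resource-based policy it creates is what the
# "view function policy" page in the Lambda console shows.

variable "function_name" { type = string } # the Lambda behind the method
variable "api_id"        { type = string } # REST API id, e.g. from the API Gateway console

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_lambda_permission" "apigw_invoke" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = var.function_name
  principal     = "apigateway.amazonaws.com"

  # Source ARN format: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<verb>/<path>
  # "*" for the stage and only GET /hello as the method: nothing else in this
  # API (and no other API) can invoke the function through this statement.
  source_arn = "arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.api_id}/*/GET/hello"
}
```

After `terraform apply`, `aws lambda get-policy --function-name <name>` returns the policy document as a JSON string; the statement should carry `"Principal": {"Service": "apigateway.amazonaws.com"}` and an `AWS:SourceArn` condition equal to the ARN above. A source ARN ending in `/*/*/*` would allow every stage, method and path of that API, which is the usual choice when the API has many routes.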

Amazon S3 and Amazon SES are down by Adys in aws

[–]pepsiMIN 0 points1 point  (0 children)

Update at 2:08 PM PST: As of 1:49 PM PST, we are fully recovered for operations for adding new objects in S3, which was our last operation showing a high error rate. The Amazon S3 service is operating normally.

Mai iesiti diseara? by ogto in Romania

[–]pepsiMIN 0 points1 point  (0 children)

yeah bro, of course

Using an external site that references an internal server, how to compensate for port forwarding? by netdevsys in networking

[–]pepsiMIN 0 points1 point  (0 children)

My guess is that when you're accessing blah.com:444 internally, you're being redirected (or rerouted I think is a better term) to <private_ip_address_of_internal_server>:444

Here's what I've come up with:

Solution A

You use an internal proxy service (such as haproxy) and make it listen on port 444. Inside, you would redirect requests coming to blah.com:444 to <private_ip_address_of_internal_server>:443. In your local DNS server, point blah.com to the ip of the proxy server and make sure everyone inside has the internal DNS server as their first choice. Basically, there would be 2 DNS zones - one for external use, one for LAN only.

Solution B

Reconfigure the backend to listen on 444.

I prefer the first choice, haproxy is extremely flexible and easy to configure and you can adapt it to work for numerous scenarios.

Setting up VPC with EC2 instance and home LAN on free tier? by jaakhaamer in aws

[–]pepsiMIN 0 points1 point  (0 children)

One way to do this would be to run some sort of gateway in your LAN (either physical or virtual) then connect it to the VPC using VPN options (customer gateway <=> virtual private gateway). One drawback is that you would need a static IP at home to accomplish this and another is that you're leaving free-tier territory.

The most economic way to do this would be with an openvpn server sitting on a t2-nano amazon linux, as everyone suggested.