WSO2 APIM. Policies. List of white IP addresses - wso2

In additional policies, you can add one IP address or range, but how do I check a list of IP addresses?
I tried to add multiple conditional groups to one policy. (https://apim.docs.wso2.com/en/latest/design/rate-limiting/access-control/)
Case 1. Works
  policy name = projectName
  Conditional Group 1 : ip = 10.10.0.12
Case 2. Does not work
  policy name = projectName
  Conditional Group 1 : ip = 10.10.0.12
  Conditional Group 2 : ip = 93.10.0.12
P.S. If I add conditional groups with different IP addresses, that works like "AND" (not like "OR"). Verified.

If you are trying to add IP addresses for an Advanced Rate Limiting Policy, have you tried to add multiple conditional groups? You can add more than one per policy.

works with these combinations of parameters

Related

AWS Config advanced query to limit results based on relationship configurations

Not sure if it is possible to do, but I am trying to retrieve a list of default VPCs and the respective accounts from AWS Config advanced queries.
I have the following query that gives me the result of all the accounts if they have default VPC and the resources that are attached to those default VPCs
SELECT
  accountId,
  awsRegion,
  configuration.vpcId,
  relationships
WHERE
  resourceType = 'AWS::EC2::VPC'
  AND configuration.isDefault = TRUE
  AND relationships.resourceType IN (
    'AWS::EC2::Instance',
    'AWS::EC2::InternetGateway',
    'AWS::EC2::NetworkACL',
    'AWS::EC2::RouteTable',
    'AWS::EC2::Subnet',
    'AWS::EC2::SecurityGroup'
  )
What I want to achieve further is that the result set should be filtered more based on the properties of relationships.
For example, I only want to return a VPC record if the resource 'AWS::EC2::Subnet' has property defaultForAz set to true.
Another example is to limit records where the 'AWS::EC2::RouteTable' has the configuration configuration.associations.main set to true.
Right now it selects all default VPCs from organisation member accounts.
I am also happy to know any other better approach.

How to pick distinct subnets from all the available zones in terraform

When trying to create an ELB (classic load balancer) in AWS via Terraform, I am sending a list of public subnet IDs that were created from another module. In this case I have 4 subnets which are spanned across 3 AZs. I have 2 subnets from az-1a, and when I try to run Terraform, I get an error saying the same AZ can't be used twice for an ELB.
resource "aws_elb" "loadbalancer" {
  name    = "loadbalancer-terraform"
  subnets = var.public_subnets
  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
  depends_on = [aws_autoscaling_group.private_ec2]
}
Is there any way I can select subnets from the given list so that I only get subnet IDs from distinct AZs?
  subnetid1 -- az1-a
  subnetid2 -- az1-b
  subnetid3 -- az1-c
  subnetid4 -- az1-a
Now I need to get as output either subnets 1, 2 and 3 or subnets 2, 3 and 4.
It sounds like this problem decomposes into two smaller problems:
1. Determine the availability zone of each of the subnets.
2. For each distinct availability zone, choose any one of the subnets that belongs to it. (I'm assuming here that there is no reason to prefer one subnet over another if both are in the same AZ.)
For step one, if we don't already have the subnets in question managed by the current configuration (which seems to be the case here -- you are receiving them from an input variable) then we can use the aws_subnet data source to read information about a subnet given its ID. Because you have more than one subnet here, we'll use resource for_each to look up each one.
data "aws_subnet" "public" {
  for_each = toset(var.public_subnets)
  id       = each.key
}
The above will make data.aws_subnet.public appear as a map from subnet id to subnet object, and the subnet objects each have availability_zone attributes specifying which zone each subnet belongs to. For our second step it's more convenient to invert that mapping, so that the keys are availability zones and the values are subnet ids:
locals {
  availability_zone_subnets = {
    for s in data.aws_subnet.public : s.availability_zone => s.id...
  }
}
The above is a for expression, which in this case is using the ... suffix to activate grouping mode, because we're expecting to find more than one subnet per availability zone. As a result of this, local.availability_zone_subnets will be a map from availability zone name to a list of one or more subnet ids, like this:
{
  "az1-a" = ["subnetid1", "subnetid4"]
  "az1-b" = ["subnetid2"]
  "az1-c" = ["subnetid3"]
}
This gets us the information we need to implement the second part of the problem: choosing any one of the elements from each of those lists. The easiest definition of "any one" is to take the first one, by using [0] to take the first element.
resource "aws_elb" "loadbalancer" {
  depends_on = [aws_autoscaling_group.private_ec2]
  name       = "loadbalancer-terraform"
  subnets    = [for subnet_ids in local.availability_zone_subnets : subnet_ids[0]]
  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
}
There are some caveats of the above solution which are important to consider:
Taking the first element of each list of subnet ids means that the configuration could potentially be sensitive to the order of elements in var.public_subnets, but this particular combination above implicitly avoids that with the toset(var.public_subnets) in the initial for_each, which discards the original ordering of var.public_subnets and causes all of the downstream expressions to order the results by a lexical sort of the subnet ids. In other words, this will choose the subnet whose id is the "lowest" when doing a lexical sort.
I don't really like it when that sort of decision is left implicit, because it can be confusing to future maintainers who might change the design and be surprised to see it now choosing a different subnet for each availability zone. I can see a couple different ways to mitigate that, and I'd probably do both if I were writing a long-lived module:
- Make sure variable "public_subnets" has type = set(string) for its type constraint, rather than type = list(string), to be explicit that this module discards the ordering of the subnets as given by the caller. If you do this, you can change toset(var.public_subnets) to just var.public_subnets, because it will already be a set.
- In the final for expression to choose the first subnet for each availability zone, include an explicit call to sort. This call is redundant with how the rest of this is implemented in my example, but I think it's a good clue to a future reader that it's using a lexical sort to decide which of the subnets to use:

  subnets = [
    for subnet_ids in local.availability_zone_subnets : sort(subnet_ids)[0]
  ]

Neither of those changes will actually affect the behavior immediately, but additions like this can be helpful to future maintainers as they read a module they might not be previously familiar with, so they don't need to read the entire module to understand a smaller part of it.

Terraform. Tagging instances created with Autoscaling group

This is what I am trying to do. I have 2 auto scaling groups created with Terraform. One is starting 3 EC2 instances in three different availability zones, with public IP addresses. The other auto scaling group is starting 3 EC2 instances in three different availability zones, with private IP addresses. I am trying to set up a unique "Name" tag for each instance. In Terraform, I see the auto scaling resource has a tag block, but at apply the same tag is applied to all 3 instances. Also, I tried setting up my code to where one auto scaling group can launch all my instances (both public & private), but am having trouble looping with the 'for' expression in my vpc_zone_identifier statement. This issue is forcing me to create a second auto scaling group for the private instances. Any advice would be helpful in combining these auto scaling groups and how to tag each instance with a unique tag.
resource "aws_autoscaling_group" "public" {
  name                 = "${var.main_as}-Public"
  launch_configuration = aws_launch_configuration.main.id
  vpc_zone_identifier = [
    for subnet in aws_subnet.public : subnet.id
  ]
  min_size = 3
  max_size = 3
}
resource "aws_autoscaling_group" "private" {
  name                 = "${var.main_as}-Private"
  launch_configuration = aws_launch_configuration.main.id
  vpc_zone_identifier = [
    for subnet in aws_subnet.private : subnet.id
  ]
  min_size = 3
  max_size = 3
}
With an autoscaling group you should not be trying to generate unique names for all instances, in fact this leads into the methodology of pets vs cattle. By naming resources they become precious and can lead into designs whereby you have a single point of failure.
In practice this can be hard for certain realms (such as Databases) but you should try to build your architecture to be immutable especially in an autoscaling group whereby instances can be replaced (even if you have a min and max the same size, any underlying host failures will launch a new instance to replace).
By having your infrastructure being immutable your architecture will be more resilient to unknown events and will enforce best practices for server builds.
If you need an identifier for the instance, rather than using the tag I would recommend using the instance ID as this will always be unique for your hosts.
Otherwise, if you still want to use an Autoscaling group with unique name tags for the hosts, you will need to create an event for the launch of the host. This would then need to trigger a Lambda which would programmatically update the EC2 instance and assign it a unique name.

How to find Security Group ID in ec2 metadata?

I'm trying to find the security group ID in metadata, but there is only the name of the group.
I get the name with curl like this:
  curl http://169.254.169.254/latest/meta-data/security-groups/
RESULT
  some-secgroup-name
I need the ID, like this one: sg-1234567911
Any idea how to find it in metadata (without CLI)?
You'll need the MAC address of the instance. To obtain that you can do a curl using the metadata url:
http://169.254.169.254/latest/meta-data/mac
Once you have that, you can get the security groups from the network section:
http://169.254.169.254/latest/meta-data/network/interfaces/macs/<your_mac>/security-group-ids
Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
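
The two-step lookup from the answer above, as an added example that is not part of the original answer. It goes a little further: it lists every interface under macs/ rather than only the primary MAC, and it requests an IMDSv2 session token first, which instances that require IMDSv2 need. The function names and the FAKE responses are constructed for illustration.

```python
import urllib.request

IMDS = "http://169.254.169.254"
BASE = "/latest/meta-data/network/interfaces/macs/"


def imds_fetch(path, timeout=2):
    """GET a metadata path with an IMDSv2 session token (only works on an instance)."""
    token_req = urllib.request.Request(
        IMDS + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(token_req, timeout=timeout).read().decode()
    req = urllib.request.Request(
        IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=timeout).read().decode()


def security_group_ids(fetch=imds_fetch):
    """Map each interface MAC to the security group ids attached to it."""
    result = {}
    # The macs/ listing has one entry per line, each with a trailing slash.
    for entry in fetch(BASE).split():
        mac = entry.rstrip("/")
        result[mac] = fetch(BASE + mac + "/security-group-ids").split()
    return result


# Constructed responses standing in for the metadata service, so the
# lookup can be exercised off-instance (MACs and group ids are placeholders).
FAKE = {
    BASE: "0a:00:00:00:00:01/\n0a:00:00:00:00:02/",
    BASE + "0a:00:00:00:00:01/security-group-ids": "sg-EXAMPLE1\nsg-EXAMPLE2",
    BASE + "0a:00:00:00:00:02/security-group-ids": "sg-EXAMPLE1",
}

if __name__ == "__main__":
    # On an instance, call security_group_ids() with no argument instead.
    print(security_group_ids(FAKE.__getitem__))
```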

Finding AWS security group duplicate entries

Is it possible to find duplications in the security groups in AWS?
For example:
Security group 1 has:
  198.168.5.2/24,
  192.168.4.2/24,
  172.54.60.12/24
Security group 2 has:
  192.168.4.2/24,
  172.54.60.12/24,
  52.43.56.98/32
As you can see, there are two exact same IPs in both SGs. Can this be done through the AWS CLI?
Yes, you can use the ip-permission.cidr filter for this. From the documentation:
ip-permission.cidr - An IPv4 CIDR range that has been granted permission in a security group rule.
So you can use this to specify the CIDR range you want to check for, and it will list only the security groups containing a rule matching that CIDR range.
Example command:
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=172.54.60.12/24
Further reading:
AWS Documentation - aws ecs describe-security-groups
AWS Documentation - Using Shorthand Syntax with the AWS Command Line Interface
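
The filter above checks one CIDR at a time. As an added example (not part of the original answer), the script below generalises this: it takes the JSON that `aws ec2 describe-security-groups` returns with no filter and reports every inbound CIDR granted in more than one group. The sample document is constructed from the CIDRs in the question, and the group ids are placeholders.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.168.5.2/24"}, {"CidrIp": "192.168.4.2/24"},
                  {"CidrIp": "172.54.60.12/24"}]}]},
  {"GroupId": "sg-EXAMPLE2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.168.4.2/24"}, {"CidrIp": "172.54.60.12/24"},
                  {"CidrIp": "52.43.56.98/32"}]}]}
]}
""")


def shared_cidrs(described):
    """Return {normalised CIDR: sorted group ids} for CIDRs granted in 2+ groups."""
    groups_by_cidr = defaultdict(set)
    for group in described.get("SecurityGroups", []):
        # IpPermissions holds the inbound rules, matching ip-permission.cidr.
        for perm in group.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                # strict=False clears host bits, so 192.168.4.2/24 and
                # 192.168.4.0/24 count as the same network (a choice made here).
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                groups_by_cidr[str(net)].add(group["GroupId"])
    return {c: sorted(ids) for c, ids in groups_by_cidr.items() if len(ids) > 1}


if __name__ == "__main__":
    for cidr, ids in sorted(shared_cidrs(SAMPLE).items()):
        print(cidr, "->", ", ".join(ids))
```

To run it against a real account, replace SAMPLE with `json.load(sys.stdin)` and pipe the CLI output in.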