IAM Policy to only allow requests coming through ECS - amazon-web-services

I am looking to implement an IAM policy for the following scenario:
┌──────────────┐
│ Internet │─ ┐
└──────────────┘
│ │
│
▼ │
┌──────────────┐
│ ALB │ │
└──────────────┘
│ │
│
┌────────┼───────┐ │
│ECS ▼ │
│┌──────────────┐│ │
││ Task ││
│└──────────────┘│ │
│ │ │
└────────┼───────┘ │
│
▼ │
┌──────────────┐
│ API GW │◀ ┘
└──────────────┘
I want to prevent users from accessing the API Gateway directly. I want to create an IAM policy on the API Gateway that will only accept requests coming via an ECS task. I was thinking of using the aws:CalledVia condition key, but this only seems to support a small list of services, and ECS is not among them.

Related

Im getting error on terraform while deploying module "apigwmethodintegration_token"

│ Error: Invalid template interpolation value
│
│ on main.tf line 390, in module "apigwmethodintegration_token":
│ 390: "token" = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${var.region}:${data.aws_caller_identity.current.account_id}:function:${module.lambda_token.lambdafunction_name}/invocations"
│ ├────────────────
│ │ module.lambda_token.lambdafunction_name is tuple with 1 element
│
│ Cannot include the given value in a string template: string required.
╵
╷
│ Error: Invalid template interpolation value
│
│ on main.tf line 391, in module "apigwmethodintegration_token":
│ 391: "change-temp-password" = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${var.region}:${data.aws_caller_identity.current.account_id}:function:${module.lambda_change_temp_password.lambdafunction_name}/invocations"
│ ├────────────────
│ │ module.lambda_change_temp_password.lambdafunction_name is tuple with 1 element
│
│ Cannot include the given value in a string template: string required.
At the offending lines, change:
module.lambda_token.lambdafunction_name to module.lambda_token.lambdafunction_name[0],
and module.lambda_change_temp_password.lambdafunction_name to module.lambda_change_temp_password.lambdafunction_name[0].

Terraform module for GCP secret module

Error: Unsupported block type
│
│ on ..\Terraform_1.0.0_Win_O\config\secret\secret.tf line 6, in module "secret_user_managed_replication":
│ 6: replication {
│
│ Blocks of type "replication" are not expected here.

Using CMake and not able to run program without getting "LINK : fatal error LNK1104: cannot open file 'src.lib'" error

I'm trying to get my head around CMake and have been testing it out in Visual Studio Code on Windows 10 with a simple project that has a couple of header files and compiles with no issues when done manually. I've run cmake .. successfully from the build folder, but upon running cmake --build . I get the above error in reference to my weight_converter.vcxproj file.
I've done a load of searching online but can't find anything that answers what is going on.
From other results I've seen some suggestions in Visual Studio to add <file>.lib to Project Options -> Linker -> Input -> Additional Dependencies on visual studio, but I'm on visual studio code and can't find a corresponding setting. I've found the .vcxproj file in my project, and although I don't really know what's going on in it, src.lib is written next to the <Link>/<AdditionalDependencies> headings.
This is my main CMakeLists.txt file contents for reference:
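# Top-level CMakeLists.txt for the weight_converter project.
# Declares the project, fixes the output directories, pulls in the library
# targets from src/ and builds the weight_converter executable against them.
cmake_minimum_required(VERSION 3.19.4)
project("weight_converter" LANGUAGES CXX)

# Output directories must be set BEFORE any target is created: the CMAKE_*
# variables below only initialise the per-target *_OUTPUT_DIRECTORY properties
# at add_library()/add_executable() time, so setting them after the targets
# exist (as the original file did) has no effect on those targets.
# Note: these point into the source tree (bin/ and lib/ next to this file);
# "${PROJECT_BINARY_DIR}/bin" etc. would keep the source tree clean.
# CMake creates the directories at build time, so no file(MAKE_DIRECTORY) needed.
set(CMAKE_RUNTIME_OUTPUT_DIRECTORY "${PROJECT_SOURCE_DIR}/bin")
set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY "${PROJECT_SOURCE_DIR}/lib")
set(CMAKE_LIBRARY_OUTPUT_DIRECTORY "${PROJECT_SOURCE_DIR}/lib")

# Defines the library targets imperial_to_metric and metric_to_imperial.
add_subdirectory(src)

add_executable(weight_converter weight_converter.cpp)

# The executable includes headers from src/. Ideally the library targets in
# src/CMakeLists.txt would publish that directory themselves
# (target_include_directories(<lib> PUBLIC ...)) so it arrives through
# target_link_libraries(); this line keeps the build working either way.
# PRIVATE is sufficient: nothing links against an executable.
target_include_directories(weight_converter PRIVATE
  "${PROJECT_BINARY_DIR}"
  "${PROJECT_SOURCE_DIR}/src"
)

# Link the actual library targets. There is no target named "src"; linking
# "src" made the generated .vcxproj hand the linker a non-existent src.lib,
# which is the LNK1104 error.
target_link_libraries(weight_converter PRIVATE
  imperial_to_metric
  metric_to_imperial
)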
And this is the CMakeLists.txt file in my src folder:
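# Conversion libraries. Each target publishes this directory as a PUBLIC
# include path, so anything that links it (e.g. the weight_converter
# executable) can #include "imperial_to_metric.h" / "metric_to_imperial.h"
# without having to add src/ to its own include directories.
add_library(imperial_to_metric imperial_to_metric.cpp)
target_include_directories(imperial_to_metric PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}")

add_library(metric_to_imperial metric_to_imperial.cpp)
target_include_directories(metric_to_imperial PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}")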
This is my project structure if it matters:
├───.vscode
├───bin
│ └───Debug
├───build
│ ├───.cmake
│ │ └───api
│ │ └───v1
│ │ ├───query
│ │ │ └───client-vscode
│ │ └───reply
│ ├───CMakeFiles
│ │ ├───3.19.4
│ │ │ ├───CompilerIdC
│ │ │ │ ├───Debug
│ │ │ │ │ └───CompilerIdC.tlog
│ │ │ │ └───tmp
│ │ │ ├───CompilerIdCXX
│ │ │ │ ├───Debug
│ │ │ │ │ └───CompilerIdCXX.tlog
│ │ │ │ └───tmp
│ │ │ └───x64
│ │ │ └───Debug
│ │ │ └───VCTargetsPath.tlog
│ │ ├───CMakeTmp
│ │ └───fa0880fffde885133f10c0b2cfeb0cbc
│ ├───Debug
│ ├───src
│ │ ├───CMakeFiles
│ │ ├───Debug
│ │ ├───imperial_to_metric.dir
│ │ │ └───Debug
│ │ │ └───imperial.31E5CD06.tlog
│ │ └───metric_to_imperial.dir
│ │ └───Debug
│ │ └───metric_t.0BAA5631.tlog
│ ├───weight_converter.dir
│ │ └───Debug
│ │ └───weight_converter.tlog
│ └───x64
│ └───Debug
│ └───ZERO_CHECK
│ └───ZERO_CHECK.tlog
├───lib
├───src
│ └───CMakeLists.txt
│ └───imperial_to_metric.cpp
│ └───metric_to_imperial.cpp
│ └───imperial_to_metric.h
│ └───metric_to_imperial.h
│
├───CMakeLists.txt
└───weight_converter.cpp
The underlying problem is this:
target_link_libraries("${PROJECT_NAME}" PUBLIC src)
This tells CMake to link to a library named src. However, in src/CMakeLists.txt the libraries are called imperial_to_metric and metric_to_imperial:
add_library(imperial_to_metric imperial_to_metric.cpp)
add_library(metric_to_imperial metric_to_imperial.cpp)
So what one probably wants is
target_link_libraries("${PROJECT_NAME}" PUBLIC imperial_to_metric metric_to_imperial)
A minor nit, but it is often better practice to have the library targets specify the build requirements. So instead of:
target_include_directories("${PROJECT_NAME}" PUBLIC "${PROJECT_BINARY_DIR}" "${PROJECT_SOURCE_DIR}/src")
one would have the following in src/CMakeLists.txt
target_include_directories(metric_to_imperial PUBLIC ".")
target_include_directories(imperial_to_metric PUBLIC ".")
This way any consumer of imperial_to_metric gets the needed include directories simply by the target_link_libraries command.

Why the count of messages are not same when I pull messages using gcloud cli?

It's very strange.
I use gcloud pubsub subscriptions pull message-blocking-SUB --limit 10 try to pull messages from message-blocking-SUB subscription.
Here is the results:
☁ nodejs-gcp [master] ⚡ gcloud pubsub subscriptions pull message-blocking-SUB --limit 10
┌──────────────────────────────────────────┬─────────────────┬────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ DATA │ MESSAGE_ID │ ATTRIBUTES │ ACK_ID │
├──────────────────────────────────────────┼─────────────────┼────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ {"data":"Hello, world! - 1543554888273"} │ 283307349579869 │ │ QV5AEkw2B0RJUytDCypYEU4EISE-MD5FU0RQBhYsXUZIUTcZCGhRDk9eIz81IChFEAtTE1FcdhNCEGgzXHUHUQ0YdHpndmoLFAJTFFl-VVsJPGh-Y3cPUg4ZdX5lfG9dGgkETHvi4M-dxOksZhg9XBJLLD5-PTJF │
└──────────────────────────────────────────┴─────────────────┴────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
☁ nodejs-gcp [master] ⚡ gcloud pubsub subscriptions pull message-blocking-SUB --limit 10
┌──────────────────────────────────────────┬─────────────────┬────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ DATA │ MESSAGE_ID │ ATTRIBUTES │ ACK_ID │
├──────────────────────────────────────────┼─────────────────┼────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ {"data":"Hello, world! - 1543555283170"} │ 283307447044599 │ │ XkASTDYHRElTK0MLKlgRTgQhIT4wPkVTRFAGFixdRkhRNxkIaFEOT14jPzUgKEUQC1MTUVx1E0wQaV0zdQdRDRlze2ZzaVsTBlNBVXRfURsfWVx-SgVZDhpyemVxbVoXBQdMWlbD5I-Lod0sZhs9XBJLLD5-PTJFQQ │
│ {"data":"Hello, world! - 1543555288172"} │ 283307327268587 │ │ XkASTDYHRElTK0MLKlgRTgQhIT4wPkVTRFAGFixdRkhRNxkIaFEOT14jPzUgKEUQC1MTUVx1E0wQaV0zdQdRDRlze2ZzaVsTBlNBVXReURsfWVx-SgVZDhpyemJ3bVgVCQdNVFbD5I-Lod0sZhs9XBJLLD5-PTJFQQ │
│ {"data":"Hello, world! - 1543555293176"} │ 283307486528068 │ │ XkASTDYHRElTK0MLKlgRTgQhIT4wPkVTRFAGFixdRkhRNxkIaFEOT14jPzUgKEUQC1MTUVx1E0wQaV0zdQdRDRlze2ZzaVsTBlNBVXRdURsfWVx-SgVZDhpyemV9bF8RCQJDW1bD5I-Lod0sZhs9XBJLLD5-PTJFQQ │
└──────────────────────────────────────────┴─────────────────┴────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
☁ nodejs-gcp [master] ⚡ gcloud pubsub subscriptions pull message-blocking-SUB --limit 10
┌───────────────────────────────┬─────────────────┬────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ DATA │ MESSAGE_ID │ ATTRIBUTES │ ACK_ID │
├───────────────────────────────┼─────────────────┼────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Hello, world! - 1543547000557 │ 283191392654279 │ │ QV5AEkw2B0RJUytDCypYEU4EISE-MD5FU0RQBhYsXUZIUTcZCGhRDk9eIz81IChFEAtTE1FcdhNMEG4zXHUHUQ0YdHpnd2NYEgkCTFl-VVsJPGh-Y3cPUgwQc35od2xfFwMFTHvi4M-dxOksZhg9XBJLLD5-PTJF │
│ Hello, world! - 1543547015562 │ 283191378142602 │ │ QV5AEkw2B0RJUytDCypYEU4EISE-MD5FU0RQBhYsXUZIUTcZCGhRDk9eIz81IChFEAtTE1FcdhNMEG4zXHUHUQ0YdHpnd2NYEgkCTFl_VVsJPGh-Y3cPUgwQc35mfWteEQcCR3vi4M-dxOksZhg9XBJLLD5-PTJF │
│ Hello, world! - 1543547020563 │ 283191323745952 │ │ QV5AEkw2B0RJUytDCypYEU4EISE-MD5FU0RQBhYsXUZIUTcZCGhRDk9eIz81IChFEAtTE1FcdhNMEG4zXHUHUQ0YdHpnd2NYEgkCTFl8VVsJPGh-Y3cPUgwQc35jdm1eFggHR3vi4M-dxOksZhg9XBJLLD5-PTJF │
└───────────────────────────────┴─────────────────┴────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
☁ nodejs-gcp [master] ⚡ gcloud pubsub subscriptions pull message-blocking-SUB --limit 10
┌──────────────────────────────────────────┬─────────────────┬────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ DATA │ MESSAGE_ID │ ATTRIBUTES │ ACK_ID │
├──────────────────────────────────────────┼─────────────────┼────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ {"data":"Hello, world! - 1543554888273"} │ 283307349579869 │ │ QV5AEkw2B0RJUytDCypYEU4EISE-MD5FU0RQBhYsXUZIUTcZCGhRDk9eIz81IChFEAtTE1FcdhNCEGgzXHUHUQ0YdHpndmoLFAJTFFl-VVsJPGh-Y3cPUg4ZdX5lfG9dGgkETHvi4M-dxOksZhg9XBJLLD5-PTJF │
└──────────────────────────────────────────┴─────────────────┴────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
☁ nodejs-gcp [master] ⚡
My message queue has three messages.
I ran this command four times, and the result was different each time.
I expected the result to always be the same three messages.
I don't understand why.
Are you sure your subscription only has 3 messages? Your 'data' values show otherwise:
{"data":"Hello, world! - 1543555283170"} │ 283307447044599
{"data":"Hello, world! - 1543555288172"} │ 283307327268587
{"data":"Hello, world! - 1543555293176"} │ 283307486528068
{"data":"Hello, world! - 1543554888273"} │ 283307349579869
Hello, world! - 1543547000557 │ 283191392654279
Hello, world! - 1543547015562 │ 283191378142602
Hello, world! - 1543547020563 │ 283191323745952
I suspect some of your confusion is that when you pull messages without acking them, they are not available again for some period of time; I believe the default is 10s or so. Pub/Sub assumes that whatever pulled the messages is still doing work and may ack them soon. Until that window passes you will only see new messages, or ones whose delivery window has already expired.

Reg exp to match a specific HTTP response code in apache or nginx server logs

I am looking for a regexp that could match a specific response code (error code) in apache or nginx webserver logs.
10.80.248.64 - - [02/Nov/2012:15:04:40 +0000] "GET //browse/OS HTTP/1.1" 404 497 "-" "-"
10.220.64.11 - - [02/Nov/2012:15:04:54 +0000] "GET / HTTP/1.0" 200 491 "-" "Wget/1.12 (linux-gnu)"
10.80.16.66 - - [29/Oct/2012:11:09:11 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
The reg exp should be able to match lines with a specific error code like 404, 200 or 302.
Use the following regex pattern. It anchors on the closing quote of the request line and the HTTP/version token, so a number such as 404 that appears inside the requested URL is not mistaken for the status code:
^[^"]*"[^"]*\sHTTP\/[\d.]+"\s+(?:200|302|404)\s.*$
└─┬─┘│└─┬─┘└┤└────┬─────┘│└┬┘└──────┬──────┘└┤└┤
│ │ │ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │ │ └─ anything (including nothing)
│ │ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │ └─ one space (white-space character)
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ └─ 200 or 302 or 404
│ │ │ │ │ │ │
│ │ │ │ │ │ └─ one or more spaces (white-space characters)
│ │ │ │ │ │
│ │ │ │ │ └─ one double-quote character
│ │ │ │ │
│ │ │ │ └─ HTTP/ followed by a combination of digit(s) and/or dot(s)
│ │ │ │
│ │ │ └─ one space (white-space character)
│ │ │
│ │ └─ anything (including nothing) but double-quote character(s)
│ │
│ └─ one double-quote character
│
└─ anything (including nothing) but double-quote character(s)