How can I set CloudFront createInvalidation lambda params to remove all? - amazon-web-services

I'm serving some websites by S3 static hosting.
I want to invalidate everything in the CloudFront distribution with the createInvalidation method from a Lambda (after running the pipeline that updates those buckets).
Q1. I'm confused about which value is correct for Quantity in this case...
Q2. Can I use "/*" in the Items array as an item? Or just the "/*" string instead of the array?
Can I use an incorrect huge number (e.g., 1000 or 10000) for Quantity?
Or do I need to check the whole file count in the S3 bucket?
Because I need to add this lambda to a Step Functions state machine, using the CLI is not a solution for me.
const invalidationParams = {
  DistributionId: "XXXX",
  InvalidationBatch: {
    CallerReference: Date.now().toString(),
    Paths: {
      Quantity: ???,
      Items: [
        "/*", // maybe?
      ]
    }
  }
};
Or... do you recommend iterating a CLI command...?
Thanks in advance.

I was in too much of a hurry when creating the question...
I tried to create the invalidation by CLI while waiting,
and its response gave me the answer.
I got the following from the CLI command aws cloudfront create-invalidation --distribution-id {DISTRIBUTION_ID} --paths "/*"
{
    "Location": "https://cloudfront.amazonaws.com/blahblah",
    "Invalidation": {
        "Id": "blahblah",
        "Status": "InProgress",
        "CreateTime": "2021-10-07T14:01:42.406000+00:00",
        "InvalidationBatch": {
            "Paths": {
                "Quantity": 1,
                "Items": [
                    "/*"
                ]
            },
            "CallerReference": "cli-1633615280-121576"
        }
    }
}
So it means I can set Quantity to 1 in the lambda.
And I can also use "/*" in the array.
I added this for someone like me 😂
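As an added example (not code from the question or the answer): a Lambda-side builder that sets Quantity from the length of Items, so the two can never drift apart, plus a handler shaped for a Step Functions state. The `sendInvalidation` argument, the event field names and the SDK wiring in the trailing comment are assumptions made for this example.

```javascript
// Builds createInvalidation params with Quantity derived from Items, which is
// the consistency CloudFront requires (Quantity must equal the number of Items).
function buildInvalidationParams(distributionId, paths, callerReference) {
  if (!distributionId) throw new Error("DistributionId is required");
  if (!Array.isArray(paths) || paths.length === 0) {
    throw new Error("Paths.Items must be a non-empty array");
  }
  for (const p of paths) {
    // CloudFront paths are absolute; "/*" is the wildcard for everything.
    if (typeof p !== "string" || !p.startsWith("/")) {
      throw new Error(`invalid path: ${p}`);
    }
  }
  return {
    DistributionId: distributionId,
    InvalidationBatch: {
      // Must be unique per request; a reused value returns the earlier batch.
      CallerReference: callerReference || Date.now().toString(),
      Paths: {
        Quantity: paths.length, // never a guessed "huge number"
        Items: paths,
      },
    },
  };
}

// Lambda entry point (assumed shape): Step Functions passes the state input as
// `event` ({ distributionId, paths?, callerReference? }); defaults to "/*".
// `sendInvalidation` is injected so the code runs offline; see the comment below.
async function handler(event, sendInvalidation) {
  const paths = event.paths && event.paths.length ? event.paths : ["/*"];
  const params = buildInvalidationParams(
    event.distributionId, paths, event.callerReference
  );
  const result = await sendInvalidation(params);
  // Return only what the next state needs (e.g. to poll getInvalidation).
  return {
    invalidationId: result.Invalidation.Id,
    status: result.Invalidation.Status,
  };
}

// With AWS SDK v3 the injected function would be:
//   const { CloudFrontClient, CreateInvalidationCommand } =
//     require("@aws-sdk/client-cloudfront");
//   const cf = new CloudFrontClient({});
//   (p) => cf.send(new CreateInvalidationCommand(p))
// The Lambda role then needs only cloudfront:CreateInvalidation on that
// distribution's ARN.
```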

Related

AWS CLI --output text on a single line of first and second level json

I am trying to get a list of certificates (let's say 100) from AWS Certificate Manager with their Domain Name, Expiry Date, Validation Status and Validation Method with the aws cli command aws acm describe-certificate.
I tried nesting filtering and --output text but the output is on two lines. I guess the reason is that ValidationStatus and ValidationMethod are second level in the json output after Certificate/DomainValidationOptions.
How would it be possible to get the text output in a single line?
Like
foo.bar.com 2022-06-18T23:59:59+00:00 FAILED DNS
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/describe-certificate.html
This is the --output text
$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:aws-account_id:certificate/xxxx --query 'Certificate.[DomainName,NotAfter,DomainValidationOptions[].[ValidationStatus,ValidationMethod]]' --output text
foo.bar.com 2022-06-18T23:59:59+00:00
FAILED DNS
This is the --output json (default output)
aws acm describe-certificate --certificate-arn arn:aws:acm:region:aws-account_id:certificate/xxxx --query 'Certificate.[DomainName,NotAfter,DomainValidationOptions[].[ValidationStatus,ValidationMethod]]'
[
    "foo.bar.com",
    "2022-06-18T23:59:59+00:00",
    [
        [
            "FAILED",
            "DNS"
        ]
    ]
]
A way to achieve this is to flatten the array you are receiving from the AWS command, with the help of the JMESPath flatten operator — [] — in your query.
Having a query like this:
Certificate.[
    DomainName,
    NotAfter,
    DomainValidationOptions[].[ValidationStatus, ValidationMethod]
][][]
Would give you, with one domain, the JSON output:
[
    "www.example.com",
    "2022-06-18T23:59:59+00:00",
    "FAILED",
    "DNS"
]
And end up on one line.
Now mind that, if you have more than one item in the DomainValidationOptions array, they will then all be output on the same line, because you'll have one array with everything.
Example for two domains:
[
    "www.example.com",
    "2022-06-18T23:59:59+00:00",
    "FAILED",
    "DNS",
    "FAILED",
    "DNS"
]
See the DNS and ValidationStatus and ValidationMethod repeating for the two domains there?
What you might want to do is to query the DomainName from the DomainValidationOptions, at least:
Certificate.[
    NotAfter,
    DomainValidationOptions[].[DomainName, ValidationStatus, ValidationMethod]
][][]
This would still be on one line, but will get you the domain related to the validation:
[
    "2022-06-18T23:59:59+00:00",
    "www.example.com",
    "FAILED",
    "DNS",
    "www.example.net",
    "FAILED",
    "DNS"
]
Some progress was made using John's suggestion.
By using "InUseBy[0]" and not only "InUseBy", I managed to output the "InUseBy" on the first line; otherwise it would be on the second line.
Also using "DomainValidationOptions[0].ValidationStatus" instead of "DomainValidationOptions.ValidationStatus" outputs this on the 2nd line instead of 3rd.
Still, I would like
"RenewalSummary.[RenewalStatus,DomainValidationOptions[0].ValidationStatus]"
to be output on the first line too. I noticed RenewalSummary is an object, {}, not an array, [].
"RenewalSummary": {
    "RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {
            "DomainName": "foo.bar.com",
            "ValidationDomain": "foo.bar.com",
            "ValidationStatus": "PENDING_VALIDATION",
            "ResourceRecord": {
                "Name": "_9d77eed0XXX66.foo.bar.com.",
                "Type": "CNAME",
                "Value": "_a5XXXX3.tgztlnjmjp.acm-validations.aws."
            },
            "ValidationMethod": "DNS"
        }
    ],
    "UpdatedAt": "2022-06-24T11:16:34.617000+00:00"
},
aws acm describe-certificate --certificate-arn arn:aws:acm:region:aws-account_id:certificate/xxxx --query 'Certificate.[DomainName,Issuer,Status,FailureReason,NotAfter,InUseBy[0],RenewalSummary.[RenewalStatus,DomainValidationOptions[0].ValidationStatus]]' --output text
This is how the output looks now:
foo.bar.com Amazon ISSUED None 2022-06-18T23:59:59+00:00 arn:aws:elasticloadbalancing:eu-west-1:aws_account_id:loadbalancer/app/alb_foo_bar/XXX
PENDING_VALIDATION PENDING_VALIDATION

aws quicksight create-analysis cli command

We have two different accounts:
one for development,
another client prod account.
We have CloudFormation templates to deploy resources; while developing new features we first test on dev and then deploy to prod. But with QuickSight it is not so easy: there are no CloudFormation templates for QuickSight. We need to recreate all reports in the prod account, and manually it is very hard. I found the QuickSight API and the create-analysis command, but I don't understand how I can create an analysis via this command.
Maybe someone has examples or knows how to create an analysis with the CLI?
Slavik
It's not possible to create an entirely new analysis or dashboard via the API, however it is possible to promote these throughout the environments via the API. I found the following AWS blog post to be of some use:
AWS QuickSight Blog
Rich
First create an Analysis Template using:
aws quicksight create-template --aws-account-id 123456789123 --cli-input-json file://./create-template.json
You can use the following JSON (create-analysis-cli-input.json):
{
  "AwsAccountId": "123456789123",
  "AnalysisId": "TestAnalysis",
  "Name": "TestAnalysis-Report",
  "Parameters": {
    "StringParameters": [
      {
        "Name": "Parameters1",
        "Values": [
          "All"
        ]
      },
      {
        "Name": "Parameters2",
        "Values": [
          "All"
        ]
      }
    ],
    "IntegerParameters": [
      {
        "Name": "IntParameter1",
        "Values": [
          0
        ]
      },
      {
        "Name": "IntParameter2",
        "Values": [
          1000
        ]
      }
    ],
    "DateTimeParameters": [
      {
        "Name": "Date1",
        "Values": [
          20160327
        ]
      },
      {
        "Name": "Date2",
        "Values": [
          20160723
        ]
      }
    ]
  },
  "Permissions": [
    {
      "Principal": "arn:aws:quicksight:ap-southeast-2:123456789123:user/default/user-qs",
      "Actions": [
        "quicksight:UpdateDataSourcePermissions",
        "quicksight:DescribeDataSource",
        "quicksight:DescribeDataSourcePermissions",
        "quicksight:PassDataSource",
        "quicksight:UpdateDataSource",
        "quicksight:DeleteDataSource"
      ]
    }
  ],
  "SourceEntity": {
    "SourceTemplate": {
      "DataSetReferences": [
        {
          "DataSetPlaceholder": "Template-SRM-Payments Dataset",
          "DataSetArn": "arn:aws:quicksight:ap-southeast-2:123456789123:dataset/abc"
        },
        {
          "DataSetPlaceholder": "Template-SRM-DailyPayments Dataset",
          "DataSetArn": "arn:aws:quicksight:ap-southeast-2:123456789123:dataset/def"
        },
        {
          "DataSetPlaceholder": "Template-SRM-DateTable Dataset",
          "DataSetArn": "arn:aws:quicksight:ap-southeast-2:123456789123:dataset/ghi"
        }
      ],
      "Arn": "arn:aws:quicksight:ap-southeast-2:123456789123:template/report-template"
    }
  },
  "ThemeArn": "arn:aws:quicksight::aws:theme/SEASIDE",
  "Tags": [
    {
      "Key": "Name",
      "Value": "TestReport"
    }
  ]
}
The CLI command to run is:
aws quicksight create-analysis --aws-account-id 123456789123 --cli-input-json file://./create-analysis-cli-input.json

How to fix aws-cli cloudfront update distribution command?

I have been trying to execute the command below, but it resulted in an error:
aws cloudfront update-distribution --id E29BDBENPXM1VE \
  --Origins '{ "Items": [{
    "OriginPath": "",
    "CustomOriginConfig": {
      "OriginSslProtocols": {
        "Items": [
          "TLSv1",
          "TLSv1.1",
          "TLSv1.2"
        ],
        "Quantity": 3
      }
    }
  }
  ]
}'
ERROR::: Unknown options: { "Items": [{
"OriginPath": "",
"CustomOriginConfig": {
"OriginSslProtocols": {
"Items": [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
],
"Quantity": 3
}
}
}
]
}, --Origins
I have to remove SSLv3 from the CloudFront OriginSslProtocols.
1) How do I fix the above command? If that's not possible, is there any command other than the one below to disable/remove OriginSslProtocols:SSLv3?
aws cloudfront update-distribution --id E29BDBENPXM1VE --distribution-config file://secure-ssl.json --if-match E35YV3CGILXQDJ
You are using the right command and it should be possible to do what you want.
However, it is slightly more complicated.
The corresponding reference page for the CLI command aws cloudfront update-distribution says:
When you update a distribution, there are more required fields than when you create a distribution.
That is why you must follow the steps given in the CLI reference [1]:
1. Submit a GetDistributionConfig request to get the current configuration and an ETag header for the distribution.
2. Update the XML document that was returned in the response to your GetDistributionConfig request to include your changes.
3. Submit an UpdateDistribution request to update the configuration for your distribution:
   - In the request body, include the XML document that you updated in Step 2. The request body must include an XML document with a DistributionConfig element.
   - Set the value of the HTTP If-Match header to the value of the ETag header that CloudFront returned when you submitted the GetDistributionConfig request in Step 1.
4. Review the response to the UpdateDistribution request to confirm that the configuration was successfully updated.
5. Optional: Submit a GetDistribution request to confirm that your changes have propagated. When propagation is complete, the value of Status is Deployed.
More info about the correct XML format is given in the CloudFront API Reference [2].
References
[1] https://docs.aws.amazon.com/cli/latest/reference/cloudfront/update-distribution.html
[2] https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html
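Step 2 of the procedure above, worked through as an added example that is not from the original question or answer: it edits the JSON that `aws cloudfront get-distribution-config` returns (the CLI works with JSON rather than the raw API's XML, as the --distribution-config file://... form in the question shows), dropping SSLv3 from every custom origin's OriginSslProtocols while keeping Quantity consistent, and carries the ETag through to --if-match. The sample config, the ETag value and the helper names are constructed for this example.

```javascript
// Removes one protocol (SSLv3 by default) from every custom origin's
// OriginSslProtocols, keeping Quantity equal to Items.length as the API requires.
function removeOriginSslProtocol(distributionConfig, protocol = "SSLv3") {
  const changed = [];
  for (const origin of distributionConfig.Origins.Items) {
    const custom = origin.CustomOriginConfig;
    if (!custom || !custom.OriginSslProtocols) continue; // S3 origins: nothing to do
    const kept = custom.OriginSslProtocols.Items.filter((p) => p !== protocol);
    if (kept.length === custom.OriginSslProtocols.Items.length) continue;
    if (kept.length === 0) {
      throw new Error(`origin ${origin.Id}: no SSL protocol would remain`);
    }
    custom.OriginSslProtocols = { Quantity: kept.length, Items: kept };
    changed.push(origin.Id);
  }
  return changed;
}

// Takes the parsed output of `aws cloudfront get-distribution-config`
// ({ ETag, DistributionConfig }) and returns the edited config plus the ETag
// that update-distribution must receive as --if-match. Input is left untouched.
function prepareUpdate(getOutput, protocol = "SSLv3") {
  const config = JSON.parse(JSON.stringify(getOutput.DistributionConfig));
  const changedOrigins = removeOriginSslProtocol(config, protocol);
  return { ifMatch: getOutput.ETag, distributionConfig: config, changedOrigins };
}
// Constructed sample shaped like get-distribution-config output; only the
// fields relevant here are included (a real config carries many more).
const sampleGetOutput = {
  ETag: "EXAMPLEETAG",
  DistributionConfig: {
    Origins: {
      Quantity: 2,
      Items: [
        { Id: "s3-site", DomainName: "example-bucket.s3.amazonaws.com",
          S3OriginConfig: { OriginAccessIdentity: "" } },
        { Id: "api", DomainName: "api.example.com",
          CustomOriginConfig: { OriginProtocolPolicy: "https-only",
            OriginSslProtocols: { Quantity: 4,
              Items: ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"] } } },
      ],
    },
  },
};
// By hand: save the get-distribution-config output, write
// prepareUpdate(...).distributionConfig to updated.json, then run
// aws cloudfront update-distribution --id <DIST_ID> --distribution-config
// file://updated.json --if-match <ifMatch> (a stale ETag fails instead of overwriting).
```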

aws cloudformation WAF geo location condition

Trying to create a CloudFormation template to configure WAF with a geo location condition. Couldn't find the right template yet. Any pointers would be appreciated.
http://docs.aws.amazon.com/waf/latest/developerguide/web-acl-geo-conditions.html
Unfortunately, the actual answer (as of this writing, July 2018) is that you cannot create geo match sets directly in CloudFormation. You can create them via the CLI or SDK, then reference them in the DataId field of a WAFRule's Predicates property.
Creating a GeoMatchSet with one constraint via CLI:
aws waf-regional get-change-token
aws waf-regional create-geo-match-set --name my-geo-set --change-token <token>
aws waf-regional get-change-token
aws waf-regional update-geo-match-set --change-token <new_token> --geo-match-set-id <id> --updates '[ { "Action": "INSERT", "GeoMatchConstraint": { "Type": "Country", "Value": "US" } } ]'
Now reference that GeoMatchSet id (the id returned by create-geo-match-set) in the CloudFormation:
"WebAclGeoRule": {
  "Type": "AWS::WAFRegional::Rule",
  "Properties": {
    ...
    "Predicates": [
      {
        "DataId": "00000000-1111-2222-3333-123412341234",
        "Negated": false,
        "Type": "GeoMatch"
      }
    ]
  }
}
There is no documentation for it, but it is possible to create the Geo Match in serverless/cloudformation.
Used the following in serverless:
Resources:
  Geos:
    Type: "AWS::WAFRegional::GeoMatchSet"
    Properties:
      Name: geo
      GeoMatchConstraints:
        - Type: "Country"
          Value: "IE"
Which translated to the following in CloudFormation:
"Geos": {
  "Type": "AWS::WAFRegional::GeoMatchSet",
  "Properties": {
    "Name": "geo",
    "GeoMatchConstraints": [
      {
        "Type": "Country",
        "Value": "IE"
      }
    ]
  }
}
That can then be referenced when creating a rule:
(serverless):
Resources:
  MyRule:
    Type: "AWS::WAFRegional::Rule"
    Properties:
      Name: waf
      Predicates:
        - DataId:
            Ref: "Geos"
          Negated: false
          Type: "GeoMatch"
(cloudformation):
"MyRule": {
  "Type": "AWS::WAFRegional::Rule",
  "Properties": {
    "Name": "waf",
    "Predicates": [
      {
        "DataId": {
          "Ref": "Geos"
        },
        "Negated": false,
        "Type": "GeoMatch"
      }
    ]
  }
}
I'm afraid that your question is too vague to solicit a helpful response. The CloudFormation User Guide (pdf) defines many different WAF / CloudFront / R53 resources that will perform various forms of geo match / geo blocking capabilities. The link you provide seems a subset of Web Access Control Lists (Web ACL) - see AWS::WAF::WebACL on page 2540.
I suggest you have a look and if you are still stuck, actually describe what it is you are trying to achieve.
Note that the term you used, "geo location condition", doesn't directly relate to an AWS capability that I'm aware of.
Finally, if you are referring to https://aws.amazon.com/about-aws/whats-new/2017/10/aws-waf-now-supports-geographic-match/, then the latest CloudFormation User Guide doesn't seem to have been updated yet to reflect this.

AWS put-bucket-notification-configuration won't let me use "Filter"

The command I use:
aws s3api put-bucket-notification-configuration --bucket bucket-name --notification-configuration file:///Users/chris/event_config.json
It works fine if I take out the "Filter" key. As soon as I add it in, I get:
Parameter validation failed:
Unknown parameter in NotificationConfiguration.LambdaFunctionConfigurations[0]: "Filter", must be one of: Id, LambdaFunctionArn, Events
Here's my JSON file:
{
  "LambdaFunctionConfigurations": [
    {
      "LambdaFunctionArn": "arn:aws:lambda:us-east-1:000000000:function:name",
      "Events": [
        "s3:ObjectCreated:*"
      ],
      "Filter": {
        "Key": {
          "FilterRules": [
            {
              "Name": "prefix",
              "Value": "images/"
            }
          ]
        }
      }
    }
  ]
}
When I look at the command's docs (http://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-notification-configuration.html), I don't see any mistake. I've tried copy/pasting, carefully looking over, etc... Any help would be greatly appreciated!
You need to be running at least version 1.7.46 of aws-cli, released 2015-08-20.
This release adds Amazon S3 support for event notification filters and fixes some issues.
https://aws.amazon.com/releasenotes/CLI/3585202016507998
The aws-cli utility contains a lot of built-in intelligence and validation logic. New features often require the code in aws-cli to be updated, and Filter on S3 event notifications is a relatively recent feature.
See also: https://aws.amazon.com/blogs/aws/amazon-s3-update-delete-notifications-better-filters-bucket-metrics/