@geodis
Last active May 27, 2024 10:42
aws-examples

Amazon SSM: instance role with AmazonSSMManagedInstanceCore (lets an EC2 instance register with Systems Manager so it can be reached through Session Manager instead of SSH and open inbound ports)

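# IAM role assumed by EC2 instances so the SSM agent can register with
# Systems Manager (Session Manager, Run Command, Patch Manager).
# The trust policy is limited to the EC2 service principal: no user or
# cross-account principal can assume this role directly, only an instance
# launched with the instance profile below.
resource "aws_iam_role" "ssm_access" {
  name = "ssm_access"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowEC2ToAssume"
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

# AWS-managed policy with the permissions the SSM agent needs to talk to
# the service. NOTE(review): this managed policy includes ssm:GetParameter(s)
# on "*", so any process on the instance can read non-encrypted Parameter
# Store values — confirm against the current policy document and scope
# parameters with KMS/resource policies if that matters for this host.
data "aws_iam_policy" "ssm_policy" {
  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_role_policy_attachment" "ssm-role-policy-attach" {
  role       = aws_iam_role.ssm_access.name
  policy_arn = data.aws_iam_policy.ssm_policy.arn
}

# An EC2 instance cannot be given a role directly; it needs an instance
# profile wrapping the role. aws_instance.iam_instance_profile expects the
# profile's name — passing the role name (as the original did) fails at
# apply time with an "invalid IAM instance profile" error.
resource "aws_iam_instance_profile" "ssm_access" {
  name = "ssm_access"
  role = aws_iam_role.ssm_access.name
}

resource "aws_instance" "jenkins_master" {
  # ...
  iam_instance_profile = aws_iam_instance_profile.ssm_access.name

  # A CI master holds deployment credentials; require IMDSv2 so an SSRF in
  # Jenkins or a plugin cannot read the instance role's credentials with a
  # plain GET to 169.254.169.254. Drop this only if a legacy SDK on the
  # host cannot do the token handshake.
  metadata_options {
    http_tokens   = "required"
    http_endpoint = "enabled"
  }
  # ...
}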

AWS CLI: assume a role and export its temporary credentials into the current shell

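# Assume a role in another account and export the resulting temporary
# credentials into the current shell (no file on disk, no eval).
#
# Why not `export $(printf ... $(aws sts assume-role ...))`: when the
# AssumeRole call fails, the command substitution is empty and that pattern
# silently exports AWS_ACCESS_KEY_ID="" etc., leaving the shell broken while
# looking successful. Checking the exit status first avoids that.
GEKO_ACCOUNT_ID="1111111"
DEST_ACCOUNT_ID="222222222"
DEST_ASSUMED_ROLE="GekoRole"

# Inspect what the role hands back. This prints a live credential set to
# stdout — do not run it in a recorded or shared terminal session.
aws sts assume-role \
  --role-arn "arn:aws:iam::${GEKO_ACCOUNT_ID}:role/Role" \
  --role-session-name awscli-session

# assume_role_env ACCOUNT_ID ROLE_NAME [SESSION_NAME]
# Exports AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN for
# the given role. Returns non-zero and exports nothing if AssumeRole fails.
# Exported session credentials take precedence over any AWS_PROFILE.
assume_role_env() {
  local account_id="$1" role_name="$2" session_name="${3:-user}"
  local creds key_id secret token

  creds=$(aws sts assume-role \
    --role-arn "arn:aws:iam::${account_id}:role/${role_name}" \
    --role-session-name "${session_name}" \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text) || return 1

  # `--output text` prints the three values tab-separated on one line;
  # none of them contain whitespace, so a plain read splits them safely.
  read -r key_id secret token <<EOF
${creds}
EOF
  [ -n "${token}" ] || return 1

  export AWS_ACCESS_KEY_ID="${key_id}" \
         AWS_SECRET_ACCESS_KEY="${secret}" \
         AWS_SESSION_TOKEN="${token}"
}

assume_role_env "${DEST_ACCOUNT_ID}" "${DEST_ASSUMED_ROLE}"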

Assume role, variante 2 — útil en CloudShell (usa jq sobre la respuesta JSON)

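# Variant for CloudShell / minimal shells: capture the AssumeRole response in
# a file and pull the three credential fields out with jq.
#
# Fixes vs the original one-liner:
#  - `DEPLOY_ROLE=... aws sts assume-role --role-arn "$DEPLOY_ROLE"` never
#    worked: the shell expands "$DEPLOY_ROLE" (still empty) before the
#    prefix assignment takes effect, so an empty --role-arn was sent.
#  - `jq -c ... | tr -d "` was garbled; `jq -r` prints the raw string, so no
#    quote stripping is needed.
#  - The response — a live credential — was written to ./tmpfile with
#    default permissions and never deleted. Use a 0600 temp file and remove
#    it, whether or not the call succeeded.
# Safe to `source`: no `exit`, so a failure does not close the shell.
DEPLOY_ROLE="arn:aws:iam::1111111:role/role"

creds_file=$(mktemp)   # created mode 0600, so other local users cannot read the token
if aws sts assume-role --role-arn "${DEPLOY_ROLE}" --role-session-name test > "${creds_file}"; then
  export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "${creds_file}")
  export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "${creds_file}")
  export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "${creds_file}")
else
  echo "assume-role failed for ${DEPLOY_ROLE}; credentials not exported" >&2
fi
rm -f "${creds_file}"   # never leave a live credential on disk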

ECR login (docker)

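# Log Docker in to a private ECR registry with a short-lived token.
# `$(regionID)` in the original is a command substitution — it tries to run a
# program called `regionID` — not a variable; variable expansion is `${regionID}`.
# `--password-stdin` keeps the token out of `ps` output and shell history.
regionID="eu-west-1"
aws_account_id="111111"

aws ecr get-login-password --region "${regionID}" \
  | docker login --username AWS --password-stdin \
      "${aws_account_id}.dkr.ecr.${regionID}.amazonaws.com"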

AWS IAM find a role that has a specific policy

aws iam list-entities-for-policy --policy-arn <arn_of_policy> [--entity-filter Role]

ECS task IAM role: read the task's temporary credentials from the container credential endpoint

# Fetch the task role's credentials from the ECS credential endpoint; the agent
# sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI inside the container.
# Anything that can make an HTTP request from inside the task can read this
# (an SSRF in the app leaks the task role), so keep the task role minimal.
curl "http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}"

Ejemplo para acceder a una RDS privada (my_rds.eu-west-1.rds.amazonaws.com) mediante port forwarding a través de una instancia bastión EC2 Linux (i-1111111111111111) con el perfil indicado (sustituir %PROFILE% por aoc-valid-dev, por ejemplo). La bastión necesita el agente SSM y un rol con AmazonSSMManagedInstanceCore, y su security group debe permitir la salida hacia la RDS en el puerto 5432; no hace falta ningún puerto de entrada abierto en la bastión.

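# Port-forward local 5432 to a private RDS endpoint through an SSM-managed
# bastion, without SSH or inbound security-group rules.
#
# The original `export AWS_PROFILE="..." aws ssm start-session ...` on one line
# never runs the command: everything after the assignment is handed to `export`
# as more names to export (and "start-session" is not a valid variable name, so
# it errors). Use a one-command prefix assignment instead, or `export` on its
# own line. The --parameters value is given as JSON in single quotes so the
# shell does not strip the quotes the original relied on.
# NOTE(review): the local listener is expected to bind to localhost only —
# verify with `ss -ltnp` if other hosts must not reach the tunnel.
AWS_PROFILE="%PROFILE%" aws ssm start-session \
  --region eu-west-1 \
  --target i-1111111111111111 \
  --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters '{"host":["my_rds.eu-west-1.rds.amazonaws.com"],"portNumber":["5432"],"localPortNumber":["5432"]}'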

Fargate CPU and memory combinations (valid task-level cpu/memory pairs; this table stops at 4 vCPU — check the current AWS documentation for larger sizes)

CPU value Memory value (MiB)
256 (.25 vCPU) 512 (0.5GB), 1024 (1GB), 2048 (2GB)
512 (.5 vCPU) 1024 (1GB), 2048 (2GB), 3072 (3GB), 4096 (4GB)
1024 (1 vCPU) 2048 (2GB), 3072 (3GB), 4096 (4GB), 5120 (5GB), 6144 (6GB), 7168 (7GB), 8192 (8GB)
2048 (2 vCPU) Between 4096 (4GB) and 16384 (16GB) in increments of 1024 (1GB)
4096 (4 vCPU) Between 8192 (8GB) and 30720 (30GB) in increments of 1024 (1GB)

Terraform: conditional output (null when the map variable is empty)

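# Expose the secret-version ARN only when secrets were actually defined.
# `length(var.secrets) > 0` replaces `var.secrets != {}`: comparing a map
# variable against a `{}` literal means comparing a map to an (empty) object
# type, which has historically given surprising results in Terraform;
# length() is unambiguous for maps, objects and lists alike.
# one() turns the 0-or-1 element splat into a single value or null.
output "secrets_arn" {
  description = "ARN of the Secrets Manager secret version, or null when no secrets are defined."
  value       = length(var.secrets) > 0 ? one(aws_secretsmanager_secret_version.this[*].arn) : null
}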

{
"family": "",
"taskRoleArn": "",
"executionRoleArn": "",
"networkMode": "none",
"containerDefinitions": [
{
"name": "",
"image": "",
"repositoryCredentials": {
"credentialsParameter": ""
},
"cpu": 0,
"memory": 0,
"memoryReservation": 0,
"links": [
""
],
"portMappings": [
{
"containerPort": 0,
"hostPort": 0,
"protocol": "tcp"
}
],
"essential": true,
"entryPoint": [
""
],
"command": [
""
],
"environment": [
{
"name": "",
"value": ""
}
],
"environmentFiles": [
{
"value": "",
"type": "s3"
}
],
"mountPoints": [
{
"sourceVolume": "",
"containerPath": "",
"readOnly": true
}
],
"volumesFrom": [
{
"sourceContainer": "",
"readOnly": true
}
],
"linuxParameters": {
"capabilities": {
"add": [
""
],
"drop": [
""
]
},
"devices": [
{
"hostPath": "",
"containerPath": "",
"permissions": [
"read"
]
}
],
"initProcessEnabled": true,
"sharedMemorySize": 0,
"tmpfs": [
{
"containerPath": "",
"size": 0,
"mountOptions": [
""
]
}
],
"maxSwap": 0,
"swappiness": 0
},
"secrets": [
{
"name": "",
"valueFrom": ""
}
],
"dependsOn": [
{
"containerName": "",
"condition": "COMPLETE"
}
],
"startTimeout": 0,
"stopTimeout": 0,
"hostname": "",
"user": "",
"workingDirectory": "",
"disableNetworking": true,
"privileged": true,
"readonlyRootFilesystem": true,
"dnsServers": [
""
],
"dnsSearchDomains": [
""
],
"extraHosts": [
{
"hostname": "",
"ipAddress": ""
}
],
"dockerSecurityOptions": [
""
],
"interactive": true,
"pseudoTerminal": true,
"dockerLabels": {
"KeyName": ""
},
"ulimits": [
{
"name": "nofile",
"softLimit": 0,
"hardLimit": 0
}
],
"logConfiguration": {
"logDriver": "splunk",
"options": {
"KeyName": ""
},
"secretOptions": [
{
"name": "",
"valueFrom": ""
}
]
},
"healthCheck": {
"command": [
""
],
"interval": 0,
"timeout": 0,
"retries": 0,
"startPeriod": 0
},
"systemControls": [
{
"namespace": "",
"value": ""
}
],
"resourceRequirements": [
{
"value": "",
"type": "InferenceAccelerator"
}
],
"firelensConfiguration": {
"type": "fluentbit",
"options": {
"KeyName": ""
}
}
}
],
"volumes": [
{
"name": "",
"host": {
"sourcePath": ""
},
"configuredAtLaunch": true,
"dockerVolumeConfiguration": {
"scope": "shared",
"autoprovision": true,
"driver": "",
"driverOpts": {
"KeyName": ""
},
"labels": {
"KeyName": ""
}
},
"efsVolumeConfiguration": {
"fileSystemId": "",
"rootDirectory": "",
"transitEncryption": "DISABLED",
"transitEncryptionPort": 0,
"authorizationConfig": {
"accessPointId": "",
"iam": "ENABLED"
}
},
"fsxWindowsFileServerVolumeConfiguration": {
"fileSystemId": "",
"rootDirectory": "",
"authorizationConfig": {
"credentialsParameter": "",
"domain": ""
}
}
}
],
"placementConstraints": [
{
"type": "memberOf",
"expression": ""
}
],
"requiresCompatibilities": [
"EC2"
],
"cpu": "",
"memory": "",
"tags": [
{
"key": "",
"value": ""
}
],
"pidMode": "task",
"ipcMode": "task",
"proxyConfiguration": {
"type": "APPMESH",
"containerName": "",
"properties": [
{
"name": "",
"value": ""
}
]
},
"inferenceAccelerators": [
{
"deviceName": "",
"deviceType": ""
}
],
"ephemeralStorage": {
"sizeInGiB": 0
},
"runtimePlatform": {
"cpuArchitecture": "X86_64",
"operatingSystemFamily": "WINDOWS_SERVER_20H2_CORE"
}
}