Nishad Saithaly mailman-2097

## Arch Install x86
----------
## Please do not copy paste commands blindly. Make your own runsheet.

----------
## Auto

$ ping archlinux.org
$ pacman -Sy archlinux-keyring
$ archinstall

## AD-XX-template.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                mailman-2097
                / AD-XX-template.md
            
            
              Created
              July 25, 2022 03:11
                — forked from FaKleiser/AD-XX-template.md
            
              
                Architecture Decision Template: https://www.fabian-keller.de/blog/documenting-architecture-decisions
              
          
    AD-XX: <TOPIC - short, concise summary>


Date: <DATE - when the decision was made>
Driver: <DRIVER - list a single person driving consenus and decision making>
Stakeholders: <STAKEHOLDERS - list all relevant stakeholders affected by this decision>
Status: [PROPOSED | DECIDED | SUPERSEDED]
Categories: <CATEGORIES - use a simple grouping to help organize the set of decisions (e.g. backend, payment, user management, ...)>
Outcome: <OUTCOME - once decided, provide a short summary of the decision outcome here>

Context


## gist:83db7c62dc5eb846386f17d97f467642
Be very clear on who your stakeholders are. If unsure, ask

Proactively bring impacted parties into the fold

Look for win-win-wins (Customers, Your team, Yourself personally)

Overcommunicate. Set Agenda’s & Send out Minutes for all Customer meetings

Be aware of political implications of everything you do

## gist:c61a99b02f8ad38becb073a0eed74a72
It looks like proxy is aborting connection. After some debugging using openssl, tcpdump and curl, I observed that the rhui3 server is rejecting the SSL connection if we connect via https_proxy (NAT) without a valid certificate.

I could see that this instance is connecting to the outside world via squid proxy's network interface (eni-04555c95115a75e50.  Looking at the squid configuration, I assume that you might have setup transparent squid proxy as per the following blog post. So you dont have to explicitly define proxy variables in redhat instance.

https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/

I would suggest you to update your proxy configuration to bypass ssl certificate validation as given below and check if yum update works.

1. Append the following line to your squid configuration file

## Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :

IP_SRVR = "192.168.76.76"


VAGRANTFILE_API_VERSION = "2"
BOX_IMAGE = "geerlingguy/ubuntu1804"
SRVR_COND = true

## Sample_iam_1.tf
# -----------------------
# Inline Policy
# -----------------------

resource "aws_iam_role" "iam_ser" {
  name_prefix          = "svc-${var.workload_name}-bake"
  permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/WorkloadPermissionsBoundary"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [

## zipfile.tf
locals {
  common_files   = [formatlist("%s/%s", "src/common", fileset("${path.module}/src/common", "*.*"))]
  helpers_files  = [formatlist("%s/%s", "src/helpers", fileset("${path.module}/src/helpers", "*.*"))]
  starter_files  = [formatlist("%s/%s", "src/starter", fileset("${path.module}/src/starter", "*.*"))]
  combined_files = flatten(concat(local.common_files, local.helpers_files, local.starter_files))
}

data "template_file" "t_file" {
  count = length(local.combined_files)
  template = "${file(element(local.combined_files, count.index))}"

## kms_policy.tf
data "aws_iam_policy_document" "kms_policy" {
  statement {
    sid       = "Enable Root user permissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${local.account_id}:root",

## cert-based-winrm-auth.ps1
#region Ensure the WinRm service is running
Set-Service -Name "WinRM" -StartupType Automatic
Start-Service -Name "WinRM"
#endregion

#region Enable PS remoting
if (-not (Get-PSSessionConfiguration) -or (-not (Get-ChildItem WSMan:\localhost\Listener))) {
    Enable-PSRemoting -SkipNetworkProfileCheck -Force
}
#endregion

## SampleYamlParser.py
"""
This is a work in progress. But a good place to start for manipulating YAML with python.
Ex: for the below input yaml it will replace the variables in resource string with values provided in context.
---
action:
    resource: mysql://${db_user}:${db_pass}@${db_host}:3306/wordpress
    context: {db_pass: ch33s3, db_user: lchan, db_host: localhost }

"""
#!/usr/bin/env python
	----------
	## Please do not copy paste commands blindly. Make your own runsheet.

	----------
	## Auto

	$ ping archlinux.org
	$ pacman -Sy archlinux-keyring
	$ archinstall
	Be very clear on who your stakeholders are. If unsure, ask

	Proactively bring impacted parties into the fold

	Look for win-win-wins (Customers, Your team, Yourself personally)

	Overcommunicate. Set Agenda’s & Send out Minutes for all Customer meetings

	Be aware of political implications of everything you do
	It looks like proxy is aborting connection. After some debugging using openssl, tcpdump and curl, I observed that the rhui3 server is rejecting the SSL connection if we connect via https_proxy (NAT) without a valid certificate.

	I could see that this instance is connecting to the outside world via squid proxy's network interface (eni-04555c95115a75e50. Looking at the squid configuration, I assume that you might have setup transparent squid proxy as per the following blog post. So you dont have to explicitly define proxy variables in redhat instance.

	https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/

	I would suggest you to update your proxy configuration to bypass ssl certificate validation as given below and check if yum update works.

	1. Append the following line to your squid configuration file
	# -- mode: ruby --
	# vi: set ft=ruby :

	IP_SRVR = "192.168.76.76"


	VAGRANTFILE_API_VERSION = "2"
	BOX_IMAGE = "geerlingguy/ubuntu1804"
	SRVR_COND = true
	# -----------------------
	# Inline Policy
	# -----------------------

	resource "aws_iam_role" "iam_ser" {
	name_prefix = "svc-${var.workload_name}-bake"
	permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/WorkloadPermissionsBoundary"
	assume_role_policy = jsonencode({
	"Version" : "2012-10-17",
	"Statement" : [
	locals {
	common_files = [formatlist("%s/%s", "src/common", fileset("${path.module}/src/common", "."))]
	helpers_files = [formatlist("%s/%s", "src/helpers", fileset("${path.module}/src/helpers", "."))]
	starter_files = [formatlist("%s/%s", "src/starter", fileset("${path.module}/src/starter", "."))]
	combined_files = flatten(concat(local.common_files, local.helpers_files, local.starter_files))
	}

	data "template_file" "t_file" {
	count = length(local.combined_files)
	template = "${file(element(local.combined_files, count.index))}"
	data "aws_iam_policy_document" "kms_policy" {
	statement {
	sid = "Enable Root user permissions"
	effect = "Allow"
	actions = ["kms:*"]
	resources = ["*"]
	principals {
	type = "AWS"
	identifiers = [
	"arn:aws:iam::${local.account_id}:root",
	#region Ensure the WinRm service is running
	Set-Service -Name "WinRM" -StartupType Automatic
	Start-Service -Name "WinRM"
	#endregion

	#region Enable PS remoting
	if (-not (Get-PSSessionConfiguration) -or (-not (Get-ChildItem WSMan:\localhost\Listener))) {
	Enable-PSRemoting -SkipNetworkProfileCheck -Force
	}
	#endregion
	"""
	This is a work in progress. But a good place to start for manipulating YAML with python.
	Ex: for the below input yaml it will replace the variables in resource string with values provided in context.
	---
	action:
	resource: mysql://${db_user}:${db_pass}@${db_host}:3306/wordpress
	context: {db_pass: ch33s3, db_user: lchan, db_host: localhost }

	"""
	#!/usr/bin/env python