@ryuheechul
Last active May 19, 2022 23:13
aws cli usages

A few example scripts that follow https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

Deps

list.sh

#!/usr/bin/env bash
set -euo pipefail

# Print the id of every instance that the AWS Config rule named "ec2-imdsv2-check"
# currently evaluates as NON_COMPLIANT (i.e. IMDSv1 is still allowed), one per line.
aws configservice get-compliance-details-by-config-rule --config-rule-name=ec2-imdsv2-check \
	| jq '.EvaluationResults' \
	| jq 'map(select(.ComplianceType == "NON_COMPLIANT"))' \
	| jq -r '.[].EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId'

enable-and-verify.sh

#!/usr/bin/env bash
set -euo pipefail

echo "fetching instance ids for new changes to apply"

# list.sh prints one instance id per line; xargs joins them into a single space-separated line
ids="$(./list.sh | xargs)"

if [ -z "${ids}" ]; then
	echo "no non-compliant instances found"
	exit 0
fi

echo "going to enforce IMDSv2"

region="whatever-your-region" # ex) region="eu-west-1"

# ${ids} is deliberately unquoted so the shell splits it into one id per iteration;
# quoting it would pass every id as a single --instance-id value and the call would fail
for instance_id in ${ids}; do
	aws ec2 modify-instance-metadata-options \
	--region "${region}" --instance-id "${instance_id}" \
	--http-tokens required \
	--http-endpoint enabled
done

echo "now verifying the results"

# ${ids} must split into separate arguments here as well
aws ec2 describe-instances --region "${region}" --instance-ids ${ids} \
	| jq -r '.Reservations[].Instances[]
		| .InstanceId + ": " + (if .MetadataOptions.HttpTokens == "required" and .MetadataOptions.HttpEndpoint == "enabled" then "success" else "fail" end)'

Disabling IMDSv1 correctly is more complicated than it initially seems, and it can cause unexpected outages. Watch https://www.youtube.com/watch?v=bi3bIs92xE0 for more detail.
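As an added example that is not part of the gist, the verify step's jq check carried a little further in Python: it reads the JSON that `aws ec2 describe-instances --output json` prints, reports per instance whether IMDSv2 is enforced, and separates a still-pending modification from a real failure. The sample response and its instance ids are constructed, and the script file name is assumed.

```python
import json
import sys

# Constructed sample in the shape `aws ec2 describe-instances --output json` prints,
# trimmed to the fields the audit needs. Instance ids are placeholders.
SAMPLE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"State": "applied",
     "HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"State": "applied",
     "HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"State": "pending",
     "HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd", "MetadataOptions": {"State": "applied",
     "HttpTokens": "optional", "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0eee", "MetadataOptions": {"State": "applied",
     "HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}},
]}]})


def audit(describe_output: str) -> dict:
    """Classify every instance in describe-instances JSON by its IMDS settings."""
    result = {"success": [], "pending": [], "warn": {}, "fail": {}}
    for reservation in json.loads(describe_output)["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            mo = inst.get("MetadataOptions", {})
            if mo.get("State") == "pending":
                # modify-instance-metadata-options was accepted but not applied yet;
                # a verify run straight after the change can still show the old values
                result["pending"].append(iid)
            elif mo.get("HttpEndpoint") != "enabled":
                # no IMDS at all: nothing on the box can fetch role credentials, which
                # is a different outcome from "IMDSv2 only" and usually unintended
                result["fail"][iid] = "metadata endpoint disabled"
            elif mo.get("HttpTokens") != "required":
                result["fail"][iid] = "IMDSv1 still allowed (HttpTokens=optional)"
            else:
                result["success"].append(iid)
                if mo.get("HttpPutResponseHopLimit", 1) > 1:
                    # enforced, but a hop limit above 1 also lets containers or anything
                    # one network hop away obtain a token and the role credentials
                    result["warn"][iid] = "HttpPutResponseHopLimit > 1"
    return result


if __name__ == "__main__":
    # pipe real output in: aws ec2 describe-instances --output json | python3 audit_imds.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(json.dumps(audit(data), indent=2))
```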

What?

Use a Lightsail instance as an on-demand Docker daemon and delete it once it is no longer needed.

Why?

Sometimes Docker Desktop on M1 machines doesn't handle amd64 images very well. Thus, an Intel-based daemon might be useful.

Caveats

This method probably doesn't suit long-lived instances, and frequently destroying instances wastes network bandwidth, since pulling Docker images can easily take gigabytes at a time.

Snippets

# Makefile

instance-name = your-instance-name
# a key pair name if you uploaded the public key to lightsail in advance - which makes it a lot smoother
# (kept on its own line: make keeps the whitespace before a trailing comment as part of the value)
key-pair-name = id_ed25519

.PHONY: galaxy-docker
galaxy-docker:
	ansible-galaxy install geerlingguy.docker

.PHONY: inventory
inventory:
	$(MAKE) --no-print-directory lightsail-ip | tr -d '\n' > inventory
	echo ' ansible_user=ubuntu ansible_become=true' >> inventory
	ansible-inventory -i inventory --list

.PHONY: playbook
playbook:
	ansible-playbook -i inventory playbook.yaml

# whatever spec makes sense to you
.PHONY: lightsail
lightsail:
	AWS_DEFAULT_REGION=us-west-2 \
		aws lightsail create-instances \
		--instance-names=$(instance-name) \
		--blueprint-id=ubuntu_20_04 \
		--bundle-id=xlarge_2_0 \
		--availability-zone=us-west-2a \
		--key-pair-name=$(key-pair-name)

.PHONY: lightsail-delete
lightsail-delete:
	AWS_DEFAULT_REGION=us-west-2 \
		aws lightsail delete-instance --instance-name=$(instance-name)

.PHONY: lightsail-ip
lightsail-ip:
	@AWS_DEFAULT_REGION=us-west-2 \
		 aws lightsail get-instance \
		 --instance-name=$(instance-name) \
		 | jq -r '.instance.publicIpAddress'

.PHONY: lightsail-instances
lightsail-instances:
	AWS_DEFAULT_REGION=us-west-2 aws lightsail get-instances

# playbook.yaml
# based on https://github.com/geerlingguy/ansible-role-docker

- hosts: all
  roles:
    - geerlingguy.docker
  vars:
    docker_users:
    - ubuntu

## usages

# create instance
make lightsail

# create inventory based on lightsail instances ip
make inventory

# install docker via the playbook
make playbook

# to debug
make lightsail-instances

# to clean up
make lightsail-delete