# AWS

Notes on anything AWS-related I've come across in my work.

# AWS CLI

Install the AWS CLI v2 on Linux instances:

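# RHEL/CentOS: install AWS CLI v2 from the official bundle.
# The zip is fetched over the network and ./aws/install is run with root
# privileges, so verify the publisher's GPG signature before executing it;
# an unverified download is an arbitrary-code-execution risk. The AWS CLI
# signing public key must already be imported into gpg — its key ID and
# fingerprint are published in the AWS CLI install docs (confirm them there,
# not from a third party). -f makes curl fail on HTTP errors instead of
# saving an error page as the archive.
curl -fL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl -fL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
gpg --verify awscliv2.sig awscliv2.zip || { echo "awscliv2.zip: signature verification failed, aborting" >&2; exit 1; }
unzip awscliv2.zip
# Run as root (or via sudo) — the installer writes under /usr/local.
./aws/install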

And on Windows servers (AWS Tools for PowerShell):

# Bootstrap the AWS Tools for PowerShell on a Windows server.
# NuGet is the package provider PowerShellGet uses to pull modules from the
# gallery; AWS.Tools.Installer is AWS's module for installing the modular
# AWS.Tools.* cmdlets (e.g. Get-SECSecretValue used further down).
# -Force suppresses the interactive confirmation prompts so this can run
# unattended during instance provisioning.
$nugetProvider = @{ Name = 'NuGet'; Force = $true }
Install-PackageProvider @nugetProvider

$awsInstaller = @{ Name = 'AWS.Tools.Installer'; Force = $true }
Install-Module @awsInstaller

# EC2 Instance

Launch an EC2 instance with the AWS CLI, passing the mandatory tags for both the instance and the volumes created with it.

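# Launch one Linux instance in us-east-1 with the mandatory tag set applied to
# both the instance and the volumes created at launch. IDs below are placeholders.
ami_id="ami-a123456789bcdef"
# An array, not a space-separated string, so each ID is passed as its own
# argument without relying on unquoted word splitting.
security_groups_list=("sg-abcdefghigkl" "sg-1234567890abcdf")
subnet_id="subnet-01234567890"

# The tag set is identical for instance and volume: define it once and reuse
# it, so the two copies cannot drift apart.
mandatory_tags='[
    {"Key":"Name","Value":"example-test-instance-name"},
    {"Key":"BusinessUnit","Value":"IT"},
    {"Key":"Department","Value":"IT"},
    {"Key":"ApplicationName","Value":"test"},
    {"Key":"Env","Value":"DevTest"},
    {"Key":"AppID","Value":"APP000"},
    {"Key":"CostCenter","Value":"TST000"}
]'
tag_specifications="[
    {\"ResourceType\":\"instance\",\"Tags\":${mandatory_tags}},
    {\"ResourceType\":\"volume\",\"Tags\":${mandatory_tags}}
]"

# Linux instance in us-east-1.
# --metadata-options HttpTokens=required enforces IMDSv2: because the
# instance carries an IAM instance profile, its role credentials are served
# by the metadata endpoint, and requiring a session token blocks the classic
# SSRF-to-IMDSv1 credential theft from any web app running on the box.
# The option name is --tag-specifications (plural); the singular form relies
# on argument-prefix matching and is not guaranteed to be accepted.
aws ec2 run-instances --image-id "$ami_id" --count 1 \
    --instance-type t2.large \
    --key-name pascal \
    --security-group-ids "${security_groups_list[@]}" \
    --subnet-id "$subnet_id" \
    --iam-instance-profile '{"Name": "my_instance_profile_name"}' \
    --metadata-options '{"HttpTokens":"required","HttpEndpoint":"enabled"}' \
    --tag-specifications "$tag_specifications" | jq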

# Secrets Manager

Using Secrets Manager to retrieve a password from an EC2 instance, provided the instance has an instance profile attached whose role is allowed to read that secret (`secretsmanager:GetSecretValue`). Any process on the instance that can reach the metadata endpoint can use the same role, so scope that policy to the specific secret ARN rather than `*`.

This example demonstrates how to join a Linux instance to the domain.

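# Fetch the domain-join password from Secrets Manager and join the realm.
# The secret's SecretString is a JSON object keyed by AD username.
ad_username="_ad_username"
secret_id="sem-ad-domainjoin-secret"

# --arg passes the username as jq data instead of splicing it into the
# filter text, so an unusual username cannot change the jq program.
password=$(/usr/local/bin/aws secretsmanager get-secret-value \
    --secret-id "$secret_id" --query SecretString --output text \
    | jq -r --arg user "$ad_username" '.[$user]') || exit 1

# jq prints "null" for a missing key; refuse to join with a bogus password
# rather than locking the account after repeated bad attempts.
if [[ -z "$password" || "$password" == "null" ]]; then
    echo "no password for ${ad_username} found in secret ${secret_id}" >&2
    exit 1
fi

# realm reads the password from stdin: printf avoids echo's option parsing
# and keeps the secret out of argv (visible via ps). Do not run this part
# under set -x — the trace would print the secret.
printf '%s\n' "$password" | realm join -U "$ad_username" example.com
unset password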

On Windows, the same secret can be retrieved with the AWS Tools for PowerShell:

# Windows equivalent: pull the domain-join secret (a JSON object keyed by AD
# username) and wrap the selected value in a SecureString for use with
# PSCredential. Note the plaintext still lives in $secretJson and
# $SecretObj until those variables are cleared or the session ends.
$secretJson = Get-SECSecretValue -SecretId 'sem-ad-domainjoin-secret' -Select SecretString
$SecretObj  = $secretJson | ConvertFrom-Json
$Password   = ConvertTo-SecureString -String $SecretObj._ad_username -AsPlainText -Force

# Termination protection

Remove termination protection from instances whose Name tag matches a pattern. Check the resolved instance list before running this: a tag wildcard can match more instances than intended, and removing the protection is what allows them to be terminated.

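# Remove termination protection from every instance whose Name tag matches
# LINUX_DEV*. Ask the API for the IDs with --query instead of grepping
# pretty-printed JSON (which silently breaks on formatting changes), and
# print the resolved list first so an over-broad wildcard is visible before
# anything is modified.
mapfile -t instance_ids < <(aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=LINUX_DEV*" \
    --query 'Reservations[].Instances[].InstanceId' --output text | tr '\t' '\n')
printf 'removing termination protection from: %s\n' "${instance_ids[*]}" >&2
for id in "${instance_ids[@]}"; do
    aws ec2 modify-instance-attribute --no-disable-api-termination --instance-id "$id" | jq
done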

# SSM Commands

If your instances have the SSM agent installed and Systems Manager is your only access path, you can run specific commands on a list of instances with `aws ssm send-command`. Commands run with root privileges, so anyone holding `ssm:SendCommand` on these instances effectively has root on them.

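# Run a shell snippet on a set of SSM-managed instances (no SSH needed).
# This example grants server_user passwordless sudo. Two safety points:
#  - Write a drop-in under /etc/sudoers.d and validate it with `visudo -cf`
#    before installing it. Appending an unchecked line straight to
#    /etc/sudoers breaks sudo for every user on the host if it has a typo.
#  - NOPASSWD:ALL is root-equivalent. Limit this to break-glass or service
#    accounts and review the drop-in as part of the change record.
# Parameters are given as JSON rather than shorthand so the quoting inside
# the remote commands stays readable. AWS-RunShellScript runs the listed
# commands as one script, so $f set in the first line is visible to the rest.
aws ssm send-command \
    --instance-ids i-abcd123456 i-123456abcdef i-zxcvb12345 \
    --document-name "AWS-RunShellScript" \
    --parameters '{"commands":[
        "f=$(mktemp)",
        "printf \"%s\\tALL=(ALL)\\tNOPASSWD:ALL\\n\" server_user > \"$f\"",
        "visudo -cf \"$f\" && install -m 0440 \"$f\" /etc/sudoers.d/server_user",
        "rm -f \"$f\"",
        "echo Jobs done"
    ]}' | jq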

# FSx

Creating new shares on an FSx for Windows File Server file system with PowerShell, using the FSxRemoteAdmin remote-management endpoint:

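# Create a set of SMB shares on an FSx for Windows File Server file system.
# $FSX_SERVER_NAME is the remote-administration (FSxRemoteAdmin) endpoint,
# $FSX_SERVER_NAME_endpoint the DNS name the D$ admin share is reached through.
$FSX_SERVER_NAME = "amznfsxabcdefg.example.com"
$FSX_SERVER_NAME_endpoint = "amznfsxxyz123456.example.com"

# CREATING CREDENTIALS
# Prompt for the password instead of keeping it as a plaintext literal in the
# script: a hardcoded secret ends up in version control, backups and
# transcripts. Read-Host -AsSecureString returns a SecureString directly, so
# the plaintext is never held in a $variable. Alternatively pull it from
# Secrets Manager with Get-SECSecretValue as shown in the Secrets Manager section.
[SecureString] $password = Read-Host -Prompt "Password for _ad_username_" -AsSecureString
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "_ad_username_", $password

# One share per entry; each is backed by an upper-cased directory under D:\share.
$folders = @("sun", "mercury", "venus", "earth", "mars", "jupiter", "saturn", "neptune", "uranus", "pluto")
foreach ($share in $folders) {
    $folder_name = $share.ToUpper()
    # Create the backing directory over the D$ admin share, then publish it and
    # grant access via the FSxRemoteAdmin endpoint. $Using: carries local
    # values into the remote scriptblock; $args receives -ArgumentList.
    New-Item -Type Directory -Path "\\$FSX_SERVER_NAME_endpoint\D$\share\$folder_name"
    Invoke-Command -ComputerName $FSX_SERVER_NAME -ConfigurationName FSxRemoteAdmin -ArgumentList $share -ScriptBlock {
        New-FSxSmbShare -Name "$args" -Path "D:\share\$Using:folder_name" -ContinuouslyAvailable $True -Credential $Using:credential
    }
    # Grants Full to the admin account only; end-user permissions are
    # presumably added separately — confirm against the share ACL policy.
    Invoke-Command -ComputerName $FSX_SERVER_NAME -ConfigurationName FSxRemoteAdmin -ArgumentList $share -ScriptBlock {
        Grant-FSxSmbShareAccess -AccountName example.com\_ad_username_ -Name "$args" -AccessRight Full -Force
    }
}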

# Datasync

AWS DataSync pairs a source location with a destination location when a task is created. During a migration with many folders, creating the location pairs and tasks can be automated with the script below.

This example syncs multiple folders from an on-prem SMB server to an existing FSx for Windows file system, including tagging.

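#!/usr/bin/env bash
# For each folder, create a DataSync SMB source location, an FSx for Windows
# destination location, and a task linking them, all with the standard tags.
#
# Request bodies are passed with --cli-input-json (built by jq) rather than
# --password on the command line: argv is visible to every local user via
# ps and ends up in shell history, so a password there is effectively public
# on the host. The JSON goes through a 0600 temp file that is removed on exit.
set -euo pipefail

domain_name="example.domain.name"
source_hostname="SourceServerName"
source_ad_username="_ad_username"
# Never hardcode the AD password in the script: take it from the environment
# (e.g. injected by the job runner) or prompt for it without echo.
if [[ -z "${source_ad_password:-}" ]]; then
    read -rs -p "AD password for ${source_ad_username}: " source_ad_password
    echo >&2
fi

agent_arn="arn:aws:datasync:eu-central-1:123456789123:agent/agent-0a1234567890abcde"
fsx_filesystem_arn="arn:aws:fsx:eu-central-1:123456789123:file-system/fs-0a1234567890abcde"
# The original listed the same security-group ARN three times; each distinct
# SG the FSx file system uses is listed once here.
security_group_arns=(
    "arn:aws:ec2:eu-central-1:123456789123:security-group/sg-0a1234567890abcde"
)
sg_json=$(printf '%s\n' "${security_group_arns[@]}" | jq -R . | jq -s .)

# Same tag set for both locations and the task.
tags='[
    {"Key":"BusinessUnit","Value":"IT"},
    {"Key":"Department","Value":"IT"},
    {"Key":"ManagedBy","Value":"No"},
    {"Key":"ApplicationName","Value":"Example Sync"},
    {"Key":"Env","Value":"Prod"},
    {"Key":"AppID","Value":"APP0001234"},
    {"Key":"CostCenter","Value":"ABC12345"}
]'

umask 077
request_file=$(mktemp)
trap 'rm -f -- "$request_file"' EXIT

for folder in 'Sun' 'Mercury' 'Venus' 'Earth'; do
    # jq --arg values are inserted as JSON strings, so the password and
    # hostnames are never interpolated into shell or JSON text.
    jq -n \
        --arg dir "/$folder" --arg host "$source_hostname" \
        --arg user "$source_ad_username" --arg domain "$domain_name" \
        --arg pw "$source_ad_password" --arg agent "$agent_arn" \
        --argjson tags "$tags" \
        '{Subdirectory: $dir, ServerHostname: $host, User: $user, Domain: $domain,
          Password: $pw, AgentArns: [$agent], Tags: $tags}' > "$request_file"
    source_arn=$(aws datasync create-location-smb \
        --cli-input-json "file://${request_file}" \
        --query LocationArn --output text)
    echo "$source_arn"

    jq -n \
        --arg dir "/$folder" --arg fsx "$fsx_filesystem_arn" \
        --arg user "$source_ad_username" --arg domain "$domain_name" \
        --arg pw "$source_ad_password" \
        --argjson sgs "$sg_json" --argjson tags "$tags" \
        '{Subdirectory: $dir, FsxFilesystemArn: $fsx, SecurityGroupArns: $sgs,
          User: $user, Domain: $domain, Password: $pw, Tags: $tags}' > "$request_file"
    destination_arn=$(aws datasync create-location-fsx-windows \
        --cli-input-json "file://${request_file}" \
        --query LocationArn --output text)
    echo "$destination_arn"

    # set -e has already aborted if either create-location call failed, so
    # the task is never created with an empty ARN.
    aws datasync create-task \
        --source-location-arn "$source_arn" \
        --destination-location-arn "$destination_arn" \
        --tags "$tags" | jq
done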

# STS: decode an authorization failure message

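# Decode the opaque "encoded authorization failure message" that some AWS
# APIs attach to an AccessDenied error. The caller needs the
# sts:DecodeAuthorizationMessage permission; the decoded JSON shows which
# action, resource and principal were evaluated, which is usually enough to
# pinpoint the missing IAM statement.
message="encoded_message_here"
aws sts decode-authorization-message --encoded-message "$message" \
    --query DecodedMessage --output text | jq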