Archive for March, 2018

In the previous post we added a Linux node to the Rundeck server. Now we'll add a Windows Server.

Creating AD user

I'll be adding a Domain Controller to Rundeck, so I created a domain user and put it in the built-in Administrators group, username: rundeck@test.com. Keep in mind that on a Domain Controller a member of the built-in Administrators group is effectively a domain administrator: whoever controls the Rundeck server (and the private key created below) gets that level of access, so protect the key and the Rundeck host accordingly.

Installing OpenSSH server on Windows Server

In order to run inline scripts against the Windows server we need a password-less connection (public/private key authentication), because Rundeck first copies the script to the remote node and then executes it.

Download the OpenSSH server release (Win32-OpenSSH), unzip it and copy it to the desired destination (I put it in C:\Program Files).

With PowerShell browse to the unzipped folder and run ./install-sshd.ps1

Two services should be installed: sshd and ssh-agent. Make sure both are running and set their Startup type to Automatic.

Open the sshd_config_default file and edit it as follows. Note: depending on the Win32-OpenSSH release, the file sshd actually reads is %ProgramData%\ssh\sshd_config (sshd_config_default in the install folder is only the template copied there on first start); if that file already exists, edit it instead and restart sshd afterwards.

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:
# RSAAuthentication and RhostsRSAAuthentication are SSH protocol 1 options;
# current OpenSSH releases ignore or reject them, so they can be left out.
RSAAuthentication yes
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
# There is no root account on Windows; PermitRootLogin has no effect here.
PermitRootLogin yes
# StrictModes no stops sshd from refusing an authorized_keys file with loose
# permissions. The safer fix is to keep StrictModes yes and restrict the ACL on
# C:\Users\rundeck\.ssh\authorized_keys (e.g. with icacls) to the rundeck user and SYSTEM.
StrictModes no
#MaxAuthTries 6
#MaxSessions 10
RhostsRSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# Password authentication is left on only as a fallback (see "Password authentication"
# further down); once key authentication works, set this to no.
PasswordAuthentication yes
#PermitEmptyPasswords no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
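The config above carries several settings a reviewer would push back on (StrictModes no, PasswordAuthentication yes, the protocol 1 options). The following script, added here as an example and not part of the original post or of the OpenSSH project, parses an sshd_config the way sshd reads it (first occurrence of an option wins, per-condition settings after the first Match line are ignored) and lists those findings. The two embedded configs are constructed excerpts: one mirrors the settings above, the other is the hardened equivalent.

```python
"""Audit an sshd_config text for the weak settings discussed above.

Added example; it does not touch any host, it only parses config text.
"""
import re

# SSH protocol 1 leftovers; current OpenSSH ignores or rejects them.
PROTOCOL1_OPTIONS = {"rsaauthentication", "rhostsrsaauthentication"}

# Expected values (keys lower-case: sshd treats option names case-insensitively).
EXPECTED = {
    "strictmodes": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",   # meaningless on Windows, harmless to enforce
}


def parse_sshd_config(text):
    """Return {option: value} for the global section; first occurrence wins."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # 'Option value' or 'Option=value'; sshd accepts both separators.
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything below applies only to matching connections
        options.setdefault(key, value)
    return options


def audit(text):
    """Return a sorted list of findings; an empty list means no weak setting found."""
    opts = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = opts.get(key)
        if got is not None and got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    for key in sorted(PROTOCOL1_OPTIONS & set(opts)):
        findings.append(f"{key} is an SSH-1 option; remove it")
    if "passwordauthentication" not in opts:
        findings.append("passwordauthentication not set; the default is yes")
    return sorted(findings)


# Constructed excerpt mirroring the uncommented settings in the config above.
WEAK_CONFIG = """\
RSAAuthentication yes
PermitRootLogin yes
StrictModes no
RhostsRSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
Subsystem sftp sftp-server.exe
"""

# The same file with the weak settings corrected; the Match block shows that
# per-condition options are not taken as global settings.
HARDENED_CONFIG = """\
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp sftp-server.exe
Match Group sftponly
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "clean")
```

Run it against the real file with `audit(open(path).read())`; on the Windows host that is %ProgramData%\ssh\sshd_config once sshd has started at least once.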

In the rundeck user's profile folder create the folder .ssh

cd C:\Users\rundeck
mkdir .ssh

Create a key pair on the Rundeck server (if not created already)

ssh-keygen

Copy the Rundeck public key (cat /root/.ssh/id_rsa.pub) to the Windows machine, into the file authorized_keys in the rundeck user's .ssh folder. If the folder is not visible, enable showing hidden files and folders. If you kept StrictModes yes, restrict the ACL on that file so that only the rundeck user and SYSTEM can read it, otherwise sshd will ignore it. Newer Win32-OpenSSH releases ship a "Match Group administrators" block that reads administrator keys from %ProgramData%\ssh\administrators_authorized_keys instead; if your sshd_config contains that block, put the key there.

On Windows make sure port 22 is open on the firewall, then restart sshd: Restart-Service sshd

Try an ssh connection to the Windows server from Rundeck:

ssh rundeck@192.168.0.13

You shouldn't be asked for a password.

Creating project

Create a new project in the Rundeck web UI.

Add node (resources.xml)

Linuxtopic/server.1key was created in the previous post.

<node name="dc" description="My windows" tags="node2" hostname="192.168.0.13" osArch="x86_64" osFamily="Windows" osName="Windows Server 2016" username="rundeck" ssh-key-storage-path="keys/Linuxtopic/server.1key" />

Password authentication

If for some reason public key authentication doesn't work (it happened to me with an AWS EC2 Windows instance: "Write Failed: broken pipe"), we can fall back to password authentication. This requires PasswordAuthentication yes in sshd_config, and the password is then kept in Rundeck key storage, so treat that storage as sensitive.

In Key Storage add a new key:

Key Type: Password

Then in the node's SSH settings specify the password storage path created in the step above and choose password as the SSH authentication method.

resources.xml:

<node name="windows" description="My windows" tags="node2" hostname="1.1.1.2" osArch="x86_64" osFamily="Windows" osName="Windows Server 2016" username="rundeck" ssh-authentication="password" ssh-password-storage-path="keys/Windows" />

Creating Job

I added a PowerShell script step to get an AD user and to create an OU.

In the previous article we created a federation trust between Azure and AWS by creating an Amazon IAM user and using its credentials to let Azure pull the IAM roles (automatic provisioning). That method has two main drawbacks: it takes a long time for Azure to retrieve all IAM roles, and it is not possible to provide more than one set of IAM credentials (needed when the same Azure enterprise application has to federate with two or more AWS accounts). Most of the steps are the same as for automatic provisioning, but I'll repeat them here for completeness.

Adding Amazon Application to Azure portal

On the Azure portal: Azure Active Directory - Enterprise Applications - All applications - New Application

In the search box type Amazon and select Amazon Web Services (AWS)

On the AWS app properties click Single sign-on

Click Add attribute

Add the attributes as in the table below

Attribute name     Attribute value            Namespace
RoleSessionName    user.userprincipalname     https://aws.amazon.com/SAML/Attributes
Role               user.assignedroles         https://aws.amazon.com/SAML/Attributes

In the SAML Signing Certificate section select Metadata XML and save the metadata file on your computer.

Then click Save

AWS Console: Creating Provider and IAM role

In the AWS console we need to add an identity provider, an IAM role and a policy

Select Identity and Access Management - IAM

Identity Providers - Create Provider

Choose SAML as the Provider Type, set a name and browse for the metadata file downloaded from the Azure portal

Still in IAM click Roles - Create Role

Select SAML 2.0 Federation - SAML provider - the provider we created earlier - Allow programmatic and AWS Management Console access (the Attribute and Value fields populate automatically)

In Attach permissions policies click Next: Review

In Create Role create as many roles as you need

Besides Azure_Role, I created another one and attached one IAM policy; we'll map this role to another Azure AD group

Azure portal: Create User and Group, add user to group

In this section we'll map an Azure AD group to the AWS role we just created (Azure_Role)

Creating new user:

Azure Active Directory - Users - All Users - Create user

Creating AD group

Azure Active Directory - Groups

Specify Group Type and name - Membership Type: Assigned - specify the user(s) to add to the group - Select - Create

In the same way I created another Azure AD group (AWS_Second_Test_Group) to map it to the other IAM role we created earlier (AWS_Second_Test_Role); I added the Don.Hall user to this group too

Editing Azure Active Directory manifest file

The manifest file is a JSON file that represents the application's identity configuration; access scopes and app roles are exposed through it. We'll edit it to add one app role per AWS IAM role, and later assign each Azure AD group to its app role.

In the Azure portal, in the search box type App Registrations and select Amazon Web Services (AWS)

Click on Manifest

Now we'll map AWS IAM roles to Azure AD groups:

IAM Role name          Azure AD Group Name
Azure_Role             Azure_AD_Group
AWS_Second_Test_Role   AWS_Second_Test_Group

Ideally the names of IAM roles and groups should be the same to avoid confusion

In order to edit the manifest file we need to obtain the IAM role ARN, the AWS identity provider ARN and an ID for each app role. The ID is a GUID that only has to be unique within the manifest's appRoles list; it is not tied to the Azure AD group. I reused the group's object ID with the last two digits changed, but any freshly generated GUID (New-Guid in PowerShell, uuidgen on Linux) works and avoids accidental collisions. The group is linked to the role in the next section, by assigning it to the app role under Users and groups.

AWS IAM role ARN: IAM - Roles - select the role; the Role ARN is shown at the top of its summary page.

AWS Identity provider ARN: IAM - Identity providers - select the provider; the Provider ARN is shown on its summary page.

Azure group's ID: click on the group - Properties - Object ID.

These two entries are added to the manifest file:

displayName: name of the Azure AD group

id: GUID of the app role (unique within the manifest)

value: AWS IAM role ARN and AWS identity provider ARN, comma-separated

"appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "AWS_Second_Test_Group",
      "id": "faa9acbc-49db-4a04-9a66-2050998f1c15",
      "isEnabled": true,
      "description": "Azure AD Second group",
      "value": "arn:aws:iam::233135199200:role/AWS_Second_Test_Role,arn:aws:iam::233135199200:saml-provider/WindowsAD"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Azure_AD_Group",
      "id": "b40569c7-ebf0-4c32-959c-b0b3b1cbfc12",
      "isEnabled": true,
      "description": "Azure AD First group",
      "value": "arn:aws:iam::233135199200:role/Azure_Role,arn:aws:iam::233135199200:saml-provider/WindowsAD"
    },

If we need to map more roles to groups we just add more objects to the appRoles array (one per role, separated by commas), each with its own unique id.

Here is complete manifest file:

{
  "appId": "1def2fa6-5467-4565-b3f0-e598b3007b42",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "AWS_Second_Test_Group",
      "id": "faa9acbc-49db-4a04-9a66-2050998f1c15",
      "isEnabled": true,
      "description": "Azure AD Second group",
      "value": "arn:aws:iam::233135199200:role/AWS_Second_Test_Role,arn:aws:iam::233135199200:saml-provider/WindowsAD"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Azure_AD_Group",
      "id": "b40569c7-ebf0-4c32-959c-b0b3b1cbfc12",
      "isEnabled": true,
      "description": "Azure AD First group",
      "value": "arn:aws:iam::233135199200:role/Azure_Role,arn:aws:iam::233135199200:saml-provider/WindowsAD"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "msiam_access",
      "id": "7dfd756e-8c27-4472-b2b7-38c17fc5de5e",
      "isEnabled": true,
      "description": "msiam_access",
      "value": null
    }
  ],
  "availableToOtherTenants": false,
  "displayName": "Amazon Web Services (AWS)",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "optionalClaims": null,
  "acceptMappedClaims": null,
  "homepage": "https://signin.aws.amazon.com/saml?metadata=aws|ISV9.1|primary|z",
  "informationalUrls": {
    "privacy": null,
    "termsOfService": null
  },
  "identifierUris": [
    "http://awsDC46DF5ECB354EEA858E81622348A0BE",
    "http://instanceid_8b1025e4-1dd2-430b-a150-2ef79cd700f5_EAAEA402D2364790A14A5099A13A3B7E",
    "http://aws/d38c1eb9-ca01-420f-a982-210c0583dc49"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access Amazon Web Services (AWS) on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access Amazon Web Services (AWS)",
      "id": "e81ccfaa-9095-4cbc-87fe-10538a57f314",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access Amazon Web Services (AWS) on your behalf.",
      "userConsentDisplayName": "Access Amazon Web Services (AWS)",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "objectId": "dd1dc07d-87dc-48bb-9fd3-1c0274c789a5",
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "publicClient": false,
  "replyUrls": [
    "https://signin.aws.amazon.com/saml"
  ],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null
}
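Hand-editing GUIDs is where this procedure usually goes wrong (a duplicated id, or a role ARN from one account paired with a provider ARN from another). The script below is an added example, not part of the original post or of any Azure or AWS tooling: it generates the appRoles entries from the group-to-role table above with fresh GUIDs, and validates a list of entries against the rules that matter: GUID-shaped unique ids, unique values, and a value of the form "<role ARN>,<saml-provider ARN>" with both ARNs in the same AWS account. The account ID and provider name are taken from the manifest above; the description text is mine.

```python
"""Build and validate appRoles entries for the AWS enterprise application manifest.

Added example; it only produces and checks JSON, it does not call Azure or AWS.
"""
import json
import re
import uuid

ACCOUNT_ID = "233135199200"   # from the manifest above
PROVIDER = "WindowsAD"        # SAML provider name from the manifest above

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")

# Azure AD group -> IAM role, from the table in the post.
MAPPING = {
    "Azure_AD_Group": "Azure_Role",
    "AWS_Second_Test_Group": "AWS_Second_Test_Role",
}


def app_role(group_name, role_name, account_id=ACCOUNT_ID, provider=PROVIDER, role_id=None):
    """One appRoles entry; role_id defaults to a random GUID (uuid4)."""
    return {
        "allowedMemberTypes": ["User"],
        "displayName": group_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "description": f"Maps {group_name} to {role_name}",
        "value": f"arn:aws:iam::{account_id}:role/{role_name},"
                 f"arn:aws:iam::{account_id}:saml-provider/{provider}",
    }


def build_app_roles(mapping, **kw):
    """All entries for a {group: role} mapping."""
    return [app_role(g, r, **kw) for g, r in mapping.items()]


def validate_app_roles(app_roles):
    """Return a list of problems; an empty list means the entries are consistent."""
    problems = []
    seen_ids, seen_values = set(), set()
    for entry in app_roles:
        name = entry.get("displayName", "?")
        rid = entry.get("id", "")
        try:
            uuid.UUID(rid)
        except ValueError:
            problems.append(f"{name}: id {rid!r} is not a GUID")
        if rid in seen_ids:
            problems.append(f"{name}: duplicate id {rid}")
        seen_ids.add(rid)
        value = entry.get("value")
        if value is None:            # e.g. the built-in msiam_access role
            continue
        if value in seen_values:
            problems.append(f"{name}: duplicate value {value}")
        seen_values.add(value)
        parts = value.split(",")
        if len(parts) != 2:
            problems.append(f"{name}: value must be '<role ARN>,<provider ARN>'")
            continue
        role_m, prov_m = ROLE_ARN_RE.match(parts[0]), PROVIDER_ARN_RE.match(parts[1])
        if not role_m or not prov_m:
            problems.append(f"{name}: malformed ARN in value")
        elif role_m.group(1) != prov_m.group(1):
            problems.append(f"{name}: role and provider are in different AWS accounts")
    return problems


if __name__ == "__main__":
    roles = build_app_roles(MAPPING)
    print(json.dumps(roles, indent=2))
    print("problems:", validate_app_roles(roles) or "none")
```

Paste the printed objects into the appRoles array of the manifest (keep the existing msiam_access entry), or run `validate_app_roles(json.load(open("manifest.json"))["appRoles"])` on a manifest you edited by hand before saving it.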

Azure Active Directory - Enterprise Applications - Amazon Web Services (AWS) - Users and groups - Add user

In the Users section select the user or group; in the Roles section the new app roles should now appear, so select the role

And assign it

Make sure the manual provisioning method is selected (Amazon Web Services (AWS) - Provisioning)

Testing access to AWS console

Don.Hall should now be able to access the AWS Management Console

Go to http://myapps.microsoft.com, log in as Don.Hall

Click on Amazon Web Services and you should be signed in to the AWS console automatically. If the user is assigned more than one app role (Don.Hall is in both groups), the SAML assertion carries both roles and AWS shows a page to choose between them.

In this article we'll create an Azure AD user and log them into the AWS Management Console using single sign-on.

Adding Amazon Application to Azure portal

Azure Active Directory - Enterprise Applications - All applications - New Application

In the search box type Amazon and select Amazon Web Services (AWS)

On the AWS app properties click Single sign-on

Click Add attribute

Add the attributes as in the table below

Attribute name     Attribute value            Namespace
RoleSessionName    user.userprincipalname     https://aws.amazon.com/SAML/Attributes
Role               user.assignedroles         https://aws.amazon.com/SAML/Attributes

In the SAML Signing Certificate section select Metadata XML and save the metadata file on your computer.

Then click Save

Configuring AWS part

In the AWS console we need to add an identity provider, an IAM role and a policy

Select Identity and Access Management - IAM

Identity Providers - Create Provider

Choose SAML as the Provider Type, set a name and browse for the metadata file downloaded from the Azure portal

Still in IAM click Roles - Create Role

Select SAML 2.0 Federation - SAML provider - the provider we created earlier - Allow programmatic and AWS Management Console access (the Attribute and Value fields populate automatically)

In Attach permissions policies click Next: Review

In Create Role create as many roles as you need

Creating Policy

Policies - Create policy (this policy lets Azure list all IAM roles in the AWS account; iam:ListRoles is the only permission the provisioning connector needs, so don't attach anything broader)

Click the JSON tab and paste the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}

Creating new AWS user

We need to create a new IAM user, attach the policy we just created and get its access keys, so we can supply them to the Azure AWS application and let it fetch all the AWS roles. This user needs programmatic access only (no console password), and its keys will live in Azure, so give it nothing beyond the ListRoles policy and rotate the keys if Azure's copy is ever in doubt.

Download the CSV file (the access key ID and secret access key are in it)

In the Azure portal, in the AWS app properties click Provisioning; for Client secret enter the AWS user's access key ID, for Secret token enter the AWS user's secret access key, then click Test Connection

Scroll down, set Provisioning Status to On, then click Save

Creating Azure AD user

Azure Active Directory - Users - All Users

Create user

Enabling Azure Single sign-on for user

In the AWS application properties select Users and groups

Select the user and click the Select button

Click Assign

Testing access to AWS console

Don.Hall should now be able to access the AWS Management Console

Go to http://myapps.microsoft.com, log in as Don.Hall

Click on Amazon Web Services and you should be signed in to the AWS console automatically

In this post we'll get IAM reports using the AWS CLI. The script below dumps IAM users, groups, the policies attached to users, groups and roles, and the principals each role trusts, into CSV files; it then compares each report with the previous run and mails a zip of the reports together with any non-empty change files. It is meant to run as a scheduled job (for example from Rundeck) under credentials with read-only IAM access: iam:ListUsers, iam:ListGroups and iam:GetAccountAuthorizationDetails are all it needs.

#!/bin/bash

R=/media/IAM_REPORT

#Compare the previous report with the new one. comm needs sorted input; lines only in the
#old file are removals, lines only in the new file (tab-indented) are additions.
#On the first run there is no old file, so sort's error is silenced.
report_changes () {
    local old="$1" new="$2" out="$3"
    comm -3 <(sort "$old" 2>/dev/null) <(sort "$new") > "$out"
}

#get IAM Users ---------------------------------------------------------

cp -f $R/IAM_REPORT_users.csv $R/IAM_REPORT_users_old.csv 2>/dev/null
aws iam list-users > $R/users.json
jq -r '.Users[] | [.UserName] | @csv' $R/users.json > $R/users.csv
{ echo "Users"; cat $R/users.csv; } > $R/IAM_REPORT_users.csv
report_changes $R/IAM_REPORT_users_old.csv $R/IAM_REPORT_users.csv $R/IAM_REPORT_users_changes.txt

#get IAM Groups --------------------------------------------------------

cp -f $R/IAM_REPORT_groups.csv $R/IAM_REPORT_groups_old.csv 2>/dev/null
aws iam list-groups > $R/groups.json
jq -r '.Groups[] | [.GroupName] | @csv' $R/groups.json > $R/groups.csv
{ echo "Groups"; cat $R/groups.csv; } > $R/IAM_REPORT_groups.csv
report_changes $R/IAM_REPORT_groups_old.csv $R/IAM_REPORT_groups.csv $R/IAM_REPORT_groups_changes.txt

#Get users with associated policies -----------------------------------

cp -f $R/IAM_REPORT_users_policies.csv $R/IAM_REPORT_users_policies_old.csv 2>/dev/null
#One call returns users, groups, roles and their policies; the remaining reports are
#derived from it. The CLI pages through the result automatically.
aws iam get-account-authorization-details > $R/output.json
jq -r '.UserDetailList[] | .UserName as $u | .AttachedManagedPolicies[] | [$u, .PolicyName] | @csv' $R/output.json > $R/userpolicies.csv
{ echo "Users,Policy"; cat $R/userpolicies.csv; } > $R/IAM_REPORT_users_policies.csv
report_changes $R/IAM_REPORT_users_policies_old.csv $R/IAM_REPORT_users_policies.csv $R/IAM_REPORT_users_policies_changes.txt

#Get Groups with associated policies ----------------------------------

cp -f $R/IAM_REPORT_group_policies.csv $R/IAM_REPORT_group_policies_old.csv 2>/dev/null
jq -r '.GroupDetailList[] | .GroupName as $g | .AttachedManagedPolicies[] | [$g, .PolicyName] | @csv' $R/output.json > $R/grouppolicies.csv
{ echo "Groups,Policies"; cat $R/grouppolicies.csv; } > $R/IAM_REPORT_group_policies.csv
report_changes $R/IAM_REPORT_group_policies_old.csv $R/IAM_REPORT_group_policies.csv $R/IAM_REPORT_group_policies_changes.txt

#Roles assigned to policies -------------------------------------------

cp -f $R/IAM_REPORT_role_policies.csv $R/IAM_REPORT_role_policies_old.csv 2>/dev/null
jq -r '.RoleDetailList | map(select(.AttachedManagedPolicies | length > 0))[] | .RoleName as $r | .AttachedManagedPolicies[] | [$r, .PolicyName] | @csv' $R/output.json > $R/rolepolicy.csv
{ echo "Role,Policy"; cat $R/rolepolicy.csv; } > $R/IAM_REPORT_role_policies.csv
report_changes $R/IAM_REPORT_role_policies_old.csv $R/IAM_REPORT_role_policies.csv $R/IAM_REPORT_role_policies_changes.txt

#Get IAM roles for group/user/service ---------------------------------
#Role, its inline and managed policies, and the principal(s) in its trust policy.
#A Principal.AWS given as a list (several account ARNs) is not handled by this filter.

cp -f $R/IAM_REPORT_role_assignment.csv $R/IAM_REPORT_role_assignment_old.csv 2>/dev/null
jq -rc '.RoleDetailList | map(select((.AssumeRolePolicyDocument.Statement | length > 0) and (.AssumeRolePolicyDocument.Statement[].Principal.Service) or (.AssumeRolePolicyDocument.Statement[].Principal.AWS) or (.AssumeRolePolicyDocument.Statement[].Principal.Federated) or (.AttachedManagedPolicies | length > 0) or (.RolePolicyList | length > 0)) )[] | [.RoleName,([.RolePolicyList[].PolicyName,([.AttachedManagedPolicies[].PolicyName] | join("--"))] | join(" ")),(.AssumeRolePolicyDocument.Statement[] | .Principal.Federated + "" + (.Principal.Service | if type == "array" then join("--") else . end) + "" + .Principal.AWS)] | @csv' $R/output.json > $R/roleassign.csv
#awk 'BEGIN{ FS=OFS="," }$2 ~ /^"arn:aws:iam:/{ $2 = ","$2 }1' $R/roles.csv > $R/roleassign.csv
{ echo "Role,Policy,User/Group/Service"; cat $R/roleassign.csv; } > $R/IAM_REPORT_role_assignment.csv
report_changes $R/IAM_REPORT_role_assignment_old.csv $R/IAM_REPORT_role_assignment.csv $R/IAM_REPORT_role_assignment_changes.txt

#zip files ------------------------------------------------------------
#The reports plus every non-empty *_changes.txt file

find $R -maxdepth 1 -name '*_changes.txt' -size +0 -print | zip /tmp/IAM_REPORT.zip -@ $R/IAM_REPORT_role_policies.csv $R/IAM_REPORT_group_policies.csv $R/IAM_REPORT_groups.csv $R/IAM_REPORT_users.csv $R/IAM_REPORT_users_policies.csv $R/IAM_REPORT_role_assignment.csv

#send email

echo "IAM Reports-IAM_REPORT" | mail -r rundeck@company.com -s "AWS IAM reports" -a /tmp/IAM_REPORT.zip "user@company.com"

########This section creates an HTML mail and sends the reports as the message body
########(commented out; it replaces the zip attachment above and needs python with pandas)

#prepare HTML: one table per report

#python - <<'END'
#import pandas as pd
#reports = {
#    'group_policy': 'IAM_REPORT_group_policies.csv',
#    'groups': 'IAM_REPORT_groups.csv',
#    'roles_assign': 'IAM_REPORT_role_assignment.csv',
#    'roles': 'IAM_REPORT_role_policies.csv',
#    'user_policy': 'IAM_REPORT_users_policies.csv',
#    'users': 'IAM_REPORT_users.csv',
#}
#pd.set_option('display.max_colwidth', -1)
#for name, csv in reports.items():
#    df = pd.read_csv('/media/IAM_REPORT/' + csv)
#    with open('/media/IAM_REPORT/%s.html' % name, 'wt') as out:
#        out.write(df.to_html(index=False))
#END

#Add labels to html files (the heading markup is assumed; the original tags were lost) ---

#add_label () {
#    local title="$1" file="$2"
#    echo -e "<h3>$title</h3>\n$(cat "$file")" > "$file"
#}
#add_label "IAM Groups" $R/groups.html
#add_label "IAM Group Policies" $R/group_policy.html
#add_label "IAM Roles Assignment" $R/roles_assign.html
#add_label "IAM Roles" $R/roles.html
#add_label "IAM User Policies" $R/user_policy.html
#add_label "IAM Users" $R/users.html

#Find changes in files (if any) ---------------------------------------

#find $R -maxdepth 1 -name '*_changes.txt' -size +0 -print -exec cat {} \; > $R/changes.txt

#if [ -s $R/changes.txt ]
#then
#    #strip the directory and the .txt suffix from the file names listed by find
#    sed -i 's%^/media/IAM_REPORT/%%;s/\.txt$//' $R/changes.txt
#    python - <<'END'
#with open("/media/IAM_REPORT/changes.txt") as contents, open("/media/IAM_REPORT/changes.html", "w") as e:
#    for line in contents:
#        e.write("<p>" + line.rstrip("\n") + "</p>\n")
#END
#    add_label "Changes" $R/changes.html
#    cat $R/mailheader $R/changes.html $R/users.html $R/user_policy.html $R/groups.html $R/group_policy.html $R/roles.html $R/roles_assign.html | sendmail -t
#else
#    cat $R/mailheader $R/no_changes.html $R/users.html $R/user_policy.html $R/groups.html $R/group_policy.html $R/roles.html $R/roles_assign.html | sendmail -t
#fi

mailheader file content:

To: user@company.com
From: someuser@example.com
Subject: AWS IAM Reports
Content-Type: text/html
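The jq pipeline above gets awkward around role trust policies (principals given as a list, a Statement that is a single object, inline policies). The following script is an added example, not part of the original post: it does the same report and diff in Python over the output of `aws iam get-account-authorization-details`, and handles those cases. The two snapshots are constructed JSON in the shape the CLI returns (only the fields used here), and the second one contains the kind of change the report is meant to catch: a user gaining AdministratorAccess and a role gaining a cross-account trust.

```python
"""Parse get-account-authorization-details output and diff two runs.

Added example; the snapshots below are constructed, not real account data.
"""
import json

SNAPSHOT_OLD = json.loads("""
{
 "UserDetailList": [
  {"UserName": "alice", "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess"}], "UserPolicyList": []},
  {"UserName": "bob", "AttachedManagedPolicies": [], "UserPolicyList": [{"PolicyName": "s3-inline"}]}
 ],
 "GroupDetailList": [
  {"GroupName": "admins", "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess"}], "GroupPolicyList": []}
 ],
 "RoleDetailList": [
  {"RoleName": "Azure_Role", "AttachedManagedPolicies": [], "RolePolicyList": [],
   "AssumeRolePolicyDocument": {"Statement": [
     {"Effect": "Allow", "Principal": {"Federated": "arn:aws:iam::233135199200:saml-provider/WindowsAD"},
      "Action": "sts:AssumeRoleWithSAML"}]}},
  {"RoleName": "lambda-exec", "AttachedManagedPolicies": [{"PolicyName": "AWSLambdaBasicExecutionRole"}],
   "RolePolicyList": [],
   "AssumeRolePolicyDocument": {"Statement": [
     {"Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]},
      "Action": "sts:AssumeRole"}]}}
 ]
}
""")

# Second run: bob got AdministratorAccess attached and lambda-exec now trusts another account.
SNAPSHOT_NEW = json.loads(json.dumps(SNAPSHOT_OLD))
SNAPSHOT_NEW["UserDetailList"][1]["AttachedManagedPolicies"].append({"PolicyName": "AdministratorAccess"})
SNAPSHOT_NEW["RoleDetailList"][1]["AssumeRolePolicyDocument"]["Statement"].append(
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"})


def _policy_names(entity, attached_key, inline_key):
    """Managed and inline policy names of a user/group/role entry."""
    names = [p["PolicyName"] for p in entity.get(attached_key, [])]
    names += [p["PolicyName"] + " (inline)" for p in entity.get(inline_key, [])]
    return names


def principal_policies(details):
    """Set of (kind, name, policy) rows for every user, group and role."""
    rows = set()
    for u in details.get("UserDetailList", []):
        rows.update(("user", u["UserName"], p) for p in _policy_names(u, "AttachedManagedPolicies", "UserPolicyList"))
    for g in details.get("GroupDetailList", []):
        rows.update(("group", g["GroupName"], p) for p in _policy_names(g, "AttachedManagedPolicies", "GroupPolicyList"))
    for r in details.get("RoleDetailList", []):
        rows.update(("role", r["RoleName"], p) for p in _policy_names(r, "AttachedManagedPolicies", "RolePolicyList"))
    return rows


def role_trust(details):
    """Set of (role, principal type, principal) rows from each role's trust policy."""
    rows = set()
    for r in details.get("RoleDetailList", []):
        statements = r.get("AssumeRolePolicyDocument", {}).get("Statement", [])
        if isinstance(statements, dict):          # a single statement is not wrapped in a list
            statements = [statements]
        for st in statements:
            if st.get("Effect") != "Allow":
                continue
            principal = st.get("Principal", {})
            if principal == "*":                  # anyone may assume the role
                rows.add((r["RoleName"], "AWS", "*"))
                continue
            for ptype, value in principal.items():
                for v in (value if isinstance(value, list) else [value]):
                    rows.add((r["RoleName"], ptype, v))
    return rows


def diff(old_rows, new_rows):
    """(added, removed) as sorted lists; the same thing comm -3 produces in the shell script."""
    return sorted(new_rows - old_rows), sorted(old_rows - new_rows)


if __name__ == "__main__":
    print("policy changes:", diff(principal_policies(SNAPSHOT_OLD), principal_policies(SNAPSHOT_NEW)))
    print("trust changes:", diff(role_trust(SNAPSHOT_OLD), role_trust(SNAPSHOT_NEW)))
```

In a scheduled job, load the previous run's output.json and the new one with `json.load`, feed both to `principal_policies` and `role_trust`, and alert on anything `diff` returns; the trust rows are the ones to watch most closely, since a new principal there is a new way into the account.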

In the previous post we created only one subtask for one issue. What about situations where we need to create subtasks for all issues that don't have one yet? Unfortunately there is no native JQL function that can check whether an issue has a subtask (third-party add-ons extend JQL with that), but the search API returns each issue's subtasks field, so we can filter on it client-side.
This Python script returns the JIRA keys of tasks without subtasks and creates a subtask for each (the original version read a saved copy of the search result from /var/lib/rundeck/1.json instead of the live response, which goes stale; it is fixed here):

#!/usr/bin/python
import json
import sys

import requests

# The JIRA password is passed as the first argument (e.g. a Rundeck job option).
password = str(sys.argv[1])
base_url = 'https://jira.corp.company.com'
auth = ('user', password)
headers = {'Content-Type': 'application/json'}

params = (
    ('jql', 'project="Technology" AND summary~"New User*" AND issuetype="Task" AND status!="DONE"'),
)

response = requests.get(base_url + '/rest/api/2/search', headers=headers, params=params, auth=auth)
response.raise_for_status()
data = response.json()

for issue in data['issues']:
    if len(issue['fields']['subtasks']) == 0:
        line = issue['key']
        payload = {"fields": {"project": {"key": "TECH"},
                              "parent": {"key": line.rstrip()},
                              "summary": "Create user account in Local AD. ",
                              "description": "Create user account in Local AD.",
                              "issuetype": {"name": "Sub-task"},
                              "customfield_10107": {"id": "10400"}}}
        response = requests.post(base_url + '/rest/api/latest/issue/',
                                 headers=headers, data=json.dumps(payload), auth=auth)
        response.raise_for_status()
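One thing the script above does not deal with is paging: /rest/api/2/search returns at most maxResults issues per call (the server caps the value, commonly at 50 or 1000), so reading only the first response silently skips the rest of the tasks. The following is an added example, not part of the original post, that walks all pages and returns the keys without subtasks. The search call is injected so the logic runs offline against a constructed fake; `jira_search` builds the real one with requests (server URL and credentials are whatever you pass in).

```python
"""Page through JIRA search results and pick the issues with no subtasks.

Added example; fake_jira() and SAMPLE_ISSUES are constructed stand-ins.
"""
try:
    import requests
except ImportError:   # only needed by jira_search(), not by the offline demo
    requests = None

JQL = 'project="Technology" AND summary~"New User*" AND issuetype="Task" AND status!="DONE"'


def jira_search(base_url, auth):
    """Return a search callable for a real JIRA server (not exercised offline)."""
    def search(params):
        r = requests.get(base_url + "/rest/api/2/search", params=params, auth=auth,
                         headers={"Content-Type": "application/json"})
        r.raise_for_status()
        return r.json()
    return search


def issues_without_subtasks(search, jql=JQL, page_size=50):
    """Keys of every matching issue whose 'subtasks' field is empty, across all pages."""
    keys, start_at = [], 0
    while True:
        page = search({"jql": jql, "fields": "subtasks", "startAt": start_at, "maxResults": page_size})
        issues = page.get("issues", [])
        keys += [i["key"] for i in issues if not i["fields"].get("subtasks")]
        if not issues:                  # never loop on an empty page
            break
        start_at += len(issues)         # advance by what the server actually returned
        if start_at >= page.get("total", 0):
            break
    return keys


def fake_jira(issues, server_cap=2):
    """Constructed stand-in for the search endpoint; caps maxResults like a real server."""
    def search(params):
        start = int(params["startAt"])
        size = min(int(params["maxResults"]), server_cap)
        return {"startAt": start, "maxResults": size, "total": len(issues),
                "issues": issues[start:start + size]}
    return search


# Constructed sample: five issues, two of which already have a subtask.
SAMPLE_ISSUES = [
    {"key": "TECH-1", "fields": {"subtasks": []}},
    {"key": "TECH-2", "fields": {"subtasks": [{"key": "TECH-9"}]}},
    {"key": "TECH-3", "fields": {"subtasks": []}},
    {"key": "TECH-4", "fields": {"subtasks": []}},
    {"key": "TECH-5", "fields": {"subtasks": [{"key": "TECH-10"}]}},
]

if __name__ == "__main__":
    print(issues_without_subtasks(fake_jira(SAMPLE_ISSUES), page_size=50))
```

Against a real server, `issues_without_subtasks(jira_search(base_url, ('user', password)))` drops straight into the creation loop of the script above; asking only for the subtasks field also keeps each page small.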

VPC peering is a networking connection between two VPCs that enables routing traffic between them. Instances in the peered VPCs can communicate using private IPs instead of public ones.

In this example one AWS account is shown in Google Chrome (the Requester, the account which requests the VPC peering) and the other in Mozilla Firefox (the Accepter, the account which needs to accept the peering request).

Requester settings

I created a VPC (for detailed steps take a look here). Take special care that the two VPCs do not have matching or overlapping IP ranges: AWS rejects a peering connection between overlapping CIDR blocks.

In this example I created a VPC with the 10.1.0.0/16 range and a 10.1.1.0/24 subnet

Creating VPC peering

Now we'll create VPC peering between the custom VPC (10.1.1.0/24, Requester) and the default VPC in another AWS account (172.31.0.0/16, Accepter)

From the VPC dashboard: Peering Connections - Create Peering Connection

Give it a name, specify the local VPC, select Another account (specify the AWS account ID of the remote account, the Accepter), the region and the remote VPC ID, and click Create Peering Connection

The remote VPC ID is found in the Accepter account's VPC dashboard.

Accepter settings:

Now, on the Accepter AWS account console (the account we want to peer with), accept the VPC peering connection

Modifying Route tables

One step remains: we now need to modify the routing tables so that each side knows how to reach the remote network:

On Requester:

The local network is 10.1.1.0/24 and the remote one is 172.31.0.0/16, so we add a route for the remote network with the peering connection as the target. From the VPC dashboard - Route Tables - click on the Routes tab - Edit - add another route

On the Accepter AWS console the remote network is 10.1.1.0/24, so add a route for that network with the peering connection as the target

Now create a new EC2 instance and put it in the custom VPC; a machine in this VPC should be able to communicate with EC2 instances in the other AWS account using private IP addresses. Routes alone are not enough: the security groups and network ACLs on both sides must also allow the traffic from the peer's CIDR.
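The overlap rule is the usual reason a peering request fails, and two default VPCs both using 172.31.0.0/16 is the classic case. The script below is an added example, not part of the original post or of any AWS tooling: it checks that two VPC CIDR blocks are disjoint and derives the route each side has to add (destination is the remote VPC's CIDR, target is the peering connection). The CIDRs are the ones used in the post; the peering connection ID is a made-up placeholder, since AWS assigns the real one. It routes the whole VPC CIDR, whereas the post adds a route for the 10.1.1.0/24 subnet only, which also works for that one subnet.

```python
"""Check two VPC CIDRs can be peered and derive the routes to add on each side.

Added example; PCX_ID is a placeholder for the ID AWS assigns to the peering.
"""
import ipaddress

PCX_ID = "pcx-0123456789abcdef0"   # assumed placeholder


def can_peer(cidr_a, cidr_b):
    """True if the two VPC blocks are disjoint (AWS only allows peering then)."""
    a = ipaddress.ip_network(cidr_a, strict=True)
    b = ipaddress.ip_network(cidr_b, strict=True)
    if a.version != b.version:
        raise ValueError("compare IPv4 with IPv4 (or IPv6 with IPv6)")
    return not a.overlaps(b)


def peering_routes(requester_cidr, accepter_cidr, pcx_id=PCX_ID):
    """Routes each side must add: destination is the remote CIDR, target the peering."""
    if not can_peer(requester_cidr, accepter_cidr):
        raise ValueError(f"{requester_cidr} and {accepter_cidr} overlap; AWS rejects this peering")
    return {
        "requester": {"destination": accepter_cidr, "target": pcx_id},
        "accepter": {"destination": requester_cidr, "target": pcx_id},
    }


def check_all_pairs(vpcs):
    """Given {name: cidr}, return the name pairs that cannot be peered because they overlap."""
    names = sorted(vpcs)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if not can_peer(vpcs[x], vpcs[y])]


if __name__ == "__main__":
    print(peering_routes("10.1.0.0/16", "172.31.0.0/16"))
    # Two default VPCs share 172.31.0.0/16 and therefore cannot be peered with each other.
    print(check_all_pairs({"custom": "10.1.0.0/16", "default-a": "172.31.0.0/16", "default-b": "172.31.0.0/16"}))
```

Run `check_all_pairs` over the CIDRs of every VPC you plan to connect before creating the peering; renumbering a VPC afterwards is far more work than picking disjoint ranges up front.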

The Chocolatey AU module is great for automatically updating multiple package files, but all setup files are downloaded to the temp folder; as a result a user installing the package needs an internet connection to download the newest installer. This PowerShell script copies the setup files into each package's tools folder so they ship inside the package.

#delete old setup files (the ones copied into the tools folders on the previous run)

Get-ChildItem -Path "Z:\*\tools\*" -Filter *.exe | Remove-Item -Force

#Delete the content of the TEMP folder (where the AU module stores downloaded packages).
#This wipes everything under $env:TEMP, so run the script under a dedicated account.

Set-Location $env:TEMP
Remove-Item * -Recurse -Force

#Update all packages

Z:

updateall

#Copy the new exe/MSI into the respective tools directory and create the packages.
#Sort by LastWriteTime and take the newest match, so the script does not break
#when more than one file matches the filter.

#ccleaner

$file = Get-ChildItem -Path $env:TEMP -Recurse -Filter cc*.exe | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item $file.FullName Z:\Ccleaner\tools\ccleaner.exe
Set-Location Z:\Ccleaner
choco pack

#VLC Player

$file = Get-ChildItem -Path $env:TEMP -Recurse -Filter vlc*.exe | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item $file.FullName Z:\VideoLAN\tools\vlcplayer.exe
Set-Location Z:\VideoLAN
choco pack

#WINRAR

$file = Get-ChildItem -Path $env:TEMP -Recurse -Filter winrar*.exe | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item $file.FullName Z:\WinRAR\tools\winrar.exe
Set-Location Z:\WinRAR
choco pack

#Same for all packages...