curl -Ls https://gist.githubusercontent.com/atheiman/45e45ada59e558b21f951d8e81faf345/raw/cloudshell-setup.sh?$RANDOM | bash
atheiman
/ 1-config.tf
Last active
December 4, 2024 01:18
AWS Config custom policy rule using Guard to evaluate tag compliance. Deployed as an OrganizationConfigRule w/ Terraform
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_providers { | |
| aws = { | |
| source = "hashicorp/aws" | |
| version = ">= 5.0" | |
| } | |
| } | |
| } | |
| resource "aws_config_organization_custom_policy_rule" "required_tags" { |
atheiman
/ config_tag_compliance.tf
Last active
December 4, 2024 01:18
Terraform to deploy a Config custom rule w/ Lambda function to evaluate resource tag compliance
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_providers { | |
| aws = { | |
| source = "hashicorp/aws" | |
| version = ">= 5.0" | |
| } | |
| } | |
| } | |
| data "aws_partition" "current" {} |
atheiman
/ config_aggregator_rule_compliance_query.py
Created
October 15, 2024 21:52
Query an AWS Config aggregator for rule compliance and write the results to a CSV file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import boto3 | |
| import botocore | |
| import os | |
| import datetime | |
| import re | |
| import csv | |
| from functools import lru_cache | |
| sts = boto3.client("sts") |
atheiman
/ config_evaluation.py
Last active
December 4, 2024 01:19
AWS Config custom rule for resource tag compliance evaluation. Deployed as CloudFormation stacks.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # See documented events sent by Config here: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_example-events.html | |
| # | |
| # It is much easier to write evaluations for rules using ConfigurationItemChangeNotification and | |
| # OversizedConfigurationItemChangeNotification. These notifications include the resource as recorded | |
| # by Config. The Lambda function can review the resource config json and submit an evaluation for | |
| # the resource. | |
| # | |
| # ScheduledNotification events are not specific to a resource, the event only includes | |
| # the account id and rule name. Lambda functions must list all the resources in the account using | |
| # service apis, call the appropriate apis to evaluate the resources config, and then submit |
atheiman
/ config_aggregator_query.py
Last active
December 4, 2024 01:19
Example of querying AWS Config aggregator using Python and boto3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # Example usage: | |
| # | |
| # ~ $ export AWS_PROFILE=organization-management-account | |
| # ~ $ export AGGREGATOR_NAME=my-config-aggregator | |
| # ~ $ python ~/tmp/config_aggregator_query.py | |
| # 53 resources inspected | |
| # |
atheiman
/ template.yml
Last active
August 14, 2024 10:34
CloudFormation template to create a CodeCommit repo and CodeBuild CI/CD. Updates to the main branch and pull requests trigger builds. Feature branch build status is commented on pull requests.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Usage examples: | |
| # | |
| # Create a new CodeCommit repository with CodeBuild CI/CD | |
| # | |
| # aws cloudformation deploy \ | |
| # --stack-name my-new-project \ | |
| # --template-file ./template.yml \ | |
| # --capabilities CAPABILITY_IAM \ | |
| # --parameter-overrides 'RepositoryDescription=My new project description' | |
| # |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Install GNU parallel in a CentOS-based docker container (e.g. for CI/CD) | |
| # install needed dependencies | |
| yum install -q -y bzip2 tar make perl | |
| # download source | |
| curl -s -L -o /tmp/parallel.tar.bz2 https://ftpmirror.gnu.org/parallel/parallel-latest.tar.bz2 | |
| # extract source | |
| tar -C /tmp -xjf /tmp/parallel.tar.bz2 | |
| # navigate into extracted source | |
| cd /tmp/parallel-* | |
| # build and install |
atheiman
/ openssl-create-ca-and-server-cert.sh
Last active
February 11, 2024 01:25
Generate a CA cert and private key, then issue a cert to a server
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| set -eux | |
| CA_FILE_PREFIX="${CA_FILE_PREFIX:-"example-corp-ca"}" | |
| CA_CN="${CA_CN:-"Example Corp CA"}" | |
| CA_SUBJ="${CA_SUBJ:-"/C=US/O=Example Corp/CN=${CA_CN}"}" | |
| SERVER_CN="${SERVER_CN:-"server.example.com"}" | |
| SERVER_FILE_PREFIX="${SERVER_FILE_PREFIX:-"${SERVER_CN}"}" | |
| SERVER_SUBJ="${SERVER_SUBJ:-"/C=US/O=Example Corp/CN=${SERVER_CN}"}" |
atheiman
/ 2x2Vpc.yaml
Last active
November 3, 2020 06:19
VPC with generated CIDR block determined by AWS account ID + Region. 4 subnets (Public/Private, 2 AZs).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: > | |
| Builds a basic /24 2x2 VPC (Public/Private, 2 AZs). The VPC CIDR block is determined by a combination | |
| of the account ID and Region, giving a _very strong_ probability of a unique range within an | |
| Organization. | |
| Parameters: | |
| VpcNameTag: | |
| Type: String | |
| Default: 2x2 | |
| VpcCidrSuffix: |
NewerOlder