@avoidik
avoidik / README.md
Created May 16, 2019 20:13 — forked from iMilnb/README.md
AWS Terraform configuration: Stream CloudWatch Logs to ElasticSearch

Rationale

This snippet is a sample showing how to implement CloudWatch Logs streaming to ElasticSearch using Terraform. I wrote this gist because I didn't find a clear, end-to-end example on how to achieve this task. In particular, I understood the resource "aws_lambda_permission" "cloudwatch_allow" part by reading a couple of bug reports plus this Stack Overflow post.

The js file is actually the Lambda function automatically created by AWS when creating this pipeline through the web console. I only added an endpoint variable handling so it is configurable from Terraform.

@avoidik
avoidik / FiddlerClientCertPicker.cs
Created May 27, 2019 05:41 — forked from ericlaw1979/FiddlerClientCertPicker.cs
Fiddler client certificate picker extension
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Fiddler;
[assembly: Fiddler.RequiredVersion("2.5.0.0")]
namespace ClientCertPicker
{
    public class ClientCertPicker: IFiddlerExtension
    {
@avoidik
avoidik / HOWTO.md
Last active June 3, 2019 11:26
GCC on Windows with MSYS2

Install mingw using msys2 into c:\Tools\msys64\

  • install msys2
  • execute msys2_shell and then pacman -S mingw-w64-x86_64-gcc to install GCC
  • then run pacman -S mingw-w64-x86_64-sqlite3 to install the sqlite3 native library
  • add c:\Tools\msys64\mingw64\bin to the PATH environment variable
@avoidik
avoidik / vault-tree
Created June 18, 2019 10:36 — forked from mazenovi/vault-tree
explore recursively your vault by HashiCorp
#!/usr/bin/env bash
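function walk() {
  # tail -n +3 skips the two header lines of `vault list` output
  for secret in $(vault list "$1" | tail -n +3)
  do
    if [[ ${secret} == *"/" ]] ; then
      # entries ending in "/" are sub-paths: recurse into them
      walk "${1}${secret}"
    else
      echo "${1}${secret}"
    fi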
@avoidik
avoidik / AWS-AutoUnseal-HashiCorp-Vault.md
Created June 19, 2019 08:53 — forked from allthingsclowd/AWS-AutoUnseal-HashiCorp-Vault.md
HashiCorp Vault AWS KMS AutoUnseal Key Rotation Example (all keys are obsolete - just a demo)

A Walkthrough of Key Rotation of a HashiCorp Vault Cluster Using AWS KMS to AutoUnseal

PGP (Keybase) is used to encrypt the recovery keys

Built base environment using HashiCorp's Learn Website

ubuntu@ip-192-168-100-194:~$ export VAULT_ADDR=http://127.0.0.1:8200

ubuntu@ip-192-168-100-194:~$ vault status
@avoidik
avoidik / get_token.md
Created June 21, 2019 10:46 — forked from brianredbeard/get_token.md
aws, sts, and bash

About

AWS provides a mechanism for temporarily assuming another role within their API system. While it is not a technically hard process, it can be convoluted and hard to understand. This document aims both to make the process easier to follow and to give an in-depth explanation of some of the underpinnings of the Bourne Again Shell (aka BASH), which can make it easier to use on a day-to-day basis.

Explanation

Below is an overexplained version of the following process:

  1. Using credentials stored in ~/.aws/credentials as a "profile" which are then understood by the AWS command line tools
  2. Using those AWS credentials, temporarily assume a role using the AWS Security Token Service (STS) to get temporary
@avoidik
avoidik / git-prompt.sh
Last active August 14, 2020 11:49
git for windows git-prompt.sh to show branch and virtualenv
#!/bin/bash
PROMPT_DIRTRIM=2
RED="\[\033[0;31m\]"
YELLOW="\[\033[1;33m\]"
GREEN="\[\033[0;32m\]"
BLUE="\[\033[0;34m\]"
LIGHT_BLUE="\[\033[1;34m\]"
LIGHT_RED="\[\033[1;31m\]"
@avoidik
avoidik / script.sh
Created July 17, 2019 17:23
JWS in Vault
# JOSE header and JWT payload
HEADER='{"alg": "ES256","typ": "JWT"}'
PAYLOAD='{"sub": "1234567890","name": "John Doe"}'
# Create a key in Vault.
vault write transit/keys/mykey exportable=true type=ecdsa-p256
# Prepare header and payload for signing
HEADER_B64=$(echo $HEADER | openssl base64 -A)
PAYLOAD_B64=$(echo $PAYLOAD | openssl base64 -A)
@avoidik
avoidik / main.go
Created September 25, 2019 05:03 — forked from michelvocks/main.go
Vault Client API approle login
package main
import (
	"fmt"
	"log"

	"github.com/hashicorp/vault/api"
)
var client *api.Client