RB nitrocode

Cell based architecture to reduce traffic over azs
Ipv6 to remove nats
Nat instances using alternat
S3 bucket key enablement for encrypted buckets to reduce kms
Savings plans instead of reserved instances
Restricting services and regions by scps
Aws budgets on cost and usage
Using nlbs instead of albs
Rightsizing
Spot instances

Use Kandji to run local homebrew commands

The current script simply uses kandji to run local homebrew to upgrade xz if it's vulnerable.

This is very useful if kandji was not used to provision homebrew and was installed by the user.

The way it works is

Get the prefix of homebrew which is different if on arm or x86
Determine the user that installed homebrew

Renovatebot Cheat Sheet

Run locally

docker run --rm -ti \
  -e LOG_LEVEL=debug \
  -e GITHUB_COM_TOKEN="$GITHUB_COM_TOKEN" \
  -v /tmp:/tmp \
 -v $(pwd):/usr/src/app \

AWS Cheat Sheet

Just some quick cli commands to help in specific situations

Get max asg desired capacity over a period

This grabs the max desired capacity in the last 30 days then uses jmespath max to get the max of the returned time series.

aws cloudwatch get-metric-statistics \

data "aws_iam_policy_document" "hello" {
  statement {
    sid       = "VisualEditor0"
    effect    = "Allow"
    resources = ["arn:<PARTITION>:ec2:<REGION>:<ACCOUNT_ID>:instance/${ec2:InstanceID}"]
    actions   = ["ec2:CreateTags"]

multi account role assumption

Here are the steps

Identify an ingress aws account for your primary aws role (where atlantis first assumes a role)
Create standard iam roles across each aws account that allows the role from 1 (primary aws role) to assume these new roles
Stand up atlantis and have it assume role 1 (primary aws role) by default
Use the terraform block in each terraform root dir to assume the appropriate role. If you do not have an internal account map module, you can hard code the role_arn in the aws provider block.

1password-cli (op) cheatsheet

This came in handy when rummaging, managing, deduplicating, and improving the health of a company 1password

List all vault names

op vault list | cut -d' ' -f4- | sed 's,^ ,,g'

Use OPA on Terraform HCL code

Sample terraform with a resource that we'd like to catch

# main.tf
resource "null_resource" "default" {
  provisioner "local-exec" {
    command = "sh -c 'echo hi'"
  }

Atlantis with awscli v2

Commands

Download the Dockerfile

wget https://gist.githubusercontent.com/nitrocode/62505b0623cd9bf27e4b39a3f98412f5/raw/Dockerfile

	#!/bin/bash

	# Thanks to Andrew Zhang in hangops on 2024-10-18

	# Get the battery percentage
	battery_info=$(pmset -g batt)
	battery_discharging=$(echo "$battery_info" \| grep discharging -c)
	battery_percentage=$(echo "$battery_info" \| grep -o "[0-9]*%" \| tr -d '%')

	# Check if the battery percentage is less than threshold