Ryan Lane ryan-lane
ryan-lane
/ gist:b23c4536f1a8eeac69a6050601429f77
Created
June 20, 2017 21:25
example confidant config file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| default: | |
| url: https://confidant.example.com | |
| auth_key: alias/confidant-production | |
| auth_context: | |
| # from context will be auto-set | |
| to: confidant-production | |
| user_type: user | |
| token_cache_file: '/Users/myhomedir/.confidant_token' | |
| region: us-east-1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Ensure {{ grains.workers.web.cluster_name }} asg exists: | |
| boto_asg.present: | |
| - name: {{ grains.workers.web.cluster_name }} | |
| - launch_config_name: {{ grains.workers.web.cluster_name }} | |
| - launch_config: | |
| - image_id: {{ pillar.ec2_ami.iad.ubuntu14.hvm_ssd }} | |
| - key_name: sshunusablekey | |
| - security_groups: | |
| - {{ grains.service_name }} | |
| - instance_profile_name: {{ grains.workers.web.cluster_name }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Ensure {{ grains.workers.web.cluster_name }} elb exists: | |
| boto_elb.present: | |
| - name: {{ grains.workers.web.cluster_name }} | |
| - listeners: | |
| - elb_port: 80 | |
| instance_port: 80 | |
| elb_protocol: HTTP | |
| - elb_port: 443 | |
| instance_port: 80 | |
| elb_protocol: HTTPS |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Ensure elb-external security group exists: | |
| boto_secgroup.present: | |
| - name: elb-external | |
| - description: elb-external | |
| - rules: | |
| - ip_protocol: tcp | |
| from_port: 80 | |
| to_port: 80 | |
| cidr_ip: | |
| - 0.0.0.0/0 |
ryan-lane
/ call-awseipext.py
Last active
August 1, 2016 03:04
Call to awseipext lambda with KMS auth token
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import boto3 | |
| payload = { | |
| 'action': 'associate', | |
| 'resource': '52.0.0.1', | |
| 'instance_id': 'i-12345', | |
| 'username': username, | |
| 'token': token | |
| } |
ryan-lane
/ generate-token.py
Last active
August 1, 2016 03:05
Token and username generation for KMS authentication
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import kmsauth | |
| generator = kmsauth.KMSTokenGenerator( | |
| # KMS key to use for authentication to the lambda | |
| 'alias/awseipext-production-iad', | |
| # Encryption context to use | |
| { | |
| # We're authenticating to this service | |
| 'to':'awseipext-production-iad', | |
| # It's from this IAM role |
ryan-lane
/ decrypt-policy.json
Last active
August 1, 2016 01:11
Extended KMS authentication encrypt policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "kms:Decrypt", | |
| "kms:DescribeKey" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "arn:aws:kms:us-east-1:12345:key/1234abcd-12ab-34cd-56ef-1234567890ab", |
ryan-lane
/ encrypt-policy.json
Last active
August 1, 2016 03:03
Extended KMS authentication encrypt policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "lambda:Invoke*" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "arn:aws:lambda:us-east-1:12345:function:awseipext-production-iad" | |
| }, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import boto3 | |
| client = boto3.client('dynamodb') | |
| client.describe_table(TableName='confidant') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Shady looking variables, with high entropy values | |
| ACCESS_TOKEN = 'lWxxtmzKD78tmCP8tIcQ' | |
| ACCESS_TOKEN_SECRET = 'l6q3ztS5pMz5i62WvovPyrAAjRfczKIHtmv' | |
| # Innocent looking variable, but shady looking dict key with a high | |
| # entropy value. | |
| INNOCENT_DICT = {'secret1': 'O80NhqsbKahKnqioQdv7'} | |
| def check_password(password): | |
| # Comparison with a high entropy string |
NewerOlder