copied from https://gist.github.com/mafonso/7ee51981581f544ed52c
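#!/usr/bin/env bash
# List the access keys of every IAM user in the account, one user at a time
# (useful for an access-key audit: users that have keys at all, keys that are
# old, or users holding two active keys).
# Requires credentials allowed to call iam:ListUsers and iam:ListAccessKeys.
set -euo pipefail

# Ask for the user names with --query instead of taking the last text column,
# which moves when optional fields such as PasswordLastUsed are present.
# The names are consumed with `while read` rather than `for ... in $(...)`
# so they are never word-split or glob-expanded. Under `set -e` any failing
# aws call stops the script, which matches the original's `exit` on a
# status above 128 (the CLI's own error status is already in that range).
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' \
  | while IFS= read -r user; do
      [[ -n "${user}" ]] || continue
      aws iam list-access-keys --user-name "${user}" --output text
    done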
copied from https://gist.github.com/mafonso/7ee51981581f544ed52c
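#!/usr/bin/env bash
# List the access keys of every IAM user in the account, one user at a time
# (useful for an access-key audit: users that have keys at all, keys that are
# old, or users holding two active keys).
# Requires credentials allowed to call iam:ListUsers and iam:ListAccessKeys.
set -euo pipefail

# Ask for the user names with --query instead of taking the last text column,
# which moves when optional fields such as PasswordLastUsed are present.
# The names are consumed with `while read` rather than `for ... in $(...)`
# so they are never word-split or glob-expanded. Under `set -e` any failing
# aws call stops the script, which matches the original's `exit` on a
# status above 128 (the CLI's own error status is already in that range).
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' \
  | while IFS= read -r user; do
      [[ -n "${user}" ]] || continue
      aws iam list-access-keys --user-name "${user}" --output text
    done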
A few example scripts that follow the guidance in https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
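#!/usr/bin/env bash
# list.sh - print the instance IDs that AWS Config reports as NON_COMPLIANT
# for the IMDSv2 rule, one per line.
# The rule name is whatever you named your copy of the managed rule
# EC2_IMDSV2_CHECK when you created it ("ec2-imdsv2-check" by default here,
# or pass another name as $1). Config rules are evaluated per region, so run
# this with the same region you will remediate in.
set -euo pipefail

rule_name="${1:-ec2-imdsv2-check}"

# Let Config filter server-side so only non-compliant evaluations come back,
# keep the client-side select as a belt-and-braces check, then pull the
# resource id (the instance id) out of each evaluation in a single jq pass.
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name "${rule_name}" \
  --compliance-types NON_COMPLIANT \
  | jq -r '.EvaluationResults[]
           | select(.ComplianceType == "NON_COMPLIANT")
           | .EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId'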
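#!/usr/bin/env bash
# Require IMDSv2 (session tokens) on every instance that ./list.sh reports as
# non-compliant, then read the metadata options back to verify.
# Needs ec2:ModifyInstanceMetadataOptions and ec2:DescribeInstances, and
# ./list.sh must be run against the same region as the one set below.
set -euo pipefail

region="whatever-your-region" # ex) region="eu-west-1"

echo "fetching instance ids for new changes to apply"
# One array element per line of list.sh output. The original looped over a
# single quoted string, so every id ended up in one --instance-id argument.
mapfile -t ids < <(./list.sh)
if (( ${#ids[@]} == 0 )); then
  # Without this guard an empty id list would make describe-instances below
  # describe every instance in the region.
  echo "nothing to do: no non-compliant instances reported" >&2
  exit 0
fi

echo "going to enforce IMDSv2 on ${#ids[@]} instance(s)"
for instance_id in "${ids[@]}"; do
  # --http-tokens required makes IMDS reject token-less (IMDSv1) requests, so
  # anything on the instance still using IMDSv1 loses metadata and role
  # credentials; check agents and SDK versions first. NOTE(review): if
  # containers on the host reach IMDS through a bridge network you may also
  # need a larger --http-put-response-hop-limit, since the default of 1 does
  # not pass the extra hop.
  aws ec2 modify-instance-metadata-options \
    --region "${region}" --instance-id "${instance_id}" \
    --http-tokens required \
    --http-endpoint enabled
done

echo "now verifying the results"
# Print one "<instance-id> success|fail" line per instance so a failure can be
# attributed. The change may still be applying right after the loop
# (MetadataOptions.State "pending"), so re-run this check if something fails.
result="$(
  aws ec2 describe-instances --region "${region}" --instance-ids "${ids[@]}" \
    | jq -r '.Reservations[].Instances[]
             | "\(.InstanceId) " + (if .MetadataOptions.HttpTokens == "required"
                                      and .MetadataOptions.HttpEndpoint == "enabled"
                                    then "success" else "fail" end)'
)"
printf '%s\n' "${result}"
# Non-zero exit when any instance is not yet enforced, so callers can notice.
if grep -q ' fail$' <<<"${result}"; then
  exit 1
fi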
Disabling IMDSv1 is more complicated to do correctly than it first appears, and it can cause unexpected outages: once tokens are required, anything on the instance that still uses IMDSv1 (for example older SDKs or agents) stops getting metadata and role credentials. Watch https://www.youtube.com/watch?v=bi3bIs92xE0 for more detail.
Use a Lightsail instance as an on-demand Docker daemon, and delete it once it is no longer needed
Sometimes Docker Desktop on M1 machines doesn't handle amd64 images very well, so an Intel-based daemon might be useful.
This method probably doesn't suit long-lived instances, and destroying instances frequently wastes network bandwidth, since pulling Docker images can easily take gigabytes at a time.
# Makefile
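# Settings. Keep comments on their own line: GNU make keeps the whitespace
# between a value and a trailing `#`, so `x = foo # c` assigns "foo " to x.
instance-name = your-instance-name
# Name of a key pair whose public key you uploaded to Lightsail in advance,
# which makes the SSH step a lot smoother.
key-pair-name = id_ed25519
# Region and availability zone every Lightsail call below targets.
region = us-west-2
zone = us-west-2a

# One-off: fetch the Docker role the playbook depends on.
.PHONY: galaxy-docker
galaxy-docker:
	ansible-galaxy install geerlingguy.docker

# Write a one-host inventory for the instance's public IP. Fails instead of
# writing an empty or "null" host when the instance has no public IP yet.
# NOTE(review): every `make lightsail` creates a fresh host key, so if the
# name (and possibly the IP) is reused, ssh/ansible will refuse to connect on
# a known_hosts mismatch; drop the stale entry with `ssh-keygen -R <ip>`
# rather than disabling host-key checking.
.PHONY: inventory
inventory:
	ip="$$($(MAKE) --no-print-directory lightsail-ip)"; \
	test -n "$$ip" || { echo "no public IP yet for $(instance-name)" >&2; exit 1; }; \
	printf '%s ansible_user=ubuntu ansible_become=true\n' "$$ip" > inventory
	ansible-inventory -i inventory --list

.PHONY: playbook
playbook:
	ansible-playbook -i inventory playbook.yaml

# Pick whatever bundle/blueprint makes sense to you.
# NOTE(review): the instance gets a public IP; consider restricting its
# Lightsail firewall (`aws lightsail put-instance-public-ports`) to your own
# address rather than leaving SSH open to the world.
.PHONY: lightsail
lightsail:
	AWS_DEFAULT_REGION=$(region) \
	aws lightsail create-instances \
	  --instance-names=$(instance-name) \
	  --blueprint-id=ubuntu_20_04 \
	  --bundle-id=xlarge_2_0 \
	  --availability-zone=$(zone) \
	  --key-pair-name=$(key-pair-name)

.PHONY: lightsail-delete
lightsail-delete:
	AWS_DEFAULT_REGION=$(region) \
	aws lightsail delete-instance --instance-name=$(instance-name)

# Print the instance's public IP, or nothing at all while it has none
# (`// empty` suppresses jq's "null"), so callers can test for emptiness.
.PHONY: lightsail-ip
lightsail-ip:
	@AWS_DEFAULT_REGION=$(region) \
	aws lightsail get-instance \
	  --instance-name=$(instance-name) \
	| jq -r '.instance.publicIpAddress // empty'

.PHONY: lightsail-instances
lightsail-instances:
	AWS_DEFAULT_REGION=$(region) aws lightsail get-instances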
# playbook.yaml
# based on https://github.com/geerlingguy/ansible-role-docker
# Install Docker on every host in the inventory with geerlingguy's role.
- hosts: all
  vars:
    # Accounts the role adds to the `docker` group (per the role's README).
    # NOTE(review): membership in that group is effectively root on the host,
    # so keep this list to the account you actually drive the daemon with.
    docker_users:
      - ubuntu
  roles:
    - role: geerlingguy.docker
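## usages
# one-off: install the docker role that playbook.yaml depends on
make galaxy-docker
# create instance (it may return before the instance has a public IP; give it a minute)
make lightsail
# create inventory based on the lightsail instance's ip
make inventory
# install docker via the playbook
make playbook
# to debug
make lightsail-instances
# to clean up (the instance keeps costing money until this runs)
make lightsail-delete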