Posts

Showing posts with the label AWS

Securing Terraform and You, Part 3 -- The Finish Line

9/20: The open source version of Terraform is now OpenTofu. I swear, this is not a recurring series. The problem just -- finally -- got solved. Part 2 is over here. I went back to tfsec after seeing the simple start guide posted here, by Liam Galvin at Ghost Security. There are two aspects of my code: allow buckets starting with [word]; deny buckets that don't start with [word]. The initial guide only has "don't allow buckets that are exactly named this", but that's all I needed to actually get going! The problems could have been: the rego file and the terraform file don't play well in the same folder. Having the options in two separate subfolders helped, even though there was a command that I used to read both files in the same folder. Trivy ... I don't know. Maybe the metadata setup was incorrect - but if it's set up as comments -- readable by the program but not acknowledged in the rego -- who knows. I can work on that in the future. The code w

Securing Terraform and You Part 2 -- Trivy by AquaSecurity

9/20: The open source version of Terraform is now OpenTofu. Part one is over here. This comes as the 3rd tool in a long line of tools I am using to make Terraform (OpenTofu) code consistent. I went back to the Styra Academy courses for OPA Policy Writing. I am very much a "Just show me the general idea, and I can probably figure it out" person, and I am reasonable enough to say that it didn't work this time, and I had to take the slow road. Good start; Trivy told us where it installed: trivy info installed /usr/local/bin/trivy /Users/morganza/Library/Caches/trivy. The homebrew package had an outdated version, so I had to install v. 0.40.0 myself and link it to the previously installed 0.18.0, I believe -- see the GitHub discussion here. We are now back to rego, but fortunately, Trivy works as intended when you run it locally with the following command: trivy conf --policy . --namespaces morganza . There was an odd combination of YAML with a bit of rego involved for tfsec -- can

Securing Terraform and You Part 1 -- rego, Tfsec, and Terrascan

9/20: The open source version of Terraform is now OpenTofu. Sometimes, I write articles even when things don't work. It's about showing a learning process. Using IaC means consistency, and one thing you don't want to do is have 5 open S3 buckets on AWS that anyone on the internet can reach. That's where tools such as Terrascan and Tfsec come in, where we can make our own policies and rules to be checked against our code before we init. As this was contract work, I can't show you the exact code used, but I can tell you that this blog post by Cesar Rodriguez of Cloud Security Musings was quite helpful, as well as this one by Chris Ayers. The issue is using Rego; I found a cool VS Code extension, Terrascan Rego Editor, as well as several courses on Styra Academy: Policy Authoring and Policy Essentials. The big issue was figuring out how to tell Terrascan to follow a certain policy; I made it, put it in a directory, and ran the program while in that directory

Using AWS Systems Manager and Patch Groups

This is a way to manage your cloud setup and patch your AWS infrastructure in a way that meets certain parameters. There are multiple operating systems you can choose from; it's the equivalent of saying "Hey, I have a Linux machine here; search through all of the Linux options only and see if my particular instance needs a patch." Or "Here's a group of Windows Servers; check for patches once a week and let me know." If you have multiple instances with multiple operating systems, you can put those into Patch Groups and designate an OS to each; however, an instance can only be in one AWS Patch Group (PG) at a time. The most challenging part was simply setting things up. I did this in two accounts: In my root account, with the help of this video on YouTube, I simply put in instances and applied patches easily. In an IAM account, I had to have multiple permissions, and even then it took about 2 days for the instances to be acknowledged and for me to have patches atta

Log Sorting with AWS CloudWatch, AWS CloudWatch Insights

The cool thing is, I was contracted to make these videos in collaboration with CloudAvail Technology Consulting to help people decide which service they wanted to use for their logging - AWS CloudWatch, AWS CloudWatch Insights, DataDog, or New Relic. I'm searching through nginx logs. I have accompanying videos of each service that you can find on the CloudAvail YouTube page; see these links to go to the DataDog and New Relic posts. The idea was to be subjective in the videos, but I can be objective on my personal blog. CloudWatch: The syntax is odd, but easy to grasp. Sort log data by IP addresses, message codes, and status codes. The simplest query system, but not quite robust. Insights: The syntax has changed - vastly. I see major SQL influences. You can see that in how the parse function works - in this case, it often takes pieces of a pre-existing standard - in this case, message - and breaks them into their own categories you can reference. The funct

Using AWS Data Migration Service

Want to share this easily? Check out the Notion page. By Morgan Lucas (she/her), from this video by Johnny Chivers. We use data migration services to, well, migrate data. But why would we want to do this? Perhaps... We're moving our business to the cloud, and need to shift all of that cold storage we have onsite. We want to use it as a backup in case our infrastructure is out of commission. We could have information to share with a 3rd party, and instead of giving access to on-site databases, we put it on AWS to share. Nevertheless, let's recap what I've done: Created a publicly accessible, password-protected database with Amazon Aurora with PostgreSQL Compatibility to migrate to Amazon DynamoDB. Managed inbound rules of the security group to limit access. Used open source software HeidiDB to interact with the database via a TCP/IP session and a specific URL for the DB (not shown here for security). Connected to the Aurora PostgreSQL database and ran queries that deleted and created tables

A Serverless Application on AWS

By Morgan Lucas, from Adrian Cantrill's More Than Certified / GitHub. Find the Notion page HERE. Pictured: Someone who would get use out of the app. Technologies used: AWS, Lambda, Step Functions, API Gateway, S3, SNS & SES. What Is This?: A small app for pets to bother you for cuddles that will send an alert to a phone and an email address. Both points of contact must be opted in first. Stage 1: I register 4 objects - two email addresses (sending messages, receiving messages) and 2 phone numbers (one to receive SMS [text messages], and an origination number). Stage 2: I used CloudFormation (again, our old friend) to create an IAM role that email_reminder_lambda uses to interact with other AWS services. Really beats searching through the policies! In the Lambda console, I create a function that uses the Python 3.9 runtime and the LambdaRole created via CloudFormation. There are multiple entries called some variation of LambdaRole, so look for the one with SES/SNS and Cloud

Building a Dev Environment in Terraform in AWS (From More than Certified)

Want to see a better formatted version of this post? Check my Notion! Created a development environment using AWS and Terraform including a route table, internet gateway, security group, public subnet, and EC2 instance, using templates, provisioners, and key generation for remote access. NEW Concepts Learned: aws_ami - a data segment instead of a resource that pulls an owner number, filters by name (with Userdata - made it a template file; it bootstraps the instance as well as installing the docker engine. AMI searcher in EC2 Console - going to search the AMI in the Instance Launcher, then returning to the EC2 console to search it for the owner number and other info. ssh-keygen - I used PuTTY for previous keys. Terraform's homemade File function - for relative file paths for shorter access. The .tpl extension - makes templates that map to certain sections of the main code. Usually using ${ }, but that's also very module-esque, I feel. Call it with templatefile(). Provisioners - I think it's u

Using Terraform and AWS Cloud9

Wanted to try Cloud9 but didn't feel like making an EC2 instance in the GUI. So I made a Terraform file instead, remade a default VPC, and it took 20 minutes of troubleshooting. #AWS — Morgan (@runtcpip) February 1, 2022. 9/20/2023: The open source version of Terraform is now OpenTofu. 👉🏾 Find the Notion page of this post here, if it's easier for you. It certainly looks nicer! Setup: An EC2 instance; a reference to the default VPC, which I had to remake, as I had deleted mine. Downloading Terraform into Cloud9: Instructions here. Done and done. Now, how about using it? The kicker (or blessing) is that Cloud9 doesn't auto-save, like I've set my VSCode up to do. Had to do a lot of manual saving, but it wasn't a struggle. The lock file is created, but I don't see it in my file system to the left until resources have been pushed, so I made a simple bucket to try it out. Because this instance is attached to my AWS account, I suppose anything I make within th

Building AWS Infrastructure with Python (+ Learning the Code)

Follow along with more DevOps stuff! It's not only CloudFormation and YAML we can use to build infrastructure in AWS - the ever-popular Python is here. I like how the docs say it should take around 6 minutes, and I'm here on maybe... minute 34 waiting for packages to finish installing. I'm sure it doesn't account for setup, but for a while, I was concerned I had misconfigured something. No, there are just a ton of packages to download. Node.js had to not only open PowerShell, but update my chocolatey and some VS Code components. Importing Python packages happens in consoles/terminals. You have to import them each session. So, I open a terminal in VS Code to install this Pipenv Virtual Environment Package, in theory. The hardest part is always installing Python packages, as I never remember what command works in Windows Terminal. It's never pip install or apt-get, but 'python -m pip install [package]', when you are not in the Python prompt. Now, into the cmd

Working With Terraform Modules for AWS

9/20/2023: The open source version of Terraform is now OpenTofu. Terraform (now OpenTofu) for AWS is somewhat clearer than Terraform for Azure - easier to grasp than YAML and its finicky formatting. After pushing some DevOps Terraform (TF) configurations live to AWS, I wondered if I could push a static webpage. Situation - Why Would You Use This? To quickly spin up the front-end for a simple webpage that might take user input after attaching it to back end services that accept and hold the data. What Other Options Are There? I've documented hosting static webpages through Azure before on here through various methods - the process is somewhat intensive and relies strongly on interconnected systems: GitHub to host the code, Azure Webapps to take the code and display it. Another option would be using Netlify, but that works best for truly single-page apps like this. It looks like it has different pages to the untrained eye, but it's only one. Task - How Is It Done? Here, t

Business Bonus: AWS Outage (12/7/2021)

There was an AWS outage a few days ago; you were probably impacted in one way or another. If any of my appliances would ever e-mail me, I think I'd die of shock. Everything from Disney+ to McDonald's was affected, as US-East-1 was US-East-None for a few hours. Even Amazon delivery drivers and warehouse workers couldn't complete their breakneck, no-bathroom tasks. My Alexa couldn't reach AWS. "Guess I better attach it to the new hotspot..." I thought, before moving on with my day and not doing that. Turns out, my hotspot wasn't the issue.

Two Factor Authentication and AWS Cognito Identity Pools

There's always a video to watch. Things to learn, labs to try - and a thought hit: what service does AWS provide that allows users to log in with Two Factor Authentication (2FA)? A refresher: 2FA is a combination of what you know, who you are, what you have - and in the future, probably what you ate for breakfast - to log into sensitive systems. As of 2021, Google made 2FA mandatory for logging in to your Google accounts. For the DoD folks out there, that keycard you use to log into a computer is a form of 2FA. A fingerprint scanner, or an authentication app on your phone, also counts. Back to the question - does AWS have options for 2FA if you use their Directory options?

Get in CloudFormation; A Timeline learning IaC for AWS

Want to share this page easily? Here's a Notion page. A big shoutout to Pluralsight for their free weekend, and James Millar for a great introductory course. For the longest time, I couldn't see how people found this easy, but this helped. (Why did we make up so many programming languages that only work based upon the correct formatting of spaces and tabs? Readability is important, but when you're just beginning, the way I learn, I'm interested in 'it works' first and 'it's pretty' second.) The (paid) project: Create an instance that has basic security rules from a security group it's in. The most difficult part was learning the tool and the formatting. This was much easier in Terraform (now OpenTofu) for AWS, but this time we wanted to use CloudFormation. The Numbers: Resources Created: At least 11: VPC, MacOSImageID*, MacOSInstanceKeyName*, InternetGateway, PublicInternetRoute, VPCGatewayAttachment, PublicInternetRouteTable, PublicSubnet01, P

Deploying Docker Containers in AWS and Wandering Around Clusters

Or, at least learning more about each. And self-learning is the important part, right? And welcome back to not only AWS, but Docker as well. This is a bit of an older post, as I have more experience with Terraform's containerized environments in Azure over AWS. Instructions: There is a Console First Run Wizard, here. I have an exceedingly vague idea of what this means in full. A cluster is essentially the pack of what you need to run something. Bing (yes, Bing) says it's a 'logical grouping of tasks or services'. So 'containers' are the 'physical' grouping, if we consider 'physical = code'. We can define a service, which allows us to run and maintain a specified number of simultaneous instances of a task definition. It sounds a little like a limited pool of IP addresses. This is the free tier; AWS only gives us one. The instructions emphasize Elastic Load Balancing... which took me a while to realize and find. And now the

AWS servers hit by sustained DDoS attack, Making us All Say "It's Always DNS"

Article. If you aren't familiar with Route 53 on AWS, it's a Domain Management module. So, the DDoS attack battered the records that tie IP addresses to FQDNs. From 6:30pm BST on Tuesday, a handful of customers suffered an outage to services while the attack persisted, lasting until approximately 2:30am on Wednesday morning, when services to the Route 53 DNS were restored. This was the equivalent of a full working day in some parts of the US. Amazon also encouraged users to specify the region their bucket was in when trying to update the configuration of clients. What have we learned? Anything can be attacked. Hopefully, you didn't have to learn that, as that is the mantra of anyone working in IT (right after "It's always DNS"). After all, there is no cloud, it's just someone else's computer: you still need backups, though I admit I'm not sure how you'd store DNS records (though I can configure them in Cisco Command Line

Serverless Application with Node.js, AWS CodeStar and Cloud9

Instructions: here. Technologies: Node.js, AWS CodeStar, AWS Cloud9. Node.js is running JavaScript on Chrome's V8 engine that is event-driven. I used it quite a bit in the past year without actually understanding what it truly does - run JavaScript without a browser, including applications that use JS. According to the instructions above, Cloud9 is an IDE (Integrated Development Environment) where you write, run, and debug code in popular programming languages. CodeStar builds and deploys the applications: "Create service role?" "Why yes, I believe I will." The above image is from the instructions linked above. On the project template page, I pick Node.js. Then I name it 'nodejs-serverless-project' 'serverless-brooklyn'. It's not as if the name prevents the tutorial from working, right? And I select AWS CodeCommit. CodeStar will set up a complete integration pipeline (while monitoring with CloudWatch), Co

AWS: Connecting to an EC2 Linux Instance

Haven't practiced this in a few months. Back to establish the basics. Before, I just jumped into the available white papers on Amazon's site. While informative, a lot of it went over my head. Learning the simpler things such as using EC2, Linux, and PuTTY works to make the information stick. I'm using the yearly free tier of AWS for practice. Many things are run on Amazon's infrastructure - like Netflix. Have to keep up with that! But how do you use PuTTY to connect to your instance? You change the key Amazon gives you (.pem) to one with a .ppk extension using PuTTYgen. Key blocked. Then you use said adjusted key, your given login name, and your public DNS IPv4 chain-code thing on your EC2 Management page (the blanked-out square under 'Host Name (or IP Address)'). DNS IPv4 chain-code blocked. We have connectivity! What happened? I spun up a Virtual Machine on EC2 / AWS, installed an Amazon variant of Linux, and SSH'd into it with pu

AWS Pricing

The price is... varied. How it works is more important than how it's priced at this point, so this will be brief(er). EC2 and RDS have Reserved Capacity, saving up to 75% over the equivalent on-demand capacity. Instances are:

AWS: The Video Star

Or: How to Stream Video within Network Confines (And Prevent Piracy). How it's delivered: Content ————> Consumer. Compression happens. Packaging happens based upon protocols. How does it adapt to the variation in network speeds?