24 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Balazs Varga about 4 years ago
If we don't use tags on CloudWatch... can I still use StringLike to limit log access? I see the Describe part is global, but to get the logs I would like to limit the user to a specified log stream name (contains dev).
Henry Carter about 4 years ago (edited)
I can use SSM aws:domainJoin, but it joins with the AWS hostname. I tried using userdata with PowerShell Rename-Computer, but that stops the domain join... Does anyone know if there's a simple way to rename and join a Windows instance to AWS Active Directory?
Jim Park about 4 years ago
anyone going to re:play at re:invent?
Ishan Sharma about 4 years ago
Hello #terraform-aws-modules
I am trying to create an AWS Organizations account via Terraform and further want to deploy resources in it using an Azure DevOps pipeline.
I am still not that experienced with AWS IAM.
Modules are done, the account is provisioned (using an IAM user with appropriate rights); now I'm just confused about assume-role or trust policies.
What should I really do in the Terraform context to achieve my resource deployment using the IAM user?
Any help would be greatly appreciated 🙂 Thank you
Juan Soto about 4 years ago
Hi, I am in the middle of the process of migrating to AWS. But for licensing purposes we need to preserve the MAC address of a specific VM. Is there any way to migrate the VM to AWS and keep the MAC address of the VM?
Joe Niland about 4 years ago
Anyone else notice that AWS Support request more info on every SES Production use request, no matter what is put in the original support ticket request?
Almondovar about 4 years ago
Hi all, although we have 2 AZs we have only 1 NAT Gateway, and we now want to add a second one in AZ B. Do you know what the best way is to "predict" its costs?
Thanks 🙌
AugustasV about 4 years ago
How can I allow different groups access to different directories and commands on EC2 machines, using AWS Systems Manager?
N about 4 years ago (edited)
Hi all, I'm getting an "unable to load credentials from service endpoint" error while running an ECS task; the task role ARN is set, and the IAM role has permissions and has ecs-tasks in its trust policy.
N about 4 years ago
Any help will be appreciated
N about 4 years ago
Thanks
michael sew about 4 years ago (edited)
Question about the CloudWatch Log Groups that are enabled by turning on RDS log exports (i.e. alert, audit, listener, trace). Do those log groups get the same tags as your RDS instance? It seems like they don't get tagged; we have to go back and manually tag them. Instances are provisioned with Terraform, therefore I absentmindedly assumed everything got tagged by default by virtue of a tags = var.tags param.
/aws/rds/instance/my-rds-db-01/alert
/aws/rds/instance/my-rds-db-01/audit
/aws/rds/instance/my-rds-db-01/listener
/aws/rds/instance/my-rds-db-01/trace
N about 4 years ago
Hello everyone, any suggestions on this? - https://sweetops.slack.com/archives/CCT1E7JJY/p1639116866191300
BitsnBites about 4 years ago
Hi all, can I post a websocket question? I will, but if this is not the place please let me know and I can remove it; it's on AWS though.
I have a websocket in API Gateway connected to a Lambda that looks like this:
const AWS = require('aws-sdk');
const amqp = require('amqplib');
const api = new AWS.ApiGatewayManagementApi({
  endpoint: 'MY_ENDPOINT',
});
async function sendMsgToApp(response, connectionId) {
  console.log('=========== posting reply');
  const params = {
    ConnectionId: connectionId,
    Data: Buffer.from(response),
  };
  return api.postToConnection(params).promise();
}
let rmqServerUrl =
  'MY_RMQ_SERVER_URL';
// Module-level state: survives only within one warm Lambda container.
let rmqServerConn = null;
exports.handler = async event => {
  console.log('websocket event:', event);
  const { routeKey: route, connectionId } = event.requestContext;
  switch (route) {
    case '$connect':
      console.log('user connected');
      const creds = event.queryStringParameters.x;
      console.log('============ x.length:', creds.length);
      const decodedCreds = Buffer.from(creds, 'base64').toString('utf-8');
      try {
        // decodedCreds is expected to be "user:password"
        const conn = await amqp.connect(
          `amqps://${decodedCreds}@${rmqServerUrl}`
        );
        const channel = await conn.createChannel();
        console.log('============ created channel successfully:');
        rmqServerConn = conn;
        const [userId] = decodedCreds.split(':');
        const { queue } = await channel.assertQueue(userId, {
          durable: true,
          autoDelete: false,
        });
        console.log('============ userId:', userId, 'queue:', queue);
        channel.consume(queue, msg => {
          console.log('========== msg:', msg);
          // amqplib passes null when the consumer is cancelled by the server
          if (msg === null) {
            return;
          }
          const { content } = msg;
          const msgString = content.toString('utf-8');
          console.log('========== msgString:', msgString);
          sendMsgToApp(msgString, connectionId)
            .then(res => {
              console.log(
                '================= sent queued message to the app, will ack, outcome:',
                res
              );
              try {
                channel.ack(msg);
              } catch (e) {
                console.log(
                  '================= error acking message:',
                  e
                );
              }
            })
            .catch(e => {
              console.log(
                '================= error sending queued message to the app, will not ack, error:',
                e
              );
            });
        });
      } catch (e) {
        console.log(
          '=========== error initializing amqp connection',
          e
        );
        if (rmqServerConn) {
          await rmqServerConn.close();
        }
        const response = {
          statusCode: 401,
          body: JSON.stringify('failed auth!'),
        };
        return response;
      }
      break;
    case '$disconnect':
      console.log('user disconnected');
      if (rmqServerConn) {
        await rmqServerConn.close();
      }
      break;
    case 'message':
      console.log('message route');
      await sendMsgToApp('test', connectionId);
      break;
    default:
      console.log('unknown route', route);
      break;
  }
  const response = {
    statusCode: 200,
    body: JSON.stringify('Hello from websocket Lambda!'),
  };
  return response;
};
The amqp connection is for a RabbitMQ server that's provisioned by Amazon MQ. The problem I have is that messages published to the queue either do not show up at all in the .consume callback, or they only show up after the websocket is disconnected and reconnected. Essentially they're missing until a point much later after which they show up unexpectedly. That's within the websocket. Even when they do show up, they don't get sent to the client (app in this case) that's connected to the websocket. I've seen 2 different errors, but neither of them has been reproducible. The first was "Channel ended, no reply will be forthcoming" and the second was "write ECONNRESET", and it's not clear how they would be causing this problem. What could be the problem here?
DaniC (he/him) about 4 years ago
Hi folks, not sure if this is the right channel to ask:
What sort of technique / pattern have you adopted to build golden AMIs (the easy phase) and roll them out / upgrade them when you are not in the world of stateless apps? And how does it dance with TF / CFN + a CD pipeline?
I've seen Packer + CodeBuild + CodePipeline + CFN but I'm not very confident...
Dave Hill about 4 years ago
Hey everyone. I have an NLB that points to a private haproxy instance using port 443. It works fine, but when i enable the target group attribute "Preserve client IP addresses" my NLB starts timing out on port 443. Any idea why that would happen?
Dave Hill about 4 years ago
I may have found the answer. Our haproxy is in our office private IP space; when client IP preservation is enabled, targets must be in the same VPC as the Network Load Balancer, and traffic must flow directly from the Network Load Balancer to the target.
Beau about 4 years ago
I feel like this should be a simple solution but I've asked in multiple different places and have no answer yet, so I'm getting desperate. We have our environments set up as Elastic Beanstalk applications. I was tasked with adding the Splunk universal forwarder to these applications through the use of .ebextensions shell scripts. It hasn't been an issue except for the fact that when using the AWS CLI to pull down the credentials file from S3 (aws s3api get-object) I sometimes get an error of: Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY. It's completely random which environments error and which work fine. The shell script is being run by ec2-user, and on the servers that fail with that error, we can SSH into them and run the command as ec2-user and it works without issue. Does anyone know what would cause this / how to even look into what would be causing it?
Nikola Milic about 4 years ago
Is there an option to remove/modify task memory when using https://github.com/cloudposse/terraform-aws-ecs-container-definition? I want to set only container hard memory, but not task memory.
Nikola Milic about 4 years ago
The reason why I'm asking is that I've set container_memory = 1024 and I get this error: "The 'memory' setting for container is greater than for the task." And in the plan logs I can see that memory = 512, but I never explicitly set that in my TF files.
Victor Grenu about 4 years ago
Folks, please find below my collection of AWS Twitter bots:
1. 🤖 MAMIP: Tweets every time a new or updated AWS IAM Managed Policy is detected, with an associated git repository for the history of policies.
◦ https://twitter.com/mamip_aws
2. 🔍️ MASE: Tweets every time a new AWS service or AWS region endpoint is detected in the botocore GitHub repository.
◦ https://twitter.com/mase_aws
Cheers,
zoph
Sean Holmes about 4 years ago
Does anyone use boto3 in their CI/CD pipelines?
Sean Holmes about 4 years ago
Is the general consensus that terraform, CDK, and other abstractions are more adoptable for enterprise? boto3 is often used to make your own tools that do the same thing as those more polished alternatives these days right?
Antarr Byrd about 4 years ago
I'm getting an error saying "sandbox-uw-questions already exists in stack" when deploying my CloudFormation template. I even get this error after going in and deleting the bucket before deploying in the console.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Parameters:
  Environment:
    Type: String
  S3BucketName:
    Type: String
Resources:
  QuestionsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref S3BucketName
  QuestionsFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs14.x
      Handler: index.handler
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - s3:Get*
                - s3:List*
                - s3-object-lambda:Get*
                - s3-object-lambda:List*
              Resource:
                - !Sub "arn:aws:s3:::${S3BucketName}/*"
      InlineCode: !Sub |
        exports.handler = function(event, context) {
          console.log(event);
          return "${Environment}-uw-questions";
        };
      Events:
        S3Bucket:
          Type: S3
          Properties:
            Bucket: !Ref QuestionsBucket
            Events: s3:ObjectCreated:*