24 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Aritra Banerjee over 3 years ago (edited)
Hi everyone,
I am trying to get the output of a command using aws sdk javascript v3. I am having trouble understanding how to get the output.
import { SSMClient, SendCommandCommand } from "@aws-sdk/client-ssm";
const client = new SSMClient({ region: "us-west-2" });
const command = new SendCommandCommand(SSM_Command_Parameters);
const response = await client.send(command);
// SendCommand returns only the command metadata, including its id
ssm_output_id = response.Command?.CommandId
I am getting the command id from this but I am unable to figure out how to get the actual output of the command. Any help will be appreciated
tweetyix over 3 years ago
I’d say call listcommandinvocations.
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_ListCommandInvocations.html
Aritra Banerjee over 3 years ago
didn't send the output unfortunately
tweetyix over 3 years ago
Have you investigated all of the data structure?
Ray Botha over 3 years ago
I have a question about ACM Private CA pricing if anyone knows: it's $400 per month per CA, right, but does that mean they charge you for each subordinate CA you add to your structure even in the same account/region? So if you have a security account with a root CA and 4 subordinate CAs that's $2000 per month? The pricing just gets worse and worse the more you try to follow general or PCA best practices...
Srinan over 3 years ago
Is there a way to effectively use cloudtrail logs to alert on suspicious logins or monitor login activity to console?
Paula over 3 years ago
Hi! I'm using this module https://github.com/cloudposse/terraform-aws-ecs-codepipeline with codestar_connection_arn to use Github v2 and not the deprecated version. When I apply the changes, it always tries to create 2 pipelines and fails because it can't create 2 pipelines with the same name... Is it a bug or is there a way to fix it?
Adnan over 3 years ago
Does anybody have experience with AWS EKS using AWS EFS?
I need a place to store/read some data (5-10MB file) very fast
and have it available consistently on multiple pods.
Balazs Varga over 3 years ago
what is the most elegant way to work with private hosted zones in organization? let's say we have a tool in account that needs to access resources in account b where account b uses private hosted zone.
is the only way the following?
• authorize from account b so account a can add the vpc to the hosted zone
• add vpc to the hosted zone using account a iam role
akhan4u over 3 years ago
What are some considerable parameters for tuning the PostgreSQL performance on RDS? Any suggestions based on implementations?
Balazs Varga over 3 years ago
is there any issue with ohio a zone ? us-east-2a currently
Balazs Varga over 3 years ago
I have a prometheus on a cluster and would like to monitor cluster b, when I create cluster b currently I modify the configmap and reload the prometheus to be able to monitor the new cluster. since we are moving to organization based accounts, I need to do this modification from subaccount. My idea is to move the configmap to s3 and share it between accounts, so I can modify from account b without a permission request to the cluster A or account A ...
Do you know anything about how could I check the s3 modification. I found only to mount the s3 and use inotify. ... any other direct way ?:D
Shlomo Daari over 3 years ago
Hi, I’m receiving the following error -> Packet for query is too large (5,739,780 > 4,194,304).
When checking MySQL side, I saw the allowed values is between: 1024-1073741824
When I’m trying to increase it over this limit, it is not letting me. Any suggestions?
Herman Smith over 3 years ago
Couple EKS permission questions:
1. The IAM user which created the EKS cluster is given special permissions outside of aws-auth. Where can I observe that permission assignment?
2. What happens when that original IAM user is deleted, can that be done? (And if so, without anything else in aws-auth: presumably one completely loses access to the cluster, can it be regained?)
idan levi over 3 years ago
Hey all!
I need to create ReadWriteMany volume in my EKS env, I tried with gp2/gp3 StorageClass but I’m getting that error:
Warning ProvisioningFailed 9s (x6 over 76s) persistentvolume-controller Failed to provision volume with StorageClass "gp2": invalid AccessModes [ReadWriteMany]: only AccessModes [ReadWriteOnce] are supported
Does someone know how to create one?
Gary Cuga-Moylan over 3 years ago
Hello. Anyone know how to modify an existing S3 policy using the cloudfront-s3-cdn module?
I’m trying to use the cloudfront-s3-cdn module to create two CloudFront distros - pointing at different directories in the same S3 bucket.
I have successfully created the two CF distros, and have them pointing at the correct origins, and can see that the Response Header Policies are working correctly. The problem I am running into is I cannot figure out how to modify the existing S3 policy to allow the second CF distro access.
When I set override_origin_bucket_policy to true and run terraform plan it looks like the existing policy will be wiped out and automatically replaced (which would break the integration between the first CF distro and the bucket).
When I set additional_bucket_policy and run terraform plan it appears to have no effect.
See example code in thread 👇️
Vlad Ionescu (he/him) over 3 years ago
Vlad Ionescu (he/him) over 3 years ago
(I posted this in #aws and not #github-actions cause folks using other CIs can use the S3 caching too)
Aritra Banerjee over 3 years ago
Hi,
I verified a domain initially a long time back in SES using 1024 bit dkim key. I now updated the key to 2048 bit. The issue is that out of three cname records, only one is showing key length as 2048 bit, another is showing length as 1024 bit and another is showing empty. The 1024 bit key is flagged by a bitsight report. Any help with this will be appreciated
Mike Robinson over 3 years ago
I've got a weird one. We're using terraform-aws-eks-cluster (2.3.0), and terraform-aws-eks-iam-role (0.10.3). During an upgrade operation, the cluster wanted to update its OIDC provider thumbprint.
  # module.eks_cluster.aws_iam_openid_connect_provider.default[0] will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "default" {
        id = "arn:aws:iam::276255499768:oidc-provider/[REDACTED]
        tags = {
            "Attributes" = "cluster"
            "Environment" = "[REDACTED]"
            "Name" = "[REDACTED]"
        }
      ~ thumbprint_list = [
          - "9e99a48a9960b14926bb7f3b02e22da2b0ab7280",
        ] -> (known after apply)
        # (4 unchanged attributes hidden)
    }
Didn't seem like a big deal, but plans were failing with the following:
Error: Invalid for_each argument
  on .terraform/modules/dev_services.eks_iam_role/main.tf line 79, in resource "aws_iam_policy" "service_account":
  79: for_each = var.aws_iam_policy_document != null ? toset(compact([module.service_account_label.id])) : []
The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.
It looks like eks-iam-role v1.0.0 might fix the for_each situation, is anyone able to confirm? What's really got me puzzled is, why is the thumbprint update affecting the iam-role module at all? As far as I can tell, a thumbprint list change doesn't change the value of eks_cluster_identity_oidc_issuer which is passed into the module as eks_cluster_oidc_issuer_url
Herman Smith over 3 years ago
Has anybody observed differences between what IAM Policy Simulator reports as allowed vs what is truly allowed via the CLI?
Running via CLI:
aws sts assume-role --role-arn arn:aws:iam::MY_ACCOUNT:role/MY_ROLE --role-session-name test --source-identity MY_SOURCE_IDENTITY
Yields:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::MY_ACCOUNT:user/MY_USER is not authorized to perform: sts:SetSourceIdentity on resource: arn:aws:iam::MY_ACCOUNT:role/MY_ROLE
Whilst IAM Policy Simulator, using exactly the same action (SetSourceIdentity) and role resource, as the same IAM user, reports allowed 🤔 (A separate AssumeRole action for that same role also shows as allowed in the simulator)
Amrutha Sunkara over 3 years ago
Hello Folks, is there a terraform module that any of you know of/use to create a tunnel via SSM?
Vicente over 3 years ago
Hello, we are planning to replicate our AWS RDS database into Azure for Disaster Recovery purposes, what would be the best service from AWS or Azure to achieve this task effectively?
Josh B. over 3 years ago
FYI us-east-2 is having network issues