Questions tagged with DevOps
Hi AWS, I am trying to deploy a CloudFormation stack to create an IAM user and attach IAM policy to it based on account number. I have used two accounts i.e. Account1 and Account2. The three templates for policy1, policy2 and IAM user are provided below:
# IAM POLICY1:
```
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template deploys AWS IAM policy to provide s3 access along with KMS
Parameters:
  ReadOnlyBucketARN:
    Type: String
    Description: ARN of the buckets to grant read permissions
  s3WriteBucketAccess:
    Type: String
    Description: ARN of the buckets to grant write permissions
  KMSKeyArn:
    Type: String
    Description: Comma delimited list of KMS Key Arn(s)
  FuncUsername:
    Type: String
    Description: Name for Functional user
Conditions:
  S3WriteBucketAccessProvided: !Not [!Equals [!Ref s3WriteBucketAccess, ""]]
  S3ReadBucketAccessProvided: !Not [!Equals [!Ref ReadOnlyBucketARN, ""]]
  KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]
Resources:
  AccessPolicy1:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${FuncUsername}_access_policy1
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - !If
            - S3ReadBucketAccessProvided
            - Sid: "S3ReadAccess"
              Effect: "Allow"
              Action:
                - "s3:List*"
                - "s3:Get*"
              Resource: !Split
                - ","
                - !Ref ReadOnlyBucketARN
            - !Ref "AWS::NoValue"
          - !If
            - S3WriteBucketAccessProvided
            - Sid: "S3WriteAccess"
              Effect: "Allow"
              Action:
                - "s3:PutAnalyticsConfiguration"
                - "s3:AbortMultipartUpload"
                - "s3:PutBucketVersioning"
                - "s3:PutLifecycleConfiguration"
                - "s3:PutInventoryConfiguration"
                - "s3:DeleteObjectVersion"
                - "s3:RestoreObject"
                - "s3:DeleteObject"
                - "s3:DeleteObjectTagging"
                - "s3:PutObjectVersionTagging"
                - "s3:DeleteObjectVersionTagging"
                - "s3:PutObject*"
                - "s3:PutBucketNotification"
              Resource: !Split
                - ","
                - !Ref s3WriteBucketAccess
            - !Ref "AWS::NoValue"
          - !If
            - KMSKeysProvided
            - Sid: "KMSKeysAccess"
              Effect: "Allow"
              Action:
                - "kms:Decrypt"
                - "kms:Encrypt"
                - "kms:DescribeKey"
                - "kms:ReEncrypt*"
                - "kms:GenerateDataKey*"
                - "kms:RevokeGrant"
                - "kms:ListGrants"
                - "kms:CreateGrant"
              Resource: !Split
                - ","
                - !Ref KMSKeyArn
            - !Ref "AWS::NoValue"
          - Effect: "Allow"
            Action:
              - s3:ListAllMyBuckets
              - s3:HeadBucket
            Resource: "*"
            Condition:
              Bool:
                aws:SecureTransport:
                  - True
          - Effect: "Allow"
            Action:
              - "kms:ListAliases"
            Resource: "*"
            Condition:
              Bool:
                aws:SecureTransport:
                  - True
Outputs:
  AccessPolicyArn:
    Value: !Ref AccessPolicy1
```
# IAM POLICY2:
```
#version: 1.0
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template deploys an IAM policy for a functional user
Parameters:
  FuncUsername:
    Type: String
    Description: Name for Functional user
Resources:
  AccessPolicy2:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${FuncUsername}_access_policy2
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: IAMAccess
            Effect: Allow
            Action:
              - iam:*
            Resource: "*"
Outputs:
  AccessPolicy2Arn:
    Value: !Ref AccessPolicy2
```
# IAM USER:
```
# version: 1.0
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This Template Deploys Basic AWS Functional User along with s3 bucket read/write access
Parameters:
  StackNameTag:
    Type: String
    Description: Name of stack as entered above
  TemplateUsedTag:
    Type: String
    Description: Template used in creating this stack
  FuncUsername:
    Type: String
    Description: Name for Functional user
  s3ReadBucketArn:
    Type: String
    Description: Comma delimited list of s3 bucket Arn for read access
  s3WriteBucketArn:
    Type: String
    Description: Comma delimited list of s3 bucket Arn for read/write access
  kmskeyArn:
    Type: String
    Description: Comma delimited list of kms key Arn
  PrimaryOwner:
    Type: String
    Description: Primary Owner for this user
  SecondaryOwner:
    Type: String
    Description: Secondary Owner for this user
  CostCentre:
    Type: String
    Description: Cost Centre
  BusinessUnit:
    Type: String
    Description: Business Unit
  Account1:
    Type: String
    Description: AWS Account1
  Account2:
    Type: String
    Description: AWS Account2
Conditions:
  OnlyInAccount1: !Equals
    - !Ref Account1
    - !Ref 'AWS::AccountId'
  OnlyInAccount2: !Equals
    - !Ref Account2
    - !Ref 'AWS::AccountId'
  #OnlyInAccount1: !Not [!Equals [!Ref Account1, ""]]
  #OnlyInAccount2: !Not [!Equals [!Ref Account2, ""]]
  # Condition1and2:
  #   Fn::And:
  #     - Condition: OnlyInAccount1
  #     - Condition: OnlyInAccount2
Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      ManagedPolicyArns:
        - Fn::GetAtt:
            - FuncUserPolicy
            - Outputs.AccessPolicyArn
        - Fn::GetAtt:
            - FuncUserPolicy2
            - Outputs.AccessPolicy2Arn
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
        - Key: cost_centre
          Value: !Ref CostCentre
        - Key: business_unit
          Value: !Ref BusinessUnit
        - Key: Creation_Stack
          Value: !Ref StackNameTag
        - Key: Stack_Template
          Value: !Ref TemplateUsedTag
  FuncUserPolicy:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount1
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy1.yaml
      Parameters:
        ReadOnlyBucketARN: !Ref s3ReadBucketArn
        s3WriteBucketAccess: !Ref s3WriteBucketArn
        KMSKeyArn: !Ref kmskeyArn
        FuncUsername: !Ref FuncUsername
  FuncUserPolicy2:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount2
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy2.yaml
      Parameters:
        FuncUsername: !Ref FuncUsername
```
As you can see in the `IAM USER` template, when I was trying to deploy the stack using the conditions that are now commented out, both policy1 and policy2 were getting attached to the IAM user. But when I tried to modify the condition to attach a specific policy, either policy1 or policy2, to the user in the given account, it gives me the following error: **Template format error: Unresolved resource dependencies [FuncUserPolicy2] in the Resources block of the template**
Can someone help me in fixing this issue?
Thanks
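One way to make the account-dependent attachment itself conditional, as an added example and not part of the original post: a resource that carries a `Condition` may only be referenced from inside an `Fn::If` on that same condition, with `AWS::NoValue` as the other branch, so the reference disappears in the account where the nested stack is not created. Resource, parameter and condition names are the ones from the question's `IAM USER` template; only the `FuncUser` resource is shown.

```yaml
Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      ManagedPolicyArns:
        # FuncUserPolicy only exists when OnlyInAccount1 holds, so the
        # GetAtt must sit inside an If on the same condition; an
        # unconditional GetAtt is what produces "Unresolved resource
        # dependencies [FuncUserPolicy2]" in the other account.
        - !If
          - OnlyInAccount1
          - !GetAtt FuncUserPolicy.Outputs.AccessPolicyArn
          - !Ref AWS::NoValue
        # Same pattern for the policy2 nested stack; AWS::NoValue drops
        # the list entry entirely rather than leaving an empty string.
        - !If
          - OnlyInAccount2
          - !GetAtt FuncUserPolicy2.Outputs.AccessPolicy2Arn
          - !Ref AWS::NoValue
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
```

Separately from the template error, `AccessPolicy2` grants `iam:*` on `*`, which lets the functional user change its own permissions; scoping it to the specific IAM actions and resources the user needs keeps the blast radius of a leaked access key small.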
In other CI/CD environments like GitHub Actions, I used to skip builds if pushes and pull requests had strings like [skip ci] in any commit message. Is there a way to set that behavior in the Source stage of a pipeline with CodeCommit as the Action provider? Or at least a workaround inside the Build? The lack of this feature could be a deal breaker for my project needs.
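A workaround inside the Build stage, as an added example and not something from the original question: the buildspec looks up the commit message with `aws codecommit get-commit` and makes the expensive build commands conditional on a marker file. It assumes the CodeBuild service role is allowed `codecommit:GetCommit`, that `REPO_NAME` holds the CodeCommit repository name, that `CODEBUILD_RESOLVED_SOURCE_VERSION` carries the commit id CodePipeline handed to the build, and that `make build` / `make test` stand in for the real build steps.

```yaml
version: 0.2

env:
  variables:
    # CodeCommit repository name (assumed; set it per project)
    REPO_NAME: my-repo

phases:
  pre_build:
    commands:
      # One block scalar runs as a single shell, so MSG stays in scope here.
      # Other phases run in fresh shells, so the decision is persisted in a
      # marker file rather than an exported variable.
      - |
        MSG=$(aws codecommit get-commit \
          --repository-name "$REPO_NAME" \
          --commit-id "$CODEBUILD_RESOLVED_SOURCE_VERSION" \
          --query commit.message --output text)
        if printf '%s' "$MSG" | grep -qi '\[skip ci\]'; then
          touch /tmp/skip-ci
          echo "[skip ci] found in commit message, build steps will be skipped"
        fi
  build:
    commands:
      - if [ -f /tmp/skip-ci ]; then echo "skipping build"; else make build; fi
  post_build:
    commands:
      - if [ -f /tmp/skip-ci ]; then echo "skipping tests"; else make test; fi
```

The pipeline execution still starts and the Build action still reports success; the marker only suppresses the work inside it, which is the closest a CodeCommit source action gets to GitHub's behaviour.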
Hi AWS,
I have created an EC2 instance and its key pair using terraform code. The terraform code for the same is:
```
resource "aws_instance" "test_ec2_instance_production" {
  ami                         = var.ami_id
  instance_type               = var.instance_type
  subnet_id                   = aws_subnet.public_subnet.0.id
  vpc_security_group_ids      = [aws_security_group.test_security.id]
  tags = {
    Name = "${var.default_tags.project_name}-${var.default_tags.environment}-ec2-instance"
  }
  key_name                    = var.generated_key_name
  associate_public_ip_address = true
  monitoring                  = true
}

// Create key-pair for EC2 instance
resource "tls_private_key" "prod_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "generated_key" {
  key_name   = var.generated_key_name
  public_key = tls_private_key.prod_key.public_key_openssh
  provisioner "local-exec" {
    command = <<-EOT
      echo '${tls_private_key.prod_key.private_key_pem}' > test-prod-keypair.pem
      chmod 400 test-prod-keypair.pem
    EOT
  }
}
```
I have generated the keys using the command `ssh-keygen -t rsa -m PEM`.
Now I am trying to provide the private key in the SSH server configuration setting of Jenkins and I am getting this error: **jenkins.plugins.publish_over.BapPublisherException: Failed to connect and initialize SSH connection Message [Auth fail]**
Also I am not able to login into the EC2 using SSH connection command as the key is broken and getting this error:
**ec2-user@ec2-x-xxx-xx-xxx.us-east-2.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)**
Now the issue is that this is a production environment and the key is broken. Is there any way to replace the key with a new one without terminating the instance? Further down the line I need a proper RSA key which I can add to the Jenkins SSH remote host to build my pipeline. Also, as you know, Jenkins doesn't accept the OpenSSH key format.
Also I need to know the steps to generate the RSA key and to copy it into the .pem file which we are going to use for the SSH connection with EC2. Please help!
In my CDK project, I use a lot of Docker images for various services. These images are for different platforms, since Fargate doesn't support Spot ARM64. Building all of these images on my own machine (an Apple M1 Pro) can be quite cumbersome.
Out of curiosity, I was wondering if there is a convenient way to build these Docker images on AWS. Ideally, when I run 'cdk deploy --all', it would upload my assets to AWS, build the Docker images, and publish the results on ECR.
Do you have any ideas on how I could achieve this?
Dear Team,
Is there any estimated date when AWS Elastic Beanstalk Service will be available in UAE / me-central-1 Region?
I see many relevant services but could not see it working.
Best Regards
We are, as of an hour ago, getting the following error on all of our environments (multiple AWS accounts). Everything was working fine 6 hours ago.
No changes to configuration of CodeDeploy or Autoscaling Groups have been made today.
The deployment failed because a non-empty field was discovered on your Auto Scaling group that Code Deploy does not currently support copying. Unsupported fields: [DescribeAutoScalingGroupsResponse.DescribeAutoScalingGroupsResult.AutoScalingGroups.member.TrafficSources.member.Type]
Are there any issues here that AWS are aware of?
If not, how do I see what the value of the variable is?
Hello! I downloaded the AWS Client VPN for Mac and the installation failed (see photo below). I did not change any default settings when going through the installation steps -- I simply agreed to the terms and kept on clicking the "next" button. I am running a macOS Ventura version 13.2.1. I also tried restarting my computer. Same issue. The installation failed. Any advice would be much appreciated, thanks!

I'm trying to run integration tests with the dynamodb-local Docker container using CodeBuild in my CodePipeline.
I'm able to build the container and `docker ps` shows the container is running.
I can run my unit tests that don't use the container.
If I `curl https://localhost:8000` I'm getting the `MissingAuthenticationToken` response that is expected.
But when I try to create a table in my test fixtures or try `aws dynamodb list-tables --endpoint-url http://localhost:8000` I'm getting a ReadTimeout Error.
I am trying to deploy a Landing Zone from my CLI using the LZA CloudFormation template and the AWS GitHub repo: https://github.com/awslabs/landing-zone-accelerator-on-aws#aws-acceleratorconfig and I am stuck at a parameter field which I do not know what it is referring to. I have made the section bold (AcceleratorQualifier,ParameterValue=<Accelerator_Qualifier>); I would appreciate it if someone could explain to me what value I need to input in that section. Many thanks
```
aws cloudformation create-stack --stack-name AWSAccelerator-InstallerStack --template-body file://cdk.out/AWSAccelerator-InstallerStack.template.json \
--parameters ParameterKey=RepositoryName,ParameterValue=<Repository_Name> \
ParameterKey=RepositoryBranchName,ParameterValue=<Branch_Name> \
ParameterKey=**AcceleratorQualifier,ParameterValue=<Accelerator_Qualifier> \**
ParameterKey=ManagementAccountId,ParameterValue=<Management_Id> \
ParameterKey=ManagementAccountEmail,ParameterValue=<Management_Email> \
ParameterKey=ManagementAccountRoleName,ParameterValue= \
ParameterKey=LogArchiveAccountEmail,ParameterValue=<LogArchive_Email> \
ParameterKey=AuditAccountEmail,ParameterValue=<Audit_Email> \
ParameterKey=EnableApprovalStage,ParameterValue=Yes \
ParameterKey=ApprovalStageNotifyEmailList,ParameterValue=comma-delimited-notify-emails \
ParameterKey=ControlTowerEnabled,ParameterValue=Yes \
--capabilities CAPABILITY_IAM
```
I am trying to get an SSL certificate with Let's Encrypt for nginx. First, I added EPEL using the commands `$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm` and `$ sudo rpm -ihv --nodeps ./epel-release-latest-8.noarch.rpm`, and it was added with no problem. Then I used `sudo yum install python3-certbot-nginx` and got the error message:
```
Problem: package certbot-1.22.0-1.el8.noarch requires python3-certbot = 1.22.0-1.el8, but none of the providers can be installed
- conflicting requests
- nothing provides python3.6dist(setuptools) >= 39.0.1 needed by python3-certbot-1.22.0-1.el8.noarch
- nothing provides python3.6dist(cryptography) >= 2.5.0 needed by python3-certbot-1.22.0-1.el8.noarch
- nothing provides python3.6dist(configobj) >= 5.0.6 needed by python3-certbot-1.22.0-1.el8.noarch
- nothing provides python3.6dist(distro) >= 1.0.1 needed by python3-certbot-1.22.0-1.el8.noarch
- nothing provides /usr/bin/python3.6 needed by python3-certbot-1.22.0-1.el8.noarch
- nothing provides python3.6dist(pytz) needed by python3-certbot-1.22.0-1.el8.noarch
- nothing provides python(abi) = 3.6 needed by python3-certbot-1.22.0-1.el8.noarch
(try to add '--skip-broken' to skip uninstallable packages)
```
I also tried
```
sudo dnf install python3-certbot-nginx
```
I learned I may need CodeReady Builder but haven't been able to install it. Please, how can I get it? If that is not the issue, please, what am I doing wrong and how can I resolve it?
Not able to clone a specific CodeCommit repository, getting the below error:
fatal: unable to access 'URL': The requested URL returned error: 403
Done
Getting the below error message:
mysqli_real_connect(): php_network_getaddresses: getaddrinfo failed: Name or service not known