Workshops Classroomnotes 15/Dec/2022

Lab Setup

AWS CLI

• We will be creating 3 groups
  • Admin:
    • Permission for everything
  • tester:
    • Permission for reading specific services
  • dev:
    • Permission for read and create but not delete on specific services.
• We will configure admin as default profile in AWS CLI
• We will create two profiles test and dev
• Lets use paris region.
• Any stuff to copy paste throughout this class Refer Here
• Configure the aws cli
• Way to check if it working
  

Activity: Figure out the zones and local zones in paris region

• Aws cli:

aws ec2 describe-availability-zones

• Output options: Refer Here
  • json
  • table
  • text
  • yaml
• Redirect the output of the availability zones to some json file
• Upload this file to Refer Here

aws ec2 describe-availability-zones --query "AvailabilityZones[0].ZoneId"

• Get multiple values
  

Scenario-1

• Your organization is running a database in different account which is present is zone with id eu-w3-az1. You are also asked to create an ec2 instance in the same AZ. We need to figure out matching zone name
• Input => zone id
• Output => zone name

AvailabilityZones[?ZoneId=='euw3-az1'].ZoneName | [0]

aws ec2 describe-availability-zones --query "AvailabilityZones[?ZoneId=='euw3-az1'].ZoneName | [0]"

• Try Find the zone id for the zone name eu-west-3b

Activity 2: Find all the iam policies not created by Amazon

• First lets figure out a way to pull all the customer managed policies
• To filter output, try to follow the below approaches
  • see if any argument supports your filter
  • see if there is filter argument which can help
  • use jmes path to filter out based on output.
• In this case we have scope Refer Here

aws iam list-policies --scope Local

• Now we are asked to delete all the policies which are customer managed Refer Here
• We need policy arns
• Consider the following script

#!/bin/bash
policy_arn=$(aws iam list-policies --scope Local --query 'Policies[].Arn|[0]' --output text)
echo "found ${policy_arn}"
while [[ ! -z "$policy_arn" ]]
do
    # lets get first arn

    echo "The policy arn to be deleted is ${policy_arn}"
    aws iam delete-policy --policy-arn ${policy_arn} --output text
    echo "The policy arn is successfully deleted"
    policy_arn=$(aws iam list-policies --scope Local --query 'Policies[].Arn|[0]'  --output text)
done

• The problem with above approach is it might never end.
• other approach: Get all the policy arns into an array and write a while or foreach loop over array. This will never be infinite loop.

Activity 3 – Tagging and filtering the resources based on tags

• Resource Tags
  • helps in filtering the resources
  • filter the bills based on tags.
• Lets create an ec2 instance and then add the following tags
  • Project = qtworkshop
  • Env = test
  • team = qtaws
  • release = v1.0
    
• From cli
  
• Now try using aws ec2 create-tag for tagging your ec2 instance with the above tags.
• Refer Here for the script to tag ec2 resources.

Activity 4: Manage lifecycle of ec2 instance based on tag

• Try to stop all the ec2 instances where there is a tag called as Env with value test
• Refer Here

Actvitiy 5: Try stopping all the ec2 instances with some tag in all regions

• Refer Here for the script to stop all ec2 instances with a tag in all regions

Activity 6: Delete all rds instances which are in stopped state

• Refer Here for the script

Activity 7: Delete all the security groups in all regions

• Delete all the security groups in all regions in all vpcs except default

* Get vpc ids of the current region
* for each vpc id get all security group ids
* delete the security group if the name is not default or it is not default 
* Then do this activity for all the active regions in your account.

• Refer Here for the script created

Activity 8: Create a security group which opens all traffic

• Try to find a cli command to do this
• Then we will figure out to parametrize this.
• Refer Here for the security group rule