Different Perspective!

Tuesday, 19 December 2023

Data Integrity Kafka

#!/bin/bash

brokers1=localhost-src:9092

brokers2=localhost-dest:9092

numberofpart=$(kafka-topics.sh --bootstrap-server $brokers1 --describe --topic $1 | grep PartitionCount | awk '{print $6}')

echo ""

echo "Topic $1 has total $numberofpart partition(s)"

echo ""

echo "Now Checking newest msg from every partition"

echo ""

echo "------------------------------------------------------------------------------------------------------------------"

echo "------------------------------------------------------------------------------------------------------------------"

for (( c=0; c<$numberofpart; c++ ))

srcvalue=$(kcat -q -C -b $brokers1 -t $1 -p $c -o -1 -e | md5sum | sed s/'\s'//g)

destvalue=$(kcat -q -C -b $brokers2 -t $1 -p $c -o -1 -e | md5sum| sed s/'\s'//g)

if [ "$srcvalue" = "$destvalue" ]; then

echo " $c $srcvalue $destvalue Match"

else

echo " $c $srcvalue $destvalue No Match"

done

echo ""

echo "Now Checking oldest msg from every partition"

echo ""

echo "------------------------------------------------------------------------------------------------------------------"

echo "------------------------------------------------------------------------------------------------------------------"

for (( c=0; c<$numberofpart; c++ ))

srcvalue=$(kcat -q -C -b $brokers1 -t $1 -p $c -o beginning -c 1 -e | md5sum | sed s/'\s'//g)

destvalue=$(kcat -q -C -b $brokers2 -t $1 -p $c -o beginning -c 1 -e | md5sum| sed s/'\s'//g)

if [ "$srcvalue" = "$destvalue" ]; then

echo " $c $srcvalue $destvalue Match"

else

echo " $c $srcvalue $destvalue No Match"

done

echo ""

Tuesday, 7 June 2022

Waf-v2 as module

module "aws_wafv2_web_acl_waf" {

source = "umotif-public/waf-webaclv2/aws"

version = "~> 3.0.0"

name_prefix = "${var.environment}_WAF"

description = "${var.environment}_WAF"

scope = var.scope

create_alb_association = false

allow_default_action = true # set to allow if not specified

tags = {

product-name = "common"

}

visibility_config = {

cloudwatch_metrics_enabled = true

metric_name = "${var.environment}_WAF"

sampled_requests_enabled = true

}

rules = [

for rule in var.managed_rules :

{

name = rule.rule_name

priority = index(var.managed_rules[*].rule_name, rule.rule_name)

override_action = rule.mode == "allow" ? "count" : "none"

visibility_config = {

cloudwatch_metrics_enabled = true

metric_name = rule.rule_name

sampled_requests_enabled = true

}

managed_rule_group_statement = {

name = rule.rule_name

vendor_name = rule.provider_name

excluded_rule = rule.exceptions

}

]

}

-----------------------------------------------------------------------------------------------------------------------------

managed_rules = [

{

provider_name = "F5"

rule_name = "OWASP_Managed"

exceptions = [

"rule_XSS_script_tag__Parameter__AllQueryArguments_Body",

"rule_div_tag__behavior__Parameter__AllQueryArguments_Body",

"rule_Java_code_injection___org_apache_commons_collections_AllQueryArguments_Body"

]

mode = "allow"

{

provider_name = "AWS"

rule_name = "AWSManagedRulesAnonymousIpList"

exceptions = ["HostingProviderIPList"]

mode = "block"

{

provider_name = "AWS"

rule_name = "AWSManagedRulesAmazonIpReputationList"

exceptions = []

mode = "block"

}

]

-----------------------------------------------------------------------------------------------------------------------------

variable "environment" {

description = "The name of the environment"

type = string

}

variable "scope" {

description = "The name of resource CLOUDFRONT/REGIONAL only options (if regional declare in tf vars file)"

type = string

default = "CLOUDFRONT"

}

variable "managed_rules" {

description = "the managed rules name in order (make sure not to cross 1500 wcu's)"

type = list(object({

provider_name = string

rule_name = string

exceptions = list(string)

mode = string

}))

}

Monday, 9 May 2022

Waf-v2 as resource

resource "aws_wafv2_web_acl" "web_acl_rules" {

name = var.web_acl_name

description = var.web_acl_name

scope = var.scope

tags = {

product-name = "common"

}

default_action {

allow {

}

visibility_config {

cloudwatch_metrics_enabled = true

metric_name = var.web_acl_name

sampled_requests_enabled = true

}

dynamic "rule" {

for_each = var.managed_rules

content {

name = "${var.web_acl_name}-${rule.value.rule_name}"

priority = rule.key

override_action {

dynamic "none" {

for_each = rule.value.mode == "block" ? [1] : []

content {}

}

dynamic "count" {

for_each = rule.value.mode == "count" ? [1] : []

content {}

}

statement {

managed_rule_group_statement {

name = rule.value.rule_name

vendor_name = rule.value.provider_name

dynamic "excluded_rule" {

for_each = rule.value.exceptions

content {

name = excluded_rule.value

}

visibility_config {

cloudwatch_metrics_enabled = true

metric_name = "${var.web_acl_name}-${rule.value.rule_name}"

sampled_requests_enabled = true

}

-----------------------------------------------------------------------------------------------------------------------------

scope = "REGIONAL"

managed_rules = [

{

provider_name = "F5"

rule_name = "OWASP_Managed"

exceptions = ["rule_XML_External_Entity__XXE__injection_attempt__Content__AllQueryArguments_Body"]

mode = "allow"

{

provider_name = "AWS"

rule_name = "AWSManagedRulesAnonymousIpList"

exceptions = ["HostingProviderIPList"]

mode = "block"

{

provider_name = "AWS"

rule_name = "AWSManagedRulesAmazonIpReputationList"

exceptions = []

mode = "block"

}

]

-----------------------------------------------------------------------------------------------------------------------------

variable "environment" {

description = "The name of the environment"

type = string

}

variable "scope" {

description = "The name of resource CLOUDFRONT/REGIONAL only options (if regional declare in tf vars file)"

type = string

default = "CLOUDFRONT"

}

variable "managed_rules" {

description = "the managed rules name in order (make sure not to cross 1500 wcu's)"

type = list(object({

provider_name = string

rule_name = string

exceptions = list(string)

mode = string

}))

}

Wednesday, 22 December 2021

CircleCI Orbs

version: '2.1'

orbs:

aws-s3: circleci/aws-s3@3.0

jobs:

s3_sync_dev:

docker:

- image: 'cimg/python:3.10'

resource_class: small

steps:

- checkout

- aws-s3/sync:

aws-access-key-id: ACCESS_ID_DEV

aws-secret-access-key: SECRET_KEY_DEV

aws-region: AWS_REGION_DEV

from: .

to: 's3://ansible-bucket-test'

- run: aws --version

s3_sync_prod:

docker:

- image: 'cimg/python:3.10'

resource_class: small

steps:

- checkout

- aws-s3/sync:

aws-access-key-id: ACCESS_ID_PROD

aws-secret-access-key: SECRET_KEY_PROD

aws-region: AWS_REGION_PROD

from: .

to: 's3://ansible-bucket-prod'

- run: aws --version

workflows:

s3-execution:

jobs:

- s3_sync_dev:

filters:

branches:

only: dev

- s3_sync_prod:

filters:

branches:

only: prod

Terraform user with secrets in aws secret manager

data "aws_iam_policy_document" "ci_user_s3_policy" {

statement {

actions = [

"s3:DeleteObject",

"s3:DeleteObjectTagging",

"s3:DeleteObjectVersion",

"s3:DeleteObjectVersionTagging",

"s3:ListBucket",

"s3:GetObject*",

"s3:PutObject*",

"s3:ReplicateObject",

"s3:RestoreObject"

]

resources = [

"arn:aws:s3:::ansible-bucket-${var.environment}/*",

"arn:aws:s3:::ansible-bucket-${var.environment}"

]

}

variable "environment" {

type = string

}

variable "vaultpass" {

type = string

}

resource "aws_s3_bucket" "ansible_bucket" {

bucket = "ansible-bucket-${var.environment}"

acl = "private"

force_destroy = true

}

resource "aws_iam_user" "user" {

name = "ansible-ci-upload"

}

resource "aws_iam_access_key" "ansible_repo" {

user = aws_iam_user.user.name

}

resource "aws_iam_policy" "ci_user_s3_policy" {

policy = data.aws_iam_policy_document.ci_user_s3_policy.json

}

resource "aws_iam_user_policy_attachment" "attach-policy" {

user = aws_iam_user.user.name

policy_arn = aws_iam_policy.ci_user_s3_policy.arn

}

resource "aws_secretsmanager_secret" "ansible_credentials" {

name = "ansible-circleci-user-creds"

}

resource "aws_secretsmanager_secret" "ansible_git_credentials" {

name = "ansible-git-creds"

}

resource "aws_secretsmanager_secret_version" "ansible_credentials" {

secret_id = aws_secretsmanager_secret.ansible_credentials.id

secret_string = jsonencode({

access_key = aws_iam_access_key.ansible_repo.id

access_secret = aws_iam_access_key.ansible_repo.secret

vault_pass = var.vaultpass

})

}

resource "aws_secretsmanager_secret_version" "ansible_credentials_key" {

secret_id = aws_secretsmanager_secret.ansible_git_credentials.id

secret_string = file("/mnt/workspace/AnsibleMaster.pem")

}

Thursday, 29 April 2021

Move Existing data to Glacier

#!/bin/bash

> filelist

aws sts get-caller-identity

TARGETBUCKET=$1

echo ''

echo $TARGETBUCKET

echo ''

aws s3 ls $TARGETBUCKET --recursive | awk '{ print $4 }' >> filelist

while read objname

aws s3api copy-object --copy-source $TARGETBUCKET/${objname} --bucket $TARGETBUCKET --storage-class GLACIER --key ${objname}

done < filelist

aws s3api list-objects --bucket $TARGETBUCKET --query 'Contents[].{Key: Key, SC: StorageClass}' --output table

Thursday, 11 February 2021

LVM Shorthand

LVM Creation

sudo pvcreate /dev/sda /dev/sdb

sudo vgcreate LVMVolGroup /dev/sda /dev/sdb

sudo lvcreate -L 10G -n test1 LVMVolGroup

sudo lvcreate -l 100%FREE -n test2 LVMVolGroup

sudo mkfs -t ext4 /dev/LVMVolGroup/test1

sudo mkfs -t ext4 /dev/LVMVolGroup/test2

sudo mkdir /vol1

sudo mkdir /vol2

sudo mount /dev/LVMVolGroup/test1 /vol1

sudo mount /dev/LVMVolGroup/test2 /vol2

echo "/dev/LVMVolGroup/test1 /vol1 auto noatime 0 0" | sudo tee -a /etc/fstab

echo "/dev/LVMVolGroup/test2 /vol2 auto noatime 0 0" | sudo tee -a /etc/fstab

sudo mount -a

sudo reboot

Useful Commands:

pvdisplay

vgdiaplay

lvdisplay