Tiago Rodrigues

Terraform AWS IAM Role Errors DNS

Tiago Rodrigues — Fri, 15 Mar 2024 10:31:37 GMT

This is not the first time, and if you are out there and seeing a similar error, this may be the soltuion you are looking for.

terraform plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: configuring Terraform AWS Provider: IAM Role (arn:aws:iam::111222333444:role/YourRole) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│
│ AWS Error: operation error STS: AssumeRole, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.eu-central-1.amazonaws.com/": dial tcp: lookup sts.eu-central-1.amazonaws.com on [2001:8a0:6727:d900::1]:53: no such host
│
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on _provider.tf line 1, in provider "aws":
│    1: provider "aws" {
│
╵
╷
│ Error: configuring Terraform AWS Provider: IAM Role (arn:aws:iam::111222333444:role/YourRole) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│
│ AWS Error: operation error STS: AssumeRole, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.eu-central-1.amazonaws.com/": dial tcp: lookup sts.eu-central-1.amazonaws.com on [2001:8a0:6727:d900::1]:53: no such host
│
│
│   with provider["registry.terraform.io/hashicorp/aws"].dev,
│   on _provider.tf line 18, in provider "aws":
│   18: provider "aws" {

All my logins where right, I was using them all along, even more, I have a differnt CLI window open on my computer with the same login working just fine.

Then my eyes glased at something:

dial tcp: lookup sts.eu-central-1.amazonaws.com on [2001:8a0:6727:d900::1]:53: no such host

Hum, no such host? port 53 ? is this a DNS error?

I quickly changed my DNS from the default ISP (shame on you Altice) to CloudFlare ones:

1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001

Guess what, problem solved, my Terraform is working again, it was not an IAM error at all, it was all about the DNS caches on my ISP.

Next time you see a STS error, consider changing your DNS to a different provider and may save you some unicorn hunt.x

New AWS Game on AWSary v1.4.0

Tiago Rodrigues — Mon, 05 Feb 2024 13:39:55 GMT

🚀 Exciting News Alert! 🚀

I'm thrilled to announce the latest update to our AWSary mobile app - introducing a brand new feature that takes learning about AWS services to a whole new level: the AWSary Logo Challenge Game! 🎮💡

At AWS re:invent 2023 Guillermo Ruiz challenged me to tweak my app and add a game so he can use on AWS Summits and Cloud Days. "Do you want to get a t-shirt or socks, well you have 5 attempts to guess the AWS service name just looking at its logo."

In this fun and engaging game, you'll be put to the test as you're challenged to recall AWS service names just by looking at their logos. It's a fantastic way to sharpen your AWS knowledge while having a blast!

Whether you're new to AWS or a seasoned pro, the AWSary Logo Challenge Game offers something for everyone. It's a fantastic addition to our app, designed to make learning about AWS services more enjoyable and memorable.

Download the latest update of AWSary today on the App Store - let's see who's the ultimate AWS expert! 💪🔥

‎AWSary - AWS Dictionary

‎AWSary is the ultimate resource for AWS Cloud Consultants, students, and anyone looking to stay up-to-date with AWS services. With this app, you’ll have access to a comprehensive AWS dictionary, allowing you to easily search and learn about various AWS services. With this app, you’ll have access t…

App StoreTiago Rodrigues

Yet another AWS Terraform Backend on S3 + DynamoDB

Tiago Rodrigues — Fri, 02 Feb 2024 10:37:32 GMT

Every time I start an AWS project, I have the same issue, what Terraform backend to use?

I love the AWS S3 + DynamoDB backend solution but this just covers the basics, you want your Terraform State to be protected from client misbehavior or human error. Yes, I've been on the end of the call where the customer used cloud-nuke against the Terraform S3 bucket and we got a drift for the whole project. (yes I managed to import and recreate .tfstate for 500+ resources of the landing zone + applications accounts)

So every time I start a new project I hope to find some simple module that gives some extra protection as the S3 version enabled, deletion protection policy, object lock, DynamoDB table with point-in-time recovery, kms encryption, and so on.

Today I decided to make yet another attempt at solving this well, hope it is beneficial for others as well and that we can over time keep improving this module.

https://registry.terraform.io/modules/tigpt/remote-state-s3-dynamodb-backend/aws/latest

Let's break it down on how to use it:

module "remote-state-s3-dynamodb-backend" {
  source  = "tigpt/remote-state-s3-dynamodb-backend/aws"
  version = "1.0.1"

  name = "my-terraform-backend"

  tags = {
    terraform = "true"
  }
}

So you call the module with source and pin a version, of course.
Then you name it, this should have some project related name, example business unit or account, I like to name something like landingzone or network-production, even application-dev.

You can as well pass some tags because everyone loves tags and they are an important asset.

Let's break out the module into parts:

├── dynamodb.tf
├── outputs.tf
├── random.tf
├── s3.tf
├── variables.tf
└── versions.tf

Each file should be self-explanatory, but let's dig into them, DynamoDB first.

#############################
#--- DynamoDB State Lock ---#
#############################

module "dynamodb_table" {
  source  = "terraform-aws-modules/dynamodb-table/aws"
  version = "4.0.0"

  name     = "tf-${var.name}-${random_integer.random.id}-locktable"
  hash_key = "LockID"

  attributes = [
    {
      name = "LockID"
      type = "S"
    }
  ]

  deletion_protection_enabled    = true
  point_in_time_recovery_enabled = true

  server_side_encryption_enabled     = true
  server_side_encryption_kms_key_arn = aws_kms_key.dynamodb.arn

  tags = merge(
    var.tags,
    {
      "Name" = format("%s", var.name)
    },
  )
}

resource "aws_kms_key" "dynamodb" {
  description             = "KMS key is used to encrypt bucket objects"
  deletion_window_in_days = 7

  tags = merge(
    var.tags,
    {
      "Name" = format("%s", var.name)
    },
  )
}

I love the Terraform AWS modules so we leverage them as much as possible to make the DynamoDB table, we then add some naming conventions to the input name that comes from the variables.tf as well as a random generated from random.tf to make sure names are unique (especially important for S3).

Then it's time to configure deletion_protection, point_in_time_recovery as well as encritpions with KMS key that we create.

Next the s3.tf

###########################
#--- S3 Backend Bucket ---#
###########################

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "4.1.0"

  bucket = "tf-${var.name}-${random_integer.random.id}-state"
  acl    = "private"

  object_lock_enabled = true
  control_object_ownership          = true
  object_ownership                  = "ObjectWriter"
  attach_deny_incorrect_kms_key_sse = true
  allowed_kms_key_arn               = aws_kms_key.objects.arn

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = aws_kms_key.objects.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  force_destroy = true

  versioning = {
    enabled = true
  }
  attach_policy = true
  policy        = <

Once again we start with the Terraform AWS modules of S3 and configure the bucket as private as well as activate object_lock, versioning, kms encryption but what I want and don't see a lot in other modules out there is a S3:DeleteBucket a policy that prevents all principals from deleting the bucket.

Well, I could do more, like an S3 bucket replication policy to a bucket on another account, but some people consider this overkill, so I do it specifically only for the projects/clients that want it.

Feel free to fork it and do a pull request for any change you consider necessary, I will keep this going as my default AWS S3 backend and keep evolving it as feel necessary.



AWS re:cap 2023
Tiago Rodrigues — Mon, 29 Jan 2024 19:50:00 GMT
This week we had AWS re:cap in Lisbon, we had bad luck organising the event on the same day as the two major football teams in Lisbon played, Sporting and Benfica, but the core people attended the event anyway in Academia de Código office.
It was so great to have finally María Encinar and Guillermo Ruiz in Lisbon, just to celebrate our 10th AWS User Group Lisbon event in 10 months.
Shout out to all AWS UG Leaders who have been doing a great job, but especially for  Martin Müller has been a rock star keeping pushing the events.
We had some drinks afterward and shared experiences outside AWS world as well, it was awesome.



AWSary on Android
Tiago Rodrigues — Fri, 08 Dec 2023 09:27:00 GMT
AWSary - Apps on Google Play
AWS services dictionary
Apps on Google PlayLuiz Calderaro
Finally, AWSary is available on Android.
About 4 Months ago, Luiz Calderaro approached me to help port AWSary to Android, and I couldn't be more thrilled.
Luiz has found some time here and there to sync with me and in no time we had an Android POC up and running. After some fine-tuning, we have today almost 100% feature parity between the 2 versions and I'm happy to share that AWSary is available on Google Play.
Luiz is a true professional, fully autonomous, and just checking with me on some core ideas. We would not have an Android version if it wasn't for Luiz, all props go to him!
If you have an Android phone or tablet, test it out and share your feedback with us. We will make the source code public like the iOS version in the next months.


AWS re:invent 2023
Tiago Rodrigues — Sun, 03 Dec 2023 19:52:00 GMT
This was my first re:invent and boy, oh boy, it was overwhelming in a good way. I want more!
It was my first time outside of Europe, and I have to say, jetlag is a real thing, with 8 hours difference I was waking up at 3 am every day and trying to enjoy the full day as if it was nothing, and you know what, the time just flys by in re:invent Las Vegas.
I was in re:invent as invite from ABW Grant, THANKS AWS Comunity Builder program for allowing me to have this experience, I sadly can't afford from my own finances to justify a 7.000€ trip to Las Vegas, but if it's worth it, I definitly belive so.
You can have a lot of the AWS experience on YouTube but there is something that you can't replicate remotely, the vibe of all these AWS Comunity Builders, AWS Heros, and Amazonians who just want to share as much as possible, they want you to grow with them, they want your success!
I was lucky to meet other AAIs share my experiences as an AAI and learn from them as well.
No matter where you come from, or who you are, AWS re:invent will transform your cloud career to the next level.
If you can afford it, just don't think twice and go!
If you can't afford it, keep contributing to the community and you will see that like what happened to me, you may as well be elected to the AWS ABW Grant and have this once-in-a-lifetime opportunity.
Because pictures are worth thousands of words, here are some for you:



CloudFront and the Wild West of the Internet
Tiago Rodrigues — Wed, 15 Nov 2023 22:10:00 GMT
The internet is truly amazing, but it is a Wild West.
The other day I was looking at my CloudFront Popular objects and was supper curious, this is pointing to an S3 bucket with some static images and polly mp3 that are serving the mobile app.
What wp-login.php and server-status or login.action.
The internet is a true place without many laws and if you have any IP or domain up and running, some crawler or bot will immediately try to find vulnerabilities and brute-force / exploit them.
Be aware, build safe infrastructure, hide vulnerabilities, and leverage AWS services like S3 and CloudFront, WAF and AWS Shield, load balancers, and private subnets. open as little as possible the ports and let the outlaws out of your walled garden. They are there and are not your friends.
Stay safe!



AWS Cloud Experience Portugal 2023
Tiago Rodrigues — Tue, 10 Oct 2023 21:34:00 GMT
This year on Cloud Experience Portugal, I was invited by AWS to step up on the stage and talk about AWS cloud in my carrier, in Portuguese 🥳
When looking back, I realized what a journey has been. From casual running some virtual machines on ec2 to being a Champion AAI and an AWS User Group Leader, a Community Builder, and dreaming I will eventually join the Heros group (one can dream).
Actually what I like the most about my career is that is full of stories about how "it's not a zero-sum game", we can grow by helping others to grow as well. I love to share my knowledge and experiences, with friends, colleagues, clients, with strangers. Just ask me something and I will do my best to help you out.
I love these blurry pictures, because they tell a story, a story of someone that was using the same tool to solve all the problems, and now, with AWS have a big toolbox to use specialized tools to solve each problem.
I love how things sometimes deviate from the perfect project and you are in firefighter mode, but even so, you can leverage the expertise of the cloud providers to add value to your business and solve clients' problems.
I can't wait for the Cloud Experience Portugal 2024, to listen to other's stories and learn from them, but also connect and accelerate the ones that are just getting started.



DeepRacer Day
Tiago Rodrigues — Sat, 07 Oct 2023 21:52:00 GMT
Today I was part of the team organising a DeepRacer Day with SIXT. 
It is awesome to share some of the experiences and help others start on the Cloud Journey.
As I won 1st place on AWS DeepRacer Madrid 2022, tecRacer kind of nominated me as the DeepRacer guy.
Once we knew that SIXT was getting the Machine Learning team into AWS, we could not find a better excuse to do a DeepRacer Day together with SIXT.
It was very fun after all and we made a public event open to anyone in Lisbon to get to know more about AWS and DeepRacer, about 50 people participated in a full-day event, joining in and out, it was so great to see people eager to learn about AWS and how they can bring their knowledge to the cloud to accelerate the time to market.



AWAsary v1.3.0
Tiago Rodrigues — Mon, 02 Oct 2023 18:37:00 GMT
‎AWSary - AWS Dictionary
‎AWSary is the ultimate resource for AWS Cloud Consultants, students, and anyone looking to stay up-to-date with AWS services. With this app, you’ll have access to a comprehensive AWS dictionary, allowing you to easily search and learn about various AWS services. With this app, you’ll have access t…
App StoreTiago Rodrigues
Release v1.3.0 · AWSary/AWSary-iOS
New Features You can now enable a label bellow the service logo, making your AWS Architecture Diagrams more readable.Also added Polly reading out AWS service names, because why not ?
GitHubAWSary
Major update to the App, I've been working on how to get compressed icons (smaller app footprint) without loss of image quality, I also fine-tuned the icon sizes once dragged into a diagram before the images were too big.
On top of that now there is a toggle in settings that allows you to label the icons with the service name on your diagrams to make your diagrams more readable, see the example image below:
This was not an easy task but the result is just awesome.
I also added Amazon Polly to pronounce the service names, it is much better than I expected, congrats to Polly for the great pronunciation, please try it yourself in the App.
By the way, these Polly audio files are being served by AWS S3 with CloudFront CDN and it works like a charm.


AWS GuardDuty is an Angel
Tiago Rodrigues — Thu, 21 Sep 2023 21:13:00 GMT
A few weeks ago a client asked me: "Hey, can you please create a dev machine on our POC account, we want an internet-facing server with RDP opened on port 3389 for a small test and an RDS Database connected to it, just go simple, ClickOps to test out something"
I immediately said: Careful RDP is typically a target port, and you should use AWS SSM (AWS Systems Manager) to access the machine, you can even enable RDP through session manager by configuring a proxy on the localhost if needed. 
No no, that's too complicated, this is just for a few days, then we kill the machine.
Long story short, the machine stayed running and they assumed this was already production ready... Clients... 
A few days in, this message came out of the blue, thanks GuardDuty once again saving the day.
Hello.

We recieved the following GuardDuty Alarm.

94.232.42.99 is performing RDP brute force attacks against i-XXXXXXXXXX.","description":"94.232.42.99 is performing RDP brute force attacks against i-XXXXXXXXXX. Brute force attacks are used to gain unauthorized access to your instance by guessing the RDP password.
UnauthorizedAccess:EC2/RDPBruteForce
Resource affected
Resource role TARGET
Resource type Instance
Port 3389
Port name RDP

Instance details
Instance ID i-XXXXXXXXXX (XXXXXXXXXX_dev)
Instance type t3.medium
Instance state running
Availability zone eu-west-1a

If we check the Security Rules for this Instance, it showsthat Port 3389 is open for the world.
This Alarm reocures every few days.
Is it necesary for this port to be open? Can we regulate Acces with a Whitelist (IP based) or can it be closed?
If nothing of the suggested solutions is aplicable, can we block this kind of alarm to minimized unnesecary communikation?
A malicious IP was brute forcing the RDP port of the machine and it was a matter of time until they eventually got access to the machine. If it was not for GuardDuty we could not have noticed the issue until it was too late and someone gained access to the infrastructure and did all the possible damage. 
Thanks to GuardDuty I immediately called the client, hey this is happening, do you wanna try SSM now?
The answer was... ah not really, what's the other options?
Well, don't whitelist this port to the world (0.0.0.0/0) at least have a single public IP able to target the port and restrict the security group on this port to a /32.
Ok, but this is an external consultant company, we want them to update the IP when they access it, but not touch the rest of the infrastructure.
No problem, AWS IAM Policy to the resque.
Create a user, create, create a prefix list, associate the prefix list to the security group, and create a policy to allow the user to update only its prefix list and nothing else.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:GetManagedPrefixListAssociations",
                "ec2:GetManagedPrefixListEntries",
                "ec2:ModifyManagedPrefixList",
                "ec2:RestoreManagedPrefixListVersion"
            ],
            "Resource": [
                "arn:aws:ec2:eu-west-1:ACCOUNT_ID:prefix-list/pl-XXXXXXXXX"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeManagedPrefixLists",
            "Resource": "*"
        }
    ]
}
15 minutes later, the RDP port was at least closed to a single IP and reduced the security vector to a minimal target. I still believe that the best way is just to not open ports to the internet and use AWS SSM, but I'm not scared this machine will be a target anymore. 
I also sleep well knowing that AWS GuardDutty has my back covered 24 hours per day and will probably email me in case something is about to go wrong. Thanks, AWS for making my life on the internet much easier.


AWAsary v1.2.2
Tiago Rodrigues — Tue, 22 Aug 2023 18:36:00 GMT
‎AWSary - AWS Dictionary
‎AWSary is the ultimate resource for AWS Cloud Consultants, students, and anyone looking to stay up-to-date with AWS services. With this app, you’ll have access to a comprehensive AWS dictionary, allowing you to easily search and learn about various AWS services. With this app, you’ll have access t…
App StoreTiago Rodrigues
Release v1.2.2 · AWSary/AWSary-iOS
What’s Changed Link to appstore rating by @tigpt in #99accentColor orange by @tigpt in #102Cta improve by @tigpt in #104 and #106 Full Changelog: v1.2.1...v1.2.2
GitHubAWSary
Add an option for users to send feedback by email.


Python Amazon Polly
Tiago Rodrigues — Tue, 08 Aug 2023 20:58:00 GMT
By now if you have been following my blog, you know about AWSary.
What if we could generate sound out of text, what if I could "magically" have AWS generate all AWS Services names in voice format so I know how to pronounce them?
First we importo boto3 the AWS SDK for Python.
import boto3
Then we load initiate a DynamoDB client as well as a Polly client.
dynamodb = boto3.resource('dynamodb', region_name='eu-west-1')
table = dynamodb.Table('AWSary-services')
polly_client = boto3.client('polly')
Now that we have the clients, let's scan the table for some items, since we want all of them
response = table.scan()
items = response['Items']
For each item in the table that we scanned, let's print out to the CLI just for feedback, then call polly client and save the result on a file in the local disk, we will use this later to copy for our S3 to serve with CloudFront on the iOS Mobile Application.
for item in items:
    print("Start working on: " + item['name'])
    service_name = item['longName']
    response = polly_client.synthesize_speech(VoiceId='Brian', OutputFormat='mp3', Text=service_name)

    file = open('speech/' + item['name'].replace(' ','_') + '_Brian_' + 'en-GB' + '.mp3', 'wb')
    file.write(response['AudioStream'].read())
    file.close()
    print("Done with: " + item['name'])
Let's look at everything together:
AWSary-iOS/utils/polly.py at main · AWSary/AWSary-iOS
AWS Dictionary iOS App. Contribute to AWSary/AWSary-iOS development by creating an account on GitHub.
GitHubAWSary
import boto3

dynamodb = boto3.resource('dynamodb', region_name='eu-west-1')
table = dynamodb.Table('AWSary-services')
polly_client = boto3.client('polly')

response = table.scan()
items = response['Items']

for item in items:
    print("Start working on: " + item['name'])
    service_name = item['longName']
    response = polly_client.synthesize_speech(VoiceId='Brian', OutputFormat='mp3', Text=service_name)

    file = open('speech/' + item['name'].replace(' ','_') + '_Brian_' + 'en-GB' + '.mp3', 'wb')
    file.write(response['AudioStream'].read())
    file.close()
    print("Done with: " + item['name'])
What should I do next, open an issue and let me know your ideas:
Issues · AWSary/AWSary-iOS
AWS Dictionary iOS App. Contribute to AWSary/AWSary-iOS development by creating an account on GitHub.
GitHubAWSary



AWAsary v1.2.1
Tiago Rodrigues — Fri, 04 Aug 2023 18:35:00 GMT
‎AWSary - AWS Dictionary
‎AWSary is the ultimate resource for AWS Cloud Consultants, students, and anyone looking to stay up-to-date with AWS services. With this app, you’ll have access to a comprehensive AWS dictionary, allowing you to easily search and learn about various AWS services. With this app, you’ll have access t…
App StoreTiago Rodrigues
Release v1.2.1 · AWSary/AWSary-iOS
AWS Dictionary iOS App. Contribute to AWSary/AWSary-iOS development by creating an account on GitHub.
GitHubAWSary
Bug fixes and compliance with Apple requirements with in app purchase for the Tip Jar, we hope that Apple aproves this app update. 


AWAsary v1.2.0
Tiago Rodrigues — Wed, 02 Aug 2023 18:31:00 GMT
‎AWSary - AWS Dictionary
‎AWSary is the ultimate resource for AWS Cloud Consultants, students, and anyone looking to stay up-to-date with AWS services. With this app, you’ll have access to a comprehensive AWS dictionary, allowing you to easily search and learn about various AWS services. With this app, you’ll have access t…
App StoreTiago Rodrigues
Release v1.2.0 · AWSary/AWSary-iOS
revenuecat subscription
GitHubAWSary
We improved the AWS Services descriptions and pricings, as well as added a way for users to help me financially with the app development and servers costs, now with a Tip Jar users are able to send some money this way with no aditional peark, the same app with the same features but you feel awesome because you help me prioritize this app. Hope some of you decide to leave a Tip 😅.