From a597819e8a964936e6bb9b45c6bcf084333502ad Mon Sep 17 00:00:00 2001
From: Dezo2018
Date: Wed, 21 Sep 2022 17:49:31 -0400
Subject: [PATCH 1/3] Lab 10-kms
---
 10-kms/Practice-10.1/PlaintextFile | 1 +
 10-kms/Practice-10.1/cmk_key.yml | 55 ++++++++++++++++++
 10-kms/Practice-10.1/encryptedFile | Bin 0 -> 174 bytes
 10-kms/Practice-10.1/file.txt | 1 +
 10-kms/Practice-10.1/scripts | 14 +++++
 10-kms/Practice-10.2/NewFile.txt | 1 +
 10-kms/Practice-10.2/go.mod | 10 ++++
 10-kms/Practice-10.2/go.sum | 22 +++++++
 .../Practice-10.2/s3_client_side_download.go | 55 ++++++++++++++++++
 10-kms/Practice-10.2/s3_client_side_upload.go | 55 ++++++++++++++++++
 10 files changed, 214 insertions(+)
 create mode 100644 10-kms/Practice-10.1/PlaintextFile
 create mode 100644 10-kms/Practice-10.1/cmk_key.yml
 create mode 100644 10-kms/Practice-10.1/encryptedFile
 create mode 100644 10-kms/Practice-10.1/file.txt
 create mode 100644 10-kms/Practice-10.1/scripts
 create mode 100644 10-kms/Practice-10.2/NewFile.txt
 create mode 100644 10-kms/Practice-10.2/go.mod
 create mode 100644 10-kms/Practice-10.2/go.sum
 create mode 100644 10-kms/Practice-10.2/s3_client_side_download.go
 create mode 100644 10-kms/Practice-10.2/s3_client_side_upload.go
diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile
new file mode 100644
index 00000000..6675f302
--- /dev/null
+++ b/10-kms/Practice-10.1/PlaintextFile
@@ -0,0 +1 @@
+This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml
new file mode 100644
index 00000000..704bbc4c
--- /dev/null
+++ b/10-kms/Practice-10.1/cmk_key.yml
@@ -0,0 +1,55 @@
+Description: AWS CMK Key
+
+Resources:
+ myKey:
+ Type: 'AWS::KMS::Key'
+ Properties:
+ Description: A symmetric encryption KMS key
+ EnableKeyRotation: true
+ PendingWindowInDays: 20
+ KeyPolicy:
+ Version: 2012-10-17
+ Id: key-default-1
+ Statement:
+ - Sid: Enable IAM User Permissions
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+ Action: 'kms:*'
+ Resource: '*'
+ - Sid: Allow administration of the key
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
+ Action:
+ - 'kms:Create*'
+ - 'kms:Describe*'
+ - 'kms:Enable*'
+ - 'kms:List*'
+ - 'kms:Put*'
+ - 'kms:Update*'
+ - 'kms:Revoke*'
+ - 'kms:Disable*'
+ - 'kms:Get*'
+ - 'kms:Delete*'
+ - 'kms:ScheduleKeyDeletion'
+ - 'kms:CancelKeyDeletion'
+ Resource: '*'
+ - Sid: Allow use of the key
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
+ Action:
+ - 'kms:DescribeKey'
+ - 'kms:Encrypt'
+ - 'kms:Decrypt'
+ - 'kms:ReEncrypt*'
+ - 'kms:GenerateDataKey'
+ - 'kms:GenerateDataKeyWithoutPlaintext'
+ Resource: '*'
+
+ myAlias:
+ Type: 'AWS::KMS::Alias'
+ Properties:
+ AliasName: alias/ndambi
+ TargetKeyId: !Ref myKey
diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile
new file mode 100644
index 0000000000000000000000000000000000000000..4630c9e4002f05385c117521b5cb0c22ac647e70
GIT binary patch
literal 174
zcmZQ%Vq&PcB71b>S3|Z-2d=ss8{P2TaO9D})we2U??Niyzg{@oP@M6}vr4XZz6IN+
zc0PCHcv!xJfq|jKpoooAtIebBJ1-+U+k#YsWF|%igE)j3qk$Y7XF{6?V=6NXqn?2v
z3(vIeQ-t3f`FAcqDM*EhQJ}$a+WH;W@`Qd~bjbW_d0g64DDZbj({&fdkp93v<18Pa
Xd4GOX{}wiOjPWZ`6W+CSxjrudY>Pw4
literal 0
HcmV?d00001
diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt
new file mode 100644
index 00000000..6675f302
--- /dev/null
+++ b/10-kms/Practice-10.1/file.txt
@@ -0,0 +1 @@
+This is my secret file
\ No newline at end of file
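Review bot: The `Allow administration of the key` and `Allow use of the key` statements in the cmk_key.yml hunk both hard-code the same principal, `user/desmond.ndambi.labs`, so one IAM user can both encrypt/decrypt with the key and `kms:ScheduleKeyDeletion` / `kms:Delete*` it, which is exactly the split a key policy is meant to enforce. A `Parameters` section with separate `KeyAdminArn` and `KeyUserArn` values substituted through `!Sub` would keep the two roles on distinct principals and make the template reusable outside this account. `EnableKeyRotation: true` and `PendingWindowInDays: 20` are fine as written; the root-account `kms:*` statement is the standard guard against the key becoming unmanageable and should stay.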
diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts
new file mode 100644
index 00000000..f624bfba
--- /dev/null
+++ b/10-kms/Practice-10.1/scripts
@@ -0,0 +1,14 @@
+aws kms encrypt \
+ --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+ --plaintext fileb://file.txt \
+ --output text \
+ --query CiphertextBlob | base64 \
+ --decode > encryptedFile
+
+aws kms decrypt \
+ --ciphertext-blob fileb://encryptedFile \
+ --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+ --output text \
+ --query Plaintext | base64 \
+ --decode > PlaintextFile
+
diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt
new file mode 100644
index 00000000..158a0601
--- /dev/null
+++ b/10-kms/Practice-10.2/NewFile.txt
@@ -0,0 +1 @@
+Test Client-Side encryption
diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod
new file mode 100644
index 00000000..d6845094
--- /dev/null
+++ b/10-kms/Practice-10.2/go.mod
@@ -0,0 +1,10 @@
+module kms
+
+go 1.19
+
+require (
+ github.com/aws/aws-sdk-go v1.44.103 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
+ github.com/aws/smithy-go v1.13.3 // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
+)
diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum
new file mode 100644
index 00000000..70c1397e
--- /dev/null
+++ b/10-kms/Practice-10.2/go.sum
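Review bot: The `scripts` file pipes `aws kms encrypt ... | base64 --decode > encryptedFile` with no `set -o pipefail`, so when the `aws` call fails the pipeline still exits 0 and leaves an empty `encryptedFile`, and the following `aws kms decrypt` then fails on an unrelated error; a `#!/bin/bash` line followed by `set -euo pipefail` at the top makes both steps fail closed (the file is also committed as mode 100644, so it is not executable as added). The key id `fbc58ad0-2bac-40fe-96ee-5ebd24d2f006` is hard-coded twice; since cmk_key.yml in this same patch creates `alias/ndambi`, `--key-id alias/ndambi` would tie the script to the template rather than to an account-specific id.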
@@ -0,0 +1,22 @@ +github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY= +github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk= +github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= +github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA= +github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go
new file mode 100644
index 00000000..096e6e33
--- /dev/null
+++ b/10-kms/Practice-10.2/s3_client_side_download.go
@@ -0,0 +1,55 @@
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "log"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+ "os"
+)
+
+var (
+ bucket = "kms-bucket-ndambi"
+ key = "clientside.txt"
+)
+
+func main() {
+ sess := session.New(&aws.Config{
+ Region: aws.String("us-east-1"),})
+
+ client := s3crypto.NewDecryptionClient(sess)
+
+ input := &s3.GetObjectInput{
+ Bucket: &bucket,
+ Key: &key,
+ }
+
+ result, err := client.GetObject(input)
+ // Aside from the S3 errors, here is a list of decryption client errors:
+ // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm
+ // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm
+ // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB
+ // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data.
+ // Users can choose to log this and then continue decrypting the data that they can, or simply return the error.
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Let's read the whole body from the response
+ b, err := ioutil.ReadAll(result.Body)
+ if err != nil {
+ log.Fatal(err)
+ }
+ //fmt.Println(string(b))
+
+ file, err := os.Create("NewFile.txt")
+ if err != nil {
+ fmt.Println(err)
+ return
+ }
+ fmt.Fprintf(file, "%v\n", string(b))
+}
diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go
new file mode 100644
index 00000000..7f885b6b
--- /dev/null
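Review bot: In `main` of s3_client_side_download.go, `result.Body` is never closed after `client.GetObject` succeeds, and the `os.Create` handle is likewise left open with the `fmt.Fprintf` error discarded, so a short or failed write of NewFile.txt goes unnoticed; add `defer result.Body.Close()` right after the first `err` check and replace the `os.Create`/`Fprintf` tail with `if err := os.WriteFile("NewFile.txt", append(b, '\n'), 0o600); err != nil { log.Fatal(err) }`. `session.New` and `ioutil.ReadAll` are both deprecated in favour of `session.NewSession` (whose error should then be checked) and `io.ReadAll`, which the `go 1.19` in go.mod already supports; `"os"` also belongs in the stdlib import group with `fmt` and `log`. `s3crypto.NewDecryptionClient` is the legacy client; `NewDecryptionClientV2` takes an explicit registry of accepted wrap and content-encryption algorithms, which is what prevents an object written under an older scheme from being transparently decrypted — worth confirming against the SDK version pinned in go.mod before switching.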
+++ b/10-kms/Practice-10.2/s3_client_side_upload.go
@@ -0,0 +1,55 @@
+/*
+Licensed under the MIT-0 license https://github.com/aws/mit-0
+*/
+package main
+
+import (
+ "log"
+ "strings"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/kms"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+)
+
+var (
+ cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006"
+ bucket = "kms-bucket-ndambi"
+ key = "clientside.txt"
+)
+
+func main() {
+ sess, err := session.NewSession(&aws.Config{
+ Region: aws.String("us-east-1"),
+ Credentials: credentials.NewSharedCredentials("", "default"),
+ })
+ // This is our key wrap handler, used to generate cipher keys and IVs for
+ // our cipher builder. Using an IV allows more “spontaneous” encryption.
+ // The IV makes it more difficult for hackers to use dictionary attacks.
+ // The key wrap handler behaves as the master key. Without it, you can’t
+ // encrypt or decrypt the data.
+ keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId)
+ // This is our content cipher builder, used to instantiate new ciphers
+ // that enable us to encrypt or decrypt the payload.
+ builder := s3crypto.AESGCMContentCipherBuilder(keywrap)
+ // Let's create our crypto client!
+ client := s3crypto.NewEncryptionClient(sess, builder)
+
+ input := &s3.PutObjectInput{
+ Bucket: &bucket,
+ Key: &key,
+ Body: strings.NewReader("Test Client-Side encryption"),
+ }
+
+ _, err = client.PutObject(input)
+ // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html.
+ // The s3crypto client can also return some errors:
+ // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+
From c9056754893bbf19830f5f0c788e9f8d1e9af36f Mon Sep 17 00:00:00 2001
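Review bot: In `main` of s3_client_side_upload.go the `err` returned by `session.NewSession` is never checked before `sess` is handed to `kms.New(sess)` and `NewEncryptionClient`; it is only overwritten by the `PutObject` result, so a bad config or missing `default` profile surfaces as a confusing error from the first API call instead; add `if err != nil { log.Fatal(err) }` directly after the closing `})`. The comment above `keywrap` saying the IV "makes it more difficult for hackers to use dictionary attacks" is misleading for AES-GCM, where the IV's job is nonce uniqueness per encryption under the same data key; suggest `// A fresh IV per object keeps AES-GCM nonces unique under the same data key.` `NewKMSKeyGenerator`, `AESGCMContentCipherBuilder` and `NewEncryptionClient` are the legacy V1 API of this SDK; `NewKMSContextKeyGenerator` with `AESGCMContentCipherBuilderV2` and `NewEncryptionClientV2` bind a KMS encryption context to the wrapped data key and are the maintained path, so the download side would need the matching V2 decryption client.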
From: Dezo2018
Date: Thu, 22 Sep 2022 10:57:05 -0400
Subject: [PATCH 2/3] removing files
---
 10-kms/Practice-10.1/PlaintextFile | 1 -
 10-kms/Practice-10.1/cmk_key.yml | 55 ------------------
 10-kms/Practice-10.1/encryptedFile | Bin 174 -> 0 bytes
 10-kms/Practice-10.1/file.txt | 1 -
 10-kms/Practice-10.1/scripts | 14 -----
 10-kms/Practice-10.2/NewFile.txt | 1 -
 10-kms/Practice-10.2/go.mod | 10 ----
 10-kms/Practice-10.2/go.sum | 22 -------
 .../Practice-10.2/s3_client_side_download.go | 55 ------------------
 10-kms/Practice-10.2/s3_client_side_upload.go | 55 ------------------
 10 files changed, 214 deletions(-)
 delete mode 100644 10-kms/Practice-10.1/PlaintextFile
 delete mode 100644 10-kms/Practice-10.1/cmk_key.yml
 delete mode 100644 10-kms/Practice-10.1/encryptedFile
 delete mode 100644 10-kms/Practice-10.1/file.txt
 delete mode 100644 10-kms/Practice-10.1/scripts
 delete mode 100644 10-kms/Practice-10.2/NewFile.txt
 delete mode 100644 10-kms/Practice-10.2/go.mod
 delete mode 100644 10-kms/Practice-10.2/go.sum
 delete mode 100644 10-kms/Practice-10.2/s3_client_side_download.go
 delete mode 100644 10-kms/Practice-10.2/s3_client_side_upload.go
diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile
deleted file mode 100644
index 6675f302..00000000
--- a/10-kms/Practice-10.1/PlaintextFile
+++ /dev/null
@@ -1 +0,0 @@
-This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml
deleted file mode 100644
index 704bbc4c..00000000
--- a/10-kms/Practice-10.1/cmk_key.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-Description: AWS CMK Key
-
-Resources:
- myKey:
- Type: 'AWS::KMS::Key'
- Properties:
- Description: A symmetric encryption KMS key
- EnableKeyRotation: true
- PendingWindowInDays: 20
- KeyPolicy:
- Version: 2012-10-17
- Id: key-default-1
- Statement:
- - Sid: Enable IAM User Permissions
- Effect: Allow
- Principal:
- AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
- Action: 'kms:*'
- Resource: '*'
- - Sid: Allow administration of the key
- Effect: Allow
- Principal:
- AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
- Action:
- - 'kms:Create*'
- - 'kms:Describe*'
- - 'kms:Enable*'
- - 'kms:List*'
- - 'kms:Put*'
- - 'kms:Update*'
- - 'kms:Revoke*'
- - 'kms:Disable*'
- - 'kms:Get*'
- - 'kms:Delete*'
- - 'kms:ScheduleKeyDeletion'
- - 'kms:CancelKeyDeletion'
- Resource: '*'
- - Sid: Allow use of the key
- Effect: Allow
- Principal:
- AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
- Action:
- - 'kms:DescribeKey'
- - 'kms:Encrypt'
- - 'kms:Decrypt'
- - 'kms:ReEncrypt*'
- - 'kms:GenerateDataKey'
- - 'kms:GenerateDataKeyWithoutPlaintext'
- Resource: '*'
-
- myAlias:
- Type: 'AWS::KMS::Alias'
- Properties:
- AliasName: alias/ndambi
- TargetKeyId: !Ref myKey
diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile
deleted file mode 100644
index 4630c9e4002f05385c117521b5cb0c22ac647e70..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 174
zcmZQ%Vq&PcB71b>S3|Z-2d=ss8{P2TaO9D})we2U??Niyzg{@oP@M6}vr4XZz6IN+
zc0PCHcv!xJfq|jKpoooAtIebBJ1-+U+k#YsWF|%igE)j3qk$Y7XF{6?V=6NXqn?2v
z3(vIeQ-t3f`FAcqDM*EhQJ}$a+WH;W@`Qd~bjbW_d0g64DDZbj({&fdkp93v<18Pa
Xd4GOX{}wiOjPWZ`6W+CSxjrudY>Pw4
diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt
deleted file mode 100644
index 6675f302..00000000
--- a/10-kms/Practice-10.1/file.txt
+++ /dev/null
@@ -1 +0,0 @@
-This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts
deleted file mode 100644
index f624bfba..00000000
--- a/10-kms/Practice-10.1/scripts
+++ /dev/null
@@ -1,14 +0,0 @@
-aws kms encrypt \
- --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
- --plaintext fileb://file.txt \
- --output text \
- --query CiphertextBlob | base64 \
- --decode > encryptedFile
-
-aws kms decrypt \
- --ciphertext-blob fileb://encryptedFile \
- --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
- --output text \
- --query Plaintext | base64 \
- --decode > PlaintextFile
-
diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt
deleted file mode 100644
index 158a0601..00000000
--- a/10-kms/Practice-10.2/NewFile.txt
+++ /dev/null
@@ -1 +0,0 @@
-Test Client-Side encryption
diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod
deleted file mode 100644
index d6845094..00000000
--- a/10-kms/Practice-10.2/go.mod
+++ /dev/null
@@ -1,10 +0,0 @@
-module kms
-
-go 1.19
-
-require (
- github.com/aws/aws-sdk-go v1.44.103 // indirect
- github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
- github.com/aws/smithy-go v1.13.3 // indirect
- github.com/jmespath/go-jmespath v0.4.0 // indirect
-)
diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum
deleted file mode 100644
index 70c1397e..00000000
--- a/10-kms/Practice-10.2/go.sum
+++ /dev/null
@@ -1,22 +0,0 @@ -github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY= -github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk= -github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA= -github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= -github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go
deleted file mode 100644
index 096e6e33..00000000
--- a/10-kms/Practice-10.2/s3_client_side_download.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package main
-
-import (
- "fmt"
- "io/ioutil"
- "log"
-
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/session"
- "github.com/aws/aws-sdk-go/service/s3"
- "github.com/aws/aws-sdk-go/service/s3/s3crypto"
- "os"
-)
-
-var (
- bucket = "kms-bucket-ndambi"
- key = "clientside.txt"
-)
-
-func main() {
- sess := session.New(&aws.Config{
- Region: aws.String("us-east-1"),})
-
- client := s3crypto.NewDecryptionClient(sess)
-
- input := &s3.GetObjectInput{
- Bucket: &bucket,
- Key: &key,
- }
-
- result, err := client.GetObject(input)
- // Aside from the S3 errors, here is a list of decryption client errors:
- // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm
- // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm
- // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB
- // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data.
- // Users can choose to log this and then continue decrypting the data that they can, or simply return the error.
- if err != nil {
- log.Fatal(err)
- }
-
- // Let's read the whole body from the response
- b, err := ioutil.ReadAll(result.Body)
- if err != nil {
- log.Fatal(err)
- }
- //fmt.Println(string(b))
-
- file, err := os.Create("NewFile.txt")
- if err != nil {
- fmt.Println(err)
- return
- }
- fmt.Fprintf(file, "%v\n", string(b))
-}
diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go
deleted file mode 100644
index 7f885b6b..00000000
--- a/10-kms/Practice-10.2/s3_client_side_upload.go
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
-Licensed under the MIT-0 license https://github.com/aws/mit-0
-*/
-package main
-
-import (
- "log"
- "strings"
-
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/credentials"
- "github.com/aws/aws-sdk-go/aws/session"
- "github.com/aws/aws-sdk-go/service/kms"
- "github.com/aws/aws-sdk-go/service/s3"
- "github.com/aws/aws-sdk-go/service/s3/s3crypto"
-)
-
-var (
- cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006"
- bucket = "kms-bucket-ndambi"
- key = "clientside.txt"
-)
-
-func main() {
- sess, err := session.NewSession(&aws.Config{
- Region: aws.String("us-east-1"),
- Credentials: credentials.NewSharedCredentials("", "default"),
- })
- // This is our key wrap handler, used to generate cipher keys and IVs for
- // our cipher builder. Using an IV allows more “spontaneous” encryption.
- // The IV makes it more difficult for hackers to use dictionary attacks.
- // The key wrap handler behaves as the master key. Without it, you can’t
- // encrypt or decrypt the data.
- keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId)
- // This is our content cipher builder, used to instantiate new ciphers
- // that enable us to encrypt or decrypt the payload.
- builder := s3crypto.AESGCMContentCipherBuilder(keywrap)
- // Let's create our crypto client!
- client := s3crypto.NewEncryptionClient(sess, builder)
-
- input := &s3.PutObjectInput{
- Bucket: &bucket,
- Key: &key,
- Body: strings.NewReader("Test Client-Side encryption"),
- }
-
- _, err = client.PutObject(input)
- // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html.
- // The s3crypto client can also return some errors:
- // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN
- if err != nil {
- log.Fatal(err)
- }
-}
-
From 7f1190bc8c1621cad5202571f549b04ef6c44d29 Mon Sep 17 00:00:00 2001
From: Dezo2018
Date: Mon, 10 Oct 2022 19:13:07 -0400
Subject: [PATCH 3/3] Lab-17 Terraform
---
 .../network-infra/data_backup/data_backup.zip | Bin 0 -> 5168 bytes
 .../dev/network-infra/data_backup/tfplan | Bin 0 -> 5633 bytes
 17-Terraform/dev/network-infra/dev.tfvars | 4 +
 17-Terraform/dev/network-infra/main.tf | 85 ++++++++++++++++++
 17-Terraform/dev/network-infra/script.sh | 21 +++++
 17-Terraform/dev/network-infra/variables.tf | 16 ++++
 .../modules/vpc_with_public_subnets/main.tf | 85 ++++++++++++++++++
 .../vpc_with_public_subnets/outputs.tf | 11 +++
 .../vpc_with_public_subnets/variables.tf | 16 ++++
 17-Terraform/prod/network-infra/main.tf | 16 ++++
 17-Terraform/prod/network-infra/prod.tfvars | 4 +
 17-Terraform/prod/network-infra/variables.tf | 15 ++++
 17-Terraform/state-management/main.tf | 68 ++++++++++++++
 17-Terraform/terraform-example/main.tf | 11 +++
 14 files changed, 352 insertions(+)
 create mode 100644 17-Terraform/dev/network-infra/data_backup/data_backup.zip
 create mode 100644 17-Terraform/dev/network-infra/data_backup/tfplan
 create mode 100644 17-Terraform/dev/network-infra/dev.tfvars
 create mode 100644 17-Terraform/dev/network-infra/main.tf
 create mode 100755 17-Terraform/dev/network-infra/script.sh
 create mode 100644 17-Terraform/dev/network-infra/variables.tf
 create mode 100644 17-Terraform/modules/vpc_with_public_subnets/main.tf
 create mode 100644 17-Terraform/modules/vpc_with_public_subnets/outputs.tf
 create mode 100644 17-Terraform/modules/vpc_with_public_subnets/variables.tf
 create mode 100644 17-Terraform/prod/network-infra/main.tf
 create mode 100644 17-Terraform/prod/network-infra/prod.tfvars
 create mode 100644 17-Terraform/prod/network-infra/variables.tf
 create mode 100644 17-Terraform/state-management/main.tf
 create mode 100644 17-Terraform/terraform-example/main.tf
diff --git a/17-Terraform/dev/network-infra/data_backup/data_backup.zip b/17-Terraform/dev/network-infra/data_backup/data_backup.zip new file mode 100644 index 0000000000000000000000000000000000000000..8b673b701f9a9cf7fb9d2db415bc10acacf38468 GIT binary patch literal 5168 zcmV-06wm8WO9KQH00;mG0000XiU0rr000000000000sa60CZ+>Y+-JMm~~W?Ya8xg zx`q&tmXZ`uKpZ-xq(PAG?x90RLQ-i#N>Y00PRXG`8fgU-Mg|8Eq=uNY_P5sFpL)*O z-}B%5$9+B5TK99W>vz98>NvR603kpKSf{J$1HT-6fC%t)@N~0==s&>&uv!WgZND3R z@L*ECx$ng#=yFoaP)B5>@}2Cvb<@gy<`qdsZ+UUgMV#o)g0euptCCXTHT~jpWZlqX zGQPfa3PP_hZ^?)13M*0ZHfi}qTL%Q52LtJzSYD4j6-=JYqcWQv`Kt<*MzKum+do6~ zkCCUr`-SF`h9N68q@0{@BFnEeF`N6>X0A?!bcqb6sK}BF_a@2XfXfBn(yZnz zlB$8NS38?KC9!Qg9oM^TE^skAu0TlebV#9HFlIP9^1R!yrm=`pfu;ccSi!o#@o{0v z!{U7ICo^^h^8{;-Pk5HXZmzYWH)_h8)UF)$G2HXCpF|!57 z`p}rU=Tet@sxc|#G{P;;%CL+=KVjqr0wvY~E0olG#NBfyvdCx?SvZ=vPxsQd*&0Ln z@(a%7#kam={Eb$5&v_o!_Q~YItzA)w8I;sOgkEjAv14L?A}7bO(Evt;LEa;YS$liv zV0wp*4I3V)7&RS3`oSE5(J&MRsp}LeJMMxd*JxOR%rbW{P*St+C+#f!0=OzzVg8Jg zy~Ur3)q7_Sbsb^qviW1a@4U{Rh2Oyqj~`PfNy$59U>g(@(6s;Nwh~LV6VJGC*QiXb zRn&eto<0Y2r5<_`Zc-dPfVrO3#zT>8dLNDT6+d5~6y)x2NUEDMYn&2<=y-{6V2ASw zy3{*e*W7#D3dya|N9IkQV=|!|K|$$Zy5l9PT`D#IHA(zN8e3Xg8_i1?hst zj1RAk4Adf}o7HSe;-zXR+m&StQB6{OhpEn28M96G8q0tyO`H^$STs zTpES+f##GdqJ%6M8AT(}^4cT4Q7J*aHIe=6kbD@J{oz*G#@mDX3iMLA>LikXpQX$6 z{hc{>ed<>z_v&|8k5wXxs}hBZvQJLQvr0{I#*I8(9cD*!bH5wu1wr^cG^`dWPV+cf zN9H2AhU}mp*Li|D2d>jp;;ENgneG~P!}nDNqO1~5eQlH}xyKUAzYYZi6B0o(Es`cJ zdN*6$CUifP75qr=|2d&ilE_^t$k+X|YtLX+dCw z1MGJ|{05DaQH!nU4Mgg)*;TgX2oh6$hN--Cz%g{rjw)-AYR)r>&{Js7uWP8hs67iF zI+>AQwG~QMjL2}ON#=O|d9Wog#R{!0FDTb8M*wq6&CPPvV6K`8;;EW(``|x!oE^~} zWR&!p7?PCbwtv>)(-$SW!cWbnw`B0cEw#g*Ttj=XXW!_~s)g<0kY&e7l)fm5#wzyi z@@41f5(&K6q`2$*y-)lfc<_>DQ{Y!p{&Zdc@CL4*JZHcIvQ_D!j|C5SPf()c%?m8`TSrr9Nb;|=^R z$03gMueM$y6vpJf&7U-PfcP97s$RGpW1KAwo9IJ^ukAUW{cJa^1EkpP$%ohjP^Gqu z;ZN{;;Bv*;_nGmUd%i)3VGOEA&u!oL(o`=$#al(J`fD2r8%a>QD+@W0({ZHCLdZRR 
z&$M2`4TP}q<4&m?S3MWrMy&qKw)0663q*Z1C90&1R2G_Bl7>ZaPUX-{EgMP+oe)_3>ZpUQ$zHuQHgAV{0jE*`1VH-hx`&)bf=%xgK|9`9z{3q6Ye64-$ z|H-w8lr>19AVuWEO_xcE) zMhFEfxvMl?_Qb^32)K|o&1i~K?U*?hw{wfTgFlpO6fBA(_crZuxMx5q-8TLFXT1uJYhf=-WD{wmw zhtit{Rf2VWo{{sr9SkHi2zcXMK2kPam$=j_H*S_sbmb+-@Rn--=<2y0)Q^uf9oaa zzr7Uj^tSi^r=g0Y4~hE(DIzz5w1mb@Vw4QqVpNDWV7-gO8k;3Q_mW2n#!jz1d=xLk zo$l~K+jG&?6hw*ad0RYE+Ud>?yTqz&4W$hqvJE1*(at|-kS+T5+A9#&sTq!fSrmlY z^5wo#zQ95+Bme{aZP+S;H3tF!Kmzb@hUxxe*wzE$;OuzMUErR-wYRgijhnsCU0;WP z%->PxAJxzpRn^zI!>5vWu0SXYSU{kY7zz>T7zeNP)U` z4Jn@0)Z~Cytkb{GT-46qRbrc>Ng?#&&@5moQaV{7Fitp{uZHX35a9+(k+aMcWXksx zlb8nH0A2)hQK|5;n0bgqie+GV(pn4UVil;r;|#?celXbNY<_TmRY@ETC7u?`y6W!g zL!hh0$l$VB0-e#RwiW~(72VlAhc&(a3I^eEd0z>ai~JQpLylOwdaDu@6~l9W4oYbi zPf}~cn%_xhODm|!HuOuZ0pLK}vMMY0$Sj=XEBfqM5vs0@~;ibx=KmG`;h6t6+V z>xzqHWVq?ugb8d3w?PYJ=RnnLyp3D?Dp>r7;fSG=-_7Kv!RqpfrYyEyRx)`e0z%d67{%wA%*#zXs(oV*3FG5%3i_BeqvLl#`|}MA)SSc9i}BN#UIkV=>V?vMG8y!2UvUn5x84K9KYbhHO;GeJ zfyH+fWflmp5bD!mLB954*Po&NP{&2@n_G*|0#7+`fiFm3_pXg*kf-s@`k5O z)Z_XwdJm)g`I0nfP#90W(qOm|-ihmMK+Eotx)zF?o-x{##2VxxF?&rl_~uH@9Nr{; zBlVhg{l1U+;TRyI1g2RMtAKpkaV-Vt+O!G<4i=i`9F8p*sRzHA+|RdcDgxPU@=y;1 zK0i`FHnhQT9J7`L=@>+enkt4p2Y1yTe#-M`a-$uJtV!VGRw#SlpOW`uCcw!jN&Pz& zU*h{NG6~6r+eKX329F**=VVS~sdPTUXs4-1<7 zd-J!4>tW~j*EG5Kc>H&3iP_fG`D=c3baW22s-D#A>gdkA@H7{Wl{1s(yo(oUQf(yn z&!suVuD5sr0O0+f({k6>-rL*S!Nc4AuA7Ig>s=>Xw|}n8PSZ@x8SoxDy{3Ky7oKjd zXfJPP7iCoQ2YKQv?SwcoIZDBVM%G3_#vQr!}t zZlTZ0$%Z=Mu96m?SAMh~T9KcM)}XHGPLT5#;oY)ks|%>A;}57^_z!eoh}ZeI2Dn~F zaIInV=$ES<#3?}yydtaP0{#O%MSe=&;ujd0;%^y{p2*zU*7-DGyj|LC_2bx=wJX%c znC$EHp{yZ8{{X+ZtQFBj6u3HJAGvuTn@AQN;0FzO-zFm^Znn;8kr4YR8t&}8b}N_Z z`e=H?Q_Re)7jY&Katik#mzBK;xZHvUUXFb@JvlxOMh`?=vgCG8)qF=m#gTgZ0qC)m z*pTZlE#!uI$Au2e#oD(Y2)}KYk%@qm|zzJ)tA0OmOj?PDfez>4e!H3a5{@XSLC73|tQI zn|(;IXw>K3Vj5t&ZRk*f5KR7h6LiacMN~vbpA7GI6xPnI3LoxG-TV1MlRB;pjxiHW zSm5F1l(4yF0RL=pJ1t{Ngflr@PL@8BL9 zuGM^Z{GKI_#^I8THa(3s)4;%`jLlUSv(^E16UL__=$Gi4N0^I%$n)-f8PdZYsCR4r zm}*FoIHY=i&qEt2u7uviTyM#R&>w|BPnv_Dk9*`1U7l&PJh2GjMRQtq(%67TK6q3O`sdIGnBm 
zl(meG-hkC>m$Zbk{l4ad`;I>PSy4VBd0}>=Rb!0Q&gexf9v=t3F<1LGM1dBIFl#fn)uNmxJ|?`F3n+9thuPTa!&JAe&u`{lxzf ztL(8B@8JaL`i9jykLf)ACNk``Z-Pz#G?afxDaF7b4l)ay<&$?Kj(_#Fm$z{0bWZA3 zyY9R5=Ys&YH92_emL#4*sr3^R{m^^x=~1ZLl6#aLm^UA10hAql4GDWXl6DYw)0Q;0 zDt2)j_9J@pFn_IzOMWcig_qcu(8u%^2;QE@LNYQ}@4`^>q2UH8!X1cZq9{BUIcOO= zTblL9%a*wtx9zqrnW#R$7xoKV`G9xKKc#zBn&!pEFjl%fc*cvlizg zW}0z6J)AZ0V6FqaZdN8oOQ;*2nDB#T&0DARrAxIMGq9Kv`;l>VpihSd}%;6f|=`)!dSCEn2JaI z-U;NMz4CB~|F!kuss3OTMLCD!BV_v^S+c@Rc>cZ8Ww6 zf#qTrl+=U#R-{jw8%6Jt`EjmzP^;jiLm`Z+Ry&Y>_^vDL=OHJVy+r9_evqsmG?eq& zISxbqcfu7v*n?%@13)(DuY|+GrUw3-alfum_y7^``}yN<;Gf06GCRR<#S8er|Fv`d zS^Xev1ucS-&o5T|$;D2-XpK`zQ2i0$KdwT@2#|N96q`P~lA#@}pl@_EVrHAg692%sNRzLw696*p7 zVlLjh?x&yYzu&*#b>6l1de_nEt*5#l6pFW*eUAZV$In4SG~cT&0@COG@2IboZq6Z_x&pHjN>I=x_ zsq#>dA=1Mbat*W#^_0mBP%{fc`Q3M>ij+gCs z%HjB)Rg?8gNtdN^8iVihb^$$+_#lXL+>Vklaz0cT6qavv!&x@CKP((CTjT@RD>^pZ zR>93T<8i`tPNiwIuasXt-W=BIkxo`nhC;KVeP6Zp2{)QgrG4*yz9p5Fl9=FJx%a!dzo44NA!L;)b4YAw}C@`4YMhIlE4U=jpA( z^M`ZxXkI`XtINb}HSGc=haHf_3Kdg;Y5F!AN^JV= zxRr^Q4_g@{#Ft*8yYOS7TKCj}jsr|hCU*q#*7NLX=pF3P*bz0Nq?{8vmVQw_4ZE+d zOVJeDvGjBNh9#=aB6f?hv{~p&wcz7Wu{u}@Yx)>0B3JqLd}F} z{e%Em+f$egGn7Zbxz_Qj>h7avaCVsuU1zt#bNJ>ENU`>8YioS0+G6R$X>=)i8bP!t_bOyOYAlWV zSb#TAbD1w~^;|*#n@T>luQ92DAT9$&LRL?(xbjeUSW-ZDMR@NjC>I7|eXvoo_GZ7f z47CudGLGQgW9l$@cV~uGkMbqbt@16#Bjs?yig>|-%;OW%jA9e4Q9}~Ds; z0bm|?b<26OlN@&Dp_y=w0bA&YRjxqxzN-}FSjxp_27ZH1_?~iKgk{_b#9E1*b0og> z%Ya`XJ^?u0JYn3td%f9pOy_+`-uKkrA7ko8IlL)8YKY|=dqKVqI^Kx8qwB|LqYD`a z&vOV>lZ6UZ(-vCD&u$yYt6x7JF@IfaTgi*2mzfqr2z2Esy8OZ(%fKl!qNGl;F~>Me zSH3m3rmpBMlew!EX|E7k?q;1{wDt{x{VZtjya6*Rb-f5e6PlU)4FC~lag8p~cL3` zlGToMfYlFKY%?GF7`F>9TbOx|5vQ^1D|8S>r*inr=3O^c<>C{Z<*j93EkhwgadI~$ zL3>gfwxnq=sR!g#^95XA5ED1%gtC6wWA07Z@{deg?*vhQQ!OzU{FBX__Pl zqui(*^@!^@H-+$O2}$CO#fRd9j1r2w%1^o*KZwFwTIiLu04*-PfG5X;)^7{5!jL|P z1X3AQ5u&bThsaHxy7pr!G*a@pzHmCiy4C1~b$RD*(5%efmHcW>)BORH^AwrV2~4-KVgPa$ z!2hc8I(=`n+gsoyOfXQ3>qpQUmmM&q6|YYqi9 zx%ANk$?nc2xGkG~@lE{-ftntV@Y$UPQ+LMDusuDu|gSwL+K`es@7Kv9P` 
zQ6}29N%=TwBOf8yx`AsVpHgWUw|nlH=Fe6WSta-SU906$(~M*0Go@t7L^Q^Kxn%9# zq=>urISreE%X;VfX=I&o!ZI0h)rN#!-p}Em6t@Yq0M5LG|^bAG?V| zc_Sy6?%oO)p^kTWpsm@cN-~0Y)|?G4Nv%{T`yE0Rmb&7)_nG=(oG7OsQ-~%#JFO)! z^TZTe-ZT%W_S*3oPIO2YSK)5v2eP&{73Gm1N$t%Pf1 z5nu;Ok}^%@rOR~{5}Ekl06Y)mpit&vGIbXY7fr+Pptcgs#>i89%N~p~c)!2F$!!1L zvZ5FYN;oN+aoO3?vxTY@C4tLi@U=%K+nD3Em33xz9aMGu%Ik;5s*w5{?888jts2PY)8yR0owXu!zKzL&p;j32Oo3X8(gUe!mHwVIOR*; z^(N(fpYn6`PEh+s!4vZA@&2i#ZvHKC-EDn-R+F>0`>&}b>biD**3Y#aXjVL~)zQ|OdhTH+ z6fJ8i#mRw>iv4V&whF@zGHrsxQ)l zDZ6u`>KhU&hS1&fLyaUw2VH$`A~nb%{XWwNWi171k|fAw65(eZ1A!31rbkhQZzUDB z6s8s6W?Lm>IGo`v6XNCK)2#Xmpf8XdkTu(ojtwR0(Q`3t&D;j5F>L`Qyz_4~+DbxC z#!PpSSUuET%k{1!pi%&@>H9eIdOhw9hCYVd2KGf;0*PO40&lr3i3n@!k>K2pz}UW3 z=FPdTb1zqLT-$}tA!@7v12njp6f(02z&)McOi9}iW={-N{*c*#TlS4oMxOfto{@5Y zK|@ndrp;YdR<%rQqm-ilmA0bLoW>?xd+5^*X?eGO@)#s`GKu$*bCx>2Y;i6J_pBxi z)JI~$;3jz=R7u?Jz!m+4Lr!b#Ciw`+l|ey}L5MOS^r#NU4*ZGG9IJIm zA^P0!dMMtLCO+7PdNt>cs00;=fh+fR-L(*6il}w;)rM>k?O_n~xH0hAsCy2<#icCq{w*Z**c;ubxZK!_Q3d1elgsEayTwAQSz~9myeh0(U|0;qE*iDk;wojI zo^rmu4enj&xkEmIkR)(Pu65VEr{Or||%Q@g(m8=Mx& zFoF2()+CoNrCZZ$>54s^+~hK9HL$Kt;CR_PUs!G|Zjj5L^}@tQqv5@vZ9b5d>6v*M zGWf%Afwf7w(EU06gUJejlBVI|Ymi#?f~H`m&zD?K&*29jOY(#y<)#^Je!8ET-AAZMw*7S>OuzqKilx@;AJT>Gbpye^ zG&y;g4OzK!K>D^Pq)lAC59}zk#PGh;?LM;pxFL2j`g}2XD^HV2h`Eu|a$Z)0mg=c< z@Jp=Z5qae&e5>YA$08a;c~WiSDTR$T>$jJ>Ui)l5a2<5o?s9XNN=5-fLojbmzZyR0X&LL7^Uph|jA5Eo zltKUXi@M*xUFIEXt?guo6MclBf7%>)e9_mo^yz@}39W@pdDGE>g*&+O{OsgxGrBkj zh-e=17zKV2pTm&2p8?WEOWF5%LNWXWcsqanq2@Ll-iFw}LyEy5PWor^UG z%nZB&hddcd*$=sCLmXWZJ--S29=U#yyHdd+H{$o)Q}lE2BUbj%&5>)Q;I=y;+M(2gBRoea#8N0G-q-B2nP z*m*GAoz(09(u&t664M^fVm<>(>`riS=nkN?;1zpMN|L;S9Ee=6-?_W0U?*#AGe z`_FK{>yMue|CjCl5$;d1{AZ-!Ma56O^2>^^N%#fq|57i1#`>MUzoTLx2K=Ka(N@E` S<^ce}yMB<@v(**FPw!usUI}La literal 0 HcmV?d00001 diff --git a/17-Terraform/dev/network-infra/dev.tfvars b/17-Terraform/dev/network-infra/dev.tfvars new file mode 100644 index 00000000..83149470 --- /dev/null +++ b/17-Terraform/dev/network-infra/dev.tfvars 
@@ -0,0 +1,4 @@
+vpc_cidr = "10.0.0.0/16"
+subnet1_cidr = "10.0.1.0/24"
+subnet2_cidr = "10.0.2.0/24"
+destination_cidr = "0.0.0.0/0"
diff --git a/17-Terraform/dev/network-infra/main.tf b/17-Terraform/dev/network-infra/main.tf
new file mode 100644
index 00000000..69c1ad8c
--- /dev/null
+++ b/17-Terraform/dev/network-infra/main.tf
@@ -0,0 +1,85 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = "~> 0.8"
+ }
+ }
+ backend "s3" {
+ bucket = "desmond-stelligent-u-bucket"
+ key = "dev/network-infra/state/terraform.tfstate"
+ encrypt = true
+ region = "us-east-1"
+ profile = "labs"
+ dynamodb_table = "terraform-up-and-running-locks"
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+ profile = "labs"
+}
+
+provider "archive" {}
+
+data "aws_availability_zones" "available" {}
+
+# Create a VPC
+resource "aws_vpc" "main" {
+ cidr_block = var.vpc_cidr
+}
+
+resource "aws_subnet" "subnet1" {
+ vpc_id = aws_vpc.main.id
+ cidr_block = var.subnet1_cidr
+ availability_zone = data.aws_availability_zones.available.names[0]
+
+ tags = {
+ Name = "tf-subnet-1"
+ }
+}
+
+resource "aws_subnet" "subnet2" {
+ vpc_id = aws_vpc.main.id
+ cidr_block = var.subnet2_cidr
+ availability_zone = data.aws_availability_zones.available.names[1]
+
+ tags = {
+ Name = "tf-subnet-2"
+ }
+}
+
+resource "aws_internet_gateway" "ig" {
+ vpc_id = aws_vpc.main.id
+}
+
+resource "aws_route_table" "public" {
+ vpc_id = aws_vpc.main.id
+}
+
+resource "aws_route" "public_internet_gateway" {
+ route_table_id = aws_route_table.public.id
+ destination_cidr_block = var.destination_cidr
+ gateway_id = aws_internet_gateway.ig.id
+}
+
+resource "aws_route_table_association" "public" {
+ subnet_id = aws_subnet.subnet1.id
+ route_table_id = aws_route_table.public.id
+}
+
+
+data "archive_file" "zip" {
+ type = "zip"
+ source_file = "data_backup/tfplan"
+ output_path = "data_backup/data_backup.zip"
+ depends_on = [
+ aws_vpc.main,
+ aws_subnet.subnet1,
+ aws_subnet.subnet2
+ ]
+}
diff --git a/17-Terraform/dev/network-infra/script.sh b/17-Terraform/dev/network-infra/script.sh
new file mode 100755
index 00000000..23e4f330
--- /dev/null
+++ b/17-Terraform/dev/network-infra/script.sh
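Review bot: Only `aws_subnet.subnet1` is associated with `aws_route_table.public` in dev/network-infra/main.tf; `aws_subnet.subnet2` stays on the VPC's main route table with no internet-gateway route, so despite the "public subnets" naming it is not reachable from the internet — add a second `aws_route_table_association` for `aws_subnet.subnet2` (or `for_each` over both subnets) if both are meant to be public. The `data "archive_file" "zip"` block packs `data_backup/tfplan` into `data_backup/data_backup.zip`, and the diffstat shows both files committed in this patch; a saved plan embeds variable values and the planned attributes of every resource, so it should be handled like state and kept out of version control rather than archived next to the configuration. `required_providers` declares `hashicorp/time`, which nothing here uses, while the `archive` provider that is used is left undeclared; replace the `time` entry with `archive = { source = "hashicorp/archive" }`. The same three points apply to the identical modules/vpc_with_public_subnets/main.tf hunk further down.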
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+WORKSPACE_NAME="${1}"
+OPTION="${2}"
+
+FILE="${WORKSPACE_NAME}.tfvars"
+BACKUP_PATH="data_backup"
+
+if [ -f "/$FILE" ]
+ then
+ echo "File '${FILE}' not found."
+else
+ terraform ${OPTION} -out ${BACKUP_PATH}/tfplan -var-file=${FILE}
+ if [ -f "${BACKUP_PATH}/tfplan" ]
+ then
+ echo "Plan is available for review!"
+ time terraform apply ${BACKUP_PATH}/tfplan
+ else
+ echo "tfplan not found"
+ fi
+fi
diff --git a/17-Terraform/dev/network-infra/variables.tf b/17-Terraform/dev/network-infra/variables.tf
new file mode 100644
index 00000000..ad7a8ad7
--- /dev/null
+++ b/17-Terraform/dev/network-infra/variables.tf
@@ -0,0 +1,16 @@
+variable "vpc_cidr" {
+ type = string
+}
+
+variable "subnet1_cidr" {
+ type = string
+}
+
+variable "subnet2_cidr" {
+ type = string
+}
+
+variable "destination_cidr" {
+ type = string
+}
+
diff --git a/17-Terraform/modules/vpc_with_public_subnets/main.tf b/17-Terraform/modules/vpc_with_public_subnets/main.tf
new file mode 100644
index 00000000..69c1ad8c
--- /dev/null
+++ b/17-Terraform/modules/vpc_with_public_subnets/main.tf
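Review bot: The existence check `if [ -f "/$FILE" ]` looks for the tfvars file at the filesystem root and its branches are inverted — when `/dev.tfvars` happens to exist it prints "not found", and when it does not the script proceeds to run terraform with a var-file that may be missing; it should read `if [ ! -f "${FILE}" ]`. `${OPTION}` is also spliced unquoted from argv straight into the terraform command line as the subcommand, and only `plan` makes sense with `-out`, so guard it before use, e.g. `[ "${OPTION}" = "plan" ] || { echo "usage: $0 <workspace> plan" >&2; exit 1; }`, and quote the remaining expansions (`"${BACKUP_PATH}/tfplan"`, `-var-file="${FILE}"`). A `set -euo pipefail` line after the shebang would stop the apply step from running after a failed plan with a stale tfplan still on disk.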
@@ -0,0 +1,85 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = "~> 0.8"
+ }
+ }
+ backend "s3" {
+ bucket = "desmond-stelligent-u-bucket"
+ key = "dev/network-infra/state/terraform.tfstate"
+ encrypt = true
+ region = "us-east-1"
+ profile = "labs"
+ dynamodb_table = "terraform-up-and-running-locks"
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+ profile = "labs"
+}
+
+provider "archive" {}
+
+data "aws_availability_zones" "available" {}
+
+# Create a VPC
+resource "aws_vpc" "main" {
+ cidr_block = var.vpc_cidr
+}
+
+resource "aws_subnet" "subnet1" {
+ vpc_id = aws_vpc.main.id
+ cidr_block = var.subnet1_cidr
+ availability_zone = data.aws_availability_zones.available.names[0]
+
+ tags = {
+ Name = "tf-subnet-1"
+ }
+}
+
+resource "aws_subnet" "subnet2" {
+ vpc_id = aws_vpc.main.id
+ cidr_block = var.subnet2_cidr
+ availability_zone = data.aws_availability_zones.available.names[1]
+
+ tags = {
+ Name = "tf-subnet-2"
+ }
+}
+
+resource "aws_internet_gateway" "ig" {
+ vpc_id = aws_vpc.main.id
+}
+
+resource "aws_route_table" "public" {
+ vpc_id = aws_vpc.main.id
+}
+
+resource "aws_route" "public_internet_gateway" {
+ route_table_id = aws_route_table.public.id
+ destination_cidr_block = var.destination_cidr
+ gateway_id = aws_internet_gateway.ig.id
+}
+
+resource "aws_route_table_association" "public" {
+ subnet_id = aws_subnet.subnet1.id
+ route_table_id = aws_route_table.public.id
+}
+
+
+data "archive_file" "zip" {
+ type = "zip"
+ source_file = "data_backup/tfplan"
+ output_path = "data_backup/data_backup.zip"
+ depends_on = [
+ aws_vpc.main,
+ aws_subnet.subnet1,
+ aws_subnet.subnet2
+ ]
+}
diff --git a/17-Terraform/modules/vpc_with_public_subnets/outputs.tf b/17-Terraform/modules/vpc_with_public_subnets/outputs.tf
new file mode 100644
index 00000000..b42d3f01
--- /dev/null
+++ b/17-Terraform/modules/vpc_with_public_subnets/outputs.tf
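Review bot: This child module is a byte-for-byte copy of 17-Terraform/dev/network-infra/main.tf (same blob 69c1ad8c) and so carries a `backend "s3"` block keyed to `dev/network-infra/state/terraform.tfstate` and a `provider "aws"` block pinned to `us-east-1`/`profile = "labs"`. Terraform only honors the backend of the root module (I believe it rejects one inside a child module outright), and provider configurations in a child module are a legacy pattern that prevents `count`, `for_each` and `depends_on` on the calling `module` block and forces every caller, including prod, onto the dev profile and region. Reduce the `terraform {}` block here to just `required_providers`, drop the `provider "aws"` and `provider "archive"` blocks together with the `data "archive_file" "zip"` (which reads a dev-local `data_backup/tfplan`), and let each root module configure its own provider and backend.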
@@ -0,0 +1,11 @@
+output "vpc_id" {
+ value = aws_vpc.main.id
+}
+
+output "subnet_id" {
+ value = aws_subnet.subnet1.id
+}
+
+output "subnet_id_2" {
+ value = aws_subnet.subnet2.id
+}
diff --git a/17-Terraform/modules/vpc_with_public_subnets/variables.tf b/17-Terraform/modules/vpc_with_public_subnets/variables.tf
new file mode 100644
index 00000000..ad7a8ad7
--- /dev/null
+++ b/17-Terraform/modules/vpc_with_public_subnets/variables.tf
@@ -0,0 +1,16 @@
+variable "vpc_cidr" {
+ type = string
+}
+
+variable "subnet1_cidr" {
+ type = string
+}
+
+variable "subnet2_cidr" {
+ type = string
+}
+
+variable "destination_cidr" {
+ type = string
+}
+
diff --git a/17-Terraform/prod/network-infra/main.tf b/17-Terraform/prod/network-infra/main.tf
new file mode 100644
index 00000000..009d5185
--- /dev/null
+++ b/17-Terraform/prod/network-infra/main.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
+
+module "my_vpc" {
+ source = "../../modules/vpc_with_public_subnets"
+ vpc_cidr = var.vpc_cidr
+ subnet1_cidr = var.subnet1_cidr
+ subnet2_cidr = var.subnet2_cidr
+ destination_cidr = var.destination_cidr
+}
diff --git a/17-Terraform/prod/network-infra/prod.tfvars b/17-Terraform/prod/network-infra/prod.tfvars
new file mode 100644
index 00000000..83149470
--- /dev/null
+++ b/17-Terraform/prod/network-infra/prod.tfvars
@@ -0,0 +1,4 @@
+vpc_cidr = "10.0.0.0/16"
+subnet1_cidr = "10.0.1.0/24"
+subnet2_cidr = "10.0.2.0/24"
+destination_cidr = "0.0.0.0/0"
diff --git a/17-Terraform/prod/network-infra/variables.tf b/17-Terraform/prod/network-infra/variables.tf
new file mode 100644
index 00000000..c7d6f2dd
--- /dev/null
+++ b/17-Terraform/prod/network-infra/variables.tf
@@ -0,0 +1,15 @@
+variable "vpc_cidr" {
+ type = string
+}
+
+variable "subnet1_cidr" {
+ type = string
+}
+
+variable "subnet2_cidr" {
+ type = string
+}
+
+variable "destination_cidr" {
+ type = string
+}
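Review bot: The prod root module in 17-Terraform/prod/network-infra/main.tf has no `backend` block, so prod state — including VPC and subnet identifiers — lands in a local, unencrypted `terraform.tfstate` with no locking, while the dev root uses the S3 backend with `encrypt = true` and the `terraform-up-and-running-locks` table. It also declares no `provider "aws"` of its own and therefore runs on whatever provider configuration the called module embeds (currently the dev `labs` profile). Add a backend block under its own state key and an explicit provider; the key path below is constructed by analogy with the dev key and should be confirmed:
```hcl
terraform {
  # … unchanged: required_providers …
  backend "s3" {
    bucket         = "desmond-stelligent-u-bucket"
    key            = "prod/network-infra/state/terraform.tfstate" # constructed by analogy with the dev key
    encrypt        = true
    region         = "us-east-1"
    profile        = "labs"
    dynamodb_table = "terraform-up-and-running-locks"
  }
}

provider "aws" {
  region  = "us-east-1"
  profile = "labs"
}

# … unchanged: module "my_vpc" …
```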
diff --git a/17-Terraform/state-management/main.tf b/17-Terraform/state-management/main.tf
new file mode 100644
index 00000000..69feb9b0
--- /dev/null
+++ b/17-Terraform/state-management/main.tf
@@ -0,0 +1,68 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+ backend "s3" {
+ bucket = "desmond-stelligent-u-bucket"
+ key = "state_management/terraform.tfstate"
+ encrypt = true
+ region = "us-east-1"
+ profile = "labs"
+ dynamodb_table = "terraform-up-and-running-locks"
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+ profile = "labs"
+}
+
+resource "aws_s3_bucket" "lab17_bucket" {
+ bucket = "desmond-stelligent-u-bucket"
+}
+
+resource "aws_s3_bucket_acl" "example-lab17" {
+ bucket = aws_s3_bucket.lab17_bucket.id
+ acl = "private"
+}
+
+resource "aws_s3_bucket_versioning" "example" {
+ bucket = aws_s3_bucket.lab17_bucket.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+ bucket = aws_s3_bucket.lab17_bucket.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "s3_block_access" {
+ bucket = aws_s3_bucket.lab17_bucket.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+
+resource "aws_dynamodb_table" "terraform_locks" {
+ name = "terraform-up-and-running-locks"
+ billing_mode = "PAY_PER_REQUEST"
+ hash_key = "LockID"
+
+ attribute {
+ name = "LockID"
+ type = "S"
+ }
+}
diff --git a/17-Terraform/terraform-example/main.tf b/17-Terraform/terraform-example/main.tf
new file mode 100644
index 00000000..8f232d2d
--- /dev/null
+++ b/17-Terraform/terraform-example/main.tf
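Review bot: `aws_s3_bucket.lab17_bucket` and `aws_dynamodb_table.terraform_locks` hold the state and locks for every other workspace in this commit, yet neither carries a `lifecycle { prevent_destroy = true }` block, so a `terraform destroy` or a resource rename in this directory would delete the state bucket (versioned or not) and the lock table along with it; add `lifecycle { prevent_destroy = true }` to both resources. Note also that this configuration stores its own state in the bucket it creates, so the first apply has to run with a local backend and be migrated afterwards — a comment above the `backend "s3"` block, such as `# Bootstrap: apply once with the backend commented out, then 'terraform init -migrate-state'`, would save the next person that discovery. The public-access block, versioning and default SSE on the bucket are the right defaults for a state bucket.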
@@ -0,0 +1,11 @@
+provider "aws" {
+ region = "us-east-1"
+ access_key = "AKIAUXAYGAARTYR6VMSI7C"
+ secret_key = "gEefvzATtW+YvP4sxNbEy8HSfgn55EoitOlRyoUf7wE3M"
+
+}
+
+resource "aws_instance" "my_ec2_server" {
+ ami = "ami-026b57f3c383c2eec"
+ instance_type = "t2.micro"
+}
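Review bot: The `provider "aws"` block in 17-Terraform/terraform-example/main.tf embeds a long-lived IAM access key and secret key as literals, and this commit pushes them into git history, where removing them in a later commit does not unpublish them. That key pair should be treated as exposed and deactivated and replaced in IAM now, and the provider block should use the same credential source as the rest of this commit, `profile = "labs"`, or the `AWS_PROFILE`/`AWS_ACCESS_KEY_ID` environment variables, with the two literal lines deleted. A pre-commit secret scanner in this repository would catch the next occurrence before it reaches the remote.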