Find expiring Certs in the Local Computer Store (Windows)

At one job, we had certificates deployed in the Windows Local Computer store and we were annoyed by them expiring without notice. The following is a solution built on the AWS SSM service: an SSM document runs on each instance and writes the `Cert:\LocalMachine\My` store into a custom inventory type (`Custom:CertInventory`), and a scheduled Lambda function reads that inventory for every instance tagged with the target environment and publishes an SNS alert for each certificate that expires within a configurable number of days.

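def lambda_handler(event, context):
    """Publish an SNS alert for every certificate that is about to expire.

    Flow (all driven from the Lambda's environment variables):
      1. Select the EC2 instances whose ``Environment`` tag equals the
         ``Environment`` variable.
      2. For each instance, read every entry of the ``Custom:CertInventory``
         SSM inventory type (written on the host by the companion SSM
         document) and parse its ``Expiry`` field.
      3. For each certificate whose expiry is after now but within
         ``ExpiryThresholdDays`` days, print the message and publish it to
         the SNS target in ``NotificationARN``.

    Environment variables (all required except ``AWS_REGION``):
      ExpiryThresholdDays -- integer number of days ahead to warn.
      NotificationARN     -- SNS topic/target ARN to publish to.
      Environment         -- value of the ``Environment`` tag to match.
      ClientName          -- name embedded in the alert text.
      AWS_REGION          -- set by the Lambda runtime; used to build the
                             console link, defaulting to ap-southeast-2.

    The execution role needs ec2:DescribeInstances, ssm:ListInventoryEntries
    and sns:Publish on the target ARN.

    Args:
        event: Lambda event payload; unused (the function is schedule-driven).
        context: Lambda context object; unused.

    Raises:
        KeyError: a required environment variable, or the ``Expiry``,
            ``Subject`` or ``Thumbprint`` field of an inventory entry, is
            missing.
        ValueError: ``ExpiryThresholdDays`` is not an integer, or an
            inventory ``Expiry`` value is not in ``MM/DD/YYYY`` form.
    """
    import os
    from datetime import datetime, timedelta

    import boto3

    ec2 = boto3.resource('ec2')
    ssm = boto3.client('ssm')
    sns = boto3.client('sns')

    threshold_days_string = os.environ['ExpiryThresholdDays']
    notification_arn = os.environ['NotificationARN']
    environment = os.environ['Environment']
    client_name = os.environ['ClientName']
    threshold_days = int(threshold_days_string)

    # Naive local datetimes on both sides of the comparison: the inventory
    # document writes dates with ToShortDateString(), which carries no
    # timezone. NOTE(review): that format is culture-dependent; this parser
    # assumes the en-US MM/DD/YYYY form - confirm on non-US hosts.
    now = datetime.now()
    cutoff = now + timedelta(days=threshold_days)

    region = os.environ.get('AWS_REGION', 'ap-southeast-2')
    console_base_url = (
        "https://" + region + ".console.aws.amazon.com/ec2/v2/home?region="
        + region + "#ManagedInstances:InstanceIds="
    )

    tagged_instances = ec2.instances.filter(Filters=[{
        'Name': 'tag:Environment',
        'Values': [environment]}])

    for instance in tagged_instances:
        name = _name_tag(instance)
        alert_hyperlink = console_base_url + instance.id

        for cert in _inventory_entries(ssm, instance.id, 'Custom:CertInventory'):
            expiry = cert["Expiry"]
            expiry_date = datetime.strptime(expiry, "%m/%d/%Y")
            # Already-expired certificates are deliberately not reported here.
            if not (now < expiry_date < cutoff):
                continue

            message = (
                "A " + client_name + " certificate expiring within "
                + threshold_days_string
                + " days has been found on the below EC2 instance \n"
                + instance.id + "(" + name + "). \n\nCertificate Details:\nThumbprint: "
                + cert["Thumbprint"] + "\nSubject: " + cert["Subject"]
                + "\nEXPIRES: " + expiry
                + "\n\nClick here for more details: " + alert_hyperlink
            )
            print(message)
            sns.publish(
                TargetArn=notification_arn,
                Message=message,
                Subject=client_name + " - Certificate Expiry Alert",
            )

    print("Done")


def _name_tag(instance):
    """Return the instance's ``Name`` tag value, or its ID when there is none.

    ``instance.tags`` is ``None`` for an untagged instance, and an instance
    may carry an ``Environment`` tag but no ``Name`` tag; the original loop
    then raised NameError or silently reused the previous instance's name.
    """
    for tag in instance.tags or []:
        if tag['Key'] == 'Name':
            return tag['Value']
    return instance.id


def _inventory_entries(ssm, instance_id, type_name):
    """Yield every entry of one SSM inventory type for an instance.

    ``list_inventory_entries`` is paginated; without following ``NextToken``
    only the first page of certificates would ever be examined.
    """
    kwargs = {'InstanceId': instance_id, 'TypeName': type_name}
    while True:
        page = ssm.list_inventory_entries(**kwargs)
        for entry in page.get("Entries", []):
            yield entry
        next_token = page.get("NextToken")
        if not next_token:
            return
        kwargs['NextToken'] = next_token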

Certificate Inventory SSM Doc (runs on each instance and writes the `Cert:\LocalMachine\My` store into the custom inventory file that the Lambda above reads). Two caveats before reusing it: the instance ID is fetched from the metadata service without a session token (IMDSv1), so the step fails on instances where IMDSv2 is enforced (`HttpTokens=required`) — obtain a token with a `PUT` to `/latest/api/token` and send it in the `X-aws-ec2-metadata-token` header; and if the store holds exactly one certificate, `ConvertTo-Json` may emit a single object rather than an array, which SSM may reject for `Content` — wrapping the pipeline in `@( ... )` keeps it an array. The `$certs` variable is unused.

{
    "schemaVersion": "1.2",
    "description": "Inventory Personal Store Certificates into JSON for SSM.",
    "runtimeConfig": {
        "aws:runPowerShellScript": {
            "properties": [
                {
                    "id": "0.aws:runPowerShellScript",
                    "timeoutSeconds": 7200,
                    "runCommand": [
                        "$instanceid=Invoke-RestMethod -Method Get -Uri http://169.254.169.254/latest/meta-data/instance-id",
                        "$customInventoryPath=\"C:\\ProgramData\\Amazon\\SSM\\InstanceData\\\"+$instanceid+\"\\inventory\\custom\\certs.json\"",
                        "Set-Location Cert:\\LocalMachine\\my",
                        "$certs=get-childitem | select Subject,FriendlyName,NotBefore,NotAfter,Thumbprint,HasPrivateKey",
                        "$certlist=get-childitem | select Thumbprint,@{Name='Expiry';Expression={$_.NotAfter.ToShortDateString()}},Subject,FriendlyName,@{Name='Start';Expression={$_.NotBefore.ToShortDateString()}},@{Name='HasPrivateKey';Expression={[string]$_.HasPrivateKey}}|convertto-JSON",
                        "$certJSONprefix='{\"SchemaVersion\": \"1.0\",\"TypeName\": \"Custom:CertInventory\",\"Content\": '",
                        "$certJSONsuffix='}'",
                        "$certJSONOut=$certJSONprefix +$certlist +$certJSONsuffix|Set-Content $customInventoryPath -Force"
                    ]
                }
            ]
        }
    }
}

DevOps Architecture

Not sure about the source, but worth sharing...

Quickly bootstrap a Squid Proxy Server on Amazon EC2

Squid is the ubiquitous proxy server; there just isn't any competition :)

Quickly bootstrap a Squid proxy server on Amazon EC2 with this UserData/bootstrap script. Note that access is restricted to the `localnet` ranges — never run this with `http_access allow all` on an instance reachable from the internet, or you have built an open proxy:

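#!/bin/bash
#Squid user-data.sh
#
# Bootstraps a forwarding proxy on port 3128 for the private ranges listed in
# the `localnet` ACL below.
#
# SECURITY: the original configuration ended with `http_access allow all`,
# which makes the instance an open proxy for anyone who can reach port 3128.
# Access is now limited to `localnet` and `localhost`, CONNECT tunnels are
# limited to the SSL ports, and everything else is denied. Still restrict
# inbound 3128 in the instance's security group to the same ranges.
yum update -y
yum install -y squid

# Log/spool directories referenced by the config; -p makes a re-run harmless.
mkdir -p /var/log/squid3/
mkdir -p /var/spool/squid3/
chown squid /var/log/squid3/ -R
chown squid /var/spool/squid3/ -R

# Quoted delimiter: nothing in the config should be expanded by the shell.
cat > /etc/squid/squid.conf << 'EOF'
# Local network access to proxy
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# Edit these ranges to match the VPC(s) that are allowed to use the proxy.
acl localnet src 0.0.0.0/8 10.76.0.0/16 10.78.0.0/16 
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http

acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# Only allow CONNECT tunnels to the SSL ports (otherwise CONNECT to any
# port in 1025-65535 would be permitted by Safe_ports).
http_access deny CONNECT !SSL_ports

http_access deny to_localhost
icp_access deny all
htcp_access deny all

http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid

#Suggested default:
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .       0   20% 4320
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

# Allow only the local networks listed above; deny everything else.
http_access allow localnet
http_access allow localhost
http_access deny all

EOF

service squid start
chkconfig squid on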

Docker Image for Bamboo Build Agent

A basic Dockerfile for Bamboo agent

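# Bamboo build agent with Packer, the AWS CLI and jq.
# Third-party binaries are fetched over HTTPS and verified against a pinned
# SHA-256 before they are installed, so a tampered or truncated download
# fails the build instead of landing on the agent.
FROM atlassian/default-image

# Packer 1.2.3. `-f` makes an HTTP error fail this step outright rather than
# saving an error page that would then fail the checksum with a vaguer
# message; the archive is removed once unpacked.
RUN curl -fsSLo packer_1.2.3_linux_amd64.zip https://releases.hashicorp.com/packer/1.2.3/packer_1.2.3_linux_amd64.zip \
 && echo "822fe76c2dfe699f187ef8c44537d10453a1545db620e40b345cf6991a690f7d  packer_1.2.3_linux_amd64.zip" | sha256sum --status -c - \
 && unzip packer_1.2.3_linux_amd64.zip -d /usr/local/bin/ \
 && rm packer_1.2.3_linux_amd64.zip

# update and install in one layer so the package index can't go stale
# between them; drop the apt lists afterwards to keep the image small.
RUN apt-get -q update \
 && apt-get -q -y install python-pip rubygems-integration \
 && rm -rf /var/lib/apt/lists/*

# NOTE(review): awscli is unpinned, so every build may pull a different
# version; pin it (pip install awscli==X.Y.Z) for reproducible agents.
RUN pip install awscli

# jq 1.5, verified the same way. `install` sets the mode and moves the
# binary in one step; the build already runs as root, so no sudo is needed.
RUN curl -fsSLo jq-linux64 https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64 \
 && echo "c6b3a7d7d3e7b70c6f51b706a3b90bd01833846c54d32ca32f0027f00226ff6d  jq-linux64" | sha256sum --status -c - \
 && install -m 0755 jq-linux64 /usr/local/bin/jq \
 && rm jq-linux64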

Alert on a new EC2 instance creation...

I created a new notification system in AWS to alert us when a new EC2 instance is created in the account.

Infrastructure details

A new CloudWatch rule is created:

 

This invokes a Lambda function InvokeCreationNotifier.

The Lambda function parses the event and sends an email through SNS:

 

 

 

Octopus Deploy is a neat product...

I really like Octopus Deploy, have used it at a Client for deploying .Net applications and I like the visibility it provides for the CD side of the DevOps process.

I am leaving Kloud...

Kloud is one of the companies with a soul ... will be missed