--- AWS Skill Guild LABS -----
-- training
https://www.aws.training/
--labs
https://us-east-1.student.classrooms.aws.training/
--workshops
https://workshops.aws/
----- Curso Netec -------------
https://www.npl.netecdigital.com
user : correo
pass: AWS-PRACT
--- EC2 -----
-- Acceso ssh a Instancia EC2
sudo ssh -i ~/Keys/debian_keys.pem
[email protected]
--Start instance
aws ec2 run-instances \
--image-id ami-a1b2c3d4e5example \
--instance-type t3.micro \
--key-name MyKeyPair \
--disable-api-stop \
...
--Stop instance
aws ec2 stop-instances --instance-ids i-1234567890abcdef0
aws ec2 stop-instances --instance-ids i-09ae2aa1a654c2363
--------- IAM USERS ---------
--Set credentials
aws configure
--List IAM users
aws iam list-users
xx
-------- PROFILES ------------
--List profiles
aws configure list-profiles
--Add user profile
nano ~/.aws/config
add user profile
nano ~/.aws/credentials
add user access keys on same profile
--Set existing profile
export AWS_PROFILE=default
---------- S3 commands -------------------
--LIST buckets
aws s3 ls
-- Create bucket
aws s3 mb s3://bucket_name
--Upload file to bucket
aws s3 cp /home/ssm-user/HappyFace.jpg s3://labclibucket-NUMBER
-- List bucket content
aws s3 ls s3://labclibucket-NUMBER
-------- Roles -----------
-- List Roles
aws iam list-roles
-- Get role ARN by query
aws iam list-roles --query "Roles[?contains(RoleName, 'LambdaDeployment')].Arn" --
output text
------------- Ver metadatos de una instancia EC2 por categoria ----
1.
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-
metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v
http://169.254.169.254/latest/meta-data/
2.
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-
data/CATEGORIA
Ej.
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-
data/public-hostname
------- EC2 Instance User Data --------------
Ej.
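#!/bin/bash
# EC2 user data for the Inventory App lab: updates packages, enables the SSM
# agent, installs Apache/PHP, downloads the app and the AWS SDK for PHP, and
# writes the Aurora connection settings into get-parameters.php.
#
# NOTE(review): user data is readable by any local process through the
# instance metadata endpoint, so the DB password below is not a secret on the
# instance. The Run Command migration script later in these notes reads its
# password from Secrets Manager at run time; prefer that pattern outside a lab.
yum -y update
cd /tmp || exit 1
# Enable and start the AWS Systems Manager Agent (the agent is only enabled
# here, not installed)
systemctl enable amazon-ssm-agent
systemctl start amazon-ssm-agent
# Install Apache Web Server, the MySQL client and PHP
yum install -y httpd mysql
amazon-linux-extras install -y php7.2
# Download Inventory App Lab files
wget https://us-east-1-tcprod.s3.us-east-1.amazonaws.com/courses/ILT-TF-200-ARCHIT/v7.5.0.prod-8b95bd17/lab-4-HA/scripts/inventory-app.zip
unzip inventory-app.zip -d /var/www/html/
# Download and install the AWS SDK for PHP
wget https://github.com/aws/aws-sdk-php/releases/download/3.62.3/aws.zip
unzip -q aws.zip -d /var/www/html
# Load Amazon Aurora DB connection details from AWS CloudFormation
un="dbadmin"
pw="lab-password"
ep="inventory-cluster.cluster-c4ehwqu5ajko.us-east-1.rds.amazonaws.com"
db="inventory"
#mysql -u $un -p$pw -h $ep $db < /var/www/html/sql/inventory.sql

# Escape a value for the replacement side of the sed 's|...|...|' commands
# below: '\', '&' and the '|' delimiter would otherwise be interpreted by sed.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Populate PHP app settings with DB info. '|' is used as the delimiter because
# a password may contain '/', which would end a plain s/// expression early.
settings=/var/www/html/get-parameters.php
sed -i "s|DBENDPOINT|$(sed_escape "$ep")|g" "$settings"
sed -i "s|DBNAME|$(sed_escape "$db")|g" "$settings"
sed -i "s|DBUSERNAME|$(sed_escape "$un")|g" "$settings"
sed -i "s|DBPASSWORD|$(sed_escape "$pw")|g" "$settings"
# Turn on web server
systemctl start httpd.service
systemctl enable httpd.service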
------------- Agregar Variables de entorno de recursos ---------------------
-- Exportar la cuenta aws como variable
export awsAccount=`aws sts get-caller-identity --query "Account" --output text` &&
echo awsAccount=$awsAccount >> ~/.bashrc
-- Consulta metadatos de la instancia EC2 y configura la region aws de la instancia EC2 como variable
export awsRegion=`curl -s http://169.254.169.254/latest/meta-data/placement/region`
&& echo awsRegion=$awsRegion >> ~/.bashrc
-- Exporta ID de la VPC
export VPC=`aws ec2 describe-vpcs --filters Name=tag:Name,Values=wa-lab-vpc --query
'Vpcs[*].VpcId' --output text --region $awsRegion` && echo VPC=$VPC >> ~/.bashrc
--Exporta Zona de disponibilidad
export awsAZ1=`aws ec2 describe-availability-zones --region $awsRegion --query
'AvailabilityZones[].ZoneName[]|[0]' --output text` && echo awsAZ1=$awsAZ1 >>
~/.bashrc
------ Variable de entorno mediante Query --------------
--- Recuperar Arn de Politica
policyArn=$(aws iam list-policies --output text --query 'Policies[?PolicyName ==
`S3-Delete-Bucket-Policy`].Arn')
--Recuperar Arn de Rol
roleArn=$(aws iam list-roles --output text --query 'Roles[?contains(RoleName,
`lambdaPollyRole`) == `true`].Arn')
------ Checar version de politica --------------
aws iam get-policy-version --policy-arn $policyArn --version-id v1
----- Asignar politica a rol --------------
aws iam attach-role-policy --policy-arn $policyArn --role-name notes-application-
role
----- Checar politicas adjuntas a un rol -----------
aws iam list-attached-role-policies --role-name notes-application-role
---------- S3 Buckets -------------------
--- Listar buckets
aws s3 ls
--List all buckets with s3api
aws s3api list-buckets
-- Get s3 bucket name by query
aws s3api list-buckets --query "Buckets[?contains(Name, 'bookmark')].Name" --
output text
------ Borrar un Bucket
aws s3 rb s3://$bucketToDelete
----- Subir archivo en python
s3Client.upload_file(filePath,
mp3Bucket,
UserId+'/'+NoteId+'.mp3')
------ Agregar variable de objeto bucket a entorno
apiBucket=$(aws s3api list-buckets --output text --query 'Buckets[?contains(Name,
`apibucket`) == `true`] | [0].Name')
notesTable='Notes'
--- Asignar un bucket a variable por palabra / query ---
bucketToDelete=$(aws s3api list-buckets --output text --query 'Buckets[?
contains(Name, `deletemebucket`) == `true`] | [0].Name')
------ Creacion de subredes
------------ Crear subred publica ----------------
aws ec2 create-subnet --vpc-id $VPC --cidr-block "10.100.2.0/24" --availability-
zone $awsAZ2 --tag-specifications 'ResourceType=subnet, Tags=[{Key=Name,Value=wa-
public-subnet-2}]' --region $awsRegion
------------ Crear subred privada ---------------------
aws ec2 create-subnet --vpc-id $VPC --cidr-block "10.100.3.0/24" --availability-
zone $awsAZ2 --tag-specifications 'ResourceType=subnet, Tags=[{Key=Name,Value=wa-
private-subnet-2}]' --region $awsRegion
----------- Exportar subred publica como variable
export publicSubnetId=`aws ec2 describe-subnets --filters Name=tag:Name,Values=wa-
public-subnet-2 --query 'Subnets[*].SubnetId' --output text --region $awsRegion` &&
echo publicSubnetId=$publicSubnetId >> ~/.bashrc
----------- Exportar subred privada como variable
export privateSubnetId=`aws ec2 describe-subnets --filters Name=tag:Name,Values=wa-
private-subnet-2 --query 'Subnets[*].SubnetId' --output text --region $awsRegion`
&& echo privateSubnetId=$privateSubnetId >> ~/.bashrc
------- Tablas de enrutamiento
----------- Exportar tabla de enrutamiento de subred publica como variables
export publicRt=`aws ec2 describe-route-tables --filters Name=tag:Name,Values=wa-
public-rt --query 'RouteTables[*].RouteTableId' --output text --region $awsRegion`
&& echo publicRt=$publicRt >> ~/.bashrc
----------- Exportar tabla de enrutamiento de subred privada como variables
export privateRt=`aws ec2 describe-route-tables --filters Name=tag:Name,Values=wa-
private-rt --query 'RouteTables[*].RouteTableId' --output text --region $awsRegion`
&& echo privateRt=$privateRt >> ~/.bashrc
----- Asociar tabla de enrutamiento
-- Subred publica
aws ec2 associate-route-table --subnet-id $publicSubnetId --route-table-id
$publicRt --region $awsRegion
--Subred privada
aws ec2 associate-route-table --subnet-id $privateSubnetId --route-table-id
$privateRt --region $awsRegion
-- Crear subredes en primer zona de disponibilidad
aws ec2 create-subnet --vpc-id $VPC --cidr-block "10.100.4.0/24" --availability-
zone $awsAZ1 --tag-specifications 'ResourceType=subnet, Tags=[{Key=Name,Value=wa-
rds-subnet-1}]' --region $awsRegion
-- Crear subredes en primer zona de disponibilidad
aws ec2 create-subnet --vpc-id $VPC --cidr-block "10.100.5.0/24" --availability-
zone $awsAZ2 --tag-specifications 'ResourceType=subnet, Tags=[{Key=Name,Value=wa-
rds-subnet-2}]' --region $awsRegion
---- Exportar primer subred RDS
export rdsSubnet1Id=`aws ec2 describe-subnets --filters Name=tag:Name,Values=wa-
rds-subnet-1 --query 'Subnets[*].SubnetId' --output text --region $awsRegion` &&
echo rdsSubnet1Id=$rdsSubnet1Id >> ~/.bashrc
-- Exportar segunda subred para RDS
export rdsSubnet2Id=`aws ec2 describe-subnets --filters Name=tag:Name,Values=wa-
rds-subnet-2 --query 'Subnets[*].SubnetId' --output text --region $awsRegion` &&
echo rdsSubnet2Id=$rdsSubnet2Id >> ~/.bashrc
--- Asociar subred 1 para RDS a tabla de enrutamiento
aws ec2 associate-route-table --subnet-id $rdsSubnet1Id --route-table-id $privateRt
--region $awsRegion
--- Asociar subred 2 para RDS a tabla de enrutamiento
aws ec2 associate-route-table --subnet-id $rdsSubnet2Id --route-table-id $privateRt
--region $awsRegion
------- Crear grupo de subredes RDS
aws rds create-db-subnet-group --db-subnet-group-name "wa-rds-subnet-group" --db-
subnet-group-description "WA RDS Subnet Group" --subnet-ids $rdsSubnet1Id
$rdsSubnet2Id --region $awsRegion
--------- Crear grupo de seguridad IAM para RDS
aws ec2 create-security-group --description "RDS Security group" --group-name "wa-
rds-sg" --vpc-id $VPC --region $awsRegion
--------- Exportar id de grupo de seguridad
export rdsSg=`aws ec2 describe-security-groups --filters Name=group-name,Values=wa-
rds-sg --query 'SecurityGroups[*].GroupId' --output text --region $awsRegion` &&
echo rdsSg=$rdsSg >> ~/.bashrc
export ec2DbSg=`aws ec2 describe-security-groups --filters Name=group-
name,Values=wa-database-sg --query 'SecurityGroups[*].GroupId' --output text --
region $awsRegion` && echo ec2DbSg=$ec2DbSg >> ~/.bashrc
----------------- Permitir comunicacion entre grupo de seguridad RDS
aws ec2 authorize-security-group-ingress --group-id $rdsSg --source-group $ec2DbSg
--protocol "tcp" --port "3306" --region $awsRegion
------------- Crear instancia Multi-AZ
aws rds create-db-instance --db-name "WaRdsDb" --db-instance-identifier
"waDbInstance" --allocated-storage 20 --db-instance-class db.t3.micro --engine
"mariadb" --master-username "mainuser" --master-user-password "WaStr0ngP4ssw0rd" --
vpc-security-group-ids $rdsSg --db-subnet-group-name "wa-rds-subnet-group" --multi-
az --no-publicly-accessible --backup-retention-period 0 --region $awsRegion
--------------- Verificar disponibilidad de punto de enlace de instancia RDS
aws rds describe-db-instances --db-instance-identifier "waDbInstance" --query
'DBInstances[*].Endpoint.Address' --output text --region $awsRegion
Se espera:
wadbinstance.cyk7pychnesl.us-west-2.rds.amazonaws.com
------------ Comprobar valores de parametros de conexion APP > RDS guardados en
almacén
aws ssm get-parameters --names "DbPrivateDns" --region $awsRegion --output table
--------------- Actualizar valor del servidor RDS en los parámetros de conexion
guardados en el almacen
----- Exportar el puntos de enlace de RDS
export rdsEndPoint=`aws rds describe-db-instances --db-instance-identifier
"waDbInstance" --query 'DBInstances[*].Endpoint.Address' --output text --region
$awsRegion` && echo rdsEndPoint=$rdsEndPoint >> ~/.bashrc
----- Actualizar el valor
aws ssm put-parameter --name "DbPrivateDns" --value $rdsEndPoint --overwrite --
region $awsRegion
----- Migrar base de datos en EC2 a RDS. Systems Manager : Run Command
--Script
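#!/bin/bash
# Migrate the local "sample" MySQL database to the RDS instance (run through
# Systems Manager Run Command): dump the local DB, resolve the RDS endpoint
# from Parameter Store and the admin password from Secrets Manager, then
# recreate the database and the application user on RDS.
# Stop at the first failed step so a failed dump or lookup does not lead to a
# partial migration.
set -euo pipefail

# Database backup using mysqldump utility
mysqldump sample > backup.sql

# Resolve the instance region from IMDS. A session token is requested first so
# the lookup also works when the instance requires IMDSv2.
imds_token=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
export awsRegion
awsRegion=$(curl -s -H "X-aws-ec2-metadata-token: $imds_token" \
  http://169.254.169.254/latest/meta-data/placement/region)
# Add RDS endpoint as an environment variable
export rdsendpoint
rdsendpoint=$(aws ssm get-parameter --name DbPrivateDns \
  --query 'Parameter.Value' --region "$awsRegion" --output text)
# Set RDS instance admin user variable
export user=mainuser
# Set the RDS admin password value stored in Secrets Manager as variable
export rdspasswd
rdspasswd=$(aws secretsmanager get-secret-value --secret-id rdsPassword \
  --query 'SecretString' --output text --region "$awsRegion")

# Hand the credentials to the mysql client through a private option file
# (mktemp creates it mode 0600) rather than -p$rdspasswd on the command line,
# where the password would be visible to every user on the host via ps.
# NOTE(review): assumes the secret contains no '"' or '\' (MySQL option-file
# quoting) — confirm against the stored secret.
mysql_cnf=$(mktemp)
trap 'rm -f -- "$mysql_cnf"' EXIT
printf '[client]\nhost="%s"\nuser="%s"\npassword="%s"\n' \
  "$rdsendpoint" "$user" "$rdspasswd" > "$mysql_cnf"

# Run one SQL statement string on the RDS instance using the option file above.
run_sql() {
  mysql --defaults-extra-file="$mysql_cnf" -e "$1"
}

# Below commands create the database, load the MySQL backup into RDS, create a
# user and set permissions in the RDS database instance.
run_sql "CREATE DATABASE sample;"
run_sql "USE sample;source backup.sql;"
# NOTE(review): the lab user gets DML on every schema (*.*) plus GRANT OPTION,
# with a password fixed in this script; outside the lab, scope the grant to
# sample.* and read the password from Secrets Manager like rdspasswd above.
run_sql "CREATE USER 'tutorial_user'@'%' IDENTIFIED BY 'WaFram3w0rk';"
run_sql "GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'tutorial_user'@'%' WITH GRANT OPTION;"
run_sql "FLUSH PRIVILEGES;"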
-------------- Lambda -------------------
-------Create function
aws lambda create-function \
--function-name $folderName \
--role $roleArn \
--environment Variables={TABLE_NAME=$notesTable} \
--zip-file fileb://$folderName.zip
------- Agregar variables de sistema a entorno lambda
aws lambda update-function-configuration \
--function-name dictate-function \
--environment Variables="{MP3_BUCKET_NAME=$apiBucket, TABLE_NAME=$notesTable}"
-------- Actualizar codigo de la funcion
aws lambda update-function-code \
--function-name dictate-function \
--zip-file fileb://dictate-function.zip
-------Invoke a function
aws lambda invoke \
--function-name $functionName \
--payload fileb://event.json response.txt
--- Agregar permisos a funciones lambda para llamados por apigateway
aws lambda add-permission --function-name delete-function --statement-id apiInvoke
--action lambda:InvokeFunction --principal apigateway.amazonaws.com
aws lambda add-permission --function-name dictate-function --statement-id apiInvoke
--action lambda:InvokeFunction --principal apigateway.amazonaws.com
aws lambda add-permission --function-name search-function --statement-id apiInvoke
--action lambda:InvokeFunction --principal apigateway.amazonaws.com
--- Cognito ----
--- Crear nuevo usuario en grupo de Cognito
aws cognito-idp sign-up --client-id $AppClientId --username student --password
student
--- Confirmar usuario creado
aws cognito-idp admin-confirm-sign-up --user-pool-id $CognitoPoolId --username
student
---Recuperar region
region=$(curl http://169.254.169.254/latest/meta-data/placement/region -s)
--Recuperar cuenta
acct=$(aws sts get-caller-identity --output text --query "Account")
--- Recuperar Cognito user pool id
poolId=$(aws cognito-idp list-user-pools --max-results 1 --output text --query
"UserPools[].Id")
--- Recuperar Cognito user pool arn
poolArn="arn:aws:cognito-idp:$region:$acct:userpool/$poolId"
------------ Apigateway ----------------
--- Recuperar api gateway id por nombre
apiId=$(aws apigateway get-rest-apis --query "items[?name == 'PollyNotesAPI'].id"
--output text)
--- Importar recursos (llamadas) desde definicion yaml a un api gateway
aws apigateway put-rest-api --rest-api-id $apiId --mode merge --body
'fileb://PollyNotesAPI-swagger.yaml'
-- Implementar recursos de api nuevos
aws apigateway create-deployment --rest-api-id $apiId --stage-name Prod
----- SAM (scripts for serverless resources )
---- Obtiene recursos, compila la aplicacion y crea un contenedor
sam build --use-container
---- Despliega el contenedor
-- sam deploy --stack-name polly-notes-api --s3-bucket $apiBucket --parameter-
overrides apiBucket=$apiBucket
---------- SAM ------------------
sam init -- Genera un template basado en las elecciones de configuracion
sam build -- Genera y compila los artefactos de implementación a partir del
template
sam deploy -- Despliega aplicacion en la nube a partir de los artefactos de
implementación del paso anterior