I'm getting an unexpected issue while trying to change the SSH public key for one user via Terraform. What is changed in the PR is one line (the actual SSH key), nothing else, so I wouldn't expect anything new to be created. However, on terraform plan I'm getting this:
# aws_security_group.default will be created
+ resource "aws_security_group" "default" {
and on terraform apply this error:
Error: Error creating Security Group: InvalidParameterValue: Cannot use reserved security group name: default
status code: 400, request id: xxx
on classic_security_groups.tf line 1, in resource "aws_security_group" "default":
1: resource "aws_security_group" "default" {
This issue didn't happen before, but I can't find any related updates etc. causing it. Could anyone please suggest where I should look for the solution?
As per AWS documentation [1]:
Your AWS account automatically has a default security group for the default VPC in each Region. If you don't specify a security group when you launch an instance, the instance is automatically associated with the default security group for the VPC.
A default security group is named "default", and it has an ID assigned by AWS. The following table describes the default rules for a default security group.
This means you should change the name argument of the aws_security_group resource to something else, e.g., my-default-sg. This should not be confused with the logical name given to the resource, i.e., "aws_security_group" "default".
Note: If you must have a Security Group named default you should probably assign it to a non-default VPC.
[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/default-custom-security-groups.html
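A pre-apply check for the situation in this thread, as an added example (not from the original posts): it reads the JSON form of a plan, as produced by `terraform show -json`, and lists the resources the plan would newly create and any security group it would create under the reserved name `default`. The function names and the sample plan are constructed for illustration.

```python
import json

RESERVED_NAME = "default"  # the name rejected by the error quoted in the question

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_security_group.default", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"name": "default"}}},
    {"address": "aws_security_group.app", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"name": "my-default-sg"}}},
    {"address": "aws_key_pair.user", "type": "aws_key_pair",
     "change": {"actions": ["delete", "create"], "after": {"key_name": "user"}}},
]})


def _changes(plan_json):
    """Return the resource_changes list of a JSON plan (empty if absent)."""
    return json.loads(plan_json).get("resource_changes", [])


def new_resources(plan_json):
    """Addresses the plan creates from scratch (replacements are excluded)."""
    return [rc["address"] for rc in _changes(plan_json)
            if rc.get("change", {}).get("actions") == ["create"]]


def reserved_sg_creates(plan_json):
    """Security groups the plan would create with the reserved name."""
    flagged = []
    for rc in _changes(plan_json):
        change = rc.get("change", {})
        after = change.get("after") or {}
        if (rc.get("type") == "aws_security_group"
                and "create" in change.get("actions", [])
                and after.get("name") == RESERVED_NAME):
            flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    print("new resources:", new_resources(SAMPLE_PLAN))
    print("reserved-name security groups:", reserved_sg_creates(SAMPLE_PLAN))
```

Run against a real plan, a non-empty `new_resources` result on a change that only edits a key is the signal to look at the plan before applying it.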
I have tried to get the user group name as a value in the auth/me URL, but it returns only the objectId of the group.
How can I get the group name instead of the objectId?
In my manifest I have added
"groupMembershipClaims": "SecurityGroup"
Optional claims are also added.
I don't have any on-premises AD Connect.
I need the manifest configuration to get the group name in the auth/me URL.
I have tried this in my lab and it is working for me.
This option is available only if you select the "groups assigned to the application" option.
If you select any other option apart from this, "cloud-only group display names (preview)" will be greyed out.
Since this option is still in preview, there are some enhancements going on at the backend.
For more information, you can also refer to this documentation: Configure group claims for applications.
I tried to reproduce the same in my environment:
Manifest:
"given_name": "kav",
"groups": [
"xxxf-94bc-xxxxxx7d",
"xxxx-2459exx5a"
],
The JWT cannot contain the group name, but it gets the IDs of the groups.
You can customize the group claim name following Configure group claims, but it requires on-premises AD, which you mentioned is not there, as sAMAccountName is the option present on Group objects synced from Active Directory.
Otherwise, you can check all the default properties using the Microsoft Graph API in Graph Explorer:
https://graph.microsoft.com/v1.0/groups/<groupId>
Is there a way to create a Mesos role using the roles endpoint? I've tried different combinations of PUT / POST requests to http://mesos_master_url:5050/roles with different JSON body messages like
    {
        "frameworks":[],
        "name":"new-role",
        "resources":{
            "cpus":0,
            "disk":0,
            "gpus":0,
            "mem":0
        },
        "weight":1.0
    }
but with no success. The docs themselves are not that useful.
Roles are a part of the resource definition and must be defined at the node level. A new role is declared when there is at least one resource attached to it.
To assign a resource to a specific role, put the role name after the resource in brackets. For example, we want to run the roles development and test on one cluster. We want to distinguish the ports offered to these roles. The development tasks will be run on ports 31000-32000 and be tested on 41000-42000. To do it, we define the following resources.
ports(develop):[31000-32000]; ports(test):[41000-42000]
See Roles documentation and resources
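A small parser for the resources string shown above, as an added example (not part of the original answer and not Mesos code): it lists the roles a node's resources declare and reports roles whose port ranges overlap. It assumes the `name(role):value` form from the answer, with entries that omit `(role)` counted under the default role `*`; the function names are made up for illustration.

```python
import re

# Constructed input: the resources string from the answer plus one default-role entry.
SAMPLE = "ports(develop):[31000-32000]; ports(test):[41000-42000]; cpus:4"

_ITEM = re.compile(r"^(?P<name>[A-Za-z_][\w-]*)(?:\((?P<role>[^)]+)\))?:(?P<value>.+)$")
_RANGE = re.compile(r"(\d+)\s*-\s*(\d+)")


def parse_resources(text):
    """Parse 'name(role):value; ...' into (name, role, value) tuples.

    Range values such as [a-b, c-d] become lists of (lo, hi) integer pairs;
    any other value is kept as a stripped string.
    """
    parsed = []
    for item in filter(None, (part.strip() for part in text.split(";"))):
        m = _ITEM.match(item)
        if not m:
            raise ValueError("malformed resource: %r" % item)
        value = m.group("value").strip()
        if value.startswith("["):
            value = [(int(lo), int(hi)) for lo, hi in _RANGE.findall(value)]
        parsed.append((m.group("name"), m.group("role") or "*", value))
    return parsed


def declared_roles(text):
    """Roles that have at least one resource attached."""
    return sorted({role for _, role, _ in parse_resources(text)})


def overlapping_ports(text):
    """Pairs of distinct roles whose port ranges intersect."""
    ports = [(role, rng) for name, role, value in parse_resources(text)
             if name == "ports" and isinstance(value, list) for rng in value]
    clashes = set()
    for i, (role_a, (a_lo, a_hi)) in enumerate(ports):
        for role_b, (b_lo, b_hi) in ports[i + 1:]:
            if role_a != role_b and a_lo <= b_hi and b_lo <= a_hi:
                clashes.add(tuple(sorted((role_a, role_b))))
    return sorted(clashes)


if __name__ == "__main__":
    print(declared_roles(SAMPLE), overlapping_ports(SAMPLE))
```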
Also, roles are actually created on the mesos masters.
Generally, the config lives in /etc/mesos-master/roles and the content is like this:
role1,role2,role3,role4,role5,...,roleN
I have gone through this document and created an API, mapped it to my Lambda function, and it's working fine. Now I need to add more path parameters to my URL rather than '/mydemoresource' (e.g. /mydemoresource/sub-resource.json), but AWS does not allow giving / as a resource name. Any suggestions? Thanks in advance.
/ is automatically set up as the root resource when setting up a new API Gateway. You can create a new method at the root level.
When published, the API Gateway includes the stage as part of the URL. In case you're referring to that, you can use custom domain names and add an API mapping to avoid the stage name being included in the client-visible URL.
I am using elasticsearch-jetty plugin and trying to use it for the authentication of elasticsearch access.
I am wondering which security roles are available for users specified in realms.properties. I couldn't find a definitive list.
I saw in examples the usage of: admin, readwrite and read-only. Are there any others, and where can I specify new ones?
I have just found that roles are defined inside the jetty-restrict-*.xml files, depending on which one is used. For the default jetty-restrict-all.xml file, only the "readwrite" role is defined, but for jetty-restrict-write.xml the role "admin" is also used.
That is also the place where other roles can be defined.
I have resigned myself to the fact that many of the features that EC2 users are accustomed to (in particular, tagging) do not exist in OpenStack. There is, however, one piece of functionality whose absence is driving me crazy.
Although OpenStack doesn't have full support for instance tags (like EC2 does), it does have the notion of an instance name. This name is exposed by the Web UI, which even allows you to set it:
This name is also exposed through the nova list command line utility.
However (and this is my problem) this field is not exposed through the nova-ec2 API layer. The cleanest way for them to integrate this with existing EC2 platform tools would be to simulate an instance Tag with name "Name", but they don't do this. What's more, I can't figure out which Nova API endpoint I can use to read and write the name (it doesn't seem to be documented on the API reference); but of course it must be somehow possible since the web client and nova-client can both somehow do it.
At the moment, I'm forced to change it manually from the website every time I launch a new instance. (I can't do it during instance creation because I use the nova-ec2 API, not the nova command line client).
My question is:
Is there a way to read/write the instance name through the EC2 API layer?
Failing that, what is the REST endpoint to set it programmatically?
(BONUS): What is Nova's progress on supporting general instance tagging?
The Python novaclient.v1_1 package has a method on the server object:
    def update(self, server, name=None):
        """
        Update the name or the password for a server.
        :param server: The :class:`Server` (or its ID) to update.
        :param name: Update the server's name.
        """
        if name is None:
            return
        body = {
            "server": {
                "name": name,
            },
        }
        self._update("/servers/%s" % base.getid(server), body)
This indicates that you can update the name of a server by POST-ing
the following JSON to http://nova-api:port/v2.0/servers/{server-id}:
    {
        "server": {
            "name": "new_name"
        }
    }
Of course, all of the usual authentication headers (namely X-Auth-Token
from your Keystone server) are still required, so it is probably easier to
use a client library for whatever language you prefer to manage all that.