Posts

Package and deploy a PowerShell Lambda function with custom modules

Recently I had the need to create a Lambda function with PowerShell 7. The function is to synchronize data between two REST APIs. It's fairly simple, but does need to use a custom made module. I spent quite bit time to find out how to deploy PowerShell Lambdas with custom modules. Thought might write a guide to help people want to do the same.   
My script is fairly simple, it get a list of users from one API and then convert it to a XML format object and export into the target API. To reuse some of the code, The script requires AWS.Tools module as well as a custom made module, let's called it CAT. The CAT is module contians some functions that are invoked in by the main script. The inital lines of my main script looks like below: #Requires -Modules @{ModuleName='AWS.Tools.Common';ModuleVersion='4.0.5.0'}
#Requires -Modules @{ModuleName='AWS.Tools.SecretsManager';ModuleVersion='4.0.5.0'}
#Requires -Modules CAT In addition to install the AWS.Tools mo…

Test out PowerShell 7 new features in WSL

Image
Finally, PowerShell 7 is now GA! As a heavy WSL user, I was keen to see how some of its new features will work in WSL1 (Ubuntu 4.4.0-18362-Microsoft). Below are the tests I have done.

Installation in WSL
Download the binary from Github repo to a local folder /usr/share/powershell
sudo wget https://github.com/PowerShell/PowerShell/releases/download/v7.0.0/powershell-7.0.0-linux-x64.tar.gz
Untar the file
sudo tar xzvf powershell-7.0.0-linux-x64.tar.gz
Add path for your shell
export PATH=/usr/share/PowerShell:$PATH
Reload .bashrc
source .bashrc
Remove the tar ball
sudo rm /usr/share/PowerShell/powershell-7.0.0-linux-x64.tar.gz
Run PowerShell 7 by run pwsh

Import Windows Modules in WSL
Install commonly Vendor released modules like VMware PowerCli
Install-Module -Name VMware.PowerCli
Install .Net based modules also works fine.
Install-Package PrtgApi
What about those module require Windows GUI, like Out-GridView? PowerShell 7 on Windows fully support this kind module. But for WSL some tweaks are r…

Monitor AWS VPC Connectivity with Python

Image
We recently have the need to cutover our AWS Direct Connects to a different vendor. In order to carry out the change, I was tasked to find a way to monitor Direct Connect connectivities to our on premise network from our hundreds of VPCs in AWS.

After some discussion with our network engineers and security team, the solution I end up using is to deploy a single EC2 instance into each those VPCs that has a connection to VGW. We then add those instance IPs into PRTG to monitor with Ping and Http sensors.

To allow the instance to be deployed into the targeted AWS accounts, we use CloudFormation StackSet to push out a role into each of those accounts first. The role then allows the "Master Account" to have permission to create and update necessary resources within the target accounts.

The instance uses a t3.nano tier alogn with Amazon hvm Linux2 AMI (Use our own hardened AMI in my case). A simple Nginx test page is installed on the instance to allow us to monitor TCP traffics. T…

RDP to EC2 with SSM Port Forwarding

Say you have a bunch of Windows servers hosted in AWS. The VPC they are in does not have VPN or Direct Connect connect back to your on premse network. Expose RDP port through public IP for these Windows servers is a very good way to get hacked. So how can we securely connect to the servers in this kind setup?

Fortunately we have SSM for the rescue. In August, AWS announced a new feature for SSM Session Manager, which allows us to securely create tunnels between your EC2 instances deployed in private subnets and your local machine. You can read about the announcement here.

Here are the steps you can setup for Windows Instances.
1. Configure the Windows EC2 as Managed Instances in SSM.
This mainly involves assign a IAM EC2 Role to the instance with SSM policies. Since the focus of this post is about Session Manager Port Forwarding, I won't expand this too much. you can find more details about initial setup of SSM here.

2. For your existing Windows EC2s, you will need to update the S…

VMware Site Recovery Manager Multi-Site Pair Deployment

I was recently involved in a data center migration project, which used VMware SRM (Site Recovery Manager) as the migration tool to move virtual machines between 3 DCs. The diagram below shows how the setup looks like. The version of SRM is 8.1.

[SiteA] <----> [SiteB] <----> [SiteC]

VMware documentation refer the above scenario as Shared Recovery Site. For each site-pair, you will need to deploy individual SRM server to ensure the SRM Plug-in ID is unique to that pair. So in our case, SiteB-C pair requires a new SRM server in Site B and Site C.

Install SRM

The steps below shows the configuration details of the installation process on each SRM server.
1. Provide the PSC server details of the site
2. Provide the vCenter server details of the site
3. Provide the local SRM extension details
4. This is the most important part of the configuration. Make sure you choose Custom Site Recovery Manager Plug-in Identifier. The Plug-in ID needs to be the same on both Site B and Site C SR…

How Secure is RDP?

Hands up if you have following setup/practices in your organization: A RDP server (Terminal server) that everyone can jump onto. Apart from the IT admins, some users have local admin rights on the box, just so they can run or configure a particular application. To help troubleshooting an issue, your IT admins often RDP to servers directly from user's laptop, which the user is a local admin. A group of users have local admin rights on a particular Windows box, and your Domain Admins also need to RDP to from time to time.
If any of above scenario applies to your organization, you might want to consider introducing some changes. This is why:
It is well known that Windows Remote Desktop Service has this feature that allows you to connect to another user's session. But obviously you will need to know the other user's credential to do that, right? No, not necessarily. With NT AUTHORITY/SYSTEM account, you can hijack the user's RDP session without the need for type in the cr…

Use Terraform to build server in VMware

Image
Like Cloud Formation and ARM Templates, Terraform enables the way of Infrastructure as Code to provision resources in Clouds, but it also works with on premise infrastructures like VMware vSphere and NSX. I recently have been working on the automation of on premise server provision process. The goal is to provision a Ubuntu server on our vSphere 6.5 environment with iPerf3 installed and configured.

It surprises me that there aren’t many useful resources/examples out there when comes to using Terraform with VMware. Yes, there are tons of blog posts about how to build a VMware VM with Terraform, but almost all of those are just touched on very very basic stuff. I can’t find any good reference for how to install and configuration applications within the VM. Without those, I seriously doubt the value of using IaaC. A simple VMware Template with ClickOps will be way more efficient.

I did end up finding a very detailed repo about using Terraform to build a Kubernate cluster in VMware in G…