Posts

Work with Google OAuth2 Flow and Blogger API using PowerShell

I haven't been very diligent in maintaining this blog. Quite a few SPAM comments have accumulated on my posts. Turning on moderation is a good way to prevent them in the future. I still want to have an automated way to clean up those SPAM comments. So over the weekend, I wrote this PowerShell script to achieve exactly this. It would probably take way less time if I just manually went through the portal and deleted those comments. But I learnt so much more about Google API and the OAuth2 flow in the process of writing this small tool. Plus, now I have something to write about :)

Google API can be accessed with either an API key or an OAuth2 token. However, the API key is only allowed for publicly accessible resources and actions like reading a post or comment. Actions like deleting a post or comment require OAuth2 to be set up. Now let's look at how this is achieved for PowerShell.

Set up the app in Google Developer Console

Go to https://console.developers.google.com/ and set up a new project. U

Use Ansible to update Splunk Universal Forwarder Configuration

Today we will look at how to use Ansible to update Splunk UF (Universal Forwarder) configuration. The benefits of using Ansible to achieve this are:

- Save the hassle of manually modifying conf files of syslog-ng and Splunk UF.
- Codify Splunk UF configuration, so it can be version controlled via GitHub.
- Automate updates of multiple UFs without the need to SSH to each single server.
- The playbook can also be used to configure a newly provisioned Splunk UF.

Updating log inputs on a Splunk Universal Forwarder normally involves the following tasks:

1. Modify two configuration files:
   - Syslog-ng conf file in conf.d/syslog-ng.conf.
   - Syslog app inputs config file under the Splunk UF installation folder.
2. After the modification, the Splunk service needs to be restarted.

For configuration files, we use Jinja2 templates to simplify their format. The Jinja2 templates use parameters supplied from a CSV file to populate the final conf file. The Ansible playbook converts the template to a conf file using the template task. Th

OWA and ECP failure after Install Exchange 2016 CU17

I recently ran into an issue after updating Exchange 2016 from CU15 to CU17. The upgrade installation took around an hour, but was eventually completed successfully, according to the Installation Wizard at least. When I tried to access ECP, I got the error below even before the login page showed up. In the meantime, Exchange Management Shell was inaccessible due to the error. In the event log, there were lots of 1003 errors related to MSExchange Front End HTTP Proxy. After some research, it appears the issue is caused by corrupted SharedWebConfig.config files in C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy and C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess. But regenerating the files based on this MS document didn't fix the issue. I ended up having to set up a test Exchange 2016 CU17 in my own lab environment. Once the new Exchange was up, I copied those 2 SharedWebConfig.config files to the production Exchange server and then did an IISRESET. To my dismay, ECP t

Package and deploy a PowerShell Lambda function with custom modules

Recently I had the need to create a Lambda function with PowerShell 7. The function is to synchronize data between two REST APIs. It's fairly simple, but does need to use a custom-made module. I spent quite a bit of time finding out how to deploy PowerShell Lambdas with custom modules. I thought I might write a guide to help people who want to do the same.

My script is fairly simple: it gets a list of users from one API, then converts it to an XML format object and exports it into the target API. To reuse some of the code, the script requires the AWS.Tools module as well as a custom-made module, let's call it CAT. The CAT module contains some functions that are invoked by the main script. The initial lines of my main script look like below:

    #Requires -Modules @{ModuleName='AWS.Tools.Common';ModuleVersion='4.0.5.0'}
    #Requires -Modules @{ModuleName='AWS.Tools.SecretsManager';ModuleVersion='4.0.5.0'}
    #Requires -Modules CAT

In addition to install the AWS.Tool

Test out PowerShell 7 new features in WSL

Finally, PowerShell 7 is now GA! As a heavy WSL user, I was keen to see how some of its new features would work in WSL1 (Ubuntu 4.4.0-18362-Microsoft). Below are the tests I have done.

Installation in WSL

Download the binary from the GitHub repo to a local folder /usr/share/powershell

    sudo wget https://github.com/PowerShell/PowerShell/releases/download/v7.0.0/powershell-7.0.0-linux-x64.tar.gz

Untar the file

    sudo tar xzvf powershell-7.0.0-linux-x64.tar.gz

Add the path for your shell

    export PATH=/usr/share/PowerShell:$PATH

Reload .bashrc

    source .bashrc

Remove the tarball

    sudo rm /usr/share/PowerShell/powershell-7.0.0-linux-x64.tar.gz

Run PowerShell 7 by running pwsh

Import Windows Modules in WSL

Installing common vendor-released modules like VMware PowerCli works fine.

    Install-Module -Name VMware.PowerCli

Installing .NET-based modules also works fine.

    Install-Package PrtgApi

What about those modules that require a Windows GUI, like Out-GridView? PowerShell 7 on Windows fully supports this

Monitor AWS VPC Connectivity with Python

We recently had the need to cut over our AWS Direct Connects to a different vendor. In order to carry out the change, I was tasked with finding a way to monitor Direct Connect connectivity to our on-premise network from our hundreds of VPCs in AWS. After some discussion with our network engineers and security team, the solution I ended up using was to deploy a single EC2 instance into each of those VPCs that has a connection to a VGW. We then add those instance IPs into PRTG to monitor with Ping and HTTP sensors. To allow the instance to be deployed into the targeted AWS accounts, we use a CloudFormation StackSet to push out a role into each of those accounts first. The role then allows the "Master Account" to have permission to create and update necessary resources within the target accounts. The instance uses a t3.nano tier along with the Amazon hvm Linux2 AMI (our own hardened AMI in my case). A simple Nginx test page is installed on the instance to allow us to monitor TCP traf

RDP to EC2 with SSM Port Forwarding

Say you have a bunch of Windows servers hosted in AWS. The VPC they are in does not have a VPN or Direct Connect connection back to your on-premise network. Exposing the RDP port through a public IP for these Windows servers is a very good way to get hacked. So how can we securely connect to the servers in this kind of setup? Fortunately we have SSM to the rescue. In August, AWS announced a new feature for SSM Session Manager, which allows us to securely create tunnels between your EC2 instances deployed in private subnets and your local machine. You can read about the announcement here. Here are the steps to set this up for Windows instances.

1. Configure the Windows EC2 as Managed Instances in SSM. This mainly involves assigning an IAM EC2 role to the instance with SSM policies. Since the focus of this post is Session Manager Port Forwarding, I won't expand on this too much. You can find more details about the initial setup of SSM here.
2. For your existing Windows EC2s, you will need to up