Restrict FROM address with AWS SES domain identities

If you are working with an application that sends email, you’ve probably come across “DKIM” which is cryptographic signing of emails to prevent impersonation of people within an organisation. Unfortunately AWS SES only supports DKIM signing for domain identities - not single-address identities. This means even if your application only sends email from a single address such as contact@example.com - to set up DKIM you need the entire example.com domain verified. If the SES SMTP credentials were leaked, an attacker could use them to impersonate anyone in your organisation and it would be detected as legitimate. This could have tangible financial and reputational impacts to your organisation - imagine your finance department getting an email from the CEO requesting a (fake) invoice be paid immediately. ...

November 9, 2022

Drush 8 Exit Code Workaround

A bug in older versions of drush stops errors bubbling up to shell exit codes. This is problematic if you have a shell script with a sequence of commands that depend on the previous one completing successfully. It also makes detecting failed CI builds, deployments and cronjobs near impossible. Unfortunately I’m stuck using drush8 as Lagoon does not support dynamic drush aliases in newer versions. The bash function below will terminate a script with exit code 1 if the output piped to it includes "exception" or "error". ...

October 15, 2020

Force git to use HTTPS

Recently I encountered an issue where a CI tool could not fetch certain dependencies as the SSH key used for cloning the main project did not have access to the other repositories. To work around this, I opted to clone the private dependencies via https, passing the credentials in the URI. The magic to force this without changing composer.json:

# Set the COMPOSER_USER and COMPOSER_TOKEN environment variables to a user which has access to clone these repos.
git config --global url."https://${COMPOSER_USER}:${COMPOSER_TOKEN}@gitlab.example.com/".insteadOf "git@gitlab.example.com:"

You can also clone public repos via the https endpoint rather than ssh like this: ...

April 28, 2020

Log in to GitHub Docker registry with just a token

I recently worked on a project to push our private docker images to GitHub’s package registry. Our CI only had a GITHUB_TOKEN environment variable set, but docker login requires a username too. Rather than add a new environment variable to the build and an assumption that the username and token had to match, I used this snippet to derive the username from the token and log in to the registry. ...

April 27, 2020

Get personal Slack tokens from the web interface

I am currently in 5 slack organisations and wanted to automate setting my status across all the orgs simultaneously. Unfortunately Slack have deprecated personal api tokens… You may also be in an environment where slack apps are tightly controlled. Don’t lose hope though - with a bit of l33t h4x0ring you can get a personal bearer token from the web UI! Log into slack in a browser with devtools available (a URL like https://your-org.slack.com) ...

April 17, 2020

Improve your bash scripts with this boilerplate template

First up - here’s the template. Continue reading below for an explanation of each component.

Unofficial Strict Mode

set -euo pipefail
IFS=$'\n\t'

There are a few things going on here - set -e will exit the script if any command returns a non-zero status. set -u will stop a script if using an undefined variable. set -o pipefail will terminate the script at the first failed command in a pipeline. IFS=$'\n\t' makes iterating over lines more predictable by splitting on new lines and tabs, rather than spaces.

Logging Helpers

This template provides helpers for displaying log messages at various levels. These levels provide more context for users of the script. fatal has special behavior where it will exit the script after displaying the message. ...

March 14, 2019

How to generate temporary download links to S3 objects

S3 has a feature which allows you to generate signed URLs which are valid only for a predefined period of time. This makes it much safer to distribute URLs via email/slack etc.

Process

1. Find the object in the S3 console and note the bucket name and object path.
2. Ensure your AWS credentials are loaded into your environment.
3. Use the AWS CLI to create a pre-signed URL:

# TTL - number of seconds until the URL expires
# BUCKET - the bucket name
# OBJECT - the object path
aws s3 presign s3://${BUCKET}/${OBJECT} --expires-in ${TTL}

4. Send the resulting URL to the intended recipient (ensure you include a note about its expiration). The link should look something like this:

https://bucket-name.s3.amazonaws.com/object/path.tgz?AWSAccessKeyId=AKIAJ54UGSPNBHHHHGA&Expires=1516229734&Signature=XUi654DFIbAs55QJGnMuD92fZ%2FQ%3D

March 5, 2019

AWS KMS cryptographic operations on the command line

AWS KMS is a managed service for cryptographic functions in AWS. This service allows you to offload the tough job of key lifecycle management to Amazon. These snippets will allow you to perform basic cryptographic functions - encrypt, decrypt, and rewrap. It is assumed you already have a KMS key provisioned, and you have an IAM user with permissions to perform the relevant operations.

Encrypt the Contents of a File

This command encrypts the contents of contents.txt and saves the encrypted version in contents.asc. ...

February 28, 2019

How to use count with data resources in Terraform

tl;dr version:

"${element(data.github_team.pull.*.id, count.index)}"

While writing a little terraform module to manage github repositories, team permissions and branch protection rules, I ran into an issue where github_team_repository resources need the team ID, but github_branch_protection resources need the team slug. ...

February 27, 2019