Check out our new article on Simplified Multi-Factor Authentication with awless
- #71: Add support for Classic load-balancers:
$ awless list classicloadbalancers
$ awless create classicloadbalancer name=my-loadb subnets=[sub-123,sub-456] listeners=HTTP:80:HTTP:8080 healthcheck-path=/health/ping securitygroups=sg-54321 tags=Env:Test,Created:Awless
$ awless update classicloadbalancer name=my-loadb health-interval=10 health-target=HTTP:80/weather/ health-timeout=300 healthy-threshold=10 unhealthy-threshold=5
$ awless attach classicloadbalancer name=my-loadb instance=@redis-prod-1
$ awless delete classicloadbalancer name=my-loadb
- #214:
AWS_PROFILE
env variable now loaded inawless
in addition to the deprecatedAWS_DEFAULT_PROFILE
thanks to @alewando - Better completion for
attach mfadevice
andattach user
commands - #219: Validate access key and secret key before writing into
~/.aws/credentials
file
- #220: Add double quotes to CSV output if needed thanks to @lllama
- Fix compilation error in templates with concatenation and reference (c.f. for example in this template)
- Parse integer beginning with '0' as string (preventing the deletion of the initial '0' for example in
... account.id=0123456789
)
-
Much better performance when synchronising all access data (IAM, etc.)
-
Create instances now supports distro prompting for CentOS, Amazon Linux 2, CoreOS
$ awless create instance name=myinst distro=amazonlinux:amzn2 $ awless create instance distro=coreos $ awless create instance distro=centos name=myinst
-
Avoiding extra throttling: Listing flag
--filter
now passes on the user wanted filtering down to the AWS API when possible so that less unneeded resources are fetched, bandwidth is reduced and some throttling avoided.For example:
$ awless ls s3objects --filter bucket=website $ awless ls records --filter name=io $ awless ls containertasks --filter name=my-task-definition-name
-
Support for region embedded in an AWS profile (i.e. shared config files ~/.aws/{credentials,config}). See #181 in Fixes for more details
-
#191 Attach a certificate to a listener with:
awless listener attach id=... certificate=...
(see awless attach listener -h for more)
- #200: Now paging is supported for s3 objects when listing
- #196: Regression fix SIGSEV when having AWS config with role assuming
- #182: Region embedded in profile taken into account and given correct precedence
- #144: Filtering done on AWS side when listing records for a given zone name
- #172: Filtering done on AWS side when listing containertasks for a given task definition name
In this release, the local data model has been updated to support multi-account and stale data is removed when upgrading. Local data (ex: used for completion, etc...) will progressively be synced again through your usage of awless. Although, to get all your data now under the new model, you can manually run 'awless sync'
- Support and seamless sync across multi-account (i.e. multiple profiles) and regions
- Enriched params prompting with optional/skippable but very common params. Can be disabled with
--prompt-only-required
or forced with--prompt-all
to leverage smart completion for all params - Automatically complete the username when deleting an access key by its ID, if it is contained in the local graph model:
awless delete accesskey id=ACCESSKEYID
- For
awless update stack
paramstackfile
can now slurp yml and json params files. Thanks to @Trane9991 (#167, #145) - Better completion for template parameters independently of their display name
- Aliases can now be resolved to properties other than IDs. For example, they are resolved to ARN in attach/detach/update/delete policy:
awless attach policy arn=@my-policy-name
- Running only
awless switch
now returns your current region and profile, allowing a quick and short region/profile lookup - Better completion of slice properties
- Listing of Route53 records now contains a new column for aliases #181
- Create an image from an existing instance. See
awless create image -h
awless create image instance=@my-instance-name name=redis-image description='redis prod image'
awless create image instance=i-0ee436a45561c04df name=redis-image reboot=true
- List your images with
awless ls images --sort created
- Delete images with an
awless revert ...
or withawless delete image id=@redis-image
- #169: Start/Stop a RDS database:
awless start database id=my-db-id
awless stop database id=@my-db-name
awless restart database id=@my-db-name
- Restart an EC2 instance
awless restart instance id=id-1234
awless restart instance ids=@redis-prod-1,@redis-prod-2
- #176: Delete a DNS record only by its awless ID (see
awless ls records
) or by its name:awless delete record id=awls-39ec0618
awless delete record id=@my.sub.domain.com
- Fix regression error: errors in dry run showed but where ignored hence user could wrongly confirm to run the template
- Delete a DNS record only by its awless ID
- Better prompting of template parameters
- Overall better logging output of template execution
- Create a database replica with:
awless create database replica=...
- Better prompt completion for template parameters
- Create instance/launchconfiguration from community distro names (
awless create instance distro=debian
). In default config value, deprecation ofinstance.image
in favor ofinstance.distro
(migration should be seamless).awless create instance distro=redhat:rhel:7.2
awless create launchconfiguration distro=canonical:ubuntu
awless create instance distro=debian
- Quick way to switch to profiles and regions. Ex:
awless switch eu-west-1
,awless switch mfa us-west-1
- Create a public subnet in only one command with:
awless create subnet public=true...
- Save directly your newly created access key in
~/.aws/credentials
with :awless create accesskey save=true
- Overall better logging output of template execution
- Update Cloudfront distribution with:
awless update distribution...
Overall re-design of AWS commands with full acceptance testing allowing for easier external contribution, greater flexibility and scalability moving forward
- #154:
awless ssh
allow specifying both--port
and--through-port
- #151:
awless ssh
using ip addresses. Ex:awless ssh 172.31.68.49 --through 172.31.11.249
awless attach mfadevice
now propose to automatically add the MFA device configuration to~/.aws/config
- #158, #159: Added bash/zsh completion to regions and profiles. Thanks to @padilo.
- Complete flow to enable MFA for a user, including QRCode generation
- Much better output for
awless log
; default message (or user specified message) stored now in logs - #143: Follow CloudFormation stack events:
awless tail stack-events my-stack-name --follow
. Thanks to @Trane9991. - Support concatenation between
{holes}
and"quoted strings"
in template with+
operator:policy = create policy ... resource="arn:aws:iam::" + {account.id} + ":mfa/${aws:username}"
- Manage and listing of MFA devices:
awless create/delete/attach/detach mfadevice
,awless list mfadevices
- Support Network Load Balancers:
awless create loadbalancer .... type=network ...
- Add conditions in policies and support multiple resources
awless create policy ... conditions=\"aws:MultiFactorAuthPresent==true\" resource=arn:aws:iam::0123456789:mfa/test,arn:aws:iam::0123456789:user/test
- Add conditions in role creation
awless create role name=awless-mfa-role principal-account=0123456789 conditions=\"aws:MultiFactorAuthPresent==true\"
- List the access keys of all users with
awless list accesskeys
(previously, only current user) - Fetch role trust policy document:
awless show my-role
- Exit code is now non zero on template run with KO states
- Local storage of cloud data (RDF store) now done using the NTriples text format instead of a binary format (transition completely transparent for the user). New format allows more friendly git revisioning of data compared to a binary format.
- #87: Customize columns displayed in
awless list
with--columns
:awless ls instances --sort name --columns name,vpc,state,privateip
- Global
--no-sync
flag to not run any sync on command awless show policy-name/policy-id
now displays the current policy Document (in JSON).
- Update IAM policies, to add statements with
awless update policy
- Add ACM certificates in infra:
awless list certificates
awless create/delete/check certificate domains=my.firstdomain.com,my.seconddomain.com validation-domains=firstdomain.com,seconddomain.com
- #123: Listing route tables display the association IDs.
awless ssh --through
: no reusing same conn to avoid EOF. Bug: only first user (amazonlinux) was successful (usually ec2-user) !!awless ssh --through
: on new proxy client catching error that where shadowed
awless show
command 'not found' error now suggests if resource with same reference exists in other locally synced regionsawless
template language now supports lists, for example:create loadbalancer subnets=[$subnet1, $subnet2]
- Variables in
awless
template language now support references, holes and lists, for example:mysecgroups = [$secgroup1, {my.secgroup},sg-123456]
awless
template language now supports holes in strings, for example:create instance name={prefix}database{version}
awless update securitygroup
can now authorize/revoke access from another security group:update securitygroup id=sg-12345 inbound=authorize portrange=any protocol=tcp securitygroup=sg-23456
- Template CLI prompt: better TAB completion of resources and their properties
- Man CLI examples for all one liners command. For example,
awless create instance -h
will display relevant CLI examples - Add
Type
(AWS/Customer managed) andAttached
(true/false) columns inawless list policies
- #129: flag
--color=always/never
to force enabling/disabling of colored output.
- List network interfaces with
awless list networkinterfaces
- Fix regression: listing a resource returned no results when this resource was disabled for sync. Listing should always fetch the resources and display what is on your cloud.
- #130: Better exit status code in
awless show
command - Port ranges starting from 0 to n are no longer processed as from n to n.
awless ssh --through
: works without an SSH agent running; correct StrictHostkeyChecking; correct display for--print-config
- Sync overall speed up and massive reducing in memory consumption
- SSH
--through
:awless ssh my-priv-inst --through my-pub-inst
allow you to connect to a private instance by going through a public one in ths same VPC. You need to have the same keypair (SSH key) on both instances. - Flag
--profile-sync
onawless sync
to enable live profiling. Will dumpmem
andcpu
Go profiling files for later inspection - #109: Support caching of STS credentials for Multi-Factor Authentication.
- #126: Flag
--no-alias
inawless show
force the display of IDs in relations. - #126: Reverse sorting when listing resources with flag
--reverse
- #120: Profile info is now included in execution logs and appended when suggesting revert action
- #82: Better template TAB completion (e.g. complete list of parameters)
- Instance Profiles: List them; attach them to an instance. Ex:
attach instanceprofile name=...
,awless ls instanceprofiles
- Replace in one command an InstanceProfile on a given instance with the
replace=true
param. Ex:attach instanceprofile .... replace=true
- Update Route53 records with
awless update record
- #116 No more sync Out Of Memory
- Detach/Attach rapidly AWS policies to user, group or role with:
attach policy service=ec2 access=readonly group=sysadmin
. More info withawless attach policy -h
- Better template TAB completion: suggest on properties, suggest nothing if not relevant
- Create access keys: prompt user to potentially store them locally under a specific profile
- Conveniently prompting and storing locally (~/.aws/credentials) for AWS profile credentials when access keys not found
awless ssh
: support SSH agent thanks to @justone- New
--port
flag forawless ssh
: specifying non-standard SSH port thanks to @justone - Use
--no-headers
flag inawless list
to display the results without headers - New flag
--values-for
inawless show
to output machine readable values for resource properties. Ex:awless show my_instance --values-for name,publicip
- Sync works on best effort now. Meaning it does not bail out when an error happens (most often it can be an access right issues on some AWS services)
awless ls policies
now returns: your managed policies + all policies attached to any users, role or group- Table display now use full terminal width when possible
- Much friendlier first install
- Support of EC2 NAT Gateways:
awless list natgateways
/awless create/delete natgateway
- Support ECR repositories and registry:
awless list repositories
/awless create/delete repository
/awless authenticate registry
- Support ECS clusters, services, containerinstances and containers:
awless list containerclusters/containertasks/containerinstances
awless attach/detach/delete/start/stop containertask
- Create/Delete ApplicationAutoScaling scalable target and policies:
awless create/delete appscalingtarget/appscalingpolicy
- Template TAB completion: do not display non relevant id/name listing for each prompt
- Parse successfully template parameters starting with a digit
- Add documentation for all template parameters (
awless create instance -h
,awless update s3object -h
...) - Listing with filter invalid keys: return error and help
awless whoami
now has flags to return specific account properties only:--account-only
,--id-only
,--name-only
,--resource-only
,--type-only
- Rename template parameters for standardization:
delete keypair id=...
->delete keypair name=...
create listener target=...
->create listener targetgroup=...
delete database skipsnapshot=... snapshotid=...
->delete database skip-snapshot=... snapshot=...
delete dbsubnetgroup id=...
->delete dbsubnetgroup name=...
create queue maxMsgSize=... retentionPeriod=... msgWait=... redrivePolicy=... visibilityTimeout=...
->create queue max-msg-size=... retention-period=... msg-wait=... redrive-policy=... visibility-timeout=...
- #98:
awless ssh
searches SSH keys in both~/.awless/keys
and~/.ssh
folders. - When
awless ssh
in an instance, you can now specify only-i keyname
, if the key is stored in~/.awless/keys
or~/.ssh
. - #99: Suggesting the right command when typing
awless create instance ID
orawless create ID
rather thanawless create instance id=ID
- Use a s3 bucket as a public website with
awless update bucket name=my-bucket-name public-website=true
- Set/update buckets or s3objects predefined ACL (private / public-read / public-read-write / bucket-owner-read...):
awless update s3object acl=public-read
- List CloudFront distributions:
awless list distributions
- Create/Update/Check/Delete a CloudFront distribution:
awless create/update/check/delete distribution
- List CloudFormation stacks:
awless list stacks
- Create/Update/Delete a CloudFormation stack:
awless create/delete stack
awless log --raw-json
shows the full info stored on template execution (context, fillers used, region, ...). Typically this contextual info can be reused for replay and updates of templates
- Template author is now persisted in awless log using the caller identity
- #93: Supporting EC2 tags: syncing locally; filtering in
awless list
with --tag, --tag-value, --tag-key - #84: Create AMI by importing VM image from S3:
awless import image bucket=my-bucket s3object=my-object
. Add template to create AMI from local VM file (OVA, VMDK ...):awless run repo:upload_image
. - Listing pending import image tasks with
awless list importimagetasks
- Deleting images and optionally its related snapshots
awless delete image delete-snapshots=true
- Create/Update/Delete login profiles (AWS Console credentials):
awless create/update/delete loginprofile username=...
- Autowrapping results in tables when too long for
awless list
. No longer truncate results in--format csv/tsv/json
- Adjust the width of table columns to the terminal width in
awless show
- Using local EC2 metadata to set region when installing awless on an EC2 instance
- #94: Add short flags for
--aws-profile
:-p
and--aws-region
:-r
- Listing in CSV: remove extra spaces; proper listing in TSV (only 1 tab separator)
- Avoid double sync on first install due to pre defined default region value us-east-1
- #92: Impossible to set a region in config when
aws.region
was empty - #89: Fix
awless whoami
when using STS credentials.
- Create and attach role to a user or resource (instance, ...). See an example
- Get my IP as seen by AWS:
awless whoami --ip-only
. Example:awless create securitygroup ... cidr=$(awless whoami --ip-only)/32 ...
- #86: SSH using private IP with
--private
flag. Thanks @padilo. awless ssh
now checks the remote host public key before connecting. Check can be disabled with the (insecure)--disable-strict-host-keychecking
flag.- #74: support of encrypted SSH keys for generation
awless create keypair encrypted=true
and inawless ssh
. - Better documentation of awless-templates; listing remote templates in awless with
awless run --list
. - Friendlier (using units: B, K, M, G) display for storage size (s3objects, volumes, lambda functions)
- Better help for template parameters (ex:
awless create loadbalancer -h
) - Create/delete and list Lambda functions:
awless list functions
/awless create/delete function
- Create/delete/attach/detach and list elastic IPs:
awless list elasticips
/awless create/delete/attach/detach elasticip
- Create/delete and list volume snapshots:
awless list snapshots
/awless create/delete snapshot
- Create/delete and list autoscaling launch configurations, scaling policies and scaling groups:
awless create/delete launchconfiguration/scalingpolicy/scalinggroup
. See an example - Create/delete/start/stop/attach/detach and list cloudwatch alarms. List cloudwatch metrics:
awless list alarms/metrics
- List EC2 images (AMIs) of which you are the owner:
awless list images
- Copy an EC2 image from a given region to the current region:
awless copy image name=... source-id=... source-region=...
- List your IAM access keys:
awless list accesskeys
- Update SSH library to fix CVE-2017-3204.
- Take the file name rather than full path as default name when uploading a s3object
- Correctly create repo on first install on machine with git not installed
- Amazon userdata support. Give the data as local file or remote http file resource. Ex:
awless create instance userdata=/tmp/mydata.sh ...
orawless create instance userdata=https://gist.github.com/jsmith/5f58272fa5406
. - Global rename of
storageobject
tos3object
for shorter typing in CLI. - awless model/storing is now full RDF ;). Allow exploration of all your infra in RDF tools and ontology editor (Ex: Protege)
- Faster, better and simpler RDF & triples management now done through the nifty library triplestore
- Ability to use strings with spaces and special characters in template parameters by surrounding them with single or double quotes.
- Loggers are now sent to the stderr file descriptor which makes easier piping and redirecting output.
- Warn when creating an instance without access key.
- ssh: print SSH configuration (
~/.ssh/config
) or the CLI one-liner to connect with SSH using--print-config
or--print-cli
flags. - ssh: better handle when several instances have the same name (e.g., with a running and a terminated instance)
- ssh: more warning; provide help and context on failing connections
- Manage properly secgroups on instances with
awless attach/detach secgroup id=... instance=@my-instance
- Logging more info when running templates
awless whoami
now supports displaying info forroot
user and user with org path- Use
securitygroup
rather thangroup
in templates, when appropriate. - Use
keypair
rather thankey
in templates, when appropriate. - Fix the fact you could not attach multiple security groups to an instance
- Reverting the creation of a load balancer now waits the deletion of its network interfaces
awless whoami
now returns your identity, your attached (i.e. managed), inlined and group policies- Rudimentary security groups port scanner inspector via
awless inspect -i port_scanner
- Template: compile time check of undefined or unused references
- Run official remote templates without specifying full url:
awless run repo:create_vpc
- #78: Show progress when uploadgin object to storage
- #81: Global force flag
--force
to bypass confirm prompt
- Fix regression: run templates/one-liners failed on
storageobject
,subscription
entities - Filtering in
awless list --filter
now works with column types other than string - Users, groups and policies are now independent of the region
- #83: Syncing while offline does not clear local cloud infra
- Auto completion of id/name to help fill in easily any missing info before template execution
- Better error messaging on parsing template errors
- Infra: basic support of RDS: listing, creation and deletion of databases and database subnets:
awless list databases/dbsubnetgroups
;awless create/delete database/dbsubnetgroup
- Infra: attach/detach an
instance
to atargetgroup
- Infra: delete tag:
awless delete tag
- Access: create an AWS access key for a user
- DNS: allow to revert creation/deletion of records
- #80 DNS: return the ChangeInfo id when creating/deleting a record
- #79:
awless list records
do not add new lines between records. - Better compute table columns width to adjust the number of columns to display exactly to the terminal width.
- #76: Show private IP and availability zones when listing instances.
- Run remote template when path prefixed with
http
. Ex:awless run http://github.com/wallix/awless-templates/...
- Fetch more instances properties when showing instances (ex: network interfaces, public and private DNS, Root device type and name...)
- DNS: listing Route53 zones and records
awless list zones/records
- DNS: basic creation/deletion of Route53 zones and records
awless create/delete zone/record
- Infra: detach EBS volumes
awless detach volume
- Config: enable/disable the syncing of Route53 service
awless config set aws.dns.sync
- All listing with default format are now Markdown table compatible.
- Better display of
awless show
. Added--siblings
flag to display exhaustively all siblings - Reverse the sorting order when listing instances sorted by "up since"
- Fix
awless show
to properly show relations between groups and users
- infra: support the creation/deletion of ELBv2 loadbalancers, listeners and target groups:
awless create loadbalancer/listener/targetgroup
- infra: add tag
Name
to subnets. - Format
tsv
supported when listing:awless list subnets --format tsv
- Pricer inspector now resolves prices for any regions:
awless inspect -i pricer
- Fix alias, required and extra params parsing in template runs
If you have any data or config issues, you can run rm -Rf ~/.awless/
to start with a fresh install.
-
#65:
awless ssh
: use existing SSH client if available, otherwise fallback on builtin SSH. -
awless show
resolves automatically on id, name or arn without any prefixing (previously it was '@') -
#47: Enable/disable sync per services or resources through config. Ex:
awless config set aws.notification.sync false
,awless config set aws.storage.storageobject.sync true
. -
#55: Dynamically change AWS region/profile with global flags
--aws-region us-west-1
or--aws-profile myprofile
. -
#73:
AWS_DEFAULT_REGION
env variable now loaded inawless
. It takes precedence overaws.region
. -
#73:
AWS_DEFAULT_PROFILE
env variable now loaded inawless
. It takes precedence overaws.profile
. -
Better output of
awless config list
(doc per variable, etc.). -
Global default menu with clearer one-liner display.
-
Simplification of the templating engine using decoupled compile passes.
-
Config setters now provide dialogs (ex:
awless config set instance.type
orawless config set aws.region
). -
#54:
awless ssh
: specify the keyfile to use with-i /path/toward/key
flag. -
#64:
awless ssh
: columns and lines automatically adapt to terminal with/height. -
Attach/detach policy to user/group (see wiki examples)
-
Attach/detach user to group (see wiki examples)
-
List AWS load balancers, target groups and listeners with
awless list loadbalancers/targetgroups/listeners
. Show their relations with, e.g.awless show LOAD_BALANCER
.
- #12: Support AWS pagination when fetching resources in AWS IAM.
- Template parsing: allow digits in refs; allow regular chars in alias declaration
- Template: all aliases now resolves correctly from file or CLI. Ex:
awless create instance subnet=@my-subnet
- Allow simple fuzzy search for listing filters. Ex:
awless list instances --filter state=run
- Revert: waiting instance termination when deleting a vpc/subnet/instance hierarchy.
- Fix regression: timeout too low for HTTP requests with AWS.
As model/relations for resources may evolve, if you have any issues with models related commands, you can run rm -Rf ~/.awless/aws/rdf
to start a fresh RDF model.
- #6: Create Linux installer shell script:
curl https://raw.githubusercontent.com/wallix/awless/master/getawless.sh | bash
- #42, #60, #66: Better load AWS credentials (support profile credentials, MFA and crossaccount profile access)
- #32: Basic support of SNS (CRUD for topics and subscriptions)
- #32: Basic support of SQS (CRUD for queues)
- #53: Filter results in listings. Ex:
awless ls instances --filter state=running,"Access Key"=my-key
or the equivalentawless list instances --filter state=running --filter "Access Key"=my-key
- Better help menus by splitting one-liner template commands from general commands
- Run template: better dialog and remove noisy info
- Template validation: notify on unexpected params; check names unicity against local graph
- Log contextual error instead of hard failure when user has no rights to sync a service
- #57: Properly fetch buckets when they are in the
us-east-1
region. - #12: Support AWS pagination when fetching resources in AWS SNS and EC2.
As model/relations for resources may evolve, if you have any issues with models related commands, you can run rm -Rf ~/.awless/aws/rdf
to start a fresh RDF model.
- #39, #38: Remove data collection & sending
- #33: Ability to set AWS profile using
aws.profile
config key - Better output for
awless sync
awless ls
now an alias forawless list
- #44: Fetch only the S3 buckets and related objects of the current region.
- #52, #34: Properly fetch route tables, even if a route contains several destinations.
- #37: Load the region from database when initializing cloud services rather than
awless
environment. - #56: Do not require a VPC as parent of security groups nor route table.