Thursday, February 02, 2023

How to find Private Network Load Balancer (NLB) ALBv2 IP4 addresses for adding to security group to allow health checks to pass

Use case:

The target groups attached to my load balancer route to a private internal port that is not on the security group whitelist. A Network Load Balancer uses the security group attached to the EC2 instance, so that group is what sees the health checks, and I don't want to whitelist the private internal port to the internet, as that opens a possible bypass.

This can be done manually in the AWS console by finding the ENI (its description reads ELB (type)/(name)/(random string)), reading its private IPv4 address and adding that to the security group by hand.

But this defeats the purpose of having a CloudFormation template that automatically stands everything up in working order.

In this example we want to get the private IPv4 addresses of an ELBv2 of type network. Full working example: https://github.com/qld-gov-au/quickstart-atlassian-bitbucket/blob/d6ebe59b5ccdd204a7edc72ab6f0f89d575ac6f8/templates/quickstart-bitbucket-dc.template.yaml



(non-gist version below)

#Network Load Balancer health checks, need internal ip to approve connectivity

InternalNLBIp4List:
  DependsOn: NetworkLoadBalancerELB2
  Type: Custom::InternalNLBIp4ListCollector
  Version: 1.0
  Properties:
    ServiceToken: !GetAtt InternalNLBIp4ListCollector.Arn
    ELBv2Arn: !Ref NetworkLoadBalancerELB2
    StackName: !Ref 'AWS::StackName'
InternalNLBIp4ListCollector:
  Type: "AWS::Lambda::Function"
  Properties:
    Handler: index.lambda_handler
    Role: !GetAtt InternalNLBIp4ListCollectorExecutionRole.Arn
    Runtime: python3.7
    Timeout: 120
    Code:
      ZipFile: |
        import cfnresponse
        import boto3

        def lambda_handler(event, context):
          # Nothing to look up on stack delete; answer straight away so the delete does not hang
          if event['RequestType'] == 'Delete':
            cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
            return
          try:
            elbv2 = boto3.client('elbv2')
            ec2 = boto3.client('ec2')
            elb2arn = event['ResourceProperties']['ELBv2Arn']
            response = elbv2.describe_load_balancers(LoadBalancerArns=[elb2arn])
            name = response['LoadBalancers'][0]['LoadBalancerName']
            elbtype = response['LoadBalancers'][0]['Type']
            # The ENIs AWS creates for the balancer are described as "ELB net/<name>/<random string>"
            # ("app/" for an ALB); the trailing "/" keeps a balancer whose name merely starts with ours out
            filters = [{'Name': 'description', 'Values': ['ELB ' + elbtype[0:3] + '/' + name + '/*']}]
            eni_response = ec2.describe_network_interfaces(Filters=filters)
            ip_addresses = [eni['PrivateIpAddress'] for eni in eni_response['NetworkInterfaces']]
            ip_addresses_cidr = [ip + '/32' for ip in ip_addresses]
            print(ip_addresses)
            responseData = {}
            responseData['PrivateIpAddresses'] = ip_addresses
            responseData['PrivateIpCidrAddresses'] = ip_addresses_cidr
            cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)
          except Exception as e:
            # Always report back, otherwise CloudFormation waits for the custom resource until it times out
            print(e)
            cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)})

InternalNLBIp4ListCollectorExecutionRole:
  Type: "AWS::IAM::Role"
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: "/"
    Policies:
      - PolicyName: root
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: !Sub "arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*InternalNLBIp4ListCollector*"
            - Effect: Allow
              Action:
                - "elasticloadbalancing:DescribeLoadBalancers"
                - "ec2:DescribeNetworkInterfaces"
              Resource: "*" # these Describe calls do not support resource-level permissions
#NLB ip's need to be whitelisted to allow health checks to pass
SecurityGroupIngressNLB:
  DependsOn:
    - InternalNLBIp4List
    - SecurityGroup
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref SecurityGroup
    IpProtocol: "-1"
    FromPort: -1
    ToPort: -1
    CidrIp: !Select [ 0, !GetAtt InternalNLBIp4List.PrivateIpCidrAddresses ]

SecurityGroupIngressNLB2: #ELB in 2 subnets, will have 2 ip's
  DependsOn:
    - InternalNLBIp4List
    - SecurityGroup
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref SecurityGroup
    IpProtocol: "-1"
    FromPort: -1
    ToPort: -1
    CidrIp: !Select [ 1, !GetAtt InternalNLBIp4List.PrivateIpCidrAddresses ]
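The lookup the collector Lambda performs, factored into testable functions and run offline against constructed stand-in clients, as an added example that is not part of the template above. The ARN, balancer name and addresses are made up; a real run passes boto3.client('elbv2') and boto3.client('ec2') in place of the fakes.

```python
from fnmatch import fnmatch
from typing import Any, Dict, List, Optional


def eni_description_filter(elb_type: str, lb_name: str) -> List[Dict[str, Any]]:
    """Build the describe_network_interfaces filter for one load balancer.

    AWS describes a balancer's ENIs as "ELB <net|app>/<name>/<random string>".
    The trailing "/" matters: "ELB net/prod*" would also match a sibling
    balancer called "prod-blue".
    """
    prefix = elb_type[:3]  # "network" -> "net", "application" -> "app"
    return [{"Name": "description", "Values": [f"ELB {prefix}/{lb_name}/*"]}]


def collect_private_cidrs(elbv2, ec2, elb_arn: str,
                          expected_count: Optional[int] = None) -> Dict[str, List[str]]:
    """Return the balancer's node addresses, sorted, as plain IPs and /32 CIDRs.

    Sorting keeps !Select [0, ...] and !Select [1, ...] in the template stable
    between runs; expected_count enforces the template's assumption that the
    balancer lives in exactly that many subnets (one ENI per subnet).
    """
    lbs = elbv2.describe_load_balancers(LoadBalancerArns=[elb_arn])["LoadBalancers"]
    if not lbs:
        raise LookupError(f"no load balancer found for {elb_arn}")
    lb = lbs[0]
    filters = eni_description_filter(lb["Type"], lb["LoadBalancerName"])
    enis = ec2.describe_network_interfaces(Filters=filters)["NetworkInterfaces"]
    ips = sorted(eni["PrivateIpAddress"] for eni in enis)
    if not ips:
        raise LookupError(f"no ENIs found for {lb['LoadBalancerName']}")
    if expected_count is not None and len(ips) != expected_count:
        raise ValueError(f"expected {expected_count} node addresses, got {ips}")
    return {"PrivateIpAddresses": ips,
            "PrivateIpCidrAddresses": [f"{ip}/32" for ip in ips]}


# Constructed stand-ins so the example runs without AWS credentials; they
# implement only the two calls the collector uses, with the same response shapes.
class FakeElbv2:
    def __init__(self, lbs):
        self._lbs = lbs

    def describe_load_balancers(self, LoadBalancerArns):
        return {"LoadBalancers": [lb for lb in self._lbs
                                  if lb["LoadBalancerArn"] in LoadBalancerArns]}


class FakeEc2:
    def __init__(self, enis):
        self._enis = enis

    def describe_network_interfaces(self, Filters):
        # The real API supports "*" wildcards in filter values; fnmatch does too.
        patterns = [v for f in Filters if f["Name"] == "description" for v in f["Values"]]
        return {"NetworkInterfaces": [e for e in self._enis
                                      if any(fnmatch(e["Description"], p) for p in patterns)]}


# Constructed sample data: our NLB "prod" in two subnets, a sibling NLB whose
# name shares the prefix, and an ALB of the same name. None of these are real.
NLB_ARN = "arn:aws:elasticloadbalancing:ap-southeast-2:123456789012:loadbalancer/net/prod/0123456789abcdef"
ELBV2 = FakeElbv2([{"LoadBalancerArn": NLB_ARN, "LoadBalancerName": "prod", "Type": "network"}])
EC2 = FakeEc2([
    {"Description": "ELB net/prod/0123456789abcdef", "PrivateIpAddress": "10.0.2.20"},
    {"Description": "ELB net/prod/0123456789abcdef", "PrivateIpAddress": "10.0.1.10"},
    {"Description": "ELB net/prod-blue/fedcba9876543210", "PrivateIpAddress": "10.0.3.30"},
    {"Description": "ELB app/prod/abcdef0123456789", "PrivateIpAddress": "10.0.4.40"},
])

if __name__ == "__main__":
    print(collect_private_cidrs(ELBV2, EC2, NLB_ARN, expected_count=2))
```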

Thursday, May 13, 2021

AWS Java Lambda package ways

There are two ways to make AWS Java Lambda packages. One is to make an uber (fat) jar with the shade plugin.

People are in two camps on this, as shading causes major problems with duplicate resources and needs custom transformer code to make things 'happy'.

An example of this is below:


<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <configuration>
    <createDependencyReducedPom>false</createDependencyReducedPom>
  </configuration>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <transformers>
          <!-- merges the Log4j2Plugins.dat cache files that shading would otherwise clobber -->
          <transformer implementation="com.github.edwgiz.maven_shade_plugin.log4j2_cache_transformer.PluginsCacheFileTransformer">
          </transformer>
        </transformers>
      </configuration>
    </execution>
  </executions>
  <!-- the transformer class is not part of the shade plugin itself; it comes from this plugin dependency -->
  <dependencies>
    <dependency>
      <groupId>com.github.edwgiz</groupId>
      <artifactId>maven-shade-plugin.log4j2-cachefile-transformer</artifactId>
      <version>2.13.0</version><!-- pick the release matching your log4j2 version -->
    </dependency>
  </dependencies>
</plugin>

The second way is to make a zip. It is like a .war file in a way and still works, but there is more Maven configuration to set up. This also allows a split with Lambda Layers (placing the libs in a layer).

<!-- alternative way without needing to use shader -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jar-plugin</artifactId>
  <configuration>
    <finalName>${project.build.finalName}</finalName>
    <archive>
      <manifest>
        <addClasspath>true</addClasspath>
        <classpathPrefix>lib/</classpathPrefix>
        <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
        <addDefaultSpecificationEntries>true</addDefaultSpecificationEntries>
      </manifest>
    </archive>
  </configuration>
</plugin>
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-dependency-plugin</artifactId>
  <version>3.1.2</version>
  <executions>
    <execution>
      <id>copy-dependencies</id>
      <phase>package</phase>
      <goals>
        <goal>copy-dependencies</goal>
      </goals>
      <configuration>
        <includeScope>runtime</includeScope>
        <outputDirectory>${project.build.directory}/lib</outputDirectory>
      </configuration>
    </execution>
  </executions>
</plugin>
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-assembly-plugin</artifactId>
  <version>2.5.4</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>single</goal>
      </goals>
      <configuration>
        <descriptors>
          <descriptor>src/main/assembly/bin.xml</descriptor>
        </descriptors>
        <attach>false</attach>
      </configuration>
    </execution>
  </executions>
</plugin>
<!-- END alternative way without needing to use shader -->

This requires an assembly XML file placed at src/main/assembly/bin.xml:

<assembly>
  <id>aws-lambda-package</id>
  <formats>
    <format>zip</format>
  </formats>
  <includeBaseDirectory>false</includeBaseDirectory>
  <fileSets>
    <!-- copy the dependency jars into lib/ inside the zip -->
    <fileSet>
      <directory>${project.build.directory}${file.separator}lib</directory>
      <outputDirectory>lib</outputDirectory>
      <useDefaultExcludes>true</useDefaultExcludes>
    </fileSet>
    <!-- copy all classes -->
    <fileSet>
      <directory>${project.build.directory}${file.separator}classes</directory>
      <includes>
        <include>**</include>
      </includes>
      <outputDirectory>${file.separator}</outputDirectory>
    </fileSet>
  </fileSets>
</assembly>

Upload the zip instead of the jar. All is good.

See https://github.com/awslabs/aws-serverless-java-container/commit/22edc6e65dcdefab46145f80c80dcb274b0eedd4 
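A pre-upload sanity check for the zip the assembly produces, added here and not part of the post or the linked project: it verifies the layout described above (classes at the root, dependency jars under lib/) and flags one artifact shipped under two versions, which the zip approach makes visible instead of silently shading away. The zip contents are constructed in memory.

```python
import io
import re
import zipfile
from collections import defaultdict
from typing import Dict, List

# Jars copied by maven-dependency-plugin land in lib/ as <artifactId>-<version>.jar
JAR_RE = re.compile(r"^lib/(?P<artifact>[A-Za-z0-9_.+-]+?)-(?P<version>\d[^/]*)\.jar$")


def inspect_lambda_zip(data: bytes) -> Dict[str, List[str]]:
    """Check an in-memory Lambda zip against the layout the assembly produces.

    Returns {"problems": [...], "jars": [artifactIds...]}. Problems flagged:
    no classes at the root, a jar outside lib/, the same artifact shipped under
    two versions (dependency convergence, now visible because nothing has been
    shaded together), and duplicate zip entries.
    """
    problems: List[str] = []
    versions: Dict[str, set] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if not any(n.endswith(".class") and not n.startswith("lib/") for n in names):
        problems.append("no compiled classes at the zip root")
    for n in names:
        if n.endswith(".jar") and not n.startswith("lib/"):
            problems.append(f"jar outside lib/: {n}")
        m = JAR_RE.match(n)
        if m:
            versions[m["artifact"]].add(m["version"])
    for artifact, found in sorted(versions.items()):
        if len(found) > 1:
            problems.append(f"{artifact} packaged twice: {sorted(found)}")
    if len(names) != len(set(names)):
        problems.append("duplicate entries in zip")
    return {"problems": problems, "jars": sorted(versions)}


def build_sample_zip(entries: List[str]) -> bytes:
    """Constructed sample: an empty file per entry name is enough for the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed package layouts (entry names only, no real jars).
GOOD_ZIP = build_sample_zip([
    "com/example/Handler.class",
    "lib/aws-lambda-java-core-1.2.1.jar",
    "lib/log4j-core-2.17.1.jar",
])
BAD_ZIP = build_sample_zip([
    "com/example/Handler.class",
    "aws-lambda-java-core-1.2.1.jar",   # should be under lib/
    "lib/log4j-core-2.13.0.jar",        # two versions of one artifact
    "lib/log4j-core-2.17.1.jar",
])

if __name__ == "__main__":
    for label, data in (("good", GOOD_ZIP), ("bad", BAD_ZIP)):
        print(label, inspect_lambda_zip(data))
```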

Tuesday, May 04, 2021

Junit 4 to Junit 5 upgrade

So you started to upgrade from the old JUnit 4 to the new JUnit 5 API spec.

Sadly they moved the packages around. It's best to follow other docs out on the web for this, like

https://www.baeldung.com/junit-filtering-tests

Now here's a gotcha: if you are upgrading your Spring Boot tests from JUnit 4 to JUnit 5 and are trying to use tags to drop external or slow tests and it is not working,

it might actually be the imported Test annotation that is breaking it.

Replace import org.junit.Test; with import org.junit.jupiter.api.Test;

This should make everything work correctly again.

Then the command below can work:

mvn test -DexcludedGroups=ExternalIntegrationTest


Tuesday, April 20, 2021

Major change between spring-boot 2.2.x to 2.4.x with spring-cloud and spring-cloud-starter-aws-parameter-store-config (bootstrap.yml, profiles and more)

So with the change in how versioning works, a change to how config is loaded by default, and a split between cloud-agnostic spring-cloud and vendor-specific integrations, there has been a major shake-up in how to upgrade to the next minor version of spring-boot.


<parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.2.11.RELEASE</version>
+        <version>2.4.4</version>
        <relativePath></relativePath><!--empty to not look up parent folder which is a helper pom on building-->
</parent>


-<spring-cloud.version>Hoxton.SR5</spring-cloud.version> <!-- https://spring.io/projects/spring-cloud release trains, Greenwich 2.1.x, Haxton 2.2.x -->
+<spring-cloud.version>2020.0.2</spring-cloud.version> <!-- https://spring.io/projects/spring-cloud release trains, Greenwich 2.1.x, Haxton 2.2.x, 2020.0.2 2.4.x -->


We now need to include io.awspring.cloud:spring-cloud-aws-dependencies, as it is no longer included in the upstream org.springframework.cloud:spring-cloud-dependencies:

    <dependencyManagement>
        <dependencies>
            <!-- spring cloud and aws cloud for param store lookup -->
            <dependency><scope>import</scope><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-dependencies</artifactId><version>${spring-cloud.version}</version><type>pom</type></dependency>
+            <dependency><scope>import</scope><groupId>io.awspring.cloud</groupId><artifactId>spring-cloud-aws-dependencies</artifactId><version>2.3.1</version><type>pom</type></dependency>
..

For dependencies we don't include spring-cloud-starter any more, but since bootstrap.yml is no longer the default way of loading config we now need to include spring-cloud-starter-bootstrap to re-enable it:

-        <dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter</artifactId></dependency>
-        <dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-aws-parameter-store-config</artifactId></dependency>
+        <!-- spring-cloud-starter-bootstrap required to enable bootstrap.yml due to it not being default anymore -->
+        <dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-bootstrap</artifactId></dependency>
+        <!-- aws parm store config changed home-->
+        <dependency><groupId>io.awspring.cloud</groupId><artifactId>spring-cloud-starter-aws-parameter-store-config</artifactId></dependency>

You now can't have Spring profiles load other profiles. You can use profile groups, but that is limited if you want something dynamic like enabling proxy settings. (This is a Maven profile adding a Spring profile.)

<profile>
        <id>local-proxy</id>
        <activation>
            <property>
                <name>env.http_proxy</name>
            </property>
        </activation>
        <properties>
-                <springBootRunArguments>--spring.profiles.include=PROXY,</springBootRunArguments>
+                <springBootRunArguments>--spring.config.import=classpath:application-PROXY.yml</springBootRunArguments>
        </properties>
        <build>
            <plugins>
                <plugin>
                    <artifactId>maven-surefire-plugin</artifactId>
                    <version>${maven-surefire-plugin.version}</version>
                    <configuration>
                        <systemPropertyVariables>
-                            <spring.profiles.include>PROXY</spring.profiles.include>
+                            <spring.config.import>classpath:application-PROXY.yml</spring.config.import>
                        </systemPropertyVariables>
                    </configuration>
                </plugin>
                <plugin>
                    <artifactId>maven-failsafe-plugin</artifactId>
                    <configuration>
                        <systemPropertyVariables>
-                            <spring.profiles.include>PROXY</spring.profiles.include>
+                            <spring.config.import>classpath:application-PROXY.yml</spring.config.import>
                        </systemPropertyVariables>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-maven-plugin</artifactId>
                    <configuration>
-                        <jvmArguments>-Dspring-boot.run.jvmArguments='-Dspring.profiles.include="PROXY"'</jvmArguments>
+                        <jvmArguments>-Dspring-boot.run.jvmArguments='-Dspring.config.import="classpath:application-PROXY.yml"'</jvmArguments>
                    </configuration>
                </plugin>
            </plugins>
        </build>
    </profile>

Any properties files you may have that use "spring.profiles.include" can't be used any more with 2.4.x+ (unless you enable legacy processing, which I believe will be going away after the 2.6.x version):

-spring.profiles.include: defaults
+spring.config.import: classpath:application-defaults.yml

Also ensure that your bootstrap.yml has

aws.paramstore.enabled: true

It is on by default (but as it is now in your config you can set it to false for local runs).

For more info, see:

https://spring.io/blog/2020/08/14/config-file-processing-in-spring-boot-2-4

https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-external-config-files-profile-specific

https://github.com/awspring/spring-cloud-aws/blob/2.3.x/docs/src/main/asciidoc/parameter-store.adoc

https://github.com/awspring/spring-cloud-aws/blob/2.3.x/spring-cloud-starter-aws-parameter-store-config/src/test/java/io/awspring/cloud/autoconfigure/paramstore/AwsParamStoreBootstrapConfigurationTest.java

https://stackoverflow.com/questions/64907675/including-profiles-in-spring-boot-2-4-0-version

https://stackoverflow.com/questions/64994034/bootstrap-yml-configuration-not-processed-anymore-with-spring-cloud-2020-0

https://stackoverflow.com/questions/65063402/why-bootstrap-properties-is-ignored-by-spring-cloud-starter-config

https://docs.awspring.io/spring-cloud-aws/docs/2.3.0/reference/html/index.html#integrating-your-spring-cloud-application-with-the-aws-parameter-store

          

          

Something I want to look into is setting up something like https://github.com/localstack/localstack within a Maven project so that param store loading can be tested in pdev instead of being caught in an AWS dev/test environment.

Wednesday, October 07, 2020

Spring cloud param store Hoxton.SR6 to Hoxton.SR8 how to run locally

 

So you're using AWS Parameter Store to configure your application when deployed to Docker/Elastic Beanstalk, but ran into issues testing after updating to remove CVE issues.

Beforehand:

At or before Hoxton.SR6 you only needed this in test/resources/bootstrap.yml:

aws.paramstore.enabled: false

But after updating to

<spring-cloud.version>Hoxton.SR8</spring-cloud.version>
<dependency><scope>import</scope><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-dependencies</artifactId><version>${spring-cloud.version}</version><type>pom</type></dependency>
<dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter</artifactId></dependency>
<dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-aws-parameter-store-config</artifactId></dependency>

it now throws lots of errors and fails to boot. This sucks :'(
The errors are:

(see the log file output)

Let's work out where it broke. We first need to see which jars were imported by our spring-cloud-dependencies.

We do this by comparing

https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies/Hoxton.SR6 to https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies/Hoxton.SR8

and we notice that the AWS cloud version incremented from 2.2.2 to 2.2.4.

To see what changed we can compare on GitHub by visiting the link below:

https://github.com/spring-cloud/spring-cloud-aws/compare/v2.2.2.RELEASE...v2.2.4.RELEASE

What was added in the docs that looked like it might be our problem:

| aws.paramstore.region | | If region value is not null or empty it will be used in creation of AWSSimpleSystemsManagement. |
| aws.secretsmanager.region | | If region value is not null or empty it will be used in creation of AWSSecretsManager. |

On application startup, for its internal purposes Spring Cloud AWS performs a check if application runs in AWS cloud environment by using `EC2MetadataUtils` class provided by AWS SDK. Starting from version 1.11.678, AWS SDK logs a warning message with exception when this check is made outside of AWS environment. This warning message can be hidden by setting `ERROR` logging level on `com.amazonaws.util.EC2MetadataUtils` class.

So it seems we now need to set a region to block the automatic region lookup even when we have the param store disabled; we also need to do it for the stack and region lookup outside of the param store.

test/resources/bootstrap.yml

aws:
  paramstore:
    enabled: false
    fail-fast: false
    region: "ap-southeast-2"
  secretsmanager: # the property prefix is aws.secretsmanager, as in the docs quoted above
    region: "ap-southeast-2"

cloud:
  aws:
    region:
      auto: false
      static: "ap-southeast-2"
    stack:
      auto: false

Now that we have done this, we are no longer crashing. Awesome :D

Hope this helps others including future me.

Monday, December 16, 2019

AWS Param store put with urls via CLI

It seems the CLI will follow URLs given to it, which for the param store is not very useful when you want to store the website address itself.

The workaround:

aws configure set cli_follow_urlparam false

per
https://github.com/aws/aws-cli/issues/1475

Then this works:

aws ssm put-parameter --name "/myappconfig/" --type "String" --value "http://enhanceindustries.com.au/" --region ap-southeast-2


Friday, December 13, 2019

Australian API Standards


This just came across my desk.

Looks like an awesome set of specs to build to.

https://api.gov.au/standards/national_api_standards/index.html

AWS CloudFormation: how to swap between IPs and AliasTarget via conditions


Below allows you to swap between CloudFront and a static IP address.

Note the new line after the - for the If statement: this tells YAML that each branch is an object in the array. You need to replicate everything in each object, as CloudFormation does not merge object arrays together.



WebDNSRecordSet:
  Type: AWS::Route53::RecordSet
  DependsOn:
    - DistributionConfig
  Properties:
    Fn::If:
      - IsIPRestricted
      -
        HostedZoneName: !Sub "${Domain}."
        ResourceRecords:
          - 123.123.123.123
        TTL: '900'
        Name: !Sub "www.${Domain}."
        Type: A
      -
        HostedZoneName: !Sub "${Domain}."
        AliasTarget:
          DNSName:
            Fn::GetAtt: [DistributionConfig, DomainName]
          HostedZoneId: "Z2FDTNDATAQYW2"
        Name: !Sub "www.${Domain}."
        Type: A

When run through https://www.json2yaml.com/ you get:

{
  "WebDNSRecordSet": {
    "Type": "AWS::Route53::RecordSet",
    "DependsOn": [
      "DistributionConfig"
    ],
    "Properties": {
      "Fn::If": [
        "IsIPRestricted",
        {
          "HostedZoneName": "${Domain}.",
          "ResourceRecords": [
            "123.123.123.123"
          ],
          "TTL": "900",
          "Name": "www.${Domain}.",
          "Type": "A"
        },
        {
          "HostedZoneName": "${Domain}.",
          "AliasTarget": {
            "DNSName": {
              "Fn::GetAtt": [
                "DistributionConfig",
                "DomainName"
              ]
            },
            "HostedZoneId": "Z2FDTNDATAQYW2"
          },
          "Name": "www.${Domain}.",
          "Type": "A"
        }
      ]
    }
  }
}
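A check for the no-merge rule stated above, added here and not part of the post: it walks a template for object-valued Fn::If entries and reports which keys each branch would lose, using the record set above as its constructed sample (embedded as a Python dict rather than loaded from a file). missing_required then names the keys that must survive whichever branch is chosen.

```python
from typing import Any, Dict, List


def find_if_branches(node: Any, path: str = "") -> List[Dict[str, Any]]:
    """Walk a template and return every Fn::If whose two branches are objects."""
    found: List[Dict[str, Any]] = []
    if isinstance(node, dict):
        if "Fn::If" in node and len(node) == 1:
            cond, when_true, when_false = node["Fn::If"]
            if isinstance(when_true, dict) and isinstance(when_false, dict):
                found.append({"path": path, "condition": cond,
                              "true": when_true, "false": when_false})
        for key, child in node.items():
            found += find_if_branches(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            found += find_if_branches(child, f"{path}[{i}]")
    return found


def branch_report(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """For each object-valued Fn::If, list keys shared by both branches and keys
    present in only one. A key in an 'only_*' list is simply absent when the
    other branch is selected, because CloudFormation never merges the two."""
    report = []
    for entry in find_if_branches(template):
        t_keys, f_keys = set(entry["true"]), set(entry["false"])
        report.append({
            "path": entry["path"],
            "condition": entry["condition"],
            "common": sorted(t_keys & f_keys),
            "only_true": sorted(t_keys - f_keys),
            "only_false": sorted(f_keys - t_keys),
        })
    return report


def missing_required(template: Dict[str, Any], required_keys: List[str]) -> Dict[str, List[str]]:
    """Keys that must exist whichever branch is chosen but are not in both branches."""
    return {e["path"]: sorted(set(required_keys) - set(e["common"]))
            for e in branch_report(template)}


# The record set from the post, as a dict (constructed copy of the JSON above).
TEMPLATE = {"WebDNSRecordSet": {
    "Type": "AWS::Route53::RecordSet",
    "DependsOn": ["DistributionConfig"],
    "Properties": {"Fn::If": [
        "IsIPRestricted",
        {"HostedZoneName": "${Domain}.", "ResourceRecords": ["123.123.123.123"],
         "TTL": "900", "Name": "www.${Domain}.", "Type": "A"},
        {"HostedZoneName": "${Domain}.",
         "AliasTarget": {"DNSName": {"Fn::GetAtt": ["DistributionConfig", "DomainName"]},
                         "HostedZoneId": "Z2FDTNDATAQYW2"},
         "Name": "www.${Domain}.", "Type": "A"},
    ]},
}}

if __name__ == "__main__":
    for entry in branch_report(TEMPLATE):
        print(entry)
    # Name and Type are mandatory on a RecordSet, so they must sit in both branches.
    print(missing_required(TEMPLATE, ["HostedZoneName", "Name", "Type"]))
```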

Friday, July 26, 2019

Cloudfront With Squiz Edge being an origin

Just wanted to share an insight from trying to do a Squiz CMS overlay beside another product that has no CMS features, i.e. the homepage of a COTS solution.

Problem space:
I want to have Squiz Edge as an origin in CloudFront so that I can have some pages fully managed by the content team without developer intervention.

Issues encountered:
CloudFront started returning 502 errors, which their documentation relates to SSL issues.
Squiz the company needs to be contacted to update their Squiz Edge system to acknowledge your hostname, as well as doing the required setup inside Squiz Matrix.

Outcome:

CloudFront has two rules for SSL passthrough:

Rule 1: the Origin Domain Name you request against must match the SSL cert.
Rule 2: if Rule 1 fails, the Host header must match the SSL cert.

If my front-end domain is zyx and my Origin Domain Name is lpo: if the origin returns an SSL cert for zyx or lpo it will pass; if it returns abc it will fail.

Now in relation to Squiz.

When we do a low-level SSL cert check against their staging edge network: if the server name is the hostname, we get *.squizedge.net; if it is a valid configured domain without a custom SSL cert, we get *.clients.squiz.net; if it is an invalid domain, we get *.squizedge.net.

What we want is the *.squizedge.net cert to be provided to us instead of the *.clients.squiz.net cert.


Below is how to test.

openssl s_client -showcerts -servername staging.squizedge.net -connect staging.squizedge.net:443
depth=0 C = AU, ST = New South Wales, L = Sydney, O = SQUIZ PTY LTD, CN = *.squizedge.net

openssl s_client -showcerts -servername (valid domain without custom ssl cert) -connect staging.squizedge.net:443
depth=0 C = AU, ST = New South Wales, L = Sydney, O = Squiz Australia Pty. Ltd., CN = *.clients.squiz.net

openssl s_client -showcerts -servername (invalid domain) -connect staging.squizedge.net:443
depth=0 C = AU, ST = New South Wales, L = Sydney, O = SQUIZ PTY LTD, CN = *.squizedge.net

openssl s_client -showcerts -servername (valid domain with custom ssl cert) -connect staging.squizedge.net:443
(valid ssl cert depth=0 provided)

Also, ensure you are picking TLS 1.1 or higher, as an SSLv3 handshake with squizedge is an instant deny:

openssl s_client -showcerts -connect staging.squizedge.net:443 -servername (valid domain without custom ssl cert) -ssl3
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1564975196
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
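The two CloudFront rules from this post as a small checker, added here and not part of the post: name_matches applies the usual one-label wildcard rule for certificate names, cloudfront_origin_cert_ok says which rule a cert would satisfy for a given origin domain and Host header (None is the case that shows up as a 502), and probe_cert_names is a standard-library equivalent of the openssl -servername checks above for live use (it assumes network access and a cert that chains to a trusted CA). The zyx/lpo/abc names are the post's abstract example.

```python
import socket
import ssl
from typing import Iterable, List, Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """Certificate name match: a wildcard covers exactly one leftmost label,
    so *.squizedge.net covers staging.squizedge.net but not a.b.squizedge.net."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def cloudfront_origin_cert_ok(cert_names: Iterable[str], origin_domain: str,
                              host_header: Optional[str] = None) -> Optional[str]:
    """Apply the two rules: 'origin' if the Origin Domain Name is covered by the
    cert, else 'host' if the forwarded Host header is, else None (CloudFront 502)."""
    names = list(cert_names)
    if any(name_matches(n, origin_domain) for n in names):
        return "origin"
    if host_header and any(name_matches(n, host_header) for n in names):
        return "host"
    return None


def probe_cert_names(connect_host: str, servername: str, port: int = 443,
                     timeout: float = 5.0) -> List[str]:
    """Connect to connect_host, send servername as SNI, return the cert's DNS names.

    Hostname checking is off because a mismatch is exactly what we want to see;
    chain validation stays on, so an untrusted cert raises ssl.SSLError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3 is refused upstream anyway
    with socket.create_connection((connect_host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            cert = tls.getpeercert()
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


if __name__ == "__main__":
    # The abstract example from the post: front-end zyx, Origin Domain Name lpo.
    for cert in (["lpo"], ["zyx"], ["abc"]):
        print(cert, cloudfront_origin_cert_ok(cert, origin_domain="lpo", host_header="zyx"))
    # Live equivalent of the first openssl check above (needs network):
    # print(probe_cert_names("staging.squizedge.net", "staging.squizedge.net"))
```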


Wednesday, July 17, 2019

AWS: Why does the Auto Minor Version Upgrade flag not upgrade to the latest minor version of the database?

Shout out to Asmita V. for this answer.

------------------------------------------
PROBLEM DESCRIPTION
------------------------------------------

Why were the RDS PostgreSQL instances not automatically upgraded to the latest minor version available even though the Auto Minor Version Upgrade flag is enabled for your instances?

------------------------------------------
RESPONSE
------------------------------------------

The reason why your instances were not upgraded to these minor versions is that AMVU will only upgrade the engine version for your RDS instance if the current engine version is being deprecated or the new one contains very important cumulative bug fixes and an upgrade is absolutely necessary.

Please note that while we highly recommend that you perform an upgrade to 10.9, this upgrade will not happen automatically as of now using AMVU as the automatic upgrades happen only when absolutely necessary and you can also view such actions using describe-pending-maintenance-actions command.

If there is an auto minor version upgrade scheduled as a maintenance, please be assured that you will get a separate notification explicitly mentioning the same. Currently, in this case the upgrade will have to be applied manually.

Further, at your end, you can check if the minor version upgrade will happen automatically or not by using the below CLI command:

$aws rds describe-db-engine-versions --output=table --engine postgres --engine-version 10.6

Output:
||+-------------------------------------------------------------------------------------------+||
|||                                    ValidUpgradeTarget                                     |||
||+-------------+---------------------+-----------+----------------+--------------------------+||
||| AutoUpgrade |     Description     |  Engine   | EngineVersion  |  IsMajorVersionUpgrade   |||
||+-------------+---------------------+-----------+----------------+--------------------------+||
|||  False      |  PostgreSQL 10.7-R1 |  postgres |  10.7          |  False                   |||
|||  False      |  PostgreSQL 10.9-R1 |  postgres |  10.9          |  False                   |||
|||  False      |  PostgreSQL 11.1-R1 |  postgres |  11.1          |  True                    |||
|||  False      |  PostgreSQL 11.2-R1 |  postgres |  11.2          |  True                    |||
|||  False      |  PostgreSQL 11.4-R1 |  postgres |  11.4          |  True                    |||
||+-------------+---------------------+-----------+----------------+--------------------------+||

As you can see from the above output, for version 10.6 the "AutoUpgrade" column is marked as "False" for all minor version upgrades (either 10.7 or 10.9). So, it has to be done manually. Please make sure to upgrade to the latest minor version (10.9) so that you won't be prone to any security vulnerabilities as per the following notice:

[+] https://www.postgresql.org/about/news/1949/
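The check the reply describes, scripted as an added example that is not part of the post or the support response: given the JSON form of describe-db-engine-versions output, it reports which targets AMVU would apply by itself and which minor version would have to be applied by hand. The sample data is a constructed copy of the table above.

```python
from typing import Any, Dict, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Sort key for dotted engine versions, so "10.9" > "10.7" and "11.1" > "10.9"."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def upgrade_summary(engine_version: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise one DBEngineVersions entry from describe-db-engine-versions.

    'auto' lists the targets AMVU would apply on its own (AutoUpgrade true);
    'latest_minor' is the newest same-major target, which has to be applied
    by hand when 'auto' is empty, the situation in the reply above.
    """
    targets = engine_version.get("ValidUpgradeTarget", [])
    minors = [t["EngineVersion"] for t in targets if not t.get("IsMajorVersionUpgrade", False)]
    auto = [t["EngineVersion"] for t in targets if t.get("AutoUpgrade", False)]
    latest_minor = max(minors, key=version_key, default=None)
    return {
        "engine_version": engine_version["EngineVersion"],
        "auto": sorted(auto, key=version_key),
        "latest_minor": latest_minor,
        "manual_upgrade_needed": latest_minor is not None and latest_minor not in auto,
    }


def _target(version: str, major: bool, auto: bool = False) -> Dict[str, Any]:
    """Build one ValidUpgradeTarget entry in the shape the CLI's JSON output uses."""
    return {"Engine": "postgres", "EngineVersion": version,
            "Description": f"PostgreSQL {version}-R1",
            "AutoUpgrade": auto, "IsMajorVersionUpgrade": major}


# Constructed sample mirroring the table in the reply (JSON shape, not --output=table).
SAMPLE = {"DBEngineVersions": [{
    "Engine": "postgres", "EngineVersion": "10.6",
    "ValidUpgradeTarget": [
        _target("10.7", major=False), _target("10.9", major=False),
        _target("11.1", major=True), _target("11.2", major=True), _target("11.4", major=True),
    ],
}]}

if __name__ == "__main__":
    for entry in SAMPLE["DBEngineVersions"]:
        print(upgrade_summary(entry))
```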