Terraform for AWS

Full Scale DevSecOps Hands-on for AWS using Terraform

abhinav singhal
AWS Tip


In real DevSecOps work, engineers are asked to bring up infrastructure in a matter of minutes, and not just one or two instances: it is normally 50 or even 100 pieces of infrastructure. We are going to do a full-scale deployment and provisioning of infrastructure as shown in the example below. We will provision EC2 instances using Terraform. To keep the example short we will provision 2 web application servers.

We will

  1. Use Terraform to provision the instances.
  2. Use Systems Manager to run commands on them and help in provisioning.
  3. Run the commands via Systems Manager Run Command.
  4. Have Systems Manager notify us by email through Amazon SNS in case anything erroneous happens.

Let's make it happen. We will use VSCode to edit or update the Terraform configuration.

Prerequisite: you have VSCode with the Terraform extension installed. This will help in editing the Terraform files.

Terraform provisions infrastructure from configuration files. Please note that these files are configuration, not application code. To get started you can also refer to the Terraform website, which has AWS tutorials.

Create the basic Terraform file and update the basic infrastructure settings for this example. We will have to look up the VPC and subnet ids in the AWS console. So log in to your AWS console, select the default VPC id and update it in your Terraform file. Once done, update the corresponding subnet id in the Terraform file. Please make sure the subnet id belongs to the VPC id that was selected as default.

Once done, create an SSH key pair and call it sshkey1. You can call it whatever you want; in this example I am using sshkey1. Keep this key handy as we will need it in order to SSH into the EC2 instances once we connect using the AWS console.
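The configuration described above, as an added example that is not the article's own file: it provisions the two web servers with a count, references the sshkey1 key pair, and takes the VPC, subnet and AMI ids as placeholder variables that you replace with the values looked up in the console.

```hcl
# Added example, not the article's file. REPLACE_ME values are placeholders
# for the ids you copy from the AWS console (VPC, subnet, Amazon Linux AMI).
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

provider "aws" {
  region = "us-east-1" # the region used later in the walkthrough
}

variable "vpc_id"    { default = "vpc-REPLACE_ME" }    # default VPC id
variable "subnet_id" { default = "subnet-REPLACE_ME" } # a subnet in that VPC
variable "ami_id"    { default = "ami-REPLACE_ME" }    # Amazon Linux AMI for us-east-1

# Security group: only HTTP in. Port 22 is deliberately not opened because
# the walkthrough reaches the instances through Session Manager, not SSH.
resource "aws_security_group" "web" {
  name   = "webapp-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Two identical web servers; raising count is how you get to 50 or 100.
resource "aws_instance" "webapp" {
  count                  = 2
  ami                    = var.ami_id
  instance_type          = "t2.micro"
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.web.id]
  key_name               = "sshkey1" # key pair created in the console
  metadata_options { http_tokens = "required" } # IMDSv2 only
  tags                   = { Name = "WebServer-${count.index + 1}" }
}

output "instance_ids" { value = aws_instance.webapp[*].id }
```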

Now zip the Terraform files and keep the archive handy. Navigate to the AWS console and look for AWS CloudShell. In CloudShell perform the steps below.

  1. Install Terraform in CloudShell using the commands below.
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
sudo yum -y install terraform

  2. Now upload the Terraform zip file from your local machine.

Now unzip the file.

Now navigate to the folder and you will see the two files that you unzipped. Then run the commands below: terraform init and terraform plan.

terraform init
terraform plan

Now we can create the planned resources using the terraform apply command.

terraform apply

This will take a couple of seconds.

Now you can see the infrastructure has been provisioned in 31 seconds. This is way better than doing it manually, and imagine if you had to do it for many instances.

More details about Terraform can be found in this link.

Now I would like to add AWS Systems Manager, configure notifications and execute the Run Command.

The steps below will help in configuring this.

  1. Let's create the IAM role: IAM > Create Role. Pick the use case as Systems Manager.

Also select "Allows SSM to call AWS services on your behalf". Select SNS in the policy list and choose full access.

Click next and give the role a name such as "SystemsManagerToSNS"; it is up to you to decide the role name. Please keep it handy in a notepad as we will need it in later steps.

Once done, click next and it will create the role for you.

Configuring SNS

  1. Go to SNS in the AWS console and create a topic by selecting Topics in the navigation menu.

Once you see that the topic has been created, click on "Create subscription".

Once you create a subscription you will get an email to confirm it, so go ahead and check the email address that was used while creating the subscription. Upon confirmation the SNS page in the AWS console will show the status as Confirmed. Congratulations, SNS is now configured for this example.
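The IAM role and the SNS topic and subscription from the two sections above, as an added Terraform example that is not part of the article. Assumptions: the email address is a placeholder, and the role is scoped to sns:Publish on this one topic instead of the SNS full-access policy picked in the console walkthrough.

```hcl
# Added example, not the article's configuration.
resource "aws_sns_topic" "runcommand" {
  name = "ssm-runcommand-notifications"
}

# Email subscriptions stay pending until the link in the email is clicked.
resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.runcommand.arn
  protocol  = "email"
  endpoint  = "you@example.com" # placeholder address
}

# Trust policy: only the Systems Manager service may assume this role.
data "aws_iam_policy_document" "ssm_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ssm_to_sns" {
  name               = "SystemsManagerToSNS" # role name used in the article
  assume_role_policy = data.aws_iam_policy_document.ssm_trust.json
}

# Least privilege: publish to this topic only, rather than full SNS access.
data "aws_iam_policy_document" "publish" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.runcommand.arn]
  }
}

resource "aws_iam_role_policy" "publish" {
  name   = "publish-runcommand-status"
  role   = aws_iam_role.ssm_to_sns.id
  policy = data.aws_iam_policy_document.publish.json
}

output "notification_topic_arn" { value = aws_sns_topic.runcommand.arn }
output "notification_role_arn"  { value = aws_iam_role.ssm_to_sns.arn }
```

The two ARNs are the values Run Command asks for when SNS notifications are enabled in the later step.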

Configuring AWS Systems Manager

Now let's go to Systems Manager and click on Quick Setup in the left-hand menu.

  1. Select the region you are in; I am going to use us-east-1.
  2. Then select Host Management as the next option.
  3. Keep the other options at their defaults, and under Targets choose the manual option for your region and select the WebServer instances that we created using Terraform.

It will take a few minutes; wait until all configuration items turn green, as shown in the screenshot below.

Select Session Manager.

Now you will notice that the EC2 instances are not appearing in Session Manager.

To solve this, perform the steps below.

Go to EC2 Instances and reboot them. Rebooting restarts the SSM Agent so it picks up the instance profile that Quick Setup attached. Wait for 5 minutes and go back to Systems Manager > Session Manager and click Start Session. You will see both instances shown there. This solves the above problem.

Now go ahead and select one of the web servers and start a session for it by clicking "Start session".

Once you click on it, this will open a remote connection to your EC2 instance.

The next step is to execute the Run Command from Systems Manager. So navigate to AWS Systems Manager >> Run Command and click the Run command button. This will present the list of Command documents. In the filter type "shell", as we are preparing for shell script execution.

Select "AWS-RunShellScript".

Execute the commands below. These commands install an agent on the EC2 instances. Please note that this is just a simulation agent and not a real agent. Since the script is downloaded from an external bucket and executed as root, inspect it before running it anywhere other than a lab account.

sudo wget -q https://tcb-bootcamps.s3.amazonaws.com/bootcamp-aws/en/install_security_agent.sh -P /tmp
sudo chmod +x /tmp/install_security_agent.sh
sudo /tmp/install_security_agent.sh
ls -ltr /usr/bin/security_agent

After adding the script, scroll down and select the option to choose the instances manually.

Select the SNS notifications option and enter the topic that we created earlier.

Now click "Run".

This is what you will see.

Refresh it by clicking the refresh button; meanwhile you should check the email address that you subscribed to the SNS topic. You will receive a notification from SNS.

Now you can see that the command completed on both instances.

Congratulations, you are able to run commands on the EC2 instances and have the infrastructure up and running.

Let's clean up the project and use Terraform to stop these instances and remove the infrastructure.

  1. Go to AWS CloudShell.
  2. Navigate to the Terraform folder and, if it is no longer installed, install Terraform again using the commands below.
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
sudo yum -y install terraform
  3. Now go ahead and run the command terraform destroy.

This will shut down and remove the EC2 instances via Terraform, instead of doing it manually.

Congratulations, you went through the exercise of configuring infrastructure using Terraform on AWS. You can see the power of Terraform and how convenient it is to bring up infrastructure just from configuration.
