Lab 1 Infrastructure Deployment
Helpful Terraform Links:
- Extract the executable to a desired location for this lab
- Create an AWS free tier account
- Create a SonarCloud account
- Create a Snyk account
- Search IAM
- Click the Users tab and add a new user
- Set a username
- Select Attach policies
- Assign AdministratorAccess
- Click Next
- Look for "User created successfully"
- Select the newly created user in the IAM section
- In the user's IAM profile area, select the Security credentials tab
- Go to the Access keys section and select Create Access Key
- Select CLI, accept the recommendations and click Next
- OPTIONAL: Provide a tag
- Select Create Access Key
IMPORTANT!: Be sure to record these access keys for later use. They are long-lived credentials for an AdministratorAccess user, so keep them out of the cloned repo and out of source control.
- Open Windows Terminal in the desired location for a full copy of the repo
- Run the git clone command below:
```shell
git clone https://github.com/Martian1337/devsecopslab1infra.git
```
Here we will be modifying the `dev-east-1.tfvars` file so that we can use Terraform to deploy an EC2 instance.
- Go to the Amazon EC2 Dashboard
- Click Launch Instance
- Scroll to Key Pair (login) and select Create key pair
- Select RSA and PPK for the key file
- Select Create Key Pair
- Save the file in the cloned repo folder (devsecopslab1infra); it is your private key, so make sure it is never committed (add it to `.gitignore`)
- Scroll to Network Settings and document the VPC ID
- Make a note of the region, vpc_id, CIDR, and key_name
- Paste the corresponding information into `dev-east-1.tfvars`
Here's a breakdown of what each line in my `.tfvars` file does:
1. `aws_region = "us-east-1"`: This line specifies that the AWS region you want Terraform to operate in is us-east-1.
2. `vpc_id = "vpc-070993d5821f87610"`: This line sets the `vpc_id` variable to `"vpc-070993d5821f87610"`. This ID is used when creating or configuring resources that are associated with a specific VPC in AWS.
3. `cidr_block = "172.31.0.0/16"`: This line sets the `cidr_block` variable to `"172.31.0.0/16"`. A CIDR block is a notation for an IP address range; here it specifies the IP range of your AWS VPC or subnet. Note, however, that this variable is not declared or used in the Terraform file described below, so Terraform will warn about a value for an undeclared variable and otherwise ignore it.
4. `key_name = "devsecopslab-1"`: This line sets the `key_name` variable to `"devsecopslab-1"`. This is the name of the key pair that you will use to SSH into your EC2 instances.
When you run Terraform commands, the Terraform CLI will use these values for the corresponding variables in your configuration. If a variable is defined in both the `.tfvars` file and as an environment variable, the environment variable will take precedence.
Remember to keep your `.tfvars` file secure and avoid committing sensitive information like keys and passwords to source control. Consider using other means to securely provide these values, such as environment variables or storing sensitive data in a secure store such as AWS Secrets Manager or HashiCorp Vault.
Here is a breakdown of the Terraform file:
1. Terraform Settings Block
```hcl
terraform {
  required_version = ">= 0.12"
}
```
This block sets the minimum required version of Terraform to 0.12.
2. AWS Provider Block
```hcl
provider "aws" {
  region = var.aws_region
}
```
The provider block configures the AWS provider for Terraform. The AWS region is obtained from the `aws_region` variable.
3. Variables
```hcl
variable "aws_region" {
  type = string
}
variable "vpc_id" {
  type = string
}
variable "key_name" {
  type = string
}
```
These variable blocks declare three variables, `aws_region`, `vpc_id` and `key_name`, all of string type. These are parameters used by this Terraform configuration. Their values can be set in a variety of ways, including from the command line, from environment variables, or from a separate variables file.
4. AWS Security Group
```hcl
resource "aws_security_group" "jenkins_sg" {
  ...
}
```
This block defines a security group named `jenkins_sg` that allows incoming traffic to specific ports (8081 for Jenkins and 22 for SSH) from any IP address (`0.0.0.0/0`). The security group also allows any outgoing traffic. Leaving SSH and the Jenkins setup page open to the whole internet is acceptable only for a short-lived lab; narrowing the ingress rules to your own IP range is the usual fix.
5. AWS AMI Data Source
```hcl
data "aws_ami" "amazon_linux" {
  ...
}
```
This data block retrieves the most recent Amazon Linux AMI that meets the filters specified.
6. AWS IAM Role
```hcl
resource "aws_iam_role" "test_role" {
  ...
}
```
This block creates an IAM role named `test_role` which can be assumed by EC2 instances.
7. AWS IAM Instance Profile
```hcl
resource "aws_iam_instance_profile" "test_profile" {
  ...
}
```
This block creates an IAM instance profile named `test_profile` associated with the IAM role `test_role`.
8. AWS IAM Role Policy
```hcl
resource "aws_iam_role_policy" "test_policy" {
  ...
}
```
This block attaches an IAM policy named `test_policy` to the IAM role `test_role`. The policy grants full access (`"*"`) to all resources (`"*"`).
9. AWS Instance
```hcl
resource "aws_instance" "web" {
  ...
}
```
This block creates an EC2 instance of type `t2.medium` using the Amazon Linux AMI found earlier. The instance is associated with the security group `jenkins_sg`, the IAM instance profile `test_profile`, and the SSH key specified in the `key_name` variable. User data is specified, meaning a script named `install_jenkins.sh` will be run on instance startup. The instance is tagged with the name "Jenkins".
Remember to replace the variables with the appropriate values (like `aws_region`, `vpc_id`, `key_name`, etc.) when you run the Terraform scripts. Also, ensure that the IAM role has the appropriate permissions necessary for your use case: the `"*"` specified here grants full access to all AWS services, which might not be what you want for security reasons.
```shell
terraform init
terraform plan -var-file="vars/dev-east-1.tfvars"
terraform apply -var-file="vars/dev-east-1.tfvars"
```
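As an added example (not code from the Martian1337/devsecopslab1infra repo), here is a hardened counterpart to the three points the breakdown above flags: the `jenkins_sg` ingress narrowed from `0.0.0.0/0` to an admin range, `test_policy` scoped to a few actions on one resource instead of `"*"` on `"*"`, and a secret read from AWS Secrets Manager through a `sensitive` variable rather than placed in `dev-east-1.tfvars`. The `admin_cidr` variable, the `203.0.113.10/32` sample address, the Secrets Manager secret name and the S3 bucket ARN are all assumptions; the lab's own `main.tf` is elided on this page, so its original values appear only as comments.

```hcl
# Added example, not the lab repo's own code. Same resource shapes as the
# lab's breakdown, with each permissive setting scoped down.
# Assumptions: var.admin_cidr, the secret name and the bucket ARN are
# placeholders; nothing here is taken from the lab's main.tf.

variable "vpc_id" {
  type = string
}

# Assumed: the operator's own address range, e.g. passed as
#   TF_VAR_admin_cidr="203.0.113.10/32" terraform plan ...
# (203.0.113.0/24 is a documentation range, so the value is constructed).
variable "admin_cidr" {
  type        = string
  description = "CIDR allowed to reach SSH (22) and the Jenkins UI (8081)"
}

# Assumed secret name. sensitive = true (Terraform >= 0.14) redacts the
# value from plan/apply output; the secret itself lives in Secrets Manager,
# not in a committed .tfvars file.
variable "jenkins_secret_id" {
  type        = string
  sensitive   = true
  default     = "ASSUMED/devsecopslab/jenkins-admin"
  description = "Secrets Manager secret holding the Jenkins admin password"
}

data "aws_secretsmanager_secret_version" "jenkins_admin" {
  secret_id = var.jenkins_secret_id
}

locals {
  # secret_string is sensitive; Terraform carries that through jsondecode,
  # so this local is never printed in plan output either.
  jenkins_admin_password = jsondecode(
    data.aws_secretsmanager_secret_version.jenkins_admin.secret_string
  )["password"]
}

# Lab value for both ingress rules: cidr_blocks = ["0.0.0.0/0"].
# Hardened: the same two ports, reachable only from admin_cidr.
resource "aws_security_group" "jenkins_sg" {
  name        = "jenkins_sg"
  description = "Jenkins host: SSH and UI from the admin range only"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  ingress {
    description = "Jenkins UI"
    from_port   = 8081
    to_port     = 8081
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_iam_role" "test_role" {
  name = "test_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Lab value: Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
# Hardened: only what a build host needs (assumed: read one artifact bucket).
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::ASSUMED-devsecopslab-artifacts",
        "arn:aws:s3:::ASSUMED-devsecopslab-artifacts/*",
      ]
    }]
  })
}
```

Run it with the same `-var-file` as above plus `TF_VAR_admin_cidr` set to your own address; `terraform plan` shows the secret only as `(sensitive value)`. After apply, `aws ec2 describe-security-groups --filters Name=group-name,Values=jenkins_sg` should list your admin range, and no `0.0.0.0/0`, on ports 22 and 8081.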
- Go to the EC2 Dashboard and click Instances
- Click the instance that was created for this lab
- Open the Public DNS address on your configured port to visit the Jenkins home page
- The URL for my Jenkins instance looks like this:
http://ec2-xx-xxx-xxx-xxx.us-east-1.compute.amazonaws.com:8081
Connect via the console and run this command to retrieve the password:
```shell
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
```
Or remotely connect to this instance like this:
```shell
chmod 400 <keypair>
ssh -i <keypair> ec2-user@<public_dns>
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
```
```shell
# To get context information of the Kubernetes cluster
cat /home/ec2-user/.kube/config
# To create a namespace in the Kubernetes cluster
kubectl create namespace test
# To get deployments in a namespace in the Kubernetes cluster
kubectl get deployments --namespace=test
# To get services in a namespace in the Kubernetes cluster
kubectl get svc --namespace=test
# To delete everything in a namespace in the Kubernetes cluster
kubectl delete all --all -n test
# To delete unused Docker images to clean up space on the system
docker system prune
# To delete a Docker image
docker image rm imagename
# To create an EKS cluster
eksctl create cluster --name kubernetes-cluster --version 1.23 --region us-east-1 --nodegroup-name linux-nodes --node-type t2.medium --nodes 2
# To delete the EKS cluster
eksctl delete cluster --region=us-east-1 --name=kubernetes-cluster
# To tear down the lab infrastructure created by Terraform
terraform destroy -var-file="vars/dev-east-1.tfvars"
```