Lab 1 Infrastructure Deployment

AWS Infrastructure Creation using Terraform

Helpful Terraform Links:

Prerequisites/Requirements:

  • Windows OS

  • AWS - Cloud Instances: create an AWS free tier account

  • SonarCloud - SAST: create a SonarCloud account

  • Snyk - SCA: create a Snyk account

Step 1: Log in to AWS console and Create AWS Admin User

  • Search IAM

  • Click Users Tab and Add new user

  • Set a username

  • Select Attach policies

  • Assign AdministratorAccess

  • Click Next

  • Look for User created successfully

Step 2: Create User Access Keys - Docs:

  • Select the newly created user in the IAM section

  • In the user's IAM profile area, select security credentials tab

  • Go to the access keys section and select Create Access Key

  • Select CLI, accept recommendations and click next

  • OPTIONAL: Provide a tag

  • Select Create Access Key

IMPORTANT: Record these access keys now for later use; the secret access key is shown only once. Store them somewhere secure (for example an AWS CLI profile), never inside the cloned repo.

Step 3: Clone this repo

  • Open Windows Terminal in the folder where you want the repo cloned

  • Run the git clone command below

git clone https://github.com/Martian1337/devsecopslab1infra.git

Step 4: Open Folder in VSCode

Step 3: Modify .tfvars file

Here we will modify the dev-east-1.tfvars file so that Terraform can deploy an EC2 instance with our values.

Create AWS Key Pair for EC2 via Terraform

  • Go to Amazon EC2 Dashboard

  • Click Launch Instance

  • Scroll to Key Pair (login) and select create key pair

  • Select RSA and PPK for key file

  • Select Create Key Pair

  • Save file in cloned repo folder (devsecopslab1infra)

  • Scroll to Network Settings and note the VPC ID

  • Make a note of the region, vpc_id, CIDR, and key_name

  • Paste corresponding information into dev-east-1.tfvars

dev-east-1.tfvars Explanation

Here's a breakdown of what each line in my .tfvars file does:

  1. aws_region = "us-east-1": This line specifies that the AWS region you want Terraform to operate in is us-east-1.

  2. vpc_id = "vpc-070993d5821f87610": This line sets the value of the vpc_id variable to "vpc-070993d5821f87610". This ID is used when creating or configuring resources that are associated with a specific VPC in AWS.

  3. cidr_block = "172.31.0.0/16": This line sets the cidr_block variable to "172.31.0.0/16". A CIDR block is a notation for an IP address range; here it describes the IP range of your AWS VPC or subnet. Note, however, that this variable is not used by the Terraform configuration in this repo: main.tf declares only aws_region, vpc_id and key_name.

  4. key_name = "devsecopslab-1": This line sets the key_name variable to "devsecopslab-1". This is the name of the key pair that you will use to SSH into your EC2 instances.

When you run Terraform commands, the Terraform CLI will use these values for the corresponding variables in your configurations. If a variable is defined in both the .tfvars file and as an environment variable, the environment variable will take precedence.

Remember to keep your .tfvars file secure and avoid committing sensitive information like keys and passwords to source control. Consider using other means to securely provide these values, such as environment variables or storing sensitive data in a secure store such as AWS Secrets Manager or HashiCorp Vault.

Step 5: Modify Main.tf

Main.tf Explanation

Here is a breakdown of the Terraform file:

  1. Terraform Settings Block

terraform {
  required_version = ">= 0.12"
}

This block sets the minimum required version of Terraform to 0.12.

  2. AWS Provider Block

provider "aws" {
  region = var.aws_region
}

The provider block configures the AWS provider for Terraform. The AWS region is obtained from the aws_region variable.

  3. Variables

variable "aws_region" {
  type = string
}
variable "vpc_id" {
  type = string
}
variable "key_name" {
  type = string
}

These variable blocks declare three variables aws_region, vpc_id and key_name, all of string type. These are parameters used by this Terraform configuration. Their values can be set in a variety of ways, including from the command line, from environment variables, or from a separate variables file.

  4. AWS Security Group

resource "aws_security_group" "jenkins_sg" {
  ...
}

This block defines a security group named jenkins_sg that allows incoming traffic to specific ports (8081 for Jenkins and 22 for SSH) from any IP address (0.0.0.0/0). The security group also allows all outgoing traffic. Because 0.0.0.0/0 exposes both the Jenkins UI and SSH to the whole Internet, restrict the ingress CIDR to your own address range outside of a throwaway lab.

  5. AWS AMI Data Source

data "aws_ami" "amazon_linux" {
  ...
}

This data block retrieves the most recent Amazon Linux AMI that meets the filters specified.

  6. AWS IAM Role

resource "aws_iam_role" "test_role" {
  ...
}

This block creates an IAM role named test_role which can be assumed by EC2 instances.

  7. AWS IAM Instance Profile

resource "aws_iam_instance_profile" "test_profile" {
  ...
}

This block creates an IAM instance profile named test_profile associated with the IAM role test_role.

  8. AWS IAM Role Policy

resource "aws_iam_role_policy" "test_policy" {
  ...
}

This block attaches an IAM policy named test_policy to the IAM role test_role. The policy grants every action (Action "*") on every resource (Resource "*").

  9. AWS Instance

resource "aws_instance" "web" {
  ...
}

This block creates an EC2 instance of type t2.medium using the Amazon Linux AMI found earlier. The instance is associated with the security group jenkins_sg, the IAM instance profile test_profile, and the SSH key specified in the key_name variable. User data is specified, meaning a script named install_jenkins.sh will be run on instance startup. The instance is tagged with the name "Jenkins".

Remember to supply the appropriate values for the variables (aws_region, vpc_id, key_name, etc.) when you run the Terraform commands. Also make sure the IAM role has only the permissions your use case needs: the "*" specified here grants full access to all AWS services, which is more than a Jenkins host should have and might not be what you want for security reasons.
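As an added example (not part of the repo's main.tf), here is a hardened version of the two blocks the warnings above concern: the security group restricted to a single administrator CIDR supplied through a new admin_cidr variable, and the role policy scoped to an explicit action list instead of "*". The admin_cidr variable and the two EKS actions are assumptions for illustration, and the validation block needs Terraform 0.13 or newer.

```hcl
# Added example, not from the lab repo: hardened replacements for jenkins_sg and
# test_policy. admin_cidr is an assumed new variable; set it in dev-east-1.tfvars.
variable "admin_cidr" {
  type        = string
  description = "CIDR allowed to reach Jenkins (8081) and SSH (22), e.g. 203.0.113.10/32"
  validation {
    condition     = var.admin_cidr != "0.0.0.0/0"
    error_message = "The admin_cidr value must not be 0.0.0.0/0."
  }
}

resource "aws_security_group" "jenkins_sg" {
  name   = "jenkins_sg"
  vpc_id = var.vpc_id

  # Only the admin CIDR may reach Jenkins and SSH; no 0.0.0.0/0 ingress.
  dynamic "ingress" {
    for_each = [8081, 22]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.admin_cidr]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Explicit actions instead of Action "*": the list below is an assumption for
# this lab (kubectl context lookups against EKS); replace it with what the
# pipeline actually calls. eks:ListClusters only supports Resource "*".
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["eks:DescribeCluster", "eks:ListClusters"]
      Resource = "*"
    }]
  })
}
```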

Step 6: Analyze Jenkins.sh Install Script

Step 7: Initialize Terraform in Text Editor

terraform init

Step 8: Plan Resources

terraform plan -var-file="vars/dev-east-1.tfvars"

Step 9: Apply Resources

terraform apply -var-file="vars/dev-east-1.tfvars"

Step 10: Visit Jenkins Instance in the Browser

  • Go to EC2 Dashboard and click Instances

  • Click the instance that was created for this lab

  • Open the Public DNS address on your configured port to visit the Jenkins home page

    • The URL for my Jenkins instance looks like this http://ec2-xx-xxx-xxx-xxx.us-east-1.compute.amazonaws.com:8081

Commands to get the Jenkins admin password via command line

Connect via the console and run this command to retrieve the password:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Or connect to the instance remotely over SSH like this (ssh -i expects the key in OpenSSH/.pem format; a .ppk file is for PuTTY):

chmod 400 <keypair>
ssh -i <keypair> ec2-user@<public_dns>
sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Some Useful Commands for Training Pipeline 1

# To get the context information of the Kubernetes cluster
cat /home/ec2-user/.kube/config

# To create a namespace in the Kubernetes cluster
kubectl create namespace test

# To list the deployments in a namespace
kubectl get deployments --namespace=test

# To list the services in a namespace
kubectl get svc --namespace=test

# To delete everything in a namespace
kubectl delete all --all -n test

# To remove stopped containers, unused networks and dangling images to free disk space
docker system prune

# To delete a docker image
docker image rm imagename

# To create an EKS cluster
eksctl create cluster --name kubernetes-cluster --version 1.23 --region us-east-1 --nodegroup-name linux-nodes --node-type t2.medium --nodes 2

# To delete the EKS cluster
eksctl delete cluster --region=us-east-1 --name=kubernetes-cluster

Cleanup Terraform Resources

terraform destroy -var-file="vars/dev-east-1.tfvars"
