{"id":5551,"date":"2019-09-18T11:35:16","date_gmt":"2019-09-18T15:35:16","guid":{"rendered":"\/db-blog\/?p=5551"},"modified":"2020-03-11T19:19:12","modified_gmt":"2020-03-11T23:19:12","slug":"aws-terraform-provision-a-lightsail-instance-using-infrastructure-as-code","status":"publish","type":"post","link":"https:\/\/droidbasement.com\/db-blog\/aws-terraform-provision-a-lightsail-instance-using-infrastructure-as-code\/","title":{"rendered":"AWS\/Terraform \u2013 Provision a Lightsail instance using Infrastructure as Code"},"content":{"rendered":"\n

AWS has introduced Lightsail<\/a> to compete with Digital Ocean, Linode, etc. for an inexpensive VPS (Virtual Private Server) offering.<\/p>\n\n\n\n

In this article we will use Terraform<\/a> (Infrastructure as Code) to swiftly bring up an AWS Lightsail instance in us-east-1 on a static IP, add a DNS Zone for the site in mention and install docker\/docker-compose on it.<\/p>\n\n\n\n

We will use ‘myweb’ as an example in this article, using the same base path of ‘dev’ that was previously created<\/a>, the container-admin group<\/a> and using ~\/.local\/bin for the binary.<\/p>\n\n\n\n

Please use ‘Get started with Lightsail for free’<\/a> prior to commencing with this article.<\/p>\n\n\n\n

<\/p>\n\n\n\n

–>
Go in to the dev directory\/link located within your home directory:<\/p>\n\n\n\n

$ cd ~\/dev<\/pre>\n\n\n\n
Upgrade the AWS CLI on your host:<\/p>\n\n\n\n
$ pip3 install awscli --upgrade --user && chmod 754 ~\/.local\/bin\/aws<\/pre>\n\n\n\n
Grab Terraform:<\/p>\n\n\n\n
$ wget https:\/\/releases.hashicorp.com\/terraform\/0.12.9\/terraform_0.12.9_linux_amd64.zip<\/pre>\n\n\n\n
Install Unzip if you do not have it installed:<\/p>\n\n\n\n
$ sudo apt update && sudo apt -y install unzip<\/pre>\n\n\n\n
Unzip it to ~\/.local\/bin and set permissions accordingly on it:<\/p>\n\n\n\n
$ unzip terraform_0.12.9_linux_amd64.zip -d ~\/.local\/bin && chmod 754 ~\/.local\/bin\/terraform<\/pre>\n\n\n\n
Create a work folder and change in to it:<\/p>\n\n\n\n
$ mkdir -p terraform\/myweb\/scripts && cd terraform\/myweb<\/pre>\n\n\n\n
Add an IAM Policy to the container-admin group so it will have access to the Lightsail API:
AWS UI Console -> Services -> Security, Identity, & Compliance -> IAM -> Policies -> Create Policy -> JSON (replace <AWS ACCOUNT ID> in the Resource arn with your Account\u2019s ID (shown under the top right drop-down (of your name) within the My Account page next to the Account Id: under Account Settings)):<\/p>\n\n\n\n
{\n     \"Version\": \"2012-10-17\",\n     \"Statement\": [\n         {\n             \"Effect\": \"Allow\",\n             \"Action\": [\n                 \"lightsail:GetRelationalDatabaseEvents\",\n                 \"lightsail:GetActiveNames\",\n                 \"lightsail:GetOperations\",\n                 \"lightsail:GetBlueprints\",\n                 \"lightsail:GetRelationalDatabaseMasterUserPassword\",\n                 \"lightsail:ExportSnapshot\",\n                 \"lightsail:UnpeerVpc\",\n                 \"lightsail:GetRelationalDatabaseLogEvents\",\n                 \"lightsail:GetRelationalDatabaseBlueprints\",\n                 \"lightsail:GetRelationalDatabaseBundles\",\n                 \"lightsail:CopySnapshot\",\n                 \"lightsail:GetRelationalDatabaseMetricData\",\n                 \"lightsail:PeerVpc\",\n                 \"lightsail:IsVpcPeered\",\n                 \"lightsail:UpdateRelationalDatabaseParameters\",\n                 \"lightsail:GetRegions\",\n                 \"lightsail:GetOperation\",\n                 \"lightsail:GetDisks\",\n                 \"lightsail:GetRelationalDatabaseParameters\",\n                 \"lightsail:GetBundles\",\n                 \"lightsail:GetRelationalDatabaseLogStreams\",\n                 \"lightsail:CreateKeyPair\",\n                 \"lightsail:ImportKeyPair\",\n                 \"lightsail:DeleteKeyPair\",\n                 \"lightsail:GetInstance\",\n                 \"lightsail:CreateInstances\",\n                 \"lightsail:DeleteInstance\",\n                 \"lightsail:GetDomains\",\n                 \"lightsail:GetDomain\",\n                 \"lightsail:CreateDomain\",\n                 \"lightsail:DeleteDomain\",\n                 \"lightsail:GetStaticIp\",\n                 \"lightsail:AllocateStaticIp\",\n                 \"lightsail:AttachStaticIp\",\n                 \"lightsail:DetachStaticIp\",\n                 \"lightsail:ReleaseStaticIp\"\n             ],\n             \"Resource\": \"*\"         <\/em>\n         },\n         {\n             \"Effect\": \"Allow\",\n             \"Action\": \"lightsail:\",\n             \"Resource\": [\n                 \"arn:aws:lightsail::<AWS ACCOUNT ID>:StaticIp\/*\",\n                 \"arn:aws:lightsail::<AWS ACCOUNT ID>:ExportSnapshotRecord\/*\",\n                 \"arn:aws:lightsail::<AWS ACCOUNT ID>:Instance\/*\",<\/em>\n                 \"<\/em>arn:aws:lightsail::<AWS ACCOUNT ID>:CloudFormationStackRecord\/<\/em>*\",\n                 \"arn:aws:lightsail::<AWS ACCOUNT ID>:RelationalDatabaseSnapshot\/*\",<\/em>\n                 \"<\/em>arn:aws:lightsail::<AWS ACCOUNT ID>:RelationalDatabase\/<\/em>*\",\n                 \"arn:aws:lightsail::<AWS ACCOUNT ID>:InstanceSnapshot\/*\",<\/em>\n                 \"<\/em>arn:aws:lightsail::<AWS ACCOUNT ID>:<\/em>Domain\/<\/em>*\",\n                 \"arn:aws:lightsail::<AWS ACCOUNT ID>:LoadBalancer\/*\",<\/em>\n                 \"<\/em>arn:aws:lightsail::<AWS ACCOUNT ID>:KeyPair\/<\/em>*\",\n                 \"arn:aws:lightsail::<AWS ACCOUNT ID>:Disk\/*\"\n             ]\n         }\n     ]\n }<\/pre>\n\n\n\n
Review Policy -><\/p>\n\n\n\n
Name: AllowLightsail
Description: Allow access to Lightsail.<\/p>\n\n\n\n
Create Policy.<\/p>\n\n\n\n
Groups -> container-admin -> Attach Policy -> Search for AllowLightsail -> Attach Policy.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Generate an SSH Key Pair (no password) and restrict permissions on it:<\/p>\n\n\n\n
$ ssh-keygen -q -t rsa -b 2048 -N '' -f ~\/.ssh\/myweb && chmod 400 ~\/.ssh\/myweb<\/pre>\n\n\n\n
Import the public key to Lightsail:<\/p>\n\n\n\n
$ aws lightsail import-key-pair --key-pair-name myweb --public-key-base64 file:\/\/~\/.ssh\/myweb.pub<\/pre>\n\n\n\n
Set the version to greater then or equal to 2.0, interpolate the region and use the AWS CLI credentials file:<\/p>\n\n\n\n
$ cat << 'EOF' > provider.tf\n> provider \"aws\" {\n>   version                 = \">= 2.0\"\n>\n>   region                  = \"${var.region}\"\n>   shared_credentials_file = \"~\/.aws\/credentials\"\n>   profile                 = \"default\"\n> }\n> EOF<\/pre>\n\n\n\n
Set the default region as a variable:<\/p>\n\n\n\n
$ cat << 'EOF' > vars.tf\n> variable \"region\" {\n>   default = \"us-east-1\"\n> }\n> EOF<\/pre>\n\n\n\n
Create a Lightsail DNS Zone of myweb.com, allocate a static IP for it, create a micro instance based off of Ubuntu 18_04, reference an extraneous file for user_data (run once script on Virtual Machine boot), tag it and attach the allocated Static IP to it:<\/p>\n\n\n\n
$ cat << 'EOF' > lightsail.tf\n> resource \"aws_lightsail_domain\" \"myweb\" {\n>   domain_name = \"myweb.com\"\n> }\n>\n> resource \"aws_lightsail_static_ip\" \"myweb\" {\n>   name = \"static-ip_myweb\"\n> }\n>\n> resource \"aws_lightsail_instance\" \"myweb\" {\n>   name                    = \"site_myweb\"\n>   availability_zone       = \"${var.region}a\"\n>   blueprint_id            = \"ubuntu_18_04\"\n>   bundle_id               = \"micro_2_0\"\n>   key_pair_name           = \"myweb\"\n>   user_data               = \"${data.template_file.init_script.rendered}\"\n>\n>   tags = {\n>         Site = \"myweb.com\"\n>     }\n> }\n>\n> resource \"aws_lightsail_static_ip_attachment\" \"myweb\" {\n>   static_ip_name = \"${aws_lightsail_static_ip.myweb.name}\"\n>   instance_name  = \"${aws_lightsail_instance.myweb.name}\"\n> }\n> EOF<\/pre>\n\n\n\n
Output our allocated and attached static IP after creation:<\/p>\n\n\n\n
$ cat << 'EOF' > output.tf\n> output \"static_public_ip\" {\n>   value = \"${aws_lightsail_static_ip.myweb.ip_address}\"\n> }\n> EOF<\/pre>\n\n\n\n
Create a template file to reference a run-once on boot user_data script:<\/p>\n\n\n\n
$ cat << 'EOF' > install.tf\n> data \"template_file\" \"init_script\" {\n>   template = \"${file(\"scripts\/install.sh\")}\"\n> }\n> EOF<\/pre>\n\n\n\n
Create the shell script for user_data:<\/p>\n\n\n\n
$ cat << 'EOF' > scripts\/install.sh\n> #!\/bin\/bash\n>\n> MY_HOME=\"\/home\/ubuntu\"\n> export DEBIAN_FRONTEND=noninteractive\n>\n> # Install prereqs\n> apt update\n> apt install -y python3-pip apt-transport-https ca-certificates curl software-properties-common\n> # Install docker\n> curl -fsSL https:\/\/download.docker.com\/linux\/ubuntu\/gpg | sudo apt-key add -\n> add-apt-repository \"deb [arch=amd64] https:\/\/download.docker.com\/linux\/ubuntu $(lsb_release -cs) stable\"\n> apt update\n> apt install -y docker-ce\n> # Install docker-compose\n> su ubuntu -c \"mkdir -p $MY_HOME\/.local\/bin\"\n> su ubuntu -c \"pip3 install docker-compose --upgrade --user && chmod 754 $MY_HOME\/.local\/bin\/docker-compose\"\n> usermod -aG docker ubuntu\n> # Add PATH\n> printf \"\\nexport PATH=\\$PATH:$MY_HOME\/.local\/bin\\n\" >> $MY_HOME\/.bashrc\n>\n> exit 0\n> EOF<\/pre>\n\n\n\n
Initialize the directory:<\/p>\n\n\n\n
$ terraform init<\/pre>\n\n\n\n
Run a dry-run to see what will occur:<\/p>\n\n\n\n
$ terraform plan<\/pre>\n\n\n\n
Provision:<\/p>\n\n\n\n
$ terraform apply -auto-approve<\/pre>\n\n\n\n
Log on to the instance (up to ~30 seconds may be needed for the attachment of the static IP to the instance):<\/p>\n\n\n\n
$ ssh -i ~\/.ssh\/myweb ubuntu@<The value of static_public_ip that was reported.  One can also use 'terraform output static_public_ip' to print it again.><\/pre>\n\n\n\n
Type yes and hit enter to accept.<\/p>\n\n\n\n
<\/p>\n\n\n\n
On the host (a short while is needed for the run-once script to complete):<\/p>\n\n\n\n
$ docker --version\n$ docker-compose --version\n$ logout<\/pre>\n\n\n\n
Tear down what was created by first performing a dry-run to see what will occur:<\/p>\n\n\n\n
$ terraform plan -destroy <\/pre>\n\n\n\n
Tear down the instance:<\/p>\n\n\n\n
$ terraform destroy -auto-approve<\/pre>\n\n\n\n
<–<\/p>\n\n\n\n
<\/p>\n\n\n\n
References:<\/p>\n\n\n\n
Source: 
terraform_aws_myweb<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
AWS has introduced Lightsail to compete with Digital Ocean, Linode, etc. for an inexpensive VPS (Virtual Private Server) offering. In this article we will use Terraform (Infrastructure as Code) to swiftly bring up an AWS Lightsail instance in us-east-1 on a static IP, add a DNS Zone for the site in mention and install docker\/docker-compose […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-5551","post","type-post","status-publish","format-standard","hentry","category-devops"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/posts\/5551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/comments?post=5551"}],"version-history":[{"count":55,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/posts\/5551\/revisions"}],"predecessor-version":[{"id":6213,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/posts\/5551\/revisions\/6213"}],"wp:attachment":[{"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/media?parent=5551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/categories?post=5551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/tags?post=5551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}