{"id":5978,"date":"2020-02-29T20:47:12","date_gmt":"2020-03-01T01:47:12","guid":{"rendered":"\/db-blog\/?p=5978"},"modified":"2020-03-12T10:30:24","modified_gmt":"2020-03-12T14:30:24","slug":"aws-terraform-provision-an-ec2-instance-using-infrastructure-as-code","status":"publish","type":"post","link":"https:\/\/droidbasement.com\/db-blog\/aws-terraform-provision-an-ec2-instance-using-infrastructure-as-code\/","title":{"rendered":"AWS\/Terraform \u2013 Provision an EC2 instance using Infrastructure as Code"},"content":{"rendered":"\n

Note: Some of this is a duplicate of the AWS Lightsail<\/a> article, modified for EC2, a recent Terraform 0.12.x version and accommodates the previous Lightsail implementation. If you would like to use Lightsail, please follow the IAM specific instructions in that article.<\/em><\/p>\n\n\n\n

EC2<\/a> is the compute service in AWS. It is flexible, adaptable, scalable and is able to run Virtual Machine workloads to fit most every need.<\/p>\n\n\n\n

In this article we will use Terraform<\/a> (Infrastructure as Code) to swiftly bring up an AWS EC2 instance in us-east-1 on a static IP (Elastic IP), in a new VPC with an Internet Gateway, add a DNS Zone (Route 53) for the site in mention and install docker\/docker-compose on it.<\/p>\n\n\n\n

We will use ‘myweb’ as an example in this article, using the same base path of ‘dev’ that was previously created<\/a>, the container-admin group<\/a> (some of the IAM policy implemented there will be in use here) and using ~\/.local\/bin for the binary.<\/p>\n\n\n\n

Please use ‘<\/a>AWS Free Tie<\/a>r<\/a>‘<\/a> prior to commencing with this article.<\/p>\n\n\n\n

<\/p>\n\n\n\n

–>
Go in to the dev directory\/link located within your home directory:<\/p>\n\n\n\n

$ cd ~\/dev<\/pre>\n\n\n\n
Grab Terraform:<\/p>\n\n\n\n
$ wget https:\/\/releases.hashicorp.com\/terraform\/0.12.21\/terraform_0.12.21_linux_amd64.zip<\/pre>\n\n\n\n
Install Unzip if you do not have it installed:<\/p>\n\n\n\n
$ sudo apt update && sudo apt -y install unzip<\/pre>\n\n\n\n
Unzip it to ~\/.local\/bin and set permissions accordingly on it (type y and hit enter to replace if upgrading, at the prompt):<\/p>\n\n\n\n
$ unzip terraform_0.12.21_linux_amd64.zip -d ~\/.local\/bin && chmod 754 ~\/.local\/bin\/terraform<\/pre>\n\n\n\n
Create a work folder and change in to it:<\/p>\n\n\n\n
$ mkdir -p terraform\/aws\/myweb\/scripts && cd terraform\/aws\/myweb<\/pre>\n\n\n\n
Add an IAM Policy to the container-admin group so it will have access to EC2 and related (EIP\/VPC\/Routes\/IGW\/Route 53\/SG\/KeyPair):
AWS UI Console -> Services -> Security, Identity, & Compliance -> IAM -> Policies -> Create Policy -> JSON (replace <AWS ACCOUNT ID> in the Resource arn with your Account\u2019s ID (shown under the top right drop-down (of your name) within the My Account page next to the Account Id: under Account Settings)):<\/p>\n\n\n\n
 {\n     \"Version\": \"2012-10-17\",\n     \"Statement\": [\n         {\n             \"Effect\": \"Allow\",\n             \"Action\": [\n                 \"ec2:TerminateInstances\",\n                 \"route53:GetChange\",\n                 \"route53:GetHostedZone\",\n                 \"route53:ChangeTagsForResource\",\n                 \"route53:DeleteHostedZone\",\n                 \"route53:ListTagsForResource\" \n             ],\n             \"Resource\": [\n                \"arn:aws:ec2:*:<AWS ACCOUNT ID>:instance\/*\",\n                \"arn:aws:route53:::hostedzone\/*\",\n                \"arn:aws:route53:::change\/*\"\n             ]      <\/em>\n         },\n         {\n             \"Effect\": \"Allow\",\n             \"Action\": [\n                 \"ec2:DisassociateAddress\",\n                 \"ec2:DeleteSubnet\",\n                 \"ec2:DescribeAddresses\",\n                 \"ec2:DescribeInstances\",\n                 \"ec2:DescribeInstanceAttribute\",\n                 \"ec2:CreateVpc\",\n                 \"ec2:AttachInternetGateway\",\n                 \"ec2:DescribeVpcAttribute\",\n                 \"ec2:AssociateRouteTable\",\n                 \"ec2:DescribeInternetGateways\",\n                 \"ec2:DescribeNetworkInterfaces\",\n                 \"ec2:CreateInternetGateway\",\n                 \"ec2:CreateSecurityGroup\",\n                 \"ec2:DescribeVolumes\",\n                 \"ec2:DescribeAccountAttributes\",\n                 \"ec2:ModifyVpcAttribute\",\n                 \"ec2:DescribeKeyPairs\",\n                 \"ec2:DescribeNetworkAcls\",\n                 \"ec2:DescribeRouteTables\",\n                 \"ec2:ReleaseAddress\",\n                 \"ec2:ImportKeyPair\",\n                 \"ec2:DescribeTags\",\n                 \"ec2:DescribeVpcClassicLinkDnsSupport\",\n                 \"ec2:CreateRouteTable\",\n                 \"ec2:DetachInternetGateway\",\n                 \"ec2:DisassociateRouteTable\",\n                 \"ec2:AllocateAddress\",\n                 \"ec2:DescribeInstanceCreditSpecifications\",\n                 \"ec2:DescribeSecurityGroups\",\n                 \"ec2:DescribeVpcClassicLink\",\n                 \"ec2:DescribeImages\",\n                 \"ec2:DescribeVpcs\",\n                 \"ec2:DeleteVpc\",\n                 \"ec2:AssociateAddress\",\n                 \"ec2:CreateSubnet\",\n                 \"ec2:DescribeSubnets\",\n                 \"ec2:DeleteKeyPair\",\n                 \"route53:CreateHostedZone\",\n                 \"sts:GetCallerIdentity\"\n             ],\n             \"Resource\": \"*\"\n         }\n     ]\n }<\/pre>\n\n\n\n
Review Policy -><\/p>\n\n\n\n
Name: AllowEC2
Description: Allow access to EC2 and related.<\/p>\n\n\n\n
Create Policy.<\/p>\n\n\n\n
Groups -> container-admin -> Attach Policy -> Search for AllowEC2 -> Attach Policy.<\/p>\n\n\n\n
<\/p>\n\n\n\n
–>
Note: If you are not using Lightsail then you can disregard this section.<\/p>\n\n\n\n
Edit the IAM Policy “AllowLightsail” to add an allowance to GetKeyPair in Lightsail:
AWS UI Console -> Services -> Security, Identity, & Compliance -> IAM -> Policies -> AllowLightsail -> Edit Policy -> JSON -> <\/p>\n\n\n\n
Append lightsail:GetKeyPair after lightsail:DeleteKeyPair and before lightsail:GetInstance.<\/p>\n\n\n\n
It will look like this:<\/p>\n\n\n\n
                  \"lightsail:DeleteKeyPair\",\n                  \"lightsail:GetKeyPair\",\n                  \"lightsail:GetInstance\",<\/pre>\n\n\n\n
Review Policy -> Save Changes
<–<\/p>\n\n\n\n
<\/p>\n\n\n\n
Generate an SSH Key Pair (no password) and restrict permissions on it:<\/p>\n\n\n\n
$ ssh-keygen -q -t rsa -b 2048 -N '' -f ~\/.ssh\/myweb && chmod 400 ~\/.ssh\/myweb<\/pre>\n\n\n\n
Pin the Terraform version to greater then or equal to 0.12:<\/p>\n\n\n\n
$ cat << 'EOF' > versions.tf\n> terraform {\n>   required_version = \">= 0.12\"\n> }\n> EOF<\/pre>\n\n\n\n
Set the version to greater then or equal to 2.0 for the AWS provider, interpolate the region and use the AWS CLI credentials file:<\/p>\n\n\n\n
$ cat << 'EOF' > provider.tf\n> provider \"aws\" {\n>   version                 = \">= 2.0\"\n>\n>   region                  = var.region\n>   shared_credentials_file = \"~\/.aws\/credentials\"\n>   profile                 = \"default\"\n> }\n> EOF<\/pre>\n\n\n\n
Set the default region as a variable, set prefix of myweb and set lightsail by default to true:<\/p>\n\n\n\n
$ cat << 'EOF' > vars.tf\n> variable \"region\" {\n>   default = \"us-east-1\"\n> }\n>\n> variable \"prefix\" {\n>   default = \"myweb\"\n> }\n>\n> variable \"lightsail\" {\n>   default = true\n> }\n> EOF<\/pre>\n\n\n\n
While we are here, let us create a new Lightsail script\/code (if you have completed the previous AWS\/Terraform against Lightsail article, then please overwrite).  This will execute if no override (‘lightsail = false’) is passed.  This also adds our public key as authorized (as oppose to uploading it manually as in the previous article):<\/p>\n\n\n\n
$ cat << 'EOF' > lightsail.tf\n> # Create a DNS Zone\n> resource \"aws_lightsail_domain\" \"myweb\" {\n>   count       = var.lightsail ? 1 : 0\n>   domain_name = \"${var.prefix}.com\"\n> }\n>\n> # Allocate a Static (Public) IP\n> resource \"aws_lightsail_static_ip\" \"myweb\" {\n>   count = var.lightsail ? 1 : 0\n>   name  = \"static-ip_${var.prefix}\"\n> }\n>\n> # Add Public Key as authorized\n> resource \"aws_lightsail_key_pair\" \"myweb\" {\n>   count      = var.lightsail ? 1 : 0\n>   name       = var.prefix\n>   public_key = file(\"~\/.ssh\/${var.prefix}.pub\")\n> }\n>\n> # Create an Ubuntu Virtual Machine with key based access and run a script on boot\n> resource \"aws_lightsail_instance\" \"myweb\" {\n>   count             = var.lightsail ? 1 : 0\n>   name              = \"site_${var.prefix}\"\n>   availability_zone = \"${var.region}a\"\n>   blueprint_id      = \"ubuntu_18_04\"\n>   bundle_id         = \"micro_2_0\"\n>   key_pair_name     = var.prefix\n>   user_data         = file(\"scripts\/install.sh\")\n>\n>   tags = {\n>         Site = \"${var.prefix}.com\"\n>     }\n> }\n>\n> # Attach the Static (Public) IP\n> resource \"aws_lightsail_static_ip_attachment\" \"myweb\" {\n>   count          = var.lightsail ? 1 : 0\n>   static_ip_name = element(aws_lightsail_static_ip.myweb[*].name, 0)\n>   instance_name  = element(aws_lightsail_instance.myweb[*].name, 0)\n> }\n> EOF<\/pre>\n\n\n\n
Note: The below adds a conditional to accommodate the previous implementation against Lightsail.  It will get executed when ‘lightsail = false’ is passed.<\/p>\n\n\n\n
The following is performed with this script\/code:<\/p>\n\n\n\n