Part 1 of 3: HumanGov: Ansible is the Answer! | Terraform | AWS Cloud9 | AWS IAM | AWS EC2 | AWS DynamoDB | AWS S3

1 of 10. Open Cloud9 and IAM

2 of 10. Create a new user on IAM with Admin privilege

Identity and Access Management (IAM) > Users > Create User 1. Specify user details User name: cloud9-user [Next] 2. Set permissions Attach policies directly AdministratorAccess [Next] 3. Review and Create [Create user]

3 of 10. Setup security credentials for the 'cloud9-user'

start at the user your just created

'cloud9-user' > Security credentials > Create access key 1. Access key best practices & alternatives Command Line Interface (CLI) Checkbox: I understand the above recommendation and want to proceed to create an access key. [NEXT] 2. Set description tag - optional [Create access key] 3. Retrieve access keys

4 of 10. Disable the temporary credentials on Cloud9

Settings > AWS Settings > Credentials > Turning Off the option “AWS managed temporary credentials”

Why are we doing this? because the temporary credentials that come with Cloud9 are not able to attach roles via AWS Cloud9

5 of 10. Configure the new IAM user credentials by running the `aws configure` command

Give the access key, secret access key, region, etc. when prompted. It goes without saying, you'll want to remove this permission at the end of this project, as it doesn't use 'least privilege' or anything.

aws configure

6 of 10. Destroy any existing terraform-deployed infrastructure.

This is just a check to confirm that Terraform runs without issues.

cd human-gov-infrastructure/terraform terraform show terraform validate terraform plan terraform apply terraform destroy -auto-approve

7 of 10. Modify modules/aws_humangov_infrastructure/main.tf

Make several modifications to the main.tf:
IAM role
IAM instance profile for DynamoDB
security groups

You can simply use the complete 'main.tf' [the bottom code window of this step.]

Add the IAM role code below after the last line of the file

resource "aws_iam_role" "s3_dynamodb_full_access_role" { name = "humangov-${var.state_name}-s3_dynamodb_full_access_role" assume_role_policy = <

Add the argument below to the EC2 instance resource in the file

This associates the iam profile with the EC2 instance

iam_instance_profile = aws_iam_instance_profile.s3_dynamodb_full_access_instance_profile.name

Update the security groups as below in the file

Note: This will replace the existing configuration.

ingress { from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 5000 to_port = 5000 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 0 to_port = 0 protocol = "-1" security_groups = ["<YOUR_CLOUD9_SECGROUP>"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] }

Here is code for the entire main.tf<

Note: this is referring to the main.tf inside the aws_humangov_infrastructure folder. If you did not do the prior series, this folder may be meaningless to you.

resource "aws_security_group" "state_ec2_sg" { name = "humangov-${var.state_name}-ec2-sg" description = "Allow traffic on ports 80 and 5000, permit Cloud9" ingress { from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 5000 to_port = 5000 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 0 to_port = 0 protocol = "-1" security_groups = ["sg-05b2e6f0305ae4271"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "humangov-${var.state_name}" } } resource "aws_instance" "state_ec2" { ami = "ami-007855ac798b5175e" instance_type = "t2.micro" key_name = "humangov-ec2-key" vpc_security_group_ids = [aws_security_group.state_ec2_sg.id] iam_instance_profile = aws_iam_instance_profile.s3_dynamodb_full_access_instance_profile.name tags = { Name = "humangov-${var.state_name}" } } resource "aws_dynamodb_table" "state_dynamodb" { name = "humangov-${var.state_name}-dynamodb" billing_mode = "PAY_PER_REQUEST" hash_key = "id" attribute { name = "id" type = "S" } tags = { Name = "humangov-${var.state_name}" } } resource "random_string" "bucket_suffix" { length = 7 special = false upper = false } resource "aws_s3_bucket" "state_s3" { bucket = "humangov-${var.state_name}-s3-${random_string.bucket_suffix.result}" tags = { Name = "humangov-${var.state_name}" } } resource "aws_s3_bucket_ownership_controls" "state_s3" { bucket = aws_s3_bucket.state_s3.id rule { object_ownership = "BucketOwnerPreferred" } } resource "aws_s3_bucket_acl" "state_s3" { depends_on = [aws_s3_bucket_ownership_controls.state_s3] bucket = aws_s3_bucket.state_s3.id acl = "private" } resource "aws_iam_role" "s3_dynamodb_full_access_role" { name = "humangov-${var.state_name}-s3_dynamodb_full_access_role" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" }, "Effect": "Allow", "Sid": "" } ] } EOF tags = { Name = "humangov-${var.state_name}" } } resource "aws_iam_role_policy_attachment" "s3_full_access_role_policy_attachment" { role = aws_iam_role.s3_dynamodb_full_access_role.name policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess" } resource "aws_iam_role_policy_attachment" "dynamodb_full_access_role_policy_attachment" { role = aws_iam_role.s3_dynamodb_full_access_role.name policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess" } resource "aws_iam_instance_profile" "s3_dynamodb_full_access_instance_profile" { name = "humangov-${var.state_name}-s3_dynamodb_full_access_instance_profile" role = aws_iam_role.s3_dynamodb_full_access_role.name tags = { Name = "humangov-${var.state_name}" } }

8 of 10. Create new SSH Key Pair

If you have followed the series I made on Ansible, you're familiar with creating a key pair via the CLI in Cloud 9. I find that method most convenient, actually, as I don't have to upload the key pair. Still, there may be cases where you will need to upload the key pair, so we'll cover the GUI option/manual steps here to follow the lab example.

EC2 Dashboard > Key Pairs Delete the humangov-ec2-key Create key pair Name: humangov-ec2-key Key pair type: RSA Private key file format: .pem [Create key pair] Cloud9 > tree > humangov (/home/ec2-user/environment) File > Upload Local Files select 'humangov-ec2-key.pem'

9 of 10. Provision the infrastructure on AWS using Terraform

terraform plan terraform apply

10 of 10. Commit the changes to the local Git repository

git status git add . git status git commit -m "Added IAM Role to Terraform module aws_humangov_infrastructure/main.tf"

References

Ansible Documentation

AWS Cloud9 Documentation

AWS CodeCommit tutorial for AWS Cloud9

AWS Identity and Access Management Documentation

IAM roles

Temporary Credentials

Amazon Elastic Compute Cloud Documentation

Security groups

Amazon DynamoDB Documentation

Use an EC2 key pair for SSH credentials

Amazon Virtual Private Cloud Documentation

Git - Reference

Documentation | Terraform | HashiCorp Developer

Command: apply | Terraform | HashiCorp Developer

Comments

Popular posts from this blog

Containing the Chaos! | A Three-Part Series Demonstrating the Usefulness of Containerization to HumanGov

Ansible is the Answer! | A Three-Part Series Demonstrating the Usefulness of Ansible to HumanGov