Part 1 of 3: HumanGov: Ansible is the Answer! | Terraform | AWS Cloud9 | AWS IAM | AWS EC2 | AWS DynamoDB | AWS S3

1 of 10. Open Cloud9 and IAM

2 of 10. Create a new user on IAM with Admin privilege

Identity and Access Management (IAM) > Users > Create User

1. Specify user details
   User name: cloud9-user
   [Next]
2. Set permissions
   Attach policies directly: AdministratorAccess
   [Next]
3. Review and create
   [Create user]

3 of 10. Set up security credentials for the 'cloud9-user'

Start at the user you just created.

'cloud9-user' > Security credentials > Create access key

1. Access key best practices & alternatives
   Select: Command Line Interface (CLI)
   Checkbox: I understand the above recommendation and want to proceed to create an access key.
   [Next]
2. Set description tag - optional
   [Create access key]
3. Retrieve access keys

4 of 10. Disable the temporary credentials on Cloud9

Settings > AWS Settings > Credentials > turn off the option "AWS managed temporary credentials"

Why are we doing this? Because the AWS managed temporary credentials that come with Cloud9 are not permitted to create or attach IAM roles, which the Terraform changes in this part require.

5 of 10. Configure the new IAM user credentials by running the `aws configure` command

Enter the access key, secret access key, default region, etc. when prompted. It goes without saying that you'll want to remove this user's AdministratorAccess at the end of the project, since it is nowhere near least privilege.

aws configure

6 of 10. Destroy any existing terraform-deployed infrastructure.

This also serves as a check that Terraform runs without issues before the changes below are made.

```bash
cd human-gov-infrastructure/terraform
terraform show
terraform validate
terraform plan
terraform apply
terraform destroy -auto-approve
```

7 of 10. Modify modules/aws_humangov_infrastructure/main.tf

Make several modifications to the main.tf:
- IAM role
- IAM instance profile (for S3 and DynamoDB access)
- security groups

Alternatively, you can simply replace the whole file with the complete 'main.tf' shown at the bottom of this step.

Add the IAM role, policy attachment and instance profile code below after the last line of the file (this is the same block that ends the complete main.tf further down).

```hcl
resource "aws_iam_role" "s3_dynamodb_full_access_role" {
  name = "humangov-${var.state_name}-s3_dynamodb_full_access_role"

  # Trust policy: only EC2 may assume this role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = {
    Name = "humangov-${var.state_name}"
  }
}

resource "aws_iam_role_policy_attachment" "s3_full_access_role_policy_attachment" {
  role       = aws_iam_role.s3_dynamodb_full_access_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

resource "aws_iam_role_policy_attachment" "dynamodb_full_access_role_policy_attachment" {
  role       = aws_iam_role.s3_dynamodb_full_access_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
}

resource "aws_iam_instance_profile" "s3_dynamodb_full_access_instance_profile" {
  name = "humangov-${var.state_name}-s3_dynamodb_full_access_instance_profile"
  role = aws_iam_role.s3_dynamodb_full_access_role.name

  tags = {
    Name = "humangov-${var.state_name}"
  }
}
```

Add the argument below to the EC2 instance resource in the file.

This associates the IAM instance profile (and therefore the role) with the EC2 instance.

iam_instance_profile = aws_iam_instance_profile.s3_dynamodb_full_access_instance_profile.name

Update the security group rules as below in the file.

Note: this replaces the existing ingress and egress blocks. Replace <YOUR_CLOUD9_SECGROUP> with the ID of your Cloud9 environment's security group.

```hcl
ingress {
  from_port   = 80
  to_port     = 80
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}

ingress {
  from_port   = 5000
  to_port     = 5000
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}

ingress {
  from_port       = 0
  to_port         = 0
  protocol        = "-1"
  security_groups = ["<YOUR_CLOUD9_SECGROUP>"]
}

egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}
```

Here is the code for the entire main.tf.

Note: this is referring to the main.tf inside the aws_humangov_infrastructure folder. If you did not do the prior series, this folder may be meaningless to you.

```hcl
resource "aws_security_group" "state_ec2_sg" {
  name        = "humangov-${var.state_name}-ec2-sg"
  description = "Allow traffic on ports 80 and 5000, permit Cloud9"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 5000
    to_port     = 5000
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    security_groups = ["sg-05b2e6f0305ae4271"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "humangov-${var.state_name}"
  }
}

resource "aws_instance" "state_ec2" {
  ami                    = "ami-007855ac798b5175e"
  instance_type          = "t2.micro"
  key_name               = "humangov-ec2-key"
  vpc_security_group_ids = [aws_security_group.state_ec2_sg.id]
  iam_instance_profile   = aws_iam_instance_profile.s3_dynamodb_full_access_instance_profile.name

  tags = {
    Name = "humangov-${var.state_name}"
  }
}

resource "aws_dynamodb_table" "state_dynamodb" {
  name         = "humangov-${var.state_name}-dynamodb"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }

  tags = {
    Name = "humangov-${var.state_name}"
  }
}

resource "random_string" "bucket_suffix" {
  length  = 7
  special = false
  upper   = false
}

resource "aws_s3_bucket" "state_s3" {
  bucket = "humangov-${var.state_name}-s3-${random_string.bucket_suffix.result}"

  tags = {
    Name = "humangov-${var.state_name}"
  }
}

resource "aws_s3_bucket_ownership_controls" "state_s3" {
  bucket = aws_s3_bucket.state_s3.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "state_s3" {
  depends_on = [aws_s3_bucket_ownership_controls.state_s3]

  bucket = aws_s3_bucket.state_s3.id
  acl    = "private"
}

resource "aws_iam_role" "s3_dynamodb_full_access_role" {
  name = "humangov-${var.state_name}-s3_dynamodb_full_access_role"

  # Trust policy: only EC2 may assume this role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = {
    Name = "humangov-${var.state_name}"
  }
}

resource "aws_iam_role_policy_attachment" "s3_full_access_role_policy_attachment" {
  role       = aws_iam_role.s3_dynamodb_full_access_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

resource "aws_iam_role_policy_attachment" "dynamodb_full_access_role_policy_attachment" {
  role       = aws_iam_role.s3_dynamodb_full_access_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
}

resource "aws_iam_instance_profile" "s3_dynamodb_full_access_instance_profile" {
  name = "humangov-${var.state_name}-s3_dynamodb_full_access_instance_profile"
  role = aws_iam_role.s3_dynamodb_full_access_role.name

  tags = {
    Name = "humangov-${var.state_name}"
  }
}
```
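The role above carries the AWS managed AmazonS3FullAccess and AmazonDynamoDBFullAccess policies, which grant the EC2 instance access to every bucket and table in the account. The block below is an added example (not part of the original lab or module) showing how the same role can instead be scoped to just the bucket and table this module creates, using an inline aws_iam_role_policy and the resource ARNs Terraform already knows. The resource names and the `state_name` variable are taken from the main.tf above; the policy name and statement IDs are my own choices.

```hcl
# Added example: a least-privilege inline policy for the EC2 role.
# Use this in place of the two aws_iam_role_policy_attachment resources
# (AmazonS3FullAccess / AmazonDynamoDBFullAccess); the role, bucket and
# table references are the ones defined in main.tf above.
resource "aws_iam_role_policy" "s3_dynamodb_scoped" {
  name = "humangov-${var.state_name}-s3-dynamodb-scoped" # assumed name
  role = aws_iam_role.s3_dynamodb_full_access_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Listing needs the bucket ARN itself, not the object ARN pattern
        Sid      = "ListStateBucket"
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = aws_s3_bucket.state_s3.arn
      },
      {
        # Object operations are scoped to keys inside this bucket only
        Sid      = "ReadWriteStateObjects"
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
        Resource = "${aws_s3_bucket.state_s3.arn}/*"
      },
      {
        # Item-level access to the single table created by this module
        Sid    = "ReadWriteStateTable"
        Effect = "Allow"
        Action = [
          "dynamodb:GetItem",
          "dynamodb:PutItem",
          "dynamodb:UpdateItem",
          "dynamodb:DeleteItem",
          "dynamodb:Query",
          "dynamodb:Scan",
        ]
        Resource = aws_dynamodb_table.state_dynamodb.arn
      },
    ]
  })
}
```

Because the policy is built with jsonencode from resource attributes, the ARNs follow the random bucket suffix automatically and `terraform validate` catches a typo in a reference before anything is deployed. If the application later needs another action (for example s3:ListAllMyBuckets or a DynamoDB index query), add it to the relevant statement rather than falling back to the managed FullAccess policies.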

8 of 10. Create new SSH Key Pair

If you have followed the series I made on Ansible, you're familiar with creating a key pair via the CLI in Cloud9. I find that method most convenient, actually, as I don't have to upload the key pair. Still, there may be cases where you will need to upload the key pair, so we'll cover the GUI option/manual steps here to follow the lab example.

EC2 Dashboard > Key Pairs
Delete the existing humangov-ec2-key
Create key pair
  Name: humangov-ec2-key
  Key pair type: RSA
  Private key file format: .pem
  [Create key pair]

Cloud9 > tree > humangov (/home/ec2-user/environment)
File > Upload Local Files, then select 'humangov-ec2-key.pem'

9 of 10. Provision the infrastructure on AWS using Terraform

```bash
terraform plan
terraform apply
```

10 of 10. Commit the changes to the local Git repository

```bash
git status
git add .
git status
git commit -m "Added IAM Role to Terraform module aws_humangov_infrastructure/main.tf"
```
