Containing the Chaos Part 2 of 3: Amazon DynamoDB | Amazon S3, Amazon Elastic Container Services (ECS) | AWS Fargate

This article is part of a three-part series:

Containing the Chaos Part 1 of 3: Docker | Amazon Elastic Container Registry (ECR)
In part 1, the application will be placed into a container image. The container image will then be stored in the Amazon Elastic Container Registtry (ECR).

Containing the Chaos Part 2 of 3: Amazon DynamoDB | Amazon Simple Storage Service (S3) | Amazon Elastic Container Services (ECS) | AWS Fargate | Terraform
In part 2, the DynamoDB table and Amazon S3 buckets will created using Terraform. Further the Amazon Elastic Container Services (EC2) cluster will be initiated on AWS Fargate.

Containing the Chaos Part 3 of 3: Amazon Elastic Container Service (EC2) | Amazon Elastic Load Balancing (ELB) | Terraform
In part 3 (the final part), the task definition will be created for the cluster. A service will be created to handle running the defined tasks. The application will then be tested. Finally, will decommission the resources.

For background on this series, go here:

Containing the Chaos! | A Three-Part Series Demonstrating the Usefulness of Containerization to HumanGov

1 of 5. Open AWS Cloud9

2 of 5. Disable temp credentials and create access key for Cloud9

Disable temporary credentials

Settings -/- AWS Settings -/-Credentials -/- Disable: "AWS managed temporary credentials"

Create new access key

IAM -/- users -/- cloud9-user -/- Security credentials -/- select existing access key -/- Actions:Delete [Create access key] Use case: Command Line interface (CLI) I understand ... [Next] [Create access key]

Cloud9: Create a new file: export.sh

Note: This file will be deleted before this article is published. Regardless, not neccessarily a recommended security practice to put credentials in plain text in files.

vi export.sh export AWS_ACCESS_KEY_ID="AKIAXKHBMWXLOFCZWPKK" export AWS_SECRET_ACCESS_KEY="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"

set environment variables

source export.sh

3 of 5. Edit the terrafoom files

Comment out any of the ec2 stuff in terraform/modules/aws_humangov_infrastructure/main.tf , terraform/modules/aws_humangov_infrastructure/output.tf and terraform/outputs.tf.

In addition, make sure that only one state is in the terraform/variables.tf

cd /home/ec2-user/environment/human-gov-infrastructure/terraform terraform show

terraform/modules/aws_humangov_infrastructure/main.tf

/* resource "aws_security_group" "state_ec2_sg" { name = "humangov-${var.state_name}-ec2-sg" description = "Allow traffic on ports 22 and 80" ingress { from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 5000 to_port = 5000 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 0 to_port = 0 protocol = "-1" security_groups = ["sg-027f57abd3fefda49"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "humangov-${var.state_name}" } } resource "aws_instance" "state_ec2" { ami = "ami-007855ac798b5175e" instance_type = "t2.micro" key_name = "humangov-ec2-key" vpc_security_group_ids = [aws_security_group.state_ec2_sg.id] iam_instance_profile = aws_iam_instance_profile.s3_dynamodb_full_access_instance_profile.name provisioner "local-exec" { command = "sleep 30; ssh-keyscan ${self.private_ip} >> ~/.ssh/known_hosts" } provisioner "local-exec" { command = "echo ${var.state_name} id=${self.id} ansible_host=${self.private_ip} ansible_user=ubuntu us_state=${var.state_name} aws_region=${var.region} aws_s3_bucket=${aws_s3_bucket.state_s3.bucket} aws_dynamodb_table=${aws_dynamodb_table.state_dynamodb.name} >> /etc/ansible/hosts" } provisioner "local-exec" { command = "sed -i '/${self.id}/d' /etc/ansible/hosts" when = destroy } tags = { Name = "humangov-${var.state_name}" } } */ resource "aws_dynamodb_table" "state_dynamodb" { name = "humangov-${var.state_name}-dynamodb" billing_mode = "PAY_PER_REQUEST" hash_key = "id" attribute { name = "id" type = "S" } tags = { Name = "humangov-${var.state_name}" } } resource "random_string" "bucket_suffix" { length = 4 special = false upper = false } resource "aws_s3_bucket" "state_s3" { bucket = "humangov-${var.state_name}-s3-${random_string.bucket_suffix.result}" tags = { Name = "humangov-${var.state_name}" } } /* resource "aws_iam_role" "s3_dynamodb_full_access_role" { name = "humangov-${var.state_name}-s3_dynamodb_full_access_role" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" }, "Effect": "Allow", "Sid": "" } ] } EOF tags = { Name = "humangov-${var.state_name}" } } resource "aws_iam_role_policy_attachment" "s3_full_access_role_policy_attachment" { role = aws_iam_role.s3_dynamodb_full_access_role.name policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess" } resource "aws_iam_role_policy_attachment" "dynamodb_full_access_role_policy_attachment" { role = aws_iam_role.s3_dynamodb_full_access_role.name policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess" } resource "aws_iam_instance_profile" "s3_dynamodb_full_access_instance_profile" { name = "humangov-${var.state_name}-s3_dynamodb_full_access_instance_profile" role = aws_iam_role.s3_dynamodb_full_access_role.name tags = { Name = "humangov-${var.state_name}" } } */

terraform/modules/aws_humangov_infrastructure/output.tf

/* output "state_ec2_public_dns" { value = aws_instance.state_ec2.public_dns } */ output "state_dynamodb_table" { value = aws_dynamodb_table.state_dynamodb.name } output "state_s3_bucket" { value = aws_s3_bucket.state_s3.bucket }

terraform/outputs.tf

output "state_infrastructure_outputs" { value = { for state, infrastructure in module.aws_humangov_infrastructure : state => { #ec2_public_dns = infrastructure.state_ec2_public_dns dynamodb_table = infrastructure.state_dynamodb_table s3_bucket = infrastructure.state_s3_bucket } } }

terraform/variables.tf

variable "states" { description = "A list of state names" default = ["california"] }

4 of 5. Create the DB and S3 using Terraform

Note the resource names of the table and S3 bucket. Will need it for the next article.

terraform plan terraform apply

5 of 5. Create the cluster on Fargate

Amazon Elastic Container Service -/- Create cluster Cluster name: humangov-cluster Infrastructure: AWS Fargate (serverless) [Create]

References

Amazon ECS on AWS Fargate

Amazon Elastic Container Registry Documentation

Amazon Elastic Container Service Documentation

Amazon Elastic Compute Cloud Documentation

Amazon DynamoDB Documentation

Amazon Simple Storage Service Documentation

AWS Cloud9 Documentation

Elastic Load Balancing Documentation

AWS Identity and Access Management Documentation

Docker Docs

Documentation | Terraform | HashiCorp Developer

Python 3.12.1 documentation

nginx documentation

Lewis Lampkin, III - Blog

Lewis Lampkin, III - LinkedIn

Lewis Lampkin, III - Medium

Comments

Post a Comment

Popular posts from this blog

"This site uses cookies from Google to deliver its services and analyze traffic. Your IP address and user-agent are shared with Google along with performance and security metrics to ensure quality of service, generate usage statistics, and to detect and address abuse."
Read more

Orphaned No More: Adopting AWS Lambda

Image
Background HumanGov is a Model Automated Multi-Tenant Architecture (MAMA) that is meant to be used by the 50 states for personnel tracking. Currently the architecture is fully automated on AWS. The architecture is not ready for go-live. All actions so far are for a proof-of-concept that is presented to the Chief Technical Officer (CTO) for review. During the weekly team meeting, Ko (User Experience Lead) reports that his team has performed thousands of tests against the infrastructure, with moves, adds, and changes, and is not finding any issues in the application user interface. Woo (Infrastructure Lead) reports that there are hundreds of 'orphaned' files in the S3 bucket. (These files are considered 'orphaned' because they do not have corresponding records in the DynamoDB table.) Kim (Tech Lead) reports that there is not a trigger to delete the file from the bucket when a user is deleted from the DynamoDB database. Brady (Lawyer) reports that not deleting t
Read more

Containing the Chaos! | A Three-Part Series Demonstrating the Usefulness of Containerization to HumanGov

Background HumanGov is a Model Automated Multi-Tenant Architecture (MAMA) that is meant to be used by the 50 states for personnel tracking. Currently the architecture requires Amazon Elastic Compute Cloud (EC2) instances that are maintained by the HumanGov systems administrators. The systems administrators handle all the patching, operations, etc. Due to states wanting their data separate from each other, each state gets a separate set of EC2 instances, which means that as the application scales from one state up to 50 states, the systems administrators will have to patch 50x as many EC2 instances. The system administrators report that they have begun to schedule more and more overtime to handle the maintenance windows for updating the EC2 instances. The lead developer remarked that it was taking longer and longer for new application deployments to get rolled out as the infrastructure grew and more states came on board. By the way, the development environment does not have standa
Read more