Infrastructure as Code and Secrets Management – Lesson 2

Lesson 2 Overview

In this lesson, we will set up a Linux machine in AWS EC2 that will work as our provisioning host. On that machine, we will download the Terraform scripts from GitHub and build our AWS infrastructure.
As a best practice, do not use the AWS account root user for any task where it’s not required. Instead, create a new IAM user for each person that requires administrator access. Then make those users administrators by placing the users into an “Administrators” group to which you attach the AdministratorAccess managed policy.

Lesson

  1. If you don’t already have a non-root administrator AWS IAM user, create one and log in as that user (not root)
  2. Create EC2 Admin Role to be used by our EC2 developer desktop

    NOTE: if two users are using the same AWS account, only one user needs to complete this step
    • IAM > Roles > Create Role
    • Click Link – Select the service that will use this role – “EC2”
    • Click Link – Select your use case – “EC2” (top choice)
    • Push Button – Next: Permissions
    • Check Box – AdministratorAccess
    • Push Button – Next Review
    • Set – Role name – “EC2Admin”
    • Push Button – Create Role
  3. Deploy AWS Linux AMI to EC2
    • AWS Console > EC2 > Instances
    • Select Region > **Ohio** (the lab is built for **us-east-2**)
    • Push Button – Launch Instances
    • Select Tab – Quick Start
    • Push Button – Select (next to the image called: Amazon Linux 2)
    • Check Box – t2.micro
    • Push Button – Next: Configure Instance Details
    • IAM Role – Select – “EC2Admin” role we just created
    • Push Button – Next: Add Storage
    • Push Button – Next: Add Tags
    • Push Button – Add Tag
    • Key: `Name`, Value: `provisioner`
    • **NOTE** if multiple users are using the same AWS account, use a name like <your_initials>_provisioner
    • Push Button – Review and Launch
    • Push Button – Launch
    • Keypair – Create a new key pair (or Choose an existing if you already have one)
    • Key pair name – give the new key a name ex: “iaclab_key”
    • Push Button – Download Key Pair and save the file to your Downloads directory
    • Push Button – Launch Instance
    • Push Button – View Instance
    • Copy public_ipv4 address to clipboard
  4. Wait a few minutes, then connect to AWS EC2 public IP instance with ssh
    • For Windows users with PuTTY, check out Connecting to Linux from Windows Using PuTTY
    • For Mac or Linux users with OpenSSH (substitute the path of the .pem file you downloaded below):

      chmod 600 ~/Downloads/iaclab_key.pem
      ssh -i ~/Downloads/iaclab_key.pem ec2-user@<public_ipv4>
  5. Set the shell prompt for this host
    • When working with a lot of Linux hosts via ssh, it is easy to get disoriented. In Lesson 4, when we are destroying infrastructure, it will be helpful to be able to confirm exactly where you are working.

      echo 'export PS1="[\u@\h (PROVISION) \W]\$ "' >> ~/.bashrc
      . ~/.bashrc
  6. Test AWS cli connectivity.
    • Once you are logged into the EC2 provisioning host, run the following command to verify that we have the admin privileges in AWS we requested. This should list any S3 buckets you have without error.

      aws s3 ls
    • If your AWS IAM role is configured incorrectly, you will get an error indicating “Unable to locate credentials.”
  7. Install git and clone the project repository
    sudo yum -y install git
    git clone http://github.com/cloudshiftstrategies/iac_lab
  8. Install terraform binary
    wget https://releases.hashicorp.com/terraform/0.11.8/terraform_0.11.8_linux_amd64.zip
    sudo unzip -j terraform*.zip -d /usr/local/bin
  9. Test that it works. It should report the version number (0.11.8)
    terraform --version
  10. Install the required python libraries
    • One of the scripts we use to set up our S3 buckets is written in Python and needs a few Python libraries (pyhcl for parsing HCL and boto3 for connecting to the AWS API)

      sudo yum -y install python-pip
      sudo pip install -r ./iac_lab/terraform/scripts/requirements.txt
      sudo pip install aws-shell --upgrade --ignore-installed six
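
The two IAM-related steps above (creating the EC2Admin role in step 2 and checking AWS CLI connectivity in step 6) can also be scripted. The following is an added example written for this lesson, not a script from the iac_lab repository. It assumes the AWS CLI is installed, that `ROLE_NAME` matches the role you created in step 2, that `create_provisioner_role` is run from your non-root administrator IAM user (it performs the same console clicks via `aws iam`), and that `verify_provisioner` is run on the EC2 provisioning host. The verification goes one step beyond `aws s3 ls`: that command only proves that some credentials work, whereas `aws sts get-caller-identity` shows which identity the host is actually using, so you can confirm it is the EC2Admin instance role rather than leftover access keys in `~/.aws/credentials`.

```shell
#!/bin/sh
# Added example for this lab (not part of the iac_lab repository):
#  - create_provisioner_role: step 2 (EC2Admin role) done with the AWS CLI
#  - verify_provisioner:      step 6, but checking WHICH identity is in use
# Assumptions: ROLE_NAME matches the role created in step 2; the create
# function runs from an admin IAM user, the verify function on the EC2 host.

ROLE_NAME="${ROLE_NAME:-EC2Admin}"
ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Trust policy: only the EC2 service may assume this role. This is what the
# console generates for "Select the service that will use this role - EC2".
ec2_trust_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Step 2 from the CLI: the role, the managed policy, and the instance profile
# that the launch wizard attaches behind the "IAM Role" drop-down.
create_provisioner_role() {
    aws iam create-role \
        --role-name "$ROLE_NAME" \
        --assume-role-policy-document "$(ec2_trust_policy)" &&
    aws iam attach-role-policy \
        --role-name "$ROLE_NAME" \
        --policy-arn "$ADMIN_POLICY_ARN" &&
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" &&
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# Extract the role name from an STS caller-identity JSON document. An instance
# role appears as arn:aws:sts::<account>:assumed-role/<role>/<instance-id>;
# an IAM user ARN (arn:aws:iam::<account>:user/<name>) yields nothing.
role_from_identity() {
    printf '%s\n' "$1" | sed -n 's/.*:assumed-role\/\([^/"]*\)\/.*/\1/p' | head -n 1
}

# Succeeds (exit 0) only when the identity document shows the expected role.
check_role() {
    [ "$(role_from_identity "$1")" = "$ROLE_NAME" ]
}

# Step 6, stricter: confirm the host is acting as the instance role.
verify_provisioner() {
    if ! command -v aws >/dev/null 2>&1; then
        echo "aws CLI not found" >&2
        return 2
    fi
    identity=$(aws sts get-caller-identity --output json 2>&1) || {
        # The usual failure here is "Unable to locate credentials" (no role attached)
        echo "$identity" >&2
        return 1
    }
    if check_role "$identity"; then
        echo "OK: running as instance role $ROLE_NAME"
    else
        echo "WARNING: credentials in use are not the $ROLE_NAME instance role:" >&2
        echo "$identity" >&2
        return 1
    fi
}
```

Usage: on your workstation, source the file and run `create_provisioner_role`; on the provisioning host, source it and run `verify_provisioner`. A non-zero exit from the verify step means the host either has no credentials at all or is using something other than the role you expected, which is worth knowing before Terraform starts creating resources under that identity.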

Lesson 2 Summary

In this lesson, we completed the following tasks:
  1. Created an admin user in the AWS console (never work as root)
  2. Created an IAM role for an EC2 instance
  3. Provisioned a Linux provisioning instance in EC2
  4. Connected to that instance via ssh
  5. Changed the shell prompt to identify the host
  6. Validated AWS CLI & API connectivity using the role
  7. Cloned our project code from http://github.com/cloudshiftstrategies/iac_lab
  8. Downloaded and installed the Terraform binary
  9. Installed the Python libraries required by some of the scripts
In Lesson 3 we’ll configure the AWS infrastructure to host the application.