Infrastructure as Code and Secrets Management – Lesson 3

Lesson 3 Overview

In this lesson we’ll build all of the infrastructure depicted here, including the network and security layer.

Lesson 3

  1. Review/update the Terraform script variables
    1. WARNING! If two or more people are using the same AWS account for this lab, you MUST:
      1. Change the `stageName` variable in variables.tf to a unique 3-character string (e.g. your initials).
      2. Change the `vpcCidr` variable in variables.tf to a CIDR that is unique to each lab user (e.g. 10.x.0.0).
    2. NOTE: this lab will work in any region if you change the `region` variable, as long as you also update the `webAmi` and `vaultAmi` variables in variables.tf to the Amazon Linux 2 AMI ID (the name starting with ami-) for that region.
    3. To update the variables using nano (for NON-UNIX geeks), run the following. To save in nano: [CTRL-X] [Y] [ENTER]
      1. nano ~/iac_lab/terraform/variables.tf
  2. Create an s3 bucket required to store terraform state
    1. This script reads the s3state.tf file, then checks to see if the bucket name is available in AWS. If it is not, it randomly creates a new bucket suffix and tries to create that bucket.
    2. cd ~/iac_lab/terraform/scripts
    3. ./create_s3bucket.py
  3. Create a private ssh key file in the ~/iac_lab/terraform/ssh directory
    1. We need to give AWS ssh public keys to install on the linux instances provisioned so that we can access them. So create a new key (stored in ~/iac_lab/terraform/ssh/id_rsa.pub)
    2. cd ~/iac_lab/terraform/scripts
    3. ./create_sshkey.sh
  4. Run terraform init
    1. The `terraform init` process does basic syntax checking of our *.tf files, downloads any required modules (like AWS) and sets up our tfstate file in the s3 bucket
    2. cd ~/iac_lab/terraform
    3. terraform init
  5. Run terraform plan
    1. Terraform plan compares the infrastructure defined in your *.tf files to what’s actually running in your provider (AWS in this case). When complete, `terraform plan` will output a summary of the resources that would be built on `terraform apply`.
    2. *Note*: Setting the following ENV variable sets the root password for the database. In the real world, you would use something very secure.
    3. export TF_VAR_dbRootPass=myDbPassword
    4. terraform plan
  6. Run terraform apply
    1. This is the big mother. `terraform apply` will ask you to provide a database password again and will also ask you to confirm with a “yes” that you actually intend to build/destroy/modify the resources.
    2. *Note*: the following command will build 74+ AWS resources including VPCs, database clusters, autoscaling groups and load balancers. It usually takes about 10 minutes to complete.
    3. terraform apply -auto-approve
    4. While the resources are building, take a look at the scripts on https://github.com/cloudshiftstrategies/iac_lab/tree/master/terraform
  7. Check out our web application
    1. When the build is complete, and the web servers are online, you should be able to browse to the Load Balancer’s public DNS name and check out our web page. To get the load balancer’s DNS name, from the provisioning host run the following
    2. cd ~/iac_lab/terraform
    3. terraform output LOADBALANCER_DNS
    4. Or, from the AWS console navigate to the following
    5. AWS Console > EC2 > Load Balancers > select your ALB > Public DNS
    6. The code that built this web page is located in ~/iac_lab/iacapp. The web servers check the code out from github when they are built. These web servers are intended to be one-time-use servers. When you want to release new code, just terminate the instance and let the autoscaling group provision a new one.
    7. When looking at the web page, notice that the VAULT tab and DATABASE tab aren’t connecting to the database; we’ll fix that in the next lesson.
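The following is an added example for steps 1, 2, 3 and 5 above; it is not the lab's own variables.tf or s3state.tf. It shows how the variables the WARNING tells you to edit can carry validation blocks that reject the two collision mistakes before `terraform plan` runs, how the password supplied through TF_VAR_dbRootPass can be declared as sensitive, an S3 backend that encrypts the state file, and the key pair resource that hands ssh/id_rsa.pub to AWS. The variable names, the TF_VAR_dbRootPass mechanism and the ssh/id_rsa.pub path come from the lab; the defaults, validation rules, bucket, key and table names, and the resource name `aws_key_pair.lab` are assumptions.

```hcl
# Added example, not the lab's own files. Variable names come from the lab;
# defaults, validation rules, bucket/table/key names and resource names are
# assumptions. In the lab these declarations are split across variables.tf
# and s3state.tf; a single .tf file is shown here for readability.

variable "stageName" {
  description = "Per-user prefix (e.g. your initials) so two lab users in one AWS account do not collide on resource names"
  type        = string
  default     = "abc" # assumption: replace with your own 3-character string

  validation {
    condition     = can(regex("^[a-z0-9]{3}$", var.stageName))
    error_message = "stageName must be exactly 3 lowercase letters or digits."
  }
}

variable "vpcCidr" {
  description = "Per-user VPC CIDR (10.x.0.0/16 style) so the VPCs in one account do not overlap"
  type        = string
  default     = "10.10.0.0/16" # assumption: pick a different second octet per lab user

  validation {
    # cidrhost() fails on anything that is not a valid CIDR; the regex pins the
    # 10.x.0.0 shape the lab asks for (the /16 mask size is an assumption).
    condition     = can(cidrhost(var.vpcCidr, 0)) && can(regex("^10\\.[0-9]{1,3}\\.0\\.0/16$", var.vpcCidr))
    error_message = "vpcCidr must look like 10.x.0.0/16."
  }
}

variable "region" {
  description = "AWS region to build in; webAmi and vaultAmi must be AMI IDs from this same region"
  type        = string
  default     = "us-east-1" # assumption
}

variable "webAmi" {
  description = "Amazon Linux 2 AMI ID for the web servers, valid in var.region"
  type        = string

  validation {
    condition     = can(regex("^ami-[0-9a-f]{8,17}$", var.webAmi))
    error_message = "webAmi must be an AMI ID of the form ami-xxxxxxxx."
  }
}

variable "vaultAmi" {
  description = "Amazon Linux 2 AMI ID for the vault server, valid in var.region"
  type        = string

  validation {
    condition     = can(regex("^ami-[0-9a-f]{8,17}$", var.vaultAmi))
    error_message = "vaultAmi must be an AMI ID of the form ami-xxxxxxxx."
  }
}

# Supplied as TF_VAR_dbRootPass in the plan step. No default, so Terraform
# refuses to run without it; sensitive = true (Terraform 0.14+) redacts the
# value from plan/apply output. It still lands in the state file, which is
# one reason the backend below encrypts state.
variable "dbRootPass" {
  description = "Root password for the database; set via TF_VAR_dbRootPass, never in a committed file"
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.dbRootPass) >= 12
    error_message = "dbRootPass must be at least 12 characters."
  }
}

terraform {
  backend "s3" {
    # A backend block cannot reference variables, which is why the lab's
    # create_s3bucket.py reads the literal bucket name out of s3state.tf.
    bucket  = "iac-lab-tfstate-EXAMPLE" # assumption: placeholder, must be globally unique
    key     = "iac_lab/terraform.tfstate"
    region  = "us-east-1"                # assumption: same region as var.region
    encrypt = true                       # server-side encrypt the state object
    # Optional lock table (must already exist) so two lab users cannot apply
    # against the same state at once; drop this line if you did not create it.
    dynamodb_table = "iac-lab-tflock"    # assumption
  }
}

# Public key written by scripts/create_sshkey.sh. Only the .pub half is read
# here; the private key stays on the provisioning host.
resource "aws_key_pair" "lab" {
  key_name   = "${var.stageName}-iac-lab"
  public_key = file("${path.module}/ssh/id_rsa.pub")
}
```

With these declarations in place, `terraform plan` fails early with the `error_message` text if `stageName` or `vpcCidr` is left at a value that would collide with another lab user, instead of failing part-way through a 74-resource apply. The lab's own `myDbPassword` (12 characters) passes the length check, but because the variable is marked sensitive the plan output shows it as `(sensitive value)` rather than the literal.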

Lesson 3 Summary

In this lesson, we completed the following tasks:
  1. Customized the variables for our environment
  2. Created an s3 bucket to store our terraform state file
  3. Created a pair of ssh keys that we will pass to AWS to install on our instances for authentication
  4. Ran `terraform init` to do basic syntax checking and download required modules (AWS)
  5. Ran `terraform plan` to see what the apply will do
  6. Ran `terraform apply` to build our resources
  7. Checked out our web application! But no database connectivity. 🙁
 
In Lesson 4 we’ll configure the vault server so the web servers can connect to the database