Terraform is an orchestration tool that can provision infrastructure with code. Instead of opening the AWS Management Console to create our resources, we can do that directly in our editor with HCL (HashiCorp's Configuration Language).🎉
Let's look at some things we can automate in AWS.
Prerequisites
- AWS Account - Free Tier
- Create an IAM user
- AWS CLI installation and configuration
- Terraform installation
Note: A step-by-step guide for setup can be found in the GitHub README.md
TODOs
- Launch an EC2 Instance
- Create an S3 Bucket
- Create a backend state with S3
- Create IAM group and policy
- Add IAM users to a group
Launch an EC2 Instance
# variables.tf
variable "region" {
  description = "AWS region"
  default     = "us-east-2"
}

variable "ami" {
  # Ubuntu image id; AMI ids are region-specific, so update this for your region
  default = "ami-0c8110836d05ad7bd"
}

# main.tf
terraform {
  required_version = ">= 0.12"
}

provider "aws" {
  region = var.region
}

resource "aws_instance" "ec2_example" {
  ami           = var.ami
  instance_type = "t2.micro"
}
In this example, we are creating an AWS resource of type aws_instance with the unique name ec2_example. This resource spins up an EC2 server by launching a copy of the AMI (Amazon Machine Image).
The AMI is a dynamic value and needs to be updated when creating instances. You can find these on the AWS console or search for Ubuntu images here (for t2.micro select hvm:ebs-ssd).
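Because the AMI id has to be updated by hand, here is an added example (my code, not the article's or the repo's) that resolves the current Ubuntu 20.04 image with a data source and launches it with instance metadata v2 enforced and an encrypted root volume. The Canonical owner id and image name pattern are the standard ones; the metadata and root-volume settings are my additions.

```hcl
# Added example, not the article's code: look the AMI up instead of hardcoding it.
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical's AWS account id

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

resource "aws_instance" "ec2_example" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"

  # Require IMDSv2 (session tokens) so a request-forgery bug in an app on the
  # box cannot read the instance role's credentials with one plain GET.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Encrypt the root volume at rest.
  root_block_device {
    encrypted = true
  }

  tags = {
    Name = "ec2_example"
  }
}
```

Run terraform plan after changing the data source filters: a new AMI id shows up as a replacement of the instance, which is the moment to decide whether you actually want to roll it.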
Create an S3 Bucket
# variables.tf
variable "region" {
  description = "AWS region"
  default     = "us-east-2"
}

# outputs.tf
output "s3-bucket" {
  value = aws_s3_bucket.b_example.bucket
}

# main.tf
provider "aws" {
  region = var.region
}

resource "aws_s3_bucket" "b_example" {
  bucket        = "bucket-example-tmed232323"
  force_destroy = true # testing only: lets terraform destroy remove a non-empty bucket
  acl           = "private"

  versioning {
    enabled = true
  }
}
An S3 bucket is used for storage. To create a bucket a unique name is required; if you do not add one, AWS will create one for you. To grant access to a bucket, acl can be used; by default it is set to private. force_destroy = true is set for testing purposes: it allows us to delete the bucket with terraform destroy even if it is not empty. versioning keeps different variants of an object in the bucket, and outputs.tf will output the results of the file to the console after an apply.
Create a backend state with S3
# main.tf
terraform {
  backend "s3" {
    bucket = "bucket-example-tmed232323"
    key    = "terraform-aws-automation/create-s3-backend-state/terraform.tfstate"
    region = "us-east-2" # required unless AWS_REGION / AWS_DEFAULT_REGION is set
  }
}
In this example, remote state is being stored in a terraform.tfstate file in the bucket. This is common practice when using Terraform with more than one person, so state is not locked to one machine and only one person can make changes at a time on the latest copy. Since the bucket we created is using versioning, there will be a history of changes stored as well.
To add an object to a bucket the unique bucket name is required, along with the key, which defines the path of the file that's created in AWS.
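For the bucket in the previous section and the backend above, here is an added example (my code, not the article's or repo's) of how I would set up shared state: versioning, server-side encryption, a public access block and a DynamoDB lock table. It keeps the article's bucket name and key and its provider v3 inline syntax; the lock table name is a placeholder. The bucket and table have to be applied from a separate bootstrap configuration (local state) before any configuration can init against this backend.

```hcl
# Added example, not the repo's code. Bootstrap config: bucket + lock table.
resource "aws_s3_bucket" "state" {
  bucket = "bucket-example-tmed232323"
  acl    = "private"

  # Keep every version of terraform.tfstate so a bad apply can be rolled back.
  versioning {
    enabled = true
  }

  # State holds secrets (passwords, keys, endpoints); encrypt it at rest.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# Refuse any public ACL or bucket policy, whatever acl gets set to later.
resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: only one terraform apply can hold the state at a time.
resource "aws_dynamodb_table" "lock" {
  name         = "terraform-state-lock" # placeholder name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# In the other examples' main.tf: encrypted state object, locked via DynamoDB.
terraform {
  backend "s3" {
    bucket         = "bucket-example-tmed232323"
    key            = "terraform-aws-automation/create-s3-backend-state/terraform.tfstate"
    region         = "us-east-2"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"
  }
}
```

With the lock table in place, a second terraform apply against the same key fails fast with a lock error instead of silently overwriting the first person's state.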
Create IAM group and policy
# variables.tf
variable "region" {
  description = "AWS region"
  default     = "us-east-2"
}

# main.tf
provider "aws" {
  region = var.region
}

resource "aws_iam_group" "admin_example" {
  name = "admin_example"
}

# Note: aws_iam_policy_attachment is exclusive. It detaches the policy from every
# other user, role and group in the account, so on a shared account prefer
# aws_iam_group_policy_attachment, which manages only this group's attachment.
resource "aws_iam_policy_attachment" "admin-attachment" {
  name       = "admin-attachment"
  groups     = [aws_iam_group.admin_example.name]
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
Groups are collections of IAM users that share specific privileges or policies.
Two resources are created here, one for the IAM group and another to attach a policy to that group. The attribute policy_arn is set to attach the AdministratorAccess policy to the IAM group.
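AdministratorAccess grants every action on every resource, so for anything beyond a throwaway account a scoped policy is the usual choice. As an added example (my code, not the repo's), the group below can only describe EC2 and start or stop instances tagged for its team, and it is attached with the non-exclusive aws_iam_group_policy_attachment; the group, policy, statement ids and tag values are placeholders I chose.

```hcl
# Added example, not the repo's code. Group, policy and tag names are placeholders.
resource "aws_iam_group" "ec2_operators" {
  name = "ec2_operators"
}

data "aws_caller_identity" "current" {}

# Author the policy in HCL so terraform validate catches mistakes before apply.
data "aws_iam_policy_document" "ec2_operator" {
  # Describe* calls cannot be scoped to a resource, so "*" is unavoidable here.
  statement {
    sid       = "DescribeEc2"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }

  # Start/stop is limited to instances in this account and region that carry
  # the team tag; everything not listed (terminate, IAM, ...) stays denied.
  statement {
    sid     = "ControlTaggedInstances"
    actions = ["ec2:StartInstances", "ec2:StopInstances"]
    resources = [
      "arn:aws:ec2:us-east-2:${data.aws_caller_identity.current.account_id}:instance/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Team"
      values   = ["ec2-operators"]
    }
  }
}

resource "aws_iam_policy" "ec2_operator" {
  name   = "ec2-operator"
  policy = data.aws_iam_policy_document.ec2_operator.json
}

# Non-exclusive attachment: unlike aws_iam_policy_attachment it does not strip
# the policy from other users, roles or groups that already have it.
resource "aws_iam_group_policy_attachment" "ec2_operator" {
  group      = aws_iam_group.ec2_operators.name
  policy_arn = aws_iam_policy.ec2_operator.arn
}
```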
Add IAM users to a group
# variables.tf
variable "region" {
  description = "AWS region"
  default     = "us-east-2"
}

# main.tf
provider "aws" {
  region = var.region
}

resource "aws_iam_user" "admin_example_1" {
  name = "admin_example_1"
}

resource "aws_iam_user" "admin_example_2" {
  name = "admin_example_2"
}

resource "aws_iam_group_membership" "admin-user-group-example" {
  name  = "admin-user-group-example"
  users = [
    aws_iam_user.admin_example_1.name,
    aws_iam_user.admin_example_2.name,
  ]
  # The group was created in the previous example's directory, so it is
  # referenced by name here rather than as aws_iam_group.admin_example.name.
  group = "admin_example"
}
After an IAM group is created we can add new users to it. This is done with the resource type aws_iam_group_membership: users are passed to this resource along with the name of the group.
To run these examples locally, clone the repo and navigate to the root directory. In your terminal cd into one of the above directories and follow these steps:
- Initialize Terraform:
  terraform init
- Check the plan to make sure the configuration will do what we expect:
  terraform plan
- Apply the execution plan and build the stack:
  terraform apply
- Check the resource is up:
  terraform state list
  or terraform state show 'type.name', e.g. aws_instance.ec2_example
- Tear down all provisions:
  terraform destroy
If you found this article useful give the repo a ⭐️ and check back later for more examples of automating AWS with Terraform. 🙂✌🏾
ari-hacks / terraform-aws-automation
⚙️ Examples of provisioning AWS resources with Terraform
Automating AWS with Terraform
- Launch an ec2 instance
- Create an s3 bucket
- Create an s3 backend state
- Create an IAM group and policy
- Add users to an IAM group
External Resources
Pre-requisite Setup
AWS Account - Free Tier
- Sign up for AWS Free Tier account if you do not already have one
Create an IAM user
- Log into your root AWS account
- Select Services > IAM
- On the left nav bar select 'Users'
- Select 'Add user'
- Create a username 'terraform-admin'
- Select AWS access type as Programmatic access (and AWS management console access to view resources on the dashboard)
- Select Next: Permissions
- Select Create group
- Add a group name 'admins'
- Check AdministratorAccess and Create group, check group
- Select Next: Tags
- Select Next: Review
- Select Create User
- You will need the generated access key Id, and the secret access key (Download the csv provided or store these values)