AWS EC2

EC2 stands for Elastic Compute Cloud.

An EC2 instance is a virtual server that you ask AWS to provision for you.

Example:

An application may need a lot of storage, or a lot of memory, or a lot of CPU; you choose the instance type accordingly. There are several instance families: General purpose, Compute optimised, Memory optimised, Storage optimised and Accelerated computing.
For this walkthrough we use a General purpose instance.

You can create an EC2 instance through the console UI or through the CLI. You choose the instance type, AWS provisions it, and AWS bills you for it accordingly.

We also need to understand the concepts of regions and availability zones, which come up here.

You create the EC2 instance in a region close to your users. Each region contains multiple availability zones.

A single data centre can fail (a power fault, a fire, a network cut). So that one such failure does not take down everything you run in a region, AWS splits each region into multiple availability zones: physically separate data centres with independent power and networking, connected by low-latency links. Spreading instances across zones is how you survive the loss of one.

For example, if you select the London region, it contains several availability zones at separate sites around London; an instance in one zone keeps running if another zone goes down.

Now go to EC2 > Instances and click Launch instance.

Let's create the phani-e2 instance. By default you are offered a list of operating system images (AMIs).

Select Ubuntu Server and pick a version. I selected a free-tier eligible instance type, because anything else is charged.
Password authentication to the instance is disabled by default. The only way to log in is with an SSH key pair.

A key pair is a public/private key pair: AWS puts the public key on the instance, and you keep the private key and present it when you log in. Anyone holding the private key can log in, so treat it like a password.

Let's create a key pair. Here I create phani-keypair in .pem file format and store the downloaded file somewhere safe; I stored it in the Downloads folder. AWS keeps only the public half, so if you lose the file you cannot download it again.

Leave storage and networking at their defaults for now. One thing worth checking even now: the default network settings create a security group with an inbound SSH (port 22) rule; if the wizard lets you choose the source, pick My IP rather than Anywhere.

Now launch the instance, and use the key pair to log in.

Now copy the public IPv4 address shown on the instance details page.

Go to your terminal, and with the key file name and that IPv4 address run:

ssh -i phani-keypair.pem ubuntu@54.196.110.205

You will see an error when trying to connect. ssh refuses to use the key and prints a warning of the form "WARNING: UNPROTECTED PRIVATE KEY FILE!" followed by "Permissions 0644 for 'phani-keypair.pem' are too open".

The file holds your private key, so ssh insists that no other user on the machine can read it. A freshly downloaded file is typically world-readable (0644), which ssh rejects.

Use chmod to change the file's permissions to 600, which gives the owner read and write access and everyone else nothing:

chmod 600 phani-keypair.pem

Now the permissions are fixed. Run the ssh command again:

ssh -i phani-keypair.pem ubuntu@54.196.110.205

Now I can log into the EC2 instance.
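To show what ssh is checking, here is an added Python example (not part of the original walkthrough) that inspects a key file's permission bits the same way and applies the chmod 600 fix. It creates a throwaway file under a temporary name rather than touching a real key; the file name and its initial 0644 mode are constructed for the demo, and it assumes a POSIX system.

```python
import os
import stat
import tempfile

# OpenSSH refuses a private key that group or others can read
# ("UNPROTECTED PRIVATE KEY FILE!"); these are the offending bits.
INSECURE_BITS = stat.S_IRWXG | stat.S_IRWXO


def key_mode(path: str) -> int:
    """Return the permission bits (e.g. 0o644) of a file."""
    return stat.S_IMODE(os.stat(path).st_mode)


def key_is_protected(path: str) -> bool:
    """True when only the owner can access the key, the condition ssh(1) enforces."""
    return key_mode(path) & INSECURE_BITS == 0


def fix_key_permissions(path: str, mode: int = 0o600) -> int:
    """Apply the equivalent of `chmod 600` and return the resulting mode."""
    os.chmod(path, mode)
    return key_mode(path)


def demo() -> tuple:
    """Create a throwaway 'key' file with lax permissions, then fix it.

    The file is constructed for the demo and removed afterwards; it holds no real key.
    """
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        os.chmod(path, 0o644)  # typical mode of a file saved by a browser download
        before = key_is_protected(path)
        fixed_mode = fix_key_permissions(path)
        after = key_is_protected(path)
        return before, oct(fixed_mode), after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

key_is_protected mirrors ssh's rule rather than checking for exactly 0600: 0400 (read-only, as used later in the article for main-key.pem) passes too, because what matters is that group and others have no bits set.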

Once you are logged in, the prompt shows a hostname derived from the server's private IP address, even though you connected through the public IP address. You are now inside the EC2 instance.

The first thing to do is update the package index. On Ubuntu, package management needs root, so the command is prefixed with sudo:

sudo apt update

Now let's deploy an application.

Let's install Jenkins on that Ubuntu server.
The prerequisite for Jenkins is Java, so run:

sudo apt install openjdk-11-jdk

(Check which Java version the Jenkins release you are installing requires; recent Jenkins releases need Java 17 or later, in which case install openjdk-17-jdk instead.)

Now install Jenkins itself. It takes a few commands: add the Jenkins apt repository key and source, run apt update, then apt install jenkins. Follow the Debian/Ubuntu instructions on the Jenkins site for the exact commands.

Start the Jenkins service with systemctl if it is not already started. Once it is running you can try to reach it from the browser.
Let's check whether the Jenkins service is running:

systemctl status jenkins

By default Jenkins listens on port 8080.
Now open http://publicipaddress:8080 in the browser; here the IP address is 54.196.110.205.
It does not load.
The instance is running, but by default the application is not reachable from the outside world. There are networking and security controls in the way, which I will cover in more detail later.

For now I will show how to open port 8080.

Every instance has a security group: a stateful virtual firewall with inbound rules and outbound rules.
An inbound rule governs traffic arriving from outside at your EC2 instance; an outbound rule governs traffic leaving it. A security group created by the launch wizard allows only the inbound traffic you added at launch (SSH) and all outbound traffic.
Go to the instance's security group and choose Edit inbound rules.

Add a new rule: type Custom TCP, port 8080, source Anywhere-IPv4 (0.0.0.0/0), and save.

Be aware what that rule means: the Jenkins login page is now reachable from every address on the internet, including automated scanners. For anything beyond a short experiment, set the source to My IP or a specific /32, complete the initial admin setup before exposing it, and put Jenkins behind HTTPS.
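As an added example (not from the original article), the Python below audits a security group in the shape boto3's describe_security_groups returns and flags rules like the one just created. The group id and rules are constructed sample data; a real check would fetch them with ec2.describe_security_groups() instead. The second function builds the narrower rule the text recommends.

```python
import ipaddress

# Constructed sample in the shape returned by boto3's ec2.describe_security_groups()
# (only the fields used here). The group id is a placeholder, not a real group.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # the rule added in the walkthrough: Jenkins' 8080 from anywhere
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
PUBLIC_OK = {80, 443}  # ports a public web service is expected to expose


def _cidrs(perm):
    """Yield every source network of one IpPermissions entry (v4 and v6)."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def world_open_rules(sg):
    """Ingress rules reachable from any address, except plain HTTP/HTTPS.

    Returns (protocol, from_port, to_port, cidr) tuples. Protocol "-1" (all
    traffic) has no port fields, so it is treated as 0-65535.
    """
    findings = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for net in _cidrs(perm):
            exempt = proto == "tcp" and lo == hi and lo in PUBLIC_OK
            if net in WORLD and not exempt:
                findings.append((proto, lo, hi, str(net)))
    return findings


def restricted_rule(port, source_cidr):
    """An IpPermissions entry for one TCP port from one source range,
    i.e. what the 8080 rule should have been (My IP or a /32)."""
    net = ipaddress.ip_network(source_cidr)  # raises ValueError on bad input
    if net.version == 4:
        return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "IpRanges": [{"CidrIp": str(net)}]}
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "Ipv6Ranges": [{"CidrIpv6": str(net)}]}


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_SG):
        print("open to the world:", finding)
```

world_open_rules leaves 80 and 443 alone because a public web server is expected to listen there; an admin interface such as Jenkins on 8080, or SSH on 22, reachable from 0.0.0.0/0 is the kind of finding worth acting on.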


Now go to the browser and open http://54.196.110.205:8080/
You can see the Jenkins setup page.

Hurray!

We deployed Jenkins on AWS and can reach it from the outside world.

AWS IAM

IAM (Identity and Access Management) is the AWS service that handles authentication (who is making the request) and authorization (what that identity is allowed to do).

The root user has unrestricted access to everything in the account. Day-to-day administration is normally done by a DevOps person through IAM identities rather than the root user, which should be protected with MFA and used only for the few tasks that require it.

Note: users, policies and groups are the important concepts to know.
Roles are next; we discuss them later.

Create a user named phani-user. By default a single policy is attached, which only lets that user change their own password.

If you want to add more policies, click the Add permissions button.

After creating a user, we can put that user in a group. If you are a developer, you will be added to the developer group.

A typical scenario: someone asks you to create a user for them, so you create one in the IAM dashboard.

If you set a custom password, you are choosing a password for another person, which they then have to remember, and which you know as well.

Always use an auto-generated password, and tick the option that the user must create a new password at next sign-in. When that user (phani-user) logs in with the username and password you gave them, they are forced to reset the password themselves, so the temporary password you saw stops working.

At this point we are not attaching any policies to the IAM user.

Give this temporary password to the user, over a channel you would trust with a password.

Now let's sign out and sign in as the new user phani-user.
You need the AWS account id for the sign-in form.

Once you are logged in, it prompts you to change the password.

 

Now, after logging in, go to S3 and try to view the list of buckets.

You will see an Access denied error.

This is not specific to buckets: a new user with no policies attached has no permissions on anything in this AWS account. IAM denies everything that is not explicitly allowed, so the same happens for EC2 instances and every other resource.


To fix this, grant access to the specific resource that is needed.
Example:
I should be able to see all the buckets in this account.
So the DevOps engineer attaches a policy to the user that allows the s3:ListAllMyBuckets action.

Now log in as the root user (or an administrator) and let's grant phani-user access.

Click on phani-user and attach permissions. Here I am giving phani-user full access to S3, via the AWS managed policy AmazonS3FullAccess.

Now phani-user can do everything in S3: create, delete, list and so on. You can see the S3 policy listed on the user. Note that this is far more than the stated need (listing buckets); it is convenient for a demo, but in a real account you would attach only the actions actually required.

Now log off, log in as phani-user, and check that you can see the list of S3 buckets.
Go to S3 and view the bucket list. The permission error is gone.

If you only need to view a specific set of buckets, or anything else that narrow, you write a custom policy (a customer managed policy) instead of using an AWS managed policy.

So with AWS managed policies we can quickly give an IAM user access to particular services, and with custom policies we can scope that access down.

To summarise: with a user you authenticate to the AWS account, and with policies you authorize what that user may do in AWS.

Groups:

Let's create a group for developers, called the development group, and give it a policy such as S3 list access.

If in future they come back and ask for access to some other resource as well, you simply attach the new policy to the group and all of its members get that access.

Here I created a development group with the AmazonS3FullAccess policy.

Go to User groups in IAM and create the phani-developer group.

Now let's add a user to the group.
Click the Add users button and add phani-user to the group.

If the developers come back and say that in addition to S3 full access they also want full access to EC2:

Instead of adding the policy to each user, go to User groups, click the group, open the Permissions tab, and alongside S3 full access search for EC2 and attach the policy (AmazonEC2FullAccess).

Now that the EC2 policy is attached to the group, its users automatically get EC2 access. If you open phani-user you can see both policies, the S3 one and the EC2 one, inherited from the group.
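An added Python example (not the article's code) of how the IAM authorization decision works for the user policies and the group policies described above: every statement from the user's own policies and from the user's groups is evaluated, an explicit Deny always wins, an Allow is needed for access, and with neither the result is the implicit deny that phani-user hit on S3. The policy documents are constructed in IAM's JSON shape to stand in for the managed policies named in the text; condition keys, NotAction and resource-based policies are not modelled.

```python
import fnmatch

# Constructed policy documents in IAM's JSON shape (not the text of AWS's managed policies).
S3_LIST_ONLY = {  # the narrow custom policy the text describes: list buckets, nothing else
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}
S3_FULL = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
EC2_FULL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DENY_DELETE = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(stmt, action, resource):
    """Does this statement apply to the action/resource? Actions match case-insensitively."""
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    res = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in res))


def is_allowed(policies, action, resource="*"):
    """Simplified identity-policy evaluation: explicit Deny wins, then any Allow,
    otherwise implicit deny. `policies` is every document attached to the user
    plus those of the user's groups."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_policies(user_policies, groups, membership):
    """Merge a user's own policies with those of each group the user belongs to."""
    docs = list(user_policies)
    for name in membership:
        docs.extend(groups[name])
    return docs


if __name__ == "__main__":
    groups = {"phani-developer": [S3_FULL, EC2_FULL]}
    docs = effective_policies([], groups, ["phani-developer"])
    print("fresh user lists buckets:", is_allowed([], "s3:ListAllMyBuckets"))
    print("group member describes instances:", is_allowed(docs, "ec2:DescribeInstances"))
```

The evaluator is also a way to reason about least privilege: S3_LIST_ONLY satisfies the stated requirement, while AmazonS3FullAccess (S3_FULL here) also grants deletion, and only an explicit Deny such as DENY_DELETE takes that back.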

Terraform

Terraform automates infrastructure provisioning: you describe the resources in code and Terraform creates, updates and destroys them.

I am using VS Code to write the Terraform code.

Once you have created the Terraform files, initialise the working directory:

run terraform init, which initialises the working directory and downloads the provider plugins and modules the code references

run terraform plan, which previews the changes before applying them

run terraform apply, which applies the changes (it shows the plan first and asks for confirmation)

In the console output:

+ means a resource will be created

- means a resource will be destroyed

~ means a resource will be updated in place

When you run terraform apply it first prints "Refreshing state..." while it compares the state file with what actually exists.

Now I will show the codebase.

A provider block is needed, which can be aws, azure and so on.

I want to create an AWS instance and then modify that instance by adding a tag:

tags = {
  Name = "phani"
}

Run terraform apply again; you can see "update in-place" marked with the tilde symbol, because a tag change does not require replacing the instance.

Now go to the AWS console and check the instance.

Now let's destroy it; the plan shows that the phani-server resource is going to be destroyed:

terraform destroy

Now it is terminated.

Run terraform apply again and the resource is deployed afresh: a new instance shows as running, while the old one remains in the terminated state.

If you comment out the resource in the code, Terraform works out that the configuration now declares no resources while the state still has one.

It will destroy the instance on the next apply.

Until now we have deployed AWS instances.

Let's look at other resources.

Now let's create a subnet in a VPC.

To find the resource quickly, search for "terraform aws subnet" in Google and open the aws_subnet docs.

For a subnet we need the VPC id. Reference it from the aws_vpc resource, and Terraform records the dependency from that reference:

  vpc_id     = aws_vpc.phani_vpc.id

Now run terraform apply and see the changes applied.

Now you can see the aws_subnet and aws_vpc created.

We can see the CIDR block.

Now let's go to Subnets in the console.

There are default subnets already (from the default VPC).

Open the one we created and you can see the VPC this subnet resides in,

and its CIDR block, 10.0.1.0/24.

Also, the order of resources in the code doesn't matter: you can write the subnet first and the VPC afterwards. Terraform doesn't care about that.

In the code the subnet is written first and the VPC later,

but in the console output Terraform creates the VPC first and the subnet later, because the subnet's vpc_id refers to the VPC.
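Added example (not from the article): a Python check for the subnet CIDR values, verifying that each subnet lies inside the VPC block and that subnets do not overlap, errors Terraform itself only surfaces when the AWS API rejects the apply. The VPC range 10.0.0.0/16 and the second subnet are assumptions; the article shows only the subnet 10.0.1.0/24.

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # assumed VPC range; the article only shows the subnet below
SUBNET_PREFIXES = ["10.0.1.0/24", "10.0.2.0/24"]  # same shape as the subnet_prefix variable


def validate_subnets(vpc_cidr, prefixes):
    """Return a list of problems: subnets outside the VPC range, or overlapping each other.
    An empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(p) for p in prefixes]  # raises ValueError on a bad CIDR
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not inside {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def usable_host_count(prefix):
    """Addresses left for instances: AWS reserves five per subnet
    (network address, VPC router, DNS, one for future use, broadcast)."""
    return ipaddress.ip_network(prefix).num_addresses - 5


if __name__ == "__main__":
    print(validate_subnets(VPC_CIDR, SUBNET_PREFIXES))
    print(usable_host_count("10.0.1.0/24"), "usable hosts in 10.0.1.0/24")
```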

Note: after terraform apply we don't want to type yes every time. To avoid that, use

terraform apply -auto-approve

(Only do this in throwaway environments; the confirmation prompt is the last chance to notice a plan that destroys something.)

Now let's do a small project. Please check the code.

1. Create VPC

2. Create Internet Gateway

3. Create route table

4. Create subnet

5. Associate subnet with route table

6. Create security group to allow ports 22, 80, 443

7. Create a network interface with an IP in the subnet that was created in step 4

8. Assign an Elastic IP to the network interface created in step 7

9. Create Ubuntu server and install/enable apache2

The code can be found in my GitHub:

https://github.com/pbndru/Phani-Terraform/blob/main/main.tf

Before running the code, Terraform needs AWS credentials. The provider block in the repo has access_key and secret_key attributes:

provider "aws" {
region = "us-east-1"
access_key = "" // leave empty; supply the credentials through the environment instead
secret_key = ""
}

You get an access key from Security credentials in your AWS account (create a new access key there). The secret is shown only once, so save it in a password manager; it cannot be retrieved later, only replaced.

Do not paste the keys into the .tf file. The file ends up in git, and a committed access key is a credential leak that survives deleting the line, because it stays in the history. Leave the two attributes empty (or remove them) and set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, or run aws configure once so the keys live in ~/.aws/credentials; the aws provider reads both locations automatically. A long-lived IAM user access key is also the weakest option; when Terraform runs on an EC2 instance or in CI, an IAM role is preferable.
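As an added example (not part of the original project), here is a small Python check for the mistake the provider block invites: real keys typed into a .tf file. It scans Terraform text for access_key/secret_key attributes that carry a value and for strings with the shape of an access key id, and rewrites the block so the credentials come from the environment instead. The sample text is constructed and uses the example key pair from AWS's own documentation, not live credentials.

```python
import re

# Constructed sample resembling the article's provider block, filled with the example
# credentials from AWS's documentation (AKIAIOSFODNN7EXAMPLE / ...EXAMPLEKEY), which are not live.
SAMPLE_TF = '''provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

# provider credential attribute with a non-empty quoted value (an empty "" is fine)
CRED_ATTR = re.compile(r'^\s*(access_key|secret_key)\s*=\s*"([^"]+)"')
# AWS access key id format: AKIA followed by 16 upper-case letters or digits
AKID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')


def find_hardcoded_credentials(tf_text):
    """Return (line_number, kind, value) for each line carrying a credential."""
    findings = []
    for n, line in enumerate(tf_text.splitlines(), start=1):
        m = CRED_ATTR.match(line)
        if m:
            findings.append((n, m.group(1), m.group(2)))
            continue
        m = AKID.search(line)  # a key id that leaked somewhere else, e.g. a comment or variable
        if m:
            findings.append((n, "access_key_id_pattern", m.group(0)))
    return findings


def strip_provider_credentials(tf_text):
    """Drop access_key/secret_key lines so the provider reads AWS_ACCESS_KEY_ID /
    AWS_SECRET_ACCESS_KEY (or ~/.aws/credentials) at run time."""
    kept = [line for line in tf_text.splitlines()
            if not re.match(r'^\s*(access_key|secret_key)\s*=', line)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_credentials(SAMPLE_TF):
        print(f"line {lineno}: {kind} = {value[:4]}...")
    print(strip_provider_credentials(SAMPLE_TF))
```

Run it over a real main.tf before the first commit; a pre-commit hook doing the same is cheap insurance, but a key that has already been pushed must be rotated, not just removed.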

And you need to create a key pair. Go to EC2 > Key pairs and create one; here I created main-key for the web server instance. It is downloaded once as a .pem file, which we need later. Reference it in the instance resource:

key_name = "main-key"

Now run terraform apply; it creates all the resources in AWS.

To connect from Windows, download PuTTY and PuTTYgen. PuTTY does not read OpenSSH .pem files directly, so the key has to be converted first.

Open PuTTYgen.

Load the main-key.pem file created before and save the private key in .ppk format.

We need the .pem file on macOS (and Linux) and the .ppk file on Windows.

Now open PuTTY and set the host to ubuntu@ipaddress.

Under the SSH authentication settings, load the .ppk file and open the session. You are now connected to the server.

FOR MAC

On macOS (or Linux) use

chmod 400 main-key.pem

and then

ssh -i main-key.pem ubuntu@34.226.80.181

Now you are connected to the server.

TERRAFORM STATE COMMANDS

If you want to see all resources quickly from the command line:

run terraform state list

Now you see all the resources.

To look into a particular resource, such as the aws_eip:

terraform state show aws_eip.one

We can see the actual details: id, instance id, network interface, public IP and more.

Everything shown here is read from the state file (terraform.tfstate). That file holds every attribute Terraform knows about, including values marked sensitive, in plain text, so keep it out of git and, for shared work, in a remote backend with access control and encryption.

TERRAFORM OUTPUT

Running state list and state show every time is a lot of typing.

What if Terraform printed the values we care about as part of terraform apply?

We can use an output block with a value for that.

Here I created an output, which acts like a log line for the server's public IP:

output "phani_server_public_ip" {
value = aws_eip.one.public_ip
}

The output appears as

phani_server_public_ip = "50.16.131.74"

You can also run terraform output to print all the output values.

Now, we don't want to accidentally delete or deploy everything.

terraform refresh updates the state to match the real infrastructure without changing the infrastructure itself (newer Terraform versions recommend terraform apply -refresh-only for this, which shows the state changes and asks for confirmation).

To destroy one particular resource we can use

terraform destroy -target aws_instance.web-server-instance

To create it again use

terraform apply -target aws_instance.web-server-instance

Now you can see the plan contains only that one resource. (-target is meant for exceptional cases; a targeted apply can leave dependent resources out of date, so run a full plan afterwards.)

VARIABLES

Here I created a subnet_prefix variable and used it in the subnet.

I created a file for the variable values, terraform.tfvars, where the variables are set:

subnet_prefix = ["10.0.1.0/24"]

Hope you enjoyed the article.

Code in my GitHub: https://github.com/pbndru/Phani-Terraform/tree/main