Terraform Cloud Project Bootcamp with Andrew Brown — Week 1 Live Streaming

Gwen Leigh
6 min read · Sep 26, 2023

This article is my learning journal for week 1 of the Terraform Bootcamp by Andrew Brown and Bayko Brown with Chris Williams and Shala (Gifted Lane).

My career adventure into the cloud computing world continues with Andrew Brown, and I highly, highly recommend you come join us if you are interested. Check out all of Andrew’s free YouTube learning content.

Agenda


1. Create S3 bucket & enable static website hosting

The following is a walkthrough with complete configuration steps to create an S3 bucket.

Bucket Ownership

ACL stands for Access Control List. ACLs let you fine-tune access at the bucket level (the whole bucket with all of its objects) and at the object level (individual objects). Since April 2023 new buckets default to “ACLs disabled” (bucket owner enforced), and we keep that default for this project: every grant will go through the bucket policy instead.

Block Public Access

When you host a website out of an S3 bucket, the easiest way to let the public in is to turn off ALL of Block Public Access so that anybody can read the bucket directly. That is a poor decision from a security standpoint (every object becomes world-readable, and a later policy mistake is no longer caught by the guardrail), so we leave Block Public Access on and will serve the content through CloudFront instead.

Bucket Versioning

  • Notes from Chris Williams: Terraform’s state file is used for storing backend data for provisioning resources, which includes, for instance, the ARN numbers for EC2 instances and database usernames and passwords. It is extremely important that your state file is NOT available to the outside and is NOT corrupted or made inaccessible.
  • Terraform Cloud does a good job of securing these backend states.
  • Similarly to versioning the Terraform backend state file, it is generally a good idea to enable Bucket Versioning on your S3 buckets so that an overwritten or deleted object can be recovered (we are not enabling it for this project, though).

Default encryption

New buckets get server-side encryption with S3-managed keys (SSE-S3) by default; we keep that default.

Object Lock

Object Lock goes hand in hand with Bucket Versioning: it can only be turned on for a versioned bucket, and it makes object versions immutable for a retention period. Since we are not enabling versioning, we leave Object Lock off as well.

Click on “create bucket”.

Now we are onto enabling static website hosting. Click on your bucket, go to the “Properties” tab, then scroll all the way down to “Static website hosting” and click “Edit” to enable it.

Fill the fields for index and error documents, then click on “save changes”.

2. Prepare an html file for static website hosting

Open a Gitpod workspace (or any other environment of your choice), then install http-server so you can preview the site locally before uploading it.

# install http-server globally.
npm install http-server -g

# start the http-server.
http-server
Once the http-server starts smoothly, your terminal looks colourful like this.

Prepare your own html template for the website. Mine is available here if you need a sample for testing.

My question was featured during the live stream. Andrew is responding to my question: the correct path should be /public/assets.

Now, upload index.html to your bucket using the command below. Once the file is uploaded, the bucket website endpoint is listed under “Properties” > “Static website hosting”, since we already enabled it. Click the endpoint to check whether the website is up and running.

# Upload a single file
aws s3 cp public/index.html s3://YOUR_BUCKET_NAME/index.html

# Upload a folder with multiple files
aws s3 sync public s3://YOUR_BUCKET_NAME

However, chances are you will land on a 403 Forbidden error page because of the bucket access configuration we discussed previously: Block Public Access is still on, so the anonymous request from your browser is denied. Here we largely have two options to allow access to the website:

  • 1) Configure a Bucket Policy that grants public read (this requires relaxing Block Public Access)
  • 2) Create a CloudFront distribution: this is the better choice in terms of security, because the bucket stays private (only CloudFront can read it, via an Origin Access Control) and we can attach other dedicated AWS security services such as WAF (Web Application Firewall) in front of it.
Configuring bucket policy

3. Create a CloudFront distribution

Go to CloudFront and start creating a distribution. From the Origin domain list, select the name of the bucket you created.

For origin access, select the recommended OAC settings, then the OAC you will create or have created for this specific distribution (see the steps below).

For most of the configurations, we are keeping the default setting.

Then go create the distribution. Once the distribution is created and enabled, try accessing the website using the CloudFront endpoint. Again, we are met with the same access issue. We need to configure the following to make the website accessible:

  • Origin Access Control (OAC)
  • Bucket Policy

You can check the OAC by running the following commands:

# List the OACs in the account (the second form prints a table).
aws cloudfront list-origin-access-controls
aws cloudfront list-origin-access-controls --output table

# Origin access identities (OAI) are the legacy predecessor of OAC; this lists any that still exist.
aws cloudfront list-cloud-front-origin-access-identities

Create OAC (Origin Access Control)

In CloudFront > Origin access, start creating a control setting. The process is very simple: keep the origin type as S3, set the signing behaviour to “Sign requests (recommended)”, then create it.

Signing requests is important: CloudFront signs each request to the origin with SigV4 as the CloudFront service principal, which is exactly what the bucket policy below checks for. This is how users get to content that sits in a private bucket without the bucket ever being public.

My question was featured during the live stream! I was so into making my html index file that I missed that bit lol

Once the CF distribution is created, we have to configure the bucket policy.

Go to S3 > Buckets > Your_Bucket > Permissions > Edit bucket policy, then paste the code below, replacing the bucket name, AWS_ACCOUNT_ID and DISTRIBUTION_ID with your own. The Condition on AWS:SourceArn is what pins read access to this one distribution; without it, any CloudFront distribution in any account could point an OAC at your bucket.

{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::nomadiachi-in-terratown-bucket/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::AWS_ACCOUNT_ID:distribution/DISTRIBUTION_ID"
        }
      }
    }
  ]
}
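To tie the Block Public Access decision from step 1 to the bucket policy step above, here is an added Python example (my own, not code from the bootcamp or from AWS) that builds the OAC bucket policy for a given bucket, account and distribution, and then audits any bucket policy for the mistakes that turn a “private” bucket into a public one: a wildcard principal, a missing AWS:SourceArn condition, a SourceArn that is not a single distribution, or actions beyond s3:GetObject. The bucket name, account ID and distribution ID are constructed placeholders, the public-read policy is a constructed contrast case, and the format check on the distribution ID is an assumption kept deliberately loose.

```python
"""Build and audit the S3 bucket policy that pairs a bucket with a CloudFront OAC.

Added example for this walkthrough, not the bootcamp's or AWS's own code.
Bucket name, account ID and distribution ID below are constructed placeholders.
"""
import json
import re

CLOUDFRONT_PRINCIPAL = "cloudfront.amazonaws.com"
# Assumption: a distribution ID is "E" followed by upper-case alphanumerics
# (e.g. E1A2B3C4D5E6F7). The check is deliberately loose.
DISTRIBUTION_ARN_RE = re.compile(r"^arn:aws:cloudfront::\d{12}:distribution/E[A-Z0-9]+$")


def build_oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Least-privilege policy: only ONE distribution, in OUR account, may GetObject."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be the 12-digit AWS account ID")
    if not re.fullmatch(r"E[A-Z0-9]+", distribution_id):
        raise ValueError("distribution_id should look like E1A2B3C4D5E6F7")
    return {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Without this condition ANY distribution in ANY account could read the bucket.
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


def audit_bucket_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means 'OAC-only read access'.

    Expects the StringEquals form the console generates; other operators are flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # 1. Anonymous access: the "unblock everything" approach from step 1.
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Principal * grants read to the whole internet")
            continue
        # 2. Only the CloudFront service principal should be allowed.
        if not (isinstance(principal, dict) and principal.get("Service") == CLOUDFRONT_PRINCIPAL):
            findings.append(f"{sid}: principal is not {CLOUDFRONT_PRINCIPAL}")
        # 3. SourceArn pins access to one distribution; IAM condition keys are
        #    case-insensitive, so accept either spelling.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        source_arn = string_equals.get("AWS:SourceArn") or string_equals.get("aws:SourceArn")
        if not source_arn:
            findings.append(f"{sid}: no AWS:SourceArn condition, any distribution could read the bucket")
        elif not DISTRIBUTION_ARN_RE.match(source_arn):
            findings.append(f"{sid}: AWS:SourceArn {source_arn!r} is not a single distribution ARN")
        # 4. Static hosting needs nothing beyond s3:GetObject.
        extra = sorted(a for a in actions if a != "s3:GetObject")
        if extra:
            findings.append(f"{sid}: actions beyond s3:GetObject: {', '.join(extra)}")
    return findings


# Constructed example of the weak "unblock public access" policy, for contrast.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-terratown-bucket/*",
    }],
}

if __name__ == "__main__":
    good = build_oac_bucket_policy("example-terratown-bucket", "123456789012", "E1A2B3C4D5E6F7")
    print(json.dumps(good, indent=2))  # paste into S3 > Permissions > Bucket policy
    print("OAC policy findings:", audit_bucket_policy(good))
    print("public policy findings:", audit_bucket_policy(PUBLIC_READ_POLICY))
```

Run it to print a policy you can paste into the console (or feed to `aws s3api put-bucket-policy --bucket ... --policy file://policy.json`), and run `audit_bucket_policy` over the JSON from `aws s3api get-bucket-policy` on an existing bucket before you trust that it is only reachable through CloudFront.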

Now that the access setting is configured, try visiting the CloudFront distribution endpoint, and you can see that the website is up and running! The S3 website endpoint itself still returns 403, which is what we want: the bucket is only reachable through CloudFront.

Well done, good job! Hot dog time? ♨️ 🐶

Gwen Leigh

Cloud Engineer to be. Actively building my profile, network and experience in the cloud space.