Securing AWS Infrastructure Deployment with Terraform and IAM Guidelines (part 2/3)
Configuring and Running a Local Terraform Setup with IAM Access Keys
To execute Terraform from a local machine using your own AWS permissions, it’s crucial to understand the core workflow and the practices around it. That understanding carries over to whatever Terraform workflow environment suits your team’s processes.
Objectives
- Introduce you to the concept of Infrastructure as Code (IaC).
- Provide an overview of Terraform.
- Share essential hands-on practices for Terraform local machine execution.
Agenda
- Concept of IaC.
- What is Terraform?
- Overview of the Infrastructure Discussed in This Blog Post.
- Install Terraform.
- Construct AWS Infrastructure.
- Implement Defined Infrastructures.
- Make Changes.
- Clean Up.
Concept of IaC
Infrastructure as Code (IaC) enables the provisioning and management of cloud infrastructure through code rather than a graphical user interface. It’s considered a best practice for managing infrastructure because manually creating infrastructure in a UI is error-prone. With IaC we can reuse and share definitions, collaborate with others, and review changes before deploying, updating, editing, or destroying infrastructure.
What is Terraform?
Terraform, developed by HashiCorp, is an Infrastructure as Code (IaC) tool that enables you to provision infrastructures across multiple cloud providers. Its key features include:
- Human-readable configuration language: Terraform utilizes a configuration language that is easy for humans to read and write, facilitating efficient infrastructure management.
- Terraform state: This feature allows you to track changes to your resources throughout the deployment process, ensuring transparency and accountability.
- Version control integration: Terraform seamlessly integrates with version control systems, enabling collaboration among team members and providing a structured approach to managing infrastructure changes.
Overview of the Infrastructure Discussed in This Blog Post
Install Terraform
For my case, I use Homebrew on macOS.
- First, install the HashiCorp tap, which is a repository of all HashiCorp Homebrew packages.
brew tap hashicorp/tap
- Install Terraform
brew install hashicorp/tap/terraform
- Verify the installation. If your installation is complete, you will see Terraform’s available subcommands after typing this command.
terraform -help
Construct AWS Infrastructure
I will use this repository to construct infrastructures.
Now, it’s time to start defining your infrastructure as code. Consider this main.tf file, which consists of several parts that you need to understand.
main.tf
Code Block Explanation
terraform
Holds the settings for Terraform itself. By default, Terraform installs providers from the Terraform Registry; here we define the provider source using the hashicorp/aws shorthand for registry.terraform.io/hashicorp/aws.
provider
A plugin that Terraform uses to create and manage your cloud resources.
resources
Defines resources in your cloud. Two strings precede the block body: the “resource type” and the “resource name”, e.g. resource “aws_instance” “web_server”, where the resource type is “aws_instance” and the resource name is “web_server”.
Optional
variables
In the variables.tf file, we can avoid hard-coded values by defining each one in a variable block labelled with the variable name. In this example I define “instance_name” and then use it in aws_instance here:
tags = {
Name = var.instance_name
}
Note: Terraform loads every file ending in .tf in the current directory, so you can name the .tf file that stores your variables however you choose.
Output
This configuration defines what is presented to the Terraform user when apply completes. Consider my output.tf: whenever apply completes, Terraform displays an output section in the terminal containing the values defined in output blocks; in this case it displays the instance_id and instance_public_ip.
Note: This is just an example. Exposing instance_id, instance_public_ip, instance_arn, instance_ami or any credentials is not recommended unless the exposed value is intended to be public.
Recommended VS Code extension for autocompletion
- HashiCorp Terraform
Implement Defined Infrastructures
To review your changes before applying and see what will happen, use this command.
terraform plan
Start applying your resources with this command, then type yes to confirm.
terraform apply
Now you can review the AWS infrastructure you created in the management console.
After applying changes, there will be a .tfstate file containing information about your resources in the cloud, including any credentials and other sensitive attributes they hold, so be careful to store this file in a safe place.
Make Changes
Try switching your instance AMI from ami-0910e4162f162c238 to ami-0293d5edd542189e4. When you run a Terraform command such as apply or plan, Terraform reads your .tfstate file to work out what differs between the recorded state and your configuration. It then applies modifications only to the affected resources. In this scenario, it will delete the existing instance and then create a new instance with the updated AMI.
Clean Up
When you no longer need the created resources, you should terminate them to avoid charges from AWS.
terraform destroy
Terraform will inform you which resources will be terminated; type yes to confirm.
Thank you for reading! Your feedback is valuable to me. Please feel free to leave comments, I appreciate any suggestions for improving my blog.
In the final part, I will provide some guidelines for working with production environments. I will use Terraform Cloud integrated with a GitHub repository. Additionally, I will demonstrate which values should be kept confidential, where to store them, and how to access them safely.
If you’re all set, let’s get started.