Implementation of a set of EC2 instances using Terraform and AWS Systems Manager configuration with Amazon Simple Notification Service for automated installation of security agents

Mohan Manickam
5 min read · Dec 31, 2022


Project description:

In this project, based on a real-world scenario, I acted as a DevSecOps Engineer and deployed a set of EC2 instances and their infrastructure in an automated way using Terraform (infrastructure as code, IaC). It was also necessary to install a specific security agent on all these instances in an automated way.

Once I had provisioned the infrastructure, AWS Systems Manager and its Run Command component were used to install the security agents in an automated way. I used the Amazon Simple Notification Service (SNS) to send an email reporting the status of the whole process.

Infrastructure Setup using Terraform:

As mentioned in the project description above, the first step is to create a couple of EC2 instances using Terraform in an automated way.

Terraform is an infrastructure as code tool that lets you build, change, and version cloud and on-prem resources safely and efficiently. Terraform supports many providers; for the AWS provider, refer to the following documentation.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs

To make things easier and avoid syntax errors, it is always better to use an IDE when writing Terraform scripts. There are several free IDEs available, but I prefer VSCode with the HashiCorp Terraform plugin.

I have my Terraform project workspace set up and created my Terraform scripts in two files, main.tf and provider.tf. I mostly used the default VPC and subnet that exist when we create our AWS account.

Once the Terraform scripts are ready, go to the EC2 service -> Network & Security section, select Key Pairs and create an SSH key pair in the .pem file format.
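The post does not show its main.tf and provider.tf, so here is an added example (my own, not the author's files) of what the two could look like combined into one configuration: the AWS provider, the account's default VPC and subnet, two EC2 instances, and an instance profile carrying the AWS managed AmazonSSMManagedInstanceCore policy so the instances can register with Systems Manager later. The region, instance type, key pair name, AMI filter and tag values are assumptions. Two hardening settings a practitioner would want are included: IMDSv2 is required so the instance role credentials cannot be fetched with a plain GET, and the root volume is encrypted.

```hcl
terraform {
  required_version = ">= 1.3"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# provider.tf: the region is an assumption; match it to the one you use in the console
provider "aws" {
  region = "us-east-1"
}

# main.tf: reuse the account's default VPC and one of its subnets
data "aws_vpc" "default" {
  default = true
}

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

# Latest Amazon Linux 2023 AMI published by Amazon (ships with the SSM agent preinstalled)
data "aws_ami" "amazon_linux" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["al2023-ami-2023*-x86_64"]
  }
}

# Instance role with only what the SSM agent needs to register and receive commands
resource "aws_iam_role" "instance" {
  name = "ec2-ssm-managed-instance"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "instance" {
  name = "ec2-ssm-managed-instance"
  role = aws_iam_role.instance.name
}

resource "aws_instance" "app" {
  count = 2

  ami                  = data.aws_ami.amazon_linux.id
  instance_type        = "t3.micro"
  subnet_id            = data.aws_subnets.default.ids[0]
  key_name             = "my-ssh-key" # assumption: the .pem key pair created in the console
  iam_instance_profile = aws_iam_instance_profile.instance.name

  # Require IMDSv2 so role credentials cannot be read with an unauthenticated GET
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    encrypted = true
  }

  tags = {
    Name = "app-${count.index + 1}"
    Role = "app"
  }
}

# Instance IDs to select as targets in Systems Manager
output "instance_ids" {
  value = aws_instance.app[*].id
}
```

With the instance profile attached here, the instances appear in Fleet Manager as soon as the SSM agent starts; the Host Management quick setup described later attaches an equivalent profile for instances that lack one.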

Now we have everything required to run our Terraform scripts to create our EC2 instances in an automated way.

I am planning to use AWS CloudShell to run my Terraform scripts. To do this, we first have to install Terraform in CloudShell. Sample commands below.

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
sudo yum -y install terraform

Once done, let's upload our Terraform scripts to AWS CloudShell and run the Terraform commands in sequence.

terraform init
terraform plan
terraform apply

If everything goes well, we should see our 2 new EC2 instances up and running in the AWS console.

Alright, let's move on to the next part of our implementation.

Simple Notification Service:

Go to the IAM service and create a new IAM role called SystemsManagerToSNS with the policy AmazonSNSFullAccess.

Create a notification topic named DevOpsNotification in Simple Notification Service and note down its ARN, which is required later when we configure Systems Manager -> 'Run Command'.

Once the topic is created, select the 'Create Subscription' option and add your email address to receive the notifications.
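The same three console steps (topic, email subscription, service role) expressed in Terraform, as an added example that is not part of the original post. The email address is an assumption. Where the post attaches AmazonSNSFullAccess to the role, this version grants sns:Publish on the one topic only, which is all Systems Manager needs to deliver the notification; the two outputs are the values you paste into Run Command later.

```hcl
# Assumes the aws provider is configured in provider.tf

# Topic that Run Command publishes status notifications to
resource "aws_sns_topic" "devops" {
  name = "DevOpsNotification"
}

# Email subscription; the recipient must confirm it from the email SNS sends
resource "aws_sns_topic_subscription" "devops_email" {
  topic_arn = aws_sns_topic.devops.arn
  protocol  = "email"
  endpoint  = "devops@example.com" # assumption
}

# Service role that Systems Manager assumes to publish the notification
resource "aws_iam_role" "systems_manager_to_sns" {
  name = "SystemsManagerToSNS"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ssm.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least-privilege replacement for AmazonSNSFullAccess: publish to this topic only
resource "aws_iam_role_policy" "publish_devops_topic" {
  name = "publish-devops-notification"
  role = aws_iam_role.systems_manager_to_sns.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sns:Publish"
      Resource = aws_sns_topic.devops.arn
    }]
  })
}

# The two values the Run Command notification section asks for
output "sns_topic_arn" {
  value = aws_sns_topic.devops.arn
}

output "notification_role_arn" {
  value = aws_iam_role.systems_manager_to_sns.arn
}
```

Until the subscription is confirmed, SNS shows it as pending and no email is delivered, so confirm it before running the first command.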

So far we have provisioned 2 new EC2 instances using Terraform and created an SNS topic with a subscription. Let's move on to the last part of our implementation.

AWS Systems Manager:

In this section we will configure AWS Systems Manager and use one of its components, Run Command, to install the security agents in an automated way and receive the notification via the SNS topic configured above.

Search for the Systems Manager service and choose your region.

Select the 'Host Management' option and choose the 'Manual' target instance option, which allows us to select our 2 EC2 instances; then hit 'Create' to see the status. If all goes well, the status will be Success.

Now review Session Manager and connect to the instances through the browser-based shell. If the EC2 instances don't show up, reboot both instances from the EC2 console to re-run the SSM agent startup script. If there are still issues, refer to the AWS documentation to triage.

https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ec2-instance-not-appear/

Now configure Run Command to deploy the "security agent installation". The option is under the 'Node Management' section.

Choose the command document 'AWS-RunShellScript' and fill in the command parameters.

Under Targets, select "Choose instances manually" and uncheck "Enable writing to an S3 bucket".

Enable the SNS notifications checkbox and provide the IAM role and SNS topic ARN values that we created and copied earlier.

Verify all the configuration and hit the 'Run' button.

If all is successful, you should receive an email whenever the Run Command executes.
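The console steps above run the installation once. As an added example that is not part of the post, the same AWS-RunShellScript document can be applied through a State Manager association managed in Terraform, which re-applies the install on instances that drift and reports compliance in Systems Manager. The agent download URL, checksum, package name and service name are placeholders for your vendor's installer, and the instance IDs are passed in as a variable (for instance the instance_ids output of main.tf). The script verifies the installer's SHA-256 against the vendor-published value before installing, so a tampered or truncated download fails the command instead of being installed. Run Command's SNS notification option has no equivalent on an association, so the email notification stays with the one-off Run Command.

```hcl
# Assumes the aws provider is configured in provider.tf

variable "instance_ids" {
  description = "IDs of the EC2 instances to install the security agent on"
  type        = list(string)
}

resource "aws_ssm_association" "security_agent" {
  name             = "AWS-RunShellScript"
  association_name = "install-security-agent"

  targets {
    key    = "InstanceIds"
    values = var.instance_ids
  }

  # The commands parameter is the script AWS-RunShellScript executes as root on each instance
  parameters = {
    commands = <<-EOT
      #!/bin/bash
      set -euo pipefail
      # Placeholders: use your vendor's installer URL and the checksum the vendor publishes
      INSTALLER_URL="https://downloads.example.invalid/security-agent.rpm"
      EXPECTED_SHA256="REPLACE_WITH_VENDOR_SHA256"
      PKG=/tmp/security-agent.rpm

      # Exit cleanly when the agent (placeholder package name) is already present, so re-runs are idempotent
      if rpm -q security-agent >/dev/null 2>&1; then
        echo "security-agent already installed"
        exit 0
      fi

      # HTTPS only; -f makes curl fail on HTTP errors instead of saving an error page
      curl -fsSL --proto '=https' -o "$PKG" "$INSTALLER_URL"
      # Refuse to install a download whose checksum does not match the published value
      echo "$EXPECTED_SHA256  $PKG" | sha256sum -c -
      yum install -y "$PKG"
      systemctl enable --now security-agent
      rm -f "$PKG"
    EOT
  }

  # One instance at a time, stop at the first failure, and flag non-compliance as HIGH
  max_concurrency     = "1"
  max_errors          = "0"
  compliance_severity = "HIGH"
}

output "association_id" {
  value = aws_ssm_association.security_agent.association_id
}
```

Apply it with terraform apply -var='instance_ids=["i-...","i-..."]' using the IDs from the Terraform output; the association status and per-instance compliance are then visible under State Manager in the Systems Manager console.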

Awesome! As part of this project, we've provisioned two EC2 instances using Terraform and used AWS Systems Manager and its Run Command component to install the security agents in an automated way. We also leveraged the Amazon Simple Notification Service (SNS) to receive an email reporting the status of the whole process.
