Implementing a set of EC2 instances with Terraform, and using AWS Systems Manager with Amazon Simple Notification Service to automate the installation of security agents

Sampath P
5 min read · Aug 1, 2023

The process involved automating the provisioning of EC2 instances and infrastructure using Terraform, which allows for Infrastructure as Code (IaC). Additionally, a specific security agent was required to be installed on all these instances automatically.

After the infrastructure was provisioned, the Run Command feature of AWS Systems Manager was used to automate the installation of the security agent on the EC2 instances. This streamlined the process and ensured that the agents were deployed consistently across all instances.

To keep stakeholders informed about the progress and status of the entire process, the Amazon Simple Notification Service (SNS) was used. It enabled automated email notifications to be sent, providing updates on the various stages of the infrastructure provisioning and security agent installation. This helped keep everyone involved in the loop and ensured transparency throughout the process.

Step-by-Step Process

Tools needed

VS code — https://code.visualstudio.com/download

Zip, and Unzip software

Use the below folder structure to create the files.

  • Planning

Edit the Terraform main.tf file in VS Code:

# Latest Ubuntu 20.04 (Focal) HVM AMI published by Canonical
data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

# Replace the placeholders with your own VPC and subnet IDs
variable "vpc_id" {
  default = "vpc-xxxxxxxxxxxxxxxxxx"
}

variable "subnet_id" {
  default = "subnet-xxxxxxxxxxxxxxxxxx"
}

# Name of the EC2 key pair created in the console (see "Create SSH key pair" below)
variable "key_name" {
  default = "sshkey1"
}

resource "aws_security_group" "allow_ssh" {
  name        = "allow_ssh"
  description = "Allow external SSH connectivity to EC2 instances"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH to EC2"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    # 0.0.0.0/0 exposes port 22 to the whole Internet; outside a lab, narrow this to your operator network
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Unrestricted outbound traffic; the SSM Agent needs outbound HTTPS to reach Systems Manager
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_ssh"
  }
}

resource "aws_instance" "webserver1" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t2.micro"
  key_name                    = var.key_name
  subnet_id                   = var.subnet_id
  vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
  associate_public_ip_address = true

  tags = {
    Name = "webserver1"
  }
}

resource "aws_instance" "webserver2" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t2.micro"
  key_name                    = var.key_name
  subnet_id                   = var.subnet_id
  vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
  associate_public_ip_address = true

  tags = {
    Name = "webserver2"
  }
}

Learn more: https://learn.hashicorp.com/terraform

In the main.tf file above, use your own VPC ID (for learning purposes the default VPC is fine) and a subnet ID that belongs to that VPC.
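The security group above opens port 22 to the whole Internet, and the instances carry no IAM instance profile, which is one of the usual reasons they fail to appear in Systems Manager. The following is an added example, not code from the original post: a hardened variant of the same security group plus the instance profile the SSM Agent needs. Resource names and the 203.0.113.0/24 CIDR are placeholders.

```hcl
# Added example, not from the original post; names and the 203.0.113.0/24 CIDR are placeholders.
resource "aws_security_group" "allow_ssh_restricted" {
  name        = "allow_ssh_restricted"
  description = "SSH only from the operator network, not 0.0.0.0/0"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from operator CIDR only (RFC 5737 documentation range as placeholder)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # SSM Agent needs outbound HTTPS to the Systems Manager endpoints
  }
}

# EC2 assumes this role; AmazonSSMManagedInstanceCore is the AWS managed policy that lets
# the SSM Agent register, so the instances appear in Run Command and Session Manager.
resource "aws_iam_role" "ssm_instance" {
  name = "ec2-ssm-instance-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ssm_instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "ssm_instance" {
  name = "ec2-ssm-instance-profile"
  role = aws_iam_role.ssm_instance.name
}
```

To use it, set `iam_instance_profile = aws_iam_instance_profile.ssm_instance.name` in each aws_instance block and point `vpc_security_group_ids` at `aws_security_group.allow_ssh_restricted.id`.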

Because Terraform is run from AWS CloudShell, which uses the credentials of the signed-in console session, no access key or secret key needs to be set in provider.tf:

# Credentials come from the CloudShell session; never hard-code keys here
provider "aws" {
  region = "us-east-1"
  #access_key = "XXXXXXXXX"
  #secret_key = "XXXXXXXXX"
}

After saving all the files, zip the folder and keep the archive; it is uploaded in a later step.

Create SSH key pair

name: sshkey1
format: .pem
  • Install Terraform on AWS Cloud Shell

Open the cloud shell and use the below commands to install Terraform in the AWS cloud shell.

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
sudo yum -y install terraform

> Upload your edited terraform code to AWS Cloud Shell and unzip it

Run Terraform from the folder created by unzipping the archive (the one containing main.tf and provider.tf):

$ terraform init
$ terraform plan
$ terraform apply
  • AWS Systems Manager

Create an IAM role: go to the IAM service -> Roles -> Create role, and name it SystemsManagerToSNS.

Select the “AmazonSNSFullAccess” policy when prompted to attach permissions.

Go to Amazon SNS, create a notification topic named DevOpsNotification and copy its ARN (keep it somewhere handy; it is needed later).

After creating the topic, create a subscription of type email and enter an email address you have access to. The new subscription will initially show a “pending” status because the address has to be confirmed: click the link in the confirmation email that SNS sends to that inbox.
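The console steps above can be kept in Terraform alongside the instances. The following is an added example, not code from the original post: the topic, the email subscription, and the role Run Command assumes to publish notifications, with sns:Publish scoped to this one topic instead of AmazonSNSFullAccess. The email address is a placeholder.

```hcl
# Added example, not from the original post: the SNS topic, e-mail subscription and
# the role Run Command assumes to publish notifications. Names and the address are assumptions.
resource "aws_sns_topic" "devops" {
  name = "DevOpsNotification"
}

resource "aws_sns_topic_subscription" "ops_email" {
  topic_arn = aws_sns_topic.devops.arn
  protocol  = "email"
  endpoint  = "ops@example.com" # placeholder; stays "pending" until the link in the e-mail is clicked
}

# Only the Systems Manager service may assume this role.
resource "aws_iam_role" "ssm_to_sns" {
  name = "SystemsManagerToSNS"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ssm.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege in place of AmazonSNSFullAccess: publish to this one topic, nothing else.
resource "aws_iam_role_policy" "publish_devops_topic" {
  name = "publish-devops-notification"
  role = aws_iam_role.ssm_to_sns.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sns:Publish"
      Resource = aws_sns_topic.devops.arn
    }]
  })
}

output "sns_topic_arn" {
  description = "Paste this into the Run Command SNS Topic field"
  value       = aws_sns_topic.devops.arn
}
```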

Run the System Manager Quick Setup

Targets: choose instances manually

Validate the ‘configuration’: “Success” status

Explore the Session Manager (please note: if the EC2 instances don’t show up, reboot both instances using the EC2 console to re-run the SSM-agent startup script)

Execute “Run Command” to deploy the “security agent installation”

Command document: AWS-RunShellScript

Command parameters:

# Download the installer to /tmp; this runs the fetched script as root, so pin and verify its checksum outside a lab
sudo wget -q https://tcb-bootcamps.s3.amazonaws.com/bootcamp-aws/en/install_security_agent.sh -P /tmp
sudo chmod +x /tmp/install_security_agent.sh
sudo /tmp/install_security_agent.sh
# Verify the agent binary was installed
ls -ltr /usr/bin/security_agent

Targets: choose instances manually

Uncheck enable writing to S3 Bucket.

Enable SNS Notification

IAM Role: SystemsManagerToSNS
SNS Topic: <ARN> (the topic ARN saved when the SNS topic was created)

Events notifications: all Events

Change notifications: Command status on each instance changes

Helpful resources:

https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ec2-instance-not-appear/

Sampath P

Cloud and DevOps | AWS | GCP | Microsoft Azure | Terraform | Ansible