Infrastructure as Code and Secrets Management – Lesson 3

### Lesson 3 Overview
In this lesson we’ll build all of the infrastructure depicted here, including the network and security layer.
![IA Logical](https://s3.us-east-2.amazonaws.com/cssdjango.prd.cloudshiftstrategies.com/media/images/iac_lab_logical.original.png)
 
 
### Lesson 3
 
  1. Review/update the Terraform script variables

     * **WARNING!** If two or more people are using the same AWS account for this lab, you MUST:
       * Change the `stageName` variable in variables.tf to a unique 3-character string (e.g. your initials).
       * Change the `vpcCidr` variable in variables.tf to a unique CIDR for each lab user (e.g. 10.x.0.0).
     * **NOTE:** this lab will work in any region by changing the `region` variable, as long as you update the `webAmi` and `vaultAmi` variables in variables.tf to the correct Amazon Linux 2 AMI ID (the `ami-` name) for that region.
     * To update the variables using nano (for NON-UNIX geeks). To save in nano: [CTRL-X] [Y] [ENTER]

       ```
       nano ~/iac_lab/terraform/variables.tf
       ```

     * or with vim (for UNIX geeks)

       ```
       vi ~/iac_lab/terraform/variables.tf
       ```
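As an added check before you move on (not part of the lab's own scripts): a small validator for the settings above. It assumes variables.tf declares each variable as `variable "name" { default = "..." }`, treats `vpcCidr` as the network address of a /16 as the 10.x.0.0 hint suggests, and only checks that the AMI values look like AMI IDs, since it cannot confirm offline that they exist in the chosen region.

```python
import ipaddress
import re

# Constructed sample in the assumed shape of the lab's variables.tf.
VARIABLES_TF = '''
variable "region"    { default = "us-east-2" }
variable "stageName" { default = "jdo" }
variable "vpcCidr"   { default = "10.7.0.0" }
variable "webAmi"    { default = "ami-0123456789abcdef0" }
variable "vaultAmi"  { default = "ami-0123456789abcdef0" }
'''

# Pulls (name, default) pairs out of variable blocks; never crosses a closing brace.
VAR_RE = re.compile(r'variable\s+"(\w+)"\s*\{[^}]*?default\s*=\s*"([^"]*)"')


def parse_defaults(hcl_text):
    """Map variable name -> default string value."""
    return dict(VAR_RE.findall(hcl_text))


def check_lab_variables(hcl_text, cidrs_in_use=()):
    """Return a list of problems; an empty list means the file is safe to apply.

    cidrs_in_use: 10.x.0.0 bases already claimed by other lab users on this account.
    """
    v = parse_defaults(hcl_text)
    problems = []
    stage = v.get("stageName", "")
    if not (len(stage) == 3 and stage.isalnum() and stage.islower()):
        problems.append(f"stageName {stage!r} must be 3 lowercase alphanumerics")
    try:
        # strict=True rejects addresses with host bits set, e.g. 10.7.1.0/16
        net = ipaddress.ip_network(f"{v.get('vpcCidr', '')}/16", strict=True)
        if not net.subnet_of(ipaddress.ip_network("10.0.0.0/8")):
            problems.append(f"vpcCidr {net} is outside 10.0.0.0/8")
        for other in cidrs_in_use:
            if net.overlaps(ipaddress.ip_network(f"{other}/16")):
                problems.append(f"vpcCidr {net} overlaps another lab user's {other}/16")
    except ValueError as e:
        problems.append(f"vpcCidr invalid: {e}")
    for key in ("webAmi", "vaultAmi"):
        # Format check only: a real AMI ID is "ami-" plus 8 or 17 hex characters.
        if not re.fullmatch(r"ami-[0-9a-f]{8,17}", v.get(key, "")):
            problems.append(f"{key} must be an AMI ID valid in region {v.get('region')}")
    return problems


if __name__ == "__main__":
    print(check_lab_variables(VARIABLES_TF, cidrs_in_use=["10.0.0.0", "10.1.0.0"]) or "OK")
```

Run it against your real file with `check_lab_variables(open("variables.tf").read(), cidrs_in_use=[...])` filled with your classmates' ranges.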
 
  2. Create an S3 bucket required to store Terraform state

     * This script reads the s3state.tf file, then checks whether the bucket name is available in AWS. If it is not, it generates a random bucket suffix and tries to create that bucket instead.

       ```
       cd ~/iac_lab/terraform/scripts
       ./create_s3bucket.py
       ```
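An added illustration of the bucket-selection logic described above; this is not the lab's own create_s3bucket.py, and the backend block layout of s3state.tf and the 6-hex-character suffix format are assumptions. The `harden_state_bucket` helper takes an already-created boto3 S3 client and applies the settings a state bucket needs, because the state written there will hold the database root password that `TF_VAR_dbRootPass` supplies later in this lesson.

```python
import re
import secrets

# Constructed sample in the assumed shape of the lab's s3state.tf backend block.
S3STATE_TF = '''
terraform {
  backend "s3" {
    bucket = "myproject-dev-tfstate"
    key    = "terraform.tfstate"
    region = "us-east-2"
  }
}
'''


def parse_state_bucket(hcl_text):
    """Return the bucket name from the backend "s3" block, or None if absent."""
    m = re.search(r'backend\s+"s3"\s*\{[^}]*?\bbucket\s*=\s*"([^"]+)"', hcl_text)
    return m.group(1) if m else None


def choose_bucket_name(base, name_is_taken, rng=secrets, attempts=5):
    """Try the configured name first; S3 names are global, so if it is taken
    append a random suffix (assumed format: "-" + 6 hex chars) and retry."""
    if not name_is_taken(base):
        return base
    for _ in range(attempts):
        candidate = f"{base}-{rng.token_hex(3)}"
        if not name_is_taken(candidate):
            return candidate
    raise RuntimeError(f"no free bucket name found after {attempts} attempts")


def harden_state_bucket(s3, name):
    """Terraform state stores variable values such as the DB root password in
    plaintext, so block public access, encrypt at rest and keep versions.
    `s3` is a boto3 S3 client (boto3.client("s3")); not created here."""
    s3.put_public_access_block(Bucket=name, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    s3.put_bucket_encryption(Bucket=name, ServerSideEncryptionConfiguration={
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]})
    s3.put_bucket_versioning(Bucket=name, VersioningConfiguration={"Status": "Enabled"})
    return name
```

With a real client, `name_is_taken` would be a wrapper around `head_bucket` that treats a 403 (owned by someone else) the same as an existing bucket, and 404 as free.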
 
  3. Create a private SSH key file in the ~/iac_lab/terraform/ssh directory

     * We need to give AWS an SSH public key to install on the Linux instances it provisions so that we can access them. So create a new key (the public key is stored in ~/iac_lab/terraform/ssh/id_rsa.pub):

       ```
       cd ~/iac_lab/terraform/scripts
       ./create_sshkey.sh
       ```
 
  4. Run terraform init

     * The `terraform init` process does basic syntax checking of our *.tf files, downloads any required modules and providers (like AWS) and sets up our tfstate file in the S3 bucket.

       ```
       cd ~/iac_lab/terraform
       terraform init
       ```
 
  5. Run terraform plan

     * `terraform plan` compares the infrastructure defined in your *.tf files to what's actually running in your provider (AWS in this case). When complete, `terraform plan` will output a summary of the resources that would be built on `terraform apply`.
     * *Note*: Setting the following environment variable sets the root password for the database. In the real world, you would use something very secure.

       ```
       export TF_VAR_dbRootPass=myDbPassword
       terraform plan
       ```

     * EXAMPLE successful output

       ```
       tags.Name: "VPC Peering default VPC and the myproject-dev-vpc"
       tags.Project: "myproject"
       tags.Stage: "dev"
       vpc_id: "${aws_vpc.vpc.id}"

       Plan: 74 to add, 0 to change, 0 to destroy.

       ------------------------------------------------------------------------

       Note: You didn't specify an "-out" parameter to save this plan, so Terraform
       can't guarantee that exactly these actions will be performed if
       "terraform apply" is subsequently run
       ```
 
  6. Run terraform apply

     * This is the big mother. `terraform apply` will ask you to provide a database password again and will also ask you to confirm with a "yes" that you actually intend to build/destroy/modify the resources.
     * *Note*: the following command will build 74+ AWS resources including VPCs, database clusters, autoscaling groups and load balancers. It usually takes about 10 minutes to complete.

       ```
       terraform apply -auto-approve
       ```

     * While the resources are building, take a look at the scripts on [https://github.com/cloudshiftstrategies/iac_lab/tree/master/terraform](https://github.com/cloudshiftstrategies/iac_lab/tree/master/terraform)
 
  7. Check out our web application

     * When the build is complete and the web servers are online, you should be able to browse to the load balancer's public DNS name and check out our web page.
     * To get the load balancer's DNS name, from the provisioning host run the following:

       ```
       cd ~/iac_lab/terraform
       terraform output LOADBALANCER_DNS
       ```

     * Or, from the AWS console, navigate to the following:
       AWS Console > EC2 > Load Balancers > select your ALB > Public DNS
     * The code that built this web page is located in ~/iac_lab/iacapp. The web servers check the code out from GitHub when they are built. These web servers are intended to be one-time-use servers: when you want to release new code, just terminate the instance and let the autoscaling group provision a new one.
     * When looking at the web page, notice that the VAULT tab and DATABASE tab aren't connecting to the database; we'll fix that in the next lesson.
 
## Lesson 3 Summary
 
In this lesson, we completed the following tasks:
 
  1. Customized the variables for our environment
  2. Created an s3 bucket to store our terraform state file
  3. Created a pair of ssh keys that we will pass to AWS to install on our instances for authentication
  4. Ran `terraform init` to do basic syntax checking and download required modules (AWS)
  5. Ran `terraform plan` to see what the apply will do
  6. Ran `terraform apply` to build our resources
  7. Checked out our web application! But no database connectivity. 🙁
 
In Lesson 4 we’ll configure the vault server so the web servers can connect to the database