When I started to write the blog about AWS SSM I quickly realized that I need a way to bring up and destroy my AWS EC2 playground in an easy and reproducible way. There are several options for this: I could have used the AWS command line interface or AWS CloudFormation. Both work pretty well and would have been more than enough for my simple requirements. In the end I decided to use Terraform for one simple reason: With Terraform you can not only provision on AWS but also on Azure, GCP and many others. So, instead of using a tool which is limited to AWS, using a tool which is vendor independent make much more sense.
For the AWS SSM blog I had several requirements I wanted to address:
- The playground should run in my on VPC so I will not affect any other people doing tests at the same time
- Because I had Windows and Linux EC2 instances two security groups should get created, one allowing SSH and one allowing RDP into the EC2 machines
- Both security groups should allow outbound connections to the internet by using an internet gateway
- Finally two Windows, two Ubuntu, two Red Hat, two SLES and two CentOS instances should get provisioned
Using Terraform all of this is actually quite simple. The first information you’ll need to tell Terraform is the provider you want to use. In my case this is AWS and I am using my “test” AWS profile which is configured for my AWS command line interface, the AWS region I want to use is Frankfurt:
// set the provider to AWS and the AWS region to eu-central-1
provider "aws" {
profile = "test"
region = "eu-central-1"
}
Because I want to limit direct access to the EC2 instances to my own IP address for security reasons I am defining a local variable I am changing each time I am setting this up from a different network. Input variables could also be used for that but in my case a local variable is just fine:
locals {
my_ip = ["37.201.6.8/32"]
}
The first component that actually gets provisioned on AWS is the VPC usinf the aws_vpc resource::
// create the virtual private network
resource "aws_vpc" "dwe-vpc" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "dwe-vpc"
}
}
This defines the IP range I’ll be using, switches the dns parameters to on and gets a tag. As I want my EC2 instances to be able to connect to the internet an internet gateway gets provisioned in the next step, which is attached to the VPC that was created in the step before:
// create the internet gateway
resource "aws_internet_gateway" "dwe-igw" {
vpc_id = "${aws_vpc.dwe-vpc.id}"
tags = {
Name = "dwe-igw"
}
}
Next we need a subnet, again attached to the VPC:
// create a dedicated subnet
resource "aws_subnet" "dwe-subnet" {
vpc_id = "${aws_vpc.dwe-vpc.id}"
cidr_block = "10.0.1.0/24"
availability_zone = "eu-central-1a"
tags = {
Name = "dwe-subnet"
}
}
Routing tables are an important concept in AWS and define how traffic is routed in the VPC. The routing table below enables traffic to the internet through the internet gateway:
// create routing table which points to the internet gateway
resource "aws_route_table" "dwe-route" {
vpc_id = "${aws_vpc.dwe-vpc.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.dwe-igw.id}"
}
tags = {
Name = "dwe-igw"
}
}
Once the routing table is defined it needs to be attached to the subnet:
// associate the routing table with the subnet
resource "aws_route_table_association" "subnet-association" {
subnet_id = "${aws_subnet.dwe-subnet.id}"
route_table_id = "${aws_route_table.dwe-route.id}"
}
For ssh and rdp access to the EC2 instances two security groups get provisioned:
// create a security group for ssh access to the linux systems
resource "aws_security_group" "dwe-sg-ssh" {
name = "dwe-sg-ssh"
description = "Allow SSH inbound traffic"
vpc_id = "${aws_vpc.dwe-vpc.id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = local.my_ip
}
// allow access to the internet
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "dwe-sg-ssh"
}
}
// create a security group for rdp access to the windows systems
resource "aws_security_group" "dwe-sg-rdp" {
name = "dwe-sg-rdp"
vpc_id = "${aws_vpc.dwe-vpc.id}"
description = "Allow RDP inbound traffic"
ingress {
from_port = 3389
to_port = 3389
protocol = "tcp"
cidr_blocks = local.my_ip
}
// allow access to the internet
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "dwe-sg-rdp"
}
}
Both define an inbound rule (ssh and rdp) and an outbound rule for being able to connect the internet. Now, as all the basics are there the EC2 instances itself get provisioned based on the building blocks from above:
// create two Ubuntu instances
resource "aws_instance" "i-ubuntu-linux-prod" {
ami = "ami-0cc0a36f626a4fdf5"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-ubuntu-linux-prod"
}
}
resource "aws_instance" "i-ubuntu-linux-test" {
ami = "ami-0cc0a36f626a4fdf5"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-ubuntu-linux-test"
}
}
// create two Amazon linux instances
resource "aws_instance" "i-amazon-linux-prod" {
ami = "ami-0f3a43fbf2d3899f7"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-amazon-linux-prod"
}
}
resource "aws_instance" "i-amazon-linux-test" {
ami = "ami-0f3a43fbf2d3899f7"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-amazon-linux-test"
}
}
// create two Red Hat linux instances
resource "aws_instance" "i-redhat-linux-prod" {
ami = "ami-0badcc5b522737046"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-redhat-linux-prod"
}
}
resource "aws_instance" "i-redhat-linux-test" {
ami = "ami-0badcc5b522737046"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-redhat-linux-test"
}
}
// create two SUSE linux instances
resource "aws_instance" "i-suse-linux-prod" {
ami = "ami-03b86a97a8f02d44e"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-suse-linux-prod"
}
}
resource "aws_instance" "i-suse-linux-test" {
ami = "ami-03b86a97a8f02d44e"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-suse-linux-test"
}
}
// create two CentOS linux instances
resource "aws_instance" "i-centos-linux-prod" {
ami = "ami-04cf43aca3e6f3de3"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-centos-linux-prod"
}
}
resource "aws_instance" "i-centos-linux-test" {
ami = "ami-04cf43aca3e6f3de3"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-ssh.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "10"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-centos-linux-test"
}
}
// create two Windows instances
resource "aws_instance" "i-windows-prod" {
ami = "ami-034937fd7f621ba85"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-rdp.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "30"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-windows-prod"
}
}
resource "aws_instance" "i-windows-test" {
ami = "ami-034937fd7f621ba85"
instance_type = "t2.micro"
key_name = "dwe-key-pair"
vpc_security_group_ids = ["${aws_security_group.dwe-sg-rdp.id}"]
subnet_id = "${aws_subnet.dwe-subnet.id}"
associate_public_ip_address = "true"
root_block_device {
volume_size = "30"
volume_type = "standard"
delete_on_termination = "true"
}
tags = {
Name = "i-windows-test"
}
}
And that’s it. To check what actually will be done by Terraform there is the “plan” command. As the output is quite long I’ll skip most of it and just present the last few lines:
dwe@dwe:~/Documents/aws/ssm_demo$ terraform plan ... Plan: 19 to add, 0 to change, 0 to destroy. ------------------------------------------------------------------------ Note: You didn't specify an "-out" parameter to save this plan, so Terraform can't guarantee that exactly these actions will be performed if "terraform apply" is subsequently run.
Once you are happy with that you can “apply” the execution plan and everything will get provisioned and you confirmed by “yes”:
dwe@dwe:~/Documents/aws/ssm_demo$ terraform apply Plan: 19 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes
Sit back, relax and one or two minutes later your AWS playground is ready:
aws_vpc.dwe-vpc: Creating... aws_vpc.dwe-vpc: Creation complete after 2s [id=vpc-026cdc481d5365074] aws_internet_gateway.dwe-igw: Creating... aws_subnet.dwe-subnet: Creating... aws_security_group.dwe-sg-ssh: Creating... aws_security_group.dwe-sg-rdp: Creating... aws_subnet.dwe-subnet: Creation complete after 0s [id=subnet-028e27fef8df3b963] aws_internet_gateway.dwe-igw: Creation complete after 0s [id=igw-0656108a04d5ea0a5] aws_route_table.dwe-route: Creating... aws_security_group.dwe-sg-rdp: Creation complete after 1s [id=sg-0764508e3a5234393] aws_route_table.dwe-route: Creation complete after 1s [id=rtb-07691bc54b40af0ae] aws_route_table_association.subnet-association: Creating... aws_instance.i-windows-prod: Creating... aws_instance.i-windows-test: Creating... aws_security_group.dwe-sg-ssh: Creation complete after 1s [id=sg-053995952f558a4ff] aws_instance.i-centos-linux-test: Creating... aws_instance.i-amazon-linux-prod: Creating... aws_instance.i-amazon-linux-test: Creating... aws_instance.i-redhat-linux-prod: Creating... aws_instance.i-centos-linux-prod: Creating... aws_instance.i-redhat-linux-test: Creating... aws_instance.i-ubuntu-linux-test: Creating... aws_route_table_association.subnet-association: Creation complete after 0s [id=rtbassoc-07c7d4282033c4a71] aws_instance.i-ubuntu-linux-prod: Creating... aws_instance.i-windows-prod: Still creating... [10s elapsed] aws_instance.i-windows-test: Still creating... [10s elapsed] aws_instance.i-centos-linux-test: Still creating... [10s elapsed] aws_instance.i-amazon-linux-test: Still creating... [10s elapsed] aws_instance.i-amazon-linux-prod: Still creating... [10s elapsed] aws_instance.i-redhat-linux-prod: Still creating... [10s elapsed] aws_instance.i-centos-linux-prod: Still creating... [10s elapsed] aws_instance.i-redhat-linux-test: Still creating... [10s elapsed] aws_instance.i-ubuntu-linux-test: Still creating... [10s elapsed] aws_instance.i-ubuntu-linux-prod: Still creating... [10s elapsed] aws_instance.i-amazon-linux-test: Creation complete after 13s [id=i-02706717c3440723a] aws_instance.i-suse-linux-test: Creating... aws_instance.i-ubuntu-linux-test: Creation complete after 16s [id=i-0d2999aa319a90a3d] aws_instance.i-centos-linux-test: Creation complete after 16s [id=i-03923fcf9d5881421] aws_instance.i-suse-linux-prod: Creating... aws_instance.i-ubuntu-linux-prod: Creation complete after 16s [id=i-00967725bc758f3ef] aws_instance.i-redhat-linux-test: Creation complete after 16s [id=i-02a705327fb0acb61] aws_instance.i-windows-prod: Creation complete after 16s [id=i-09c3fcc90491ef2cf] aws_instance.i-redhat-linux-prod: Creation complete after 16s [id=i-0161726dfe1ed890b] aws_instance.i-windows-test: Creation complete after 16s [id=i-02f567d11d32444fd] aws_instance.i-amazon-linux-prod: Still creating... [20s elapsed] aws_instance.i-centos-linux-prod: Still creating... [20s elapsed] aws_instance.i-suse-linux-test: Still creating... [10s elapsed] aws_instance.i-amazon-linux-prod: Creation complete after 23s [id=i-0b799879e77ce8b33] aws_instance.i-suse-linux-prod: Still creating... [10s elapsed] aws_instance.i-centos-linux-prod: Still creating... [30s elapsed] aws_instance.i-centos-linux-prod: Creation complete after 32s [id=i-0482d958849f86483] aws_instance.i-suse-linux-test: Still creating... [20s elapsed] aws_instance.i-suse-linux-prod: Still creating... [20s elapsed] aws_instance.i-suse-linux-test: Still creating... [30s elapsed] aws_instance.i-suse-linux-test: Creation complete after 32s [id=i-0b35d559853f9f0d6] aws_instance.i-suse-linux-prod: Still creating... [30s elapsed] aws_instance.i-suse-linux-prod: Creation complete after 33s [id=i-062df970b894a23da] Apply complete! Resources: 19 added, 0 changed, 0 destroyed.
Once you’re done with your tests, simply destroy the whole stuff by usinf the “destroy” command:
dwe@dwe:~/Documents/aws/ssm_demo$ terraform destroy ... Plan: 0 to add, 0 to change, 19 to destroy. Do you really want to destroy all resources? Terraform will destroy all your managed infrastructure, as shown above. There is no undo. Only 'yes' will be accepted to confirm. Enter a value: yes ... aws_security_group.dwe-sg-rdp: Destroying... [id=sg-0764508e3a5234393] aws_security_group.dwe-sg-rdp: Destruction complete after 1s aws_security_group.dwe-sg-ssh: Destruction complete after 1s aws_subnet.dwe-subnet: Destruction complete after 1s aws_vpc.dwe-vpc: Destroying... [id=vpc-026cdc481d5365074] aws_vpc.dwe-vpc: Destruction complete after 0s Destroy complete! Resources: 19 destroyed.
Quite easy, always reproducible and fast.
![Thumbnail [60x60]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/DWE_web-min-scaled.jpg)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/ENB_web-min-scaled.jpg)