Forem: Emre Oztoprak

Host a static website on AWS under a minute with Terraform

Emre Oztoprak — Sun, 14 Nov 2021 20:23:32 +0000

If you have a static website and you want a simple solution, S3 and Cloudfront are great choices. S3 with Cloudfront secure, scalable way to host static content. Also, we will get an SSL certificate for our domain and it will be free.

Prerequisites

Before the deployment of this terraform module, make sure your hosted zone exists in Route 53 and move your domain to Route53 by changing NS records on your DNS provider.

We will use 4 AWS Services;

S3 - Storing website files (HTML, CSS, JavaScript)
Cloudfront - CDN
Certificate Manager - SSL Certificate
Route 53 - DNS records

Since we are using Cloudfront we don't need the public bucket, so we will create a private S3 bucket. We will use OAI (Origin Access Identity) settings when we create Cloudfront. This means that only our Cloudfront distribution can access and read the files in our S3 bucket. Also, we will create an SSL certificate from Certificate Manager and Cloudfront redirect all HTTP traffic to HTTPS.

First clone the repository

git clone git@github.com:emreoztoprak/terraform-aws-s3-cloudfront-acm.git

Change these two variables in the terraform.tfvars file.


SiteTags = "Example" (Tag value of the resources.)

domainName = "example.com"

You can now run this module when you change the variables.

terraform init
terraform plan
terrafom apply --auto-approve

After the deployment is completed upload your website files to in S3 Bucket. I configured DefaultRootObject as index.html. Basically, when users access your root URL they will see index.html file.

I just uploaded a simple HTML file.

Congratulations. You made it. :)

Hope you find this tutorial helpful!

Deploy Elastic Beanstalk Application with Terraform

Emre Oztoprak — Thu, 21 Oct 2021 12:54:18 +0000

AWS Elastic Beanstalk is a managed service for deploying and scaling web applications and services. It supports languages such as Java, .NET, PHP, Node.js, Python, Ruby, Go, and also Docker. You can deploy these applications on Apache, Nginx, Passenger, and IIS.

But Elastic Beanstalk has a lot of configurations. With Terraform we can automate this process. Later we can use the same Terraform script just changing variables.

With this Terraform configuration, we will create PHP 8.0 Elastic Beanstalk WebServer Environment on Amazon Linux 2 and Nginx. Also Application Load Balancer and SSL certificate for our domain. We will validate this certificate, create A record for our domain and it will be pointed to Elastic Beanstalk Environment. In the end, it will create Cloudwatch alarms for Elastic Beanstalk Environment Health, LoadBalancer 5xx requests, and network out the traffic of our instances.

Structure of our Terraform Configurations

Requirements

Create EC2 Key Pair
Creating key pair in the EC2 console and using the name of that key pair in Terraform is a secure way than passing the public key pair file in Terraform.

SNS Topic
When Cloudwatch alarms are triggered you will get notifications via SNS. You can add subscriptions like E-Mail, SMS, or HTTP-HTTPS endpoint like Opsgenie. You can use the same SNS Topic later in different alarms.

Route53 Public Hosted Zone
SSL Certification and DNS Records for your domain

Deployment

Clone the repository.

git@github.com:emreoztoprak/terraform-aws-elasticbeanstalk.git

Change the variables in the terraform.tfvars file

I set up one subnet for EC2 Instance and two subnets for ALB. You can change this any number you want.

When everything is ready you can deploy with these 4 commands.

terraform init
terraform validate
terraform plan
terraform apply

Finally :)

Github repo

I hope it was useful. Thank you for reading this article.

Send AWS Config Notification to Slack

Emre Oztoprak — Wed, 06 Oct 2021 11:20:05 +0000

What is AWS Config?

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

That’s what AWS say. It’s basically compliance and auditing tool for your AWS resources. You can track your resources are compliant or not, according to the rules. Here are some sample rules;

Ssh port disabled off all my instances?
Deletion protection enabled on all my RDS instances?
IAM Access Keys rotating every 90 day?

But there aren’t only 3 rules, there are too many rules. You can’t track all rules by manually. You want to get notified when a rule change status to non-compliant.

We will do this by Amazon Eventbridge and little python code.
Here our python code.

import json, boto3, requests

def lambda_handler(event, context):

    time = event['time']
    region = event['region']
    rule = event["detail"]["configRuleName"]
    resource_type = event["detail"]["newEvaluationResult"]["evaluationResultIdentifier"]["evaluationResultQualifier"]["resourceType"]
    resource_id = event["detail"]["resourceId"]
    compliance = event["detail"]["newEvaluationResult"]["complianceType"]

    webhook_url = "YOUR SLACK WEBHOOK URL"
    slack_data = slack_data = {
    "blocks": [
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "\n*Config Compliance Change* :alert_:"
            }
        },
        {
            "type": "divider"
        },
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "*`Compliance:`*  " + compliance + "\n*`Time:`* " + time + "\n*`Region:`* " + region + "\n*`Rule:`* " + rule +"\n*`Resource Type:`* "+resource_type+"\n*`Resource ID:`* "+ resource_id
            },
            "accessory": {
                "type": "image",
                "image_url": "https://i.ibb.co/BjWcWKt/Picture1.png",
                "alt_text": "thumbnail"
            }
        },
        {
            "type": "divider"
        },
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "For more details."
            },
            "accessory": {
                "type": "button",
                "text": {
                    "type": "plain_text",
                    "text": "AWS Config"
                },
                "value": "click_me_123",
                "url": "https://console.aws.amazon.com/config/home?region="+region+"#/timeline/"+resource_type+"/"+resource_id+"/configuration",
                "action_id": "button-action"
            }
        }
    ]
}
    response = requests.post(
        webhook_url, data=json.dumps(slack_data),
        headers={'Content-Type': 'application/json'}
    )
    if response.status_code != 200:
        raise ValueError(
            'Request to slack returned an error %s, the response is:\n%s'
            % (response.status_code, response.text)
    )

After uploading our code to lambda, we open the Eventbridge console. First we need event pattern.

{
  "source": ["aws.config"],
  "detail-type": ["Config Rules Compliance Change"],
  "detail": {
    "messageType": ["ComplianceChangeNotification"],
    "newEvaluationResult": {
      "complianceType": ["NON_COMPLIANT"]
    }
  }
}

This event will trigger our lambda function when “complianceType” goes “NON_COMPLIANT” status.

Everything is ready now it’s time to see the results.

AWS Config always checks your resources and rules and if a NON_COMPLIANT type event occurs you will get notification like this.

Thank you for taking the time and reading. I hope it was useful.