Forem: Raji Risikat Yewande

Automation: Onboard New Engineers on Linux with Best Practice Bash/Shell Scripting.

Raji Risikat Yewande — Tue, 02 Jul 2024 19:28:27 +0000

Synopsis

Your role is SysOps or SysAdmin Engineer, you are tasked with onboarding new engineers on most of the company's Linux servers. Users, groups, and home directories would be created. Access permissions for each user following the rule of less privilege should be observed. It would be inefficient to do so manually, looking at the number of servers and new engineers to be onboarded.

I have created a script that meets the basic requirements and some more.

It puts measures in place for errors while running the script, creates secure files to store user lists and passwords, creates files to debug and log processes, and finally sends notifications on both the terminal and Slack, all while following best practices.

Essentials:

An Ubuntu server
Basic Git Knowledge
Basic Linux Knowledge
A terminal user with sudo privileges.

Procedures:

I would walk you through the logic flow of the script, lets take them in sections.

1. Initiation Setup Section

#!/bin/bash
set -e
# Define log and secure password files
LOG_FILE="/var/log/user_management.log"
SECURE_PASSWORD_FILE="/var/secure/user_passwords.txt"
SECURE_PASSWORD_CSV="/var/secure/user_passwords.csv"
SLACK_WEBHOOK_URL="https://hooks.slack.com/services/WandesDummySlack/webhook/url"

# Define custom exit codes
E_INVALID_INPUT=10
E_USER_CREATION_FAILED=20
E_GROUP_CREATION_FAILED=30
E_ADD_USER_TO_GROUP_FAILED=40

# Define resource limits
ulimit -t 60  # CPU time limit in seconds
ulimit -v 1000000  # Virtual memory limit in kilobytes

sudo mkdir -p /var/log
sudo mkdir -p /var/secure
sudo touch "$LOG_FILE"
sudo touch "$SECURE_PASSWORD_FILE"
sudo touch "$SECURE_PASSWORD_CSV"
sudo chmod 600 "$SECURE_PASSWORD_FILE"
sudo chmod 600 "$SECURE_PASSWORD_CSV"

Valid bash scripts begin with #!/bin/bash, its called a shebang or hashbang and it tells the OS what interpreter to use. set -e is a personal default line of mine for exiting a script the moment an error occurs. The next lines are variables and they store the value of the intended files and urls. I have 3 files that log every action, store user passwords, and my slack webhook url for notifications once a user has been onboarded successfully. Next lines are exit codes, timeouts and resource limits I defined in the script for easy debugging, hanging runs and resource optimization.
The last set of lines in this stage show all absolute file paths and their corresponding files, which would be created and properly secured with permissions. The 600 in chmod 600 indicates that only the owner has read and write rights on the file; others have zero access.

2. Functions Section

# Function to log messages to the log file
log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | sudo tee -a "$LOG_FILE" > /dev/null
}

# Function to send notifications to Slack
send_slack_notification() {
    local message=$1
    curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"${message}\"}" "$SLACK_WEBHOOK_URL"
}

# Function to generate a random password of length 12
generate_random_password() {
    < /dev/urandom tr -dc A-Za-z0-9 | head -c10
}

# Function to validate input format for usernames and groups
validate_input() {
    local username=$1
    local groups=$2

    if [[ -z "$username" || -z "$groups" ]]; then
        log "Error: Invalid input. Usernames and groups are required."
        send_slack_notification "Invalid input provided. Usernames and groups are required."
        exit $E_INVALID_INPUT
    fi
}

Function definitions are placed at the beginning to ensure they are available when called later in the script. As the comments on each function describes, these functions do different things. The first uses the stored message and webhook variables to make up the body of the curl it would make to Slack Channel in json format, the second generates a 10-character password piped from random 1–10 and A–Z alphanumeric characters; and the third uses the if fi statement to validate the username and group name from the text file input. It also logs an error for this step if it occurs.

# Function to create a user and set up their home directory
create_user() {
    local username=$1
    local password=$2

    # Check if the user already exists
    if id "$username" &>/dev/null; then
        log "User $username already exists. Skipping user creation."
    else
        log "Creating user $username."
        # Attempt to create the user with a timeout
        timeout 10 sudo useradd -m -s /bin/bash "$username" || {
            log "Failed to create user $username."
            send_slack_notification "Failed to create user $username."
            exit $E_USER_CREATION_FAILED
        }
        # Set the user's password and home directory permissions
        echo "$username:$password" | sudo chpasswd
        sudo chmod 700 "/home/$username"
        sudo chown "$username:$username" "/home/$username"
        log "User $username created successfully with password $password."
        echo "$username:$password" | sudo tee -a "$SECURE_PASSWORD_FILE" > /dev/null
        echo "$username,$password" | sudo tee -a "$SECURE_PASSWORD_CSV" > /dev/null
    fi
}

# Function to create a group
create_group() {
    local groupname=$1

    # Check if the group already exists
    if getent group "$groupname" &>/dev/null; then
        log "Group $groupname already exists."
    else
        log "Creating group $groupname."
        # Attempt to create the group with a timeout
        timeout 10 sudo groupadd "$groupname" || {
            log "Failed to create group $groupname."
            send_slack_notification "Failed to create group $groupname."
            exit $E_GROUP_CREATION_FAILED
        }
        log "Group $groupname created successfully."
    fi
}

The two functions above for creating users and groups use an if, else, fi statement to process their logic. The first has the username validated variable from prevoius function being used to verify existing user before executing the add user command with a timeout to prevent lag, then it sets the user's password by piping to chpasswd. It then goes ahead to secure a chmod 700 permission for restrictive access for the home directory. The second for the group is quite similar, just that it is a group being created this time, not a user. Both functions have a log line to log errors as well.

3. Onboarding Section

onboard_user() {
    local username=$1
    local groups=$2

    # Validate the input format
    validate_input "$username" "$groups"

    # Generate a random password for the user
    local password=$(generate_random_password)

    # Create the user with the generated password
    create_user "$username" "$password"

    # Create a personal group for the user
    create_group "$username"

    # Add the user to their personal group
    add_user_to_group "$username" "$username"

    # Process and add the user to the specified groups
    IFS=',' read -ra group_array <<< "$groups"
    for group in "${group_array[@]}"; do
        group=$(echo "$group" | xargs)  # Trim whitespace from group name
        create_group "$group"
        add_user_to_group "$username" "$group"
    done
    # Notify terminal that user has been successfully onboarded
    echo "User $username has been successfully onboarded with groups: $groups"
}

As clearly explained in the comments, this function effectively combines the functionalities of the previous functions, more like the definer. It loops through the Input validation function, password generation function, user creation function, personal group creation function, and adding user to group function. It particularly splits the groups into an array using a comma delimeter (IFS=','), loops through again and trims any trailing white space before calling the functions to do their duty.
The last line of this section would send an output message to the terminal each time a user has been successfully onboarded. A slack message also goes to the defined Slack Channel for the same purpose.

4. Script Execution Section

# Check if the script argument is provided
if [[ $# -ne 1 ]]; then
    echo "Usage: $0 <users_file>"
    exit 10  # Invalid input exit code
fi

# Read from the provided text file
users_file="$1"

# Read from the input file and process each line
while IFS=';' read -r username groups; do
    # Remove leading and trailing whitespaces
    username=$(echo "$username" | xargs)
    groups=$(echo "$groups" | xargs)
    onboard_user "$username" "$groups"
done < "$users_file"

Now that we have ensured all functions and necessary configurations are defined and ready to be used when processing the input file, this last part checks if the script argument (input file) is provided. If not, it exits with an error message. It also validates the absence of white space and then processes the user data from a file. In summary, this section executes all previously prepared functions with the input data.

5. Usage:

Save the entire script as a whole with the name create_users.sh or whatever name you like. The whole script can be found at my github repository.
Assemble the input file; the argument formatted this way: usernames are differentiated by a semicolon, and groups are differentiated by a comma.

alice; admin,dev,qa
bob; prod
carol; test,dev,prod
tunde; pilot,prod,test,dev
tade; pilot,dev

Save the file as text.txt or your preferred name On the ubuntu terminal, run chmod +x create_users.sh to ensure the file is executable.
Run script with sudo via sudo bash create_users.sh text.txt What we eventually get are success messages like those shown in Figure 1 below: Figure 1: Success Messages Displayed on Terminal

6. Conclusion

In conclusion, this blog post has covered the automation of linux user mangement for new staff. By following these steps and leveraging bash scripting, you can effectively do the automations and improve efficiency by 100%. Now it's your turn! Try out these techniques and share your experiences in the comments below. Additionally, if you have any questions, feel free to leave a comment or reach out to me directly on Twitter.
Lastly, I would love to appreciate the team at HNG internship for doing an awesome job at impacting knowledge. The team is a home of talents. Kudos

Costly EKS Cluster Set Up? AWS to the rescue!

Raji Risikat Yewande — Sun, 23 Apr 2023 18:10:03 +0000

Storyline

The goal was to do an automated Terraform Kubernetes Deployment. I eventually provisioned a production grade EKS Cluster using Terraform-EKS-modules and it created other AWS resources to be intergrated along with it. As the beginner that I was, I left the cluster running for days hoping to sort out deploying different types of microservice applications to the same cluster then finally clean up. The total bill accrued after a while was jaw-dropping and problematic but AWS came to my rescue and sorted it all out.

Aim

This walks you through the process of creating a standard EKS-Cluster using Terraform modules in AWS EKS Cluster Creation and steps to request a total cost/bills waiver from AWS in AWS Bills Waiver. The waiver process is useful for other workloads and not just this cluster set up.

AWS EKS Cluster Creation

Essentials:

An AWS Account, create a free tier here.
Be logged in an IAM user with Admin priviledges, secret and access keys.
Ubuntu Host OS (Local PC or Virtual Machine).
VS code or any IDE of your choice.
An S3 bucket to store the terraform state files remotely
Basic Linux Terminal use

Installations:

Install latest Terraform on the command line:

sudo apt update && apt upgrade -y
sudo apt install -y gnupg software-properties-common curl
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt update
sudo apt install terraform
terraform -v

Install the Terraform extension by Anton Kulikov on VS code for syntax highlights and efficiency.
Install AWS CLI :

sudo apt-get update
sudo apt-get install -y less curl unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -q awscliv2.zip
sudo ./aws/install
aws --version

Configure AWS CLI with aws configure command:
- fill up outputs with secret and access keys previously created from IAM user
- add us-east-1 as region
- Test configuration details with aws configure list
- No need to create environment variables as runnng env | grep AWS will not recognize the enviroment variables set in another terminal tab hence aws configure is appropriate for global setup.
```
export AWS_ACCESS_KEY_ID="YOUR_AWS_ACCESS_KEY_ID"
export AWS_SECRET_ACCESS_KEY="YOUR_AWS_SECRET_ACCESS_KEY"
export AWS_DEFAULT_REGION="us-east-1"
```

Install Kubectl as the command line tool that interacts with the Kubernetes Cluster:

sudo apt-get update -y
sudo apt-get install -y apt-transport-https ca-certificates curl
curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update -y
sudo apt-get install -y kubectl
kubectl version --client

(Optiona) Install Graphviz to visualize the terraform plan process:

sudo apt install graphviz

Architecture

This shows the summarized version of how the cluster would be formed via the terraform module(more like a group of interwoven resources used together). Other resources such as VPC, Security groups, NAT and Internet gateways for routing traffic from inside the private subnets and the internet respectively..etc. would be created alongside it.
This set up has the VPC created with three Public and three Private Subnets which tallies with the three availabilty zones present in us-east-1 region.

The values in the Terraform Configuration aren't fixed and can be changed according to individual's preference but I'll suggest that beginners follow through these exact values in order to eradicate bugs and avoidable errors.

Procedures:

Navigate to preferred working directory by git cloning my repository git clone https://github.com/wandexdev/k8s-microservices-deployment-via-CICD-terraform.git, then cd terraform/eks_creation-terraform/ to switch directory.

Note

Ensure your present working directory is ~/k8s-microservices-deployment-via-CICD-terraform/terraform/eks_creation-terraform

Confirm with the command pwd.

All required Terraform files(.tf) are present in the folder on my repo, you can create a folder for yours to manually write the .tf files if you did not clone the repository.
All required .tf files
The majority configuration of the module used was gotten from terraform-aws-modules/eks in Terraform's Registry. You can add more/switch the non required inputs or decide which preferred resources or versions you want outside the ones I already chose in my repository.
Create a providers.tf file to recognize the specific terraform-provider plugins that directly interact with AWS service.


        provider "aws" {
            region  = var.region
        }

Create a s3_backend.tf file to store remote state files in an external S3 bucket as this ensures multiple users or CI server gets the latest state data before running terraform. Its also more secure. > PS > > Please ensure the S3 bucket is created prior to terraform being initialized


        terraform {
        required_version = ">= 0.12"
        backend "s3" {
            bucket         = var.S3_bucket_name
            key            = var.bucket_key
            region         = var.region
        }
     }

Create a variables.tf file to declare all variables to be used in this project.


        #----------------------------BACKEND-------------------------
        variable "S3_bucket_name" {
            description = "name of S3 bucket for remote backend storage"
        }

        variable "bucket_key" {
            description = "It's the file path inside the bucket"
        }

        variable "region" {
            description = "The region of cluster deployment"
        }

        #--------------------------------VPC-------------------------------#

        variable "vpc_cidr_block" {
            description = "ip range for vpc"
        }

        variable "private_subnet_cidr_blocks" {
            description = "ip range for private subnet"
        }

        variable "public_subnet_cidr_blocks" {
            description = "ip range for public subnets"
        }

Create a vpc.tf file for the configurations of the Virtual Private Environment the EKS-cluster would be created in.


        #-----------DATA SOURCE-------------------#
        # By state
        data "aws_availability_zones" "available" {
        }

        module "wandek8s-vpc" {
        source                                    = "terraform-aws-modules/vpc/aws"
        version                                   = "2.64.0"

        name                                      = "wandek8s-vpc"
        cidr                                      = var.vpc_cidr_block
        private_subnets                           = var.private_subnet_cidr_blocks
        public_subnets                            = var.public_subnet_cidr_blocks
        azs                                       = data.aws_availability_zones.available.names 

        enable_nat_gateway                        = true
        single_nat_gateway                        = true
        enable_dns_hostnames                      = true

        tags                                      = {
                "kubernetes.io/cluster/wandek8s-eks-cluster" = "shared"
        }

        public_subnet_tags                        = {
                "kubernetes.io/cluster/wandek8s-eks-cluster" = "shared"
                "kubernetes.io/role/elb"            = 1
        }

        private_subnet_tags                       = {
                "kubernetes.io/cluster/wandek8s-eks-cluster" = "shared"
                "kubernetes.io/role/internal-elb"   = 1
        }
        }

Create an outputs.tf file to share data between Terraform configurations and external tools. Outputs are also the only way to share data between child module and root module of the configuration.


    output "cluster_id" {
    description       = "EKS cluster ID."
    value             = module.eks.cluster_id
    }

    output "cluster_name" {
    description       = "Amazon Web Service EKS Cluster Name"
    value             = module.eks.cluster_name
    }

    output "cluster_endpoint" {
    description       = "Endpoint for Amazon Web Service EKS "
    value             = module.eks.cluster_endpoint
    }

    output "region" {
    description       = "Amazon Web Service EKS Cluster region"
    value             = var.region
    }

    output "cluster_security_group_id" {
    description       = "Security group ID for the Amazon Web Service EKS Cluster "
    value             = module.eks.cluster_security_group_id
    }

    output "cluster_ca_certificate" {
    value             = module.eks.cluster_certificate_authority_data
    }

Create an eks-cluster.tf file which specifies the Terraform Kubernetes Provider in order to create Kubernetes objects, the module configurations, the partly managed nodes groups + node instances to be created in the cluster etc.


        #-----------provider to communicate with Kubernetes’ resources----------#

        provider "kubernetes" {
            host                        = module.eks.cluster_endpoint # end point of k8s (API server)
            token                       = data.aws_eks_cluster_auth.wandek8s-eks-cluster.token
            cluster_ca_certificate      = base64decode(module.eks.cluster_certificate_authority_data)
        }

        #--------Query data ------------#
        #data "aws_eks_cluster" "wandek8s-eks-cluster" {
        #    name                        = module.eks.cluster_id
        #}

        data "aws_eks_cluster_auth" "wandek8s-eks-cluster" {
            name                        = module.eks.cluster_name
        }

        module "eks" {
        source                        = "terraform-aws-modules/eks/aws"
        version                       = "19.10.0"

        cluster_name                  = "wandek8s-eks-cluster"
        cluster_version               = "1.24"

        subnet_ids                    = module.wandek8s-vpc.private_subnets
        vpc_id                        = module.wandek8s-vpc.vpc_id
        cluster_endpoint_public_access = true

        tags = {
            environment = "development"
            application = "wandek8s"
        }

        eks_managed_node_groups = {
            one = {
            min_size     = 1
            max_size     = 4
            desired_size = 3

            instance_types = var.instance_type
            }
        }
        }

Finally Create a terraform.tfvars file to input the variable values defined in variables.tf file. Herein lies the ranges for VPC CIDR block, specific resources names etc. Please ensure to input the absolute path for private and public key located in the HOST OS as mine is removed for security reasons.

This is a very sensitive file that shouldn't be pushed to version control.


        S3_bucket_name               = "wandek8s-bucket"

        bucket_key                   = "cicd-server/state.tfstate"

        region                       = "us-east-1"

        key_pair                     = "cicd-server"

        local_public_key_location    = ""

        local_private_key_location   = ""

        instance_type                = ["t3.medium"]

        vpc_cidr_block               = "10.0.0.0/16"

        public_subnet_cidr_blocks    = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

        private_subnet_cidr_blocks   = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]

Initialize the current working directory with terraform init Terraform init Output
Next terraform plan to preveiw the list of the desired state to be executed. Terraform plan part Output
Optionally, we can visualize the terraform plan process before finally creating the resources in a graph via terraform graph -type plan | dot -Tsvg > graph.svg. A graph.svg file would be created that can abe viewed on your PC or via any svg viewing tool.
Next is terraform apply and patience because this process would take a little while. Terraform apply Output
Console Verification: After a successful apply, we can confirm the resources created on the AWS console
Validate the cluster with kubectl via aws eks update-kubeconfig --name wandek8s-eks-cluster and now the cluster is fully ready for interaction and deployments.
Please do remember to Clean up the infrastructure as the spend for this set up is costly. Terraform makes this super easy by typing terraform delete. If not proceed to the next section where I explain how I got my bills waived as a 1 time occurence.

AWS Bills Waiver.

Steps:

Navigate to the AWS console and select support centre from the drop down list
Figure 1: Support Centre on web console
Ensure Account & Billing is ticked then proceed to Create Case
Figure 2: Create Case in Account & Billing
Follow the option specifications in Figure 3 below.
Figure 3: Selecting Service and Category options
Fill the Subject Summary. I recommend an honest breakdown of the events that lead to the cost build, documents can be attached also. Here is my description version here, you can use it as a template.

Hello AWS Support team,

I am requesting your assistance with my recent AWS charges. As a beginner to AWS processes, I have incurred very high unexpected charges that I am not able to afford at this moment while setting up an EKS Cluster with modules and I am hoping to find a solution that will allow me to continue learning and using AWS services without experiencing any financial burden.


I understand that some of the charges may have been due to my lack of knowledge about AWS pricing and usage. I have since taken steps to educate myself and ensure that I am aware of the free tier limits and best practices for minimizing costs and curbing hidden costs.


I would be very grateful if my account be waived off all the pending AWS charges on my account as a one-time courtesy due to my status as a new user. This would allow me to continue my learning journey with AWS without any worry about unexpected charges.


Thank you for your time and attention to this matter. I appreciate your assistance in resolving this issue.

Select Web and you'll be contacted via chat with a wave off alongside few aws credits to clear future debts. Depending on your location, you can also select Phone, provide your phone number and you'll be contacted by the team.

Thank you for coming on this journey with me and I hope I have been able to guide you in 2 different ways with my experiences with AWS awesomeness.

Feel free to reach out in the comment section with doubts or questions as well as directly on twitter. Cheers to a fruitful learning journey with AWS.

How to deploy a static website on a PRIVATE S3 bucket served by CloudFront on a custom domain name.

Raji Risikat Yewande — Sat, 21 Jan 2023 10:34:39 +0000

Scenario:

You're assigned a task to create an S3 bucket, with a time stamp to ensure it's unique, enable static website hosting, whilst the bucket must be private. Explore Cloudfront to privately expose your index.html file in your S3 bucket, and ensure it's accessible via a secured custom domain name.

Essentials:

An AWS Account.
Be logged in an IAM user with Admin priviledges.
Files for the static website
A custom domain name.
- If you dont have, get a free domain name from freenom Figure 1: Cloudfront and S3 Deployment Architecture

Figure 1 explains the deployment architecture.

A Private Amazon S3 bucket containing files for the static website to be hosted
CloudFront caches the S3 private pages and distributes the content to its default URL
CloufFront is linked to the custom domain name(wandexdev.me) via Hosted zone in Route 53.
The connection is secured via SSL and Certificate Mangaer
Users can access the static website by simply navigating the custom domain name(wandexdev.me)

Steps to achieve the setup

Step 1: Create an S3 bucket with private Access

Navigate to your home console on your aws account, select Northern Virginia (us-east-1) as your region. This is optional and done to stay within the free tier limits of the aws account
Move to the S3 console either by searching for S3 in the search bar or by clicking S3 in 'recently visited services'
Select create Bucket in Figure 2 below. Figure 2: Create a bucket in S3 console
Set up Bucket Configuration. Refer to figures 3, 4, 5
- Give a bucket name. The name has to be unique, no spaces or uppercase letters present, avoid using dots(.), hyphens(-) are more welcome. Using Timestamps helps relieve the stress.
- Region is US East (N. Virginia) as previously mentioned
- Leave Object Ownership as default Figure 3: Bucket Name, Region and Object Ownership
- Leave Public Access blocked as we want our bucket private
- Enable Versioning if you would like to still make changes to the static files you're about to upload but still have older versions uploaded, keep it Disabled if not.
- Tags are not neccessary for this simple static website demo
- Server-side Encryption is automatically applied so we leave encryption to default 'Amazon S3-managed keys'. The Encryption enables S3 encrypt objects before saving it and decrypts it when downloaded. Encryption doesn't change the way that you access data as an authorized user.
- Disable Bucket key as we are not using KMS encryption click on Create bucket Figure 4: Public Access, Bucket Versioning and Encryption
  - Observe and verify new bucket details (name, region, bucket access etc) and ensure no error was made Figure 5: New Bucket details

Step 2: Upload static website files into S3 bucket created.

Select the bucket name just created
Select Upload, then select add files
Add all files needed to run the static website from your local device Figure 6: Pre Upload Details
Leave other options at default
Select Upload Figure 7: Uploaded Bucket Details

Step 3: Enable Static Website Hosting

Select Bucket name, then Properties
Move down to the very last option 'static website hosting' and select Edit Figure 8: Static Website Hosting Section
Select Enable and a new interface shows.
Select host static website. A Static website is made up of individual webpages that contain static / unchaging content. Enabling your S3 bucket as a static website mean the website is available at the specific AWS Region website endpoint of the S3 bucket.
Specify the home page of the website files i.e index.html
Save changes
Success message Figure 9: Successfully Enabled

Step 4: Set up Hosted Zone and name servers in Route 53

Move to the route 53 console either by searching for Route 53 in the search bar or by clicking Route 53 in 'recently visited services'
Click create hosted zone
Input your custom Domain name in the Domain name field
Select Public hosted zone as Type Figure 10: Hosted Zone Created in Route 53
Click on the hosted zone. The ns- values under the Value/Route traffic to are called name servers
- To link custom domain name with route 53, the name servers from route 53 have to be updated on custom domain name provider's management.
- The name servers generally tell the domain name to redirect requests to it. Figure 11: List of Name servers generated
Switch to a new tab in your browser (do not close the Route 53 page with the nameservers), log in your custom domain provider's site and add name servers
- Mine is namecheap.com, log in, select domain list, then manage
- Navigate to custom DNS, select add name server and add all four name servers from Route 53 without the last dots!(.)
- Save changes Figure 12: Name servers in Domain Providers site

Step 5: Set up an SSL certificate via the AWS Certificate Manager

Setting up an SSL certificate ensures CloudFront custom domain with SSL is secured.
Move to the Certificate Manager console either by searching for Certificate Manager in the search bar or by clicking Certificate Manager in 'recently visited services'
Select Request a public certificate and then Request a certificate.
Input your custom Domain name i.e wandexdev.me
Choose DNS validation as method of validation.
Select next till you can confirm and request certificate
It then displays 'pending validation' on next page. This would be fixed by linking the certificate with Route 53
Click Certificate ID
Next click on Create record in Route 53 button under Domains. Figure 13: Link Pending SSL Certificate with Route 53
click create records
Certificate Manager takes a while before certificate is issued so please be patient. Figure 14: Issued SSL Certificate
Once certificate is issued, CloudFront Distribution can be set up.

Step 6: Set up CloudFront Distribution

Move to the CloudFront console either by searching for CloudFront in the search bar or by clicking CloudFront in 'recently visited services'
Select create Cloudfront distribution in Figure 15 below. Figure 15: Create CloudFront Distribution
Click on Origin domain and select the name of S3 bucket created from drop down list i.e wandebucket-0432pm.s3.amazonaws.com. Its simply the source from which CloudFront caches from.
Origin Name automatically fills up
Select Legacy access identities for Origin access. Origin Access is mainly for restricting access of a S3 bucket to only authenticated requests from CloudFront. An OAI(Origin Access Identity) would be used to do this
Select Create new OAI
- An autogenerated name shows in the prompt, click create Figure 16: Origin Access Identity (OAI)
- Select yes, update bucket policy as in Figure 17 below Figure 17: CloudFront Configuration Figure 18: CloudFront Configuration
Select to Redirect HTTP to HTTPs
Scroll down to Alternate Domain Name (CNAMEs) under Settings section then type in your custom domain name i.e wandexdev.me
Still under settings, select the drop down list for Custom SSl certificate and select your issued certificate for your domain name.
Figure 19: CloudFront Configuration
Scroll to Default root object and write index.html in the box
Create distribuition
The Distribution takes a while to deploy so be patient
- Once provisioned, status changes to deployed and state turns Enabled.

Step 7: Link Custom domain with CloudFront via Alias in Route 53

Move to the route 53 console either by searching for Route 53 in the search bar or by clicking Route 53 in 'recently visited services'
Select your domain name in Hosted zone
Click Create record, choose Simple routing, turn Alias on.
Select the drop down menu at Route Traffic to and choose Alias to CloudFront distribution
Click drop down list and select cloudfront distridution Figure 20: Create an Alias Record for CloudFront
Wait a few minutes for the DNS records to be updated
Type in your custom domain name in a browser and you would see your static website ONLY distributed and accesible via by cloudfront. Here's mine!! Figure 21: Final Output showing my static website

Remarks

I hope you found this guide helpful and as enjoyable as I enjoyed making it. Ask me questions in the comment section and I'll surely respond.
I used app.diagram to draw my architechture diagram and its free!
Please dont forget to delete all AWS resources provided after youre done. Staying within the free tier limits is low cost friendly

How to create a single-tier highly available architechture on AWS

Raji Risikat Yewande — Tue, 10 Jan 2023 22:07:03 +0000

Scenario

This tutorial would take you on the process of easily creating a highly available single tier architecture on AWS.

Figure 1: Single tier, fault resistant, highly available AWS Architecture

Figure 1 explains the entire architecture setup which includes:

A Custom VPC with two Availability Zones for High Availability
Each Availability Zone has a public subnet and a private subnet.
There are two EC2 instances, which are in private subnets and the Application Load Balancer(ALB) is attached to two public subnets as expected.
Two Network Address Translation(NAT) Gateways are attached to the the two public subnets and they allow Internet traffic to the instances in the private subnets via an associated Elastic IP
ALB is coupled with Auto Scaling
There is one Target Group connecting both the EC2 instances
EC2 Apache installation happens with the user data fromm the Auto Scaling Launch template
CloudFormation, an Infrasture as code tool would be used to automatically Provision the servers and Network Infrastructure

Essentials:

An AWS Account with IAM admin Priviledges
Git installed for cloning repository

Procedures

Navigate to the AWS Console or aws CLI
If youre using the console, search for cloudformation, Click on Create a new stack.
- Two Stacks would be needed for this set up
Click this cloudformation and follow instructions on the readme file.

Let me know in the comment section if you have any questions, I'll be happy to oblige.

The Oven...

Raji Risikat Yewande — Tue, 15 Mar 2022 06:40:44 +0000

"Hello World"

Haha, I tend to see that phrase a lot these days so I can as well us it. So, I'm WANDE and I unofficially started my journey on this path (a career transition)in October last year.

I'm trusting myself to document my journey and do some #technicalwriting to help people overcome problems I may have faced along the way.

The Oven a.k.a the journey is mine because I'll be 80% baking myself (the awesome boot camps I'm in deserve credit haha) and I'm looking forward to how far i would have developed myself.

Cheers to doing hard things...
Bismillah