Building AWS Infrastructure using Jenkins-Terraform Automation
| Variable File | Variables | Values |
|---|---|---|
| Global | aws_region_ | ap-south-1 |
| Global | aws_iam_user | deployer_user_ |
| Global | assume_role_ | deployer_role_ |
| Global | s3_backend_bucket | terraform-tfstate-mumba-1 |
| EC2 | ec2_instance_profile | ec2_instance_profile |
| Lambda | lambda_deployer_role | lambda_deployer_role |
Steps to follow
- Create Policy :
ec2_cw_kms_s3_sns_r53_rds_full_access - Create User :
deployer_user - Create Role :
ec2_instance_profile - Create Role :
deployer_role - Create Role :
lambda_deployer_role
IAM : List READ Tagging
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"acm:*",
"sns:*",
"rds:*",
"s3:*",
"cloudwatch:*",
"kms:*",
"logs:*",
"route53:*",
"ec2:*",
"events:*",
"lambda:*",
"iam:CreateServiceLinkedRole",
"iam:GetInstanceProfile",
"ses:*"
],
"Resource": "*"
}
]
}
Attach Policy : IAMUserChangePassword
Attach Policy : AmazonS3FullAccess
Attach Policy : assume_role
Attach Policy : AmazonEC2ContainerServiceFullAccess
Attach Policy : ec2_cw_kms_s3_sns_r53_full_access
{
"Version" : "2012-10-17",
"Statement" : [{
"Effect" : "Allow",
"Action" : "sts:AssumeRole",
"Principal" : {
"Service" : "ec2.amazonaws.com",
"AWS" : "arn:aws:iam::210315133748:role/deployer_role"
}
}]
}
Attach Policy : AmazonVPCReadOnlyAccess
Attach Policy : AmazonEC2ContainerServiceFullAccess
Attach Policy : IAMReadOnlyAccess
Attach Policy : AWSCloudFormationReadOnlyAccess
Attach Policy : ec2_cw_kms_s3_sns_r53_full_access
Attach Policy : AWSDataExchangeSubscriberFullAccess
{
"Version" : "2012-10-17",
"Action" : "sts:AssumeRole"
"Statement" : [{
"Effect" : "Allow",
"Principal" : {
"AWS" : [
"arn:aws:iam::210315133748:role/ec2_instance_profile",
"arn:aws:iam::210315133748:user/deployer_user"
],
"Service" : "ec2.amazonaws.com"
},
}]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeSnapshots",
"ec2:DeleteSnapshot",
"ec2:DescribeVolumes",
"rds:DescribeDBSnapshots",
"rds:DeleteDBSnapshot",
"rds:ListTagsForResource",
"rds:DescribeDBInstances",
"rds:StopDBInstance",
"rds:StartDBInstance"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"ec2:StartInstances",
"ec2:StopInstances",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda/*:*:*",
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*:*:*"
}
]
}
{
"Version" : "2012-10-17",
"Statement" : {
"Effect" : "Allow",
"Action" : "sts:AssumeRole",
"Resource" : "arn:aws:iam::210315133748:role/deployer_role"
}
}
- Create S3 Bucket terraform-tfstate-mumbai-1
~/.aws/credentials
[deployer_role]
aws_access_key_id = <AWS_ACCESS_KEY>
aws_secret_access_key = <AWS_SECRET_ACCESS_KEY>
region = ap-south-1
~/.aws/config
[deployer_role]
region = ap-south-1
output = text
role_arn = arn:aws:iam::161047494551:role/deployer_role
source_profile = deployer_role
| Role | Policy to Attach | Uses |
|---|---|---|
| role | AmazonVPCReadOnlyAccess | VPC RO To create EC2 in VPC |
| role | IAMReadOnlyAccess | IAM RO To attach instance profile in EC2 |
| role | AWSCloudFormationReadOnlyAccess | CF RO SNS Creation using CloudFormation |
| role | AWSDataExchangeSubscriberFullAccess | EC2 AMI Filter |
| role, profile | AmazonEC2ContainerServiceFullAccess | EC2 Creation |
| role, profile | S3 Full access | |
| role, profile | SNS Full access | |
| role, profile | Route53 Full access | |
| role, profile | RDS Full access | |
| role, profile | CloudWatchAgentServerPolicy | CW Custom metrics Optional |
| role, profile | AWSKeyManagementServicePowerUser | KMS Optional |
| role | AmazonEC2RoleforAWSCodeDeploy | EC2 Creation Optional |
#####S3
- Create S3 Bucket terraform-tfstate-mumbai-1
#####SQS
terraform init -backend=true -backend-config='bucket=main-s3-bucket-tfstate' -backend-config='key=simple/sqs/test_sqs_creation_1.tfstate'
terraform plan -out=tfplan -var-file=/root/terraform_practice_codes/global_vars.tfvars
terraform apply tfplan#####KMS
terraform init -backend=true -backend-config='bucket=main-s3-bucket-tfstate' -backend-config='key=simple/kms/test_kms_key_creation_1.tfstate'
terraform plan -var-file=/root/terraform_practice_codes/global_vars.tfvars
terraform apply -var-file=/root/terraform_practice_codes/global_vars.tfvars- Route53 Zone
- S3
- SQS
- KMS
- Security Group
- SNS
- ENI
- EBS
- EC2
- EBS Attachment
- Cloud-Watch
- Route53 C Record
- RDS Master
- RDS Slave
- Route53 A record
16.1) Lambda - EC2 Stop
16.2) Lambda - Snapshot Deletion
- ALB
- ASG
- AMI
- EFS