An example Ubuntu VM running in an AWS EC2 Instance.
This will:
- Create a VPC.
- Configure an Internet Gateway.
- Create a Systems Manager (aka SSM) Parameter.
- Create an EC2 Instance.
- Assign a Public IP address.
- Assign an IAM Role.
- Include the AmazonSSMManagedInstanceCore Policy.
- Initialize with cloud-init.
- Configure the guest firewall.
- Install an example application.
- Get the Instance Identity Document from the EC2 Instance Metadata Service.
- Get a Parameter from the Systems Manager Parameter Store.
- Get the Instance (IAM) Role Credentials.
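As an added example (not code from this project), the metadata and role-credential lookups done from inside the VM using the IMDSv2 session-token flow rather than plain IMDSv1 GETs; the injectable `fetch` transport, the `TOKEN_TTL` value and the stub data are assumptions made here so the logic can be exercised without a live instance.

```python
"""Fetch the instance identity document and the instance role credentials
through IMDSv2 (session-token based). Added example, not project code:
the HTTP transport is injectable so a stubbed metadata service can drive it."""
import json
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL = "60"  # seconds; keep the session token short-lived (assumption)


def urllib_fetch(method, url, headers):
    """Default transport: a real HTTP call to the metadata endpoint."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imdsv2_session(fetch=urllib_fetch, base=IMDS):
    """Obtain a session token; every later request must present it.
    The PUT with the TTL header is what separates IMDSv2 from the
    unauthenticated IMDSv1 GETs that SSRF-style bugs can reach."""
    token = fetch("PUT", f"{base}/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL})

    def get(path):
        return fetch("GET", f"{base}/latest/{path}",
                     {"X-aws-ec2-metadata-token": token})
    return get


def instance_identity(get):
    """Parse the instance identity document (JSON)."""
    return json.loads(get("dynamic/instance-identity/document"))


def role_credentials(get):
    """Return (role name, temporary credentials) of the attached IAM role."""
    role = get("meta-data/iam/security-credentials/").strip()
    creds = json.loads(get(f"meta-data/iam/security-credentials/{role}"))
    return role, creds


if __name__ == "__main__":
    get = imdsv2_session()
    doc = instance_identity(get)
    print(doc["instanceId"], doc["region"], doc["accountId"])
    role, creds = role_credentials(get)
    # never log the secret key; show only what identifies the session
    print(role, creds["Expiration"])
```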
Install the tools:
```bash
./provision-tools.sh
```
Set the account credentials using SSO:
```bash
# set the account credentials.
# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso
aws configure sso
# dump the configured profile and sso-session.
cat ~/.aws/config
# set the environment variables to use a specific profile.
export AWS_PROFILE=my-profile
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
# show the user, user amazon resource name (arn), and the account id, of the
# profile set in the AWS_PROFILE environment variable.
aws sts get-caller-identity
```
Or, set the account credentials using an access key:
```bash
# set the account credentials.
# NB get these from your aws account iam console.
# see Managing access keys (console) at
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
export AWS_ACCESS_KEY_ID='TODO'
export AWS_SECRET_ACCESS_KEY='TODO'
# set the default region.
export AWS_DEFAULT_REGION='eu-west-1'
# show the user, user amazon resource name (arn), and the account id.
aws sts get-caller-identity
```
Review main.tf.
Initialize terraform:
```bash
make terraform-init
```
Launch the example:
```bash
rm -f terraform.log
make terraform-apply
```
Show the terraform state:
```bash
make terraform-show
```
At VM initialization time cloud-init will run the provision-app.sh script to launch the example application.
After VM initialization is done (check the instance system log for cloud-init entries), test the app endpoint:
```bash
while ! wget -qO- "http://$(terraform output --raw app_ip_address)/test"; do sleep 3; done
```
And open a shell inside the VM:
```bash
ssh "ubuntu@$(terraform output --raw app_ip_address)"
cloud-init status --wait
tail /var/log/cloud-init-output.log
wget -qO- localhost/try
systemctl status app
journalctl -u app
sudo iptables-save
sudo ip6tables-save
sudo ec2metadata
systemctl status snap.amazon-ssm-agent.amazon-ssm-agent
journalctl -u snap.amazon-ssm-agent.amazon-ssm-agent
sudo ssm-cli get-instance-information
sudo ssm-cli get-diagnostics
exit
```
Destroy the example:
```bash
make terraform-destroy
```
References:
- Environment variables to configure the AWS CLI
- Token provider configuration with automatic authentication refresh for AWS IAM Identity Center (SSO)
- Managing access keys (console)
- AWS General Reference
- Connect to the internet using an internet gateway
- Retrieve instance metadata
- How Instance Metadata Service Version 2 works
- AWS Systems Manager (aka Amazon EC2 Simple Systems Manager (SSM))