Perform the task-1 using EFS instead of EBS service on the AWS as,
Create/launch Application using Terraform
1. Create Key pair and Security group which allow the port 80.
2. Launch EC2 instance.
3. In this Ec2 instance use the existing key or provided key and security group which we have created in step 1.
4. Launch one Volume using the EFS service and attach it in your vpc, then mount that volume into /var/www/html.
5. Developer have uploded the code into github repo also the repo has some images.
6. Copy the github repo code into /var/www/html.
7. Create S3 bucket, and copy/deploy the images from github repo into the s3 bucket and change the permission to public readable.
8 Create a Cloudfront using s3 bucket(which contains images) and use the Cloudfront URL to update in code in /var/www/html.
1. Cloud platform provide us storage as a service . There are 3 types of storage
* Block storage ( as a service )
- aws : EBS
- openstack : cinder
* Object Storage ( as a service )
- aws : S3
- openstack : swift
* File Storage ( as a service )
- aws : EFS
- openstack : manila
2. Why we need EFS ..?
* If suddenly load increase, we have multiple of OS running in parallel i.e horizontal scaling and all the OS is configure with the Apache webserver. Per OS we attach EBS volume, suppose you have to copy the same content from one OS to other in this case the same EBS volume cannot be connected to the other OS. If developer change any code in one OS , they have to copy that code in other OS also. If you want your code or data persistent EBS won't help you if sudden load increase because it only provides you file system.
* Then S3 come in play because we can easily mount one S3 bucket with the multiple OS. If the developer changes the code in S3 bucket it automatically changes in the OS because all the OS are directly link to the S3 bucket. It is a centralized storage. But the biggest challenge is only one requirement is not solve by s3 that is in S3 we don't have a option to edit a file or s3 don't have the file system. Whatever you put in S3 it will be sharable and we always store unchangeable data in s3 such as logs , bigdata etc.
* File system : your data always load on the ram but complete data won't load on the ram at the same time , it will be loaded in parts i.e portions and this capability you only achieve with the file system because it continuously linking the file.
* Finally the role of EFS come in play.. they give you one centralized storage known as NFS :
? NFS stands for network file system , it is easily mount to the multiple OS over the network and if developer change any code in this storage , all the OS can easily access the update code.
? NFS is a protocol name . It gives you file system and create NFS server.
? NFS share files and objects over the network. Here you can easily edit the file.
* EFS i.e Elastic file system is a service that uses NFS protocol behind the scene. Here your data will be persistent and won't be loose.
Note 1 :
* EBS behind the scene uses fibre channel and iscsi protocol.
* S3 behind the scene uses http/s protocol.
Note 2 :
* EFS service only work per region.
* EFS directly mount to EC2 instance but for mounting to local laptop we have to setup one more extra service i.e VPN / direct connect to mount.
Note 3 :
* Don't use local storage because it is ephemeral in nature , always use EBS because it is a centralized storage.
* Here you can see i have one vpc which is by default created by aws guys.
* Here you can see i have three subnets which is by default created by aws guys.
* Here you can see i have one route table which is also by default created by aws guys.
* Here you can see i have one internet gateway which is also by default created by aws guys and it is in attached state with default vpc.
# Below i have shared my two task related to networking as a service i.e vpc.
* Here you can see in my case i have only two security groups one is by default created and other one is for my centos 7 OS.
* Here you can see in my case there is no elastic file system.
* Here you can see in my case i have only two keypairs which i have create for some use case.
* Here you can see in my case i have only one instance "myos1" which is in stopped state.
* Here in my case i have one s3 bucket named "trailbucket2801" for managing my aws logs.
* Here you can see in my case there is no cloud front distribution.
NOW AGAIN JUMP TO THEORITICAL PART : here i wanna tell you something about terraform -
1.#visualstudiocode : From now onwards we are using visual Studio code IDE i.e integrated development environment for writing terraform codes because writing a code in notepad becomes very difficult or unable to understand. And one of the best reason for using IDE, because it gives predefined things such as auto suggestions or help and predefine plugins such as hashicorp terraform , terraform autocomplete. So managing your code like from writing a code to running a code and opening the terminal everything will be managed in visual Studio IDE.
2.#Variable : variable is a way to control or manage the things. It is very helpful for managing our bigger code. In a variable terraform has a bi default data type string. Always try to create a separate folder for variables.
3. Before we run our code that means before we apply always used dry run because it is a good practice before apply. For dry and we have to use "terraform plan" command and internally it go to our desire or code.
4. Whatever happens currently in our code or desire is known as a current state. Everything this store locally in a state file and that file is known as local state file or by default is stored in local system.
5. If you want to change something either do complete manually or complete automation but automation is always a good practice. always update your state file by "terraform refresh" command. Whenever you do plan or apply they first internally refresh.
6. in which file you write a provider or put a provider is treated as a main file where we can manage our provider names and this main file is also known as a root module. We have tons of resources in hybrid multi-cloud setup that we have to use for this we create multiple file for many purposes such as create a AWS folder inside it create terraform code for ec2 instance ,keypair,security groups etc. And this aws folder is basically sub module.
7. If you use any resource name always give provider name because it is compulsory. When we plan , go to the main file in this we have to place or include our separate files. for separate file we always create a module in terraform language for including any file we have a module keyword where sources is important where is your module is located give your file location in source.
8. sub file does not has a capability to retrieve a variable from variable file or global variable file. but main file has a capability to call or retrieve a variable from variable file or global variable file. For making Sub file has a capability to retrieve a variable from variable file we have to create a variable in some module also but it is not a best way to use variable in every sub module. so we don't want to manage the value of variable in sub module.always manage the value of variable using root module for this you have to write "value"as a keyword in a root module or main file.
# But now our main intension is create our own infrastructure using terraform code and by running one single command "terraform apply --auto-approve" we can create our own vpc,subnets,internet gateway,route tables,route tables association,security groups,keypairs,ec2 instance,s3bucket and cloud front distribution and for this i have open "MYTERA" folder in visual studio code IDE :
* Here inside that "MYTERA" folder :
>> I have created one var.tf , in this i have written some variables.
var.tf code :
variable "vpc_cidr" { default = "" } variable "subnet_cidr" { default = "" } variable "az_subnet" { default = "ap-south-1a" } variable "rt_cidr" { default = "" } variable "sg_cidr" { default = "" } variable "sg_protocol" { default = "tcp" } variable "efs_token" { default = "my-product" } variable "efs_encryption" { default = "true" } variable "kp_filename" { default = "my_key.pem" } variable "kp_keyname" { default = "mykey" } variable "ec2_ami" { default = "ami-0732b62d310b80e97" } variable "ec2_instancetype" { default = "t2.micro" } variable "ec2_type" { default = "ssh" } variable "ec2_user" { default = "ec2-user" } variable "s3_bucketname" { default = "mynewbucketforjob1" } variable "s3_acl" { default = "public-read" } variable "s3_key" { default = "snapcode.png" } variable "s3_source" { default = "C:/Users/aadit/OneDrive/Desktop/snapcode.png" } variable "s3_origin_id" { default = "local.s3_origin_id" }
>> I have created one main.tf file where i have written one module named "mytestmodule1" and we always gives a provider information in main file of terraform.
main.tf code :
provider "aws" { version = "~> 2.7" region = "ap-south-1" profile = "default" } module "mytestmodule1" { source = "./myaws" my_vpc_cidr = var.vpc_cidr my_subnet_cidr = var.subnet_cidr my_datacentre = var.az_subnet my_rt_cidr = var.rt_cidr my_sg_cidr = var.sg_cidr my_sg_protocol = var.sg_protocol my_efs_token = var.efs_token my_efs_encryption = var.efs_encryption my_kp_filename = var.kp_filename my_kp_keyname = var.kp_keyname my_ec2_ami = var.ec2_ami my_ec2_instancetype = var.ec2_instancetype my_ec2_type = var.ec2_type my_ec2_user = var.ec2_user my_s3_key = var.s3_key my_s3_source = var.s3_source my_s3_acl = var.s3_acl my_s3_bucketname = var.s3_bucketname my_s3_origin_id = var.s3_origin_id }
>> I have created one folder named "myaws" and inside this folder i have created separate terraform codes as per my requirement.
* vpc.tf code :
variable "my_vpc_cidr" {} variable "my_subnet_cidr" {} variable "my_datacentre" {} variable "my_rt_cidr" {} resource "aws_vpc" "myownvpc" { cidr_block = var.my_vpc_cidr instance_tenancy = "default" tags = { Name = "addy_vpc" } } resource "aws_subnet" "publicsubnet" { depends_on = [ aws_vpc.myownvpc] vpc_id = aws_vpc.myownvpc.id cidr_block = var.my_subnet_cidr availability_zone = var.my_datacentre map_public_ip_on_launch = true tags = { Name = "addy_subnet" } } resource "aws_internet_gateway" "myigw" { depends_on = [ aws_vpc.myownvpc ] vpc_id = aws_vpc.myownvpc.id tags = { Name = "addy_igw" } } resource "aws_route_table" "rt" { depends_on = [ aws_internet_gateway.myigw ] vpc_id = aws_vpc.myownvpc.id route { cidr_block = var.my_rt_cidr gateway_id = aws_internet_gateway.myigw.id } tags = { Name = "addyroute_table" } } resource "aws_route_table_association" "rt_association" { depends_on = [ aws_route_table.rt ] subnet_id = aws_subnet.publicsubnet.id route_table_id = aws_route_table.rt.id }
* securitygroup.tf code :
variable "my_sg_cidr" {} variable "my_sg_protocol" {} resource "aws_security_group" "mywebsg" { name = "allow_nfs" vpc_id = aws_vpc.myownvpc.id ingress { description = "HTTP" from_port = 80 to_port = 80 protocol = var.my_sg_protocol cidr_blocks = [var.my_sg_cidr] } ingress { description = "SSH" from_port = 22 to_port = 22 protocol = var.my_sg_protocol cidr_blocks = [var.my_sg_cidr] } ingress { description = "NFS" from_port = 2049 to_port = 2049 protocol = var.my_sg_protocol cidr_blocks = [var.my_sg_cidr] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = [var.my_sg_cidr] } tags = { Name = "myweb_sg" } }
* efs.tf code :
variable "my_efs_token" {} variable "my_efs_encryption" {} resource "aws_efs_file_system" "myefsvol" { creation_token = var.my_efs_token encrypted = var.my_efs_encryption tags = { Name = "MY_EFS" } } resource "aws_efs_file_system_policy" "efs_policy" { depends_on = [ aws_efs_file_system.myefsvol ] file_system_id = aws_efs_file_system.myefsvol.id policy = <<POLICY { "Version": "2012-10-17", "Id": "efs-storage-read-write-permission-Policy01", "Statement": [ { "Sid": "efs-statement-permission01", "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "${aws_efs_file_system.myefsvol.arn}", "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess" ], "Condition": { "Bool": { "aws:SecureTransport": "true" } } } ] } POLICY } resource "aws_efs_mount_target" "efsmount" { depends_on = [ aws_route_table_association.rt_association, aws_security_group.mywebsg, aws_efs_file_system.myefsvol ] file_system_id = aws_efs_file_system.myefsvol.id subnet_id = aws_subnet.publicsubnet.id security_groups = [ aws_security_group.mywebsg.id ] }
* keypair.tf code :
variable "my_kp_filename" {} variable "my_kp_keyname" {} # Creating key resource "tls_private_key" "private_key" { algorithm = "RSA" } # Saving to local system resource "local_file" "save_key" { depends_on = [ tls_private_key.private_key] content = tls_private_key.private_key.private_key_pem filename = var.my_kp_filename } # sending public key to aws resource "aws_key_pair" "public_key" { depends_on = [local_file.save_key] key_name = var.my_kp_keyname public_key = tls_private_key.private_key.public_key_openssh }
* ec2.tf code :
variable "my_ec2_ami" {} variable "my_ec2_instancetype" {} variable "my_ec2_type" {} variable "my_ec2_user" {} resource "aws_instance" "myos" { depends_on=[ aws_security_group.mywebsg,tls_private_key.private_key ] ami= var.my_ec2_ami instance_type= var.my_ec2_instancetype key_name= var.my_kp_keyname subnet_id= aws_subnet.publicsubnet.id vpc_security_group_ids = [ aws_security_group.mywebsg.id ] connection{ type= var.my_ec2_type user= var.my_ec2_user private_key= tls_private_key.private_key.private_key_pem host= aws_instance.myos.public_ip } provisioner "remote-exec"{ inline=["sudo yum install httpd git php amazon-efs-utils nfs-utils -y", "sudo systemctl restart httpd", "sudo systemctl enable httpd"] } tags = { Name = "mywebos1" } } resource "null_resource" "efs_attach"{ depends_on = [ aws_efs_mount_target.efsmount ] connection{ type= var.my_ec2_type user= var.my_ec2_user private_key= tls_private_key.private_key.private_key_pem host= aws_instance.myos.public_ip } provisioner "remote-exec"{ inline=[ "sudo yum install git httpd php nfs-utils -y", "sudo systemctl start httpd", "sudo systemctl enable httpd", "sudo mount ${aws_efs_file_system.myefsvol.dns_name}:/ /var/www/html/", "sudo git clone https://github.com/aaditya2801/terraformjob1.git /var/www/html/"] } }
* s3.tf code :
variable "my_s3_bucketname" {} variable "my_s3_acl" {} variable "my_s3_key" {} variable "my_s3_source" {} // S3 bucket : resource "aws_s3_bucket" "s3bucketjob1" { bucket = var.my_s3_bucketname acl = var.my_s3_acl } // Putting Objects in mynewbucketforjob1 : resource "aws_s3_bucket_object" "s3_object" { bucket = aws_s3_bucket.s3bucketjob1.bucket key = var.my_s3_key source = var.my_s3_source acl = var.my_s3_acl }
* cloudfront.tf code :
variable "my_s3_origin_id" {} // Cloud Front Distribution : locals { s3_origin_id = aws_s3_bucket.s3bucketjob1.id } resource "aws_cloudfront_distribution" "CloudFrontAccess" { depends_on = [ aws_s3_bucket_object.s3_object, ] origin { domain_name = aws_s3_bucket.s3bucketjob1.bucket_regional_domain_name origin_id = var.my_s3_origin_id } enabled = true is_ipv6_enabled = true comment = "s3bucket-access" default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = var.my_s3_origin_id forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "allow-all" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } # Cache behavior with precedence 0 ordered_cache_behavior { path_pattern = "/content/immutable/*" allowed_methods = ["GET", "HEAD", "OPTIONS"] cached_methods = ["GET", "HEAD", "OPTIONS"] target_origin_id = var.my_s3_origin_id forwarded_values { query_string = false headers = ["Origin"] cookies { forward = "none" } } min_ttl = 0 default_ttl = 86400 max_ttl = 31536000 compress = true viewer_protocol_policy = "redirect-to-https" } # Cache behavior with precedence 1 ordered_cache_behavior { path_pattern = "/content/*" allowed_methods = ["GET", "HEAD", "OPTIONS"] cached_methods = ["GET", "HEAD"] target_origin_id = var.my_s3_origin_id forwarded_values { query_string = false cookies { forward = "none" } } min_ttl = 0 default_ttl = 3600 max_ttl = 86400 compress = true viewer_protocol_policy = "redirect-to-https" } price_class = "PriceClass_200" restrictions { geo_restriction { restriction_type = "blacklist" locations = ["CA"] } } tags = { Environment = "production" } viewer_certificate { cloudfront_default_certificate = true } retain_on_delete = true }
* deploy.tf code :
// Changing the html code and adding the image url in that. resource "null_resource" "addingurl" { depends_on = [ aws_cloudfront_distribution.CloudFrontAccess, ] connection { type = var.my_ec2_type user = var.my_ec2_user private_key = tls_private_key.private_key.private_key_pem host = aws_instance.myos.public_ip } provisioner "remote-exec" { inline = [ "echo '<img src='https://${aws_cloudfront_distribution.CloudFrontAccess.domain_name}/snapcode.png' width='300' height='330'>' | sudo tee -a /var/www/html/index.html" ] } } // deploying webapp : resource "null_resource" "deploywebapp" { depends_on = [ null_resource.addingurl, ] provisioner "local-exec" { command = "start chrome ${aws_instance.myos.public_ip}/index.html" } }
>> Now i have a full code for deploying our complete infrastructure automatically in a single go. so let's get's started.
>> we have to configure the aws by "aws configure" command :
>> Now for dry run we have to use "terraform plan" command :
>> we also validate our code by "terraform validate" command.
* Here you can see the configuration is valid.
>> Now we have to run our main command "terraform apply --auto-approve" to deploy our complete infrastucture :
* Here you can see my own vpc is created as "addy_vpc".
* Here you can see my own public subnet is created as "addy_subnet".
* Here you can see my own internet gateway is created as "addy_igw".
* Here you can see my own route table is created as "addyroute_table" and you can see in the target i have successfully attach internet gateway as a target.
* Here you can see my security group is created as "myweb_sg" that allow http for apache webserver,ssh for remote login and nfs protocol for efs.
*Here you can see my keypairs is created as "mykey".
* Here you can see my EC-2 instance is created as "mywebos1" that has a outside connectivity.
* Here you can see my EFS is created as "MY_EFS" which is Encrypted.
* and it is successfully mounted on /var/www/html.
* Here you can see my s3bucket is created as "mynewbucketforjob1" and it is in public access.
* inside my bucket i have successfully deployed one images as "snapcode.png".
* Here you can see my cloud front distribution is also created.
* and i have set "mynewbucketforjob1" s3 bucket as a origin for cloud front distribution.
Java Developer @Rakuten || Ex-Nagarrian || Java || 1x Google Cloud Certified || Content Developer at CareerVyas
4 年Keep it up sir??????
DevOps Engineer | Atlassian Administrator | Jira | Confluence | GIT | Kubernetes | Docker | AWS
4 年Good job??!!!
DevOps Engineer || Azure 1x || CI/CD || AKS || Jenkins || Kubernetes || Git
4 年Well done!