Mounting AWS S3 Buckets to EC2 Instances Using Terraform

AWS's Simple Storage Service (S3) has been a go-to solution for scalable object storage for years. Yet, there's been a missing feature that many developers and system administrators have been seeking: the ability to mount an S3 bucket directly onto an EC2 instance.

Thankfully, AWS has recently provided the capability. In this article, we'll look at a POC solution for mounting an S3 bucket into an EC2 instance using Terraform. To achieve this functionality, we'll leverage several AWS resources, including VPC, S3 bucket, IAM policies, and Amazon Linux EC2 instance.

This is 100% automated.

Clone the repo here.

Overview

Here's a quick rundown of what we'll create and configure:

Virtual Private Cloud (VPC) with an S3 Endpoint: This allows network communication between the EC2 instance and S3.

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.1.1"

  database_subnet_ipv6_prefixes                 = [6, 7, 8]
  enable_ipv6                                   = true
  private_subnet_ipv6_prefixes                  = [3, 4, 5]
  public_subnet_assign_ipv6_address_on_creation = true
  public_subnet_ipv6_prefixes                   = [0, 1, 2]

  azs                                             = local.availability_zones
  cidr                                            = local.vpc_cidr
  create_database_subnet_group                    = false
  create_flow_log_cloudwatch_iam_role             = true
  create_flow_log_cloudwatch_log_group            = true
  database_subnets                                = local.database_subnets
  enable_dhcp_options                             = true
  enable_dns_hostnames                            = true
  enable_dns_support                              = true
  enable_flow_log                                 = true
  enable_nat_gateway                              = true
  flow_log_cloudwatch_log_group_retention_in_days = 7
  flow_log_max_aggregation_interval               = 60
  name                                            = var.environment
  one_nat_gateway_per_az                          = false
  private_subnet_suffix                           = "private"
  private_subnets                                 = local.private_subnets
  public_subnets                                  = local.public_subnets
  single_nat_gateway                              = true
  tags                                            = var.tags
}

module "vpc_endpoints" {
  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  version = "~> 5.1.1"

  vpc_id = module.vpc.vpc_id
  tags   = var.tags

  endpoints = {
    s3 = {
      route_table_ids = flatten([module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
      service         = "s3"
      service_type    = "Gateway"
      tags            = { Name = "s3-vpc-endpoint" }
    }
  }
}        

S3 Bucket and Object: The bucket we'll mount and a sample text file within it.

module "s3" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = local.bucket_name

  acl                     = "private"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  control_object_ownership = true
  object_ownership         = "BucketOwnerPreferred"

  force_destroy = true

  expected_bucket_owner = data.aws_caller_identity.this.account_id

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm = "AES256"
      }
    }
  }

  tags = var.tags
}

resource "aws_s3_object" "website-object" {
  bucket       = module.s3.s3_bucket_id
  for_each     = fileset("./files/", "**/*")
  key          = each.value
  source       = "./files/${each.value}"
  etag         = filemd5("./files/${each.value}")
  content_type = lookup(local.mime_types, split(".", each.value)[length(split(".", each.value)) - 1])
}        

IAM Policies: The permissions required for the EC2 instance to interact with the S3 bucket.

resource "aws_iam_instance_profile" "this" {
  name = "${var.environment}_ec2_role"
  role = aws_iam_role.ec2_role.name

  tags = var.tags
}

resource "aws_iam_policy" "s3_access" {
  name   = "${var.environment}_s3_access"
  policy = data.aws_iam_policy_document.s3_access.json

  tags = var.tags
}

resource "aws_iam_role" "ec2_role" {
  name = "${var.environment}_ec2_role"

  assume_role_policy = data.aws_iam_policy_document.ec2_role.json

  tags = var.tags
}

resource "aws_iam_role_policy_attachment" "AmazonSSMManagedInstanceCore" {
  policy_arn = data.aws_iam_policy.AmazonSSMManagedInstanceCore.arn
  role       = aws_iam_role.ec2_role.name
}

resource "aws_iam_role_policy_attachment" "s3_access" {
  policy_arn = aws_iam_policy.s3_access.arn
  role       = aws_iam_role.ec2_role.name
}        

EC2 Key Pair: SSH keys to access the EC2 instance.

resource "aws_key_pair" "generated" {
  depends_on = [tls_private_key.default]
  key_name   = var.environment
  public_key = tls_private_key.default.public_key_openssh

  tags = var.tags
}

resource "aws_secretsmanager_secret" "pem" {
  name        = "${var.environment}_${random_string.this.result}"
  description = "Keypair (${var.environment}) - private key"

  tags = var.tags
}

resource "aws_secretsmanager_secret_version" "pem" {
  secret_id     = aws_secretsmanager_secret.pem.id
  secret_string = tls_private_key.default.private_key_pem
}

resource "tls_private_key" "default" {
  algorithm = "RSA"
}        

EC2 Instance with Amazon Linux: The instance where the S3 bucket will be mounted.

resource "aws_instance" "this" {
  ami                     = data.aws_ami.this.id
  disable_api_termination = false
  ebs_optimized           = true
  iam_instance_profile    = aws_iam_instance_profile.this.name
  instance_type           = "t3a.small"
  key_name                = aws_key_pair.generated.key_name
  monitoring              = true
  subnet_id               = module.vpc.private_subnets[1]

  vpc_security_group_ids = [aws_security_group.this.id]

  metadata_options {
    http_endpoint               = "enabled"
    http_put_response_hop_limit = 3
    http_tokens                 = "required"
  }

  tags = merge(var.tags, {
    "Name"        = var.environment
    "backup"      = true
    "Patch Group" = "A"
  })

  volume_tags = merge(var.tags, { "Name" = "${var.environment}_vol" })

  root_block_device {
    encrypted   = true
    volume_type = "gp3"
  }
}        

Now, let's dive into the implementation.

Prerequisites

Before proceeding, ensure that you have the following:

• Terraform 1.5.4 or later installed on your local system.
• AWS CLI configured with the necessary access permissions.

Step-by-Step Implementation

1. Initialize Terraform

After cloning the project repository and navigating to the project directory, initialize Terraform. This downloads and sets up the required providers and modules.

terraform init         

2. Plan the Changes

Planning allows you to review the changes before applying them. This step ensures that you're fully aware of the actions Terraform will take on your behalf.

terraform plan -out=plan.out         

3. Apply the Changes

After reviewing and confirming the plan, you can apply the changes to create the resources.

terraform apply plan.out         

Information about the EC2 Instance

Userdata does all the work for us.

#!/bin/bash
# Update packages on the system
sudo yum update -y

# Install S3 Mount
wget https://s3.amazonaws.com/mountpoint-s3-release/latest/x86_64/mount-s3.rpm
sudo yum install ./mount-s3.rpm -y
rm -f ./mount-s3.rpm

# Create mount point directory
sudo mkdir /mount_s3
sudo mount-s3 ${module.s3.s3_bucket_id} /mount_s3        

1. Mount Directory: A directory /mount_s3 is created when the EC2 instance boots, using Userdata.
2. Bucket Mounting: The EC2 instance is configured to mount the S3 bucket at the /mount_s3 directory.
3. Test File: Terraform places a test file s3_file.txt in the S3 bucket.
4. Profile Permissions: The EC2 instance profile permits SSM access to the S3 bucket and connection.

4. Testing

You can connect to the EC2 Instance using SSM and verify the file from the S3 bucket with:

sudo cat /mount_s3/s3_file.txt         

5. Cleanup

When you've finished your experiments, it's essential to clean up the resources to avoid unnecessary costs:

terraform destroy         

Important Notes

• The mount point for the S3 bucket is configured at the /mount_s3 directory on the EC2 instance.
• Ensure that you have the necessary permissions and access to perform these operations in your AWS environment.

The capability to mount an AWS S3 bucket directly onto an EC2 instance opens up new possibilities for system architecture and data handling. With the newly introduced feature and the convenience of Terraform, we can now effortlessly create, configure, and manage this setup.

Remember to be mindful of permissions and network configurations to ensure security and availability. The seamless integration between S3 and EC2 now allows for more flexible and streamlined workflows, meeting a long-awaited need for many in the cloud computing community. Whether for a simple testing environment or complex production use, this functionality is sure to find broad application.

By following this guide, developers, DevOps, and system administrators can now explore this exciting feature and integrate it into their existing infrastructure, taking advantage of AWS' constantly increasing technology stack.

Visit my website here.