Deploy AWS infrastructure using Terraform and GitHub Actions

By
Terraform being an Infrastructure as a Code helps us to manage a lot of infrastructure for several platforms in a consistent manner.  In this blog, I will walkthrough on deploying a terraform code using  Github actions

Terraform code to create S3 bucket

In this blog, I will walkthrough each blocks in terraform to create an S3 bucket in AWS in automated workflow using GitHub Actions.

Lets look into the Terraform files. To understand easily, I have created separate tf files for each purpose, but you can still use all in one tf file as per your convenient. You can use any name with tf extension, for better understanding I used following names.
  • versions.tf 
    terraform {
      required_version = ">= 0.14"
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "3.36.0"
        }
      }
      backend "s3" {
        bucket         = "prasanna-aws-demo-terraform-tfstate"
        key            = "creates3.tfstate"
        region         = "ap-south-1"
        dynamodb_table = "prasanna-aws-demo-terraform-tfstatelock"
        encrypt        = true
      }
    }
    <required_version> Specifies which versions of Terraform can be used with your configuration. Terraform 0.13 and later should be used in order to use the above code.

    <required_providers> This block specifies all of the providers required by the current module, mapping each local provider name to a source address and a version constraint.

    <backend> This block is very useful in keeping the state files in a secured remote location. State file keeps the blue print of the state of Infrastructure. In this case, I have used one of the existing s3 bucket. To prevent two team members from writing to the state file at the same time, we will use a DynamoDB table lock. Terraform provides locking to prevent concurrent runs against the same state. Locking helps make sure that only one team member runs terraform configuration. Locking helps us prevent conflicts, data loss and state file corruption due to multiple runs on same state file.

  • providers.tf 
    provider "aws" {
      region = var.region
    }
    Terraform relies on plugins called "providers" to interact with cloud providers, SaaS providers, etc. var.region is fetched from the variable which I will show you in the following.

  • main.tf 
    resource "aws_s3_bucket" "prasanna_test" {
      bucket = var.s3_bucket_name
      acl    = var.acl

      tags = merge (
        {
          Name        = var.s3_bucket_name
          Environment = var.Environment
        }
      )
    }
    resource is actual resource we are creating. In this case we are using aws_s3_bucket as resource name which will create the s3 bucket with provided attributes.

  • variables.tf 
    # common variables
    variable "s3_bucket_name" {
      description = "tags"
      type        = string
      default     = "my-tf-s3-bucket-prasannakn"
    }
    variable "acl" {
      description = "access control list"
      type        = string
      default     = "private"
    }

    variable "Environment" {
      description = "access control list"
      type        = string
      default     = "Dev"
    }

    variable "region" {
      description = "region"
      type        = string
      default     = "ap-south-1"
    }
    Above are the variables required for our tf files.

Deploy Terraform code via Github Actions

We have the terraform code and lets deploy the code into AWS environment in an automated workflow using Github Actions.

As a pre-requisites, in order to deploy the resources in AWS, you will have to pass the user credential in Github secrets as shown below
Create a programmatical IAM user with S3 permission from AWS console, please refer AWS official doc for the steps to create an IAM user. Add the secret keys and access secrets keys in GitHub secrets.

Lets look into the GitHub workflow. We have below two pipelines
  • TerraformTest.yml - To validate the Terraform code which will trigger for every push irrespective of the branch
  • TerraformApply.yml - To deploy the Terraform code which will trigger when Pull request is made on main branch
We have used two pipelines because, Each developers will be working in their own branch, so this approach will help when developer wants to validate the code before the Pull request and with this developer doesn't require to validate in the local setup. This can be achieved from the first pipeline. Second pipeline will apply the changes in AWS after the code merge to main branch, so before the code going to main, we can validate our infrastructure change.

Lets look into the both the pipelines workflow.

name: Terraform Test

# Trigger the workflow on push to Test the Terraform code
on: push

jobs:
  terraform_test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1

    - name: Install Terraform
      env:
        TERRAFORM_VERSION: "1.0.11"
      run: |
        tf_version=$TERRAFORM_VERSION
        wget https://releases.hashicorp.com/terraform/"$tf_version"/terraform_"$tf_version"_linux_amd64.zip
        unzip terraform_"$tf_version"_linux_amd64.zip
        sudo mv terraform /usr/local/bin/

    - name: Verify Terraform version
      run: terraform --version

    - name: Terraform init
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      run: terraform init -input=false

    - name: Terraform validation
      run: terraform validate

    - name: Terraform plan
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      run: terraform plan

This pipeline will checkout to the code in container and fetch the secrets from the Github secrets and will initialize the terraform and validate the code. Also at the end, we will look out the current and desired state using terraform plan. This pipeline will trigger on every push. 


name: Terraform Apply

on:
  # Trigger the workflow on push or Pull request,
  # but only for the main branch
  push:
    branches:
      - main

jobs:
  terraform_apply:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1

    - name: Install Terraform
      env:
        TERRAFORM_VERSION: "1.0.11"
      run: |
        tf_version=$TERRAFORM_VERSION
        wget https://releases.hashicorp.com/terraform/"$tf_version"/terraform_"$tf_version"_linux_amd64.zip
        unzip terraform_"$tf_version"_linux_amd64.zip
        sudo mv terraform /usr/local/bin/

    - name: Verify Terraform version
      run: terraform --version
    
    - name: Terraform init
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      run: terraform init -input=false

    - name: Terraform apply
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      run: terraform apply -auto-approve -input=false

This pipeline will checkout the code in container and fetch the secrets from the Github secrets and do the terraform init and apply.


Looking into the tree, below is my folder structure, where terraform_deploy is my main folder and inside we have all the required files.

terraform_deploy
    │   main.tf
    │   providers.tf
    │   README.md
    │   variables.tf
    │   versions.tf
    │
    └───.github
        └───workflows
                TerraformApply.yml
                TerraformTest.yml

Lets create a new branch and push the code to Github repo, Here is my Github repo for your reference. Once you push the code to the new branch of the Github repo, you can observe Terraform Test pipeline will start running.
Terraform test is Green and you can review the terraform states in the job.
Let's merge the code to main branch using Pull request, now we can observe, after code is merged to main branch, Terraform apply pipeline will runs and create the S3 bucket in AWS

Conclusion

In this blog post, I have shown you the basic of terraform files. I also showed you on how to deploy the terraform code using Github Action with two pipelines as a best practice. Hope this blog helped you in your similar use case.
Thank you for reading!

Comments

Post a Comment

Popular posts from this blog

Connect to Linux EC2 Instance if Key pair is lost after Initial Launch

By
Use Case We know that EC2 Linux instances are accessible through the private keys by default. However, SSH is allowed but you cannot use SSH password authentication to access Linux instance as it is disabled by default. So, what would happen if you lose the private key of your Linux instance? In this blog, I will walk you through the easiest ways to login when you lost the Key pair What is a key-pair file? Key-pair is a combination of a public and private key. Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Private key is only the way to get access to the instance, what if you lost the key? Is your servers lost in black hole? Thankfully nothing is lost you still can access your server, let me show you how can you solve this problem. Things that you should know before to proceed to this topic This procedure will requires s...
Read more

Start or Stop services in multiple Windows EC2 Instances using AWS Systems Manager

By
Use Case You are the admin over a large amount of EC2 instances and managing different AWS accounts under Organization and you have to start/stop/disable a service for all Windows EC2 Instances in the Organization. Rather than wasting labor hours to perform this activity in each instance manually, you want to automate the process using AWS Systems Manager. Recently Windows had a flaw in Print Spooler Remote Code Execution Vulnerability and Microsoft recommended to stop until the patch is applied, in order to apply this immediately, we can make use of this design Systems Manager Systems Manager (SSM) gives you visibility and control over your AWS infrastructure. Automation, a capability of AWS Systems Manager, simplifies common maintenance and deployment tasks of Amazon Elastic Compute Cloud (Amazon EC2) instances and other AWS resources. Automation helps you to do the following: Build automations to configure and manage instances and...
Read more

Automate Permission Boundary Attachment to IAM roles and Users

By
When we are managing multiple AWS Accounts in an Organization and each accounts will have their own requirement but as a centralized admin, we should be having a certain governance and compliance framework. IAM is a widely used AWS service and IAM roles/users are common used entity in AWS. As a centralized Admin, when we provide access to create IAM roles, cloud consumers in the landing zone accounts would create Users and Roles and attach Administrative policy and bypass the governance framework. In this blog, I will be briefing on restricting this scenario using IAM permission boundary and also deploying this setup through automation. AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows ...
Read more

Setup Grafana on AWS EKS and integrate with AWS Cloudwatch

By
What is Grafana? Grafana is open-source visualization and analytics software. It allows you to query, visualize, alert on, and explore your metrics no matter where they are stored. In plain English, it provides you with tools to turn your time-series database (TSDB) data into beautiful graphs and visualizations. Setup Grafana on Amazon Elastic Kubernetes Service This blog explains on how to run Grafana on Amazon Elastic Kubernetes cluster and adding cloudwatch as datasource to Grafana. Using Grafana you can simplify Kubernetes monitoring dashboards from Clo...
Read more

Concourse CI Installation and Configuration in Windows

By
Introduction to Concourse Concourse is an open source CI/CD system with integration supported to Resource types in the outside world. Concourse's principles reduce the risk of switching to and from Concourse, by encouraging practices that decouple your project from your CI's little details, and keeping all configuration in declarative files that can be checked into version control. Install and Configure Concourse in Windows Follow the below Steps to Install Installing Docker Desktop is pretty simple, download the exe file and install the docker desktop Modify Docker daemon configuration file as below ...
Read more

Create Docker Environment locally and deploy a sample web application

By
Docker is a platform for developers and sysadmins to develop, deploy, and run applications with containers. You can refer Docker official website for more understanding about the docker. In this blog, I will walkthrough on how to setup a Docker Environment locally in your laptop, server or desktop. Installing Docker Desktop Previously, when we were working on a Windows or Mac Environment, setting up docker was a difficult task but Docker Desktop is designed to let you build, share and run containers as easily on Mac and Windows as you do on Linux. Docker handles the tedious and complex setup so you can focus on writing code. Pre-requisites for Docker Desktop Configure WSL 2 ( Recommended for Windows 10, 11 - All Editions) Hyper-V backend ( Recommended for Windows 10, 11 - Professional, Enterprise, Education Editions) We will use WSL 2 since i...
Read more

Install SSM Agent in Amazon EC2 Instance

By
What is SSM Agent AWS Systems Manager Agent is a Amazon software which can be installed on Amazon EC2 Instances. If SSM Agent is Installed in the servers then it will be easy to manage the EC2 Instances through AWS Systems manager.  By default SSM agent is pre installed for below Amazon Machine Images Amazon Linux Amazon Linux 2 Amazon Linux 2 ECS-Optimized Base AMIs macOS 10.14.x (Mojave), 10.15.x (Catalina), and 11.x (Big Sur) SUSE Linux Enterprise Server (SLES) 12 and 15 Ubuntu Server 16.04, 18.04, and 20.04 Windows Server 2008-2012 R2 AMIs published in November 2016 or later Windows Server 2016 and 2019 In this blog, I will walk you through on the ways to Install SSM Agent in the Instances which will not get SSM Agent by default. Steps to Insta...
Read more

Hosting AWS VPC Interface Endpoints in Shared Model

By
What is VPC Endpoint A VPC endpoint enables private connections between your VPC and supported AWS services. Endpoints are classified as Interface and Gateways endpoints. In this blog, I will be showing how to host interface endpoints in shared model Do you have Multi AWS Accounts in Organization? When you have multi accounts structure in your Organization then creating endpoints in each accounts will increase the costs and IPs, in this blog I will explain how you can deploy endpoints in Shared Services Account and associate the member accounts VPCs with Private Hosted zone. Below is the Architectural diagram which I will be showing in detail on how to setup and also how the flow works Architecture Design AWS Services/Components required VPC Subnets Endpoints Hosted zone and Record set Transit Gateway I...
Read more

Auto tag AWS resources with Lambda

By
Automating AWS resource Tagging  Why Tagging resources? Tagging AWS resources is very important when you want to automate some tasks based on the tags, like you want to install patch automatically based on the tags from SSM association or you want to get a list of resources based on the tags. There are many aspects where tagging the resources will be required.  In this blog, I will be showing on automatically adding a tag CreatedBy to the S3 bucket. You can leverage the same logic to other AWS resources. Architectural design ...
Read more

AWS Route 53 Inbound Resolver to resolve DNS for Multi Account Organization

By
Amazon Route53 Resolver The route 53 resolvers are contactable IP addresses (endpoints) where the DNS queries from different sources can be directed. There are two types of resolvers that administrators can deploy. Inbound Resolver As the name says inbound (DNS Resolutions coming in) which will enable your resources in the on-prem network to resolve AWS resource domain names or records in a Route 53 private hosted zone by allowing your on-prem network DNS resolvers to forward queries to Route 53 Resolver. Outbound Resolver As the name says Outbound (DNS Resolutions going out) which will enable your AWS resources to resolve the domain names of your on-prem network resources using resolver rules, which would forward selected queries to the on-prem network DNS resolvers On-prem to AWS DNS Resolution for ...
Read more