AWS

EXERCISE 1: Create IAM user.
First of all, you need an IAM user with correct permissions to execute the tasks below.
  • Create a new IAM user using "Jane" as a username and "devops" as the user-group
  • Give the "devops" group all needed permissions to execute the tasks below - with login and CLI credentials
Note: Do that using the AWS UI with Admin User

Solution:

AWS UI:

  • go to AWS/IAM Dashboard/Users/Create user
    also generate a console password (for AWS UI access) + download the csv containing the credentials
  • go to AWS/IAM Dashboard/Users/Jane/Create access key
    generate an Access Key ID and Secret Access Key (for CLI/API access, not for the console login) + download the csv containing the credentials
  • go to AWS/IAM Dashboard/User groups/Create group + add Jane to the user group
  • attach the managed policy 'AmazonEC2FullAccess' to the group devops.
Note: both csv files hold long-lived secrets. Move them into a password manager and delete the files; an access key is a password that never expires on its own.

AWS CLI:

1. Install the AWS CLI:

brew install awscli

2. Check for success:

aws --version

3. Check whether the admin user's credentials are already on the local machine

cat ~/.aws/credentials   (access keys)
cat ~/.aws/config        (default region and output format)
if not: aws configure

4. Create user

aws iam create-user --user-name jane

5. Create group

aws iam create-group --group-name devops2

6. Add user to group

aws iam add-user-to-group --user-name jane --group-name devops2

7. Check that the user is in group devops2

aws iam get-group --group-name devops2

8. Give users in the group permission (policy) to create EC2 instances
8.1 Find the policy ARN (for EC2, VPC and all components under those services)

aws iam list-policies --query 'Policies[?PolicyName==`AmazonEC2FullAccess`].Arn' --output text
aws iam list-policies --query 'Policies[?PolicyName==`AmazonVPCFullAccess`].Arn' --output text
or
aws iam list-policies | grep AmazonEC2FullAccess
and
aws iam list-policies | grep AmazonVPCFullAccess

8.2 Attach the policies (found above) to the group

aws iam attach-group-policy --group-name devops2 --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
aws iam attach-group-policy --group-name devops2 --policy-arn arn:aws:iam::aws:policy/AmazonVPCFullAccess

8.3 Validate

aws iam list-attached-group-policies --group-name devops2

Note: both managed policies grant every EC2 and VPC action on every resource. That is fine for a throwaway lab account; in a shared account, a customer-managed policy limited to the actions and the region you actually use is the better fit.
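AmazonEC2FullAccess and AmazonVPCFullAccess are convenient for a lab but far broader than these exercises need. The Python below is an added example (not part of this README) that lints an IAM policy document for the patterns that make a policy over-broad: wildcard actions, Allow combined with NotAction, and mutating actions on every resource with no Condition. BROAD_POLICY is a constructed approximation of what the two managed policies grant, not their exact text; SCOPED_POLICY is a hypothetical replacement limited to the EC2 actions used in exercises 3 and 4 and pinned to eu-west-3 with the aws:RequestedRegion condition key.

```python
import json

# Constructed approximation of what AmazonEC2FullAccess / AmazonVPCFullAccess grant
# (wildcard actions on every resource). NOT the exact AWS policy text.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["elasticloadbalancing:*", "cloudwatch:*"], "Resource": "*"},
    ],
}

# Hypothetical least-privilege replacement for this lab: read-only Describe* anywhere,
# the handful of create/attach/run calls used in exercises 3 and 4, and only in eu-west-3.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {
            "Sid": "BuildLabInOneRegion",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway", "ec2:CreateRouteTable", "ec2:CreateRoute",
                "ec2:AssociateRouteTable", "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateKeyPair",
                "ec2:RunInstances", "ec2:CreateTags",
            ],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-3"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Describe/Get/List verbs change nothing, so Resource '*' is harmless for them."""
    verb = action.split(":", 1)[-1]
    return verb.startswith(("Describe", "Get", "List"))


def audit_policy(doc):
    """Return one finding string per Allow statement that is broader than it should be."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "NotAction" in st:
            # Allow + NotAction grants every action except those listed: almost always too wide.
            findings.append(f"{sid}: Allow with NotAction grants everything not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        mutating = [a for a in actions if not _is_read_only(a)]
        if mutating and "*" in resources and not st.get("Condition"):
            findings.append(f"{sid}: mutating actions on Resource '*' with no Condition")
    return findings


def audit_policy_json(text):
    """Same check on raw JSON text, e.g. the "Document" field saved from
    aws iam get-policy-version --policy-arn ... --version-id ..."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {len(audit_policy(doc))} finding(s)")
        for finding in audit_policy(doc):
            print("  -", finding)
```

The scoped policy still uses Resource "*" for the create calls because most ec2:Create* actions have no resource to scope to before the object exists; the region condition is what keeps the blast radius down. Run it against a real document by saving the output of aws iam get-policy-version and passing its Document field to audit_policy_json.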

EXERCISE 2: Configure AWS CLI
You want to use the AWS CLI for the following tasks. So, to be able to interact with the AWS account from the AWS Command Line tool you need to configure it correctly:

- Set credentials for that user for AWS CLI
- Configure correct region for your AWS CLI

Solution: AWS UI access (password)

1. Create a console password and force a reset on first login

aws iam create-login-profile --user-name jane --password '<initial-password>' --password-reset-required

Note: the password passed on the command line ends up in your shell history; it is short-lived because the reset is forced, but clear it from the history anyway.

2. Jane can't change her own password yet -> attach that permission to Jane

find the policy ARN:
aws iam list-policies | grep Password
"Arn": "arn:aws:iam::aws:policy/IAMUserChangePassword"

aws iam attach-user-policy --user-name jane --policy-arn arn:aws:iam::aws:policy/IAMUserChangePassword

3. Log in to the UI + reset the password

The console login requires: the account ID (or account alias), username and password.
The 12-digit account ID is the number inside the user ARN:
aws iam get-user --user-name jane
"Arn": "arn:aws:iam::197796734648:user/jane"

account id = 197796734648

Solution: AWS CLI access (Access Key ID, Secret Access Key)

1. Save the credentials file (keys) ~/.aws/credentials of the admin user somewhere safe, so that the next aws configure does not overwrite it.

mv ~/.aws/credentials ~/.aws/credentials_admin

An alternative that avoids moving files around: keep the admin keys as the default profile, store Jane's keys under a named profile with `aws configure --profile jane`, and select it per command with `--profile jane` (or by exporting AWS_PROFILE=jane).

2. Create an access key for user jane and enter it into the CLI config

aws iam create-access-key --user-name jane > key.txt
OR via the UI
IAM/Users/Jane/Create access key/Download csv file
aws configure

Note: key.txt (and the csv) now contain the secret access key in plaintext. Delete them once aws configure has stored the key, and if the key is ever exposed, revoke it with aws iam delete-access-key and issue a new one.

3. Validate the credentials:

cat ~/.aws/credentials

This only shows what was typed; `aws sts get-caller-identity` proves the keys work and prints the user ARN the CLI now acts as.

EXERCISE 3: Create VPC
You want to create the EC2 Instance in a dedicated VPC, instead of using the default one. So, using the AWS CLI, you:

  • create a new VPC with 1 subnet
  • create a security group in the VPC that will allow you access on ssh port 22 and will allow browser access to your Node application

    Solution:

    ====== Create VPC and subnet ========
    1. Create VPC:

    aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text
    Output: vpc-04411448155c5c404

    2. Create Subnet in VPC:

    aws ec2 create-subnet --vpc-id vpc-04411448155c5c404 --cidr-block 10.0.1.0/24 --query Subnet.SubnetId --output text
    Output: subnet-0dcd59104af3b4016

    3. Validate:

    aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-04411448155c5c404"

    ====== Make subnet public by attaching an internet gateway ========
    1. Create Internet Gateway

    aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text
    Output: igw-0943c735026803291

    2. Attach Internet Gateway to the VPC

    aws ec2 attach-internet-gateway --vpc-id vpc-04411448155c5c404 --internet-gateway-id igw-0943c735026803291

    3. Create Route Table (like a virtual router in our VPC)

    aws ec2 create-route-table --vpc-id vpc-04411448155c5c404 --query RouteTable.RouteTableId --output text
    Output: rtb-01e4614195e247971

    4. Create a route that sends all non-local traffic (0.0.0.0/0) to the internet gateway

    aws ec2 create-route --route-table-id rtb-01e4614195e247971 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-0943c735026803291

    5. Validate that your custom route table has the correct configuration: 1 local route and 1 internet gateway route

    aws ec2 describe-route-tables --route-table-ids rtb-01e4614195e247971

    {
    "RouteTables": [
        {
            "Associations": [],
            "PropagatingVgws": [],
            "RouteTableId": "rtb-01e4614195e247971",
            "Routes": [
                {
                    "DestinationCidrBlock": "10.0.0.0/16",
                    "GatewayId": "local",
                    "Origin": "CreateRouteTable",
                    "State": "active"
                },
                {
                    "DestinationCidrBlock": "0.0.0.0/0",
                    "GatewayId": "igw-0943c735026803291",
                    "Origin": "CreateRoute",
                    "State": "active"
                }
            ],
            "Tags": [],
            "VpcId": "vpc-04411448155c5c404",
            "OwnerId": "197796734648"
        }
    ]
    }
    
    6. Associate the subnet with the route table so internet traffic can reach the subnet of our VPC ("Associations" is empty in the output above because this step had not been done yet)

    aws ec2 associate-route-table --subnet-id subnet-0dcd59104af3b4016 --route-table-id rtb-01e4614195e247971
    Output: "AssociationId": "rtbassoc-0c6d6c4b85d6b0f50"

    ====== Create security group in the VPC to allow access on port 22 ======
    1. Find the ID of the VPC created above:

    aws ec2 describe-vpcs
    -> vpc-04411448155c5c404

    2. Create a Security Group in the VPC

    aws ec2 create-security-group --group-name sgjane --description "My Sg" --vpc-id vpc-04411448155c5c404
    -> "GroupId": "sg-05b422fe026aaaa3e"

    3. Create a rule to open port 22 for ssh

    Allow access on port 22 from all sources (0.0.0.0/0). This exposes SSH to the whole internet and the instance will start receiving password-guessing traffic within minutes; for anything beyond a throwaway lab, restrict --cidr to your own address (<your-ip>/32) instead.
    aws ec2 authorize-security-group-ingress --group-id sg-05b422fe026aaaa3e --protocol tcp --port 22 --cidr 0.0.0.0/0
    -> sgr-0d89f1f54c1cf0b67

    4. Validate the ingress rule

    aws ec2 describe-security-groups --group-ids sg-05b422fe026aaaa3e
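Step 5 of the route-table part above is validated by eye. As an added example (not from this README), the Python below does the same check programmatically over describe-route-tables JSON: a route table makes its subnets public only if it has the local route, an active 0.0.0.0/0 (or ::/0) route whose target is an internet gateway, and an association with the subnet. The embedded JSON is a constructed copy of the page's output as it looks after step 6, plus a made-up second table (rtb-private-example) with a NAT gateway default route to show the private case.

```python
import json

# Constructed describe-route-tables output: the page's custom table as it looks after
# step 6 (now associated with the subnet), plus a made-up second table
# (rtb-private-example) whose default route goes to a NAT gateway instead.
ROUTE_TABLES_JSON = """
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-01e4614195e247971",
      "VpcId": "vpc-04411448155c5c404",
      "Associations": [
        {"Main": false, "RouteTableAssociationId": "rtbassoc-0c6d6c4b85d6b0f50",
         "RouteTableId": "rtb-01e4614195e247971", "SubnetId": "subnet-0dcd59104af3b4016"}
      ],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0943c735026803291",
         "Origin": "CreateRoute", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-private-example",
      "VpcId": "vpc-04411448155c5c404",
      "Associations": [
        {"Main": false, "RouteTableAssociationId": "rtbassoc-private-example",
         "RouteTableId": "rtb-private-example", "SubnetId": "subnet-private-example"}
      ],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-private-example",
         "Origin": "CreateRoute", "State": "active"}
      ]
    }
  ]
}
"""


def load_route_tables(text=ROUTE_TABLES_JSON):
    """Parse the JSON exactly as `aws ec2 describe-route-tables` prints it."""
    return json.loads(text)


def has_local_route(route_table):
    """Every VPC route table carries the VPC CIDR -> local route; its absence means bad input."""
    return any(r.get("GatewayId") == "local" for r in route_table["Routes"])


def has_internet_gateway_route(route_table):
    """True if an active default route (0.0.0.0/0 or ::/0) targets an internet gateway.
    A NAT gateway default route (NatGatewayId) gives outbound-only access and does
    not make the subnet public; a blackhole route forwards nothing."""
    for r in route_table["Routes"]:
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest not in ("0.0.0.0/0", "::/0") or r.get("State") != "active":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def public_subnets(describe_output):
    """Subnet IDs explicitly associated with a table that routes to an internet gateway.
    Subnets with no explicit association use the VPC's main table (Main: true and no
    SubnetId); enumerating those needs describe-subnets and is not covered here."""
    result = set()
    for rt in describe_output["RouteTables"]:
        if not (has_local_route(rt) and has_internet_gateway_route(rt)):
            continue
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId"):
                result.add(assoc["SubnetId"])
    return result


if __name__ == "__main__":
    tables = load_route_tables()
    for rt in tables["RouteTables"]:
        print(rt["RouteTableId"], "public" if has_internet_gateway_route(rt) else "private")
    print("public subnets:", sorted(public_subnets(tables)))
```

Against live output, pipe `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` into load_route_tables; a subnet reported as public is one where an instance launched with a public IP is reachable from the internet, subject only to its security group.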

EXERCISE 4: Create EC2 Instance
Once the VPC is created, using the AWS CLI, you:
Create an EC2 instance in that VPC with the security group you just created and ssh key file

Solution:

1. Create an ssh key pair. The private key is returned only once, so write it straight to a file and make it readable by you alone (ssh refuses keys with wider permissions):

aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem

chmod 400 MyKeyPair.pem

2. Launch the instance in the subnet with the security group from exercise 3. The subnet lives in a custom VPC, so a public IP has to be requested explicitly:

aws ec2 run-instances --image-id ami-0302f42a44bf53a45 --count 1 --instance-type t2.micro --key-name MyKeyPair --security-group-ids sg-05b422fe026aaaa3e --subnet-id subnet-0dcd59104af3b4016 --associate-public-ip-address

Output:
instance_id = i-02dbb3020c487be05

3. Wait until the instance is running and read its public IP (add --region eu-west-3 if your CLI default differs from the region the VPC was created in):

aws ec2 describe-instances --instance-ids i-02dbb3020c487be05 --query "Reservations[*].Instances[*].{State:State.Name,Address:PublicIpAddress}"

Output:
"State": "running",
"Address": "15.237.208.246"

EXERCISE 5: SSH into the server and install Docker on it
Once the EC2 instance is created successfully, you want to prepare the server to run Docker containers. So you:
- ssh into the server and
- install Docker on it to run the dockerized application later

Solution:

ssh -i MyKeyPair.pem ec2-user@15.237.208.246
(ec2-user is assumed here as the default login of Amazon Linux AMIs; use the public IP from exercise 4)
sudo yum update -y
sudo yum install -y docker
sudo service docker start
sudo usermod -aG docker ec2-user
docker version

Log out and back in for the group change to take effect; docker version should then show both the client and the server. Note: membership of the docker group is equivalent to root on the host (any member can mount / into a container), so grant it only to the deploy user that needs it.

EXERCISE 6: ToDo Jenkins

EXERCISE 7: ToDo Jenkins

EXERCISE 8: Configure access from browser (EC2 Security Group)
After executing the Jenkins pipeline successfully, the application is deployed, but you still can't access it from the browser. You need to open the correct port on the server. For that, using the AWS CLI, you:
  • Configure the EC2 security group to access your application from a browser

Solution:

The Node application listens on port 3000, so open that port to the public. Browser users can come from anywhere, so 0.0.0.0/0 is the right source here, unlike for SSH in exercise 3:

aws ec2 authorize-security-group-ingress --group-id sg-05b422fe026aaaa3e --protocol tcp --port 3000 --cidr 0.0.0.0/0
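Exercises 3 and 8 both add rules with source 0.0.0.0/0 to the same group, and it is easy to lose track of which world-open rules are intended (port 3000 for the browser) and which are not (port 22). The Python below is an added example, not part of this README, that audits describe-security-groups output: it reports every ingress rule whose source is the whole internet (IPv4 or IPv6), rates admin ports higher, and builds the aws ec2 revoke-security-group-ingress command that removes the rule. SG_JSON is constructed to match the lab group (IDs from the page, shape from the EC2 API); the 443-from-VPC rule is added only to show a rule the audit must not flag.

```python
import ipaddress
import json

# Constructed describe-security-groups output for the lab group. Group, VPC and rule
# values follow the page (port 22 from exercise 3, port 3000 from exercise 8); the
# 443-from-10.0.0.0/16 rule is added to show a rule the audit must NOT flag.
SG_JSON = {
    "SecurityGroups": [
        {
            "GroupId": "sg-05b422fe026aaaa3e",
            "GroupName": "sgjane",
            "VpcId": "vpc-04411448155c5c404",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        }
    ]
}

ADMIN_PORTS = {22, 3389}  # ports that should never be reachable from the whole internet


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (any /0 prefix), False for anything narrower."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_findings(describe_output, admin_ports=ADMIN_PORTS):
    """One finding per ingress rule whose source CIDR is the entire internet."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]                        # "tcp", "udp", "icmp" or "-1" (all)
            lo, hi = perm.get("FromPort"), perm.get("ToPort")  # absent when proto == "-1"
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_world(cidr):
                    continue
                all_ports = proto == "-1" or lo is None
                hits_admin = all_ports or any(lo <= p <= hi for p in admin_ports)
                findings.append({
                    "group": sg["GroupId"],
                    "protocol": proto,
                    "ports": "all" if all_ports else (str(lo) if lo == hi else f"{lo}-{hi}"),
                    "source": cidr,
                    "severity": "high" if hits_admin else "medium",
                })
    return findings


def revoke_command(finding):
    """The aws-cli command that removes the offending rule (mirrors the arguments that created it)."""
    base = f"aws ec2 revoke-security-group-ingress --group-id {finding['group']}"
    if ":" in finding["source"]:
        # --cidr only takes IPv4; an IPv6 source has to be expressed through --ip-permissions.
        perm = {"IpProtocol": finding["protocol"], "Ipv6Ranges": [{"CidrIpv6": finding["source"]}]}
        if finding["ports"] != "all":
            lo, _, hi = finding["ports"].partition("-")
            perm["FromPort"], perm["ToPort"] = int(lo), int(hi or lo)
        return f"{base} --ip-permissions '{json.dumps([perm])}'"
    if finding["ports"] == "all":
        return f"{base} --protocol -1 --cidr {finding['source']}"
    return f"{base} --protocol {finding['protocol']} --port {finding['ports']} --cidr {finding['source']}"


if __name__ == "__main__":
    for f in world_open_findings(SG_JSON):
        print(f["severity"].upper(), f["group"], f["protocol"], f["ports"], "from", f["source"])
        print("   ", revoke_command(f))
```

For the lab group this reports port 22 as high and port 3000 as medium; the 3000 finding is the intended one, the 22 finding is the one to fix by revoking the rule and re-adding it with --cidr <your-ip>/32. Feed it live data with `aws ec2 describe-security-groups` (optionally --filters Name=vpc-id,Values=<vpc-id>) parsed through json.loads.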

EXERCISE 9: ToDo Jenkins