Terraform: Launching an EC2 Instance in AWS

Terraform is an infrastructure as code (IaC) tool that lets a user define both cloud and on-prem resources in human-readable configuration files to version, reuse, and share. In other words, it allows users to define and provision infrastructure resources, such as virtual machines, storage accounts, and networks, in a declarative configuration language. 

For example, on Amazon Web Services (AWS), it would be lengthy to use the console to manually build an infrastructure. Terraform makes it faster and easier by providing a consistent and reproducible way to define, provision, and manage resources on AWS through a programmatic approach.

The key components of Terraform include:

• Configuration files: These files define the desired state of your infrastructure, specifying the resources and their configurations.
• Providers: Terraform providers are plugins that interact with APIs of different cloud providers (such as AWS, Azure, Google Cloud Platform, etc.) or other services to manage resources.
• Resource types: Terraform supports a wide range of resource types, representing various infrastructure components like virtual machines, networks, databases etc.
• Execution plans: Terraform generates execution plans to show what actions it will take when you apply your configuration, giving you a preview of changes before they are implemented.
• State management: Terraform maintains a state file that keeps track of the current state of your infrastructure. This allows Terraform to understand the relationships between resources and manage updates efficiently.

The following tutorial aims to show how to create a basic infrastructure: we will provision an EC2 instance on AWS. EC2 instances are virtual machines running on AWS, and a common component of many infrastructure projects. EC2 instances can be configured with various CPU, memory, storage, and networking options to meet different workload requirements. EC2 is widely used for hosting websites, running applications, processing data etc.

Requirements. For this tutorial, it is assumed that:

1. You have installed Terraform on your machine.
2. You know a bit of AWS.
3. You have installed AWS CLI.
4. You already have an account with AWS*.

*(Create an IAM user for this exercise rather than using the Root account. Give it the right permissions, depending on what you want to create through Terraform – an EC2 instance in this case).

I used Studio Visual Code as source-code editor (with the official Terraform extension) and GitHub.

----------------------------------------------------------------------------------------------------------------------

I created a directory on my pc (one per Terraform project is advisable). Inside, I created an empty file called "main.tf" (the name is not important, but the extension is!).

The first step is to identify a supported provider for Terraform, in my case AWS. Think of it as plugins: I want to make sure that Terraform downloads the needed code to communicate with the AWS API. Indeed, Terraform does not come with all the codes to connect to all APIs when you install it; it would not be functional since there are many providers.

Instructions for the AWS provider can be found here:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs

In the instructions, there is an example about the setup:

terraform {

    required_providers {

        aws = {

            source = "hashicorp/aws"

            version = "~> 5.0"

        }

    }

}

# Configure the AWS Provider and define a Region (optional)

provider "aws" {

    region = "eu-west-2"

}

I copy this and paste it in main.tf. So, I declared to Terraform what provider I need.

Now, the problem is that Terraform needs to connect to my AWS account to create, manage or destroy resources. There are many ways to do that.

In AWS, for the user I created ad hoc for this exercise, I can 'Create New Access Key'.

The new access key comes with an 'Access Key ID' and a 'Secret Access Key' that can be seen only once (you can save them on your machine though). I could now add them in the main.tf file to instruct Terraform to connect to my AWS account through that key, as shown below:

provider "aws" {

    region = "us-west-2"

    access_key = "my-access-key"

    secret_key = "my-secret-key"

}

However, hardcoding the key in this way is risky because someone might discover it by looking at main.tf.

The alternative is using the AWS CLI (make sure to have it installed). *

*(There are more alternatives which are ignored in this post).

In my terminal, I type:

aws configure

I am asked for the AWS Access Key ID, AWS Secret Access Key, the Default region name (the one I used for my provider in main.tf), and the Default output format (JSON is fine).

This process populates a file in my home directory that can be accessed with cd .aws (I am using Git Bash). The credential file in the aws directory will be automatically used by Terraform to connect to my AWS account; this is safer than hardcoding the keys in plain sight in main.tf as suggested before.

----------------------------------------------------------------------------------------------------------------------

In the link provided above (this), there are instructions to create various resources in AWS. I searched for EC2 and found 'aws_instance' under Resource. The basic code is:

resource "aws_instance" "web" {

    ami = data.aws_ami.ubuntu.id

    instance_type = "t3.micro"

    tags = {

        Name = "HelloWorld"

    }

}

This can be copy-pasted in main.tf, under what I already wrote before. With this, I am telling Terraform to provide a resource which is an AWS instance named "web" by me (Terraform will remember this name for this resource for future uses but AWS will ignore it). 

data.aws_ami.ubuntu.id is the AMI for that instance and the type is t3.micro (better to use t2.micro since it is free in AWS). ami and instance_type are examples of config options (there could be more). Let’s ignore tags for now.

This is the code I have now in main.tf:

terraform {

    required_providers {

        aws = {

            source = "hashicorp/aws"

            version = "~> 5.0"

        }

    }

}

# Configure the AWS Provider and define a Region (optional)

provider "aws" {

    region = "eu-west-2"

}

resource "aws_instance" "web" {

    ami = data.aws_ami.ubuntu.id

    instance_type = "t2.micro"

}

That AMI has an 'id' at its end: it means that it comes from another piece of code (attribute) on main.tf (usually it is a combination of resource + provider + name + id but let’s ignore this for now). I insert a specific AMI found on AWS under Launch Instance: “ami-0e5f882be1900e43b” * (use quotations if you don’t use the id). 

*(Make sure to take a free one in the same Region you are working in. You can use Ubuntu).

Final code in main.tf (remember to save it):

terraform {

    required_providers {

        aws = {

            source = "hashicorp/aws"

            version = "~> 5.0"

        }

    }

}

# Configure the AWS Provider and define a Region (optional)

provider "aws" {

    region = "eu-west-2"

}

resource "aws_instance" "web" {

    ami = “ami-0e5f882be1900e43b”

    instance_type = "t2.micro"

}

I open the terminal and navigate where the project is. Then I type the command:

terraform init

This command initialises my working directory containing Terraform configuration files. In brief, it:

• Downloads Providers: It downloads the necessary provider plugins specified in my configuration files.
• Initialises Backend: My file is now stored locally on my machine. However, it can be stored remotely on Amazon S3, Azure Blob Storage, Terraform Cloud etc. to ease collaborations between developers.
• Installs Modules: in case these are used.
• Initializes Working Directory: It initializes the working directory for Terraform, creating necessary files and directories.

There is a well know problem that you might encounter at this stage:

'Error: Failed to query available provider packages

│ Could not retrieve the list of available versions for provider hashicorp/aws: could not connect to registry.terraform.io: failed to request

│ discovery document: Get https://registry.terraform.io/.well-known/terraform.json'

If I curl https://registry.terraform.io/.well-known/terraform.json, I receive 'curl: (35) Recv failure: Connection was reset.'

To solve this, I simply downloaded a free VPN and did the terraform init while logged into the VPN.

If the command is executed correctly (green output in the terminal), you will find a series of new files in the working directory. One of these is the "terraform.tfstate" which is fundamental to Terraform's operation, providing a snapshot of the infrastructure's desired state and serving as the basis for making changes and maintaining infrastructure. Proper management and protection of the state file are crucial for effective Terraform workflows.

Next command to type in the terminal after terraform init:

terraform plan

This command compares what has been built already with the plan I coded in Terraform. It basically allows me to review proposed changes and ensure they align with my intentions before making them live. The green plus sign stands for “creation” and the red minus sign stands for “destruction”. Every resource is evaluated in comparison to the current state.

Since nothing was created before for my AWS user, terraform plan informs me that one resource only (the EC2 instance) will be added ('Plan: 1 to add, 0 to change, 0 to destroy.')

Now I can terraform apply to launch the instance ("yes" to approve the action when prompted). If I go into my AWS account under EC2 I can verify that the t2.micro instance with AMI ami-0e5f882be1900e43b is indeed running.

terraform destroy to destroy it (remember to do it to avoid costs of running instances on AWS).

Basic Networking: Hub, Bridge, Switch and Router

(Thanks to Practical Networking for their informative YouTube channel, available here).

 
This follows my previous post.

 

In a network, data crossing a wire connecting two hosts decays as it travels, up to invalidating the sharing of data if the distance is significant.

A repeater is a device which regenerates a signal: when inserted between two hosts, the signal entering one end of the repeater is regenerated on the other side. This allows data to travel greater distances.

Definition: A repeater in networking is a device that amplifies and re-transmits signals, extending the reach of a network by regenerating and boosting the strength of the transmitted data, allowing it to travel over longer distances.

If you have more complex networks with more than two hosts, a device called hub is needed.

The hub connects multiple hosts in a network, allowing them to communicate by forwarding data to all connected devices. Hubs do not make intelligent decisions about where to send data; instead, they broadcast incoming data to all connected devices, regardless of the intended recipient. This can lead to network congestion and inefficiency. Hubs are largely obsolete in modern networks, with switches being more commonly used for better performance and efficiency*.

*(I will write more about this further down).

Hub’s purposes:

• Connecting hosts directly to each other doesn’t scale; therefore, a central device to handle funnelling communications is needed.
• We want an easy setup if we connect another host to the existing network: thanks to the hub, this new host will have connectivity to the other hosts in the network.
  

Hub is a multi-port repeater: it takes a packet from a single host and duplicates it to multiple hosts.

To avoid this, two hubs can be created (each one connected to a specific and closed network of hosts) and linked together through a bridge.

 

Bridges have two ports only, one for each hub (each hub represents a contained network). Bridges know how to contain communications inside one relative network without sending unwanted communications from one hub to the other one. However, bridges learn what hosts are on each side and therefore, if required, they can allow communications between the two relative networks. 

This solution can put two networks in communication, however, what is pushed through the bridge is pushed to all the hosts in the network on the other side. And this is not ideal.

 

Source

If you combine hubs and bridges, you have a switch, which is a central device that facilitates communication within a network without pushing unwanted packets to all the hosts in the network (a switch learns which hosts are on each port). 

 

Networks share the same IP address space. So, if 192.168.1.X is the hypothetical IP space of a network made of various hosts, each host of that network will be identified by a specific number replacing X (e.g., the IP can be 192.168.1.1 for one host, 192.168.1.2 for another host of the same network etc.). Imagine this to be the home Wi-Fi where your computer, phone, printer etc. are connected (after all, these are all hosts identified by an IP).

A switch can only facilitate communications within the same network so if there are two separate networks inside the same organisation and each one of them has a switch, these cannot communicate. To solve this, we need a router.

A router “sits” between networks and facilitates communications between them. A router provides a traffic control point (a logical location) to implement security measures, redirect and filter traffic. It can also connect networks with the internet. Switches cannot provide such filtering (actually, modern switches can but since they sit inside the network and not on its “edge” like a router, filtering is typically not required).

A router learns which networks they are attached to; this knowledge is known as “route”, and it is stored in routing tables.

A router has an IP for each network it is attached to. So, each of its IPs (can be multiple) is part of the IP spaces of the networks attached to it.

If a host in network A wants to communicate with another host in network B, and a router is involved, the router’s IP address which is in the IP space for network A serves as Gateway for the hosts in network A. In other words, it is a host’s way out of their local network.

In an organisation with different departments and locations, it is likely that every department and location has a router and that these routers are connected to the internet (which represents a bunch of different routers itself!). 

 

Routing is the process of moving data between networks; switching instead happens within networks. There are many different devices working with networks (e.g., load balancer), but each one of them performs routing and/or switching.

 

Source

 

Basic Networking: Hosts, IPs and Networks

This is the first of a series of posts investigating the complex world of Networking.

(Thanks to Practical Networking for their informative YouTube channel, available here). 

----------------------------------------------------------------------------------------------------------------------

In the context of Networking, if a device sends and receives traffic*, it is a host.

*(Amount of data moving across a computer network at any given time).

Therefore, computers, laptops, phones, printers, servers, routers and other networked devices are hosts.

Cloud servers or Internet of Things (IoT) devices are hosts too: TVs, Smart Watches, Speakers, Refrigerators… These can all be hosts.

Hosts fall into two main categories: Clients and Servers.

Clients initiate requests, Servers respond.

However, these terms are relative to a specific communication. In another communication, a Server can become the Client and vice versa.

In simpler terms, a Server is a computer with software installed which responds to requests.

----------------------------------------------------------------------------------------------------------------------

An IP address (internet protocol) represents the identity of each host. Each host must have at least one IP address to communicate over a network. Think of it as a phone number or a mail address.

This address is stamped on all communications sent by hosts.

In the message between hosts, there will be a Source address (which defines what host sent the communication, in other words the Client) and the Destination address (which defines what host should receive the communication, in other words the Server). If the Server responds back, these addresses are inverted.

Source

 There are two versions of IP addresses: IPv4 and IPv6.

• IPv4 addresses are 32-bit numerical labels written in the form of four sets of decimal numbers separated by periods (dots). Each decimal number is called an octet, and it represents 8 bits.
• Example IPv4 address: 192.168.0.1
• In binary, an IPv4 address is represented as 32 bits, a combination of thirty-two ones and zeros divided in four octets (e.g., 1 octet = 1000 and 1010). Every octet represents a decimal number (min 0, max 255).
  

• IPv6 addresses are 128 bits in length and are written as a series of hexadecimal numbers separated by colons.
• Example IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
• In binary, an IPv6 address is represented as 128 bits. 
• IPv6 was introduced to address the limitations of IPv4, primarily the exhaustion of available IPv4 addresses due to the growth of the internet.

When assigned, IP addresses follow a hierarchy. For a set including subsets, the IP could be 10.X.X.X. A specific subset of that set might have an IP like 10.20.X.X. The subset within the subset of that particular set could potentially possess an IP address resembling 10.20.55.X. This pattern continues recursively.

Why is this important? Because by following the hierarchy, it is easier to pinpoint where a particular host exists. Think of a multinational enterprise with the IP 10.20.55.127: this IP might identify a host for that specific enterprise (10), which is in a specific branch office of that enterprise, such as London (20), which is assigned to a specific team, such as sales (55).

----------------------------------------------------------------------------------------------------------------------

Hosts exist in a network. A network represents a series of connections between hosts which have the purpose of sharing data and resources. Without a network, one should manually transfer data through disks, drives etc. In simple words, networking automates this transfer.

A network is a logical grouping of hosts having similar connectivity. For example, your Wi-Fi internet is a network. All devices of your house connected to it have similar connectivity profiles grouped under one network (your Wi-Fi internet).

Network can contain other networks named subnetwork or subnets (e.g., a school having a network with a subnetwork for each class).

Networks are connected to the Internet (which actually stands for “Interconnected Networks”) to connect them to other networks.