AWS cloud migration practice - Yilis Ramirez
The purpose of this practice is to build a web app that handles a to-do list: items are typed into a text box and added to the list when Enter is pressed, and clicking an item deletes it.
First of all we are going to set up our environment in AWS:
- Creation of a personal AWS account.
Our first step is to create an AWS account through this link, where you will have to fill in your personal data accordingly.
- Enable MFA for root access.
Open the IAM dashboard; under security recommendations you will see the option "Add MFA for root user". Click on the Add MFA tab.
We advise activating it with a virtual MFA device, for which you need an authenticator app installed on your mobile device; we highly recommend the Google Authenticator app. Scan the QR code with the app and enter the corresponding codes. The IAM dashboard will now look as follows:
- Create an organization in AWS to be able to set policies, services, and so on.
Search for AWS Organizations and click on Create an Organization. You will now see your organizational structure.
- Set an SCP to deny resources in Paris and Sao Paulo.
For this we have implemented the following JSON policy, in which we specify the regions where resources are denied (global services such as IAM, CloudFront, Route 53, Support and Organizations are exempted through NotAction).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideRequestedRegions",
            "Effect": "Deny",
            "NotAction": [
                "cloudfront:*",
                "iam:*",
                "route53:*",
                "support:*",
                "organizations:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "sa-east-1",
                        "eu-west-3"
                    ]
                }
            }
        }
    ]
}
We click on Create policy, then select Targets and go to the Attach tab to attach the policy to the Organizational Unit closest to our account. You should see the pop-up message "Successfully attached the policy 'RestrictRegion' to OU 'KeepCoding3'."
- Generate a billing alarm.
To configure it, go to AWS Budgets, select Cost Budget and click Next. We select a monthly period and a recurring budget so that it renews every month. The budgeting method selected is "Fixed"; we enter the budgeted amount and set the name to "My Budget".
Once the budget is defined, we set the alerts. We have set two: one when actual cost exceeds 10% of the budgeted amount, and another when the forecasted cost is greater than 100% of the budgeted amount. As notification preference we chose an email address to be informed about these billing alerts.
- Delete the default VPC.
Following one of the best practices advised by Amazon, we remove the default VPC in Ireland, which is the region where our practice is based. We search for the VPC service in our AWS account, select the single VPC listed, and proceed to delete it and confirm.
- Provide access to the AWS account.
We need to create a cross-account role towards account id 920348516674 to grant the proper access to this project. We select AWS Account, add the account id mentioned above, and under Permissions we choose the AdministratorAccess policy. The resulting trust policy, which additionally requires MFA on the calling session, is shown below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "920348516674"
            },
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}
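To check how the two policy documents above actually behave (the region-deny SCP and the MFA-gated trust policy), here is a minimal evaluator added as a worked example; it is not part of the original practice or of any AWS tooling. It implements only the pieces of IAM evaluation these two documents use (Effect, Action/NotAction, Principal, StringEquals and Bool conditions). The account id is the one quoted above; the request contexts fed to it are constructed for illustration.

```python
"""Toy evaluator for the region-deny SCP and the cross-account trust policy.

Added example (not the practice's own code). Supports only Effect,
Action/NotAction, Principal, StringEquals and Bool, which is all the two
documents need. Account id copied from the write-up; requests are constructed.
"""
import fnmatch

REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideRequestedRegions",
        "Effect": "Deny",
        "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*", "organizations:*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": ["sa-east-1", "eu-west-3"]}},
    }],
}

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": "920348516674"},
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively with '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing context key never satisfies StringEquals/Bool
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if operator not in ("StringEquals", "Bool"):
                raise ValueError(f"operator {operator} is not supported by this toy evaluator")
    return True


def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    ctx carries condition keys and, for trust policies, the calling account
    under 'principal'. An explicit Deny wins over any Allow, as in IAM.
    """
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        else:
            applies = not _action_matches(stmt["NotAction"], action)
        if "Principal" in stmt:
            applies = applies and ctx.get("principal") in _as_list(stmt["Principal"]["AWS"])
        if not applies or not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def scp_denies(action, region):
    """True when the SCP blocks the call; an SCP on its own never grants anything."""
    return evaluate(REGION_SCP, action, {"aws:RequestedRegion": region}) == "Deny"


def trust_allows(account_id, mfa_present):
    """True when the cross-account role can be assumed from account_id."""
    ctx = {"principal": account_id, "aws:MultiFactorAuthPresent": mfa_present}
    return evaluate(TRUST_POLICY, "sts:AssumeRole", ctx) == "Allow"


if __name__ == "__main__":
    print("ec2 in eu-west-3 denied:", scp_denies("ec2:RunInstances", "eu-west-3"))
    print("iam in eu-west-3 denied:", scp_denies("iam:CreateUser", "eu-west-3"))
    print("assume without MFA:", trust_allows("920348516674", False))
```

Two things the evaluator makes visible: the NotAction list exempts global services, so an IAM call "in" eu-west-3 is not blocked, and an AssumeRole from the right account is still refused when the session has no MFA.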
To design the network topology we start by creating a VPC as shown below.
We have also enabled DNS hostnames and DNS resolution, which the database deployment needs, and set the IPv4 CIDR to 172.24.0.0/16.
Now we create the public and private subnets: the database is provisioned in the private subnets, while the load balancer and the web app are provisioned in the public ones.
To enable outbound internet access from the public subnets, we add an Internet Gateway and attach it to the VPC.
Next we edit the route table created automatically and associate it with the two public subnets, which require internet access.
We added a new route with destination 0.0.0.0/0 and the internet gateway created previously as target.
As a last setting, we define another route table for the private subnets, but in this case we do not include any additional route, since a private subnet does not need outbound internet access.
Before creating the database we need to establish the connection between the web app and the database, so we first create a Security Group kc-rds-sg which, for security purposes, only allows incoming requests to TCP port 3306 from the web app.
In addition, we have created another Security Group for the EC2 instances, and a Subnet Group kc-mysql-ddbb-sg in which we specify the private subnets the database will be attached to.
Once these resources have been created, we go to RDS - Databases, choose standard database creation and select MySQL.
We named the database kc-mysql-ddbb.
After the database has been created, we store the connection details in Secrets Manager under the name rtb-db-secret.
So that the web app can retrieve the database connection details, we grant EC2 access to Secrets Manager through an IAM policy for the EC2 instance, which we named secret_policy, with the following JSON code (scoped to that single secret's ARN):
{
    "Statement": [
        {
            "Action": "secretsmanager:GetSecretValue",
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:eu-west-1:124678637394:secret:rtb-db-secret-8uUnua",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}
Now, from IAM management, we create the role role_access_secret and attach the policy created previously to it.
To create an EC2 instance we need a key pair, so we generate one with the name kc-ec2-keys, download it and keep it in a safe place.
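The following is an added example of how the web app on the instance would consume rtb-db-secret through the role_access_secret instance role; it is not part of the original practice or of the vermicida/rtb image. The secret payload is a constructed placeholder in the usual RDS key layout (host, port, username, password, dbname); it assumes boto3 is installed on the instance, and the parsing and redaction logic runs offline without it.

```python
"""Read the MySQL connection details from Secrets Manager on the EC2 instance.

Added example, not the practice's own code. Uses the instance role attached
to the EC2 instance, so no static AWS keys are baked into the AMI or user data.
"""
import json

SECRET_NAME = "rtb-db-secret"   # secret name from the write-up
REGION = "eu-west-1"            # region where the secret and the database live

# Constructed sample of a SecretString as stored for an RDS MySQL database.
# Every value here is a placeholder, not a real credential.
SAMPLE_SECRET_STRING = json.dumps({
    "engine": "mysql",
    "host": "kc-mysql-ddbb.PLACEHOLDER.eu-west-1.rds.amazonaws.com",
    "port": 3306,
    "username": "admin",
    "password": "PLACEHOLDER-PASSWORD",
    "dbname": "rtb",
})


def parse_db_secret(secret_string):
    """Turn the SecretString JSON into the arguments a MySQL client expects.

    Fails fast on a malformed secret instead of handing back a half-filled
    configuration that would only break later at connection time.
    """
    data = json.loads(secret_string)
    missing = [k for k in ("host", "username", "password") if k not in data]
    if missing:
        raise ValueError(f"secret {SECRET_NAME} is missing keys: {missing}")
    return {
        "host": data["host"],
        "port": int(data.get("port", 3306)),
        "user": data["username"],
        "password": data["password"],
        "database": data.get("dbname", ""),
    }


def redact(config):
    """Copy of the config that is safe to log: the password never reaches stdout."""
    return {k: ("***" if k == "password" else v) for k, v in config.items()}


def load_db_config(secret_id=SECRET_NAME, region=REGION):
    """Fetch and parse the secret using the instance role's credentials.

    boto3 is imported lazily so the parsing helpers above stay usable offline;
    the call itself only succeeds on an instance whose role carries the
    secretsmanager:GetSecretValue permission from secret_policy.
    """
    import boto3  # assumption: boto3 is available on the instance
    client = boto3.client("secretsmanager", region_name=region)
    response = client.get_secret_value(SecretId=secret_id)
    return parse_db_secret(response["SecretString"])


if __name__ == "__main__":
    # Offline demonstration on the constructed payload.
    print(redact(parse_db_secret(SAMPLE_SECRET_STRING)))
```

The policy above grants only GetSecretValue on that one ARN, which is exactly the call this code makes; if the secret is rotated the same code keeps working because it reads the current value at start-up rather than caching it on disk.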
We set the Security Group for the web app, in which we allow incoming requests to TCP port 8080 from the load balancer, outbound requests to TCP port 3306 towards the database, and other outgoing traffic towards the internet.
In addition, we create another Security Group for the load balancer, in which we allow incoming requests to TCP port 80 from the internet and outbound requests to TCP port 8080 towards the web app instance.
After defining the required Security Groups, we need to create a Target Group linked to the load balancer with a listener on HTTP port 8080. We have also set the health check to validate the app endpoint and establish the connection.
Then we create the load balancer, which will be in charge of receiving IPv4 traffic on HTTP port 80, and associate the corresponding Security Group and Target Group with it.
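To verify that the three Security Groups really form the chain just described (internet to load balancer on 80, load balancer to web app on 8080, web app to database on 3306, and nothing else), here is an added audit example; it is not part of the original practice. The group descriptions are constructed in a simplified version of the shape returned by describe-security-groups, with hypothetical group ids, and the expected design is written down beside them so drift such as a database port opened to 0.0.0.0/0 shows up as a finding.

```python
"""Audit the ingress rules of the three tiers against the intended design.

Added example, not the practice's own code. SECURITY_GROUPS is a constructed,
simplified describe-security-groups result with hypothetical group ids.
"""
import copy

SECURITY_GROUPS = [
    {"GroupId": "sg-lb", "GroupName": "kc-lb-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "GroupName": "kc-ec2-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb"}]}]},
    {"GroupId": "sg-db", "GroupName": "kc-rds-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]

# Intended design: group name -> set of (port, source) pairs that may enter.
EXPECTED_INGRESS = {
    "kc-lb-sg": {(80, "0.0.0.0/0")},
    "kc-ec2-sg": {(8080, "sg-lb")},
    "kc-rds-sg": {(3306, "sg-web")},
}


def ingress_sources(group):
    """Flatten a group's IpPermissions into (port, source) pairs.

    Sources are CIDRs or referenced group ids; protocol -1 (all traffic)
    is reported with port 'any' rather than expanded to 65535 entries.
    """
    found = set()
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] == "-1":
            ports = ["any"]
        else:
            ports = range(perm["FromPort"], perm["ToPort"] + 1)
        for port in ports:
            for rng in perm.get("IpRanges", []):
                found.add((port, rng["CidrIp"]))
            for pair in perm.get("UserIdGroupPairs", []):
                found.add((port, pair["GroupId"]))
    return found


def audit(groups, expected):
    """Return a list of findings; an empty list means the groups match the design."""
    findings = []
    for group in groups:
        name = group["GroupName"]
        if name not in expected:
            findings.append(f"{name}: group not in the expected design")
            continue
        actual = ingress_sources(group)
        for port, src in sorted(actual - expected[name], key=str):
            findings.append(f"{name}: unexpected ingress tcp/{port} from {src}")
        for port, src in sorted(expected[name] - actual, key=str):
            findings.append(f"{name}: missing ingress tcp/{port} from {src}")
    return findings


def drifted_example():
    """Copy of the groups with the database port mistakenly opened to the internet."""
    groups = copy.deepcopy(SECURITY_GROUPS)
    groups[2]["IpPermissions"][0]["IpRanges"].append({"CidrIp": "0.0.0.0/0"})
    return groups


if __name__ == "__main__":
    print("design:", audit(SECURITY_GROUPS, EXPECTED_INGRESS) or "OK")
    print("drift:", audit(drifted_example(), EXPECTED_INGRESS))
```

Running the same audit against real output of describe-security-groups is a cheap way to confirm, after every change in the console, that only the load balancer is reachable from the internet.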
To deploy the EC2 instance we first configured the Launch Template with all the details needed, such as the instance type, the network interfaces, the required AMI (ami-05cd35b907b4ffe77), and auto-assignment of a public IP to give it outbound internet access.
In the user data section we added a script that installs Docker, pulls the web app image and runs a container, exposing it on port 8080.
#!/bin/bash
# User data runs once at first boot, as root, on the Amazon Linux AMI above.
sudo yum update -y                 # apply pending package updates
sudo yum install -y docker         # install the Docker engine
sudo service docker start          # start the daemon before running containers
# Run the to-do web app detached, mapping host port 8080 (the target group port) to the container
sudo docker run -d --name rtb -p 8080:8080 vermicida/rtb
Once the Launch Template is created, we define the Auto Scaling group with the details shown below:
Now we can see that the EC2 instance has been generated properly.
We have also deployed the web app as code in Terraform. Note that you might need to install Terraform as described here.
To run the code you need to type the following commands:
terraform init --> initialize the environment
terraform fmt --> format the code
terraform plan --> validate the code
terraform apply --> deploy the code