DEV Community: Ashraf Minhaj The latest articles on DEV Community by Ashraf Minhaj (@ashraf-minhaj). https://dev.to/ashraf-minhaj https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F989415%2F5501a175-975e-4b04-b20e-fd19ef658b9f.jpeg DEV Community: Ashraf Minhaj https://dev.to/ashraf-minhaj en For added data security, you can use IAM authentication for RDS for any aws services or for any IAM users! This is a bit overhead to configure at first, but I find it very secure instead of sharing the master password. Ashraf Minhaj Mon, 22 Dec 2025 02:28:05 +0000 https://dev.to/ashraf-minhaj/for-added-data-security-you-can-use-iam-authentication-for-rds-for-any-aws-services-or-for-any-iam-3fml https://dev.to/ashraf-minhaj/for-added-data-security-you-can-use-iam-authentication-for-rds-for-any-aws-services-or-for-any-iam-3fml <p> </p> <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/ashraf-minhaj/access-aws-rds-without-password-use-iam-1baf" class="crayons-story__hidden-navigation-link">Access AWS RDS without Password - use IAM</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a href="/ashraf-minhaj" class="crayons-avatar crayons-avatar--l "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F989415%2F5501a175-975e-4b04-b20e-fd19ef658b9f.jpeg" alt="ashraf-minhaj profile" class="crayons-avatar__image"> </a> </div> <div> <div> <a href="/ashraf-minhaj" class="crayons-story__secondary fw-medium m:hidden"> Ashraf Minhaj </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Ashraf Minhaj <div id="story-author-preview-content-3105308" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/ashraf-minhaj" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F989415%2F5501a175-975e-4b04-b20e-fd19ef658b9f.jpeg" class="crayons-avatar__image" alt=""> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Ashraf Minhaj</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> </div> <a href="https://dev.to/ashraf-minhaj/access-aws-rds-without-password-use-iam-1baf" class="crayons-story__tertiary fs-xs"><time>Dec 21 '25</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/ashraf-minhaj/access-aws-rds-without-password-use-iam-1baf" id="article-link-3105308"> Access AWS RDS without Password - use IAM </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/devops"><span class="crayons-tag__prefix">#</span>devops</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/aws"><span class="crayons-tag__prefix">#</span>aws</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/awsrds"><span class="crayons-tag__prefix">#</span>awsrds</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/databasesecurity"><span class="crayons-tag__prefix">#</span>databasesecurity</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/ashraf-minhaj/access-aws-rds-without-password-use-iam-1baf" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/exploding-head-daceb38d627e6ae9b730f36a1e390fca556a4289d5a41abb2c35068ad3e2c4b5.svg" width="18" height="18"> </span> </span> <span class="aggregate_reactions_counter">1<span class="hidden s:inline"> reaction</span></span> </div> </a> <a href="https://dev.to/ashraf-minhaj/access-aws-rds-without-password-use-iam-1baf#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments <span class="hidden s:inline">Add Comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 5 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> devops aws awsrds databasesecurity Access AWS RDS without Password - use IAM Ashraf Minhaj Sun, 21 Dec 2025 17:00:11 +0000 https://dev.to/ashraf-minhaj/access-aws-rds-without-password-use-iam-1baf https://dev.to/ashraf-minhaj/access-aws-rds-without-password-use-iam-1baf <h2> Backstory </h2> <p>Part of setting up or debugging a database requires to get into the db itself. In general we use password to access into it. But we faced a situation where the db authentication was set to use AWS Secrets Manager secret and we did not have access to it. So, if you are in a situation like we were, or you are a DevOps who just does not feel comfortable sharing the password directly to the developers, you can use IAM based access to AWS RDS DB. Let's see how we can do it.</p> <h2> Step1: Create RDS DB </h2> <p>While creating RDS Database, under <code>Choose a database creation method</code> select <code>Full Configuration</code>. I will create a postgres db today. You can see the list of supported regions and dbs for IAM auth from <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RDS_Fea_Regions_DB-eng.Feature.IamDatabaseAuthentication.html" rel="noopener noreferrer">this list</a>. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj40tg7dv59dwcrgotyng.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj40tg7dv59dwcrgotyng.png" alt=" " width="800" height="432"></a></p> <p>I am keeping the default settings, but go ahead as per your need. Under <code>Connectivity</code> section, check <code>Public Access</code> to `Yes' since we will access the db from a local machine. If the db will be accessed from by an ec2 from the same VPC, then the db can be kept as private. But for our case, we need it public.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6umbk9beqynew8jlrcx3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6umbk9beqynew8jlrcx3.png" alt=" " width="800" height="440"></a></p> <p><strong>Now we need a security group</strong> (firewall rule to allow db port from any machine). Go to <code>ec2 -&gt; Security Groups -&gt; Create Security Group</code> and allow the db port <code>5432</code> to be accessed by any IP - </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhsdj6fo2wxlv99sdb692.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhsdj6fo2wxlv99sdb692.png" alt=" " width="800" height="433"></a></p> <p>And under the same <code>Connectivity</code> section, attach the Security Group to the db.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqptcztly8q43c8p5d6fd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqptcztly8q43c8p5d6fd.png" alt=" " width="800" height="438"></a></p> <p>Scroll down and Under <code>Database authentication</code> section and select <code>Password and IAM database authentication</code> option -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbfvdz69p22a68qcucscl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbfvdz69p22a68qcucscl.png" alt=" " width="800" height="434"></a></p> <p>That's about it. Now We can just create the database.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdwugm9y4mzv9kv0suwsr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdwugm9y4mzv9kv0suwsr.png" alt=" " width="800" height="426"></a></p> <p>Wait a while for a it to start.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ge8pk1w9yh8p1jvc1zm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ge8pk1w9yh8p1jvc1zm.png" alt=" " width="800" height="208"></a></p> <h2> Step2: Setup IAM role/policy </h2> <p>First get the ARN and resource ID of the databse, click on the database and under <code>Configuration</code> tab you will find the ARN and resource ID of the database -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fil7r1tcvqdvkgg2d2viw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fil7r1tcvqdvkgg2d2viw.png" alt=" " width="800" height="499"></a></p> <p>Since we are doing this for developers (users), we will create a policy and attach to the user. Let's create a an IAM policy.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe48hoccmzxjtpgp456m5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe48hoccmzxjtpgp456m5.png" alt=" " width="800" height="418"></a></p> <p>Please mind the db <code>db-resource-id</code> and <code>db-username</code> section, it's written as <code>arn:aws:rds-db:&lt;region&gt;:&lt;account-id&gt;:dbuser:&lt;db-resource-id&gt;/&lt;db-username&gt; . In my case the </code>db_user<code> is </code>postgres` . So the policy looks like this -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"rds-db:connect"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:rds-db:ap-southeast-1:980305500084:dbuser:db-GMICPKT7J4JMSEYSHVWUFEN7VQ/postgres"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now click next and name the policy, then create it. I gave it this name - <code>rds-iam-access</code> .</p> <p>Now from <code>iam -&gt; Users</code> select your user and click <code>add permissions</code> to add the policy. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ch45r8djbxforfnbdxg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ch45r8djbxforfnbdxg.png" alt=" " width="800" height="437"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8o91lmy4qotsk3ooqb6i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8o91lmy4qotsk3ooqb6i.png" alt=" " width="800" height="441"></a></p> <p>Select the policy and click <code>add permission</code> to attach the policy to the user. And that's about it.</p> <blockquote> <p>If you want to give access to other services such as to your bastion host or k8s pods, create a role selecting respecting service.</p> </blockquote> <h2> Step3: Connect with db using IAM </h2> <h3> Prerequisite </h3> <p>Get the DB endpoint from the <code>Connectivity and Security</code> tab -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqteqlpr4x4ewdtrc6abt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqteqlpr4x4ewdtrc6abt.png" alt=" " width="800" height="442"></a></p> <p>We need to allow the db user to support IAM auth first. So first time, we will login with password as usual (or using secrets manager if that's your case).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># psql "postgresql://&lt;db-user&gt;:&lt;db-password&gt;@&lt;db-endpoint&gt;:&lt;port&gt;/&lt;db-name&gt;"</span> psql <span class="s2">"postgresql://postgres:YourMasterPasswordHere@database-1.cdkgmeaiqn6n.ap-southeast-1.rds.amazonaws.com:5432/postgres"</span> </code></pre> </div> <p>and run this -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#GRANT rds_iam TO &lt;user&gt;; GRANT rds_iam TO postgres; </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F874mwjcu722zutwkxluz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F874mwjcu722zutwkxluz.png" alt=" " width="800" height="100"></a></p> <p><strong>Generate token</strong> using the db endpoint from the cli. Run this from your terminal, change db endpoint, port and user as per your need -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># aws rds generate-db-auth-token --hostname Endpoint --port Port_number --username DB_username # get token on terminal # aws rds generate-db-auth-token --hostname database-1.cdkgmeaiqn6n.ap-southeast-1.rds.amazonaws.com --port 5432 --username postgres # get the token in an env (preferred) TOKEN=$(aws rds generate-db-auth-token \ --hostname database-1.cdkgmeaiqn6n.ap-southeast-1.rds.amazonaws.com \ --port 5432 \ --region ap-southeast-1 \ --username postgres) # echo $TOKEN </code></pre> </div> <p>This returns a token that is valid for 15 minutes. Meaning you can connect to the DB within minutes, but it won't affect the db session duration.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffdc3glsj8r3ff1rwmigb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffdc3glsj8r3ff1rwmigb.png" alt=" " width="800" height="111"></a></p> <h3> Option 1: Use psql </h3> <p>Use psql tool to connect to the db from the terminal -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#psql "host=&lt;rds-endpoint&gt; port=5432 dbname=&lt;db-name&gt; user=&lt;db-user&gt; sslmode=require password=&lt;IAM_AUTH_TOKEN&gt;"</span> <span class="nv">PGPASSWORD</span><span class="o">=</span><span class="s2">"</span><span class="nv">$TOKEN</span><span class="s2">"</span> psql <span class="s2">"postgresql://postgres@database-1.cdkgmeaiqn6n.ap-southeast-1.rds.amazonaws.com:5432/postgres?sslmode=require"</span> </code></pre> </div> <p>BAM! I'm in -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dmcfr25jyzu43xjlzpe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dmcfr25jyzu43xjlzpe.png" alt=" " width="800" height="79"></a></p> <p>Now, some of you are not happy with terminal so ...</p> <h3> Option 2: Use GUI client (i.e. PgAdmin) </h3> <p>Simple, just like you used to access any other db, just paste the token in place of the password. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4de1il43ka92petay7tl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4de1il43ka92petay7tl.png" alt=" " width="800" height="469"></a></p> <p>Go to <code>Parameters</code> tab and set <code>Enable ssl</code> to <code>require</code> -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0i6pi1cxl6xeih99fgkw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0i6pi1cxl6xeih99fgkw.png" alt=" " width="800" height="632"></a></p> <p>Save it. Now use it. As simple as that. And just like that I'm in from the PgAdmin tool too -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4c3jar45clksdhs9psjp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4c3jar45clksdhs9psjp.png" alt=" " width="800" height="466"></a></p> <h2> Last thought </h2> <p>Remember, PgAdmin can't generate token. So, after a session times out you have to generate another token to get access to the db. A token is valid for only 15 minutes, that's the window to connect. But after the connection is established, it won't hamper the session, meaning, you can use a token to talk to the db forever.. until the session ends somehow.<br> It may seem annoying to some, but I see the secure feature here. I know the next time what I will do when a developer asks for db credentials, do you?</p> devops aws awsrds databasesecurity [Boost] Ashraf Minhaj Wed, 22 Oct 2025 06:57:32 +0000 https://dev.to/ashraf-minhaj/-16b9 https://dev.to/ashraf-minhaj/-16b9 <div class="ltag__link"> <a href="/ashraf-minhaj" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F989415%2F5501a175-975e-4b04-b20e-fd19ef658b9f.jpeg" alt="ashraf-minhaj"> </div> </a> <a href="https://dev.to/ashraf-minhaj/build-and-push-docker-images-to-amazon-ecr-using-terraform-4m67" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Build and push Docker images to Amazon ECR using Terraform</h2> <h3>Ashraf Minhaj ・ Oct 22</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#devops</span> <span class="ltag__link__tag">#aws</span> <span class="ltag__link__tag">#terraform</span> <span class="ltag__link__tag">#docker</span> </div> </div> </a> </div> devops aws terraform docker Build and push Docker images to Amazon ECR using Terraform Ashraf Minhaj Wed, 22 Oct 2025 06:19:16 +0000 https://dev.to/ashraf-minhaj/build-and-push-docker-images-to-amazon-ecr-using-terraform-4m67 https://dev.to/ashraf-minhaj/build-and-push-docker-images-to-amazon-ecr-using-terraform-4m67 <h2> Introduction </h2> <p>In general you would want to deploy infrastructure using terraform, build and push docker images in CI/CD phase. But let's say, just in case, someone pointed a gun at your head asking you to build and push docker images from within Terraform, how would you do it? Fear not, I am here, let me save you today.</p> <h2> Action Plan </h2> <p>It's simple, we will just wait check for file change - where a specific Dockerfile is kept, if any changes are detected we will build the image and push it.</p> <h2> Prerequisites </h2> <ol> <li>You have to have aws cli configured (v2 is prefered but v1 will just do)</li> <li>Terraform installed (I am using 1.5.5)</li> </ol> <h2> Get into action, we don't have much time </h2> <h3> The directory Structure </h3> <p>So this will be our directory structure -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── src │ └── frontend │ ├── Dockerfile │ └── index.html └── Terraform ├── ecr.tf ├── main.tf └── variables.tf </code></pre> </div> <p>Here, we have a very basic <code>nginx app</code> (code below) serving a <code>html</code> page. And inside the <code>Terraform</code> directory we will store the Terraform specific files. </p> <h3> The sample app </h3> <p>You can skip this if you already have an app and Dockerfile.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>├── src │ └── frontend │ ├── Dockerfile │ └── index.html </code></pre> </div> <p>For this demo I built this <code>src/frontend/index.html</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>Service Connect Test<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">font-family</span><span class="p">:</span> <span class="n">Arial</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="nl">max-width</span><span class="p">:</span> <span class="m">600px</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">50px</span> <span class="nb">auto</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span> <span class="p">}</span> <span class="nt">input</span><span class="o">,</span> <span class="nt">button</span> <span class="p">{</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">10px</span><span class="p">;</span> <span class="nl">width</span><span class="p">:</span> <span class="m">100%</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">5px</span> <span class="m">0</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">1rem</span><span class="p">;</span> <span class="p">}</span> <span class="nt">pre</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#f4f4f4</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">10px</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">5px</span><span class="p">;</span> <span class="nl">overflow-x</span><span class="p">:</span> <span class="nb">auto</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>ECS Service Connect Tester<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">id=</span><span class="s">"urlInput"</span> <span class="na">placeholder=</span><span class="s">"Enter internal service URL (e.g., http://service-name:8080)"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">id=</span><span class="s">"connectBtn"</span><span class="nt">&gt;</span>Connect<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;h3&gt;</span>Response:<span class="nt">&lt;/h3&gt;</span> <span class="nt">&lt;pre</span> <span class="na">id=</span><span class="s">"responseBox"</span><span class="nt">&gt;</span>No data yet.<span class="nt">&lt;/pre&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">connectBtn</span><span class="dl">'</span><span class="p">).</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">click</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">urlInput</span><span class="dl">'</span><span class="p">).</span><span class="nx">value</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">responseBox</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">responseBox</span><span class="dl">'</span><span class="p">);</span> <span class="nx">responseBox</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Connecting...</span><span class="dl">"</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">text</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="nx">responseBox</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">text</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">responseBox</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Error: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwcdl1ek19aoxkj9mfboj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwcdl1ek19aoxkj9mfboj.png" alt=" " width="714" height="413"></a></p> <p>Like I mentioned, this is not important, use any basic html or your complex app, your wish. </p> <blockquote> <p>If you are interested, this is to check other APIs. </p> </blockquote> <p>Now the Dockerfile - <code>src/frontend/Dockerfile</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> nginx:alpine-slim</span> <span class="k">COPY</span><span class="s"> ./index.html /usr/share/nginx/html/index.html</span> <span class="k">EXPOSE</span><span class="s"> 80</span> </code></pre> </div> <h2> Terraform Scripts </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>└── Terraform ├── ecr.tf ├── main.tf └── variables.tf </code></pre> </div> <p>You you love bad practice, you can put all files in one directory. But I am the opposite so let's maintain multiple files - </p> <p><strong>1. variables.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"ap-southeast-1"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"frontend_dir"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"../src/frontend"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"frontend_repo_name"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"frontend"</span> <span class="p">}</span> </code></pre> </div> <p><strong>2. main.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="p">}</span> </code></pre> </div> <p><strong>3. ecr.tf</strong><br> Here's the main game (full code below). We will create a repository first, where our image will be pushed -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecr_repository"</span> <span class="s2">"frontend_repo"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">frontend_repo_name</span> <span class="nx">image_tag_mutability</span> <span class="p">=</span> <span class="s2">"MUTABLE"</span> <span class="c1"># Or "IMMUTABLE" based on your needs</span> <span class="nx">image_scanning_configuration</span> <span class="p">{</span> <span class="nx">scan_on_push</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Set to true if you want to scan images as they are pushed</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now to track changes, we will generate hash of the Dockerfile (or any other file you wish to track -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">frontend_hash</span> <span class="p">=</span> <span class="nx">filebase64sha256</span><span class="p">(</span><span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">frontend_dir</span><span class="k">}</span><span class="s2">/Dockerfile"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Based on that hash, we will generate a random tag for the image. <code>byte_length = 2</code> generates 4 char long random string, increase to 4,8 or 12 as you please.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"random_id"</span> <span class="s2">"frontend_rand_tag"</span> <span class="p">{</span> <span class="nx">keepers</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Generate a new tag each time there's change in Dockerfile hash</span> <span class="nx">frontend_img_tag</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">frontend_hash</span> <span class="p">}</span> <span class="nx">byte_length</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"image_tag"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">frontend_tag</span> <span class="p">=</span> <span class="nx">random_id</span><span class="p">.</span><span class="nx">frontend_rand_tag</span><span class="p">.</span><span class="nx">hex</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Finally, we build and push the image. Just like we would do using the CLI. We are utilizing terraform <code>null_resource</code> and <code>local-exec</code> provisioner to run the commands -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"build_and_push_frontend"</span> <span class="p">{</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Trigger a rebuild if the Dockerfile or source code changes</span> <span class="nx">dockerfile_hash</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">frontend_hash</span> <span class="p">}</span> <span class="k">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> aws ecr get-login-password --region ${var.aws_region} | docker login --username AWS --password-stdin ${aws_ecr_repository.frontend_repo.repository_url} docker build -t ${aws_ecr_repository.frontend_repo.repository_url}:${random_id.frontend_rand_tag.hex} ${path.module}/${var.frontend_dir} docker push ${aws_ecr_repository.frontend_repo.repository_url}:${random_id.frontend_rand_tag.hex} </span><span class="no"> EOT </span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now, combining all -</p> <p><strong>Full ecr.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecr_repository"</span> <span class="s2">"frontend_repo"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">frontend_repo_name</span> <span class="nx">image_tag_mutability</span> <span class="p">=</span> <span class="s2">"MUTABLE"</span> <span class="c1"># Or "IMMUTABLE" based on your needs</span> <span class="nx">image_scanning_configuration</span> <span class="p">{</span> <span class="nx">scan_on_push</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Set to true if you want to scan images as they are pushed</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">frontend_hash</span> <span class="p">=</span> <span class="nx">filebase64sha256</span><span class="p">(</span><span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">frontend_dir</span><span class="k">}</span><span class="s2">/Dockerfile"</span><span class="p">)</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"random_id"</span> <span class="s2">"frontend_rand_tag"</span> <span class="p">{</span> <span class="nx">keepers</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Generate a new tag each time there's change in Dockerfile hash</span> <span class="nx">frontend_img_tag</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">frontend_hash</span> <span class="p">}</span> <span class="nx">byte_length</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"build_and_push_frontend"</span> <span class="p">{</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Trigger a rebuild if the Dockerfile or source code changes</span> <span class="nx">dockerfile_hash</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">frontend_hash</span> <span class="p">}</span> <span class="k">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> aws ecr get-login-password --region ${var.aws_region} | docker login --username AWS --password-stdin ${aws_ecr_repository.frontend_repo.repository_url} docker build -t ${aws_ecr_repository.frontend_repo.repository_url}:${random_id.frontend_rand_tag.hex} ${path.module}/${var.frontend_dir} docker push ${aws_ecr_repository.frontend_repo.repository_url}:${random_id.frontend_rand_tag.hex} </span><span class="no"> EOT </span> <span class="p">}</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"image_tag"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">frontend_tag</span> <span class="p">=</span> <span class="nx">random_id</span><span class="p">.</span><span class="nx">frontend_rand_tag</span><span class="p">.</span><span class="nx">hex</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You can download the full code and script from this <a href="https://github.com/ashraf-minhaj/AWS-IaCs-with-Terraform/tree/main/1026.%20docker%20build%20push%20w%20tf" rel="noopener noreferrer">git repo</a>.</p> <p>Now if we <code>init</code>, <code>plan</code>, <code>apply</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform init terraform plan terraform apply --auto-approve </code></pre> </div> <p>You will see that after creating the repository it ran docker-login command and started building the image -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F77wjq0v65k8flptix0sr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F77wjq0v65k8flptix0sr.png" alt=" " width="800" height="307"></a></p> <p>After the build process is complete, it pushed the image to ECR -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxzoq1o3sy1fpu79jdg31.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxzoq1o3sy1fpu79jdg31.png" alt=" " width="800" height="378"></a></p> <p>Let's verify. Based on the <code>output</code> the image tag should be <code>87ed</code> . Let's see on the console.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fut7swdnqnbioyc0bwt5t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fut7swdnqnbioyc0bwt5t.png" alt=" " width="800" height="366"></a></p> <p>Yeah looks like we have successfully done it!</p> <h2> Conclusion </h2> <p>Today we learnt how we can automate Docker image building and pushing using Terraform. But it's not production ready, use this only when using minor tasks, or specific needs - like dodging a bullet. Congratulations! you are saved today. </p> <blockquote> <p>: what do we say to the god of manual labour?<br> : Not today, we have Terraform.</p> </blockquote> <p>Happy Coding!</p> devops aws terraform docker Securing AWS EC2: Change SSH Port 22 to a Custom Port Ashraf Minhaj Thu, 28 Aug 2025 03:50:52 +0000 https://dev.to/ashraf-minhaj/securing-aws-ec2-change-ssh-port-22-to-a-custom-port-3b8c https://dev.to/ashraf-minhaj/securing-aws-ec2-change-ssh-port-22-to-a-custom-port-3b8c <h1> Introduction </h1> <p>When you deploy an ec2 instance or any server instance, it defaults to SSH in port 22. You already know it, so do the whole world and all of the hackers. So, most of the automated attacks start by scanning the known ports, say 22 for SSH. <br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj1bzdqz1ep52cysdnu7u.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj1bzdqz1ep52cysdnu7u.gif" alt="Rick &amp; Morty: real fake doors" width="400" height="223"></a></p> <p>One of the many ways to mitigate that is to change the port to a different port. Yes it won't make it bulletproof, but it will surely reduce the chances of brute force attacks.<br> Let's start.</p> <blockquote> <p>This method is applicable for all kinds of servers, including your Virtual Machines, but since I have an aws cloud account, I will use that, you can just use GCP Compute instance, Azure VM as well.</p> </blockquote> <h1> what is Security by Obscurity </h1> <p>In simple words, it means hiding something from the attackers, believing if the attackers can't see they can't exploit. </p> <p>Kind of removing your door to an unexpected location so that thieves don't find a way to enter from known places... say you removed the front door completely. </p> <h1> Deploy an ec2 instance </h1> <p>We will deploy an ec2 instance like how we usually do. In the security group, open port 22 for ssh and add a key (or generate one, save it), my key name is <code>test-min-keys.pem</code>. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwrbrezns4rz37lqkjtga.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwrbrezns4rz37lqkjtga.png" alt="Create ec2" width="800" height="424"></a></p> <h1> Change the port </h1> <h3> 1. Connect to the server/instance </h3> <p>Ok for that we need to access the VM first, let's ssh into it normally - </p> <p>Change key file permission and ssh -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod </span>400 <span class="s2">"test-min-keys.pem"</span> <span class="c"># your key, sever IP or hostname will be different, use that</span> ssh <span class="nt">-i</span> <span class="s2">"test-min-keys.pem"</span> ec2-user@ec2-13-228-72-54.ap-southeast-1.compute.amazonaws.com </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frarqm8dmtqrbm0d61x8x.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frarqm8dmtqrbm0d61x8x.jpg" alt="Terminal view" width="800" height="286"></a></p> <h3> 2. Update SSH configuration </h3> <p>Open the ssh config file -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/ssh/sshd_config </code></pre> </div> <p>And look for this portion - </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz1yjbnuaa2dx3jnnn6an.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz1yjbnuaa2dx3jnnn6an.png" alt=" " width="744" height="450"></a></p> <p>We will change it from <code>22</code> to <code>2222</code> - that's our door change -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjak9lr6zoy7rk9pn6ir0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjak9lr6zoy7rk9pn6ir0.png" alt="change port" width="744" height="450"></a></p> <p>Now we can just restart the ssh service and use the new port to ssh.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart sshd </code></pre> </div> <p>But.. if you are using <a href="https://en.wikipedia.org/wiki/Security-Enhanced_Linux" rel="noopener noreferrer">Selinux</a> enabled systems like RHEL/CentOS/Amazon Linux machines then you have to run this command to tell Selinux about the change as well.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>semanage port <span class="nt">-a</span> <span class="nt">-t</span> ssh_port_t <span class="nt">-p</span> tcp 2222 </code></pre> </div> <p>If you see this error then use a different port (headache? remove the head) -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnjshcwwqejh5av9mbx5s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnjshcwwqejh5av9mbx5s.png" alt="port already in use" width="800" height="60"></a></p> <p>Now restart ssh service -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart sshd </code></pre> </div> <p>Now, update your firewall, or in aws, the security group inbound rule and open port 2222 instead of 22. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5xbt8db15oqjgi5quw82.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5xbt8db15oqjgi5quw82.png" alt="sec group rule" width="800" height="195"></a></p> <h3> 3. Access the server with new ssh port </h3> <p>Hold your horses, just in case, test the new port before closing the old session, open another terminal tab and try to ssh with the port tag <code>-p &lt;port&gt;</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ssh -p 2222 ec2-user@&lt;your-public-ip&gt;</span> ssh <span class="nt">-p</span> 2222 <span class="nt">-i</span> <span class="s2">"test-min-keys.pem"</span> ec2-user@ec2-13-228-72-54.ap-southeast-1.compute.amazonaws.com </code></pre> </div> <p>And voila! We are in!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi43aihfaqv45u65024ve.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi43aihfaqv45u65024ve.jpg" alt="SSH" width="800" height="263"></a></p> <p>Let's close all the sessions and try again -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyi0k3i8q5bhtaxruiotw.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyi0k3i8q5bhtaxruiotw.jpg" alt="ssh again" width="800" height="263"></a></p> <h2> Conclusion </h2> <p>In practice, you should never put instances in public subnet when you don't need to. Also harden the security by not allowing password based SSH access. <br> For ec2 instances, there's numerous ways to get <a href="https://dev.to/ashraf-minhaj/access-private-ec2-instances-without-public-ip-using-instance-connect-endpoint-274k">access to private ec2 instances</a> which is more secure. </p> <p>Happy Coding!</p> Time to ditch public IP in ec2 instances Ashraf Minhaj Sun, 17 Aug 2025 12:59:19 +0000 https://dev.to/ashraf-minhaj/-3noi https://dev.to/ashraf-minhaj/-3noi <div class="ltag__link"> <a href="/ashraf-minhaj" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F989415%2F5501a175-975e-4b04-b20e-fd19ef658b9f.jpeg" alt="ashraf-minhaj"> </div> </a> <a href="https://dev.to/ashraf-minhaj/access-private-ec2-instances-without-public-ip-using-instance-connect-endpoint-274k" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Access Private ec2 instances without Public IP using Instance Connect Endpoint</h2> <h3>Ashraf Minhaj ・ Aug 7</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#aws</span> <span class="ltag__link__tag">#devops</span> <span class="ltag__link__tag">#networking</span> <span class="ltag__link__tag">#cloud</span> </div> </div> </a> </div> aws devops networking cloud Access Private ec2 instances without Public IP using Instance Connect Endpoint Ashraf Minhaj Thu, 07 Aug 2025 03:59:50 +0000 https://dev.to/ashraf-minhaj/access-private-ec2-instances-without-public-ip-using-instance-connect-endpoint-274k https://dev.to/ashraf-minhaj/access-private-ec2-instances-without-public-ip-using-instance-connect-endpoint-274k <h2> Introduction </h2> <p>So far you know that you need to attach a public IP address to an ec2 instance to SSH into it or say port forward (access ec2 port from local machine).<br> But, there are multiple use cases where we might need a private ec2 instance. It can be the application we deployed running on a private subnet (saves cost and best for security too). Or we have a bastion host for mission critical applications but we are worried about that bastion with public IP addresses. <br> What if I tell you that you don't actually need to have public IP addresses to access the ec2 instances? </p> <h2> Idea </h2> <p>In general, our private instances are routed to public internet using a NAT gateway. We just need to add a <code>ec2 instance connect endpoint</code> to our <code>vpc</code> to access to the VM.</p> <p>So it's gonna look like this - </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwhquyv61li2035gswy6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwhquyv61li2035gswy6.png" alt="Architecture Diagram" width="800" height="660"></a></p> <p>In this blog we will see it with Terraform.</p> <h2> Create ec2 instance connect endpoint </h2> <p>When creating a VPC, we can define instance connect endpoint and <code>attach the subnet</code> where the ec2 instance will be deployed, also allow the <code>security groups</code> of the desired instances you want to connect to.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ec2_instance_connect_endpoint"</span> <span class="s2">"instance_connect_endpoint"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">instance_connect_subnet</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">bastion_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="k">module</span><span class="p">.</span><span class="nx">jenkins_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The full <strong>vpc.tf</strong> now looks like this -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># select the private subnet </span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">instance_connect_subnet</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">instance_tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">vpc_name</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"vpc_int_gw"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">igw_name</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># public subnets</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnets"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_cidr_blocks</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_cidr_blocks</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">element</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">availability_zones</span><span class="p">,</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">)</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">component_prefix</span><span class="k">}</span><span class="s2">-pubsub-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">-</span><span class="k">${terraform</span><span class="p">.</span><span class="nx">workspace</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># private subnets</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private_subnets"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidr_blocks</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidr_blocks</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">element</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">availability_zones</span><span class="p">,</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">)</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">component_prefix</span><span class="k">}</span><span class="s2">-prvsub-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">-</span><span class="k">${terraform</span><span class="p">.</span><span class="nx">workspace</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"nat_gateway"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">vpc_int_gw</span><span class="p">]</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidr_blocks</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat_eip</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">component_prefix</span><span class="k">}</span><span class="s2">-nat-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">-</span><span class="k">${terraform</span><span class="p">.</span><span class="nx">workspace</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public_route_table"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="c1"># all IPs</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">vpc_int_gw</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">pub_rt_name</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"private_route_table"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">nat_gateway</span><span class="p">]</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidr_blocks</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="c1"># create only if there is more than 0 private subnets</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">nat_gateway_id</span> <span class="p">=</span> <span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">nat_gateway</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">component_prefix</span><span class="k">}</span><span class="s2">-prvrt-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">-</span><span class="k">${terraform</span><span class="p">.</span><span class="nx">workspace</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># routing association between routetable and subnets</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"public_subnets_association"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_cidr_blocks</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public_route_table</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># Routing association between private route table and private subnets</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"private_subnets_association"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidr_blocks</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private_route_table</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ec2_instance_connect_endpoint"</span> <span class="s2">"instance_connect_endpoint"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">instance_connect_subnet</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">bastion_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="k">module</span><span class="p">.</span><span class="nx">jenkins_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Now we can create the ec2 instance, remember to add that specific private instance we defined using local <code>instance_connect_subnet</code>. So the <strong>ec2.tf</strong> will be -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"bastion_server"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">create_bastion</span> <span class="p">==</span> <span class="kc">true</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2_instance"</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">bastion_name</span> <span class="nx">ami_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bastion_ami_id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bastion_instance_class</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">instance_connect_subnet</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">bastion_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">bastion_key</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bastion_disk_size</span> <span class="nx">volume_name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">bastion_volume_name</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">default_tags</span> <span class="p">}</span> </code></pre> </div> <h2> Connect to the private instance </h2> <p>Now the fun part, we will connect to the instances from CLI, don't worry, if you have something running on the instance, you can also access it via port forwarding. Let me show you -</p> <h4> 1. SSH into private ec2 instance - </h4> <p><strong>a. Connect using ec2 instance id</strong></p> <p>Use your ec2 instance id and the private key file <code>.pem</code> to connect to it. Remember to change the region as per your region -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">INSTANCE_ID</span><span class="o">=</span>&lt;add your ec2 instance <span class="nb">id </span>here&gt; ssh <span class="nt">-i</span> bastion-private-key.pem ubuntu@<span class="nv">$INSTANCE_ID</span> <span class="se">\</span> <span class="nt">-o</span> <span class="nv">ProxyCommand</span><span class="o">=</span><span class="s2">"aws ec2-instance-connect open-tunnel --instance-id </span><span class="nv">$INSTANCE_ID</span><span class="s2"> </span><span class="se">\</span><span class="s2"> --region ap-southeast-1"</span> </code></pre> </div> <p>But finding the instance id is a manual process and I hate manual processes, I can remember ec2 names, let's access using only the name -</p> <p><strong>b. Connect using ec2 instance name</strong></p> <p>Or, find the ec2 instance id by name, that's what I did to make my life easier -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">INSTANCE_NAME</span><span class="o">=</span>my-bastion-instance <span class="nv">INSTANCE_ID</span><span class="o">=</span><span class="si">$(</span>aws ec2 describe-instances <span class="se">\</span> <span class="nt">--region</span> ap-southeast-1 <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=tag:Name,Values=</span><span class="nv">$INSTANCE_NAME</span><span class="s2">, running"</span> <span class="se">\</span> <span class="s2">"Name=instance-state-name,Values=running"</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s2">"Reservations[].Instances[].InstanceId"</span> <span class="nt">--output</span> text<span class="si">)</span> ssh <span class="nt">-i</span> bastion-private-key.pem ubuntu@<span class="nv">$INSTANCE_ID</span> <span class="se">\</span> <span class="nt">-o</span> <span class="nv">ProxyCommand</span><span class="o">=</span><span class="s2">"aws ec2-instance-connect open-tunnel --instance-id </span><span class="nv">$INSTANCE_ID</span><span class="s2"> </span><span class="se">\</span><span class="s2"> --region ap-southeast-1"</span> </code></pre> </div> <h4> 2. Access services running on private ec2 instance - </h4> <p>Say you have Jenkins running on port 8080, or nginx on 80. Let's see how we can open not only 1, but also multiple ports and access using <code>localhost</code> -</p> <p><strong>a. Port forward single port</strong></p> <p>Let's port forward jenkins port 8080 to our localhost port 8080 -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">INSTANCE_NAME</span><span class="o">=</span>my-bastion-instance <span class="nv">INSTANCE_ID</span><span class="o">=</span><span class="si">$(</span>aws ec2 describe-instances <span class="se">\</span> <span class="nt">--region</span> ap-southeast-1 <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=tag:Name,Values=</span><span class="nv">$INSTANCE_NAME</span><span class="s2">, running"</span> <span class="se">\</span> <span class="s2">"Name=instance-state-name,Values=running"</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s2">"Reservations[].Instances[].InstanceId"</span> <span class="nt">--output</span> text<span class="si">)</span> ssh <span class="nt">-i</span> bastion-private-key.pem ubuntu@<span class="nv">$INSTANCE_ID</span> <span class="se">\</span> <span class="nt">-o</span> <span class="nv">ProxyCommand</span><span class="o">=</span><span class="s2">"aws ec2-instance-connect open-tunnel --instance-id </span><span class="nv">$INSTANCE_ID</span><span class="s2"> </span><span class="se">\</span><span class="s2"> --region ap-southeast-1"</span> <span class="se">\</span> <span class="nt">-L</span> 8080:localhost:8080 </code></pre> </div> <p>Here's what each part means - <code>-L [local_port]:[remote_host]:[remote_port]</code>, forget about it and remember <code>local_port:localhost:ec2_instance_port</code> .</p> <p>Now from the browser, if we type <code>localhost:8080</code> , we will be able to access jenkins. </p> <p><strong>b. Access multiple ports</strong></p> <p>The same way we can tunnel multiple ports just by adding another <code>-L</code> portion, let's access port <code>80</code> and <code>8080</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">INSTANCE_NAME</span><span class="o">=</span>my-bastion-instance <span class="nv">INSTANCE_ID</span><span class="o">=</span><span class="si">$(</span>aws ec2 describe-instances <span class="se">\</span> <span class="nt">--region</span> ap-southeast-1 <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=tag:Name,Values=</span><span class="nv">$INSTANCE_NAME</span><span class="s2">, running"</span> <span class="se">\</span> <span class="s2">"Name=instance-state-name,Values=running"</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s2">"Reservations[].Instances[].InstanceId"</span> <span class="nt">--output</span> text<span class="si">)</span> ssh <span class="nt">-i</span> bastion-private-key.pem ubuntu@<span class="nv">$INSTANCE_ID</span> <span class="se">\</span> <span class="nt">-o</span> <span class="nv">ProxyCommand</span><span class="o">=</span><span class="s2">"aws ec2-instance-connect open-tunnel --instance-id </span><span class="nv">$INSTANCE_ID</span><span class="s2"> </span><span class="se">\</span><span class="s2"> --region ap-southeast-1"</span> <span class="se">\</span> <span class="nt">-L</span> 8080:localhost:8080 <span class="se">\</span> <span class="nt">-L</span> 80:localhost:80 <span class="se">\</span> </code></pre> </div> <p>Now you can access ec2 instance's 80 port using <code>localhost:80</code> . It's that simple. </p> <h2> Remarks </h2> <p>Keeping your instance in private subnet is a very good choice since public IPv4 addresses cost nowadays. Also, traffic flowing out of the VPC also costs. So if the instances run using private subnets, the data never leaves the VPC itself, and that saves a lot. <br> Obviously there might be a case when the ec2 instance has to reside on public IP, that's a different case. Till then, keep your private resources in private subnets and save costs smartly, access securely.</p> aws devops networking cloud Terraform Tip: Avoiding Resource Ownership Conflicts Ashraf Minhaj Thu, 17 Jul 2025 06:33:52 +0000 https://dev.to/ashraf-minhaj/-2pog https://dev.to/ashraf-minhaj/-2pog <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/ashraf-minhaj/terraform-silent-resource-ownership-conflict-1o04" class="crayons-story__hidden-navigation-link">Terraform: Silent Resource Ownership Conflict</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a href="/ashraf-minhaj" class="crayons-avatar crayons-avatar--l "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F989415%2F5501a175-975e-4b04-b20e-fd19ef658b9f.jpeg" alt="ashraf-minhaj profile" class="crayons-avatar__image"> </a> </div> <div> <div> <a href="/ashraf-minhaj" class="crayons-story__secondary fw-medium m:hidden"> Ashraf Minhaj </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Ashraf Minhaj <div id="story-author-preview-content-2697288" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/ashraf-minhaj" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F989415%2F5501a175-975e-4b04-b20e-fd19ef658b9f.jpeg" class="crayons-avatar__image" alt=""> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Ashraf Minhaj</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> </div> <a href="https://dev.to/ashraf-minhaj/terraform-silent-resource-ownership-conflict-1o04" class="crayons-story__tertiary fs-xs"><time>Jul 17 '25</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/ashraf-minhaj/terraform-silent-resource-ownership-conflict-1o04" id="article-link-2697288"> Terraform: Silent Resource Ownership Conflict </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/terraform"><span class="crayons-tag__prefix">#</span>terraform</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/aws"><span class="crayons-tag__prefix">#</span>aws</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/devops"><span class="crayons-tag__prefix">#</span>devops</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/infrastructureascode"><span class="crayons-tag__prefix">#</span>infrastructureascode</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/ashraf-minhaj/terraform-silent-resource-ownership-conflict-1o04#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments 2<span class="hidden s:inline"> comments</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 3 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> terraform aws devops infrastructureascode Terraform: Silent Resource Ownership Conflict Ashraf Minhaj Thu, 17 Jul 2025 05:31:14 +0000 https://dev.to/ashraf-minhaj/terraform-silent-resource-ownership-conflict-1o04 https://dev.to/ashraf-minhaj/terraform-silent-resource-ownership-conflict-1o04 <h1> Introduction </h1> <p>Today I'll talk about a more interesting and tricky problem, the <strong>Resource Ownership Conflict</strong> occurs when Terraform tries to manage a resource that is already managed by another Terraform configuration, or not managed by it at all.<br> In simple scenarios, Terraform might show an <code>EntityAlreadyExists</code> error, this is easy to resolve by renaming the resource or using a data source.<br> What about the silent ones? The one that does not show any error messages? </p> <h1> Background of my issue </h1> <h2> Situation </h2> <p>I have two repositories. <br> <strong>On Repo 1:</strong> creates ECS cluster, Aurora postgres cluster and through a security group permits the ECS cluster to access the db. So we have some <code>ingress rules</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Mobile API ECS to connect to Aurora"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">mobile_api_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow bastion to connect to Aurora"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">bastion_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>Repo 2:</strong> is for ETL, here a Glue job needs to access the RDS db that is managed by repo 1. The simplest thing we can do is, <em>inherit the db security group</em> using a <code>data source</code> by name and add another rule to it. Just like this -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># inherit rds sg</span> <span class="k">data</span> <span class="s2">"aws_security_group"</span> <span class="s2">"rds_sg"</span> <span class="p">{</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"tag:Name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="kd">local</span><span class="p">.</span><span class="nx">db_sg_name</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># add ingress rule</span> <span class="c1"># Add ingress rule to RDS sg</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"postgres_ingress"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Glue to access RDS"</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">glue_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">rds_sg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> What went wrong? </h2> <p>Now unlucky for me, I did not see any error message. And to be honest there should not be any.<br> Since <strong>Repo1 owns the security group</strong>, it considers any rules added outside its configuration (e.g., from Repo2) as drift—and removes them on apply.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9x9wo3alh0gyimybhlvs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9x9wo3alh0gyimybhlvs.png" alt="Repo 1 marks the glue sg rule to destory." width="657" height="533"></a></p> <p>The obvious reason is, the state files. State file on the repo1 owns the RDS security group, and while creating the security group resource we added the rules inside it. So it will see any other changes as drift and will remove them. Drift - what you want vs what is actually present. <br> So it's a conflict created by proud me!</p> <h1> Solution to Silent Resource Ownership Conflict </h1> <p>Terraform keeps track of resources. So the solution would be simple. Create a security group resource, no rules/configs to it. Add rules in a separate resource block. </p> <p>So, for <strong>Repo1</strong> we will create an empty security group and add rules using <code>aws_security_group_rule</code> block as such -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"db_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">db_sg_name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Aurora DB Security Group"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">db_sg_name</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># add the rules outside, using sg rule block -</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"admin_api_db_access"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow backend ECS to connect to Aurora"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">db_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">admin_api_sg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># other rules just like that...</span> </code></pre> </div> <p><strong>Repo2</strong> remains as is. </p> <p><strong>How this solves the conflict/bug/error?</strong> When we define rules inside the <code>aws_security_group</code> block, it takes it as source of truth, now any rules not defined inside the block is a drift for it, so it will destroy those.<br> If we define the rules from outside the resource using <code>aws_security_group_rule</code>, terraform only cares about the <code>aws_security_group_rule</code> block, if that's there then the beast will remain silent and won't bother you. </p> <p>It proved my suspicion when I ran a <code>plan</code> -</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmerioas23kb6l9hdoz7v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmerioas23kb6l9hdoz7v.png" alt=" " width="660" height="295"></a></p> <p>It said three resources to add, but did not say anything about the rules I removed from the <code>aws_security_group</code> block. It only cares about what it sees.</p> <p>It's like convincing a child that no one is playing with it's toy.</p> <p>Have fun practicing DevOps!!<br> See you in another one.</p> terraform aws devops infrastructureascode AWS Multi Region Failover Infrastructure Ashraf Minhaj Sat, 24 May 2025 16:54:57 +0000 https://dev.to/ashraf-minhaj/aws-multi-region-failover-infrastructure-2314 https://dev.to/ashraf-minhaj/aws-multi-region-failover-infrastructure-2314 <h2> Introduction </h2> <p>So you have selected a region closer to your target customer you want to make it Highly-Available. For that typically we create different subnets spanning over 2 or more AZs (Availability Zone) and call it a day.<br> But hey, a Region Consists of multiple AZs, what if the whole region gets down? Also, what if your target customers are from different regions?<br> Both the cases we can simply use AWS Global Accelerator which does the following things -</p> <ol> <li>Routes user traffic through the AWS global network (not the public internet), reducing latency and jitter.</li> <li>Continuously monitors endpoint health and routes traffic away from unhealthy ones.</li> <li>Supports intelligent traffic routing to multiple AWS regions or endpoints based on health, geography, or weights.</li> </ol> <h2> Why are we here? </h2> <p>Well, when talking about a multi-region failover architecture, it's not that straight forward. A typical application consists of user facing Frontend, Backend, DataBase layer etc. all needs to be designed in a way that at any time the application serves the same thing from any of the selected regions. </p> <p>This blog will discuss about those decisions. </p> <h2> 1. Stateless Frontend &amp; Backend: The First Step Toward Scalability </h2> <p>The first thing to do is to make your application stateless, meaning it won't save any data in itself but will fetch the data from a DB. <br> For a better performance and faster deployment time we can containerise the applications, because, why not!</p> <p>And the same application will be deployed across multiple regions. Writing the infra using an IaC tool like Terraform simplifies things here. </p> <h2> 2. Shared &amp; Synced Data Layer Across Regions </h2> <p>Now comes the most challenging part. We will have multiple db instances across multiple regions but they need active syncing else not all the users across the regions will get the same results. The solution is to deploy db across 2 regions considering one primary and other secondary (read replica). <br> AWS aurora global DB can be used here, but it does not support failover automatically (promotion of database), and the db endpoint will change. For that a route53 (it's global) record can be used to to provide a custom db url like (db.my_app.com). </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F49z6o7bq3ib0x3tq3y5f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F49z6o7bq3ib0x3tq3y5f.png" alt=" " width="800" height="151"></a></p> <p>But since as of May24,2025 AWS does not support db promotion upon a failover (we still have to do it manually, a lambda function can be used to promote the db of another region to become the master (read, write). </p> <h2> 3. Static Contents with cross region replication </h2> <p>For static assets we usually use an s3 bucket along with cloudfront to serve the contents. Since the buckets are also regional, we have to have multiple buckets across different regions and we can just use <a href="https://dev.to/ashraf-minhaj/s3-cross-region-replication-with-terraform-s3-high-availability-m0i">s3 cross region replication</a>, the data will be synced across multiple regions automatically, and on cloudfront we can define a primary and secondary region, it will automatically serve from the healthy region.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj9brq862z78c8uphst1b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj9brq862z78c8uphst1b.png" alt=" " width="800" height="213"></a></p> <h2> Final Infrastructure </h2> <p>Finally here's a sample infrastructure where the <br> a. Frontend is a static website served from s3 bucket using cloudfront<br> b. The other static contents are served from again - s3 bucket<br> c. The business logic layer (Backend) is an ecs cluster spanned across multiple AZs and Regions at the same time<br> d. The DB has 1 master in one AZ, others are read replicas. Will be promoted by a lambda function which can run periodically or manually if needed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyj9fp40rxx18ioj0dffq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyj9fp40rxx18ioj0dffq.png" alt=" " width="800" height="428"></a></p> <p>It's not perfect, no solution is. Looking forward to your suggestions down in the comment section.</p> <h2> References </h2> <ol> <li><a href="https://aws.amazon.com/blogs/database/deploy-multi-region-amazon-aurora-applications-with-a-failover-blueprint/" rel="noopener noreferrer">Deploy multi-Region Amazon Aurora applications with a failover blueprint</a></li> <li><a href="https://aws.amazon.com/blogs/database/deploy-multi-region-amazon-rds-for-sql-server-using-cross-region-read-replicas-with-a-disaster-recovery-blueprint-part-1/" rel="noopener noreferrer">Deploy multi-Region Amazon RDS for SQL Server using cross-Region read replicas with a disaster recovery blueprint</a></li> </ol> aws devops cloud region S3 Cross-Region Replication with Terraform - s3 High Availability Ashraf Minhaj Sat, 12 Apr 2025 19:12:57 +0000 https://dev.to/ashraf-minhaj/s3-cross-region-replication-with-terraform-s3-high-availability-m0i https://dev.to/ashraf-minhaj/s3-cross-region-replication-with-terraform-s3-high-availability-m0i <h2> Introduction </h2> <p>We keep our data in the cloud, it's stored in a region, but what if that region gets compromised? What if a natural disaster hits the datacenter and now our application is gone because it has data outage.<br> To avoid such scenarios, we should create a replica of our data in another region. The chance of both regions going down at once is extremely low. And that system has to be automatic, we can't copy paste everything every time. That's where AWS Cross Region Replication comes into play.</p> <h2> What is aws CRR? </h2> <p>In simple words, s3 Cross-Region Replication (CRR) lets you replicate data automatically from one bucket to another bucket. Here, Cross-Region means the bucket can be on different AWS regions. <br> In a simpler way, if we put one file in a bucket a copy will be created (replicated) in another bucket in another region.</p> <p>Here's how CRR helps -</p> <ul> <li>enhances data durability and availability, ensuring data is protected across geographically separate locations </li> <li>useful for disaster recovery (DR) and </li> <li>compliance requirements</li> </ul> <h2> The Game Plan </h2> <p>To set up CRR using Terraform, we need to:</p> <ol> <li>Create two buckets in different regions (source and destination)</li> <li>Enable versioning on both buckets</li> <li>Set proper bucket policies</li> <li>Create an IAM role for replication</li> <li>Define replication rules</li> </ol> <h2> s3 Cross Region Replication </h2> <p>This will be the directory structure for the project -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── main.tf ├── s3.tf ├── s3_replication.tf </code></pre> </div> <h3> 1. Create two buckets in different regions </h3> <h4> 1.1. Create two providers </h4> <p>We need to create two provider for each regions. Alias is used so that we can identify them easily, you can name anything. So, the <code>main.tf</code> file is -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Providers for different AWS regions</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-2"</span> <span class="c1"># Source region</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"secondary"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="c1"># Destination region</span> <span class="p">}</span> </code></pre> </div> <h4> 1.2. Create Source and Destination buckets </h4> <p>Let's write the <code>s3.tf</code> file to create two buckets and enable versioning -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Source S3 Bucket (Primary Region)</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"source_bucket"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"primary-bucket-for-replication"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"source_versioning"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">source_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Destination S3 Bucket (Secondary Region)</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"destination_bucket"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">secondary</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"secondary-bucket-for-replication"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"destination_versioning"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">secondary</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">destination_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Add replication Policy </h3> <p>Now we will create a <code>replication policy</code> which will contain which actions can be done by one bucket on another like <code>ReplicateObject</code>, <code>ReplicateDelete</code> etc. and finally will bind it to a role that can be attached to our buckets using <code>aws_s3_bucket_replication_configuration</code>.<br> Notice using<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>filter <span class="o">{</span> prefix <span class="o">=</span> <span class="s2">""</span> <span class="c"># Replicate all objects or *.pdf *.mp4</span> <span class="o">}</span> </code></pre> </div> <p>You can filter out what kind of files to replicate. Here I kept it on for all, because - why not it's a demo!<br> So, the <code>s3_replication.tf</code> file is -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># IAM Role for Replication</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"replication_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"s3-replication-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"s3.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># IAM Policy for Replication</span> <span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"replication_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"s3-replication-policy"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allows S3 replication between primary and secondary buckets"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:ReplicateObject"</span><span class="p">,</span> <span class="s2">"s3:ReplicateDelete"</span><span class="p">,</span> <span class="s2">"s3:GetObjectVersion"</span><span class="p">,</span> <span class="s2">"s3:GetObjectVersionAcl"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">source_bucket</span><span class="p">.</span><span class="nx">bucket</span><span class="k">}</span><span class="s2">/*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:ReplicateObject"</span><span class="p">,</span> <span class="s2">"s3:ReplicateDelete"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">destination_bucket</span><span class="p">.</span><span class="nx">bucket</span><span class="k">}</span><span class="s2">/*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Attach Policy to Role</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"replication_policy_attach"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">replication_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">replication_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># S3 Replication Configuration</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_replication_configuration"</span> <span class="s2">"replication"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">source_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">replication_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"cross-region-replication"</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">""</span> <span class="c1"># Replicate all objects or *.pdf *.mp4</span> <span class="p">}</span> <span class="nx">destination</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">destination_bucket</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="p">}</span> <span class="nx">delete_marker_replication</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now, if we put one file in the source bucket (primary-bucket-for-replication) the object will very soon be created automatically in the secondary bucket as well (secondary-bucket-for-replication`.</p> <h2> Final thoughts </h2> <p>For a production use case, use variables file to handle variables and use strict permission on IAM policies, grant only what’s necessary.<br> Happy Coding!</p> aws terraform cloudcomputing devops Run aws Lambda locally with LocalStack Ashraf Minhaj Mon, 10 Feb 2025 17:56:29 +0000 https://dev.to/ashraf-minhaj/run-aws-lambda-locally-with-localstack-3mog https://dev.to/ashraf-minhaj/run-aws-lambda-locally-with-localstack-3mog <h2> Introduction </h2> <p>How do we usually debug a Lambda function? We deploy it to aws using the Web Console or Terraform then run it, see the output and repeat until we are satisfied. But hey, every lambda execution costs, not to mention the tiresome process to run it manually. <br> What if I tell you that you can deploy an aws-lambda function in locally simulated aws environment and actually run it with fruitful results! No more extra costs and boring process. </p> <p>Imagine deploying your full micro services architecture in local! And yeah you don't have to have an aws account too. I can't wait to show you.</p> <h2> The Game Plan </h2> <p>We need <a href="https://www.localstack.cloud/" rel="noopener noreferrer">LocalStack</a> which simulates aws cloud inside our local machine for deploying, testing, debugging aws cloud infrastructure. It exposes an API (default: <a href="http://localhost:4566" rel="noopener noreferrer">http://localhost:4566</a>) using which we can deploy and manage aws resources.<br> There's another tool named <a href="https://github.com/localstack/terraform-local" rel="noopener noreferrer">tflocal</a>, which is a wrapper for Terraform for LocalStack. <br> We just have to define some mock credentials in the provider section and that's it.</p> <p>We will deploy the infrastructure (lambda here) and invoke it then save the output in a .json file for the sake of debugging. Let's go!</p> <h2> Build the infrastructure </h2> <p>We will write a basic lambda function. This will be the directory structure for the project -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── README.md ├── Terraform │ ├── lambda.tf │ └── provider.tf └── app └── lambda_function.py </code></pre> </div> <h3> 1. Write the lambda function </h3> <p>First let's write the basic lambda function using python <code>app/lambda_function.py</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">statusCode</span><span class="sh">'</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="sh">'</span><span class="s">Hello, I ran using LocalStack!</span><span class="sh">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Write the Terraform code </h3> <p>Now let's write the provider <code>Terraform/provider.tf</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">access_key</span> <span class="p">=</span> <span class="s2">"test"</span> <span class="nx">secret_key</span> <span class="p">=</span> <span class="s2">"test"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">s3_use_path_style</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">skip_credentials_validation</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">skip_metadata_api_check</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">skip_requesting_account_id</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>We can write the lambda manifest now <code>Terraform/lambda.tf</code>. This automatically zips the lambda function, so chill.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Automatically zip the Lambda code from the ../app directory</span> <span class="k">resource</span> <span class="s2">"archive_file"</span> <span class="s2">"lambda_zip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"../app"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"../app/lambda_function.zip"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"my_lambda"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"my-test-lambda"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"lambda_function.lambda_handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.8"</span> <span class="c1"># Specify the location of the Lambda function code (the zip file)</span> <span class="c1"># the script takes it automatically</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"../app/lambda_function.zip"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"lambda_exec"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda_exec_role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">lambda_assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"lambda_assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"lambda.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You can now run <code>terraform init</code>, <code>terraform plan</code> to see if things went fine, but that's optional. We will use tflocal in the next step anyway.</p> <p>All the codes can be downloaded from <a href="https://github.com/ashraf-minhaj/AWS-IaCs-with-Terraform/tree/main/localstack/lambda" rel="noopener noreferrer">here</a>.</p> <h3> 3. Setup LocalStack </h3> <p>3.1. Install and run <a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04" rel="noopener noreferrer">docker</a> on your machine. <br> 3.2. Install localstack - <a href="https://docs.localstack.cloud/getting-started/installation/" rel="noopener noreferrer">see instructions</a>. I just installed using homebrew -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>localstack/tap/localstack-cli </code></pre> </div> <p>3.3. Install <code>tflocal</code> - a wrapper for <code>localstack</code> to work with <code>Terraform</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip3 <span class="nb">install </span>terraform-local </code></pre> </div> <p>3.4. Run LocalStack -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>localstack start <span class="nt">-d</span> localstack status <span class="c"># to stop</span> <span class="c"># localstack stop </span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp0pm8t2izjqamj8mtspj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp0pm8t2izjqamj8mtspj.png" alt=" " width="800" height="273"></a></p> <p>3.5. You have AWS CLI installed, don't you?</p> <h2> 4. Deploy and Run Lambda </h2> <h3> 4.1. Deploy the Lambda </h3> <p>Now on your project's <code>Terraform/</code> directory run<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tflocal init </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw29tejyjicogxsic3h0l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw29tejyjicogxsic3h0l.png" alt="init-demo" width="800" height="410"></a></p> <p>Plan to see the draft output -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tflocal plan </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyms216rfm181747n8wts.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyms216rfm181747n8wts.png" alt="plan" width="800" height="431"></a></p> <p>Now we can apply the resources (localstack must be running) -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tflocal apply <span class="nt">--auto-approve</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzv3zavwivl6ghui77ylu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzv3zavwivl6ghui77ylu.png" alt="apply" width="800" height="511"></a></p> <p>Now let's see if there are any functions deployes. Let's use the aws cli command to list the lambda functions. Note, we have to pass the <code>endpoint-url</code>, that's the only change.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws <span class="nt">--endpoint-url</span><span class="o">=</span>http://localhost:4566 <span class="nt">--region</span> us-east-1 lambda list-functions </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffi4g5ru4wcm2vyui3hd6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffi4g5ru4wcm2vyui3hd6.png" alt=" " width="800" height="371"></a></p> <p>There you have it!! We have successfully deployed a lambda function locally using localstack!!</p> <h3> 4.2. Invoke the lambda </h3> <p>Let's invoke (run) the lambda to test, again using aws CLI commands but with the endpoint url passed -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws <span class="nt">--endpoint-url</span><span class="o">=</span>http://localhost:4566 <span class="nt">--region</span> us-east-1 lambda invoke <span class="nt">--function-name</span> my-test-lambda output.json </code></pre> </div> <p>So this will invoke the lambda function and save it's output in a file called <code>output.json</code> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F16iswxdfc4q8wds05shf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F16iswxdfc4q8wds05shf.png" alt=" " width="800" height="131"></a></p> <p>Congratulations! Now you know how you can run aws lambda functions without putting pressure on the bills and automate any way possible. </p> <h2> What's next? </h2> <p>LocalStack opens up a whole new window to explore and enhance your DevOps project management capability. Without deploying on the actual cloud you can now play around on the local which gives you enough flexibility to explore and no worries about costs and errors. </p> <p>The next projects where we can explore in future -</p> <ul> <li>Connecting Lambda with API Gateway</li> <li>Testing with event payloads</li> <li>Running multiple microservices locally</li> </ul> <p>May be I can write another blog on it with API GateWay. Till then, best wishes. Happy learning.</p> lambda aws localstack terraform