<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Nazrul Hassan</title>
    <description>The latest articles on DEV Community by Nazrul Hassan (@nazrul7711).</description>
    <link>https://dev.to/nazrul7711</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2166104%2F3c6b13ed-2d36-4834-a1d4-ed6a88b4057a.jpeg</url>
      <title>DEV Community: Nazrul Hassan</title>
      <link>https://dev.to/nazrul7711</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/nazrul7711"/>
    <language>en</language>
    <item>
      <title>Building a Multi-User Environment in AWS with Terraform</title>
      <dc:creator>Nazrul Hassan</dc:creator>
      <pubDate>Fri, 18 Oct 2024 13:40:04 +0000</pubDate>
      <link>https://dev.to/nazrul7711/building-a-multi-user-environment-in-aws-with-terraform-32a7</link>
      <guid>https://dev.to/nazrul7711/building-a-multi-user-environment-in-aws-with-terraform-32a7</guid>
      <description>&lt;p&gt;In this blog post, we'll explore a project where we created a multi-user environment in AWS using Terraform. This setup aims to establish a structured permissions model that accommodates different user groups and roles within an AWS account. Specifically, we have three categories of users: administrators, cloud engineers, and developers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Project Overview&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The primary aim of this project is to create distinct user groups with tailored permissions, ensuring that each group has the necessary access rights to perform their specific tasks. Here's a breakdown of the groups we are setting up:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Administrator Group&lt;/strong&gt;: This group will have full rights to manage all resources.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cloud Engineer Group&lt;/strong&gt;: Members will have permissions related to cloud infrastructure management.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Developer Role&lt;/strong&gt;: Developers can assume this role to perform specific actions without granting them full access.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Now, let's delve into the Terraform code that accomplishes this setup.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Explanation&lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;Below is the complete code for setting up the multi-user environment in AWS using Terraform. Each line is commented to provide clear explanations of what each part does.&lt;/p&gt;

&lt;p&gt;Start by creating a project folder and a Terraform file named main.tf, then place the code below in that file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# When we run terraform init, Terraform will download the AWS provider plugin from this line of code
provider "aws" {
  region = "us-east-1"  # Specify the AWS region
}

# Administrator Group
resource "aws_iam_group" "administrator-group" {
  name = "administrator-group"  # Create a group for administrators
}

# User Creation
resource "aws_iam_user" "user-1" {
  name = "user-1"  # Create a user named user-1
}

# AWS Managed Policy Attachment for Administrator Group
resource "aws_iam_policy_attachment" "administrator-access" {
  name       = "administrator-access"
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"  # Attach the AdministratorAccess policy
  groups     = [aws_iam_group.administrator-group.name]  # Add to the administrator group
  users      = ["your-user"]  # Include the existing admin user. If not included, this user will lose admin rights.
}

# Group Membership for Administrators
resource "aws_iam_group_membership" "add-to-administrators-group" {
  name  = "add-to-administrators-group"
  group = aws_iam_group.administrator-group.name  # Add user-1 to the admin group
  users = [aws_iam_user.user-1.name]
}

# Cloud Engineer Group
resource "aws_iam_group" "cloud-engineer-group" {
  name = "cloud-engineer-group"  # Create a group for cloud engineers
}

# User for Cloud Engineers
resource "aws_iam_user" "user-2" {
  name = "user-2"  # Create a user named user-2
}

# Group Membership for Cloud Engineers
resource "aws_iam_group_membership" "add-to-cloud-engineer-group" {
  name  = "add-to-cloud-engineer-group"
  group = aws_iam_group.cloud-engineer-group.name  # Add user-2 to the cloud engineer group
  users = [aws_iam_user.user-2.name]
}

# Custom JSON Policy Document for Cloud Engineers Group Policy
data "aws_iam_policy_document" "cloud-engineer-policy" {
  statement {
    effect    = "Allow"
    actions   = [ 
      "cloudformation:CreateStack",
      "cloudformation:ListStacks",
      "cloudformation:DeleteStack",
      "ec2:RunInstances",
      "ec2:StopInstances",
      "ec2:StartInstances"
    ]
    resources = ["*"]  # Allow actions on all resources
  }
}

# Inline Policy for Cloud Engineers
resource "aws_iam_group_policy" "cloud-engineer-policy" {
  policy = data.aws_iam_policy_document.cloud-engineer-policy.json 
  group  = aws_iam_group.cloud-engineer-group.name  # Attach policy to the cloud engineer group
}

# Developer Role Trust Policy JSON Document
data "aws_iam_policy_document" "developer-role" {
  statement {
    effect = "Allow"
    actions = ["sts:AssumeRole"]  # Allow assumption of this role
    principals {
      type        = "AWS"
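      # "*" matches every AWS principal in every account, not only your developers;
      # list specific IAM user or role ARNs here to restrict who can assume the role
      identifiers = ["*"]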
    }
  }
}

# Developer Role
resource "aws_iam_role" "developer-role" {
  name                 = "developer-role"
  assume_role_policy   = data.aws_iam_policy_document.developer-role.json  # Trust policy for the developer role
}

# Developer Permissions Policy JSON Document
data "aws_iam_policy_document" "developer-access" {
  statement {
    effect = "Allow"
    actions = [
      "lambda:CreateFunction",
      "lambda:DeleteFunction",
      "s3:GetObject",
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:lambda:us-east-1:471112828017:*",  # Specify resources for Lambda
      "arn:aws:s3:::*",
      "arn:aws:s3:::*/*"
    ]
  }
}

# Customer Managed Policy for Developer Role
resource "aws_iam_policy" "developer-policy" {
  policy = data.aws_iam_policy_document.developer-access.json  # Use the defined permissions
}

# Attach Developer Policy to Role
resource "aws_iam_role_policy_attachment" "attach-developer-policy" {
  role       = aws_iam_role.developer-role.name
  policy_arn = aws_iam_policy.developer-policy.arn  # Attach policy to the developer role
}


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Initialize Terraform&lt;/strong&gt;: Run the following command in your console. This step will download the required plugins:&lt;br&gt;
&lt;code&gt;terraform init&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Plan the Infrastructure&lt;/strong&gt;: This command will show what infrastructure this code will create in AWS:&lt;br&gt;
&lt;code&gt;terraform plan&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Apply the Changes&lt;/strong&gt;: Run this command, and it will prompt you for confirmation. Type yes to proceed. If everything is correct, this will create the groups, users, and roles in AWS:&lt;br&gt;
&lt;code&gt;terraform apply&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This should create the resources in AWS. Feel free to tweak any sections further.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Hosting React static website on AWS S3 with terraform</title>
      <dc:creator>Nazrul Hassan</dc:creator>
      <pubDate>Tue, 15 Oct 2024 07:58:39 +0000</pubDate>
      <link>https://dev.to/nazrul7711/hosting-react-static-website-on-aws-s3-with-terraform-11hn</link>
      <guid>https://dev.to/nazrul7711/hosting-react-static-website-on-aws-s3-with-terraform-11hn</guid>
      <description>&lt;p&gt;Nowadays, hosting a static website is fairly easy, thanks to AWS S3 and infrastructure-as-code tools like Terraform. In this post, I will walk you through the entire process of building a static React application and hosting it on AWS S3 while managing our infrastructure with Terraform.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Prerequisites&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Make sure you have the following set up:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Node.js and npm&lt;/strong&gt;: To create and build React applications.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AWS Account&lt;/strong&gt;: To host your static website in AWS S3.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Terraform&lt;/strong&gt;: For infrastructure management.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AWS CLI&lt;/strong&gt;: To interact with AWS resources.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Step 1: Build Static Application With React&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;First, we create our React application using Create React App.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npx create-react-app my-static-site
cd my-static-site
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Once your application is ready, run it locally with:&lt;br&gt;
&lt;code&gt;npm start&lt;/code&gt;&lt;br&gt;
When your application is ready, build your static files:&lt;br&gt;
&lt;code&gt;npm run build&lt;/code&gt;&lt;br&gt;
This command will create a build directory in your React project that will contain your static files.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2: Set up Terraform&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Let's set up our Terraform configuration to create an S3 bucket and host our React static application.&lt;/p&gt;

&lt;p&gt;Create a main.tf file (by convention we call it main.tf, but you could name it anything you like) in your project directory.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;provider "aws" {
  region = "us-east-1"  // the AWS region you want to deploy to
  access_key = "your-aws-access-key" // not needed if the AWS CLI is already configured; never commit real keys
  secret_key = "your-aws-secret-key" // not needed if the AWS CLI is already configured; never commit real keys
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run this command in your console. It will initialize the working directory and download the required plugins.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;terraform init&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Now add the following block to your main.tf to create an S3 bucket:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;resource "aws_s3_bucket" "example" {
  bucket = "your-unique-s3-bucket-name" 

}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Unblock your S3 bucket to allow public access. This is necessary for the next step, where we will create a bucket policy:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id 
  block_public_acls = false
  block_public_policy = false
  ignore_public_acls = false
  restrict_public_buckets = false  
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We now utilize the aws_iam_policy_document data source, which allows us to create IAM JSON policies. Notably, in the resources section, we specify both the bucket itself and "/*" to encompass all objects within that bucket. This distinction is important because our actions include both s3:ListBucket and s3:GetObject. The s3:GetObject action applies to individual objects, while the s3:ListBucket action pertains to the entire S3 bucket.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;data "aws_iam_policy_document" "example" {
  statement{

    principals {
      type = "AWS"
      identifiers = ["*"]
    }    

    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:ListBucket"
    ]

    resources = [
      aws_s3_bucket.example.arn ,
      "${aws_s3_bucket.example.arn}/*"
    ]
  }

}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Next, we create our bucket policy, using the JSON policy generated by the aws_iam_policy_document data source in the step above.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id 
  policy = data.aws_iam_policy_document.example.json

}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;With the above blocks in your main.tf, run this command in your console. It will generate an execution plan and show you the changes that this configuration will bring about.&lt;br&gt;
&lt;code&gt;terraform plan&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Now run &lt;br&gt;
&lt;code&gt;terraform apply&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Type yes to create the infrastructure.&lt;/p&gt;

&lt;p&gt;Now we will upload the React static application that we created above to our AWS S3 bucket (run &lt;code&gt;npm run build&lt;/code&gt; before running the command below).&lt;/p&gt;

&lt;p&gt;&lt;code&gt;aws s3 sync build s3://your-bucket-name&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Once your files are uploaded, go to your main.tf and add this block:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;resource "aws_s3_bucket_website_configuration" "example" {
  bucket = aws_s3_bucket.example.id 
  index_document {
    suffix = "index.html"    
  }

}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This code will enable your bucket for static website hosting. If everything is set up correctly, you will see a link in the static website section under the permissions of your bucket.&lt;/p&gt;

&lt;p&gt;It will look something like this:&lt;br&gt;
&lt;code&gt;http://my-static-site-bucket.s3-website-us-east-1.amazonaws.com&lt;/code&gt;&lt;/p&gt;

</description>
      <category>terraform</category>
      <category>s3</category>
      <category>react</category>
      <category>iam</category>
    </item>
  </channel>
</rss>
