DEV Community: Surya Shankar

hello

Surya Shankar — Sun, 05 Nov 2023 10:01:51 +0000

Enable Flow Logs for your VPC and collect all traffic in and out of your VPC network

Surya Shankar — Thu, 06 Apr 2023 12:53:23 +0000

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Flow logs can help you with a number of tasks, such as:

Diagnosing overly restrictive security group rules
Monitoring the traffic that is reaching your instance
Determining the direction of the traffic to and from the network interfaces

Create your VPC , Subnet , InternetGateway & Routes table with Subnets Associations.

Create a VPC in Mumbai region.
VPC name :- VPC-Mumbai
Ipv4 CIDR :- 11.0.0.0/16

Create a public subnet inside that VPC
Subnet name :- Pub-subnet
AZ :- ap-south-1b
Ipv4 CIDR :- 11.0.1.0/24

Create a InternetGateway and attach it to your VPC

Create a route table for subnet association

Allow 0.0.0.0/0 inside route for internet access

Create a EC2 instance inside the public subnet

Deploy a Window server

Create IAM Role to allow Flow Logs to be sent to the CloudWatch Log Group

First, we need to create an IAM Role there allows the Flow Logs to send data into a CloudWatch Log Group, so go to IAM > Roles and click Create role.

Now select Custom trust policy under the Trusted entity type and add the vpc-flow-logs.amazonaws.com as a principal service.

You should click next until you hit the review pages where you name your new role with a name you easily can find, this role can be reused every time you need a flow log role to send logs into CloudWatch Log Group.

After you have created your role it can be found under your roles before we are finished with the role we need to attach an inline policy to it so click on your new role.

Click add permissions > create inline policy to start editing your policy for this role.
Copy the policy into the inline policy and click next

You need to give the inline policy a name before you are finished with creating this inline policy for the role.
Now your role should end up with your new policy attached to your role as you created it and your role is now ready for use.

Create a CloudWatch Logs group

Search for cloud watch and click on log groups
When you create the log group you need to change the retention settings to 3 months and give your log group a name, after that you can create your group.

Create Flow Logs for your VPC

To create a flow log you need to go for VPC and right-click on the VPC you want to create a flow log on, then click Create flow log.

You need a name for your flow log and select your CloudWatch Log Group and the IAM Role you created before, use the AWS default format for logging.

When you have created your flow log you can see it by clicking on your VPC and going to Flow logs, here you can click on your destination name to visit the logs for this flow log.

Now you can see the log stream for each network eni-* click on the log stream you want to watch out for , Here No logs are there because nothing happended inside our network till now.

Now lets try to RDP inside the window server that we created earlier.

Now Go to log groups --> log streams

Here You can able to watch all the logs
Each group will contain a separate stream for each Elastic Network Interface (ENI):

Each stream, in turn, contains a series of flow log records.

How To Install & Manage Splunk Universal Forwarder in AWS Ec2

Surya Shankar — Mon, 03 Apr 2023 20:22:47 +0000

What is Splunk?

Splunk is an application that is designed to search and analyze data gathered from the machine, devices, and well anything that sends data in your infrastructure.

Splunk Cloud vs Splunk Enterprise ?

The big difference here is that Splunk Enterprise is hosted on your company's infrastructure, or your personal machine if you are using it on your machine. Splunk Cloud is the same software however it is hosted in Splunk's Cloud and all this hardware is maintained by Splunk. Splunk Cloud reduces the time it takes to get to production as well as decreases the cost of your SIEM.

Universal Forwarder ?

Universal Forwarders allow your machine to stream data to the receiver which is an index in Splunk Cloud. These forwarders allow use to monitor traffic in real time.

Splunk Installation Lab

Create two instance on AWS ec2 as shown below

Install Splunk in both of them . In order to do that go to Splunk Enterprise website and download the splunk for linux.

Now install the splunk using command



sudo yum install ./splunk <Splunk file name>

Move to bin folder



cd /opt/splunk/bin

Create a license and start the splunk



./splunk start --accept-license --answer-yes

Add port 8000 in the security group

Now your splunk is read to run

Put publicip:8000 in browser and login

NOTE

Follow this above steps to install the splunk in both the server....

Now Clearly you can see there is no host present...

so inorder to connect host we need universal forwarder...

Universal Forwarder Installation

Go to splunk platform --> products --> Free trails and downloads

Download the universal forwarder

Install that forwarder using command :



sudo yum install ./<splunk forwarder name>

Now change path to bin folder and start the splunk

It will ask for a port number , put any port [ Here I put 9089 ]

Now add the forward server to the splunk, Here I have put the public ip of splunk server



./splunk add forward-server <publicip-splunk server>:9997

Restart the splunk

Now Put the log path :



./splunk add monitor /var/log

Restart the splunk again

Now go to bin path and enable 9997 port listen

Restart the Splunk and you can see that the client is added to the forwarder.

Inorder to add the another server client .. Follow the same process above
But in place of port input , Put a different port as shown below
9088

Add forward server ip as splunk server public ip

After that you can see two ip in the host ...
One host is splunk server and another was universal forwarder

Click on the host name and you can see the logs file here

Now create a test folder inside /opt/splunk/etc/deployment-apps ,
it will reflect in forwarder management apps

Now try to deploy a client using below commnads and restart the splunk



./splunk set deploy-poll <splunk server ip>:8089

You can see the client here

You can also create a server class and deploy that test app here

Add a client ip or hostname where you want to deploy

Deauthentication Attack using Kali Linux

Surya Shankar — Tue, 03 Jan 2023 19:00:31 +0000

What is a Deauth Attack?

Deauthentication attack is a type of denial of service attack that targets communication between a user ( or all users ) and a Wi-Fi access point.
This attack sends disassociate packets to one or more clients which are currently associated with a particular access point. Of course, this attack is useless if there are no associated wireless clients or no fake authentications.

The cool thing about this attack is that even today where all networks are using WPA2 encryption you can still easily deauth almost anything or anyone without even being inside the network!

Why does a deauth attack work on WPA2 despite encryption?

The use of encryption in 802.11 is limited to data payloads only. Encryption does not apply to the 802.11 frame headers, and cannot do so as key elements of 802.11 headers are necessary for normal operations of 802.11 traffic.
Since 802.11 management frames largely work by setting information in the headers, management frames are not encrypted and as such are easily spoofed.
To prevent deauthentication/disassociation attacks, the IEEE implemented the 802.11w amendment to 802.11. This provides a mechanism to help prevent the spoofing of management frames, but both client and infrastructure need to support it (and have it enabled) for it to function.

A deauth attack is, most of the time, the first step for a greater attack, a gateway hack ! Hackers usually need to deauth a user off of a network so they can:

Capture WPA/WPA2 4-Way Handshakes by forcing a user to reconnect to the network
Force users to connect to their Rogue access point (search: Evil Twin Attack)
Force users to connect to a Captive Portal for whatever reason

To perform this type of attact , You will a wifi adapter.
The ist command is iwconfig. Type it and execute it on your terminal



iwconfig

**Note : Here you have to set your wlan0 from managed to the monitor mode**

Execute the command airodump-ng wlan0 on your terminal and start choosing targets.



airodump-ng wlan0

You can also do specefic attack like



airodump-ng -d "target's BSSID" -c "target's channel number" "wireless adapter monitor mode name"

In our case the full command is:



airodump-ng -d <BSSID> -c 11 wlan0

The combination of BSSID and ESSID can help hackers find locations.

The command will keep running and monitoring near Access Point behavior but as soon as we find our target on the list we can just hit ctrl+c to stop the monitoring process.

BSSID | MAC address of the access point.
PWR | Signal level reported by the card.
Beacons | Number of announcements packets sent by the AP.
Data | Number of captured data packets (if WEP, unique IV count), including data broadcast packets.
#/s | Number of data packets per second measure over the last 10 seconds.
CH | Channel number (taken from beacon packets).
MB | Maximum speed supported by the AP.
ENC | Encryption algorithm in use.
CIPHER | The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104.
AUTH | The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
ESSID | Shows the wireless network name.

I will be targeting my own Wifi[Surya24]! You should understand that doing this to other APs is illegal. Unless you have the permission.

Deauthenticating device from network //Kicking

The final command is:



aireplay-ng --deauth 10 -a <BSSID> -D wlan0

Now the user will get disconnected and after 10 deauth attack , user will automatically connect

Steganography : Hide text within an Image file using steghide.

Surya Shankar — Fri, 09 Dec 2022 19:05:34 +0000

Steganography is the practice (or art) of hiding secret messages in plain view.

Take an image file of a flower, for example. Opening the file shows a flower. Whoopie. However, there might be a hidden message encoded inside the bits and bytes of the image data that is not visible unless certain software is used to decode it.

The same can apply to text files. You could write an innocent readme.txt file that looks like any other text file of instructions when opened normally. With steganography, you could encode a secret message within readme.txt that includes game cheat codes, secret contact information, a cookie recipe, ASCII art, or whatever else you wish to convey to your accomplice who receives the file.

What is steghide ?

steghide is a command line utility available on *nix like platforms. It allows us to hide textual contents inside supported image file.

How to hide text using steghide ?

Let us finally see how we can actually hide our super confidential text using steghide.

First of all Inside Kali Linux , create a text file and download an image from an internet.

Text file

Image

Run the command below to encrypt and append the data. You will be asked to type a password twice.



steghide embed -cf <image_file> -ef <file_with_confidential_text>

The -cf option is short for --coverfile which specifies the targeted image file. Whereas the -ef option is short for --embedfile which is the file which needs to be hidden.

Here we successfully hide the text file inside our image.

How to extract hidden text using steghide ?

Now that we have appended our text in the file in the section above. Let us see how we can actually retrieve the file from the image.

Now that we have the file let us run the command below to extract the data from the image file. It will prompt for password which you have used to encrypt the text.

In order to extract the textfile from the image ..
lets delete the original text file first



steghide extract -sf <image_file>

Code language: Bash (bash)
The option -sf is short for --stegfile which is the file which holds the appended data.

We have successfully extracted the encrypted information from the image.

Terraform code to create a VPC , Subnet , EC2 Instance , keypairs , Security group and Nat Gateway with Website Hosting in AWS

Surya Shankar — Sun, 09 Oct 2022 16:35:25 +0000

In a DevOps scenario, building AWS services via tools like Terraform is a more scalable and automated approach to cloud resource provisioning.

Understanding AWS VPCs

An AWS VPC is a single network that allows you to launch AWS services within a single isolated network. Technically, an AWS VPC is almost the same as owning a datacenter but with built-in additional benefits of scalability, fault-tolerance, unlimited storage, etc.

Building the Terraform Configuration for an AWS VPC

1. To start, create a folder to store your Terraform configuration files in. This tutorial will create a folder called terraform-ec2 in your home directory.

The Terraform configuration below:

Creates a VPC
Creates an Internet Gateway and attaches it to the VPC to allow traffic within the VPC to be reachable by the outside world.
Creates a public and private subnet

Subnets are networks within networks. They are designed to help network traffic flow be more efficient and provide smaller, more manageable ‘chunks’ of IP addresses

Creates a route table for the public and private subnets and associates the table with both subnets
Creates a NAT Gateway to enable private subnets to reach out to the internet without needing an externally routable IP address assigned to each resource.
Creates two server/instance [ public and private ]
Deploy a website inside public server with the help of scripting file [.sh].

Create a file inside ~/terraform-ec2 directory, paste in the following code, and name it as provider.tf to define the AWS provider

Vars.tf is a Terraform variables file that contains all the variables that the configuration file references.
You can see variables references in the configuration file by:

variable "region" {}
 variable "main_vpc_cidr" {}
 variable "public_subnets" {}
 variable "private_subnets" {}

Create one more file inside the ~/terraform-ec2 directory, name it terraform.tfvars, and paste the code below. This variables file contains the values that Terraform will use to replace the variable references inside of the configuration file.

main_vpc_cidr = "11.0.0.0/16"
 public_subnets = "11.0.1.0/24"
 private_subnets = "11.0.2.0/24"

The instance.tf file contains all the resources which are required to be provisioned such as vpc subnets and instance.

Creating VPC & Internet Gateway.

Creating public and private subnets

Creating routes table for public and private subnets

Subnets association and Creating Nat gateway

Creating keypairs for Ec2 instances
To create a key inside our folder we need to type following commands

ssh-keygen -t rsa
./id_rsa

It will create two files id_rsa[private] and id_rsa.pub[public]

Creating a web_server.sh file for Website deployment

Creating EC2 public server with keys pair

Creating EC2 private server

Creating Security Groups and assign it to EC2 instance

Run the terraform init command in the same directory. The terraform init command initializes the plugins and providers which are required to work with resources.

Now, run the terraform plan command. This is an optional, yet recommended action to ensure your configuration’s syntax is correct and gives you an overview of which resources will be provisioned in your infrastructure

Next, tell Terraform actually to provision the AWS VPC and resources using terraform apply. When you invoke terraform apply, Terraform will read the configuration (instance.tf) and the other files to compile a configuration. It will then send that configuration up to AWS as instructions to build the VPC and other components.

Now our resources are created successfully lets verify it in aws console

VPC

Subnets

Routes tables

Internet gateway

Nat Gateway

Public & private servers

Put your public server ip in browser and check your website

You can also try to ssh into public server

As private server don't have any public ip...so inorder to ssh into it we can either use openvpn or a jump server [ so here public server acts like a jump server]

Now we are in private server.. we can't able ping as there is no internet inside this server

Using Nat gateway we can go to internet from this server
A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

Now you can delete all resources at a time using terraform destroy commands.

The terraform destroy command is a convenient way to destroy all remote objects managed by a particular Terraform configuration.

Terraform Workspace

Surya Shankar — Sun, 09 Oct 2022 16:17:35 +0000

Workspaces in Terraform are simply independently managed state files. A workspace contains everything that Terraform needs to manage a given collection of infrastructure, and separate Workspaces function like completely separate working directories. We can manage multiple environments with Workspaces.

What is Terraform Workspace?

If we use the local backend for storing Terraform state, Terraform creates a file called terraform.tfstate to store the state of the applied configuration. However, in scenarios where you want to use the same configuration for different contexts, separate states might be necessary with same configuration.

Workspaces allows you to separate your state and infrastructure without changing anything in your code when you wanted the same exact code base to deploy to multiple environments without overlap. i.e. Workspaces help to create multiple state files for set of same terraform configuration files.

Each of environments required separate state files to avoid collision. With the use of workspaces, you can prepend the workspace name to the path of the state file, ensuring each workspace (environment) had its own state.

To better understand how multiple Terraform workspaces work, create two different workspaces:

create a folder in your home directory, and change the working directory to that folder.

The folder is called terraform-EC2-workspace, stored in your home directory. You can name the folder differently as you prefer. This folder stores your Terraform configuration files.

Building Terraform Configurations to Launch EC2 Instances

The provider.tf file is where you define the AWS provider so that Terraform can connect to the correct cloud services.

Now, create another file named variable.tf inside the ~/terraform-EC2-workspace directory , which contains all the variables that the configuration file references.

The terraform.tfvars contains the values Terraform uses to replace the variable references inside a configuration file.**

The instance.tf and key.tf file allows you to create AWS EC2 instances with the AMI and [instance type] etc , declared as variables

Use ssh-keygen command to create a keypair

Create two new files name as dev-terraform.tfvars and prod-terraform.tfvars
Inside dev-terraform.tfvars , change the ami to windows ami , also change to subnet id and zone

Inside prod-terraform.tfvars , change the ami to ubuntu ami , also change to subnet id and zone

Now we are in a default workspace , to check this type :

terraform workspace list

Creating the new workspace for dev and prod

terraform workspace new dev
terraform workspace new prod

Perhaps you want to switch from one workspace to another. If so, run the command below.

terraform workspace select dev

Now we are in dev workspace , Lets run all terraform command to spin a EC2 instance

terraform init --var-file dev-terraform.tfvars

terraform plan --var-file dev-terraform.tfvars

terraform apply --auto-approve --var-file dev-terraform.tfvars

Similary go for prov-terraform.tfvars after switching to it workspace

It will create two terraform.tfstate file one for dev and one for prod separately as below..

For DEV

For PROD

Key Points

With Workspaces, we can set deploy different environment with same terraform configuration files.
To manage multiple distinct sets of infrastructure resources (e.g. multiple environments), we can use Workspaces.
Workspaces isolate Terraform state. It is a best practice to have separate state per environment.
Workspaces are technically equivalent to renaming your state file.
Workspaces ensure that the environments are isolated and mirrored.

Terraform code to create a VPC , Subnet & Routes table with subnets association.

Surya Shankar — Wed, 28 Sep 2022 16:09:00 +0000

In a DevOps scenario, building AWS services via tools like Terraform is a more scalable and automated approach to cloud resource provisioning.

Understanding AWS VPCs

Building the Terraform Configuration for an AWS VPC

1. To start, create a folder to store your Terraform configuration files in. This tutorial will create a folder called terraform-ec2 in your home directory.

The Terraform configuration below:

Creates a VPC
Creates an Internet Gateway and attaches it to the VPC to allow traffic within the VPC to be reachable by the outside world.
Creates a public and private subnet
Subnets are networks within networks. They are designed to help network traffic flow be more efficient and provide smaller, more manageable ‘chunks’ of IP addresses
Creates a route table for the public and private subnets and associates the table with both subnets
Creates a NAT Gateway to enable private subnets to reach out to the internet without needing an externally routable IP address assigned to each resource.

Create a file inside ~/terraform-vpc directory, paste in the following code, and name it as provider.tf to define the AWS provider
prerequisite :- Ist of all you have to create a admin IAM user in aws

The VPC.tf file contains all VPC credentials such as cidr range vpc name etc.

internetgateway.tf file contains internet gateway name with vpc attachment...
Here we can attach it with vpc using vpc id. [ aws_vpc.NewVpc.id]

subnets.tf file contains all details of Public Subnets and Private Subnets such as cidr range , inside which vpc we have to put our subnets using vpc id.
Here inside public subnet we have used map_public_ip_on_launch = true in order to enable auto assign public ip inside this subnet

Pub-routes.tf file contains routes table with subnet association of public sunbet.

nat.tf file contain a nat gatway which will be present inside our public subnet thats why here we have attach public subnet id.

priv-routes.tf file contains routes table with subnet association of private sunbet.

Run the terraform init command in the same directory. The terraform init command initializes the plugins and providers which are required to work with resources.

Next, tell Terraform actually to provision the AWS VPC and resources using terraform apply. When you invoke terraform apply, Terraform will read the configuration (.tf) and the other files to compile a configuration. It will then send that configuration up to AWS as instructions to build the VPC and other components.

Now our resources are created successfully lets verify it in aws console

VPC

PUBLIC & PRIVATE SUBNETS WITH ROUTES TABLES

ROUTES AND SUBNET ASSOCIATION OF PUBLIC SUBNET

ROUTES AND SUBNET ASSOCIATION OF PRIVATE SUBNET

INTERNET AND NAT GATWAYS

CI/CD using Jenkins , Docker on AZURE Virtual machine [ Ubuntu ] with Github Integration.

Surya Shankar — Tue, 20 Sep 2022 04:23:11 +0000

What is a CI/CD pipeline?

A CI/CD pipeline automates your software delivery process. The pipeline builds code, runs tests (CI), and safely deploys a new version of the application (CD).
Automated pipelines remove manual errors, provide standardized feedback loops to developers, and enable fast product iterations.

IMPORTANT STEPS :

- Create a Web Application.
- Azure Virtual Machine
- Create a Dockerfile and docker-compose.yml.
- Jenkins Installation.
- Github Integration using personal access token.
- Jenkins Node configuration and Job setup.

Prerequisite :

You must have an website/web application [In this project , I have used a Web application present in my github repository]

STEP-1 : Create a Virtual machine in azure ( I have used Ubuntu machine )

SSH into that server and create a folder naming dockerfiles

Inside that folder , Create one Dockerfile and one yml[docker-compose.yml]

Creating Dockerfile

A Dockerfile is a script that automatically creates containers on the Docker platform.
A Dockerfile is basically a text document that contains all the commands a user could call on the command line to assemble an image.

The FROM instruction sets the Base Image for subsequent instructions. As such, a valid Dockerfile must have FROM as its first instruction. The image can be any valid image – it is especially easy to start by pulling an image from the Public Repositories.

The ADD instruction add's the local files into the containers specified path.

The EXPOSE instruction informs Docker that the container listens on the specified network ports at runtime.

The CMD instruction should be used to run the software contained by your image, along with any arguments. We use this to start our tomcat inside the image.

Creating docker-compose.yml as shown below

Docker Compose is a tool that was developed to help define and share multi-container applications.
With Compose, we can create a YAML file to define the services and with a single command, can spin everything up or tear it all down.

STEP-2 : Create a Personal access token and a github repository

Personal Access token in github

Github repository

Now push all files into your repository .. Here you can use you personal access token as a password

STEP-3 : Jenkins Installation

Jenkins is an open-source automation tool written in Java with plugins built for Continuous Integration purposes.
Jenkins is used to build and test your software projects continuously making it easier for developers to integrate changes to the project, and making it easier for users to obtain a fresh build.
It also allows you to continuously deliver your software by integrating with a large number of testing and deployment technologies.

Step - 1 Install Java

sudo apt update
Install java
sudo apt install openjdk-11-jre

Step - 2 Install Jenkins

Just copy these commands and paste them onto your terminal.

curl -fsSL https://pkg.jenkins.io/debian/jenkins.io.key | sudo tee \
/usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update 
sudo apt-get install jenkins

Step -3 Start jenkins

sudo systemctl enable jenkins
sudo systemctl start jenkins
sudo systemctl status jenkins

After that go back to your virtual machine and add a inbound port 8080 into it. [ As jenkins always runs on a port 8080 ]

Paste your publicip:8080 in browser and put the password to unlock jenkins

Create your admin user

Jenkins Dashboard

Ist of all we Have to setup an agent [node]

Inside remote directory put your dockerfiles folder location

Select use websocket and save

After that inside managed plugins , Make sure you have git plugins installed there

Jenkins achieves Continuous Integration with the help of plugins. Plugins allow the integration of Various DevOps stages. If you want to integrate a particular tool, you need to install the plugins for that tool. For example Git, Maven 2 project, Amazon EC2, HTML publisher etc.

Now click on configuration setting and connect your github

Add Jenkins

Select Secreat text

Inside secreat paste your github access token

Now select your id

Test the connection and save

Create a job

let's create a Freestyle project to build and run the project stored in the GitHub repository:

In the Source Code Management section, we need to select the repository where we pushed our code.

As soon as we will click on the above option, we will see the text area in which we will write the commands mentioned below:

Here ist put your Dockerfile path

cd /dockerfiles

Run docker build and container run command

docker image build -t weatherapp
docker container run -itd -p 8000:80 weatherapp

Save it
Go to the respective job that we want to run and click on the "Build Now" link highlighted in the below image:

Now your Continous integration pipeline was created .. you can paste your publicip:8000 in browser to watch your application

Now the problem is , If you do some changes in your github then you need to ist kill the running container and build a new container to integrate that changes.
So in order to create a Continous deployment you need to run docker-compose file

Now build it

Dockerfile build process console output shown below

Now if you have done some changes in your github , it will reflict automatically

Just click on build now and your changes will be reflected here
No need to manually kill the container

As you can see our website working properly.

Terraform code to Create Github Repository

Surya Shankar — Mon, 29 Aug 2022 16:02:00 +0000

Create a new manifest called github.tf in the directory, and paste that into there:

Copy the use provider code to create your first block

terraform {
required_providers {
github = {
source = "integrations/github"
version = "4.30.0"
}
}
}

provider "github" {
# Configuration options
}

Under authenticate in https://registry.terraform.io/providers/integrations/github/latest/docs,
you see that a token is required. Generate a token in your github accoundt under the developer settings within settings . When creating the token, select the operations for repo and
delete_repo.

- Navigate to github_repository in the documentation and copy the example usage into your VS Code, You can remove the template and description part since they are optional, change the
visibility to public/private and name it as terraform repo

Run Following Commands
$ terraform init
- Download Providers & Modules

$ terraform validate
- Validate .tf profile
$ terraform plan
- DRY RUN

$ terraform apply
- Create a resources &&& store a resonse IN STATE file(json)

Now go to your github and you can see your repo

How to Launch an Amazon Linux EC2 Instance Using Terraform

Surya Shankar — Mon, 29 Aug 2022 08:58:00 +0000

Terraform

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently.
Terraform can manage existing and popular service providers as well as custom in-house solutions which has been developed by HashiCorp.
A provider is responsible for understanding API interactions and exposing resources.
Most of the available providers correspond to one cloud or on-premises infrastructure platform and offers resource types that correspond to each of the features of that platform.

Advantages of Terraform:

- Support multiple platforms & has hundreds of providers
- Simple configuration language with fast learning curves
- Easy integration with configuration management tools like Ansible
- Easily extensible with plugins
- Free

Creating your AWS account user and setting up a directory for the terraform manifests

Create a user in your AWS account and note the access key and the security key. Create a directory wherein you will keep the terraform code and create a new file called first_ec2.tf. This will be the file where we will write out configuration into

Creating your terraform manifest

Considerations:
- Ensuring authentication to AWS
- Specifying a region for the resource
- Specifying the resource

Navigate to https://registry.terraform.io/ to look at the requirements to launch a resource. Navigate to Documentation found in the AWS provider . Here they provide example usage of the provider and resource blocks

Provider Block : Begin building the code for the provider block based of the example and signify the region:
Use your AWS users access-key and secret-key (acquired from IAM users):

Resource Block : Begin building the code for the resource block, this requires an ami and the instance type that you are interested in. You can choose the t2.micro free instance type here on the Amazon Linux 2 operating system. The ami must be selected according to the region and many more.

Full screen shown below

Preparing your terraform directory and executing your manifest with the terraform core commands

- terraform init

The terraform init command read the configuration file that we used and found the provider to be aws and downloaded the terraform plugins needed for this. These can be found in the path .terraform\providers\registry.terraform.io\hashicorp

Each time you configure our provider, ensure to run terraform init

- terraform plan

Perform this command in this directory to see what the configuration file (the manifest) will do and review it

- terraform apply

Perform this to execute the manifest that you have.

Enter yes to execute it after it shows a review of what will happen

You can confirm this in the console

Now You can see your Ubuntu server launched Successfully.

Since this is a test, you can destroy your instance by running the command:

The destroy command can be used to destroy a complete set of cloud infrastructure or a targeted resource.

- terraform destroy

To destroy a specific resources

terraform destroy -target RESOURCE_TYPE.NAME -target RESOURCE_TYPE2.NAME

It terminates all the resources specified in your Terraform configuration file.

Here Resource_type is aws_instance and name is Ubuntu as shown below

terraform destroy -target aws_instance.Ubuntu

Type yes

Now as shown below our resources terminated successfully

Visit this link ,If you want more information ..
https://spacelift.io/blog/how-to-destroy-terraform-resources

How to connect AWS RDS with MySQL Workbench application.

Surya Shankar — Sat, 20 Aug 2022 14:20:18 +0000

What is AWS RDS?

Amazon RDS is a Relational Database Cloud Service.
Amazon RDS creates multiple instances for high availability and failovers.
Amazon RDS supports PostgreSQL, MySQL, Maria DB, Oracle, SQL Server, and Amazon Aurora.

Note

RDS should always be configure inside a private subnet as because its a Database.

Backup retention is very easy in case of RDS.

RDS has an endpoint through which we can able to connect it with mysql workbench.

QS)-Now the question is how to connect AWS RDS which is present inside a private subnet of VPC from our local computer application [ MYSQL Workbench ]?

Ans:- One of the way is through OpenVpn setup. Once we able to setup an OpenVpn network , We can associate Host name ,port,Username,Password of RDS to our MYSQL workbench and able to connect.

LAB WORK

RDS setup

Create a VPC. [CIDR range :- 10.0.0.0/16]

Create two Private subnet with subnet association inside that VPC [ Atleast 2AZ] .Ipv4 CIDR:- 10.0.2.0/24 and 10.0.4.0/24

Create subnet groups and attach all subnet present inside that VPC.

Launch a RDS inside those private subnet.

-Create username and password.

-Copy the endpoints and attach it in Mysql workbench host name.

OpenVpn Setup

Create an Internet Gateway attach it with that VPC.

Create One public subnet with subnet association and routes table associated with internet gateway.

Deploy an OpenVpn in the Public subnet and connect it through xshell. -launch configuration.
Search for Openvpn.
Select OpenVpn Access server and launch it.

Install OpenVpn ,set the username and password and get the admin and client url for further use.

-Change the password.

Copy and paste the admin and client url for further use.

-Go to openvpn application and paste client url.

-Enter your username and password and connect.

-Now turn on VPN.

Download and install MySQL Workbench.

Open MySQL Workbench, and choose the ⊕ sign beside MySQL Connections to set up a new connection.

In the Setup New Connection dialog box, enter a suitable name for your connection.

In the Parameters section, enter the following details:

Host name: Enter the RDS endpoint

Port: Enter Port the number

Username: Enter the master user

Choose Test Connection.

In the popup that appears, enter the password that you configured when you created the DB instance, and then choose OK.

After testing your connection, from the Setup new connection dialog box, choose OK to save the connection. -Now You have successfully connected to Aws rds.