⛰️Terraform & AWS

Write-up for creation of Terraform configuration to automate Prestashop, Database, S3 Bucket & configuring VPC/subnets for it

GitHub - weumn00b/Terraform-PrestashopAWS: This project sets up a Prestashop Image in an EC2 container along with an RDS running MySQL and an S3 container you can access for storageGitHub

1. Overview

2. Terraform

3. Python Script

4. Issues

5. Costs Associated

6. Potential Use Cases

7. Future Considerations

Overview

---

Currently, I'm learning about AWS services and offerings. In order to put this into practice I decided to use my knowledge about E-Commerce sites (specifically PrestaShop) and spin up something that could be used in a small environment. I wanted a publicly accessible PrestaShop store exposed to the internet for me to mess around with. I started to plan out my set up in AWS. Originally, this was the idea:

• EC2 instance that runs PrestaShop

• RDS used for the store database

• S3 to host files and images for the store

This eventually evolved into adding security groups to the instances, creating IAM roles to access the S3 bucket, and creating a VPC (virtual private cloud) with public and private subnets

Diagram for overall design of the project

Terraform

---

I wanted to do this in a way that can be repeatable and customizable. I chose to use Terraform, as it works well with AWS. All you have to do is install AWS-CLI and Terraform, sign in to AWS-CLI and you are ready to go! I slowly built out my Terraform configuration, adding things where it was needed.

Terraform running in command line

The start of the script builds out the networking portion, as we need to assign the instances after this is created.

//This is the main VPC that will be tied to RDS and EC2

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

//Allows traffic out to the internet

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

//Creating the Public Subnet for the E-Comm server

resource "aws_subnet" "public_subnet" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-2b"
  map_public_ip_on_launch = true
}

//Creation of a routing table, this sends any IPv4 traffic out to the internet. Any traffic that is sent through to the Private VPC is routed by AWS internally

resource "aws_route_table" "public_rt" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

//Assigns the routing table to the public subnet only

resource "aws_route_table_association" "public_assoc" {
  subnet_id      = aws_subnet.public_subnet.id
  route_table_id = aws_route_table.public_rt.id
}

//Creation of the Private subnet (where RDS will sit)

resource "aws_subnet" "private_subnet" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.2.0/24"
  availability_zone       = "us-east-2b"
  map_public_ip_on_launch = false
}

//There needs to be 2 private subnets for a subnet group to work in AWS

resource "aws_subnet" "private2_subnet" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.3.0/24"
  availability_zone       = "us-east-2a"
  map_public_ip_on_launch = false
}

//RDS needs to be in a subnet group for higher availability, balancing workloads, and to actually control the networking portion.

resource "aws_db_subnet_group" "rds_subnets" {
  name       = "rds-subnet-group"
  subnet_ids = [aws_subnet.private_subnet.id, aws_subnet.private2_subnet.id]

  tags = {
    Name = "RDS Subnet Group"
  }
}

This creates the VPC, Gateway, Subnets, and the private subnet group needed for the RDS

Next, the Security groups are created for the instances:

//Creating EC2 secuity group that allows HTTP, HTTPS from anywhere and SSH from a specific public ip (yours)

resource "aws_security_group" "ec2_sg" {
  name        = "ec2_sg"
  description = "Allow HTTP, HTTPS, SSH"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.public_ip}/32"]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

//This allows traffic connecting to MySQL only if the instance has the security group for EC2

resource "aws_security_group" "rds_sg" {
  name        = "rds_sg"
  description = "Allow MySQL from EC2 only"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.ec2_sg.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  depends_on = [aws_security_group.ec2_sg] //ensures EC2 security group exists first
}

These allow traffic to each of the instances properly

We then create the IAM role for the S3 bucket

resource "aws_iam_role" "ec2_s3_access" {
  name = "ec2-s3-access"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "attach_s3" {
  role       = aws_iam_role.ec2_s3_access.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

Then we create each of the instances, assigning them to the proper VPC, subnet, and security group

resource "aws_s3_bucket" "media_bucket" {
  bucket = var.s3_bucket_name
}
resource "aws_db_instance" "prestashop_db" {
  allocated_storage    = 20
  engine               = "mysql"
  engine_version       = "8.0"
  instance_class       = "db.t3.micro"
  db_name              = "prestashop"
  username             = var.db_username
  password             = var.db_password
  skip_final_snapshot  = true
  publicly_accessible  = false
  availability_zone    = "us-east-2b"
  vpc_security_group_ids = [aws_security_group.rds_sg.id]
  db_subnet_group_name   = aws_db_subnet_group.rds_subnets.name
}

resource "aws_instance" "prestashop_ec2" {
  ami           = var.ami_id
  instance_type = var.instance_type
  key_name      = var.key_name
  subnet_id     = aws_subnet.public_subnet.id
  iam_instance_profile = aws_iam_instance_profile.ec2_profile.name
  vpc_security_group_ids = [aws_security_group.ec2_sg.id]
  associate_public_ip_address = true   # ensures a public IP is assigned
  

//This user_data will install docker and run the prestashop image
  
  user_data = <<-EOF
              #!/bin/bash
              yum update -y
              yum install -y docker
              service docker start
              usermod -aG docker ec2-user
              docker run -d --name prestashop -p 80:80 -e DB_SERVER=${aws_db_instance.prestashop_db.address} -e DB_USER=${var.db_username} -e DB_PASSWORD='${var.db_password}' prestashop/prestashop:8.1
              EOF
//Can expand this later to use HTTPS when running prestashop
  tags = { Name = "PrestaShopServer" }
}
resource "aws_iam_instance_profile" "ec2_profile" {
  name = "ec2-profile"
  role = aws_iam_role.ec2_s3_access.name
}

The instances spin up, and then it outputs the needed info to connect to each of them:

output "ec2_public_ip" {
  value = aws_instance.prestashop_ec2.public_ip
}

output "rds_endpoint" {
  value = aws_db_instance.prestashop_db.address
}

output "s3_bucket_name" {
  value = aws_s3_bucket.media_bucket.bucket
}

Python Script

---

Like I said earlier, I want this to be used by others to quickly spin up these instances. What isn't quick is changing these variables manually and potentially hard-coding your credentials accidentally. I decided to make a small Python script that accepts user input for these variables, then runs the actions needed to spin this up.

In order to do this, I created a file for specifically variables called terraform.tfvars. It has default values for each of the variables (I also put them into the variables.tf file just in case as well).

aws_region      = "us-east-2"
key_name        = "keypair"
instance_type   = "t2.micro"
db_username     = "admin"
db_password     = "password"
s3_bucket_name  = "prestashop-media"
ami_id          = "ami-077b630ef539aa0b5"
public_ip       = "0.0.0.0"

Most of these values should change when running this script. Here is the Python script that takes the user input and runs the appropriate commands:

#Liam Browning

import subprocess
import os

#Entering changes

print("Enter your Terraform variables (press Enter to use default):")

aws_region = input("AWS Region [us-east-2]: ") or "us-east-2"
key_name = input("Key Name [keypair]: ") or "keypair"
instance_type = input("Instance Type [t2.micro]: ") or "t2.micro"
db_username = input("DB Username [admin]: ") or "admin"
db_password = input("DB Password [password]: ") or "password"
s3_bucket_name = input("S3 Bucket Name [prestashop-media]: ") or "prestashop-media"
ami_id = input("AMI ID [ami-077b630ef539aa0b5]: ") or "ami-077b630ef539aa0b5"
public_ip = input("Public IP [0.0.0.0]: ") or "0.0.0.0"
#Creating terraform.tfvars

tfvars_content = f"""
aws_region      = "{aws_region}"
key_name        = "{key_name}"
instance_type   = "{instance_type}"
db_username     = "{db_username}"
db_password     = "{db_password}"
s3_bucket_name  = "{s3_bucket_name}"
ami_id          = "{ami_id}"
public_ip       = "{public_ip}"
"""

os.chdir("AWS-Prestashop-Image")

tfvars_file = "terraform.tfvars"
with open(tfvars_file, "w") as f:
    f.write(tfvars_content)
#Changes tfvars if needed
print(f"{tfvars_file} created/updated successfully.")

#function to run a terraform command
def run_terraform(command):
    print(f"\nRunning: {command}\n")
    # Start the process
    process = subprocess.Popen(
        command, shell=True, text=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT
    )
    
    # Print output line by line as it comes
    for line in iter(process.stdout.readline, ''):
        print(line, end='')

    process.stdout.close()
    process.wait()

    if process.returncode != 0:
        print(f"\nCommand failed with exit code {process.returncode}")
        print(f"\nCommand failed with exit code {process.returncode}")
        exit(1)

# Initialize Terraform
run_terraform("terraform init")

# Plan Terraform deployment
run_terraform("terraform plan -var-file=terraform.tfvars")

# Apply Terraform deployment
run_terraform("terraform apply -auto-approve -var-file=terraform.tfvars")

print("\nTerraform deployment complete!")

These are all available in my GitHub repo as well

Here we can see the script asking the user for input:

And then it should run the required actions right away

and output the required information:

in order to tear this down quickly, cd into the AWS-Prestashop-Image directory and run terraform destroy

Issues

---

I ran into issues when trying to connect the EC2 and RDS. I was assigning the correct security groups, but I was still unable to connect to my database. That's when I learned about VPC's. I initially assumed all instances would automatically be under the same VPC. In AWS, you must explicitly assign instances to a VPC to ensure proper connectivity. So I added in resources for a VPC, deliberately assigning the instances to it.

In order to have a secure RDS, there needs to be separation between it and the EC2 instance. You don't want your database exposed on a public subnet. I created something similar to this, so I could separate the 2 and have a secure connection to the database. Once I implemented this, it was able to connect easily.

Costs associated

---

I do not have enough money to spin this up on a big expensive server, but I do have a free-tier AWS account. I was able to implement this by using the free-tier options for the EC2, RDS and S3 just fine. I would suggest others who want to test this do the same!

Potential Use Case

---

I got this idea from running an E-Commerce server at CCDC a while ago. There was a section at Regionals devoted to AWS, and it had something similar running in Docker. I wanted to recreate that so our Cybersecurity Club would be able to practice Cloud environment problems for the competition.

Other than that, this can absolutely be used by someone who just wants to spin up a quick Web Server in AWS. It's pretty flexible and lightweight, so you can definitely edit it to get it where you want it. The bonus of added security through subnetting and security groups automatically can be appealing as well.

Future Considerations

---

I'd like to expand this project to something like using Kafka to track orders, implementing a Data Lake, and other AWS services. I'd also like to fully set up PrestaShop on both HTTP and HTTPS using Docker (right now you still have to go through the setup process for PrestaShop).