
Setting up an AWS account

Today we’ll start down the path of implementing an AWS Lightsail WordPress service using Terraform. This will be a multi-part journey as we set up the AWS account, step through the Terraform, and eventually create a routable service.

The first step is to create an AWS account. Many of you may already have one of these, but for those of you that don’t, this next section is for you. The best thing to do is follow this post from AWS: Create and activate an AWS account. After you activate your account you’ll have one user, the root user. There are a few operations only the root user can perform, but it’s best practice to NOT use this user as your daily user. So we’ll walk through setting up two additional users with different permission levels.

Create a non-root user

Log into the AWS console and navigate to the IAM dashboard. Under the Access management section choose Users. Click the Add Users button and you will see this screen:

This is the user you want to use to access the AWS Management Console, so add a user name and check the box for Provide user access to the AWS Management Console. This will expand an area with some more options. Choose the I want to create an IAM user option in the first info box. Then decide how you want to handle the password generation and click Next.

The next section is adding permissions to the user. The easiest thing to do is Attach policies directly and give the user AdministratorAccess. Note – this is not best practice depending on how you are running your AWS account. Using groups and specific policies that are reduced down to specific access levels is much better. However, since this is going to be your replacement for the root user, it’s good enough.

After you click Next you will be brought to a Review and create page.

Click the Create user button. This will bring you to the Retrieve password page.

At this point, you can show the Console password and proceed to login to the AWS Management Console with your new user. Congratulations, you have a non-root user now that has admin access to your AWS account.

Create an automation user

Now that you’ve gone through the process of creating a non-root user, creating an automation user is almost identical. This user will have command line access but NOT console access. Technically you could use your non-root user for command line access, but IMHO it’s best to follow the “separation of concerns” principle. Go ahead and click Add User.

This time DO NOT check the Provide user access to the AWS Management Console option. Go ahead and click Next.

Now we are going to attach policies directly to this user. Again, this is not exactly the best practice here but this is a simple tutorial and nobody is auditing me. There are four policies we need to add to this user so Terraform can perform the necessary actions. Three of the policies are managed by AWS, but we have to create one for Lightsail that will be managed by us. So again, select the Attach policies directly option. Then this time, click Create policy. This will bring us to the Create policy visual editor.

Click the Choose a service link and enter Lightsail in the search text box.
Click the Lightsail link that appears. This will enable the Actions section. To make this easy, select All Lightsail actions (lightsail:*). This will auto check all the Access level options.

Now the Resources section will be enabled. Go ahead and choose All resources. We don’t have ARNs of any resources to restrict access to yet, so we’ll just specify everything in this account.

Next is the Add tags screen and this is optional. Click the Next: Review button and it’ll take us to the Create policy page. Enter a name and click Create policy.
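As an added example (not from the original post), this is the JSON policy document the visual editor choices above produce, together with a small check that flags the two broad grants the text acknowledges: a wildcard action and the All resources selection. The Sid and the scoped-down variant are constructed placeholders.

```python
import json

# Constructed equivalent of the visual editor choices: all Lightsail actions
# (lightsail:*) on all resources. The Sid is an arbitrary label.
LIGHTSAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LightsailFullAccess",
            "Effect": "Allow",
            "Action": "lightsail:*",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return (Sid, reason) pairs for Allow statements that use a wildcard
    action or apply to every resource, the pattern this tutorial knowingly uses."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action"))
        if "*" in resources:
            findings.append((sid, "all resources"))
    return findings


def policy_json(policy=LIGHTSAIL_POLICY):
    """Serialise the document as you would paste it into the JSON tab of Create policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json())
    for sid, reason in find_broad_grants(LIGHTSAIL_POLICY):
        print(f"review: statement {sid} grants {reason}")
```

Once you have real resource ARNs, re-running find_broad_grants on the narrowed policy is a quick way to confirm the All resources grant is gone.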

This will take us back to the Set permissions page for your Create user. Now, search for your newly created policy (in my case it was FishbitsLightsail) and select it.

Now that new policy will be attached to your new user. We need to attach 3 more:

  • AmazonRoute53FullAccess
  • AmazonS3FullAccess
  • IAMFullAccess

It would be better to reduce scope and manage ourselves, but for this tutorial we are going to provide full access. In the search box add the three options from above and make sure the or option is selected instead of the and option in the filter area. Check the box next to each of them to ensure they are attached to your new user.

Go ahead and click Next after selecting the policies. This takes us to the Review and create page and it should look something like this:

Verify that your policies are correct and click Create user. This will bring us back to the Users list in the IAM console.
You will see your new automation user in the table. Go ahead and click the automation user name. This will show you details about the user and you should see the policies we just associated to the user along with some other details. There is a Security credentials tab that you’ll want to click.
Once you navigate to the Security credentials tab, scroll down until you find the Access keys section. This is where you’ll set up an access key that can be used by Terraform and the aws cli to manage your resources.

Go ahead and click the Create access key button. You’ll be provided with a number of options, choose Command Line Interface (CLI).

Yes, AWS recommends an alternative way to handle this, but that recommendation is intended for human users, not automation users. While technically you will be the human running the Terraform commands, you can use this same process in a CI/CD pipeline.

After checking the I understand the above recommendation... checkbox click Next. This will bring us to the Set description tag page. Add a description if you’d like and click Create access key.

This is where you can retrieve your Access key and the Secret access key. Make note of these two values, they’ll be used in the next step, and click Done.

Now we have the tokens required to make API calls with the AWS Terraform provider and aws cli. It’s worth mentioning, if you don’t have the aws cli installed yet, please do so here. Open your terminal and configure a profile for the automation user.

~ $ aws configure --profile automation
AWS Access Key ID [None]: <INSERT ACCESS_KEY FROM ABOVE>
AWS Secret Access Key [None]: <INSERT SECRET_ACCESS_KEY FROM ABOVE>
Default region name [None]: <insert your region>
Default output format [None]: <i like json here>
~ $

This will update your ~/.aws/config and ~/.aws/credentials files. You can test this out by running AWS_PROFILE=automation aws iam list-users. This should list your automation and non-root users.

Congratulations!

If you made it this far, congratulations! You have successfully set up a new AWS account with 2 IAM users and are ready to start building a Lightsail instance.
