
Posts

Showing posts with the label OpenTofu

Securing Terraform and You, Part 3 -- The Finish Line

9/20: The open source version of Terraform is now OpenTofu. I swear, this is not a recurring series. The problem just -- finally -- got solved. Part 2 is over here. I went back to tfsec after seeing the simple start guide posted here, by Liam Galvin at Ghost Security. There are two aspects of my code: allow buckets starting with [word]; deny buckets that don't start with [word]. The initial guide only has "don't allow buckets that are exactly named this", but that's all I needed to actually get going! The problems could have been: the rego file and the terraform file don't play well in the same folder. Having the options in two separate subfolders helped even though there was a command that I used to read both files in the same folder. Trivy ... I don't know. Maybe the metadata setup was incorrect - but if it's set up as comments -- readable by the program but not acknowledged in the rego -- who knows. I can work on that in the future. The code w

Securing Terraform and You Part 2 -- Trivy by AquaSecurity

9/20: The open source version of Terraform is now OpenTofu. Part one is over here. This comes as the 3rd tool in a long line of tools I am using to make Terraform (OpenTofu) code consistent. I went back to the Styra Academy courses for OPA Policy Writing. I am very much a "Just show me the general idea, and I can probably figure it out" person, and I am reasonable enough to say that it didn't work this time, and I had to take the slow road. Good start: Trivy told us where it installed (trivy info installed /usr/local/bin/trivy /Users/morganza/Library/Caches/trivy). The homebrew package had an outdated version, so I had to install v. 0.40.0 myself and link it to the previously installed 0.18.0, I believe -- see the GitHub discussion here. We are now back to rego, but fortunately, Trivy works as intended when you run it locally with the following command: trivy conf --policy . --namespaces morganza . There was an odd combination of YAML with a bit of rego involved for tfsec -- can

Securing Terraform and You Part 1 -- rego, Tfsec, and Terrascan

9/20: The open source version of Terraform is now OpenTofu. Sometimes, I write articles even when things don't work. It's about showing a learning process. Using IaC means consistency, and one thing you don't want to do is have 5 open S3 buckets on AWS that anyone on the internet can reach. That's where tools such as Terrascan and Tfsec come in, where we can make our own policies and rules to be checked against our code before we init. As this was contract work, I can't show you the exact code used, but I can tell you that this blog post by Cesar Rodriguez of Cloud Security Musings was quite helpful, as well as this one by Chris Ayers. The issue is using Rego; I found a cool VS Code Extension, Terrascan Rego Editor, as well as several courses on Styra Academy: Policy Authoring and Policy Essentials. The big issue was figuring out how to tell Terrascan to follow a certain policy; I made it, put it in a directory, and ran the program while in that directory

I Attempted Terraform (OpenTofu) Remote and Imploded VS Code - Here’s How I Fixed It

9/20/2023: The open source version of Terraform is now OpenTofu. Find a better formatted version of this post on my Notion. Photo by Susan Wilkinson on Unsplash. What is Terraform Remote? It can store state files of Terraform remotely. It’s used more when there are multiple developers working on one thing, so someone’s state isn’t totally overwritten. Similar to CircleCI or Jenkins. Why Did You Try It? To see if I could! What Did You Do? The code worked - it was my S3 bucket permissions that were a little off, and did not allow me to place anything in there unless I went into the GUI and did it myself - which is time intensive and defeats the purpose of this project a bit. What Happened Afterward? Uh, well, VS Code suddenly had a lot of issues with permissions - it seems to have imploded the executable on my machine. I couldn’t start it (’The location of this file could not be found’), but it wasn’t in my list of programs to uninstall - it was a ghost program. Could You Delet

Building a Dev Environment in Terraform in AWS (From More than Certified)

Want to see a better formatted version of this post? Check my Notion! Created a development environment using AWS and Terraform including a route table, internet gateway, security group, public subnet, and EC2 instance, using templates, provisioners, and key generation for remote access. NEW Concepts Learned: aws_ami - a data segment instead of a resource that pulls an owner number, filters by name (with  Userdata Made it a template file; it bootstraps the instance as well as installing the docker engine. AMI searcher in EC2 Console: going to search the AMI in the Instance Launcher, then returning to the EC2 console to search it for the owner number and other info. ssh-keygen: I used PuTTy for previous keys. Terraform’s homemade File function: for relative file paths for shorter access. The .tpl extension: makes templates that map to certain sections of the main code. Usually using ${ }, but that’s also very module-esque, I feel. Call it with templatefile(). Provisioners: I think it’s u

Using Dynamic Blocks in Terraform

9/20/2023: The open source version of Terraform is now OpenTofu. Want to read it with nice formatting? Check out the Notion page. Continuing from the post about Modules, let's look at Dynamic Blocks. What are Dynamic Blocks? It's a way to construct dynamically repeatable nested blocks in Terraform code. Think about using for_each - this is often used to make individual resources with a value to iterate over. Is This a Dynamic Block? I’ve done something like this, but it involved the multiple function (*) and a stand-in variable ${var.ex}: network_interface_ids = ["${element(azurerm_network_interface.CA-NetInt.*.id, 01)}"] The index (01) was the number of network_interface_ids one would want. Was that unknowingly a dynamic block, or something else? By all means, comment what you think. Apparently, It Wasn’t: resource "aws_elastic_beanstalk_environment" "tfenvtest" { name = "tf-test-name" application

Using Terraform and AWS Cloud9

Wanted to try Cloud9 but didn't feel like making an EC2 instance in the GUI. So I made a Terraform file instead, remade a default VPC, and it took 20 minutes of troubleshooting. #AWS — Morgan (@runtcpip) February 1, 2022. 9/20/2023: The open source version of Terraform is now OpenTofu. 👉🏾 Find the Notion page of this post here, if it's easier for you. It certainly looks nicer! Setup: an EC2 instance; a reference to the default VPC, which I had to remake, as I had deleted mine. Downloading Terraform into Cloud9: instructions here. Done and Done. Now, How About Using It? The kicker (or blessing) is that Cloud9 doesn't auto save, like I’ve set my VSCode up to do. Had to do a lot of manual saving, but it wasn’t a struggle. The lock file is created, but I don't see it in my file system to the left until resources have been pushed, so I made a simple bucket to try it out. Because this instance is attached to my AWS account, I suppose anything I make within th

Building AWS Infrastructure with Python (+ Learning the Code)

Follow along with more DevOps stuff! It's not only CloudFormation and YAML we can use to build infrastructure in AWS - the ever-popular Python is here. I like how the docs say it should take around 6 minutes, and I'm here on maybe...minute 34 waiting for packages to finish installing. I'm sure it doesn't account for setup, but for a while, I was concerned I had misconfigured something. No, there are just a ton of packages to download. Node.js had to not only open PowerShell, but update my chocolatey and some VS Code components. Importing Python packages happens in consoles/terminals. You have to import them each session. So, I open a terminal in VS Code to install this Pipenv Virtual Environment Package, in theory. The hardest part is always installing Python packages, as I never remember what command works in Windows Terminal. It's never pip install or apt-get, but 'python -m pip install [package]', when you are not in the Python prompt. Now, into the cmd

Working With Terraform Modules for AWS

9/20/2023: The open source version of Terraform is now OpenTofu. Terraform (now OpenTofu) for AWS is somewhat clearer than Terraform for Azure - easier to grasp than YAML and its finicky formatting. After pushing some DevOps Terraform (TF) configurations live to AWS, I wondered if I could push a static webpage. Situation - Why Would You Use This? To quickly spin up the front-end for a simple webpage that might take user input after attaching it to back end services that accept and hold the data. What Other Options Are There? I've documented hosting static webpages through Azure before on here through various methods - the process is somewhat intensive and relies strongly on interconnected systems: GitHub to host the code, Azure Webapps to take the code and display it. Another option would be using Netlify, but that works best for truly single-page apps like this. It looks like it has different pages to the untrained eye, but it's only one. Task - How Is It Done? Here, t

Totally Terraform (Or, Introducing Terraform DevOps Cloud Engineer Procedures to A Company) [Updated March 2022]

Want to share this post easily? Here's a Notion page! 9/20: Terraform is now OpenTofu. I got to teach myself Terraform, but that's what this entire blog is about: teaching myself things and hoping for work sometimes to make money and being employed by multiple people. You can be the next one! Anyway, what do I like about Terraform? A lot. Including all the troubleshooting and digging into new things. The Numbers on What Was Made: Project: 1. Resources created: 7 - Virtual Machine, Network Interface, Virtual Network, Security Rule attached to Security Group, Security Group (with outputs), Subnet, Public IP address. Many of these resources are attached to each other - the Network Interface is attached to the Virtual Machine, and they’re both in a Security Group which has Security Rules attached to it. The Virtual Network is attached to the Subnet, and the Public IP address is attached to the Network Security Group. This way, the Virtual Machine has internet access, but als