Using Terraform to Create a Linux Image with the CloudWatch Logs Agent and the Amazon Inspector Agent

In this installment of my adventures with Terraform, I want to spin up an Amazon Linux AMI with the CloudWatch Logs agent and the Amazon Inspector agent.

The CloudWatch Logs agent (the awslogs package) lets the EC2 instance ship its logs to CloudWatch Logs.

The Amazon Inspector agent lets Amazon Inspector assess the instance for security vulnerabilities.

The first step is to create a Terraform script that remotely executes a shell script.

Three parts are required.
Connection
This provides the SSH connection info needed to reach the EC2 instance.
  connection {
    user        = "${var.INSTANCE_USERNAME}"
    private_key = "${file("${var.PATH_TO_PRIVATE_KEY}")}"
  }
File Provisioner
This lets us take arbitrary files and upload them to the EC2 instance. We could put all of the script contents in the remote-exec inline list instead, but that would be ugly.
  provisioner "file" {
    source      = "awscli.conf"
    destination = "/tmp/awscli.conf"
  }
  provisioner "file" {   # script.sh is run by the remote-exec, so it must be uploaded too
    source      = "script.sh"
    destination = "/tmp/script.sh"
  }
Remote Exec Provisioner
Create a remote SSH session and run the commands on the EC2 instance, in order.
  provisioner "remote-exec" {
    inline = [
      "chmod +x /tmp/script.sh",
      "sudo /tmp/script.sh",
      "sudo cp /tmp/awscli.conf /etc/awslogs/awscli.conf",
      "sudo service awslogs restart", # the agent was started before the region config was in place
    ]
  }
So clearly there is some magic missing. I mean, what am I actually deploying?
For that we go to the shell script.
The first part installs the CloudWatch Logs agent (the awslogs package) and enables it at boot:
sudo yum update -y            # bring the AMI packages up to date first
sudo yum install -y awslogs   # CloudWatch Logs agent; reads its region from /etc/awslogs/awscli.conf
sudo service awslogs start
sudo chkconfig awslogs on     # start the agent on every boot
Here are the Amazon instructions.
The second part installs the Amazon Inspector agent:
wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
sudo bash install                            # runs the downloaded installer as root; Amazon publishes a detached signature for it that can be verified first
sudo /etc/init.d/awsagent start
sudo /opt/aws/awsagent/bin/awsagent status   # confirms the agent is running and registered
Here are the Amazon instructions.
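As an added example (not code from this post or its repo), here are the three provisioner parts and the script assembled into one aws_instance, together with an IAM instance profile, which the awslogs agent needs in order to write to CloudWatch Logs. The AMI and KEY_NAME variables, the t2.micro size and the role and policy names are assumptions; the IAM actions are the log-write calls awslogs makes.

```hcl
resource "aws_iam_role" "cwlogs" {
  name               = "ec2-cwlogs-agent"
  assume_role_policy = <<EOF
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
EOF
}
# Only the log-write actions awslogs needs, nothing broader.
resource "aws_iam_role_policy" "cwlogs" {
  name   = "cwlogs-put"
  role   = "${aws_iam_role.cwlogs.id}"
  policy = <<EOF
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
             "logs:PutLogEvents", "logs:DescribeLogStreams"],
  "Resource": "arn:aws:logs:*:*:*"}]}
EOF
}
resource "aws_iam_instance_profile" "cwlogs" {
  name = "ec2-cwlogs-agent"
  role = "${aws_iam_role.cwlogs.name}"
}
resource "aws_instance" "linuxec2" {
  ami                  = "${var.AMI}"      # Amazon Linux AMI id (assumed variable)
  instance_type        = "t2.micro"
  key_name             = "${var.KEY_NAME}" # key pair matching PATH_TO_PRIVATE_KEY
  iam_instance_profile = "${aws_iam_instance_profile.cwlogs.name}"
  tags                 = { Name = "linuxec2" } # Inspector selects instances by tag
  connection {
    user        = "${var.INSTANCE_USERNAME}"
    private_key = "${file("${var.PATH_TO_PRIVATE_KEY}")}"
  }
  # both files must land before remote-exec can chmod/copy them
  provisioner "file" {
    source      = "script.sh"
    destination = "/tmp/script.sh"
  }
  provisioner "file" {
    source      = "awscli.conf"
    destination = "/tmp/awscli.conf"
  }
  provisioner "remote-exec" {
    inline = [
      "chmod +x /tmp/script.sh",
      "sudo /tmp/script.sh",
      "sudo cp /tmp/awscli.conf /etc/awslogs/awscli.conf",
      "sudo service awslogs restart", # re-read the region from awscli.conf
    ]
  }
}
```

Without the instance profile the agent installs and starts fine but has no credentials, so nothing ever reaches CloudWatch Logs.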
When you run terraform apply you get a lot of output. Here is the tail of it, with the yum progress bars trimmed; the two installs to look for are the awslogs package and the Inspector agent kernel module.

aws_instance.linuxec2 (remote-exec): Total download size: 78 k
aws_instance.linuxec2 (remote-exec): Installed size: 240 k
aws_instance.linuxec2 (remote-exec): Downloading packages:
aws_instance.linuxec2 (remote-exec): (1/2): aws-cli-p |  69 kB     00:00
aws_instance.linuxec2 (remote-exec): (2/2): awslogs-1 | 8.8 kB     00:00
aws_instance.linuxec2 (remote-exec): ----------------------------------------
aws_instance.linuxec2 (remote-exec): Total      436 kB/s |  78 kB  00:00
aws_instance.linuxec2 (remote-exec): Running transaction check
aws_instance.linuxec2 (remote-exec): Running transaction test
aws_instance.linuxec2 (remote-exec): Transaction test succeeded
aws_instance.linuxec2 (remote-exec): Running transaction
aws_instance.linuxec2 (remote-exec):   Installing : aws-cli-plugin-clo   1/2
aws_instance.linuxec2 (remote-exec):   Installing : awslogs-1.1.2-1.10   2/2
aws_instance.linuxec2 (remote-exec):   Verifying  : awslogs-1.1.2-1.10   1/2
aws_instance.linuxec2 (remote-exec):   Verifying  : aws-cli-plugin-clo   2/2

aws_instance.linuxec2 (remote-exec): Installed:
aws_instance.linuxec2 (remote-exec):   awslogs.noarch 0:1.1.2-1.10.amzn1

aws_instance.linuxec2 (remote-exec): Transaction Summary
aws_instance.linuxec2 (remote-exec): ========================================
aws_instance.linuxec2 (remote-exec): Install  1 Package

aws_instance.linuxec2 (remote-exec): Total size: 5.9 M
aws_instance.linuxec2 (remote-exec): Installed size: 5.9 M
aws_instance.linuxec2 (remote-exec): Downloading packages:
aws_instance.linuxec2 (remote-exec): Running transaction check
aws_instance.linuxec2 (remote-exec): Running transaction test
aws_instance.linuxec2 (remote-exec): Transaction test succeeded
aws_instance.linuxec2 (remote-exec): Running transaction
aws_instance.linuxec2 (remote-exec):   Installing : AwsAgentKernelModu   1/1
aws_instance.linuxec2 (remote-exec):   Verifying  : AwsAgentKernelModu   1/1

aws_instance.linuxec2 (remote-exec): Installed:
aws_instance.linuxec2 (remote-exec):   AwsAgentKernelModule__amzn__4.4.41-36.55.amzn1.x86_64 0:1.0.27.1-0

Now we can jump into Amazon Inspector, use a filter for the instance tag, and see what we find.

Here is a link to the GitHub repo with the working code; look in the folder ec2instances.
